Imagine this: It is 8:30 am and you are about to walk into class. You need to quickly print off some papers for your students. You log in to the desktop only to see an intimidating popup proclaiming, “Your computer has been LOCKED!” In another part of the campus, 25 students enter the computer lab, each confronted by the same demanding pop-up screen. Much of the school’s activity stops dead and confusion reigns. The cause is ransomware, which has arguably become the most sinister and threatening malicious software of our age.
Ransomware has no preference for who it affects. And, globally, the damage from ransomware is expected to reach $11.5 billion by 2019. In 2017, the massive WannaCry ransomware attack affected over 400,000 computers across 150 countries including school districts and universities. It is a growing problem and 2017 has become collectively known as the year of ransomware.
What is Ransomware?
Ransomware is a type of malicious software. Ransomware works just like normal software, by executing code on a computing device such as a desktop, a laptop, or even a mobile device. The word ‘ransom’ is applied to this type of software because it works by performing an action that creates a ransom situation. Typically, this action is to lock a device or encrypt all files resident on a computer; the ransom, to unlock the device or decrypt the files, is requested on-screen and requires payment, most often in cryptocurrency such as bitcoin.
Ransomware has been around for many decades, but it has only started to make waves since 2011. It has two main variants: locker ransomware, which locks the infected device, and crypto ransomware, which prevents access to files on the infected device and on associated network drives.
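As an added illustration of the crypto-ransomware behaviour described above (one process rewriting many files on local and network drives in quick succession), here is a small Python detector that is not part of the original post: it flags a process that touches many distinct files within a short window, or that modifies a decoy “canary” file. The event format, process names, file paths and the `_canary` naming convention are all constructed for the example.

```python
from collections import defaultdict, deque

# Constructed file-activity events (not real telemetry): "epoch_seconds process action path".
# A RENAME event carries "old -> new". Paths use forward slashes for simplicity.
# The set mixes a teacher's normal editing with a ransomware-style burst on a network share.
SAMPLE_EVENTS = [
    "1000 winword.exe WRITE C:/Users/teacher/Documents/lesson1.docx",
    "1003 winword.exe WRITE C:/Users/teacher/Documents/lesson1.docx",
    "1010 invoice.exe WRITE //fileserver/shared/grades.xlsx",
    "1010 invoice.exe RENAME //fileserver/shared/grades.xlsx -> //fileserver/shared/grades.xlsx.locked",
    "1011 invoice.exe WRITE //fileserver/shared/roster.docx",
    "1011 invoice.exe RENAME //fileserver/shared/roster.docx -> //fileserver/shared/roster.docx.locked",
    "1012 invoice.exe WRITE //fileserver/shared/budget.xlsx",
    "1012 invoice.exe RENAME //fileserver/shared/budget.xlsx -> //fileserver/shared/budget.xlsx.locked",
    "1013 invoice.exe WRITE //fileserver/shared/_canary_do_not_touch.txt",
    "1020 explorer.exe WRITE C:/Users/teacher/Downloads/notes.txt",
]

CANARY_MARKER = "_canary"  # assumed naming convention for decoy files that no user should modify


def parse(line):
    """Split one event line into (timestamp, process, action, path)."""
    ts, proc, action, path = line.split(maxsplit=3)
    return int(ts), proc, action, path


def detect(lines, window=10, threshold=3):
    """Return [(process, reason)] for processes that touch `threshold` or more distinct
    files within `window` seconds, or that modify a canary file. Each kind of alert is
    raised once per process."""
    recent = defaultdict(deque)  # process -> deque of (ts, path) inside the window
    alerts, flagged = [], set()
    for line in lines:
        ts, proc, action, path = parse(line)
        if action == "RENAME":
            path = path.split(" -> ")[0]  # count the original file, not its new name
        if CANARY_MARKER in path and (proc, "canary") not in flagged:
            alerts.append((proc, "canary file modified"))
            flagged.add((proc, "canary"))
        q = recent[proc]
        q.append((ts, path))
        while q and ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and (proc, "burst") not in flagged:
            alerts.append((proc, f"{len(distinct)} files touched in {window}s"))
            flagged.add((proc, "burst"))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` flags only `invoice.exe`, once for the burst and once for the canary; the teacher's repeated saves of a single document stay below the threshold.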
There are many variants of ransomware, but some of the most famous include:
In 2013, the now infamous ‘CryptoLocker’ made its appearance. CryptoLocker entered an organization using a fake email made to look like it came from a legitimate company such as FedEx. The ransomware itself was an attachment which, if clicked on, would install and encrypt files on network drives, USB drives, and even cloud storage. Once the files were encrypted, a decryption code would be offered if payment was made within 3 days (the code, however, often did not materialize).
Another infamous ransomware variant that appeared in 2014 was CryptoWall. As well as using infected emails as a way into an organization, CryptoWall also used ‘exploit kits’. This method began at an infected website, or a website running an infected ad or video, which redirected the visitor to a site that used tools to find vulnerabilities in the visitor’s browser or related software. An exploit kit was a particularly worrying addition to the ransomware arsenal. Exploit kits are behind the aptly named ‘drive-by downloads’, where a user doesn’t even have to click on anything to become infected with ransomware: the exploit kit simply finds a chink in the software on that person’s computer.
WannaCry ransomware moved into a new realm of infection by using a remote method to compromise systems. The cybercriminals used an exploit for a vulnerability in Microsoft Windows known as ‘EternalBlue’. Once the ransomware was installed on a vulnerable server, it was able to scan for other reachable machines, even remotely connected ones, with exposed ports, deliver the ransomware to them and encrypt their files.
McAfee has seen a steady increase in the numbers of ransomware since 2015, with a 36% increase in ransomware in Q3 of 2017. These figures are, at least in part, increasing because of new avenues such as mobile ransomware. And, as we move deeper into a highly connected era, we are now seeing new ransomware business models, including Ransomware-as-a-Service (RaaS). McAfee discovered the first RaaS, Tox, in 2015. This model allows anyone, including non-programmers, to effectively rent ransomware, with a fee being paid to the original author whenever a ransom is paid.