What you need to know about ransomware

There’s so much to learn about ransomware! This page is designed to answer the most common ransomware questions on the internet. Have unanswered questions? Find answers here. Hit Ctrl + F to search for terms that apply to your question or just explore.

Can ransomware attack Android?

All devices can be infected with ransomware. Android is the most common mobile operating system, meaning that ransomware infections will likely occur at a higher rate on Android devices than on other devices.

Can ransomware infect Linux?

Yes. Cyber criminals can attack Linux with ransomware. It’s a myth that Linux operating systems are completely secure. They’re as susceptible to ransomware as any other system.

Can ransomware encrypt encrypted files?

Yes, ransomware can encrypt encrypted files. Two primary means of encryption exist: device level and file level. Regardless of whether you have one of these encryption modes in place or both, ransomware can still encrypt a target’s files.

Avoid the hassle of contending with encrypted files by regularly backing up your images and data. A strong anti-virus and/or firewall will also prevent cyber criminals from deploying ransomware that can damage your files.

Can ransomware infect cloud storage?

Yes. Cloud storage can experience ransomware infections. Cloud storage is susceptible to ransomware attacks because it syncs with local data storage. For instance, if you’re working on a file in Dropbox or OneDrive, you’re working on your files locally. Should ransomware affect your local files, the file sharing engine (Dropbox or OneDrive) will upload the malicious code to your cloud-based files.

The same phenomenon holds true in relation to cloud storage gateways or other cloud-based solutions. A locally infected/encrypted copy will translate to a cloud-based infected/encrypted copy.

Can ransomware spread through wifi?

Yes, ransomware can move through wifi networks to infect computers. Ransomware attacks that move through wifi can disrupt entire networks, leading to severe business consequences.

Ransomware can also spread across different wifi networks, operating as a computer worm does. Ransomware that jumps across wifi boundaries can render an entire office building infected with the stuff.

To prevent the spread of ransomware in this way, ensure that routers and PCs are secure.

Specifically, be sure to use strong passwords on your devices. For example, Emotet ransomware is able to quickly and easily crack passwords and to then spread laterally across wifi connections.

Will ransomware infect external hard drives?

Yes. Ransomware can infect everything connected to networked devices, including external hard drives. If an external drive is not connected to a device, ransomware cannot wirelessly infect it. However, depending on the length of time for which ransomware has been lurking on a system, an external drive that was once connected to your system may already be infected.

Will ransomware infect OneDrive?

OneDrive can be infected by ransomware. Infection can take place in any of the following ways:

  1. Ransomware can infect OneDrive via the OneDrive sync client. In this scenario, the tool that syncs your data to OneDrive becomes corrupt and then spreads the infection.
  2. Ransomware can infect OneDrive via illicit permissions. In this type of case, software add-ons or extensions are often the culprit.
  3. Ransomware can infect OneDrive via an administrator’s account. In this scenario, a cyber criminal may phish an administrator for account credentials and then leverage them to introduce ransomware into a system.

Will ransomware infect Dropbox?

Ransomware can infect Dropbox. For example, if you keep files on your desktop that are automatically synced to Dropbox, a ransomware infection will corrupt both sets of files. In the event that a corrupted file is added to Dropbox, any files or devices linked or synced to that account may also become infected.

Did this happen to you? For attack clean-up methods, visit Dropbox’s website.

When was ransomware first discovered?

The first ransomware was discovered in 1989. It was created by Harvard-trained evolutionary biologist, Dr. Joseph Popp. In the present day, Dr. Popp is occasionally referred to as ‘the father of ransomware’. His ransomware was then discovered in Belgium and around the world, after a World Health Organization conference.

What does ransomware look like?

One can conceptualize a ransomware attack as a computer-based hostage situation, where the hacker is in full control and will only back down when others acquiesce to specified demands.

Ransomware attacks usually become self-evident when text flashes onto a screen demanding payment in exchange for file restoration. The attackers typically show how to pay the ransomware fee in order to receive a file decryption key.

The strain of ransomware affecting a computer can often be identified based on the style of the ransomware note. For example, Cerber ransomware uses text-to-speech technology, enabling the computer to read the ransomware note to victims.

Why is ransomware dangerous?

Ransomware is dangerous when organizations do not have recent backups of their files. Without backups, ransomware attackers gain access to critical business information and will either choose to release it, or not, upon payment. Organizations that choose to pay ransoms may or may not actually be able to recover their original files. For organizations like hospitals, which need access to patient data quickly, ransomware can cause unnerving disruptions.

Ransomware is capable of encrypting nearly all types of files: text, audio, video, photos or otherwise. Because ransomware can scramble file names, discerning which files in a system were affected by ransomware can be a challenge. Ransomware can also independently revise the extensions of your file names, leading files to behave in unexpected ways.

Lastly, organizations that want to pay the ransom must do so within a set timeframe. Should an affected organization operate outside of this timeframe, either the fees will increase or the files will be deleted.
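The identification problem described above (scrambled names, changed extensions) can be triaged from file content rather than file names. The following Python script is an added example, not part of the original page: it flags files whose header no longer matches their extension or whose content has near-random entropy; the signature table, the 7.5 bits/byte cut-off and the sample file names are assumptions chosen for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Well-known leading signatures ("magic bytes") for a few common formats.
MAGIC = {
    ".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
    ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
}
TEXT_EXTS = {".txt", ".csv", ".log", ".md"}
ENTROPY_LIMIT = 7.5   # bits/byte; assumed cut-off, encrypted data sits near 8.0
MIN_BYTES = 1024      # entropy of tiny samples is too low to be meaningful
SAMPLE = 65536        # only the first 64 KiB of each file is read

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str):
    """Return a reason string if the file looks encrypted, else None."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE)
    ext = os.path.splitext(path)[1].lower()
    if ext in MAGIC:
        # Compressed formats are high-entropy anyway, so check the header instead.
        return None if head.startswith(MAGIC[ext]) else f"header does not match {ext}"
    if len(head) < MIN_BYTES or shannon_entropy(head) < ENTROPY_LIMIT:
        return None
    if ext in TEXT_EXTS:
        return f"high-entropy content in {ext} file"
    return f"unrecognised extension {ext or '(none)'} with high-entropy content"

def scan(root: str) -> dict:
    """Walk a directory tree and map each suspicious relative path to its reason."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            try:
                reason = classify(full)
            except OSError:
                continue  # unreadable file: skip rather than abort the triage
            if reason:
                findings[os.path.relpath(full, root)] = reason
    return findings

if __name__ == "__main__":
    # Constructed sample data: SHA-256 output stands in for encrypted bytes.
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"report.pdf": b"%PDF-1.7\n" + b"plain text " * 200,
                   "notes.txt": b"meeting at ten\n" * 200, "photo.jpg": b"\x00" + noise,
                   "budget.csv": noise, "a81f.locked": noise}
        for name, body in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(body)
        for path, reason in sorted(scan(tmp).items()):
            print(f"{path}: {reason}")
```

Compressed or media files with extensions outside the signature table also score high, so treat the output as a triage list to compare against backups, not as a verdict.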

Why do ransomware attacks keep happening?

In general, ransomware attacks appear to be increasing in frequency. Ransomware can slip into systems due to unpatched operating systems. They can also penetrate computers via downloaded software.

Antivirus software can prevent unauthorized applications from infecting your system. File backups can also help save the day. Furthermore, organizations should take care to follow industry-standard compliance guidelines, including those issued by groups like NIST and SANS. Making cyber security a core element of an organization’s strategy can prevent cyber attacks of all kinds.

Why is ransomware so popular?

Ransomware is popular on account of the fact that it earns hackers money very quickly. Hackers don’t need to sell data on the dark web to turn a profit. They simply devour the money paid by the victims.

Ransomware is popular among hackers because it’s easy to deploy, especially within organizations that have failed to address cyber security weaknesses. Some organizations are so busy trying to defend against more advanced threats that ransomware attack defense takes a backseat. Organizations need to ensure that defenses don’t fall short.

Can ransomware be removed? 

Ransomware can’t be removed as easily as other varieties of malware. In order to prevent removal, many ransomware programs self-destruct (i.e., delete themselves), after a specified period of time. In instances when ransomware does not self-destruct, ransomware removal tools can be effective.

How to remove ransomware:

A computer infected with ransomware can be disinfected. It is not always possible, but it is possible. To begin the process, disconnect the affected device from the network (placing it in isolation).

In some cases, rebooting the computer in Safe Mode, installing anti-malware software, scanning the system to identify the ransomware and then following the anti-virus software’s instructions can remove the ransomware from a computer. Nonetheless, these steps will not decrypt frozen files.

To decrypt files, organizations can pay hackers for decryption keys, although this method is frowned upon. In the event that an organization is able to identify the type of ransomware on the affected device or devices, it may be possible to find a specially designed ransomware decryption tool that can assist with file recovery. The website nomoreransom.org offers 160,000 decryption tools.

Alternatively, organizations with clean backups of data can reach out to their backup service provider and request assistance with file restoration. Experts recommend that organizations retain multiple backups of important data: physical backups (on external devices) and virtual backups in the cloud.

As a last resort, organizations can invite cyber forensics teams and cyber security professionals to assist with ransomware removal. In select cases, experts can successfully decrypt devices.

What is Ryuk ransomware?

Ryuk ransomware is a specific type of ransomware. It’s considered a “malware family”. First observed in 2018, Ryuk is particularly vicious on account of the fact that it can encrypt both files and stored copies of files. Without an external backup of files, it is nearly impossible for organizations to recover from Ryuk ransomware.

Ryuk ransomware typically targets high-value, high-profile organizations with the means to offer compensation in exchange for file decryption. In the past, hospitals and prominent journalistic outlets have been targets. In the span of about a year and a half, experts believe that Ryuk ransomware generated more than $60 million in revenue for its criminal operators.

Ryuk ransomware attacks often start with a malicious Microsoft Office attachment included in a phishing email. When an individual opens the attachment, a PowerShell command typically unleashes the Emotet trojan. Afterwards, additional malware is downloaded onto machines, including spyware. The malware is typically able to move laterally across a network, enabling hackers to access valuable documents or data. Once the hackers have what they want or deem the network unworthy of further exploration, Ryuk is released into the environment. A request for payment then appears.

How to avoid ransomware:

Organizations can avoid ransomware. To avoid ransomware, organizations should both educate employees about the threat and should put cyber security infrastructure in place.

When it comes to educating employees, organizations should ensure that everyone knows not to click on strange looking links or unfamiliar websites. Instruct people to avoid opening email attachments from unknown or seemingly suspicious senders. Tell teams not to hand out any personal information to unverified individuals. In the event that a company representative gives someone a call and asks for information, the call recipient should contact the company to ensure that the call is credible.

Otherwise, organizations should ensure that operating systems remain up-to-date and that robust security software is in place. Anti-ransomware software is often available as a component of comprehensive security packages. Ensure that ransomware protection is available for all endpoints. By some estimates, the cost of ransomware in 2019 exceeded $7.5 billion, worldwide. It is often more cost effective to invest in a ransomware solution than to rely on ransomware tools or alternative resources in the event of a breach.

Why do ransomware attacks use bitcoin?

Bitcoin functions like electronic cash and it’s nearly untraceable. It’s a reliable electronic payment system that works effectively.

However, bitcoin exchanges are regulated in certain countries. This can make it a challenge for hackers to change Bitcoins into fiat currency.

Who is behind ransomware?

It varies. The cyber criminals behind ransomware are often linked to organized crime groups or to foreign governments with political motivations. Those who deploy ransomware often spend months, or even years, working on the foundational elements of the attack. Their goal is to ensure that the attack is launched in a stealthy manner. Groups and individuals behind ransomware attacks do everything in their power to avoid identification.

What does the history of ransomware look like?

The first ransomware attack purportedly occurred in 1989. The ransomware itself was distributed on a floppy disk. The event took place in Antwerp, Belgium. The victim was directed to send ransomware payment to a PO box in Panama. Victims would then receive decryption keys. Roughly 20,000 computer enthusiasts, medical research institutions and researchers who attended the World Health Organization’s international AIDS conference in Stockholm received corrupted floppy disks. The software was attributed to a US citizen, Dr. Joseph Popp, who received his Ph.D. from Harvard University, and served as an evolutionary biologist.

Dr. Popp was deemed unfit to withstand trial, and was not prosecuted. Ransomware was not distributed en-masse on the internet for at least another 16 years.

What does ransomware target?

Ransomware targets files. When it comes to ransomware, the goal is to encrypt the files so that the victim cannot access them, forcing the victim to pay the attacker.

When ransomware infects computers, it will…

Restrict users’ access to files and/or restrict access at the system level. It could also spread to other computers, networked or synched devices.

What happens when ransomware attacks occur?

When ransomware attacks occur, the malicious code encrypts a victim’s computer and/or files. The rightful owner can only retrieve their information by paying the ransom, relying on data backups, hiring experts (who may or may not be able to provide help), or testing out ransomware decryption tools.

Which antivirus stops ransomware?

Many different vendors offer ransomware protection. Check Point’s ransomware products are offered as elements of an endpoint suite. Encrypted files are restored automatically from snapshots, allowing people and organizations to proceed with business as usual.

Windows 10 ransomware protection?

Microsoft offers the following recommendations when it comes to protecting PCs from ransomware.

  • Ensure that the given PC has the latest version of Windows installed.
  • Ensure that the Windows Security feature is turned on.
  • Invest in advanced ransomware protections.
  • Ensure that you have backups of your files via the File History feature.
  • You may want to store your most important files on Microsoft OneDrive. The OneDrive platform hosts built-in ransomware detection and recovery features. In addition, it offers file versioning so that lost files can be restored.
  • Ensure that your browser is secure and up-to-date.
  • Shut down your computer in-full at least once per week. This helps to ensure that systems have the opportunity to update themselves.

Why are ransomware attacks increasing?

In 2020, research showed a 7-fold increase in ransomware attacks, as compared to 2019. Cyber criminals have capitalized on the transition to remote work, exploiting new security loopholes to launch ransomware attacks. Unsecured or under-secured legacy systems are also at fault when it comes to perpetuating attacks.

Ransomware has not only increased; ransomware has evolved. The ransomware families that appeared popular in 2019 are no longer as popular in 2020. New ransomware families dominate the scene.

Why are ransomware attacks successful?

Ransomware commonly ravages systems because the victims fail to take adequate cyber security measures. Victims typically don’t know about the potential for ransomware, they don’t understand the probability of experiencing a ransomware attack, and they don’t have a sense of just how much damage it can engender. More than 25% of ransomware victims pay an average of more than $1M to recover from a ransomware attack.

Where does ransomware hide?

Ransomware can reside in a variety of applications, ranging from Skype to the Google Play Store. Suspicious emails and fake desktop updates can also disguise ransomware.

After it’s been downloaded, some malware will hide in modified Windows registry keys, temporary folders, “shortcuts” (.lnk files), Microsoft Word files and elsewhere.

Who does ransomware target?

Ransomware commonly targets sectors like healthcare, the energy sector, retail, and finance. These sectors represent top targets because data recovery is often complex for them and they are likely to pay ransomware decryption fees.

Other sectors that are also frequent targets include the legal sector, the food supply chain, education and manufacturing, according to TechRepublic.

How does ransomware spread?

Ransomware commonly spreads via phishing emails that include malicious attachments. These emails may include ZIP files, PDFs, Word documents, Excel sheets or other types of files. Once the attachment has been opened, ransomware may download instantly or it may lurk on a device in stealth mode for weeks or months prior to launching an attack.

Alternatively, ransomware may spread through a process referred to as ‘drive-by-downloading’, which occurs when a person accidentally scrolls through a malicious website or scrolls over a malicious advertisement. Drive-by ransomware software analyzes your device for vulnerabilities and then executes the ransomware in the background.

Malicious URLs can also spread ransomware. It can also spread via pirated software. USB drives can hide ransomware within them too. Most ransomware attacks that start with USB drives are entirely accidental, as the person plugging in the USB remains unaware of the ransomware on the device.

More advanced forms of malware can ‘self-propagate’, as computer worms do, moving laterally across a network to infect additional machines. This type of attack is known for hobbling entire businesses.

Less commonly, ransomware can spread through social media. Hackers are continually coming up with clever ways to spread ransomware. New techniques emerge on a regular basis.

How does ransomware affect business?

When the attack begins, ransomware can stall business operations. As the attack wears on, the attack may result in the temporary or permanent loss of proprietary data. Furthermore, attacks can lead to significant financial loss and can also damage organizations’ reputations in the long-term.

How does ransomware decryption work?

When dealing with ransomware, there are sometimes a few different decryption options (if you’re lucky). In some cases, the electronic ransomware notes on computers inform victims that after paying a specified sum, ranging from hundreds of dollars to hundreds of thousands of dollars, a ransomware decryption key will be available to them. However, in other instances, the cyber criminals lie about having a decryption key. Instead, they take the money and run.

In other instances, cyber forensics teams can try to decrypt files. A selection of ransomware decryption tools are available from cyber security vendors and from organizations that serve the public, such as Europol.

How can law enforcement rein in ransomware?

This is a tough mission. In the US, the FBI encourages all ransomware victims to report attacks and the Department of Justice sees disrupting ransomware rings as a priority.

Europol is also committed to taking down ransomware rings. “All over Europe police are working against the clock to bring the criminals to justice,” says Catalin Zetu, of the Central Cyber Crime Unit, National Police, Romania. In the EU, the police maintain cyber crime units that can help people resolve ransomware issues immediately, without payment to the attackers.

In Asia, the ASEAN Desk, which is a branch of Interpol, operates as a central regional hub for cyber criminal intelligence. It offers investigative and operational support when it comes to taking down malware (ransomware is a type of malware).

One difficult aspect of catching ransomware criminals is that they may reside in countries that do not have extradition treaties with a given country that wishes to pursue legal action.

Should people pay ransoms?

The general advice is not to pay the ransom. Paying a ransom does not guarantee that the criminals will hand the victims a decryption key. Furthermore, flaws in the coding of the ransomware itself mean that, even with a decryption key, a person’s files may not remain intact post-attack. Lastly, paying a ransom helps perpetuate cyber criminals’ activities. Nonetheless, some organizations do choose to pay ransoms when the cost of not doing so could lead to loss of life or serious injury (such as in the case of hospitals).