What is Ransomware?

Ransomware is a devastating type of malware with global damage projected to cost organizations $265 billion by 2031. Get the information you need to prevent infections, and find what to do if you are hit.

Defining Ransomware

Ransomware is defined as vicious malware that locks users out of their devices or blocks access to files until a sum of money or ransom is paid. Ransomware attacks cause downtime, data loss, possible intellectual property theft, and in certain industries an attack is considered a data breach.

September 2013 is when ransomware went pro. It typically gets installed on a user’s workstation (PC or Mac) using a social engineering attack where the user gets tricked into clicking on a phishing link or opening an attachment. Once the malware is on the machine, it starts to encrypt all data files it can find on the machine itself and on any network shares the PC has access to.

Next, when a user wants to access one of these files they are blocked, and the system admin who gets alerted by the user finds two files in the directory that indicate the files are held for ransom, and how to pay the ransom to decrypt the files. New strains and variants come and go as new cyber mafias muscle into the "business". The techniques the cybercriminals use are constantly evolving to get past traditional defenses. Some major strains are WannaCry, GandCrab, Phobos and Cerber. This is a very successful criminal business model. Annual ransomware-induced costs are projected to exceed $265 billion by 2031, according to Cybersecurity Ventures.

Once files are encrypted, the only way to get them back is to restore a backup or pay the ransom. However, cybercriminals are now often corrupting backups before the victims know what hit them.  Storage Magazine reports that over 34% of companies do not test their backups and of those tested 77% found that tape backups failed to restore. According to Microsoft, 42% of attempted recoveries from tape backups in the past year have failed. 

Today, a Ransomware Infection is a Data Breach

The emergence of new strains has slowed down, but ransomware is getting much more sophisticated. In the early days, hackers mostly targeted consumers, and the malware would encrypt immediately upon executing. Later on, ransomware gangs realized they would make a lot more money targeting businesses. At first they would spread like a worm through organizations, collecting credentials and encrypting files along the way. Threat actors are now a lot more intelligent in their approach. Once they've gotten in, the malware 'dials home' so that the hacker can do a full analysis of which data is most valuable to their victim, how much they can realistically ask for, and what they can encrypt that will get them a payday sooner.

Most of the ransomware gangs are now exfiltrating your most valuable data and threatening to expose it on publicly available websites as an additional extortion method. Some of these criminals make you pay twice: once for the decryption key, and again to delete the data they have stolen. In the U.S. alone, a single cybersecurity insurance consortium said they are paying $1M per day in ransomware payouts to these criminal gangs.

That figure doesn't include recovery and downtime costs, which can far exceed the cost of the ransom. By now, there are tens of thousands of ransomware victims, including school districts, police departments, and entire cities. It is important to understand that it is not just large organizations that are targeted; small and medium organizations are also at risk.

Cyber criminals constantly use social engineering and update their ransomware themes to stay current. Some themes include the FBI variant, the Internal Revenue Service, and even sadly, now COVID-19 pandemic-themed ransomware. In addition to updating themes, cyber criminals are also developing creative new ways to spread the ransomware. These include offering Ransomware-as-a-Service (RaaS) strains such as “Dot” or “Philadelphia”, where they offer your files back for free if you infect two other organizations. There are even marketing videos on YouTube for some ransomware strains.

Ransomware History Timeline

Since 1989, ransomware has become the number one security risk to businesses and users. Here is a full history and how it has evolved:
 

1989

The first ever ransomware virus was created in 1989 by Harvard-trained evolutionary biologist Joseph L. Popp (now known as the 'father of ransomware'). It was called the AIDS Trojan, also known as the PC Cyborg. Popp sent 20,000 infected diskettes labeled “AIDS Information – Introductory Diskettes” to attendees of the World Health Organization’s international AIDS conference in Stockholm. The disks contained malicious code that hid file directories, locked file names and demanded victims send $189 to a PO Box in Panama if they wanted their data back. The AIDS Trojan was “generation one” ransomware malware and relatively easy to overcome. The Trojan used simple symmetric cryptography and tools were soon available to decrypt the file names. But the AIDS Trojan set the scene for what was to come. 

Is your network effective in blocking ransomware when employees fall for social engineering attacks?

KnowBe4’s Ransomware Simulator "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 22 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.


Run RanSim and test your network now, get your results in minutes!

Find out how vulnerable your network is against ransomware and cryptomining attacks.

A Master Class on IT Security:
Roger Grimes Teaches Ransomware Mitigation

Cyber-criminals have become thoughtful about ransomware attacks, taking time to maximize your organization’s potential damage and their payoff. Protecting your network from this growing threat is more important than ever. Join Roger for this thought-provoking webinar to learn what you can do to prevent, detect, and mitigate ransomware.

Ransomware Strains and Families Knowledge Base

We've put together the background, history and inner-workings of all widespread ransomware strains and families that have appeared over the last few years. Criminal malware continues to grow at an explosive rate, and employees need to be given effective security awareness training so that they know before they click.

Free Ransomware Simulator Tool

Is your network effective in blocking ransomware attacks?

Cybercriminals are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

KnowBe4’s RanSim gives you a quick look at the effectiveness of your existing network protection. RanSim simulates 22 ransomware infection scenarios and 1 cryptomining scenario and will show you if your workstation is vulnerable.

Frequently Asked Questions

How did I get infected?
Email Vector
By far the most common scenario involves an email attachment disguised as an innocuous file. Many times hackers will send a file with multiple extensions to try to hide the true type of file you are receiving. If a user receives a phishing email with an attachment or even a link to a software download, and they install or open that attachment without verifying its authenticity and the sender’s intention, this can lead directly to a ransomware infection. This is the most common way ransomware is installed on a user’s machine.

Drive-by Download
Increasingly, infections happen through drive-by downloads, where visiting a compromised website with an old browser or software plug-in or an unpatched third-party application can infect a machine. The compromised website runs an exploit kit (EK) which checks for known vulnerabilities. Often, a hacker will discover a bug in a piece of software that can be exploited to allow the execution of malicious code. Once discovered, these are usually quickly caught and patched by the software vendor, but there is always a period of time where the software user is vulnerable.

Free Software Vector
Another common way to infect a user’s machine is to offer a free version of a piece of software. This can come in many flavors such as “cracked” versions of expensive games or software, free games, game “mods”, adult content, screensavers or bogus software advertised as a way to cheat in online games or get around a website’s paywall. By preying on the user in this way, the hackers can bypass any firewall or email filter. After all, the user downloaded the file directly themselves! An example is a ransomware attack which exploited the popularity of the game Minecraft by offering a “mod” to players of Minecraft. When they installed it, the software also installed a sleeper version of ransomware that activated weeks later.

One method cybercriminals will use to install malicious software on a machine is to exploit one of these unpatched vulnerabilities. Examples of exploits can range from vulnerabilities in an unpatched version of Adobe Flash, a bug in Java or an old web browser all the way to an unpatched, outdated operating system.
Why is ransomware so effective?
The main event that created the fifth and current generation of cybercrime was the formation of an active underground economy, where stolen goods and illegal services are bought and sold in a ‘professional’ manner, if there is such a thing as honor among thieves. Note that because of this, cybercrime has recently been developing at a much faster rate. All the tools of the trade are now for sale. This has opened the ‘industry’ to relatively inexperienced criminals who can learn the trade and get to work quickly.

Some examples of this specialization are:
• Cybercrime has its own social networks with escrow services
• Malware can be licensed and receive tech support
• You can rent botnets by the hour, for your own crime spree
• Pay-for-play malware infection services have appeared that quickly create botnets
• A lively market for zero-day exploits (unknown software vulnerabilities) has been established

The problem with this is that it provides unfortunate economies of scale. The advent of Generation Five increases malware quality, speeds up the criminal ‘supply chain’ and effectively spreads risk among these thieves, meaning it becomes much harder to apprehend the culprits, not to mention jurisdiction problems.

Due to these factors, it is clear that we are in this for the long haul. We need to step up our game, just like the miscreants have done over the last 10 years.
Which strain am I infected with?
There is a website called ID Ransomware that allows you to upload your ransom note and a sample encrypted file. The tool will identify the particular strain you are dealing with and if available, download decryption tools to recover your files and/or whole network shares if your backups have failed. It's a good idea to know which type you have as there is no 'one-size-fits-all' method to get rid of ransomware.
What is a Bitcoin and why do I have to pay with it?
Bitcoin is an untraceable crypto-currency network that uses peer-to-peer technology to handle transactions with no central authority - that means no banks or government agencies either. All transactions are public; however, the people holding these digital wallets remain completely anonymous. This makes Bitcoin very attractive to cybercriminals and is therefore the payment method most often requested to get files decrypted.

We have seen certain actors demand ransom in things like Amazon and iTunes gift cards, but the vast majority ask for Bitcoin.
Does paying ransom mean the malware is gone?
It is important to note that just because a person pays to unlock the computer, it doesn’t mean that the malware is gone. Once the ransom is paid, the Citadel software continues to operate and the computer can still be used to commit bank or credit card fraud. Reveton, for instance, included the Papras family of malware, which includes password stealers and which can also disable security software.
Where can I report ransomware?

If you are infected you should always report it to the FBI’s Internet Crime Complaint Center (IC3). You will need to provide all relevant information including the e-mail with header information and Bitcoin address if available.

How effective is Security Awareness Training in combating ransomware?

Since most ransomware is delivered via malware found in phishing emails, users need to be trained to not click on those emails. We have seen the percentage of 'phish-prone users' decrease from an average 31.4% to 4.8% over the course of a year of using our training platform.

How To Check For Ransomware

Symptoms

It’s fairly straightforward to find out if you are affected by a ransomware virus. The symptoms are as follows:

  • You suddenly cannot open normal files and get errors such as the file is corrupted or has the wrong extension.
  • An alarming message has been set as your desktop background with instructions on how to pay to unlock your files.
  • The ransomware program or a related website warns you that there is a countdown until the ransom increases or you will not be able to decrypt your files.
  • A window has opened to a ransomware program and you cannot close it.
  • You see files in all directories with names such as HOW TO DECRYPT FILES.TXT or DECRYPT_INSTRUCTIONS.HTML.
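
The symptoms above (ransom notes dropped into every directory, files that no longer open because their contents have been replaced) and the multiple-extension trick described under the Email Vector FAQ can be checked for mechanically. The following Python script is an added example written for this page; it is not KnowBe4 code and not part of RanSim. The ransom-note filename pattern, the 7.5 bits-per-byte entropy cut-off, the file-signature table and the sample directory it builds are all constructed assumptions for the illustration.

```python
import math
import os
import re
import tempfile
from collections import Counter

# Ransom-note names of the kind listed in the symptoms above (constructed pattern, extend as needed).
RANSOM_NOTE_RE = re.compile(
    r"^(how[ _-]?to[ _-]?decrypt|decrypt[ _-]?instructions|readme[ _-]?(to[ _-]?)?decrypt)"
    r".*\.(txt|html?|hta)$", re.IGNORECASE)

# Well-known file signatures; an extension whose header no longer matches is a strong sign
# that the file body has been replaced by ciphertext.
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}

# Extensions Windows will execute; 'invoice.pdf.exe' hides one of these behind a document extension.
EXEC_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".ps1"}
ENTROPY_CUTOFF = 7.5   # bits per byte; assumed threshold, ordinary documents rarely exceed it

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; encrypted or compressed data sits near 8.0, text far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def has_disguising_double_extension(name: str) -> bool:
    """True for names like 'invoice.pdf.exe': a document-looking extension right before an executable one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[2] in EXEC_EXTS and "." + parts[1] in MAGIC

def classify_file(path: str) -> str:
    """One of 'ransom_note', 'double_extension', 'magic_mismatch', 'high_entropy' or 'ok'."""
    name = os.path.basename(path)
    if RANSOM_NOTE_RE.match(name):
        return "ransom_note"
    if has_disguising_double_extension(name):
        return "double_extension"
    ext = os.path.splitext(name)[1].lower()
    with open(path, "rb") as f:
        head = f.read(4096)
    expected = MAGIC.get(ext)
    if expected is not None and not head.startswith(expected):
        return "magic_mismatch"
    if expected is None and len(head) >= 256 and shannon_entropy(head) > ENTROPY_CUTOFF:
        return "high_entropy"
    return "ok"

def triage_directory(root: str) -> dict:
    """Walk a tree and return {relative_path: verdict} for every file that is not 'ok'."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            verdict = classify_file(p)
            if verdict != "ok":
                findings[os.path.relpath(p, root).replace(os.sep, "/")] = verdict
    return findings

def build_sample_tree() -> str:
    """Constructed sample directory: a clean PDF, a text file, an 'encrypted' spreadsheet,
    a ransom note and a double-extension executable."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    with open(os.path.join(root, "report.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n" + b"plain text body " * 40)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"meeting at 10\n" * 30)
    with open(os.path.join(root, "budget.xlsx"), "wb") as f:
        f.write(os.urandom(2048))          # stands in for ciphertext: header gone, entropy high
    with open(os.path.join(root, "HOW TO DECRYPT FILES.TXT"), "wb") as f:
        f.write(b"your files have been encrypted")   # constructed note text
    with open(os.path.join(root, "invoice.pdf.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 100)      # PE header stub, not a real executable
    return root

if __name__ == "__main__":
    for rel, verdict in sorted(triage_directory(build_sample_tree()).items()):
        print(f"{verdict:17} {rel}")
```

Pointing triage_directory at a user profile or a file share gives a quick list of what has been touched; the magic-byte check is the more reliable signal, since many strains rename files but some leave the original name and only replace the contents.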

Here is an example of a ransomware screen, the infamous Sodinokibi:

Example of a Ransomware attack, Sodinokibi

Here is an example of a ransomware webpage, threatening data exposure:

Example of a Ransomware webpage, threatening data exposure

Infection Vectors

Understanding the different attack vectors for this type of crime is key when it comes to prevention. This is how cybercriminals do it:

Email Vector
By far the most common scenario involves an email attachment disguised as an innocuous file. Many times hackers will send a file with multiple extensions to try to hide the true type of file you are receiving. If a user receives a phishing email with an attachment or even a link to a software download, and they install or open that attachment without verifying its authenticity and the sender’s intention, this can lead directly to a ransomware infection. This is the most common way ransomware is installed on a user’s machine.
Drive-by Download
Increasingly, infections happen through drive-by downloads, where visiting a compromised website with an old browser or software plug-in or an unpatched third-party application can infect a machine. The compromised website runs an exploit kit (EK) which checks for known vulnerabilities. Often, a hacker will discover a bug in a piece of software that can be exploited to allow the execution of malicious code. Once discovered, these are usually quickly caught and patched by the software vendor, but there is always a period of time where the software user is vulnerable.
Free Software Vector
Another common way to infect a user’s machine is to offer a free version of a piece of software. This can come in many flavors such as “cracked” versions of expensive games or software, free games, game “mods”, adult content, screensavers or bogus software advertised as a way to cheat in online games or get around a website’s paywall. By preying on the user in this way, the hackers can bypass any firewall or email filter. After all, the user downloaded the file directly themselves! An example is a ransomware attack which exploited the popularity of the game Minecraft by offering a “mod” to players of Minecraft. When they installed it, the software also installed a sleeper version of ransomware that activated weeks later.

One method cyber criminals will use to install malicious software on a machine is to exploit one of these unpatched vulnerabilities. Examples of exploits can range from vulnerabilities in an unpatched version of Adobe Flash, a bug in Java or an old web browser all the way to an unpatched, outdated operating system.
Remote Desktop Protocol (RDP)
Internet-exposed Remote Desktop Protocol (RDP) sessions are another very common means of infecting networks. RDP sessions are used to remotely log in to Windows computers and allow the user to control that computer as if they were sitting in front of it. The technology typically uses port 3389 to communicate, and many organizations allow traffic from the internet through their firewall, so people can remotely access the computer. Hackers have become increasingly skilled at attacking these exposed computers and using them to spread malware within a network. RDP is exploited either due to an unpatched vulnerability or due to password guessing because the victims chose very weak passwords and/or did not enable account lockout protections.
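
An added example (not KnowBe4's code) of the detection side of the RDP paragraph above: a Python scan of failed-logon telemetry for password guessing against exposed RDP. The records are constructed to resemble Windows Security events 4625 (failed logon) and 4624 (successful logon), using the event XML field names LogonType, TargetUserName and IpAddress; logon type 10 (RemoteInteractive) is what an RDP session produces. The 10-failures-in-5-minutes threshold, the IP addresses and the usernames are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(event_id: int, when: datetime, logon_type: int, user: str, ip: str) -> dict:
    """One Security-log record in the shape this detector consumes (constructed, not a real export)."""
    return {"EventID": event_id, "TimeCreated": when.isoformat(),
            "LogonType": logon_type, "TargetUserName": user, "IpAddress": ip}

def build_sample_events() -> list:
    """Constructed telemetry: one guessing burst that ends in a success, one fat-fingered user,
    and a non-RDP (logon type 3) burst that this detector deliberately ignores."""
    base = datetime(2024, 5, 1, 2, 0, 0)
    evs = []
    sprayed = ["administrator", "admin", "backup", "scanner", "test"]
    for i in range(40):   # 40 RDP failures in two minutes from one address
        evs.append(ev(4625, base + timedelta(seconds=3 * i), 10, sprayed[i % 5], "203.0.113.7"))
    evs.append(ev(4624, base + timedelta(minutes=3), 10, "backup", "203.0.113.7"))  # then a success
    for i in range(3):    # a real user mistyping a password: below threshold
        evs.append(ev(4625, base + timedelta(minutes=10 + i), 10, "jsmith", "198.51.100.3"))
    for i in range(20):   # network logon failures, not RDP
        evs.append(ev(4625, base + timedelta(seconds=i), 3, "svc_sql", "10.0.0.5"))
    return evs

def detect_rdp_guessing(events: list, threshold: int = 10,
                        window: timedelta = timedelta(minutes=5)) -> dict:
    """Flag source addresses with >= threshold failed RDP logons inside any `window`,
    and mark whether a successful RDP logon from that address followed the burst."""
    rdp = sorted((e for e in events if e.get("LogonType") == 10), key=lambda e: e["TimeCreated"])
    failures = defaultdict(list)
    for e in rdp:
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append(e)

    flagged, first_failure = {}, {}
    for ip, evs in failures.items():
        times = [datetime.fromisoformat(e["TimeCreated"]) for e in evs]
        peak, start = 0, 0
        for end in range(len(times)):          # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            first_failure[ip] = times[0]
            flagged[ip] = {
                "failures": len(evs),
                "peak_in_window": peak,
                "distinct_users": len({e["TargetUserName"].lower() for e in evs}),
                "success_after_burst": False,
            }

    for e in rdp:
        ip = e["IpAddress"]
        if (e["EventID"] == 4624 and ip in flagged
                and datetime.fromisoformat(e["TimeCreated"]) >= first_failure[ip]):
            # The guessing worked: treat this as a compromised account, not as noise.
            flagged[ip]["success_after_burst"] = True
    return flagged

if __name__ == "__main__":
    for ip, rec in detect_rdp_guessing(build_sample_events()).items():
        print(ip, rec)
```

A flagged address that also shows success_after_burst is the case to respond to as a compromise rather than as scanning noise. The controls the paragraph describes, keeping port 3389 off the internet and enabling account lockout, are what remove this signal at its source; the detector is the safety net for hosts where that has not been done.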

Ransomware Prevention Tips

The best way to prevent an infection is to not rely on just one solution, but to use multiple, layered solutions for the best possible protection.

1. Security Awareness Training
It’s easier to prevent malware infections if you know what to look for. If you understand the latest techniques cybercriminals are using, the easier it will be to avoid. Know your enemy! Take an active approach to educating yourself by taking a security awareness training course.

2. Internet Security Products
There are many commercial products that will help you avoid all malware infections, but understand that none of them are 100% effective. The cyber criminals are always looking for weaknesses in security products and promptly take advantage of them.

3. Antivirus Software
While antivirus is highly recommended, you should have multiple layers of protection in place. It is not wise to solely rely on antivirus software to keep your PC secure, as it cannot prevent infections from zero-day or newly emerging threats.

The antivirus products listed below were rated the most effective at preventing malware by AV-Test.org:

Avira Antivirus Pro
Kaspersky Internet Security
Bitdefender Internet Security
Norton Security
Trend Micro Internet Security

4. Anti-Malware Software
Most anti-malware software like MalwareBytes is designed to run alongside Antivirus products, and it’s recommended you have both in place.

5. Whitelisting Software
Whitelisting offers the best protection against malware and virus attacks. Whitelisting software allows only known good software that you approve to run or execute on your system. All other applications are prevented from running or executing.

6. Backup Solutions
In the event of a catastrophic attack or complete system failure, it’s essential to have your data backed up. Many have been able to quickly and fully recover from an attack because their data was backed up and safe. We recommend using one of the following online storage services together with an external hard drive (that you disconnect after the backup) as the best possible backup solution:


Hostage Rescue Manual

This free manual is packed with actionable info that you need to prevent infections, and what to do when you get hit.

You will also receive an Attack Response Checklist and a Prevention Checklist. You will learn more about:

  • What is Ransomware?
  • Am I Infected?
  • I’m Infected, Now What?
  • Protecting Yourself in the Future
  • Resources

Don’t be taken hostage. Download your 26-page rescue manual now.

How to Remove Ransomware

Because all strains are different, there isn’t one set of removal instructions that works across the board. Below are steps to take to begin the removal process on a Windows PC; they may work completely for some infections but not for all, especially if you have a really nasty one. However, if you don't remove it, you will be unable to decrypt your encrypted files, so they will be gone forever!

1. Malware Scan. It’s recommended to use MalwareBytes to detect and remove the malware. First download the free version of MalwareBytes. If you are unable to run a MalwareBytes scan, restart your PC in safe mode and try to run the MalwareBytes scan this way.

To enter safe mode: as your computer restarts but before Windows launches, press F8. Use the arrow keys to highlight the appropriate safe mode option, then press ENTER.

2. System Restore. Some strains will prevent you from entering Windows or running programs, if this is the case you can try to use System Restore to roll Windows back in time before the infection. Restore your system using the System Restore settings by restarting your PC and hitting the F8 key when the PC begins to boot up.

3. Recovery Disk. Use your Windows disc to access recovery tools by selecting “Repair your Computer” on the main menu. If you don’t have your Windows disc, you can create one from another PC running the same version of Windows.

4. Antivirus Rescue Disc. If a system restore doesn’t help and you still can’t access Windows, try running a virus scan from a bootable disc or USB drive. You could try creating a Bitdefender Rescue CD.

5. Factory Restore. If the above steps have not worked, the last resort is a Factory Restore. PC World has comprehensive instructions for performing a factory restore.
If you manage to remove the infection from your PC using any of the steps above (except the factory restore) your next task will be to recover your files.

Unhiding Files
If you are lucky, the malware didn't encrypt your data but only hid your icons, shortcuts, and files. In that case you can easily show hidden files: Open Computer, navigate to C:\Users\, and open the folder of your Windows account name. Then right-click each folder that’s hidden, open Properties, uncheck the Hidden attribute, and click OK. You should be good to go from here.

Encrypted Files
If you followed the steps above to unhide your files and this didn’t work and you still can’t find any of your data, this means that your files have been malware-encrypted. This is not good. Unfortunately it isn’t possible to decrypt or unlock your hostage files, because the decryption key is typically stored on the cybercriminal’s server. From here you have two options:

Option 1: Restore your files from a backup. If you have a backup system in place, and the backups haven’t been encrypted as well, you should be able to restore all your files this way. If you don’t have a backup system in place, you might be able to recover some of your files from Shadow Volume Copies, but most definitely not all your personal files. To use shadow volume copies, right-click the files or folders, open Properties and view the Previous Versions list, or use a program called Shadow Explorer.

Option 2: Pay the Ransom. Most authors will deliver the decryption key and return your files once you pay, but keep in mind, there is no guarantee. You may pay the ransom and get nothing in return, after all you are dealing with thieves.

Free Decryptors List

Ransomware decryption is an uphill battle for security professionals. As new strains are discovered, decryptors are created, then cybercriminals update their malware to get past decryption methods. It's a never-ending cycle!

All Ransomware Resources