What is ransomware? A guide to malware-driven cyber extortion

F-Secure | Mar 28, 2022 | 5 min read

Ransomware is among the most harmful forms of cyber extortion and malware. Picture this: one moment, you’re working on an important project, and the next, you’re confronted with a menacing message demanding payment to regain access to your files. This is the harsh reality of ransomware attacks, which have become one of the most insidious forms of cyber extortion. But don’t worry — understanding what ransomware is and learning how to protect yourself can empower you. Read on for essential insights on this malware threat and effective strategies to protect yourself.

Ransomware meaning and definition

Ransomware is a type of malicious software (malware) that encrypts a victim’s data, effectively holding it hostage until a ransom is paid. Beyond just locking files, a ransomware attack can lead to data breaches, exposing sensitive information to unauthorized parties.

This form of cyber extortion can spread through various means, including phishing emails, infected software downloads, and exploited vulnerabilities in your operating system. Ransomware can target anyone — from individuals to large organizations — resulting in significant financial losses and disruption of daily operations. Once the malicious code encrypts critical data, that data stays inaccessible unless the victim obtains the decryption key, which the attackers offer in exchange for the ransom.

Types of ransomware attacks

Ransomware attacks come in several forms, each with a unique method of causing havoc:

  • Encrypting ransomware encrypts files on the victim’s device, rendering it inaccessible until a decryption key is provided.

  • Locking ransomware locks the victim’s device or screen, preventing access to any data until the ransom is paid.

  • DDoS ransomware threatens to launch a distributed denial-of-service (DDoS) attack on the victim’s website or network, rendering it inaccessible or causing performance issues, unless a ransom is paid.

How do ransomware attacks work?

Crypto-ransomware encrypts the files on your device, making them inaccessible without a decryption key; locker ransomware instead locks the device itself so you cannot use it at all. After infecting a device, criminals typically demand a ransom of $300 to $500 in Bitcoin per device, promising the decryption key in return. However, paying the ransom does not guarantee file recovery.

Ensuring strong network security can help prevent the initial infection. Ransomware payments are a significant financial burden for victims, often leading to extensive financial losses and operational disruptions.

Typical attack process

Ransomware attacks usually follow a multi-step process, where attackers infiltrate a victim’s device or network, encrypt their data, and then demand a ransom for the decryption key. Here’s a breakdown of how these attacks typically unfold:

  1. Initial infection: attackers use various methods, such as phishing emails, drive-by downloads, or software vulnerabilities, to infect a victim's device. Several of these tactics trick the victim into unknowingly downloading malicious software.

  2. Malware deployment: once the device is compromised, ransomware is deployed and scans for critical files to encrypt. It targets essential data that the victim cannot afford to lose.

  3. File encryption: the malware uses advanced encryption algorithms to lock the victim’s files, rendering them inaccessible. This process happens quickly and can affect a wide range of file types, including documents, photos, and databases.

  4. Ransom demand: after encrypting the files, the attacker delivers a ransom demand, usually through a note on the victim’s screen. The victim is instructed to pay the ransom — typically in cryptocurrency, which keeps the attacker anonymous — to receive the decryption key.

  5. Data exfiltration: in some cases, attackers may also steal sensitive data, using it as additional leverage. They may threaten to publicly release the stolen data if the ransom is not paid.
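
The five steps above describe the attack from the criminal's side. What a defender can do with that description is watch for the trace that step 3 leaves behind: many files rewritten in a short time with random-looking (encrypted) content under an unfamiliar extension. The Python script below is an added example and not code from the F-Secure article; it scores each observed file write by Shannon entropy and extension, then raises an alert when enough suspicious writes cluster inside a time window. The sample file paths, the thresholds (7.5 bits per byte, at least 5 files within 10 seconds) and the allow-list of extensions are constructed assumptions for the illustration.

```python
import math
import os
from collections import Counter
from dataclasses import dataclass
from random import Random

# Extensions that legitimately hold compressed or already-encrypted data and
# therefore look "random" even when nothing is wrong (constructed allow-list).
KNOWN_EXTENSIONS = {".txt", ".csv", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".zip"}


@dataclass
class FileEvent:
    """One observed file write: when it happened, which path, and the bytes written."""
    ts: float      # seconds since monitoring started
    path: str
    data: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_suspicious_write(ev: FileEvent, entropy_threshold: float = 7.5) -> bool:
    """Flag a write that both looks like ciphertext and lands on an unfamiliar extension."""
    ext = os.path.splitext(ev.path)[1].lower()
    return ext not in KNOWN_EXTENSIONS and shannon_entropy(ev.data) >= entropy_threshold


def detect_mass_encryption(events, window_s: float = 10.0, min_files: int = 5,
                           entropy_threshold: float = 7.5):
    """Return the densest burst of suspicious writes spanning at most window_s seconds
    if it holds at least min_files events, otherwise an empty list."""
    suspicious = sorted((e for e in events if is_suspicious_write(e, entropy_threshold)),
                        key=lambda e: e.ts)
    best = []
    start = 0
    for end in range(len(suspicious)):
        # Slide the window's left edge forward until it spans at most window_s seconds.
        while suspicious[end].ts - suspicious[start].ts > window_s:
            start += 1
        if end - start + 1 > len(best):
            best = suspicious[start:end + 1]
    return best if len(best) >= min_files else []


def build_sample_events():
    """Constructed sample: normal edits, one photo, then a ransomware-style burst."""
    rng = Random(1)

    def random_bytes(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    events = []
    for i in range(3):  # a user saving plain-text drafts over a few minutes
        events.append(FileEvent(i * 60.0, f"/home/alice/docs/draft{i}.txt",
                                (f"Quarterly report draft {i}\n" * 40).encode()))
    # A JPEG is high-entropy but has a known extension, so it must not be flagged.
    events.append(FileEvent(200.0, "/home/alice/photos/holiday.jpg", random_bytes(4096)))
    # Eight files rewritten as ciphertext-like data with a new extension within 3.5 s.
    for i in range(8):
        events.append(FileEvent(300.0 + i * 0.5,
                                f"/home/alice/docs/invoice{i}.xlsx.locked", random_bytes(4096)))
    return events


if __name__ == "__main__":
    burst = detect_mass_encryption(build_sample_events())
    print(f"{len(burst)} suspicious writes in one burst:")
    for ev in burst:
        print(f"  t={ev.ts:6.1f}s  {ev.path}")
```

The extension allow-list is what keeps a folder of photos or zip archives from tripping the entropy check; in a real deployment the allow-list, the thresholds and the event source (for example a file-system audit log) would all be tuned to the environment, and an alert would feed the "disconnect and investigate" steps described later in the article.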

Impacts of ransomware attacks

Ransomware attacks can devastate individuals and businesses alike, resulting in severe consequences such as:

  • Financial losses: beyond the ransom itself, victims face significant expenses from lost productivity, damaged reputation, and recovery efforts. These costs can escalate quickly, placing victims in a financially vulnerable position.

  • Data loss: critical data, including sensitive information and intellectual property, may be irretrievably lost if the ransom isn’t paid or the decryption key fails to work. Although backups can sometimes aid recovery, they’re not foolproof, leaving many in a desperate struggle to regain access to their data.

  • Operational disruption: business operations can come to a complete standstill, causing delays and extensive productivity losses. This disruption can ripple across all areas, from customer service to project deadlines, significantly impacting overall business performance.

Industries targeted by ransomware attacks

While ransomware can affect any sector, certain industries are more vulnerable due to the critical nature of their data. Key targets include:

  • Healthcare: hospitals and medical facilities are high-priority targets due to the sensitive patient data they manage. Cyber criminals know the urgent need for uninterrupted access, making healthcare organizations more likely to pay ransoms quickly.

  • Finance: banks, credit unions, and financial institutions are attractive targets for their valuable financial records. A successful attack can result in substantial monetary rewards for attackers while inflicting serious financial damage on institutions and their customers.

  • Government: federal, state, and local agencies are common ransomware victims due to the confidential information they store. Disrupting essential government services adds pressure on these entities to meet ransom demands.

  • Education: schools, colleges, and universities manage large volumes of personal data for both students and staff. A breach can have widespread consequences, making educational institutions particularly susceptible to ransomware attacks.

  • Manufacturing: industries like automotive and aerospace are targeted for their proprietary information and operational data, both of which are critical for maintaining business continuity and a competitive advantage.

How ransomware infects devices

Ransomware can infiltrate your devices through various methods, often without your knowledge. Like other malware, including trojans, the various types of ransomware typically arrive either because the user is tricked into downloading them or because they are installed automatically alongside other malware. Ransomware can be introduced through multiple vectors, including:

  • Phishing emails: cyber criminals frequently use phishing emails to entice victims into downloading malicious attachments or clicking on links that lead to compromised websites or malicious downloads. These emails often mimic legitimate sources, tricking recipients into falling for the scam.

  • Drive-by downloads: simply visiting a compromised website or clicking on a malicious advertisement can trigger a drive-by download, which silently installs ransomware on your device. Because the download needs no further action from the user beyond loading the page, this vector is particularly dangerous.

  • Exploiting software vulnerabilities: ransomware attackers often target weaknesses in software — such as operating systems and applications — to gain unauthorized access to your device. Regularly updating your software is vital for defending against these attacks.

  • Infected software downloads: downloading applications or software from untrustworthy sources can also result in ransomware infections. Always ensure that you obtain software from reputable sites and verify its authenticity before installation.

To combat this growing threat, implementing robust ransomware prevention strategies is essential. This includes monitoring for suspicious activity, assessing affected systems, deploying protective tools, and utilizing resources from trusted organizations. By understanding these infection methods, you can take proactive measures to protect your devices from ransomware attacks.

Can ransomware infect mobile devices?

Yes, ransomware can infect mobile devices, affecting both iOS and Android. This threat is particularly concerning given the vast number of people using smartphones today. One common method criminals employ to compromise mobile devices is smishing, where fraudulent text messages trick users into clicking malicious links. Fortunately, there are mobile antivirus apps available that can help protect your Android or iOS device from mobile malware.

Removing ransomware infections

Removing ransomware can be tricky, and in some cases, it may even be impossible once it has infected your device. That's why ransomware protection begins with trustworthy antivirus software designed to prevent infections. Regularly backing up your data is also crucial; in the event of an attack, you can restore your files from these backups.

If ransomware does infect your device, immediately disconnect it from the internet to prevent the malware from spreading to other devices or communicating with the attacker’s server. Next, shut down your device to minimize further damage. Finally, consult a cyber security expert or a professional ransomware removal service. They possess the tools and expertise necessary to handle complex ransomware attacks effectively.

Should you pay a ransom?

If you fall victim to a ransomware attack, paying the ransom might seem like the quickest way to regain access to your encrypted files or locked device. However, there’s no guarantee the attackers will follow through on their promise to restore your data after payment. Worse yet, paying the ransom encourages them to target more victims who are likely to comply. Paying the ransom effectively finances these criminals.

Despite this, many large organizations have opted to pay the ransom when faced with the costs and operational disruptions associated with an attack. For these companies, the expense of downtime and loss of productivity often outweighs the ransom itself.

Why do ransomware attackers want Bitcoin?

Bitcoin is a common ransom payment method in ransomware attacks, along with other cryptocurrencies. But why do attackers insist on using cryptocurrency? The primary reason is that transactions in Bitcoin and similar currencies offer a high level of anonymity, making it difficult to trace payments back to the criminals. Additionally, attackers typically set up cryptocurrency wallets to receive payments, allowing them quick access to the funds.

Here are the key reasons why ransomware attackers favor Bitcoin:

  • Anonymity: Bitcoin transactions are tied to wallet addresses rather than real-world identities, making it difficult to trace the attacker. This level of privacy provides cyber criminals with a major advantage in avoiding detection.

  • Decentralization: since Bitcoin operates on a decentralized network without oversight from a central authority, it becomes harder for law enforcement agencies to track or control transactions.

  • Irreversibility: Bitcoin transactions are final and cannot be undone once completed. This guarantees that attackers receive their payment without the risk of a refund or reversal.

  • Liquidity: Bitcoin can be quickly and easily converted into other currencies, allowing attackers to swiftly exchange the ransom into traditional currency or alternative cryptocurrencies.

What is ransomware-as-a-service (RaaS)?

Alongside crypto-ransomware, which encrypts files, and locker ransomware, which locks devices, there is a growing business model known as “ransomware-as-a-service” (RaaS). In this model, cyber criminals supply malware and the necessary infrastructure to other attackers, making it easier for those without technical skills to launch their own ransomware attacks.

In a RaaS setup, the entity supplying the ransomware program is known as the RaaS operator, while those who pay for these services are referred to as RaaS affiliates. This structure has led to a surge in ransomware attacks, as it lowers the barrier to entry for aspiring cyber criminals.

High-profile ransomware attacks

The frequency and variety of ransomware attacks have surged in recent years. Attackers not only encrypt a victim’s files to extort payment but also threaten to release stolen data if the ransom isn’t paid. Many of these high-profile attacks capture national and global headlines due to their widespread impact. Here’s a notable example:

Attacks on the NHS

In 2017, one of the most notorious ransomware attacks hit the UK’s National Health Service (NHS). The WannaCry attack inflicted an estimated £92 million in damages, forcing the cancellation of 19,000 appointments. The NHS wasn’t the only victim — globally, WannaCry caused an estimated $4 billion in financial losses.

The ransomware encrypted data on infected computers, with attackers demanding payment in Bitcoin for the decryption key. This attack highlights how ransomware frequently hits large organizations, particularly those in critical sectors such as healthcare, as well as major corporations. WannaCry underscores the persistent threat ransomware poses and the critical need for robust cyber security measures to mitigate such risks.

In 2024, the NHS faced another high-profile ransomware attack. This time, Synnovis — a pathology laboratory that processes bloodwork for the NHS — had patient data stolen by the Russian cyber criminal group Qilin. It’s unclear how much money was demanded; after the ransom went unpaid, the group released almost 400GB of patient data on the dark web, including names, dates of birth, NHS numbers, and blood test details.

5 simple ransomware prevention tips

  1. Make sure you’re running an effective online security program on all your devices.

  2. Take regular backups of your data. Store them offline so they can’t get infected.

  3. Keep your software and operating systems up to date. Enable automatic updates so that patches are applied as soon as they are released.

  4. Be skeptical of email links and attachments. Type links into your browser rather than clicking them from the email. Be extra careful with attachments that ask you to enable or allow something (macros, editing, content, etc.).

  5. Disable commonly exploited browser plugins such as Flash Player and Silverlight when you’re not using them. You can do this through your web browser under the plugin settings.
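
Tip 2 only pays off if the backup you eventually restore from is still intact, which is something worth checking before an incident rather than during one. The Python script below is an added example (not code from the F-Secure article) of one way to do that: it records a SHA-256 manifest of a backup tree when the backup is known to be good, and a later run against the same tree reports every file that has gone missing, been modified, or unexpectedly appeared. The directory layout, file names and the tampering in the demo are constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the current tree against a stored manifest.

    Returns the relative paths that are missing, newly added, or modified.
    Anything in 'missing' or 'modified' means the backup can no longer be
    trusted to restore the files it was taken to protect."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "added": sorted(set(current) - set(manifest)),
        "modified": sorted(p for p in manifest
                           if p in current and current[p] != manifest[p]),
    }


def demo():
    """Constructed scenario: verify a clean copy, then tamper with it and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "docs").mkdir(parents=True)
        (backup / "docs" / "thesis.txt").write_text("chapter one\n")
        (backup / "docs" / "budget.csv").write_text("item,cost\nlaptop,1200\n")
        (backup / "notes.txt").write_text("remember to test restores\n")

        manifest = build_manifest(backup)        # fingerprint of the clean backup
        clean = verify_backup(backup, manifest)  # nothing to report yet

        # What a later check sees if the copy has been altered (constructed tampering):
        (backup / "docs" / "thesis.txt").write_bytes(b"\x8f\x2a\x91\xc3")  # contents replaced
        (backup / "notes.txt").unlink()                                   # file gone
        (backup / "docs" / "thesis.txt.locked").write_bytes(b"\x00\x01")  # unexpected file
        tampered = verify_backup(backup, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean copy  :", clean)
    print("after tamper:", tampered)
```

Keep the manifest with the offline backup itself (or, better, on separate write-once media) so that whatever rewrites the files cannot also rewrite the record of what they should hash to; a manifest that lives on the same always-connected disk gives little assurance.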

By following these tips, you can mitigate ransomware attacks by reducing vulnerabilities and enhancing your overall security posture. Implementing these cyber security best practices will help keep your devices and data safe.

Protect your devices from ransomware with F-Secure Total

Ransomware removal is harder than ransomware prevention, making reliable antivirus and cyber security software invaluable. F-Secure Total makes this easy, helping you to secure your devices in a brilliantly simple way.

  • Award-winning antivirus and malware protection

  • Online browsing, banking, and shopping protection

  • 24/7 online identity and data breach monitoring

  • Unlimited VPN service to safeguard your privacy

  • Password manager with private data protection

Read more about Total