Ransomware

Main types of ransomware

Illustration ransomware protection

Ransomware is a type of harmful program that hijacks control of systems and data, then demands payment to restore normal access to the ransomed content or system. The F-Secure product Countercept is trusted by the largest banks, airlines, and enterprises to deliver award-winning managed detection and response.

The cost of ransomware to businesses

Successful ransomware attacks incur a variety of costs on the victim. Aside from business disruption, ransomware infections are often very visible outside an organization, resulting in reputational damage, loss of business and fall in stock market value. Regulators and governments can impose fines or other sanctions for breaches in data privacy, for example under the EU General Data Protection Regulation.

Norsk Hydro gave invaluable insight into how organizations should tackle successful attacks, reporting a £45 million cost in June 2019. US IT services company Cognizant expected costs of between $50 million and $70 million in the quarter after falling prey to a Maze ransomware attack in April 2020.  And when travel firm CWT was attacked, it opted to pay $4.5 million ransom. Dutch telecommunications provider KPN estimated the average ransomware demand for a successful REvil infection to be $260,000.

Main types of ransomware

There are two main types of ransomware commonly seen today:

Crypto-ransomware will encrypt files on a computer, essentially 'scrambling' the file contents so that the user can't access it without a decryption key that can correctly 'unscramble' it. A ransom payment is demanded in return for the decryption key. This can affect personal computers, smartphones, servers and cloud-based services. Properly executed encryption via ransomware is virtually impossible to decrypt without the encryption key

"Police-themed" ransomware will try to cloak their actions by appearing to be a warning from a local law enforcement authority, supposedly for possessing materials that are illegally downloaded, pornographic or otherwise contraband. The ransom demand is described as "payment of a fine", or similar

Should my business pay a ransom or not?

Ransomware works on the assumption that the user will be inconvenienced enough at losing access to the files that they are willing to pay the sum demanded.

Security researchers and law enforcement authorities, in general, strongly recommend that the victims refrain from paying the ransom. In some reported ransomware cases however, the crypto-ransomware infections have been so disruptive that the affected organizations and users opted to pay the ransom to regain the data or device access. It is worth noting that some attackers will also release data belonging to the victim organization regardless of whether the ransom is paid or not, and paying a ransom does not necessarily guarantee the victim will be able to recover their data or face further demands from the attacker.

More Technical Information

For examples of crypto-ransomware and police-themed ransomware, see:

Crypto-ransomware

Threat Description: WannaCryptor

Threat Description: Petya

Threat Description: TeslaCrypt

Threat Description: CTB-Locker

Threat Description: Cryptolocker

 

Police-themed ransomware

Threat Description: Trojan:HTML/Browlock

Threat Description: Trojan:W32/Reveton

Threat Description: Trojan:W32/Ransom

 

For more technical details of ransomware, see:

Labs Weblog: F-Secure WCry: Knowns And Unknowns

Labs Weblog: Petya: Disk Encrypting Ransomware

Labs Weblog: OphionLocker: Joining in the Ransomware Race

Labs Weblog: OphionLocker: Joining in the Ransomware Race

Labs Weblog: OphionLocker: Joining in the Ransomware Race

Labs Weblog: Ransomware Race (Part 5): SynoLocker's unkept promises

Labs Weblog: Ransomware Race (Part 4): Adult Content, Browlock's Staying Power

Labs Weblog: Ransomware Race (Part 3): SynoLocker Under The Hood

Labs Weblog: Ransomware Race (part 2): Personal media the next frontier?

Labs Weblog: Ransomware Race (Part 1): CryptoWall ups the ante

Labs Weblog: On "FBI" "Ransomware" and Macs