Ransomware

Ransomware is malware that infects computers and displays a message threatening to deny the victim access to their data or, in some cases, to publish the victim’s data unless a ransom is paid. Ransomware authors have been heavily influenced by legitimate SaaS (software as a service) companies like Dropbox, Slack, or MailChimp in recent years, and some now offer ransomware subscription services, or RaaS (ransomware as a service), which give technically inept cybercriminals the ability to launch devastating ransomware attacks.

The most rudimentary form of ransomware (often called scareware) relies solely on intimidating victims into believing it is a credible threat; it has no capacity to actually manipulate a victim’s data. More sophisticated forms can lock users out of their systems (although these lockouts are often reversible).

That said, the most advanced and dangerous ransomware employs a method called cryptoviral extortion. Cryptoviral extortion attacks use ransomware that encrypts the victim’s files, making them practically impossible to recover without the decryption key when the cryptography is implemented correctly; the attackers then offer that key in exchange for a ransom.

How Ransomware Works

As with many other types of malware, ransomware frequently gains access to a victim’s computer through seemingly benign email attachments that arrive as part of malspam or phishing campaigns. Alternatively, many users fall victim to malvertising campaigns through fake or compromised websites that host exploit kits, which infect computers via drive-by downloads without the user ever noticing. Once ransomware finds its way onto a system, there is a variety of ways it might behave depending on its level of sophistication.

Scareware, the simplest form of ransomware, uses intimidation tactics alone to dupe victims into paying. Often, scareware scams consist of phony antivirus alerts that appear on a victim’s computer, claim that the system has been compromised, and then prompt the user with an easy online payment option to "eliminate" the threat. While these may look like serious security threats, this form of ransomware generally does not touch a user’s data at all.

Screen lockers are another, more advanced form of ransomware that can freeze users out of their computers completely. When booting a computer infected with screen-locker ransomware, users are often met with an official-looking pop-up window suggesting that the system (and its user) have been implicated in illegal cyber activity, and prompting the user to pay a "fine" to regain access. While more serious than a scareware infection, these infections are generally not difficult to address; depending on the specific variant, some can be defused by rebooting the system in safe mode and running a common antivirus program.

Encryption ransomware (cryptoviral extortion), finally, is the most sophisticated form of ransomware attack. Once it infects a system, it encrypts the victim’s data with standard strong cryptography, typically a per-file symmetric key that is itself encrypted with the attacker’s public key, so that no usable decryption key ever resides on the victim’s machine. The data is never actually deleted from the system, but the user cannot read it without either breaking the encryption (feasible only when the attacker made an implementation mistake) or obtaining the key in exchange for a ransom.

One of the most famous examples of this was the WannaCry ransomware attack in May 2017, which spread as a self-propagating worm and infected over 200,000 computers in 150 countries. WannaCry demanded $300 in Bitcoin to decrypt each computer.
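Because encryption ransomware leaves the original bytes unreadable rather than deleting them, the behaviour a defender can observe is a process rewriting many files with ciphertext-like content and, usually, renaming them. The following added example (not code from the original page or from any vendor) shows a small heuristic detector built on that observation: it measures the Shannon entropy of a file before and after a write, checks whether the extension changed, and alerts on a process that does this to several files. The file-write events, the plaintext contents, the `.locked` extension and the `toy_keystream` stand-in for ciphertext are all constructed for the example; real telemetry would come from an EDR agent or file-system audit log.

```python
"""Heuristic detection of encryption-ransomware behaviour on file writes.

Added illustration; all events and thresholds below are constructed, not real telemetry.
"""
import hashlib
import math
from collections import Counter, defaultdict

ENTROPY_JUMP_BITS = 2.0   # plaintext -> ciphertext normally jumps by far more than this
HIGH_ENTROPY_BITS = 7.0   # out of a maximum of 8 bits per byte
MIN_SUSPICIOUS_WRITES = 3 # suspicious writes per process before an alert is raised


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 .. 8.0. Encrypted or compressed data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def toy_keystream(seed: bytes, length: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext (SHA-256 in counter mode).
    Not a cipher to build on; it only gives the sample data ciphertext-like statistics."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def classify_write(old_name: str, new_name: str, before: bytes, after: bytes) -> list:
    """Return the reasons one overwrite-and-rename looks like file encryption (empty if none)."""
    reasons = []
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    if e_after - e_before >= ENTROPY_JUMP_BITS and e_after >= HIGH_ENTROPY_BITS:
        reasons.append(f"entropy {e_before:.2f}->{e_after:.2f}")
    ext_before = old_name.rsplit(".", 1)[-1].lower()
    ext_after = new_name.rsplit(".", 1)[-1].lower()
    if ext_before != ext_after:
        reasons.append(f"extension changed {old_name}->{new_name}")
    return reasons


def detect_ransomware(events) -> dict:
    """Aggregate suspicious writes per process id and return only processes over threshold.
    Each event is a dict with keys pid, old_name, new_name, before, after."""
    hits = defaultdict(list)
    for ev in events:
        reasons = classify_write(ev["old_name"], ev["new_name"], ev["before"], ev["after"])
        if reasons:
            hits[ev["pid"]].append(f'{ev["old_name"]}: {"; ".join(reasons)}')
    return {pid: r for pid, r in hits.items() if len(r) >= MIN_SUSPICIOUS_WRITES}


# Constructed plaintext document body (62 bytes repeated 64 times).
PLAINTEXT = b"Quarterly report: revenue grew 4% while operating costs fell. " * 64


def sample_events():
    """Constructed file-write telemetry: one encrypting process and two benign ones."""
    events = []
    # pid 4242: overwrites three documents with ciphertext and appends a hypothetical .locked extension
    for name in ["budget.csv", "report.txt", "minutes.md"]:
        events.append({"pid": 4242, "old_name": name, "new_name": name + ".locked",
                       "before": PLAINTEXT, "after": toy_keystream(name.encode(), len(PLAINTEXT))})
    # pid 777: a text editor saving an edited plaintext document in place
    events.append({"pid": 777, "old_name": "minutes.md", "new_name": "minutes.md",
                   "before": PLAINTEXT, "after": PLAINTEXT + b"Addendum: figures rechecked.\n"})
    # pid 888: an archiver rewriting a zip; already high entropy, so no jump and no rename
    events.append({"pid": 888, "old_name": "backup.zip", "new_name": "backup.zip",
                   "before": toy_keystream(b"old", 4096), "after": toy_keystream(b"new", 4096)})
    return events


if __name__ == "__main__":
    for pid, reasons in detect_ransomware(sample_events()).items():
        print(f"ALERT pid {pid}:")
        for r in reasons:
            print("  ", r)
```

The archiver case shows the caveat with entropy alone: files that are already compressed or encrypted (zip, office formats, media) do not produce an entropy jump when a ransomware overwrites them, which is why the extension-change check and the per-process write count are combined rather than relying on any single signal.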
