Article by Florin Gruber, June 2025

What is Ransomware?

Ransomware (from 'ransom') is one of the biggest current threats to data belonging to private individuals and companies. But what exactly is ransomware and what motivates the people who develop it? An overview.

Definition of Ransomware

Ransomware (also known as encryption trojan or extortion trojan) refers to a form of malware that encrypts files on infected systems to extort ransom money for decryption. Often, the ransom must be paid to the extortionists in digital currencies like Bitcoin to prevent tracking.

Ransomware spreads like a computer virus through the internet and corporate networks to as many connected computers as possible. This can lead to hundreds of thousands or millions of computers being infected within a few weeks. The owner of an infected computer then loses access to the data stored on it. Instead, they are shown a window informing them that their data has been encrypted and instructing them how to proceed to reverse the encryption. This happened with WannaCry, a ransomware that caused global concern in 2017 by infecting businesses, hospitals, and private computers in 180 countries. (Microsoft has since closed the Windows vulnerability that enabled the infection with a subsequent patch.) Learn more about WannaCry in this article.

Why is ransomware spread, who profits from it?

The creators distribute ransomware in the hope of ransom payments from desperate PC users who decide to pay the demanded sum out of necessity. This sum is often chosen to be affordable for the 'average' user, usually ranging between 20 and 80 USD per infected computer. Although all authorities recommend never paying the ransom under any circumstances, there have been cases where companies have paid large sums to the extortionists. This is usually out of necessity, because they urgently needed the data for their daily operations (e.g., hospitals).

The ransom is often demanded in digital currencies like Bitcoin so that - according to the attackers' plan - the payment cannot be traced.

The image shows the message that users of WannaCry-infected computers would see. Notable are the two timers:

  • The first timer shows when the ransom amount will increase
  • The second timer shows when payment will no longer be possible and the data will be lost forever

Once the amount is paid, many ransomware variants actually decrypt the data and the files can be used again. However, you cannot and should not rely on this, as there is no authority to complain to. Therefore, authorities recommend never paying the ransom demand and instead waiting for decryption software from an antivirus vendor. Such a remedy is usually available within a few days and is provided free of charge by major antivirus software companies.

How can I protect myself against ransomware?

Encryption trojans enter a system through the same channels as other forms of malware. Accordingly, the protective measures are identical:

  • Don't open attachments in emails from unknown sources
  • Don't open files from external devices that you found lying around, for example on the ground
  • Install an antivirus program and update it regularly
  • Install regular updates for your operating system
  • Be generally careful when handling downloaded files
  • Disconnect your PC from the internet if it contains particularly sensitive or important data
  • Disconnect external drives with backup data from your PC so that any infection cannot spread to them
  • Create a backup of your data, preferably including an offsite backup

What to do if infected with ransomware?

  • General rule: Do not pay the ransom! (There's no guarantee that the data will be decrypted, and by paying you motivate the attackers to potentially come back to you later as a lucrative target)
  • Search online for solutions and helper programs
    • These are usually developed within a few days by major antivirus manufacturers and offered as free downloads
  • Report the incident to MELANI
  • Look for operating system and software updates that close the vulnerability through which the malware was introduced
  • Restore your data from a backup

Looking for active protection against ransomware?

We provide it directly. Backup ONE Cyber Protect actively protects your computer and everyone in your company network from ransomware. Simply install the software and configure a protection plan. Your computers are immediately and continuously protected and scanned for suspicious activities. As soon as suspicious activity is detected, the corresponding process is immediately stopped and any encrypted data is restored from the latest backup - all without your intervention.

Learn how it works at https://www.backup.ch/cyber-protect.