Understanding Ransomware and Protecting Yourself from an Attack

What is a ransomware cyberattack?

A ransomware attack, as its name suggests, involves a ransom demand.

Ransomware: a definition

According to a guidance article by the NCSC, ransomware “is a type of malware that prevents you from accessing your computer (or the data that is stored on it).” Ransomware can infect your computer when you visit certain websites. It can also be activated during a hacker intrusion on your device.

This same NCSC article points out that ransomware belongs to the category of “malicious software”, also called “malware”. This kind of malware has the specificity of encrypting files on a computer or other computing devices, including the files saved in a shared folder such as the ones hosted on a cloud drive. Ransomware can also prevent any access to the computer.

The purpose of ransomware is to extort money from you by promising to restore your access to locked devices or encrypted data. In some instances, however, hackers have no other goal than to compromise your IT. This often means their motivations are therefore unfair competition or political attacks. Through ransomware attacks cybercriminals can damage the operation and harm the reputation of your company.

Typology of ransomware attacks

There are two main categories of ransomware: data encryption and locking ransomware. In addition to those two classic types of malware, there are new ones, such as Ransomware-as-a-Service (RaaS) or scareware. It is important for you to learn how to recognise those different cyber attacks in order to take efficient protective measures.

Locking ransomware

This type of ransomware outright blocks access to the interface of computers or tablets and smartphones. The device becomes unusable and a message from the hacker appears on the screen, specifying the terms of payment of the ransom.

Some hackers even go so far as to use social engineering in their messages. They try to make the user believe the ransom is actually a fine. They thus take advantage of the panic reflexes of their victim.

This type of ransomware is not the most common because, fortunately, it only blocks access to the interface, without compromising the files. Once it has been deleted, the user retrieves all his files left intact.

Encrypting ransomware

Encrypting ransomware, also known as “data blockers” or “cryptolocker ransomware” is far more dangerous than screen locking ransomware. This kind of ransomware can target the most critical files on your device and change their extension. Hackers often look for financial data, pictures, videos, confidential projects or personal data.

Under those circumstances, it becomes impossible to read or access files without a decryption key. Just like with locking ransomware, the victim often receives a message that looks legit or even official. This could be a brand spoofing message posing as Apple, Gmail, a bank or Paypal.

The hacker is also able to limit your access to your computer, by locking certain keys on the keyboard, for example. In this case, you are then forced to communicate with the hacker.

Once the ransom has been demanded, either you pay and regain access to your files held hostage or you have to use a professional ransomware decryption software. This solution remains the best one because many cyber criminals do not restitute the files in their initial state.

Several large-scale cyberattacks examples fall under the category of data encryption ransomware:

• Ryuk ransomware, which we have analyzed regarding its fallout, has been operating at full speed since 2020. It is the weapon of choice in numerous cyber attacks against French hospitals during the COVID-19 pandemic.
• WannaCry is an encrypting ransomware that has operated on over 250,000 Windows operating system computers around the world. Hackers made a 150,000 USD profit with it.
• CryptoLocker has infected half a million computers, it generated a 3.000.000 USD profit for the criminals..
• Petya, renamed Not-Petya, went so far as to delete the victims' files after payment. This devastating ransomware has damaged large numbers of computer networks around the world, including those of Ukrainian banks and public transportation.

‍

New types of ransomware

New types of ransomware have emerged over the past years, especially in 2020:

• Scareware disguised as antivirus. The victim receives a seemingly legitimate alert informing them of contamination. Acting out of panic, they download the so-called antivirus software. Thus, the cybercriminal is granted full access to the victim's personal data.
• Ransomware-as-a-Service (RaaS): hackers go through a “supplier” to create ransomware. Once the ransom has been collected, that “supplier” receives its share of the spoils.
• Doxware comes from the abbreviation “docs” for “documents”. It is sometimes also called "leakware". Through doxware, hackers intend to cause panic among their victims by threatening to disclose confidential information.

Who are the targets of ransomware attacks?

In a ransomware fact sheet, the FBI says “attacks can impact all sectors”.

Indeed, private companies, and public services can experience this type of cyber attack on all types of devices. Also, all operating systems are targeted: iOS, Windows, Linux, Mac and Android.

However, in a recent article, the cybersecurity news website Cybereason points out that the sectors most affected by ransomware are healthcare, education and the industrial sector. One may add that IT companies also constitute a prime target for ransomware cyberattacks.

Ransomware attack: consequences

Additionally to the financial losses due to the payment of ransoms, ransomware also has economic, industrial and social repercussions. This is particularly the case with “Big Game Hunting” attacks that have been raging on since 2014. Those attacks target large companies or institutions capable of paying vast amounts of money.

In its analysis of the consequences of ransomware, the French government agency ANSSI (National Agency for the Security of Information Systems) lists the following types of adverse consequences on companies:

• drop in productivity provoking heavy financial losses;
• suspension of user services;
• remediation costs;
• ransom costs ranging from several hundred euros for individuals up to millions of euros for businesses;
• delays in pending procedures;
• publication of personal data, yet subject to GDPR regulations.

‍

‍