What is ransomware?
Malicious software on the computer system allows these frauds to encrypt all data on the computer system. Victims get a popup that tells them how to contact the frauds to pay the ransom and recover the data. Payments are almost always made through bitcoin, and the frauds walk victims into the steps in making payments.
McAfee Video explains how ransomware works
How often does happen? Is it going to get worse?
The number of ransomware attacks is clearly growing rapidly. It appears most ransomware victims do not complain to the FBI. But internet security companies do keep track and release reports showing that this is a large and growing problem. One study found that such attacks quadrupled in 2016. Symantec tracked 463,000 ransomware attacks. Another report found 5600 ransomware attacks every day.
In addition, a new report from Trend Micro says the number of Ransomware “families” increased over 700% in 2016. Symantec found that the number of malware families tripled in 2016.
How is this industry structured?
Some ransomware operations perform the full range of “services,” installing malware, encrypting files and collecting the ransom. But we have now seen an increase in ransomware as a services (Raas). Thus one set of parties develop the encryption software and may handle receiving the ransom and decrypting files. But the ability to spread the malware is being franchised. The encryption enterprise just takes 30% of the ransom that is paid. This allows far more enterprises to attack computers.
In addition, many believe that some governments are affirmatively developing and employing ransomware as a cyber attack. Thus the goal of the ransomware may not even really be designed to collect ransom. For example, Symantec says it is “highly likely” North Korea was behind the WannaCry ransomware attack. As of May 18, total money paid as ransom in WannaCry attack, may be only $85,000 – despite billions in damage done. Experts believe Petya ransomware was an attack – not really an effort to obtain ransom.
Are some types of businesses more likely to be victimized?
It does seem clear that the frauds are bending some of their efforts to hospitals and medical clinics (we don’t know why). Some reports that law firms are also a special target.
Doesn’t ransomware mostly hit large corporations or those with big computer systems?
No – This fraud is also having a huge effect on small and medium sized businesses. Malware Bytes surveyed 1000 small and medium businesses and found that one third of them had a ransomware attack in the last year.
In addition to the cost of the ransom many of these businesses suffered several days with their computer systems down. This resulted in 22% of them going out of business.
Are phones and personal computers subject to ransomware?
Personal computers and even cell phones are at risk as well – so backing up your devices weekly to a backup that is not connected to your system or the internet is a good idea.
See: Ransomware variant of WannaCry now hitting android phones and Chinese police arrest two men who developed variant of WannaCry designed for Android phones; hidden in plugin for popular video game.
An FTC video suggests backing up data and avoiding ransomware on your PC
How do computers get infected?
Ransomware may occasionally be installed by hacking, but the vast majority of it comes from someone opening an email that has malicious content. Many people seem to assume that it is spread by internet jokes and other common types of email. And at times that may be true. But Symantec says that ransomware is generally hidden in emails that look like routine invoices or delivery notifications; attachments have malware in them.
Some Ransomware is now being spread through voicemail attachments to emails and phishing emails sometimes hide in an attachment to an attachment. Ransomware software is also often downloaded by opening fake Adobe Flash updater.
Most companies require that employees take regular training in Internet security to avoid opening phishing emails. But many times CEO’s themselves do not take this training, and they are often the target of phishing email.
What do I do if I’m hit with an attack?
Of course one thing to do is to make sure it really is a ransomware attack. One UK study found that 2 out of every 5 victims paid ransom even when the request was simply a bluff. Similarly, tech support frauds often employ popups that freeze the browser, possibly even the computer, and display a phone number to call to get the problem fixed. This is a tech support fraud aimed at tricking victims into paying for services in “fixing” computer problems. Simply rebooting the computer will solve the problem
After that, it is probably a good idea to turn to a professional organization that can help. And there are some free tools available for unlocking files encrypted by ransomware. For example, the Dutch police, Europol, Kaspersky and McAfee have a free site to unlock ransomware. There is also a new free tool for decrypting Petya ransomware.
Here is a blog with a step by step guide on what to do
How can I prevent ransomware?
Regular backups of the system data can allow an organization to restore its systems without paying the ransom. Note that the backup system must be disconnected from the system after backing up, or it will be encrypted as well.
It is also important to keep computers up to date with the latest security patches. The WannaCry ransomware attack that recently shut down computers across the world was not effective against companies that had up to date operating systems designed to prevent such attacks.
How much is the ransom?
Symantec reports that the average ransom demands in ransomware went up from $294 to $1077 in 2016. They may be increasing. There are reports that one South Korean business paid a million dollar ransom.
How do you pay the ransom?
After a ransomware attack the frauds need to communicate with the victim and tell them how to pay. Payment is almost invariably by bitcoin because the money is extremely difficult to trace.
If I pay the ransom will I get data back?
Paying the ransom may not solve the problem. The goal of the ransomware enterprises are collecting money, after all, and they may not really care if the system is restored. One study says small businesses that pay ransomware only get their files restored half the time.
Paying can have other risks. Some have found that organizations hit by ransomware likely to be victimized again.
What is law enforcement doing?
This is a difficult issue for law enforcement to address, but there have been some considerable worldwide efforts to deal with it. In December 2016 DOJ and Europol announced the results of Operation Avalanche, which seized 39 servers and shut down 221 more. In July 2016 police in the Ukraine seized servers to head off ransomware attacks.
In July 2017 a Russian was arrested in Greece for laundering bitcoin payments that went to BTC-E, the account where 95% of ransomware payments were cashed out. He is wanted for extradition to the U.S.
On December 20th Five arrested in Romania for ransomware fraud; Europol effort included work with FBI as well as UK and Dutch enforcers