Ransom malware, or ransomware, is a type of malware that prevents users from accessing their system or personal files and demands ransom payment in order to regain access. While some people might think “a virus locked my computer,” ransomware would typically be classified as a different form of malware than a virus. The earliest variants of ransomware were developed in the late 1980s, and payment was to be sent via snail mail. Today, ransomware authors order that payment be sent via cryptocurrency or credit card, and attackers target individuals, businesses, and organizations of all kinds. Some ransomware authors sell the service to other cybercriminals, which is known as Ransomware-as-a-Service or RaaS.
How exactly does a threat actor carry out a ransomware attack? First, they must gain access to a device or network. Having access enables them to utilize the malware needed to encrypt, or lock up, your device and data. There are several different ways that ransomware can infect your computer
How do I get ransomware?
Malspam: To gain access, some threat actors use spam, where they send an email with a malicious attachment to as many people as possible, seeing who opens the attachment and “takes the bait,” so to speak. Malicious spam, or malspam, is unsolicited email that is used to deliver malware. The email might include booby-trapped attachments, such as PDFs or Word documents. It might also contain links to malicious websites.
Malvertising: Another popular infection method is malvertising. Malvertising, or malicious advertising, is the use of online advertising to distribute malware with little to no user interaction required. While browsing the web, even legitimate sites, users can be directed to criminal servers without ever clicking on an ad. These servers catalog details about victim computers and their locations, and then select the malware best suited to deliver. Often, that malware is ransomware. Malvertising often uses an infected iframe, or invisible webpage element, to do its work. The iframe redirects to an exploit landing page, and malicious code attacks the system from the landing page via exploit kit. All this happens without the user’s knowledge, which is why it’s often referred to as a drive-by-download.
Spear phishing: A more targeted means to a ransomware attack is through spear phishing. An example of spear phishing would be sending emails to employees of a certain company, claiming that the CEO is asking you to take an important employee survey, or the HR department is requiring you to download and read a new policy. The term “whaling” is used to describe such methods targeted toward high-level decision makers in an organization, such as the CEO or other executives.
Social engineering: Malspam, malvertising, and spear phishing can, and often do, contain elements of social engineering. Threat actors may use social engineering in order to trick people into opening attachments or clicking on links by appearing as legitimate—whether that’s by seeming to be from a trusted institution or a friend. Cybercriminals use social engineering in other types of ransomware attacks, such as posing as the FBI in order to scare users into paying them a sum of money to unlock their files. Another example of social engineering would be if a threat actor gathers information from your public social media profiles about your interests, places you visit often, your job, etc., and using some of that information to send you a message that looks familiar to you, hoping you’ll click before you realize it’s not legitimate.
Types of ransomware
Three main types of ransomware include scareware, screen lockers, and encrypting ransomware:
Scareware: Scareware, as it turns out, is not that scary. It includes rogue security software and tech support scams. You might receive a pop-up message claiming that malware was discovered and the only way to get rid of it is to pay up. If you do nothing, you’ll likely continue to be bombarded with pop-ups, but your files are essentially safe. A legitimate cybersecurity software program would not solicit customers in this way. If you don’t already have this company’s software on your computer, then they would not be monitoring you for ransomware infection. If you do have security software, you wouldn’t need to pay to have the infection removed—you’ve already paid for the software to do that very job.
Screen lockers: Upgrade to terror alert orange for these guys. When lock-screen ransomware gets on your computer, it means you’re frozen out of your PC entirely. Upon starting up your computer, a full-size window will appear, often accompanied by an official-looking FBI or US Department of Justice seal saying illegal activity has been detected on your computer and you must pay a fine. However, the FBI would not freeze you out of your computer or demand payment for illegal activity. If they suspected you of piracy, child pornography, or other cybercrimes, they would go through the appropriate legal channels.
Encrypting ransomware: This is the truly nasty stuff. These are the guys who snatch up your files and encrypt them, demanding payment in order to decrypt and redeliver. The reason why this type of ransomware is so dangerous is because once cybercriminals get ahold of your files, no security software or system restore can return them to you. Unless you pay the ransom—for the most part, they’re gone. And even if you do pay up, there’s no guarantee the cybercriminals will give you those files back.