Ransomware is a form of malicious code or malware that hackers use to lock or encrypt data on an individual computer or entire network to extort money. Ransomware has become a favorite tactic of cybercriminals in recent years because it’s a relatively easy way to extract money from victims, often with little risk. Ransomware attacks usually start with a fraudulent “phishing” email that injects malicious software into the computer or network, encrypting the victim’s files until they pay anywhere from $1,000 to millions of dollars for a decryption key.
Ransomware has become even more common in the past year or so, affecting critical sectors such as the food industry and oil pipelines, as well as local governments, schools, and hospitals – sometimes with devastating consequences. The good news is that there are ways to limit the risk of ransomware infection and mitigate its impact. This guide explains more about ransomware and how to protect yourself.
The History of Ransomware
Ransomware has been around since the 1980s. One of the first known cases was the so-called AIDS Trojan or PC Cyborg Virus, distributed on a floppy disk and requiring victims to send the ransom to a postal box in Panama, according to the digital security firm CrowdStrike. More recently, ransomware gangs have taken advantage of our increasingly connected world and the emergence of cryptocurrencies to ramp up attacks.
The landscape shifted in 2013 with CryptoLocker, the first ransomware to demand payment in bitcoin. This malware variant used advanced encryption and was delivered over botnets along with the GameOver Zeus banking Trojan. This development led to the creation of a global law enforcement task force known as Operation Tovar.
The surge in ransomware during the COVID-19 pandemic has come largely from an alliance of cybercriminals seeking a quick payoff as well as nation-state entities that “benefit from the disruption and chaos that results from both targeted and widespread attacks on the critical infrastructures of their geopolitical rivals,” according to a report from the Institute for Critical Infrastructure Technology, a Washington think tank.
How Does Ransomware Work?
Ransomware works when an unsuspecting victim clicks on a link or opens an email attachment that installs the malicious code. After that, an individual PC user’s screen typically freezes and a message appears saying something like “Your computer has been locked.” The message also provides instructions for paying a ransom to recover the encrypted files on the victim’s hard drive or network, or regain access to their system. An organization or business may see their network go down and receive a message with a ransom demand.
The software and security firm Datto says the two main forms of ransomware are crypto ransomware, which encrypts a user’s data and files, and locker ransomware, which simply locks users out of their systems. According to the antivirus software firm Norton, other kinds of ransomware attacks involve “scareware,” which threatens users with spyware or other malicious software, and “doxware,” which involves the threat of release of sensitive personal information.
In some cases, ransomware can be combined with other types of cyberattacks, including those that use other forms of malware like spyware or adware. Companies can face denial-of-service attacks that shut down a computer or an entire network if they refuse the ransom demands.
Cybercriminals can automate ransomware attacks by “bundling” the malware with pirated versions of commercial software. This can victimize individual PC users, often in developing countries.
“It’s like spam. It costs next to nothing to launch these attacks, so they don’t need a huge number of people to pay,” says Brett Callow, a threat analyst at Emsisoft, a security firm specializing in ransomware.
More sophisticated attacks target companies and organizations with ransom demands in the millions of dollars. Cybercriminals may not even need the technical skills to write their own ransomware, as they can buy it on dark web forums, according to experts.
Some cybercriminals do write their encryption software and “basically they have a sales channel,” says Rick Holland, chief information security officer at Digital Shadows. This allows for “affiliates” to license the malware for a fee. “It makes it very easy for bad guys to get in the game” by becoming affiliates and getting 70 to 80% of a ransomware take, he says.
New strains of ransomware have cropped up in recent years, including the following.
CryptoLocker was ransomware that raked in an estimated $27 million in 2013 and spurred a global law enforcement response that eventually shut down the botnet controlled by the hackers in 2014, according to the Department of Justice.
The WannaCry ransomware outbreak in 2017 attacked the Windows operating system and impacted hospitals, banks, and communications networks around the world. It infected an estimated 200,000 computers in 150 countries until British researcher Marcus Hutchins found a “kill switch” to bring the virus under control.
Shortly after WannaCry, another ransomware variant called NotPetya made headlines. This was designed to look like ransomware but was later found to be a “wiper” that made it impossible to decrypt files, according to McAfee. Many analysts believe this strain and its predecessor Petya were politically motivated tools deployed by Russia against Ukraine, along with another variant of this strain known as Bad Rabbit.
A costly ransomware strain known as Ryuk, attributed to the Russian hacker group Wizard Spider, hit the computer networks of governments, academic institutions, and health care, manufacturing, and technology firms. It netted an estimated $150 million from 2018 to 2020, Trend Micro says.
A ransomware gang suspected of ties to Russia known as REvil began recruiting “affiliates” to distribute ransomware. REvil delivered a $70 million ransom demand after a devastating attack on the managed software firm Kaseya in 2021 that impacted 1,500 businesses. However, according to Emsisoft, Kaseya was able to obtain a decryption key without paying the ransom.
Another high-profile ransomware attack in 2021 came from a gang known as DarkSide, which shut down the Colonial Pipeline for six days and demanded a ransom of more than $4 million. The FBI recovered at least $2.3 million of that amount after the ransom was paid.
Who Does Ransomware Target and What Harm Does It Cause?
Ransomware gangs typically target organizations that can pay hefty ransom demands, including local governments, schools, hospitals, and a wide range of companies. However, anyone with an internet-connected device can be a victim. There are even examples of mobile ransomware on Android mobile phones and tablets.
Ransomware can have devastating consequences both for organizations and individuals. For example, medical appointments and surgeries had to be canceled following ransomware attacks affecting the UK’s National Health Service in 2017 and Ireland’s in 2021. Other ransomware attacks have hit a major US oil pipeline and meatpacking firm.
Individuals without adequate data backups can lose important files. In addition, ransomware gangs can steal personal data to sell on the dark web or use to commit identity theft. This can include personal, medical, and financial data held by organizations, which victimizes people who have their data stored on the computer systems of corporate targets. “Ransomware can lead to the release of a myriad of data online, and other criminals can download and use it for their own nefarious purposes,” Callow says.
Importantly, ransomware can be combined with other forms of malware like spyware or adware – often used in phishing attempts – to encrypt, steal, or destroy data. Victims who unwittingly install ransomware also may become part of a command-and-control botnet that distributes viruses and ransomware that can encrypt or steal data on other computers.
How to Detect and Prevent Ransomware Attacks
As with any kind of security, prevention and mitigation plans are important. “Most ransomware attacks succeed because of basic security failings,” Callow says. Organizations should use multifactor authentication, properly manage user credentials, and segment their networks, “so if the bad guys get in, they can’t move laterally and bring the whole system down,” Callow says.
The following steps will also help protect against ransomware.
Antivirus software – which is usually updated to include protection against a range of threats from spyware to adware and more – can be the first line of defense, alerting you to suspicious activities, links, and emails. Antivirus software can also detect infections of internet-connected devices, like your home security system or security camera, or smart appliances, like a refrigerator, washer, or dryer. Some security firms offer scans and defense specifically for ransomware.
Intrusion Detection Systems
Companies and networks may rely on more sophisticated intrusion detection systems. Some third-party security platforms use artificial intelligence and behavioral indicators of attack to identify and block ransomware. The Cybersecurity & Infrastructure Security Agency, part of the Department of Homeland Security, highlights the importance of regular vulnerability scanning to protect systems and offers a no-cost vulnerability assessment tool.
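As an added illustration of the kind of behavioral indicator such platforms look for (example code written for this guide, not code from the article or from any vendor): a small Python detector over a constructed set of file-write events that flags a process which, within a short window, rewrites many files with high-entropy (encrypted-looking) content and renames them to a new extension. The event format, process names, and thresholds are assumptions.

```python
import math
import os
from collections import defaultdict

# Constructed sample events: (timestamp_s, process, path, renamed_to_or_None, bytes_written).
# A normal editor touches two files; an unknown process rewrites 40 files with
# random-looking bytes and appends a new extension, the classic crypto-ransomware pattern.
SAMPLE_EVENTS = [
    (0.0, "winword.exe", "C:/Users/a/report.docx", None, b"Quarterly report text " * 8),
    (0.5, "winword.exe", "C:/Users/a/notes.docx", None, b"meeting notes and actions" * 8),
    *[
        (10.0 + 0.1 * i, "unknown.exe", f"C:/Users/a/doc{i}.docx",
         f"C:/Users/a/doc{i}.docx.locked",
         bytes((i * 7919 + k * 104729) % 256 for k in range(128)))  # pseudo-random filler
        for i in range(40)
    ],
]

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits near 8.0, text near 4.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def detect_ransomware_bursts(events, window_s=30.0, min_files=20,
                             entropy_threshold=6.0, rename_ratio=0.5):
    """Return [(process, distinct_files, high_entropy_writes, renames)] for every process
    that, inside one sliding window, rewrites >= min_files files with high-entropy data
    and changes the extension of at least rename_ratio of the files it touched."""
    by_proc = defaultdict(list)
    for ts, proc, path, new_path, data in events:
        by_proc[proc].append((ts, path, new_path, data))
    alerts = []
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e[0])
        for start in range(len(evs)):
            t0 = evs[start][0]
            window = [e for e in evs[start:] if e[0] - t0 <= window_s]
            files = {e[1] for e in window}
            if len(files) < min_files:
                continue
            high_ent = sum(1 for e in window if shannon_entropy(e[3]) >= entropy_threshold)
            renamed = sum(1 for e in window
                          if e[2] and os.path.splitext(e[2])[1] != os.path.splitext(e[1])[1])
            if high_ent >= min_files and renamed / len(window) >= rename_ratio:
                alerts.append((proc, len(files), high_ent, renamed))
                break  # one alert per process is enough; stop scanning further windows
    return alerts
```

Real endpoint telemetry carries richer fields (parent process, signer, network activity) that a production rule would combine with this file-activity signal to keep false positives from backup and compression tools low.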
Companies should teach employees not to click on malicious software links even if they appear genuine. If a ransomware attack succeeds because of a misstep by an employee, “you can’t blame that person,” Callow says. “You have to say it was security planning.”
Good backups are critical for security for both companies and individuals. If you’re able to recover and restore your data from the cloud, you may not need to pay the ransom. For this reason, CISA advises network administrators to maintain offline, encrypted backups of data, and regularly test them. But remember, that doesn’t prevent hackers from releasing or selling your data to other cybercriminals.
What to Do if You’re a Victim of Ransomware
Given the devastating consequences of ransomware, victims need to respond quickly and make some difficult choices. Follow the steps below.
Don’t Pay the Ransom
Most security experts and law enforcement officials advise against paying ransom demands. The FBI points out that there’s no guarantee you will recover your data or avoid further demands or attacks. However, many organizations end up paying ransoms instead of dealing with lost data and having to rebuild their networks.
“My advice would always be never to pay, but I’m not looking at losing all my business data and having my business systems locked up indefinitely,” Callow says. “Unfortunately ransomware exists for one reason only: Organizations keep paying the demands. If nobody did, there would be no more ransomware.”
Isolate the Affected Device(s)
Organizations and individuals hit by ransomware should rapidly assess the infection, isolate any affected devices, and determine if affected data can be restored from a backup. In many cases, it may be useful to call on a professional security service to help.
Callow notes that segmentation can also help contain an outbreak. “Some endpoints may be encrypted but it shouldn’t be a companywide failure,” he says.
Identify the Ransomware
Identifying the ransomware – usually with professional help – may be useful. Companies like Emsisoft can help those who decline to pay the ransom recover from more than a dozen ransomware strains by finding bugs in the malware.
Report the Attack
The FBI recommends reporting ransomware to its local field offices or the Internet Crime Complaint Center. Even an attack on one person can be part of a wider operation and even linked to global cybercriminals.
Restore Your System if You Have a Backup
The goal for any victim is to restore an individual laptop or tablet, or an entire network. Ideally this would be done from an internal backup if available or, in the worst-case scenario, after paying a ransom. Outside professional help may be needed in either case, according to Callow, and can help speed the recovery process.
Why You Can Trust Us
At U.S. News & World Report, we rank the Best Hospitals, Best Colleges, and Best Cars to guide readers through some of life’s most complicated decisions. Our 360 Reviews team draws on this same unbiased approach to rate tech products that you use every day. The team doesn’t keep samples, gifts, or loans of products or services we review. In addition, we maintain a separate business team that has no influence over our methodology or recommendations.