How Does Ransomware Work?

29 October 2018 | Written by Coder Academy

Ransomware is a fast-growing cyber threat. Chances are, it’s already affected someone you know. One of the most notorious ransomware attacks was the WannaCry worm, which infected more than 200,000 computers across 150 countries in just 4 days. Some estimates of the damages exceed one billion dollars, taking into account data loss, service outages, disrupted operations, and recovery.

So what is ransomware and why is it so dangerous?

The idea behind ransomware is that our data is important to us. Imagine losing your family photos, or emails, or important business files. As the name suggests, ransomware takes data on your computer or other device and holds it ransom—you receive a demand for money in order to get it back, or in order to prevent your private files from being made public.

Sometimes the files on an infected computer are encrypted, so they are still there but unreadable without the right decryption key. Other times, the files are uploaded to an attacker’s server and then deleted from the infected computer.

Most of the time this is done for financial gain by criminal organisations, but sometimes it can be used as an act of terrorism to cause widespread economic disruption. Experts believe WannaCry originated in North Korea, so there may have been political motives, although North Korea denies involvement.

Unfortunately, just like in real-life hostage situations, you can’t be sure the attacker will actually release your information when you pay up. In fact, sometimes the information is already gone, either due to attacker carelessness or because the attacker hasn’t taken the trouble to make the information retrievable. Thus many people don’t give in to attackers’ demands. However, since these attacks are generally automated and can affect a huge number of computers, only a small percentage of victims need to pay a ransom for an attacker to make a large sum of money. WannaCry brought its attackers $180,000 in payments, while CryptoLocker made over $4 million.

What happens when you are infected?

The first thing that happens after an infection is that files are encrypted, deleted, or uploaded. Then, the user is typically notified of it with a prominent message that is designed to cause panic.

Many ransomware attacks demand payment in cryptocurrencies like Bitcoin because they are impossible to trace. It is reasonably easy for a victim to purchase $300 worth of Bitcoin and transfer it to the attacker.

Some ransomware does not perform anything sophisticated, simply hiding or moving files, which someone with technical expertise can easily reverse. Nonetheless, people with little technical skill (who are also less likely to keep backups) will not know what to do, and may pay the ransom.

More sophisticated ransomware uses encryption. Simple encryption algorithms use the same encryption and decryption key, thus if the program that performed the encryption can be analysed, the decryption key can be found within. However, the strongest ransomware uses public/private key cryptography. By using separate keys for encryption and decryption, the infected computer never has the decryption key—unless the attacker provides it once the ransom is paid.

How does ransomware spread, and how can I stay safe?

Ransomware uses a variety of techniques. They range from tricking people into opening infected attachments (e.g. CryptoLocker), to exploiting operating system vulnerabilities (e.g. WannaCry). Ransomware which exploits OS vulnerabilities can spread like wildfire because it does not require human interaction to spread. Like other malware, ransomware can access your email address book and email all your contacts, impersonating you.

It is crucial to make sure all software is patched, to use properly configured firewalls, to keep regular backups and to make sure people are trained to be wary of potentially harmful files. However, the best defence is to have trained cyber security professionals to regularly test an organisation’s defences, and keep those defences as strong as possible as the cybersecurity landscape evolves.
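Backups only help if the encrypted or deleted files described earlier are noticed before they overwrite good copies. The following is an added example, not code from the original article: it compares a folder against a saved hash manifest and flags files that vanished or turned into random-looking data. The function names, the 7.5 bits/byte threshold and the 20% pause ratio are assumptions.

```python
import hashlib, math, os
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits/byte; assumed cut-off, encrypted data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text is roughly 4-5, encrypted or compressed data ~8."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def snapshot(root: str) -> dict:
    """Map relative path -> (sha256 hex digest, entropy) for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            manifest[os.path.relpath(path, root)] = (
                hashlib.sha256(data).hexdigest(), shannon_entropy(data))
    return manifest

def compare(baseline: dict, current: dict) -> dict:
    """Classify what happened to each baseline file since the snapshot."""
    report = {"missing": [], "modified": [], "suspect_encrypted": []}
    for path, (digest, old_entropy) in baseline.items():
        if path not in current:
            report["missing"].append(path)  # deleted, moved or renamed
            continue
        new_digest, new_entropy = current[path]
        if new_digest == digest:
            continue
        # Content changed AND went from structured to near-random: looks encrypted.
        # Files that were already high-entropy (zip, jpg) land in "modified" instead.
        if new_entropy >= ENTROPY_THRESHOLD > old_entropy:
            report["suspect_encrypted"].append(path)
        else:
            report["modified"].append(path)
    return {kind: sorted(paths) for kind, paths in report.items()}

def should_pause_backup(report: dict, baseline_size: int, ratio: float = 0.2) -> bool:
    """Assumed policy: hold the backup job if over 20% of files vanished or look encrypted."""
    hits = len(report["missing"]) + len(report["suspect_encrypted"])
    return baseline_size > 0 and hits / baseline_size > ratio
```

Run `snapshot()` after each known-good backup and `compare()` before the next one, keeping the manifest somewhere the monitored machine cannot write to.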

There is a shortage of cyber defence skills because cyber threats are evolving so rapidly. Ransomware is a big threat now, but who knows what new kinds of attacks are around the corner?
