What is ransomware?

Ransomware is a type of malware that infects end user computers, as well as organisations’ servers. Once ransomware gets on to a computer, it silently encrypts all the files on the computer or just certain types of files such as databases, spreadsheets, and documents.

 

Once this process is complete the ransomware locks the computer and all the encrypted files become inaccessible. The ransomware presents a ransom note demanding a payment in cryptocurrency for the decryption key needed to restore access to all the encrypted files.

 

Most ransomware also seeks out network connections from an infected computer to other computers, so that a single infection can lead to a large number of an organisation’s computer becoming infected very quickly.

 

 

Is ransomware a big problem?

 

Ransomware exploded onto the computing scene in the mid-2000s and every year the ransomware problem gets worse. Cyber criminals behind ransomware attacks netted about $20 billion in ransoms in 2020, almost double the amount the previous year, according to cyber security company Crowdstrike.

 

But these figures are just the tip of the iceberg as far as ransomware is concerned, because many organisations choose not to pay the ransoms that are demanded. Instead they seek to disinfect their computer systems and recover their data from backups, often suffering severe disruption to their operations for days or even weeks.

 

In total, ransomware attacks costs American small businesses more than $75 billion per year in recovery costs and getting their activities up and running again, according to Datto, a security software company.

 

The UK, according to Serbus, was the second most-attacked country in the world last year for ransomware attack, costing UK businesses a total of £365 million for the year.

 

 

How does ransomware work?

 

Most ransomware uses established modern encryption algorithms to encrypt data on infected computers.

 

These algorithms are extremely effective, meaning that there is no known method of decrypting data once it has been encrypted without knowing the decryption key.

 

Since there are a huge number of possible keys, it would take millions or even billions of years to have a reasonable chance of guessing the decryption key even if you could make millions of different guesses every second.

 

The good news is that a minority of ransomware authors are not good at implementing encryption correctly into their malware. As a result, it is occasionally possible to decrypt encrypted files without the decryption key.

 

What’s more, some ransomware writers use the same decryption key every time their ransomware infects a computer. If your computer is infected with one of these strains of ransomware then it is possible to obtain the decryption key from a repository such as NoMoreRansom or Heimdal Security’s decryption tool directory.

 

 

Ransomware as a service 

 

Unfortunately, these flawed strains of ransomware are becoming less common, in part due to the rise of Ransomware as a service (RaaS). This involves a few skilled ransomware writers creating ransomware and renting it to cyber criminals to use to infect computers and collect ransoms.

 

RaaS offerings enable non tech-savvy criminals to enter the ransomware racket easily by accessing well-written ransomware. The cyber criminals can use ransomware to infect computers in any way they like, and it can be customised to change the language of the ransom note and the amount of the ransom.  

 

At the end of 2020, the average ransom demand was more than $150,000, according to ransomware recovery specialists Coveware.

 

The ransomware writers provide their malware to cyber criminals in a variety of ways including:

• For a fixed monthly fee
• For a one-time license fee
• On an affiliate basis, with criminals paying a lower monthly fee while the service provider retains about 25% of the ransoms
• On a pure profit sharing or “no ransom no fee” basis.

RaaS offerings usually provide criminals with dashboards showing them how many computers the malware they are using has infected, how many ransomware demands have been issued, and how many payments have been received.

 

 

How can you get your data back if infected with ransomware?

 

Data that has been encrypted by ransomware cannot generally be accessed from that computer without paying the ransom, and even paying the ransom does not guarantee recovery will be possible.

 

That’s because up to 40% of organisations that pay a ransom do not get a decryption key in return, according to Coveware. Even when a decryption tool is supplied by the criminals, organisations still lose more than 5% of their data, the company found.

 

But it is still possible to access the data that has been encrypted if a backup copy of this data has been made and is stored on another storage device – either attached to a seperate computer or in the cloud – that has not also been infected with the ransomware.

 

That means that the best defence against ransomware is to ensure that all your data is backed up regularly. Ideally, separate backups should be made to a local device (such as another computer or a USB drive) as well as to a storage service in the cloud.