What is ransomware?
Ransomware is a type of malicious software – AKA malware – that infects and takes control of a device. It blocks access to files or even whole devices, and then sends a message demanding a ransom to grant access to those files.
This is a common form of cybercrime that has recently affected universities, hospitals and meatworks. Because it blocks vital data from being accessed, it can massively disrupt organisations that use the shared networks and/or the internet – which is, well, everyone at this point.
How does ransomware work?
Malware is infectious software that will download onto a computer, phone or other device. It can be shared though phishing emails, links in messages or other online locations, or fake download buttons. Sometimes it can be difficult to tell whether a link or button is malicious in the first place.
When the fake link is clicked, the malware automatically downloads and then hunts through the system or network to identify important data. The software can lock the device or files with a new password, or encrypt files with a secret key, preventing access.
This can be exacerbated because malware can be accompanied by social-engineering tools that trick you into granting admin access, or it can exploit security holes to dive into the important files and software on the computer without even needing to get ‘permission’.
There are many ways of encrypting files, but the point is to prevent user access with computer algorithms. Without an up-to-date backup, this data is essentially lost.
The user will then often see a ransom note in the form of a message demanding (usually) money to lift the password or encryption.
Of course, paying the ransom doesn’t mean the cyber-criminal will actually lift the encryption, and if you have paid up once, there is incentive for the criminal to do it again.
The real kicker here is that the infectious software can gain access to a whole network of connected devices, even if it has been downloaded on just one computer – which means businesses that have shared data can be completely prevented for accessing anything, including saved files, emails and user profiles.
There is no simple explanation of how the programming works – it is complex software engineering that can be continuously updated, and there are different examples that can be spread and downloaded in ways the suit the attacker.
What does ransomware look like?
Because malware can pop up in almost anywhere, it is often hard to identify.
A lot of ransomware is designed to look like something real, such as a casual email attachment, something shared via social media, or a website that looks almost like a real website you wanted to visit, but has a few different letters in the URL.
in one sneaky approach, the attacker can even pretend to be somebody from law enforcement who is “stopping another cybercrime” that they accuse you of, and then demand a fine from you – but there are easier ways to get access to a device.
The main thing to remember is that a lot of phishing can be prevented by not clicking suspicious links. Just a little life hack on how not to get hacked.
Who is committing ransomware cybercrimes?
More seriously, this in an increasingly big business – between ransoms paid, loss of data and downtime, costs of recovery, and other security and investigations, ransomware attacks cost the world $5 billion in 2017.
Cybercriminals are often individuals or work in teams or networks, but there are also crimeware-as-a-service groups that essentially operate as a business.
What cybersecurity measures need to be in place?
Technology develops so quickly that defenders and attackers can get stuck in an arms race, so cybersecurity and trained professionals are absolutely essential to an online world, especially as we begin to incorporate more AI and machine learning into our manufacturing. Once ransomware is in a network, it’s extremely hard to remove.
How ransomware incidents go as a thread, for those who haven’t dealt with them, day 1 versus day 14:— Kevin Beaumont (@GossiTheDog) June 1, 2021
“We will restore from backup!”
“nobody knows how to restore from backup without Active Directory. Also, we have no backup server or tape library drivers.. or working backups”
First and foremost, keep backups. If all your files get encrypted but you have another offline backup, it’s simple to restore your data.
Always keep your malware security up to date. Attackers obviously try to get around this security, but it is a whole lot better than having none at all. Many companies test their systems with white hat hackers, who attempt to hack their systems to recognise – and fix – the security flaws.
Teaching people to recognise phishing emails and be cautious about suspicious sites and links is also necessary, but it can only go so far, because phishing material is constantly being ‘improved’ to blend in better. Don’t click on links or open attachments if you don’t know the sender of the email. A lot of these emails suggest you need to make a payment, have breached some sort of contract, or pretend to have blocked access to an account.
Because ransomware secretly searches your device, there can be a delay between when a link is clicked and when files are encrypted. There is a rise in predictive analytics and machine learning to help detect this suspicious behaviour and shut it down early.
And finally, if you do get attacked, don’t pay up, because it’s likely to make you seem like an easy target in the future.
Q&A with a cybersecurity expert
We asked Diep Ngyuen, Senior Lecturer in the Faculty of Engineering and Information Technology at UTS, for a little more depth. This is what they said
How can a cyber-attack effect a whole network?
Cyber attacks target either to bring down networks/systems (make them malfunction) or to compromise the information access authority or integrity.
Although the former is often closer and easier to understand to most people, the latter is more popular and the major target of most daily life cyber attacks.
For example, DoS (Denial-of-Service) attacks can make a network or service inaccessible for some time, disrupting corporates’ functioning or business. These types of attacks can be easily detected.
However, cybercrimes often target high-value information and attempt to illegally access it or even alter the information.
The information authority or integrity attacks are more difficult to be detected but their consequences can be very damaging, even much worse than the DoS attacks.
What are some common cybersecurity precautions?
To prevent or reduce risks from cyber attacks, IT core engineers/experts and daily users can take different approaches. However, these approaches all aim to early detect cyber threats, then effectively protect or cure the systems when the attacks really happen.
One of the most common precautions [is] to avoid using services/websites, apps, hardware from non-certified or low-reputation sources/providers. These systems often have back doors or vulnerable loopholes that can be leveraged by cybercrimes.
The second precaution would be to update and follow security recommendations from governments and experts, e.g., using multi-factor authentication methods, not to share or be cautious on sharing personal/private information like Date of Birth, photos, [etc] on open platforms (even social media).
The last, but not least, is to become more aware of cyber threats/risks before deciding to take any action (e.g., do you understand the risk of using Apple pay or using activity trackers?).
How has cyber security changed over the last decade?
Cyber security landscape has been changing dramatically over the last 10 years. This is because of the penetration of IT to every corner of our daily life, from working, entertaining, to sleeping.
This is also because of the ever-growing advances in attacks and their countermeasures. In comparison with 10 years ago, the number of connecting devices today has been increased by multiple times.On average, each person now would have more than a few connecting devices (e.g., phones, activity trackers, laptops, sensors at home).
These devices, [while they] bring us lots of conveniences, are making us more vulnerable to cyber threats when they are attacked or compromised. More importantly, most of these newly added devices (e.g., in Internet of Things) are limited in computing and storage capability or referred to as low-end devices in cyber security. They are more susceptible to cyber threats.
The advances in machine learning and AI also empower cybercrimes, allowing them to launch larger scale and more damaging attacks.
Originally published by Cosmos as What is ransomware and how is it dealt with?
Deborah Devis is a science journalist at Cosmos. She has a Bachelor of Liberal Arts and Science (Honours) in biology and philosophy from the University of Sydney, and a PhD in plant molecular genetics from the University of Adelaide.
Read science facts, not fiction...
There’s never been a more important time to explain the facts, cherish evidence-based knowledge and to showcase the latest scientific, technological and engineering breakthroughs. Cosmos is published by The Royal Institution of Australia, a charity dedicated to connecting people with the world of science. Financial contributions, however big or small, help us provide access to trusted science information at a time when the world needs it most. Please support us by making a donation or purchasing a subscription today.