Ransomware: Definition, Types, Recovery, And Prevention

What is ransomware?

Ransomware is a type of malware that prevents users from accessing their data or using their device. In most cases, it encrypts the files and offers a decryption key in return for a ransom.

Types of ransomware:

By the effect on system:

• Scareware makes users believe that there’s a virus on their computer and they need to purchase special software to remove it.
• Locker terminates operations on a PC preventing users from accessing files and programs.
  • Mobile locker acts the same but instead of PC files blocks the mobile device.
• Crypto encrypts all the files. A user can access a file, but the information within it is corrupted.
• Leakware doesn’t harm the user’s files. Instead, it collects the information and sends it to a cybercriminal. The ultimate goal is to blackmail the user threatening the leak the data.

By the target technology:

• On-prem: infects PCs.
• Ransomcloud: infects cloud productivity and collaboration systems like Google Workspace or Microsoft Office 365.

By effect on previous file versions:

• No effect
• The malware encrypts all the versions of a file

Ransomware examples:

Cerber, Locky, CryLocker, CryptoLocker, Jigsaw, Ryuk, Spider, Petya, NotPetya, GoldenEye

Read about the recent examples of ransomware.

How ransomware works

On-prem:

Trick human into downloading a file> Infect > Encrypt > Demand ransom

Cloud:

Trick human into giving access to their cloud drive > Infect > Encrypt > Demand ransom

Read more about ransomware in action.

Channels of ransomware spread:

1. Emails with links or file attachments:
   • Spam emails are sent to hundreds of people. They are usually of low quality and contain many mistakes.
   • Spoofing is pretending to be a trustworthy sender (mostly well-known and trusted organization like Amazon, Google, or Microsoft)
   • Spear phishing is pretending to be the authority of the recipient’s organization (e.g., a CEO).
2. Posts on social networking websites that contain a link to malicious software
3. Botnets. A computer that has previously been infected and becomes a part of a botnet can be an easy target for ransomware.
4. Malvertising is advertising on a trusted website that redirects to a malicious website.
5. Compromised websites. Cybercriminals look for vulnerabilities in trusted resources and inject malicious code. Alternatively, they create their own websites, often with prohibited content.
6. Applications and programs from trusted developers can contain vulnerabilities. Hackers would look for them and exploit them to inject malicious code.
7. Infected hardware, for example, removable media.

How to remove and recover from ransomware:

If you don’t have a backup follow the steps below:

1. Isolate your device from the network and other devices
2. Make screenshots and copy the ransom demand note
3. Report the crime to authorities
4. Check if previous versions of your files are also encrypted.
5. If no:
   • Run the antivirus software to eliminate ransomware.
   • Then restore files.
6. If your file versions are also corrupted:
   • Use online tools to determine your type of ransomware
   • Look for and download decryption keys
7. If your ransomware is new and there are no decryption keys, estimate the consequences of paying ransom vs. deleting your files and act accordingly.
8. Take the necessary steps to prevent getting ransomware in the future.

Keep in mind that these steps do not guarantee the recovery of your files unless you have backup or DLP.

How to prevent a ransomware attack

There are multiple strategies to defend against this type of malware. Here are four simple measures:

1. Educate your employees about social engineering techniques
2. Purchase backup tools
3. Purchase anti-ransomware software
4. Alternatively, purchase a tool that backs up your data and eliminates ransomware at the same time.