Ransomware is a digital crime where your computer files are ‘stolen’ and encrypted, blocking you from your computer. To gain access to your files you usually have to pay a ransom, normally in bitcoin.
It takes an average of 3 seconds after clicking an infected link for ransomware to start encrypting your files at lightning speed according to Arctic Wolf Networks.
There are three steps:
Whatever, the screenshot wording says, the message is GOTCHA!
Ransomware is an international phenomenon. Although the majority of cases are heavily focused in the US.
53% of Ransomware detections came from the US in June 2018 – 2019
Canada receives 10% and the UK 9% following the trend of targeting English speaking countries according to Malwarebytes’ global detection statistics.
46% of SMBs have been targeted by ransomware, 73% have paid the ransom.
Shocking figures from Infrascale, highlighting that smaller sized businesses are certainly not targeted less because of their size.
Ransomware has changed its nature in the last few years. About ten years ago, ransomware was a simple scam based on fake antivirus apps leading to a payment to ‘fix’ the problem.
Then, the fashion changed to ‘blockers’ or ‘lockers’ that locked the user out of their computers asking for payment to be unlocked.
Now, the fashion is for ‘crypto-ransomware’ that not only locks you out of your files but also encrypts your files. You will likely have to pay a ‘ransom’ in bitcoins to get your files back.
Bitcoin has significantly increased the success and profitability of ransomware of criminals. By using a bitcoin ‘wallet’ for each attack, then moving these wallets through chains of wallets, the movement of money is outside the traditional financial system and anonymous.
Crypto-ransomware is very effective. It generally uses unbreakable encryption and if the user has no file backups then the only solution may be to pay the ransom.
Even if you pay you may not get your files back – don’t forget you are dealing with anonymous criminals!
The near-majority of people pay the ransom. However, a significant minority of payers do not get their files restored or the restoration instructions are not complete or do not work.
The cost is also rising dramatically according to the Coveware Q2 Ransomware Marketplace Report and this trend is what we expect to continue seeing.
The average ransom payment increased by 184% from Q1 to Q2 this year, nearly tripling the cost from $12,762 to $36,295
Spam campaigns hit millions of users daily. Just 0.001% of these spams finding a victim still means high profits to the criminals.
A click-rate of only 0.001% (and lower) is still very profitable to the criminal – they sent out 10m spam emails. At 0.001% click-through rate, that’s over $100,000 of ransom returns!
The most common way of infection is by a person(s) simply clicking on a link in a botnet-delivered email. Some of these emails will be categorised as spam and others deleted by the recipient, however, the criminal plans on these deletions.
Ransomware criminals are now becoming more expert, innovative and audacious with their tactics.
They are finding ways to stay out of the spam folder to increase their click rate by creating more believable personalised campaigns with a higher ransom cost.
1.) Social media
The newer trend is to ‘personalise’ the email using data from social media sites. The criminal collects data from sites like Facebook or LinkedIn and searches for potential candidates.
Or, they may buy or hire email lists of individuals in a certain target industry and/or profession. Sure, the criminal is spending time and money but they will get a higher click-through rate.
On a much-reduced spam email volume, they might net $250,000 or more.
2.) Impersonation of the government or a business
Further variations are emails from well-known organizations such as a delivery note from UPS, an alert from the IRS (Internal Revenue Service), a family post on social media and so on.
These infections depend on spam emails getting through. A more reliable method for criminals is to get the recipient to download an infected work-relevant file containing a macro, which in turn delivers the ransomware.
Within the download is a macro that may initiate the ransomware at a later date.
As the criminals say ‘‘job done’’, and then they wait to receive their $250,000 returns.
4.) Exploit kits
Although seemingly reliable as a source, the download leads to the ransomware being installed.
Further variations are ‘iframes’ installed on web servers and the web pages on the server. The ’iframe’ directs website visitors to the exploit server, which downloads the ransomware. Variations are particularly harmful. For example, an advert placed on a popular website is an advert that directs to the exploit kit.
Simply put, it’s based on one inadvertent and simple action. Someone clicks on an infected link on an email and/or website – stop this and you stop ransomware.
We understand that it’s not always that clear cut which is why we provide educational materials to our insureds and educational content to our followers in the hope that we can contribute to the creation of a cyber-risk aware world.
We provide leading comprehensive insurance coverage combined with essential cybersecurity prevention and detection tools.
Interested in Cyber Insurance?