What is ransomware?
Ransomware is a digital crime where your computer files are ‘stolen’ and encrypted, blocking you from your computer. To gain access to your files you usually have to pay a ransom, normally in bitcoin.
It takes an average of 3 seconds after clicking an infected link for ransomware to start encrypting your files at lightning speed according to Arctic Wolf Networks.
There are three steps:
- You receive a phishing email containing the ransomware link.
- The victim clicks on an infected link, the ransomware is delivered and starts encrypting files.
- A screenshot will then appear on your screen announcing the ransomware infection, how much the ransom is and how it’s to be delivered to the criminal.
Whatever, the screenshot wording says, the message is GOTCHA!
Who are the victims?
Ransomware is an international phenomenon. Although the majority of cases are heavily focused in the US.
53% of Ransomware detections came from the US in June 2018 – 2019
Canada receives 10% and the UK 9% following the trend of targeting English speaking countries according to Malwarebytes’ global detection statistics.
46% of SMBs have been targeted by ransomware, 73% have paid the ransom.
Shocking figures from Infrascale, highlighting that smaller sized businesses are certainly not targeted less because of their size.
The History of Ransomware
Ransomware has changed its nature in the last few years. About ten years ago, ransomware was a simple scam based on fake antivirus apps leading to a payment to ‘fix’ the problem.
Then, the fashion changed to ‘blockers’ or ‘lockers’ that locked the user out of their computers asking for payment to be unlocked.
Now, the fashion is for ‘crypto-ransomware’ that not only locks you out of your files but also encrypts your files. You will likely have to pay a ‘ransom’ in bitcoins to get your files back.
Bitcoin has significantly increased the success and profitability of ransomware of criminals. By using a bitcoin ‘wallet’ for each attack, then moving these wallets through chains of wallets, the movement of money is outside the traditional financial system and anonymous.
Crypto-ransomware is very effective. It generally uses unbreakable encryption and if the user has no file backups then the only solution may be to pay the ransom.
Even if you pay you may not get your files back – don’t forget you are dealing with anonymous criminals!
The near-majority of people pay the ransom. However, a significant minority of payers do not get their files restored or the restoration instructions are not complete or do not work.
The cost is also rising dramatically according to the Coveware Q2 Ransomware Marketplace Report and this trend is what we expect to continue seeing.
The average ransom payment increased by 184% from Q1 to Q2 this year, nearly tripling the cost from $12,762 to $36,295
How are ransomware attacks delivered?
Spam campaigns hit millions of users daily. Just 0.001% of these spams finding a victim still means high profits to the criminals.
A click-rate of only 0.001% (and lower) is still very profitable to the criminal – they sent out 10m spam emails. At 0.001% click-through rate, that’s over $100,000 of ransom returns!
The most common way of infection is by a person(s) simply clicking on a link in a botnet-delivered email. Some of these emails will be categorised as spam and others deleted by the recipient, however, the criminal plans on these deletions.
Ransomware criminals are now becoming more expert, innovative and audacious with their tactics.
They are finding ways to stay out of the spam folder to increase their click rate by creating more believable personalised campaigns with a higher ransom cost.
Personalised methods of attack to watch out for
1.) Social media
The newer trend is to ‘personalise’ the email using data from social media sites. The criminal collects data from sites like Facebook or LinkedIn and searches for potential candidates.
Or, they may buy or hire email lists of individuals in a certain target industry and/or profession. Sure, the criminal is spending time and money but they will get a higher click-through rate.
On a much-reduced spam email volume, they might net $250,000 or more.
2.) Impersonation of the government or a business
Further variations are emails from well-known organizations such as a delivery note from UPS, an alert from the IRS (Internal Revenue Service), a family post on social media and so on.
These infections depend on spam emails getting through. A more reliable method for criminals is to get the recipient to download an infected work-relevant file containing a macro, which in turn delivers the ransomware.
Within the download is a macro that may initiate the ransomware at a later date.
As the criminals say ‘‘job done’’, and then they wait to receive their $250,000 returns.
4.) Exploit kits
Although seemingly reliable as a source, the download leads to the ransomware being installed.
Further variations are ‘iframes’ installed on web servers and the web pages on the server. The ’iframe’ directs website visitors to the exploit server, which downloads the ransomware. Variations are particularly harmful. For example, an advert placed on a popular website is an advert that directs to the exploit kit.
Simply put, it’s based on one inadvertent and simple action. Someone clicks on an infected link on an email and/or website – stop this and you stop ransomware.
We understand that it’s not always that clear cut which is why we provide educational materials to our insureds and educational content to our followers in the hope that we can contribute to the creation of a cyber-risk aware world.