Ransomware is malicious software that an intruder uses to prevent the owner of a computer from accessing their data, using it, or using the system at all. It does this by encrypting the data on the victim's computer or by blocking access to it, and then demands a ransom for decryption or release. In recent years, ransomware has emerged as one of the most pervasive and damaging cyber threats facing individuals, businesses, and organizations worldwide, inflicting significant financial losses and operational disruptions across many sectors.
Known Incidents of Ransomware Attacks
The idea dates back to September 1989, when the AIDS Trojan horse was mailed on floppy disks to numerous research institutions. After some time, the program encrypted the data on the hard drive. According to the on-screen message, a license had expired; a company name was given, along with a P.O. Box address in Panama to which a check was to be sent to purchase a license key and release the data. The scheme was therefore not immediately recognisable as blackmail.
The first malware capable of encrypting files was the boot sector virus Disk Killer. It was not designed for blackmail, however, but was intended to cause data loss on server systems. It also appeared in 1989 and, according to its signature, was written before the AIDS Trojan. Not all ransomware encrypts data; simpler programs of this type lock the computer using various methods.
One of the first known attempts to spread ransomware over the Internet was made by cybercriminals in 2005 with the Trojan TROJ_PGPCODER.A. Those affected were to pay several hundred US dollars for the decryption of their data. Since cryptocurrencies have become established, transferring money has become much easier and less risky for the perpetrators. As a result, from around 2010 onwards, there has been a massive increase in ransomware crimes almost worldwide.
Since about 2012, there have been frequent incidents with different variants of the BKA Trojan. It claimed to have locked the computer on behalf of a law enforcement agency because of illegal activities, and a fine was to be paid to unlock it. These Trojans usually did not encrypt any data but only locked the system, and in most cases the damage was easily repaired. Victims who paid the demanded sum received no response or instructions on how to unlock the system either.
In the meantime, paid and free modular kits, so-called crimeware kits, have appeared in underground forums with which ransomware can be assembled. In October 2013, the CryptoLocker ransomware became known; it was the first to demand payment in Bitcoin. In May 2017, the WannaCry computer worm infected several large global companies, among others, in a very short period of time; over 230,000 computers in 150 countries were infected. Because of this magnitude, the European Police Office described the outbreak as an unprecedented event. In addition to its main distribution as an e-mail attachment, WannaCry also has the characteristics of a network worm and actively tries to infect other computers through security vulnerabilities in the operating system, without any user intervention. Systems that were up to date with Microsoft's April 2017 patches were not affected. Certain file and printer sharing services had to be enabled for this, which is why WannaCry spread primarily within company-internal networks, some of which had been vulnerable for a long time. Paying the ransom was pointless in this case too, as the ransomware was programmed incorrectly and a clean decryption of the data was therefore not possible.
Since 2019, mobile phones have increasingly become victims of ransomware attacks. According to a study by the research institute, the number of cyberattacks on smartphones and tablets increased by fifty percent in the first half of 2019 compared to the previous year.
Common Attack Vectors
Ransomware attacks can occur through various vectors, with cybercriminals employing increasingly sophisticated tactics to infiltrate systems and networks. Phishing remains a prevalent method for delivering ransomware payloads, with attackers masquerading as legitimate entities to trick users into clicking malicious links or downloading infected attachments.
Cybercriminals exploit vulnerabilities in software and operating systems to deliver ransomware payloads through exploit kits, which automate the infection of vulnerable systems. Attackers also use weak or default credentials to gain unauthorized access to systems via Remote Desktop Protocol, enabling them to deploy ransomware and encrypt valuable data. Visiting compromised websites or downloading pirated software can likewise expose users to ransomware infections, as attackers leverage drive-by downloads and malicious advertisements to distribute malware.

What Ransomware Does
Ransomware can enter a computer in the same way as a computer virus. These ways include crafted email attachments, the exploitation of security vulnerabilities in web browsers or via data services such as Dropbox.
For example, e-mails are sent pretending that an attached ZIP file contains an invoice or delivery note for ordered goods. It is also sometimes claimed that the Police Office or Microsoft detected illegal activities on the computer and subsequently blocked it.
Infiltration of systems and exfiltration of data
Before, during, and after ransomware encrypts data, several dangerous processes can take place. In the case of manually operated ransomware, the attackers connected to the compromised system try to move around it and the networks connected to it (infiltration). To get a simplified idea of how the attackers operate, it helps to think of remote maintenance software, even though the attacks can be far more sophisticated technically. Movement through the compromised system is referred to as lateral movement. Even after the data on individual computers has been encrypted, there is a risk that further encryption in connected systems will follow unless countermeasures are taken. If the intruders find data that looks interesting and valuable, they examine it. Via partly covert and anonymized channels, they transmit the data from the private or organizational network to the Internet, to storage systems under their control (exfiltration). After reviewing and assessing the value of the stolen data, they decide whether to use it for extortion or to sell it to third parties.
Blocking the system
An infected computer can be blocked in a number of ways. Simpler and more harmless blackmail attempts only manifest themselves in a notification window that appears at every system start and cannot be closed; the Task Manager is blocked as well. Inexperienced PC users do not know how to end this blockage, and paying the ransom seems to be the only way out. The amount is credited to the blackmailer by entering payment details on the infected PC, which transmits them electronically to the perpetrator. The cryptocurrency Bitcoin is another anonymous payment method used.
Document encryption
Particularly malicious variants of ransomware have a much greater potential for damage: they encrypt files on the computer, preferably files that can be assumed to be very important to its owner and may be irretrievable. On Windows systems, ransomware usually starts in the My Documents folder and prefers documents created with Office applications, as well as e-mails, databases, archives, and photos. Without the decryption password, the user no longer has access to their contents. Unlike spyware, it therefore does not need to move large amounts of data.
In order to decrypt the data, the intruder demands that the affected user pay a ransom in exchange for decryption software or the required password. In some cases, the user is first asked to contact the ransomware operator separately, for example by e-mail to a specific address, by visiting a specific website, or via a web form. The criminals often threaten that all data will be destroyed if the victim contacts the police.
The infected computer may be further manipulated and monitored by the malware; it may therefore not be used for further work, in particular not for activities that require a password. Transferring the ransom money from the affected computer via online banking is to be regarded as gross negligence.
In some cases, the attacker does not even provide a way to decrypt the encrypted files, so these files are irrevocably lost unless a backup copy exists.
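The in-place overwriting of Office documents, photos and archives described above leaves a trace that a defender can look for: the file's header no longer matches its extension and its content has near-maximal entropy. The following Python scanner is an added example, not part of the original article, and assumes its own short list of header signatures and a 7.2 bit-per-byte entropy threshold:

```python
import math
import os
import tempfile
from collections import Counter

# Header bytes of document types ransomware targets first (assumed list).
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pdf": b"%PDF",
         ".doc": b"\xd0\xcf\x11\xe0", ".jpg": b"\xff\xd8\xff"}
ENTROPY_THRESHOLD = 7.2  # bits/byte; ciphertext approaches 8.0 (assumed cut-off)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or constant input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes, ext: str) -> bool:
    """Header no longer matches the extension AND content is near-random.
    A mismatch alone (e.g. a zero-filled file) is corruption, not ciphertext."""
    magic = MAGIC.get(ext.lower())
    if magic is None or data.startswith(magic):
        return False
    return shannon_entropy(data[:65536]) > ENTROPY_THRESHOLD

def scan(root: str) -> list:
    """Walk a tree (e.g. a Documents folder); return sorted paths that look encrypted."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1]
            if ext.lower() not in MAGIC:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(65536)  # the first 64 KiB is enough to judge
            if looks_encrypted(head, ext):
                hits.append(path)
    return sorted(hits)

def demo() -> list:
    """Constructed tree: intact .docx, zero-filled .pdf (corrupt, not ciphertext), .docx overwritten with uniform bytes as stand-in ciphertext."""
    with tempfile.TemporaryDirectory() as d:
        noise = bytes(range(256)) * 16  # every byte value equally often: 8.0 bits
        samples = {"intact.docx": b"PK\x03\x04" + noise,
                   "empty.pdf": b"\x00" * 2048, "report.docx": noise}
        for name, content in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        return [os.path.basename(p) for p in scan(d)]
```

Compressed formats such as .docx or .jpg are themselves high-entropy, which is why the header check is required before the entropy test; a real deployment would also watch the write rate per process rather than scan after the fact.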
Impact on Victims
The impact of ransomware attacks can be devastating, resulting in financial losses, reputational damage, and operational disruptions for victims. When ransomware encrypts critical data, organizations may face prolonged downtime, loss of productivity, and potential legal and regulatory consequences. Moreover, paying the ransom does not guarantee the recovery of encrypted files and may embolden attackers to target victims repeatedly.