You’re working on your laptop and suddenly, you can’t access any of your files. Photos, MP3s, documents, spreadsheets – they’re all encrypted! A message pops up with a ransom demand: unless you pay a certain amount of money by a certain time, all your files will be destroyed, or will remain encrypted forever. You will lose everything, all of your files, images and memories. What do you do? What can you do?
This is ransomware, an integral – and growing – part of the cybercriminals’ toolkit. They have one thing in mind – to extort money from their victims. If the victims don’t have a backup, the impact could be disastrous. So it’s unsurprising that many people choose to pay up.
Ransomware spreads in the same way as other malware. Often, it’s delivered as an email attachment or link: once the attachment is opened, or once the victim clicks on the link, the malware is installed on their system. But a victim might also be infected by visiting a compromised website – in a so-called ‘drive-by download’.
> See also: How Chimera changes the ransomware game
CoinVault is a classic example of ransomware. This malware campaign started in May 2014 and continued into 2015, targeting victims in more than 20 countries, with the majority of victims in the Netherlands, Germany, the United States, France and Great Britain.
The cybercriminals behind the campaign successfully encrypted files on more than 1,500 Windows-based computers, demanding payment in bitcoin to decrypt data.
In April 2015, Kaspersky Lab and the Dutch National High Tech Crime Unit (NHTCU) launched a website to act as a repository of decryption keys discovered during a joint investigation into the attacks.
In addition, Kaspersky Lab also made available online a decryption tool to help victims recover their data without having to pay the ransom. Then in May 2015, the Dutch police arrested two men for suspected involvement in the CoinVault malware campaign.
However, if this closes the case on CoinVault, it doesn’t end the growing problem of ransomware. In 2015, we detected ransomware on 753,684 computers around the globe (an under-estimate, because it doesn’t include the infections we blocked based on their behavior).
Cybercriminals continue to develop ransomware programs (including ransomware apps targeting smartphones – in 2015, 17% of ransomware infections were on Android devices), exploiting the fact that individuals and businesses don’t make regular backups of their data. What should these victims do?
Like other forms of malware, ransomware programs try to be as stealthy as possible, showing no impact on the system until they have blocked access to the system or have encrypted the data stored on it.
It is only when an unwelcome message appears on the screen, demanding payment of hundreds or thousands of pounds (or its equivalent in other local currencies, or in bitcoin) that a victim realises that something is wrong. Cybercriminals often apply additional pressure to their victims by setting a time limit for payment – after which the data will be deleted for good.
> See also: How to avoid ransomware attacks
Paying the ransom is unwise. There’s no guarantee the cybercriminals will decrypt the data – they could simply take the money and run. Additionally if the ransom is paid it only validates their business model, so they will continue to develop ransomware programs to exploit individuals and businesses (around 20 per cent of attacks were in the corporate sector).
If you have already been infected, and there is no backup or preventive technology in place, there is very little that you can do. So, before the worst happens, consumers and businesses alike must make themselves aware of the tricks cybercriminals use to entice their victims into installing ransomware, put measures in place to block ransomware and make regular backups of their data to offline storage (if your backup device is connected, the data stored on it will be encrypted too!).
Sourced from David Emm, principal security researcher, Kaspersky Lab