Ransomware

Ransomware is a form of malicious software used by cyber criminals to hijack a user's computer or mobile device and keep it under their control until the user pays for its release. Cyber criminals use various strategies to try to extort money from unsuspecting users with ransomware, such as encrypting files saved on the user's device; threatening to erase important files; denying access to key programs and applications; and entrapping the user by linking him or her to extreme or illegal pornographic material. The user will then be instructed to submit some form of untraceable payment to the cyber criminals behind the ransomware attack, though anti-fraud authorities stress that making such a payment does not guarantee the release of the user's device.


When it first appeared as a widespread Internet phenomenon, ransomware tended to indiscriminately target individuals. However, according to a 2022 report released by the global cybersecurity company Black Fog, criminal networks most often target businesses, educational institutions, and hospitals.

Brief History

The first known example of ransomware was launched by Dr. Joseph Popp, a Harvard-educated evolutionary biologist who distributed an estimated 20,000 virus-infected floppy disks to attendees of the World Health Organization's international AIDS conference in December 1989. Popp's program, known as the "AIDS Trojan," used symmetric cryptography to encrypt files after users loaded the infected disks into their computers. No reason was ever given for Popp's actions, though media reports stated that Popp had been rejected for a job with the World Health Organization just prior to the attack.

A ransomware platform known as Archievus was one of the earliest such programs to be widely distributed over the Internet. Archievus first appeared in 2006 and targeted Microsoft's Windows operating system by encrypting all the files saved in the infected computer's "My Documents" directory. To secure the release of their files, victims were instructed to purchase specific products in exchange for the decryption password.

Ransomware became more prevalent with the advent of anonymous Internet-based payment-processing platforms, which made it easier for cyber criminals to extract ransoms directly from their victims. Since 2011, there has been a sharp rise in the frequency and scale of ransomware attacks, as well as in the number of malicious programs used to infect victims' computers. One particularly noteworthy campaign began in 2014 with the launch of the CryptoDefense and CryptoWall ransomware platforms. These programs infected computers and encrypted victims' saved files, using anonymity networks for Internet browsing and the untraceable Bitcoin cryptocurrency to secure payments. According to a 2015 report published by the Cyber Threat Alliance, the CryptoDefense and CryptoWall campaigns generated $325 million in revenues for the criminal network behind the software.

Ransomware has since extended beyond personal computing to affect smartphones and other mobile devices. Smartphone-specific forms of ransomware initially locked users out of their phones but have evolved to encrypt files and folders saved on affected devices. Advancements in cloud computing technology have also led to the rise of a malware distribution strategy known as "Ransomware as a Service," or "RaaS." RaaS first appeared in 2015, enabling individuals to purchase ransomware platforms on digital black markets. Buyers could then distribute the malicious programs on their own, sharing a percentage of their revenues with the malware's anonymous vendors.

Ransomware Today

According to statistics released by Microsoft Corporation in 2016, 50 percent of ransomware attacks detected between December 2015 and May 2016 targeted users in the United States. In its report, Microsoft also stated that the five most common ransomware families were Tescrypt (accounting for 42 percent of detected attacks), Crowti (17 percent), Fakebsod (15 percent), Brolo (9 percent), and Locky (7 percent). These malware families use a range of techniques to extort payments from users, but most fall into two broad categories known as lockscreen ransomware and encryption ransomware.

Lockscreen ransomware hijacks a user's device, displaying a full-screen message that cannot be closed, minimized, or otherwise removed. The full-screen message prevents a user from accessing files and programs on his or her device and may also use scare tactics, such as allegations that the device has been associated with illegal or extreme pornographic material, with an accompanying threat to report the activity to authorities. In other cases, ransomware appropriates the names and logos of local law enforcement agencies, claiming to represent the agency and demanding that the user submit payment to avoid fines or criminal prosecution for illegal online activity. A variant strategy sees the ransomware use sexually explicit images in the lockscreen message, claiming that the images cannot be removed unless the user complies with the criminal's demands.

Encryption ransomware targets specific files saved on the device, which the ransomware distributors often identify beforehand by employing phishing techniques to research the end user. Once the files are encrypted, the user will be instructed to submit payment in exchange for the decryption key. This technique typically targets confidential, sensitive, or important information saved on the user's device and is a favored form of ransomware for attacking businesses.
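The behaviour described above, many files rewritten with ciphertext in a short time and often renamed with a common new extension, is what defenders typically look for when hunting encryption ransomware. The following detector is an added example and not code from the original article or from any product it mentions: it reads a constructed trace of file-system events, scores each write by the Shannon entropy of its data (ciphertext looks near-random, plain documents do not), and alerts on a process that rewrites many files with high-entropy content and renames them to one shared extension within a time window. The thresholds, process names and paths are assumptions chosen for illustration.

```python
"""Behavioural heuristic for encryption ransomware (added example, not from the page).

Encryption ransomware rewrites many user files in a short time with
ciphertext (near-random bytes) and often renames them to a new extension.
This toy detector consumes constructed file-system events and flags a
process that, within a time window, writes high-entropy content to many
files and appends one common new extension.  All paths, process names and
thresholds below are assumptions for illustration only.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
import hashlib
import math
import os


@dataclass
class FileEvent:
    ts: float            # seconds since the start of the trace
    pid: int
    process: str
    op: str              # "write" or "rename"
    path: str
    new_path: str = ""   # only used for "rename"
    sample: bytes = b""  # leading bytes of the data written, for "write"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Assumed thresholds: tune against a real baseline before relying on them.
ENTROPY_THRESHOLD = 7.0   # compressed or encrypted data usually scores above this
MIN_FILES = 10            # files rewritten in one window before an alert fires
WINDOW_SECONDS = 60.0
EXT_DOMINANCE = 0.8       # share of renames that must agree on one new extension


def analyze(events, *, window=WINDOW_SECONDS, min_files=MIN_FILES,
            threshold=ENTROPY_THRESHOLD):
    """Return one alert dict per process whose activity matches the heuristic."""
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_proc[(ev.pid, ev.process)].append(ev)

    alerts = []
    for (pid, name), evs in by_proc.items():
        recent_writes = deque()   # (ts, path) of high-entropy writes in the window
        new_exts = Counter()      # new extension -> number of renames that produced it
        for ev in evs:
            if ev.op == "write" and shannon_entropy(ev.sample) >= threshold:
                recent_writes.append((ev.ts, ev.path))
            elif ev.op == "rename":
                old_ext = os.path.splitext(ev.path)[1]
                new_ext = os.path.splitext(ev.new_path)[1]
                if new_ext and new_ext != old_ext:
                    new_exts[new_ext] += 1
            # Drop high-entropy writes that have fallen out of the time window.
            while recent_writes and ev.ts - recent_writes[0][0] > window:
                recent_writes.popleft()
            distinct = {p for _, p in recent_writes}
            if len(distinct) >= min_files and new_exts:
                ext, count = new_exts.most_common(1)[0]
                if count >= min_files and count / sum(new_exts.values()) >= EXT_DOMINANCE:
                    alerts.append({"pid": pid, "process": name, "files": len(distinct),
                                   "extension": ext, "at": ev.ts})
                    break   # one alert per process is enough for this demonstration
    return alerts


def _pseudo_random(seed: str, n: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain); stands in for ciphertext."""
    out, block = b"", seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed plain-text content: low entropy, as a real document would be.
TEXT = b"Quarterly report: revenue rose three percent on stable costs.\n" * 16


def sample_events():
    """Constructed trace: a text editor, an archiver, and a mass-encrypting process."""
    events = [FileEvent(1.0, 100, "editor", "write", "/home/u/notes.txt", sample=TEXT)]
    # Benign: an archiver writing a few compressed (high-entropy) files, no renames.
    for i in range(3):
        events.append(FileEvent(2.0 + i, 200, "archiver", "write",
                                f"/home/u/backup{i}.zip",
                                sample=_pseudo_random(f"zip{i}", 1024)))
    # Suspicious: twelve documents rewritten with ciphertext and renamed within 30 s.
    for i in range(12):
        doc = f"/home/u/Documents/report{i}.docx"
        events.append(FileEvent(10.0 + 2 * i, 300, "suspicious.exe", "write", doc,
                                sample=_pseudo_random(f"enc{i}", 1024)))
        events.append(FileEvent(10.5 + 2 * i, 300, "suspicious.exe", "rename", doc,
                                new_path=doc + ".locked"))
    return events


if __name__ == "__main__":
    for a in analyze(sample_events()):
        print(f"ALERT pid={a['pid']} {a['process']}: {a['files']} files rewritten "
              f"with high-entropy data and renamed to *{a['extension']} by t={a['at']}s")
```

The archiver in the trace shows the main false-positive source for entropy-based detection: legitimate compression and backup tools also write near-random bytes, so the heuristic only fires when high-entropy writes coincide with mass extension changes, and the constants would still need tuning against real endpoint telemetry.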

According to Symantec Corporation's comprehensive 2016 report, criminal networks using ransomware are becoming increasingly sophisticated and are displaying very high levels of expertise. The report stated that the average ransomware demand in 2016 was $679, representing a sharp year-over-year increase from 2015 demands, which averaged $294. Symantec also reported that more than one hundred new ransomware families were identified in 2015.

Users usually unwittingly install ransomware on their own devices. Cyber criminals use various strategies to spread ransomware; it may be embedded in unsafe websites or installed on a user's computer after the user is redirected to a fake website designed to mirror a legitimate one. Email, social media, and personal communication platforms are also used to distribute links that will install ransomware on a user's device if they are clicked.

While individual users are still falling afoul of ransomware distributors, there is also a growing trend toward the victimization of businesses. Attacks on businesses are usually targeted, and Symantec reports that 38 percent of ransomware infections in 2016 affected enterprises in the services sector. Manufacturing, finance, real estate, and public administration organizations were also leading targets of enterprise-oriented attacks in 2016. Between 2015 and 2016, the number of detected ransomware attacks peaked in October 2015, when 150,000 such incidents were reported.

A major worldwide ransomware attack occurred in May 2017, using software known as WannaCry. This encryption program locked users out of many documents on their computers and demanded US$300 in Bitcoin to restore access. Within days, over 300,000 computers in over 150 countries were infected, with Europe and Asia seeing higher rates than the United States. Individuals and businesses were both targeted, and the impact on major companies led to travel delays and other serious consequences. Perhaps most notable was the targeting of the National Health Service (NHS) in Great Britain, with tens of thousands of NHS computers affected and many services disrupted. The WannaCry software used a vulnerability in the Microsoft Windows operating system to infect computers. Not long after the spread of WannaCry died down, another ransomware program, NotPetya (derived from an older program known as Petya), spread by exploiting the same vulnerability. It was later revealed that the US National Security Agency (NSA) had previously discovered the vulnerability but exploited it for its own work rather than alerting Microsoft, creating a "backdoor" known as DoublePulsar to allow the agency to access computers running Windows. This backdoor was stolen by hackers in 2016 and is thought to have been used in the WannaCry attack. Microsoft eventually released security updates to address this vulnerability. In addition, a computer security researcher discovered a section of the ransomware's code that could be used as a "kill switch," effectively slowing the rate at which WannaCry could spread.

In June 2018, McAfee, a company that produces antivirus software, reported that ransomware attacks were down 32 percent from the previous quarter, while "cryptojacking," or infecting computers with malware that makes the target machine mine cryptocurrency (such as Bitcoin) that is then deposited into the attacker's cryptocurrency wallet, was on the rise. Some technology commentators have theorized that this shift is the result of low-level criminals turning from ransomware to cryptojacking as a safer way of obtaining money: ransomware by definition involves the victim knowing they have been attacked, while cryptojacking often goes undetected. However, high-profile ransomware attacks continue to occur; for example, in 2018, the computer systems of the City of Atlanta were infected with the ransomware program SamSam.

Ransomware attacks continued to create significant problems in the 2020s. In 2021, the US government was able to stop many cyberattacks and apprehend the criminals. For example, the US Department of Justice seized $2.3 million in bitcoin that Colonial Pipeline paid to the Dark Side ransomware group. However, in 2022 the number of ransomware attacks increased by 80 percent, according to TechCrunch. For example, attackers breached Medibank, a health insurance company in Australia, accessing the personal details of 9.7 million customers as well as health claims for nearly five hundred thousand customers. Some of the information seized was sensitive, such as details about abortions and alcohol-related illnesses. Security experts contend that ending ransomware attacks will not be easy. Even if governments throughout the world work together to prevent them, it will take time to make a difference.

Bibliography

Cabaj, Krzysztof and Wojciech Mazurczyk. "Using Software-Defined Networking for Ransomware Mitigation: The Case of CryptoWall." IEEE Network, vol. 30, no. 6, Nov.-Dec. 2016, pp. 14–20.

Fiscutean, Andrada. "A History of Ransomware: The Motives and Methods Behind These Evolving Attacks." CSO Online, 27 July 2020, www.csoonline.com/article/569617/a-history-of-ransomware-the-motives-and-methods-behind-these-evolving-attacks.html. Accessed 22 Dec. 2016.

Kharraz, Amin, et al. "UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware." USENIX: The Advanced Computing Systems Association, 2016, www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_kharraz.pdf. Accessed 3 Oct. 2024.

Liska, Allan and Timothy Gallo. Ransomware: Defending Against Digital Extortion. O'Reilly Media, 2016.

Page, Carly. "Ransomware Is a Global Problem That Needs a Global Solution." TechCrunch, 18 Nov. 2022, techcrunch.com/2022/11/18/combatting-ransomware/. Accessed 3 Oct. 2024.

"What Is Ransomware?" Microsoft Corporation, 4 Sept. 2024, www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx. Accessed 3 Oct. 2024.

"Ransomware on the Rise: Norton Tips on How to Prevent Getting Infected." Norton, 8 Aug. 2018, ca.norton.com/yoursecurityresource/detail.jsp?aid=rise_in_ransomware. Accessed 3 Oct. 2024.

Samani, Raj. "'McAfee Labs Threats Report' Spotlights Innovative Attack Techniques, Cryptocurrency Mining, Multisector Attacks." McAfee, 26 June 2018, www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-labs-threats-report-spotlights-innovative-attack-techniques-cryptocurrency-mining-multisector-attacks/. Accessed 3 Oct. 2024.

"The State of Ransomware 2023." BlackFog, 2023, www.blackfog.com/the-state-of-ransomware-in-2023/. Accessed 3 Oct. 2024.

Stobing, Chris. "Ransomware Is the New Hot Threat Everyone Is Talking About; What Do You Need to Know?" Digital Trends, 6 June 2015, www.digitaltrends.com/computing/what-is-ransomware-and-should-you-be-worried-about-it/. Accessed 3 Oct. 2024.

Whittaker, Zack. "Atlanta, Hit by Ransomware Attack, Also Fell Victim to Leaked NSA Exploits." ZDNet, 27 Mar. 2018, www.zdnet.com/article/atlanta-hit-by-ransomware-attack-also-fell-victim-to-leaked-nsa-exploits/. Accessed 3 Oct. 2024.

Woollaston, Victoria. "WannaCry Ransomware: What Is It and How to Protect Yourself." Wired, 22 May 2017, www.wired.co.uk/article/wannacry-ransomware-virus-patch. Accessed 3 Oct. 2024.