What is ransomware?
The term ransomware refers to a specific type of malicious software used for extortion. During a ransomware attack, the malware accesses and encrypts data stored on the disk, rendering it inaccessible, and often locks the screen as well. The victim then receives a demand for money in return for access.
Ransomware is usually distributed via email attachments, links in social media messages or downloads from compromised websites.
It’s become increasingly common: According to the CyberRisk Alliance, a business falls victim to a ransomware attack every 40 seconds, adding up to a projected $11.5B in damages as of 2019. And ransomware cases continue to increase— the insurance firm Beazley reported a 25% uptick in Q1 2020 alone.
Read more
Types of ransomware
- Diskcoder ransomware encrypts the whole disk and prevents the user from accessing the operating system.
- Screen locker blocks the access to the device’s screen.
- Crypto-ransomware encrypts data stored on victim’s disk.
- PIN locker targets Android devices and change their access codes to lock out their users.
All the above-mentioned kinds of ransomware demand payment, generally to be paid with bitcoins or other hard-to-trace cryptocurrency. In return, its operators promise to decrypt the data or restore access to the affected device.
However, there’s no guarantee that cybercriminals will deliver on their side of the bargain. Security experts recommend that you don’t pay up, as it simply encourages more attacks. You should also reach out to your IT security provider tech support team to see what possibilities exist for decryption.
Examples of ransomware
In May 2017, a notorious ransomware attack known as WannaCry spread rapidly across the globe. Targeting computers running Windows OS, WannaCry encrypted files to make them impossible to access—then demanded a ransom in bitcoins in order to decrypt them.
Hundreds of thousands of computers were affected, impacting government offices, railway networks and businesses worldwide. In the UK, hospitals were knocked offline and the National Health Service had to turn away non-critical emergency patients.
Another example is 2013’s CryptoLocker, which infected more than 250,000 systems and was believed to have earned more than $3 million for its inventors.
Why do you need protection from ransomware?
Obviously, losing access to all your data will have wide-ranging consequences. Businesses like hospitals—where being unable to access vital information can be life-threatening—and financial institutions that depend on instant access to records and funds are especially vulnerable to harm.
But even small businesses are popular targets, as they may lack the security or training to prevent attacks and are seen as easy marks by criminals.
Protection and prevention are key, because even if you pay a ransom, there’s no guarantee that your data will ever be restored to you.
How to protect against ransomware
- Use a reliable, multilayered security solution
- Use a Virtual Private Network (VPN)
- Regularly train your staff to recognize and deal with phishing attacks
- Back up your data on a regular basis—and keep at least one full backup off-line, in case you do fall victim to ransomware
- Keep all your software, including operating system, patched and up to date
Because ransomware is often distributed via innocent looking email attachments or web links, it’s extremely difficult to detect. Your best defense is advanced detection and analysis via cloud-based sandboxing.
ESET LiveGuard Advanced (ELGA)
ELGA detects and blocks threats, including ransomware, by analyzing new files in a cloud sandbox to fully understand their behaviors. When a suspicious email or file that may be carrying ransomware is received, ELGA isolates it immediately. Your entire organization is protected as soon as the file is submitted, so malware never reaches your users, network and endpoints.
Via machine learning and behavioral analysis, ELGA will identify the file's true purpose while keeping it quarantined. Based on its behavior, the file will either be released or deleted—all within minutes of the initial detection.