Malwarebytes protects against ransomware


Everything about ransomware

Ever wondered what all the fuss about ransomware is about? You may have heard about it at work or on the news. Or perhaps, right now, there is a message on your computer screen warning you of a ransomware infection. If you are curious and want to know everything about ransomware, you have come to the right place. We explain the different forms of ransomware, how it gets onto your computer, where it comes from, whom it targets and how you can protect yourself against it.

What is ransomware?

Ransomware is a form of malware that prevents users from accessing their system or personal files and demands a ransom to restore that access. The earliest variants of ransomware were developed in the late 1980s, when the ransom had to be sent by post. Today, ransomware authors demand payment in cryptocurrency or by credit card.

How do you get infected with ransomware?

Ransomware can infect your computer in a number of ways. One of the most common methods today is malicious spam, or malspam, i.e. unsolicited e-mail used to deliver malware. Such an e-mail may carry booby-trapped attachments such as PDFs or Word documents, or links to malicious websites.

Malspam uses social engineering to trick people into opening attachments or clicking links in e-mail that looks legitimate, for example because it appears to come from a trusted institution or a friend. Cybercriminals use social engineering in other types of ransomware attacks too. For example, they pose as the FBI to scare users into paying a "fine" to get their files back.

Another popular infection method, which peaked in 2016, is malvertising. Malvertising, or malicious advertising, is the use of online advertising to distribute malware with little or no user interaction. While browsing the web, users can be redirected to criminal servers even from trusted sites and without ever clicking an advertisement. These servers catalog details of the victim computers and their location and then select the most suitable malware to deliver. Often that malware is ransomware.

Malvertising and ransomware infographic.

Malvertising often uses a hidden iframe or another invisible page element. The iframe loads an exploit kit landing page, and code on that page attacks the browser or its plug-ins using the exploit kit. All of this happens without the user's knowledge or action, which is why it is called a drive-by download.

Types of ransomware

There are three main types of ransomware, ranging in severity from mildly irritating to Cuban-Missile-Crisis dangerous. The following types can be distinguished:

Scareware

Scareware, as it turns out, is not as "scary" as it sounds. It comes in the form of fake security software or tech-support scams. You may see a pop-up claiming that malware has been found on your computer and that the only way to remove it is to pay. If you do nothing, you will probably keep being bombarded with pop-ups, but your files are essentially safe.

A legitimate security vendor would not solicit customers this way. If the vendor's software is not already installed on your computer, it cannot be scanning you for ransomware. And if you do have its security software, you would not have to pay to clean up an infection, because that is exactly what you already paid the software to do.

Screen locker

With this type of ransomware we have reached threat level orange. If screen-locking ransomware gets onto your computer, you are shut out of your PC entirely. When you start the computer, a window fills the screen, often bearing an official-looking seal of the FBI or the US Department of Justice, together with a message claiming that illegal activity has been detected on your computer and that you must pay a fine. However, the FBI would never lock you out of your computer or demand a fine for illegal activity. If the FBI suspected you of piracy, child pornography or any other form of cybercrime, it would go through the proper legal channels.

Encryption ransomware

Now we come to the really nasty stuff: attackers who grab your files and encrypt them, then demand payment to decrypt and return them. This type of ransomware is so dangerous because, once the criminals have encrypted your files, no security software or system restore can bring them back. Unless you pay, most of the data is gone for good. And even if you do pay, there is no guarantee the criminals will give your files back.

History of ransomware

The first ransomware, known as PC Cyborg or AIDS, appeared in the late 1980s. After the 90th reboot, PC Cyborg scrambled the file names on the C: drive and then asked the user to "renew their license" by mailing US$189 to PC Cyborg Corp. The encryption used was simple and could be reversed, however, so this ransomware posed little threat to anyone familiar with computers.

Variants kept popping up over the following decade, but the real ransomware threat did not emerge until 2004, when GpCode used weak RSA encryption to hold personal files hostage until a ransom was paid.

In 2007, WinLock heralded a new type of ransomware that, instead of encrypting individual files, locked users out of their desktops. WinLock took over the victim's screen and displayed pornographic images on it, then demanded payment via a premium-rate SMS to remove them.

In 2012, the Reveton ransomware family introduced yet another type: ransomware posing as a notice from a law enforcement agency. Victims are locked out of their desktop and shown a page carrying the official-looking credentials of a law enforcement agency (FBI or Interpol). The ransomware claims that the user has committed a crime such as hacking, downloading illegal files or even possessing child pornography. Most law-enforcement-themed ransomware families demanded a "fine" of $100 to $3,000, payable with a prepaid card such as Ukash or PaySafeCard.

The average user did not know how to respond to such a notice and believed that law enforcement really was investigating them. This social engineering tactic, now known as "implied guilt," makes users doubt their own innocence. Rather than be confronted about an activity they are not proud of, they prefer to pay the fine and make it go away.

In 2013, CryptoLocker brought encryption ransomware back to the world, and this time it was far more dangerous: CryptoLocker used military-grade encryption and stored the key needed to decrypt the locked files on a remote server, so it was virtually impossible for users to get their data back without paying the ransom. This type of encryption ransomware is still in use today because it has proven to be an incredibly effective tool for making money. Major outbreaks such as WannaCry in May 2017 and Petya in June 2017 used encryption ransomware to extort users and businesses around the world.

At the end of 2018, the Ryuk ransomware appeared, with attacks on American news outlets and on the Onslow Water and Sewer Authority in the US state of North Carolina. It came with a new tactic: the Emotet and TrickBot trojans, previously used to steal information from infected systems, were now also used to deliver malware such as Ryuk. According to Adam Kujawa, director of Malwarebytes Labs, Emotet and TrickBot attacks concentrate on high-value targets. Once a system has been infected and judged a good target for ransomware, Emotet or TrickBot downloads Ryuk onto it.

Mac ransomware

Learn more about KeRanger, the first true Mac ransomware.

Not wanting to be left out, the authors of Mac malware launched the first ransomware for Mac operating systems in 2016. Called KeRanger, it was hidden in a trojanized build of the Transmission BitTorrent client; once launched, it copied malicious files that ran silently in the background for three days before detonating and encrypting files. Fortunately, Apple's built-in anti-malware component XProtect was updated shortly after the ransomware was discovered, preventing further infections. Mac ransomware is no longer just theoretical.

Ransomware on mobile devices

Ransomware on mobile devices did not appear on a large scale until 2014, on the heels of the infamous CryptoLocker and similar families. Mobile ransomware usually displays a message that the device has been locked because of some illegal activity and will be unlocked once a fee is paid. It is most often delivered through malicious apps. In that case, the user has to boot the phone into safe mode and uninstall the malicious app to regain access to the device.

Who is ransomware aimed at?

When ransomware first appeared (and later reappeared), it initially targeted the computers of individuals, i.e. ordinary users. But cybercriminals recognized its full, untapped potential and turned ransomware on businesses. There it has been extremely successful, cutting productivity and causing data loss and lost revenue, which is why the authors now direct the majority of their attacks at companies. At the end of 2016, 12.3 percent of threats detected against companies worldwide were ransomware, compared with only 1.8 percent of those detected against consumers. By 2017, 35 percent of small and medium-sized businesses had experienced a ransomware attack.

Small and Medium Business Ransomware Report.

Geographically, ransomware attacks are still concentrated in Western markets, with the UK, the US and Canada occupying the top three spots. Like other threat actors, ransomware authors follow the money and focus on regions where high PC density coincides with relative wealth. As economic growth accelerates in the emerging economies of Asia and South America, an increase in ransomware (and other malware) must be expected there too.

What to do in the event of an infection

If you discover a ransomware infection, the first rule is: never pay the ransom. (The FBI now endorses this advice too.) Paying only encourages cybercriminals to launch further attacks against you or someone else. You may be able to recover some encrypted files with a free decryption tool.

To be clear: decryption tools do not exist for every ransomware family. A free decryptor is only possible when the authors made a cryptographic mistake or the keys were leaked or seized; where strong encryption has been implemented correctly, there is nothing for a tool to exploit. And even where a decryptor exists, there is no guarantee it matches the exact variant that hit you. You certainly do not want to damage your files further by running the wrong decryption tool over them. So read the ransom note carefully and, if in doubt, seek advice from a security or IT specialist before attempting any decryption.

Other ways of dealing with a ransomware infection are to download a security product known to clean up the malware and run a scan to remove the threat. You may not get your files back, but you can at least be sure the infection itself has been removed. For screen-locking ransomware, a full system restore may be the answer. If that does not work, try running a scan from a bootable CD or USB stick.

If you are trying to stop an encryption ransomware infection while it is running, you need to be especially alert. If your system suddenly slows down for no apparent reason, shut it down and disconnect it from the internet. If the malware is still running after the restart, it can no longer reach its command-and-control server to send or receive instructions while the machine is offline. Without a key or the ability to demand payment, the malware may sit idle. Bear in mind, though, that many families generate their encryption keys locally and do not need a network connection to encrypt, so going offline mainly limits spread and data theft rather than guaranteeing that encryption stops. At this point, download and install a security product and run a full scan.
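If you suspect encryption is under way or has already happened, a quick way to confirm it is to look at the files themselves rather than the system's speed. The following Python script is an added example, not code from the original article or from Malwarebytes. It scans a set of files (constructed in memory here so it runs offline; in practice you would walk a directory) for two signs of ransomware: byte entropy close to 8 bits per byte, which ciphertext exhibits, and a mismatch between the file type a name claims and what the bytes actually contain. Compressed formats such as PNG and ZIP-based Office documents also have high entropy, so the magic-number check is what separates a genuine image from an encrypted one that kept its name. The threshold, the magic-number table and the list of "known" extensions are assumptions chosen for the example.

```python
"""Flag files that look as though ransomware has encrypted them.

Added example. Signals used:
  1. entropy above ENTROPY_THRESHOLD (ciphertext is ~7.9 bits/byte, text ~4-5);
  2. the bytes no longer start with the magic number of the claimed type;
  3. an unknown extension appended after a known one (invoice.pdf.locked).
A genuine PNG/ZIP is high-entropy but passes the magic check, so it is not flagged.
"""
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # assumed; tune against a sample of your own data

# Assumed subset of magic numbers; extend for the formats on your shares.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
}
KNOWN_EXTENSIONS = set(MAGIC) | {".txt", ".csv", ".md"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def split_extensions(name: str):
    """Return (known_ext, trailing_unknown_ext): 'a.pdf.locked' -> ('.pdf', '.locked')."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return None, None
    exts = ["." + p for p in parts[1:]]
    known = next((e for e in exts if e in KNOWN_EXTENSIONS), None)
    trailing = exts[-1] if exts[-1] not in KNOWN_EXTENSIONS else None
    return known, trailing


def classify(name: str, data: bytes) -> list:
    """Return the reasons a file looks encrypted; an empty list means it looks clean."""
    reasons = []
    known, trailing = split_extensions(name)
    if known and trailing:
        reasons.append(f"extra extension {trailing} appended after {known}")
    magic = MAGIC.get(known)
    header_ok = magic is not None and data.startswith(magic)
    if magic is not None and not header_ok:
        reasons.append(f"header does not match {known}")
    entropy = shannon_entropy(data)
    # High entropy is only suspicious when the bytes are not a known compressed type.
    if entropy > ENTROPY_THRESHOLD and not header_ok:
        reasons.append(f"entropy {entropy:.2f} bits/byte")
    return reasons


def scan(files: dict) -> dict:
    """Map file name -> reasons for every file in `files` that looks encrypted."""
    flagged = {}
    for name, data in files.items():
        reasons = classify(name, data)
        if reasons:
            flagged[name] = reasons
    return flagged


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed test data)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


# Constructed sample "files": two untouched, one genuine compressed image,
# one renamed and encrypted, one encrypted in place with its name kept.
PLAIN_TEXT = b"Quarterly report: revenue up 4 percent, costs flat.\n" * 40
SAMPLES = {
    "notes.txt": PLAIN_TEXT,
    "invoice.pdf": b"%PDF-1.4\n" + PLAIN_TEXT,
    "photo.png": MAGIC[".png"] + pseudo_ciphertext(b"png", 4096),
    "invoice.pdf.locked": pseudo_ciphertext(b"locked", 4096),
    "notes_encrypted.txt": pseudo_ciphertext(b"inplace", 4096),
}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Files in compressed formats missing from `MAGIC` (a `.tar.gz`, for instance) will be flagged on entropy alone, so extend the table before running this over a real share; a sudden rise in the number of flagged files between two scans, or a burst of renames to one new extension, is the signal an incident responder actually wants.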

Protection against ransomware

Security experts agree: the best protection against ransomware is to make sure you do not get infected in the first place.

Read on to learn the best ways to prevent ransomware infection.

While there are several ways to combat a ransomware infection, they are imperfect at best, and they often require technical knowledge well beyond that of the average computer user. Below are our recommendations for avoiding an outage caused by a ransomware attack.

The first step in preventing ransomware is to invest in really good cybersecurity, i.e. a real-time protection product designed to thwart advanced malware attacks such as ransomware. It should also include features that shield vulnerable programs from threats (anti-exploit technology) and stop ransomware from holding files hostage (an anti-ransomware component). For example, customers using the premium version of Malwarebytes for Windows were protected from all major ransomware attacks in 2017.

Next, make secure backups of your files regularly, even if it is a hassle. We recommend cloud storage that uses strong encryption and multi-factor authentication. Alternatively, you can use USB sticks or an external hard drive to store new or updated files. But be sure to physically disconnect these devices from your computer after each backup; otherwise they too can be encrypted by ransomware.

Also make sure to update your systems and software regularly. The WannaCry outbreak exploited a vulnerability in Windows' SMB file-sharing service. Although Microsoft had already released a patch for the hole in March 2017, many people had not installed the update and were therefore unprotected. We know it is hard to keep up with the ever-growing list of updates for the ever-growing number of programs and apps you use every day, so we recommend changing your settings to install updates automatically.

And finally: stay informed. Social engineering is one of the most common ways computers get infected with ransomware. Learn (and, if you run a business, teach your employees) how to spot malspam, suspicious websites and other scams. Above all, use common sense: if something looks suspicious, it probably is.

Stay up to date on the latest ransomware news with Malwarebytes Labs.