International School of Business & Media (ISB&M), Kolkata

Ransomware – The Security Threat That Comes with a Price

Ransomware is a special type of malware (malicious software) that attacks a user's computer, gains unauthorized access to the file system and either locks the files or encrypts their contents so that they become completely inaccessible to the user. The person behind the attack, i.e., the hacker, then demands that the user pay a ransom. After the ransom is paid, the user receives a decryption key from the hacker with which the original files can be recovered.

Encryption is a technology that uses a mathematical function, called the encryption key, which converts any data into coded data whose appearance is totally different from that of the original data. The coded data is known as encrypted data and is impossible to use, since its meaning cannot be understood. In order to retrieve the original data from the encrypted data, another mathematical function, called the decryption key, is required. Encryption is a well-known security technique that is often used to protect sensitive and confidential user data while it is transmitted over the internet. Ransomware uses the same technique to extort money from organizations or individuals in exchange for their own private and confidential data.

The ransomware is downloaded onto user machines (desktops, laptops, mobile devices or servers) through a variety of media such as spam mails, malvertisements (malicious advertisements served from the internet), PDFs or other files downloaded from unknown sources, unknown URLs etc. Whenever any of these is clicked (or opened) by the user, the ransomware software, which carries the encryption key, is downloaded and starts encrypting important files residing on the system. The encrypted files become unusable and gradually all the important files, such as databases, Word documents, JPG files, Excel sheets etc., become useless. Subsequently the user receives a mail from the sender of the ransomware demanding payment of a ransom amount, after which the decryption key will be sent so that the user can retrieve the original files. In order to evade law enforcement authorities, the payment is usually demanded in Bitcoin, i.e., in a cryptocurrency, so that the trail of payment transactions cannot be traced. Cryptocurrencies work in a decentralized mode with no regulatory authority responsible for the payment transactions, and hence the payment trail remains untraceable. For this reason, ransomware payments are usually made through Bitcoin.

Sometimes ransomware operators pose as police agents and declare that pornographic or other illegal activity has been detected on the user's computer and that its contents have therefore been blocked. The user is ordered to pay a fine (i.e., the ransom amount) in order to unlock the system. Sometimes ransomware threatens to delete all of the user's data or to publish the sensitive data if the ransom is not paid. Often the ransom amount increases with time, e.g., doubling every three days, in order to pressure the user into paying. For these reasons ransomware is sometimes called scareware, as it scares the user into paying the ransom. The most common targets of ransomware are hospitals, educational institutes, financial organizations and various government departments. These organizations deal with sensitive public records, and in order to protect the public interest they are forced to pay the ransom.

Ransomware-as-a-Service (RaaS): This is a service offered by hackers who supply ransomware software, along with the encryption and decryption keys, to criminals who use it to mount ransomware attacks. Thus ransomware operators need not be tech-savvy; they can obtain the technology from knowledgeable hackers.

No More Ransom (NMR): This is a service offered by a consortium (consisting of the European Cybercrime Centre, the Netherlands' Police Department and McAfee) that offers free decryption keys to people affected by ransomware attacks. The user can apply the decryption key to the affected files and, in some cases, the files are decrypted and unlocked. This is a noble attempt to curb the spread of ransomware.

Some Famous Ransomware Attacks:

  • WannaCry: First appeared in 2017, infected 230,000 computers in 150 countries and affected hospitals, FedEx, Honda Corporation, Renault and government agencies in various countries. It demanded US$300 per computer.
  • SamSam: First appeared in 2015 and primarily targets healthcare organizations. Total collection from extortion: US$6 million.
  • Petya: First appeared in 2016 in Ukraine. It encrypted the file tables of the NTFS file system and failed to restore the original files even after the ransom was paid.
  • BadRabbit: First appeared in 2017 in Russia and Ukraine and targeted media and broadcasting corporations.
  • CryptoWall: First appeared in 2014 in the USA. It was downloaded through malvertisement links, affected a number of big websites and jeopardized their operations. The estimated loss was US$18 million.
  • Cryptolocker: First appeared in 2013 and infected 500,000 computers in total.

How to Prevent Ransomware

In order to protect important data from ransomware attacks, the following steps should be followed:

1. Install Anti-Ransomware Software: In order to prevent ransomware attacks, anti-ransomware software should be installed on the computer/server/laptop/smartphone. All major security vendors such as McAfee, Kaspersky, Bitdefender, Panda etc. offer anti-ransomware software that can detect the arrival of ransomware and raise an alarm to prevent further damage to the file system.

2. Regular Backup of Files: The user must take regular backups of their files on multiple devices such as a portable hard disk, a cloud server or a USB drive. If up-to-date backups are available on other devices and a ransomware attack happens, the user can delete all the infected files, format the hard disk, remove the ransomware software and reload the file system from the backup device. Thus the loss of files can be minimized without paying the ransom.

3. Regular Update of the Operating System: All the major operating systems, such as Windows 10, macOS, Android and iOS, make arrangements to handle and block ransomware attacks. Regular updates to the OS are published in the form of patches. Users need to update their OS regularly in order to combat ransomware attacks.

4. Download only from Trusted Sources: In most cases ransomware is downloaded directly through various files, images, URLs or webpages from the internet. While downloading files from the internet, users must be careful to click only known and trustworthy links, as clicking files from unknown links may result in the download of ransomware.
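Step 1 above says anti-ransomware software works by detecting the arrival of ransomware and raising an alarm, and the earlier paragraph on encryption explains that encrypted data has a totally different appearance from the original. The script below is an added example, written for this page and not taken from the article or from any vendor's product, of one simple behavioural heuristic such tools use: it compares two snapshots of a document folder and flags a mass rewrite in which readable files were replaced by random-looking (high-entropy) contents and renamed, or in which a ransom note appeared. The file contents, paths, the ".locked" suffix and the ransom-note wording are all constructed sample data.

```python
import math
import random
from collections import Counter
from typing import Optional

# --- Constructed sample data (not from the article) -------------------------
# Two snapshots of a user's document folder: path -> raw file contents.
_rnd = random.Random(7)  # fixed seed so the example is reproducible

BEFORE = {
    "docs/report.docx": b"Quarterly report: revenue grew 4% year on year. " * 25,
    "docs/budget.xlsx": b"item,cost\nlaptop,1200\nprinter,300\n" * 30,
    "docs/notes.txt": b"Meeting notes: follow up with the supplier on Monday.\n" * 15,
    # an already-compressed file: high entropy even before any attack
    "photos/holiday.jpg": b"\xff\xd8\xff\xe0" + bytes(range(256)) * 4,
}

# After a ransomware run (constructed): three files rewritten with random-looking
# bytes and renamed with a ".locked" suffix, one file not yet touched, and a note.
AFTER_ATTACK = {
    "docs/report.docx.locked": _rnd.randbytes(1200),
    "docs/budget.xlsx.locked": _rnd.randbytes(900),
    "docs/notes.txt": BEFORE["docs/notes.txt"],
    "photos/holiday.jpg.locked": _rnd.randbytes(1100),
    "docs/READ_ME.txt": b"YOUR FILES HAVE BEEN ENCRYPTED. Pay to receive the decryption key.",
}

# After ordinary work (constructed): one document edited, one new archive created.
AFTER_BENIGN = {
    "docs/report.docx": BEFORE["docs/report.docx"] + b"Outlook for next quarter is stable. " * 10,
    "docs/budget.xlsx": BEFORE["docs/budget.xlsx"],
    "docs/notes.txt": BEFORE["docs/notes.txt"],
    "photos/holiday.jpg": BEFORE["photos/holiday.jpg"],
    "docs/archive.zip": _rnd.randbytes(1500),
}

HIGH_ENTROPY = 7.0       # bits/byte; text and office documents sit well below this
MASS_CHANGE_RATIO = 0.5  # alert when at least half of the known files look re-encrypted
NOTE_MARKERS = (b"your files have been encrypted", b"decryption key")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_replacement(path: str, after: dict) -> Optional[str]:
    """Return the same path, or the path with an extra extension appended
    (e.g. report.docx -> report.docx.locked), or None if the file vanished."""
    if path in after:
        return path
    return next((p for p in after if p.startswith(path + ".")), None)


def analyse(before: dict, after: dict) -> dict:
    """Compare two snapshots and report whether the change looks like ransomware."""
    suspicious = []
    for path, old in before.items():
        new_path = find_replacement(path, after)
        if new_path is None or after[new_path] == old:
            continue  # deleted or untouched: not a re-encryption
        new = after[new_path]
        e_old, e_new = shannon_entropy(old), shannon_entropy(new)
        # A rewrite is suspicious when the new content is random-looking AND
        # either the entropy jumped (plaintext became ciphertext) or the file
        # was renamed with a new suffix. The rename test catches files such as
        # JPEGs that were already high-entropy before the attack.
        if e_new >= HIGH_ENTROPY and (e_new - e_old >= 1.0 or new_path != path):
            suspicious.append((path, new_path, round(e_old, 2), round(e_new, 2)))

    # New files carrying typical ransom-note phrases (a weak signal on its own).
    notes = [p for p in after if p not in before
             and any(m in after[p].lower() for m in NOTE_MARKERS)]

    ratio = len(suspicious) / len(before) if before else 0.0
    return {
        "suspicious": suspicious,
        "ransom_notes": notes,
        "ratio": round(ratio, 2),
        "alert": ratio >= MASS_CHANGE_RATIO or bool(notes),
    }


if __name__ == "__main__":
    for label, snapshot in (("attack", AFTER_ATTACK), ("benign", AFTER_BENIGN)):
        print(label, analyse(BEFORE, snapshot))
```

Entropy alone is not enough: a legitimately created zip or JPEG is just as random-looking as ciphertext, which is why the check also requires that an existing file was rewritten and either lost its readable structure or gained a new suffix, and why it alerts only when a large fraction of files change in one window. Real products add further signals (process behaviour, honeypot files, canary documents), but the principle of watching for mass, irreversible change is the same.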

How to Remove Ransomware

In the event of a ransomware attack, the following procedure is to be followed in order to restore the file system and remove the ransomware software:

1. Reboot the System: First of all, the computer should be shut down and rebooted in safe mode.

2. Scan and Remove the Ransomware Software: Next, if anti-ransomware software is installed, the hard disk should be scanned and the ransomware software deleted.

3. Delete all Encrypted Files: Next, all the encrypted files are deleted and the hard disk is formatted.

4. Restore Original Files from Backup: Then the original files are restored to the hard disk from the backup device.

5. Do not Pay the Ransom: The ransom amount should not be paid, as there is no guarantee that the criminals will send the decryption key after receiving the payment. They may simply vanish after getting the money. Also, if the user pays the ransom, there is a chance of a repeat attack demanding more ransom. So it is advisable not to pay the ransom.
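Step 4 above, and step 2 of the prevention list, rest on the backup copy still being the original data. A backup drive that was plugged in during the attack may itself have been encrypted, so before restoring it is worth checking the backup against a record of what was backed up. The following is an added example, written for this page and not part of the article, of that check: at backup time a manifest of SHA-256 hashes is created and sealed with an HMAC under a key kept off the machine; before restoring, the manifest's seal and every file's hash are verified, and nothing is copied back if either fails. All file contents, paths, the ".locked" suffix and the key value are constructed sample data.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional

# --- Constructed sample data (not from the article) -------------------------
# The live document set at backup time: path -> contents.
ORIGINALS = {
    "docs/report.docx": b"Quarterly report: revenue grew 4% year on year.\n" * 20,
    "docs/budget.xlsx": b"item,cost\nlaptop,1200\nprinter,300\n" * 10,
    "docs/notes.txt": b"Meeting notes: call the supplier.\n" * 8,
}

# Assumed offline key: it must live somewhere the infected machine cannot read
# or rewrite (printed, in a password manager on another device, offline media).
MANIFEST_KEY = b"constructed-offline-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record the hash of every file at backup time."""
    return {path: sha256_hex(data) for path, data in sorted(files.items())}


def seal_manifest(manifest: Dict[str, str], key: bytes) -> bytes:
    """Attach an HMAC so the hash list cannot be silently rewritten."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "tag": tag}).encode()


def open_manifest(blob: bytes, key: bytes) -> Optional[Dict[str, str]]:
    """Return the manifest only if its seal verifies; None otherwise."""
    doc = json.loads(blob)
    body = json.dumps(doc["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        return None
    return doc["manifest"]


def verify_backup(backup: Dict[str, bytes], manifest: Dict[str, str]) -> dict:
    """Compare a backup copy with the sealed hash list."""
    modified = [p for p in manifest if p in backup and sha256_hex(backup[p]) != manifest[p]]
    missing = [p for p in manifest if p not in backup]
    extra = [p for p in backup if p not in manifest]
    return {"modified": modified, "missing": missing, "extra": extra,
            "restorable": not modified and not missing}


def restore(backup: Dict[str, bytes], sealed: bytes, key: bytes) -> Optional[Dict[str, bytes]]:
    """Return the files to copy back, or None if the backup cannot be trusted."""
    manifest = open_manifest(sealed, key)
    if manifest is None:
        return None  # the manifest itself was altered: do not trust this backup
    if not verify_backup(backup, manifest)["restorable"]:
        return None  # some backed-up file was changed or is gone
    return {p: backup[p] for p in manifest}


# A backup drive that was attached during the attack (constructed): one file was
# re-encrypted and renamed, the other two were not reached.
ENCRYPTED_BACKUP = {
    "docs/report.docx.locked": bytes(range(255, -1, -1)) * 4,  # ciphertext stand-in
    "docs/budget.xlsx": ORIGINALS["docs/budget.xlsx"],
    "docs/notes.txt": ORIGINALS["docs/notes.txt"],
}

# A manifest rewritten to match the encrypted copy: without the offline key the
# attacker cannot produce a valid tag, so open_manifest() rejects it.
FORGED_MANIFEST = json.dumps(
    {"manifest": make_manifest(ENCRYPTED_BACKUP), "tag": "0" * 64}).encode()


if __name__ == "__main__":
    sealed = seal_manifest(make_manifest(ORIGINALS), MANIFEST_KEY)
    print("clean backup restorable:", restore(dict(ORIGINALS), sealed, MANIFEST_KEY) is not None)
    print("encrypted backup report:", verify_backup(ENCRYPTED_BACKUP, make_manifest(ORIGINALS)))
    print("forged manifest accepted:", open_manifest(FORGED_MANIFEST, MANIFEST_KEY) is not None)
```

The sealing step matters because ransomware that can reach the backup drive can also overwrite a plain hash list stored beside it; keeping the key off the machine means a rewritten manifest fails verification instead of silently approving the encrypted copy. The same reasoning argues for keeping at least one backup disconnected or on write-once storage, so that step 4 of the recovery procedure has something intact to restore from.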

Written by:
Prof. Karabi Bandyopadhyay
Faculty, IT & Systems,
ISB&M, Kolkata