Ransomware
What is ransomware? How can you protect against ransomware?
The word “ransomware” comes from English and contains the term “ransom”, which means “held hostage for money”. Ransomware is a malicious program that locks a computer for its user, so that it can only be unlocked again by paying a ransom. How exactly does ransomware work? How big is the danger of ransomware? How can you protect yourself against ransomware? We explain in this article!
What is ransomware?
Ransomware is malware that is installed unnoticed on someone else’s PC. Unlike ordinary malware, ransomware comes into direct contact with the user of the affected system. The malware encrypts either the files or the entire computer. The hacker then has control over the computer and demands a ransom. As long as the victim does not pay the ransom, the device stays encrypted.
If the infected device is in a network, such as in a company, the malware can spread to the entire network and encrypt all devices on that network. This can shut down entire companies, hospitals and universities.
What is the difference between ransomware and malware?
Is ransomware a virus?
No, ransomware is not a virus. Although viruses and ransomware are both malware, they are different. Viruses infect data and replicate themselves. Ransomware, on the other hand, encrypts files. For this reason, the name “cryptovirus” does not describe the malware accurately.
What is a Cryptolocker / Cryptotrojan?
A cryptolocker is part of the ransomware family. The goal is to get a ransom from the hacked victim. The cryptolocker infects the user’s documents and forces him to pay a ransom.
Ransomware attacks by cryptotrojans can have serious (financial) consequences for companies. Cryptotrojans have even threatened the existence of some companies, and driven them into bankruptcy in some cases. It is the horror scenario par excellence: An employee of a company catches a cryptotrojan on his work computer. It does not take long for the malware to spread across the entire company network.
How big is the danger of ransomware?
The danger of ransomware is greater than one might think. Companies in particular should be on guard against infected emails. By 2018, cybercriminals had already stolen 8 billion euros. A considerable sum, but in 2019 even more was taken: the damage in 2019 more than tripled compared to the previous year, to approximately 24 billion euros.
What is the reason for this rapid increase in successful ransomware attacks? Hackers have found the right niche. Sophisticated techniques and a little information about a company’s employees (social engineering) enable hackers to infect the IT infrastructure with a simple malicious email. Hospitals have been the most frequent victims of encryption attacks.
How does ransomware work?
Once everything is encrypted, a notification appears on the victim’s screen. Here the hacker demands a ransom to remove the ransomware. Once this process is complete, the attackers only have to wait for the victim to pay the ransom. Linking the ransom demand to a deadline is an effective way for cybercriminals to increase the pressure on the victims. If the owners of the systems have not made a payment by the deadline, either the ransom demand will increase or the process of deleting data will begin.
Ransomware attacks can cause great damage, especially to companies. Experts and authorities usually advise against paying a ransom. After paying, victims often have no choice but to hope for the goodwill of the hackers. Often, the data is not decrypted even after the ransom has been paid.
How to protect against ransomware?
With one of the highest detection rates on the market (99.99%), 18 different virus scanners check email traffic. A contaminated attachment, which has been packed several times and made unrecognizable, is recognized by the virus scanner of Hornetsecurity and categorized as spam.
Advanced Threat Protection goes one step further and reliably detects ransomware attacks as well as various types of malware that are still unknown. Hornetsecurity Advanced Threat Protection (ATP) offers solutions on a broad basis. These include URL rewriting and URL scanning.
If an attack is successful, it is important to have up-to-date backups available. In this way an older version without infection can be restored. This keeps data loss as low as possible. The backup can be done manually or automatically. A cloud solution is a good option for company data backups.
Email is the primary channel for ransomware attacks. Well camouflaged, the emails reach the computer of an employee in the target company carrying PDF, EXE or JPEG files. The display of file extensions is deactivated by default in most email clients, which is why the user usually cannot recognize the format of the file at first glance.
The infected files are then opened unintentionally and the ransomware is executed. It is therefore important that you enable the display of file extensions in your email client settings.
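The check that a hidden file extension takes away from the user can be done automatically before delivery. The following is an added example, not code from the original article or from Hornetsecurity: it parses a raw message and flags attachments whose name hides an executable extension or whose first bytes do not match the extension shown. The extension list, the function names and the sample message are assumptions constructed for illustration.

```python
import unicodedata
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs on double-click (illustrative list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "lnk"}
# Leading magic bytes for the three formats the article names.
MAGIC = {"pdf": b"%PDF", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "exe": b"MZ"}
RLO = "\u202e"  # right-to-left override: reverses how the rest of the name is drawn


def inspect_attachment(filename, payload):
    """Return the reasons an attachment's name misrepresents its real format."""
    findings = []
    if RLO in filename:
        findings.append("right-to-left override in name")
    # Drop invisible format characters and trailing dots/spaces before parsing.
    clean = "".join(c for c in filename if unicodedata.category(c) != "Cf")
    parts = clean.strip(" .").lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    if real_ext in EXECUTABLE_EXTS and len(parts) > 2:
        findings.append(f"double extension: looks like .{parts[-2]}, runs as .{real_ext}")
    elif real_ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{real_ext}")
    if payload.startswith(MAGIC["exe"]) and real_ext != "exe":
        findings.append("content is a Windows executable (MZ header)")
    elif real_ext in MAGIC and not payload.startswith(MAGIC[real_ext]):
        findings.append(f"content does not match .{real_ext}")
    return findings


def scan_message(raw):
    """Map each attachment filename in a raw message to its findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results[name] = inspect_attachment(name, part.get_payload(decode=True) or b"")
    return results


def build_sample():
    """Constructed sample message: one deceptive and one honest attachment."""
    m = EmailMessage()
    m.set_content("See attached.")
    m.add_attachment(b"MZ\x90\x00fake", maintype="application",
                     subtype="octet-stream", filename="invoice.pdf.exe")
    m.add_attachment(b"%PDF-1.7\n", maintype="application", subtype="pdf", filename="report.pdf")
    return m.as_bytes()
```

Calling scan_message(build_sample()) reports the double extension on invoice.pdf.exe and nothing for report.pdf.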
Closing vulnerabilities is also very important. Microsoft’s Remote Desktop Protocol is often exploited as a point of entry. In individual cases this feature allows ransomware to spread within the local network, so the malware distributes itself across the network within a very short time. Keeping systems up to date is also absolutely necessary. The older the software, the more entry points are known and available. If you are still using Windows 7 or even Windows XP today, you should not be surprised if your computer is infected and encrypted. WannaCry, for example, exploited a gap in outdated Windows systems (EternalBlue). Many companies simply ignored it and did not apply updates or patches. This resulted in a large number of successful ransomware attacks on companies.
Are ransomware scanners available?
How to remove Ransomware?
Once the ransomware is on the computer and has infected it, there is usually no good way out. Either you pay the ransom (the police advise against it) or you set up the computer from scratch (hopefully with an up-to-date backup). For some ransomware attacks, however, there are decryption tools. Just visit the site https://www.nomoreransom.org/crypto-sheriff.php?lang=en for this. No More Ransom provides ransomware decryption for over 50 different ransomware types.
What types of ransomware exist?
An example of a ransomware attack – Emotet
Emotet is one of the best-known ransomware variants and has even made it into daily media coverage. Our Security Lab has taken a closer look at Emotet and examined it. In a detailed knowledge base page you will learn exactly how Emotet works:
Risk of ransomware for companies
The danger that ransomware poses to companies is enormous. If a private computer is encrypted by ransomware, this is annoying, but usually no reason for private insolvency. If a company computer is infected, this can lead to the company’s bankruptcy. Often ransomware spreads throughout the entire network and infects all devices in it. The result: entire companies can no longer operate. Files are lost, working time is lost, work cannot continue. In a 15-minute article, our IT expert Dr. Yvonne Bernard explains in detail how ransomware like Emotet can take a company apart and destroy it (the video is in German).
Which ransomware is in use in 2020?
It is early 2020, and the first ransomware wave is already in full swing. The daily reports on Greta Thunberg and Fridays for Future are now also being used by criminals, who are sending emails in the name of the young activist. The Hornetsecurity Security Lab has intercepted emails in which cybercriminals ask the recipients to support a large demonstration in favour of climate protection. The time and address of the global strike can allegedly be found in the attached file. When the recipient opens the attachment, an encrypted document appears. The user is asked to enable editing and content for the document. If the user follows this instruction, a macro is executed which downloads the malware.
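Because the infection described above depends on a macro running, a mail filter can flag macro-capable Office attachments before a user is asked to enable content. The following is an added example, not code from the original article or from Hornetsecurity: it classifies an attachment by its container format and by the presence of a VBA project part. The function names, verdict strings and the minimal sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm) container
MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "pptm"}


def macro_verdict(filename, data):
    """Classify an Office attachment by whether it can carry VBA macros."""
    ext = filename.lower().rsplit(".", 1)[-1]
    if data.startswith(OLE_MAGIC):
        # The legacy binary format gives no macro hint in the name at all.
        return "legacy-ole: may contain macros"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "corrupt-zip"
    if "[content_types].xml" not in names:
        return "not-office"
    # OOXML stores the VBA project as a part named vbaProject.bin.
    if not any(n.endswith("vbaproject.bin") for n in names):
        return "no-macros"
    if ext not in MACRO_EXTS:
        return "macro-mismatch: VBA project under a ." + ext + " name"
    return "macro-enabled"


def build_ooxml(with_macro):
    """Constructed minimal OOXML-like archive; part contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder")
    return buf.getvalue()
```

A verdict of macro-enabled, macro-mismatch or legacy-ole is a reason to quarantine or strip the attachment rather than deliver it unchanged.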
Should I pay the ransom for a ransomware attack?
No, experts and investigating authorities advise against paying the ransom. Often the data is not decrypted despite payment and the computer is still not usable. Therefore, anti-ransomware solutions should rather be used and preventive measures should be taken so that paying ransom does not become an option in the first place.