Ransomware – an introductory guide

It’s one of the hottest adversaries in cyber

By Bethan Moorcraft

Ransomware is a piece of red-hot cyber jargon. Perhaps you heard about it during your office cybersecurity training, or maybe you read about it in the news. Perhaps you deal with it every day in your role as a cyber risk expert or, worst-case scenario, you’re one of the unlucky victims to have a dreaded pop-up burst onto your computer screen saying: ‘You’re infected. Pay now!’ Regardless of how you came to hear about one of the fastest-growing beasts in the cyber sphere, it’s high time everyone understood the sharpness of its claws.

What is ransomware?

Ransomware is a type of malicious software that locks and encrypts a victim’s computer data and demands a ransom payment to restore access. Bad actors usually give victims a set amount of time to pay, promising to provide a decryption key once the ransom is paid (although there’s no guarantee of this given the criminal nature of the transaction). Cyber criminals usually ask for payment in virtual currency, such as Bitcoin.

How does ransomware spread?

There are multiple ways through which a computer can become infected with ransomware. One of the most common methods today is phishing spam, where attackers try to trick victims into opening infected attachments and links sent via email. Phishing emails often appear to originate from a trusted source or familiar brand, and at first glance they look authentic, so the recipient is tempted into entering valid credentials on a counterfeit website or downloading an infected file. Once the victim falls prey to the scam, the hacker has access to their computer, where they can encrypt away.

Another popular infection method is drive-by downloading or malvertising. This is the use of online advertising to distribute malware with little to no user interaction required. As Malwarebytes explains: “While browsing the web, even legitimate sites, users can be directed to criminal servers without ever clicking on an ad. These servers catalog details about victim computers and their locations, and then select the malware best suited to deliver. Often, that malware is ransomware.”

Then we have the more aggressive variants of ransomware. You’ve likely heard of WannaCry and NotPetya. These variants exploit unpatched security holes to infect computers and spread from machine to machine, without the hackers needing any social engineering to trick their victims.

What are the different types of ransomware attacks?

This is a beast that comes in all shapes and sizes. Some variants are more harmful than others, but they all have one thing at their core – the ransom demand. Here are a few common types:

- Locker ransomware – These attacks lock users’ computers by stopping them from logging in. They make it impossible for victims to access any files or applications.

- Crypto ransomware – This type of ransomware typically causes the most damage. It encrypts each victim’s files with randomly generated symmetric keys, and those keys are in turn encrypted with the attacker’s public key, so the files cannot be recovered without the matching (paid-for) private key. The WannaCry ransomware attack in 2017 is the most famous example of crypto ransomware. It targeted hundreds of thousands of computers around the world and spread within corporate networks globally.

- Doxware / Leakware – A hacker using the doxware tactic will threaten to publish stolen, often personally sensitive data if the victim doesn’t pay the ransom.

- Scareware – This fake software poses as a system cleaner or antivirus tool. It will trick victims into paying a ransom to clean up their system.

Can you remove ransomware?

Ransomware can be removed from your system. For the simplest, low-key attacks a free anti-ransomware removal tool could do the trick. These tools can remove the ransomware itself from a computer and, where the strain’s keys have been recovered or its encryption is flawed, decrypt the files that were compromised in the attack. For the more serious instances – perhaps a corporate breach involving crypto ransomware – it’s essential to engage professional data recovery teams and cyber risk experts who can decrypt files and, if necessary, negotiate ransom demands with the cyber criminals.

How do you prevent ransomware?

Cybersecurity best practices such as strong password hygiene, securing back-ups (ideally offline or otherwise out of an attacker’s reach), employee phishing training, regular system and software updates, and turning on multi-factor authentication are key to preventing ransomware attacks. As the ransomware beast continues to evolve, these measures cannot completely destroy the threat, but they can significantly mitigate it. Really, the most important weapon against ransomware is education. Especially in a corporate environment, the more employees understand the risk and how to mitigate it, the better chance they’ll have of avoiding an attack.

What do the cyber insurers say?

Ransomware is a serious, top-of-mind concern for cyber insurance providers around the world. Why? Because ransom demands, and the cyber insurance claims that follow them, keep going up and up. Here are a few recent insights from cyber insurance experts around the world in 2019:

Kimberly Horn, global claims team leader, cyber & tech claims at Beazley: “Today, what we’re seeing in terms of ransomware is more targeted attacks, and the bad actors are going after middle market companies. In these cases, the ransomware is more of a parting gift. They’ve already been in the system for some time, using sophisticated banking trojans to do a reconnaissance of the company in order to figure out what the company’s worth, what data they might be able to steal and profit from, and whether they have any system back-ups … A year and a half ago, the maximum amount we paid was about US$7,500, but in many cases, we weren’t paying the ransom because we had the back-ups available to restore the data. Now we’re seeing ransomware demands regularly in the seven figures, more like US$1 million, US$2 million, and a few weeks ago we saw one for almost US$4 million.”

Daniel Tobok, CEO of cybersecurity firm Cytelligence: “This trend has been going up steadily over the past five years. You have the usual suspects – you have Russia, you have China, you have North Korea, and you have Iran, which are the top four in the category. When you look at ransomware today, outside of organized crime, there are now also state-sponsored attacks, and the reason state-sponsored attacks have gotten into it is because it’s a revenue stream for those particular countries.”

James Burns, cyber product leader at CFC: “The costs associated with system failure or downtime following a cyberattack, like ransomware, can be hugely detrimental to a business and shouldn’t be overlooked when purchasing a cyber insurance policy.”

Elizabeth Geary, global head of cyber at TransRe: “Malware respects no boundaries, whether geographic, industrial or legal. As companies increase their reliance on technology, it is essential they increase their defenses against challenges such as malware, and effective cyber insurance is a critical component of that defense. Similarly, the insurance industry must also acknowledge and appreciate the potential for systemic risk, in addition to monitoring loss frequency and severity. This report seeks to quantify that systemic economic and insured impact.”

John Moore at Delta Insurance: “Ransomware is one of the biggest emerging risks that we’ve seen over the past few years. We saw forms of traditional ransomware around 2016 – this was mostly manageable for our insureds that ran cloud backups, as they could retrieve the vast majority of their data and be up and running again quite quickly. But cybercriminals have picked up on the fact that people are running backups, so they’re now targeting organizations in manual attacks. They’ll sit and observe the system before deploying encryption, while also deleting all of the backups stored in the cloud.”

Peter Foster, chairman of Willis Towers Watson’s Global FINEX Cyber and Cyber Risk Solutions: “It’s clear that companies are experiencing escalating impacts this year from key adversaries, including cybercriminals, malicious insiders and state-sponsored hackers, often from jurisdictions beyond the reach of local law. Establishing a continuous assessment through an integrated risk approach to cyber is critical for mitigating this ever-growing risk.”
