Ransomware, also known as extortion Trojans, blackmail software, crypto Trojans or encryption Trojans, is malicious software that lets an intruder deny the computer's owner access to data, the use of that data, or the entire computer system. Private data on the compromised computer is encrypted, or access to it is blocked, in order to demand a ransom for decryption or release.
The term is composed of ransom and ware, following the naming scheme commonly used for categories of computer programs (software, malware, etc.). According to a report by SonicWall, around 623 million ransomware attacks took place in 2021. A study published in 2022 puts the amount of ransom extorted through ransomware at $256.8 million in 2022, compared to $756.6 million in 2021.
The first known ransomware AIDS was sent as a letter
The idea dates back to 1989, when the Trojan horse AIDS was mailed on floppy disks to numerous research institutions. After some time, the program encrypted the data on the hard drive. According to the on-screen message, the license had expired. A company name was given, together with a P.O. Box address in Panama to which one should send a check to purchase a license key and have the data released again. The scheme was thus not immediately recognizable as extortion. The perpetrator, the American biologist Joseph L. Popp Jr., was identified; due to a mental illness, the investigation against him was discontinued.
The first malware ever to encrypt files was the boot sector virus Disk Killer. However, it was not designed for extortion but to cause data loss on server systems. It also appeared in 1989 and, according to its signature, was written before the AIDS Trojan. Not all ransomware encrypts data; simpler programs of this type lock the computer using various methods.
One of the first known attempts to spread ransomware over the Internet was carried out by cybercriminals in 2005 with the TROJ_PGPCODER.A Trojan. The victims were supposed to pay several hundred US dollars for the decryption of their data. Since cryptocurrencies have become established, transferring money has become much easier and less risky for the perpetrators. As a result, crimes involving ransomware increased massively almost worldwide starting around 2010.
In the police crime report of the state of Saxony-Anhalt from 2011, one case is mentioned as an example. A perpetrator had infected 831 computers in this federal state with extortion software.
Since about 2012, there have been frequent incidents with different variants of the BKA Trojan. It pretended to have locked the computer on behalf of a law enforcement agency because of illegal activities, and demanded that a fine be paid to unlock it. These Trojans usually did not encrypt any data but only locked the system, and in most cases the damage could be repaired easily. Victims who paid the demanded sum received no response or instructions on how to unlock the system.
In the meantime, paid as well as free construction kits, so-called crimeware kits, with which ransomware can be created, have appeared on underground forums.
In October 2013, the CryptoLocker ransomware became known, which demanded payment in Bitcoin for the first time.
In 2016, the Locky crypto Trojan emerged, which infected tens of thousands of PCs and, among others, the Fraunhofer Institute in Bayreuth. The Tesla X3 cryptovirus attacked computers at the city hall in Rheine, among others, in February 2016. According to the North Rhine-Westphalian State Criminal Police Office, 156 reports of attacks by ransomware were filed between December 1, 2015, and February 29, 2016; the number of unreported cases is believed to be far higher. Affected were 113 companies and institutions, including quite a few clinics and the Ministry of the Interior and Municipal Affairs of the state of North Rhine-Westphalia in Düsseldorf, which suffered an attack in December 2015.
In March 2016, KeRanger was found, a variant of a crypto Trojan for OS X. At the beginning of June 2016, the Fraunhofer Institute for Secure Information Technology reported that smartphones could also be affected by ransomware, especially when equipped with security apps containing vulnerabilities such as those the institute found in all seven applications it tested as examples and reported to the respective manufacturers for remediation.
In May 2017, the WannaCry computer worm attacked, among others, several globally active large companies within a very short period of time; over 230,000 computers in 150 countries were infected. Because of these proportions, the European Police Office called the outbreak an unprecedented event. In addition to spreading primarily as an email attachment, WannaCry also has the characteristics of a network worm and attempts to actively infect other computers via operating system vulnerabilities without user intervention. Systems with Microsoft's April 2017 updates installed were not affected. Certain file and printer sharing services had to be exposed for WannaCry to spread, which it did especially in internal corporate networks containing computer systems that had been left unpatched for a long time. Paying the ransom was pointless in this case as well: the ransomware was programmed incorrectly, so the data could not be reliably decrypted.
Since 2019, cell phones have increasingly become victims of ransomware attacks. According to a study by research institute Check Point, the number of cyberattacks on smartphones and tablets increased by fifty percent in the first half of 2019 compared to the previous year.
In July 2021, cybercriminals exploited a vulnerability in software for VSA servers from the company Kaseya. The remote maintenance software was manipulated to inject the Sodinokibi.N Trojan, which was then used to encrypt data on the network. The Russian hacker group REvil claimed responsibility for the cyberattack. In 2022, the ransomware HIVE was discovered and rendered harmless. In 2023, the Russian ransomware group Indrik Spider was exposed, which, among other things, carried out a ransomware attack on the University Hospital in Düsseldorf, Germany, in which one person died. In 2023, the Play ransomware group carried out a wave of extortion attacks on private as well as state-owned companies in Switzerland.
Meanwhile, ransomware criminals have moved on from merely encrypting their victims' systems and demanding a ransom for decryption ("single extortion") to additionally exfiltrating sensitive customer and company data and threatening to release it ("double extortion"). The English term extortion corresponds to the German Erpressung. In international terminology, a distinction is made between single extortion, double extortion and multiple extortion. The second extortion in double extortion is characterized by the perpetrator's explicit or implicit demand for money in return for refraining from publishing the spied-out data.
An example of double extortion is the CONTI ransomware series. Under the name "Conti News," the perpetrators set up a blog on a dark web page on the Tor network. The site was also accessible to anyone on the ordinary Internet via clear web proxies. From August 2020 to July 2022, some 859 to 869 entries were posted on it regarding affected parties whose data had been encrypted by the CONTI ransomware. Some of these were larger companies that paid claims in the millions. A digital wallet for the cryptocurrency Bitcoin (BTC) that is primarily attributed to CONTI received a total of 65,498.197 BTC in the period from April 21, 2017 to February 28, 2022. The value of cryptocurrencies is subject to wide fluctuations; by one estimate, without tracking individual inflows and outflows, 65,000 BTC would have been worth around two to two and a half billion euros in February 2022. About 53 of the parties Conti published were companies based in Germany, and others had German ties. The perpetrators offered parts of the spied-out data for download on their blog. Experts call this type of Internet presence, on which spied-out data is offered, a leak site. In the period of one year, between July 2020 and September 2021, researchers estimate that the amount of data offered publicly by CONTI alone exceeded 18.7 terabytes. This figure is to be interpreted in the sense of Moore's law: it describes a large amount of data by the understanding at the time the acts occurred. Technological advancement will change the subjective perception of when a quantity of data is large, and in the future that number will be perceived as smaller. By publishing on a leak site, the perpetrators hope to coerce those affected into paying. Personal data is often published for this purpose, along with low-value data garbage. Some also monetize the stolen data on marketplaces on the dark web.
The principle of double extortion can be extended even further. To do this, the perpetrator uses stolen data and OSINT searches to locate third parties who depend on the data or on access to it. These third parties are then blackmailed on the basis of their dependencies; the so-called supply chain attack is one example. Triple and quadruple extortion are manifestations of this type of extortion. Depending on the content of the spied-out data, the perpetrators have further options for action, which leads to the term multiple extortion for all further possibilities that may arise for them. Using CONTI as an example, it was demonstrated that a structure comparable to that of a software company was created in the underground economy to organize the offenses.
Concrete examples of the German terms for the individual manifestations of ransomware are ransom extortion, hush-money extortion and protection-money extortion. Ransom extortion stands for single extortion and hush-money extortion for double extortion. Protection-money extortion can be described as follows: in a further attack, the perpetrator causes a denial of service, another form of computer sabotage, which makes the affected parties' systems unreachable on the Internet. This is an additional means of coercing victims who are already under pressure because of the encryption.
Ransomware can enter a computer in the same ways as a computer virus. These include prepared email attachments, the exploitation of vulnerabilities in web browsers, and data services such as Dropbox.
For example, emails are sent claiming that an attached ZIP file contains an invoice or a delivery note for ordered goods. It is also sometimes claimed that the Federal Criminal Police Office, the Federal Police, GEMA or Microsoft have detected illegal activity on the computer and locked it as a result.
Infiltration of systems and exfiltration of data
Before, during and after a ransomware encrypts data, several dangerous processes can take place. In the case of manually operated ransomware, the attackers connected to the compromised system attempt to move around that system and the networks connected to it (infiltration). For an idealized picture of how the attackers proceed, it helps to think of remote maintenance software, even though the attacks can be technically far more sophisticated. Movement within the invaded system is called lateral movement in English terminology. Even after the data of individual computers has been encrypted, without countermeasures there is a risk that further encryption in connected systems will follow. If the intruders find data that looks interesting and valuable, they spy on it. Using partly covert and anonymized channels, they transfer the data from the private network or the organization's network to the Internet, to data stores under their control (exfiltration). After sifting the stolen data and assessing its value, they decide on its further use for extortion or sale to third parties.
Blocking the system
An infected computer can be blocked in different ways. Simpler and more harmless extortion attempts manifest themselves only in a notification window that appears at every regular system startup and cannot be closed. The Task Manager is also blocked. Inexperienced PC users do not know how to stop this blockade. The only way out seems to be to pay the ransom, for example, by buying a Paysafecard or Ukash card. The amount is credited to the extortionist by entering the payment system’s voucher number on the compromised PC, which electronically communicates it to the perpetrator. Bitcoin cryptocurrency is used as another anonymous payment method.
Encryption of documents
Particularly malicious variants of ransomware have a greater malicious potential: they encrypt files on the computer; preferably files that can be assumed to be very important for the computer’s owner and possibly irrecoverable. Therefore, on Windows systems, ransomware usually starts in the My Documents folder and prefers documents created with Office applications there, as well as emails, databases, archives and photos, among others. Without a decryption password, the user no longer has access to their contents. Thus, unlike spyware, it does not move large amounts of data.
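The mass rewriting of user documents as near-random data described above is also what a defender can look for. The following added example (not from the original article) implements a simple host-side detector over constructed file-write events: a write is flagged when a file gains a new extension and its new content has near-maximal Shannon entropy, or when a decoy "canary" document is touched at all; an alert fires when enough flagged writes fall inside a sliding time window. All paths, thresholds and events are constructed assumptions.

```python
import math
from collections import Counter, deque
from random import Random

HIGH_ENTROPY = 7.0      # bits per byte; encrypted or compressed data sits close to 8.0
WINDOW_SECONDS = 60     # sliding window length
MIN_HITS = 5            # flagged writes within the window needed to raise an alert
# Decoy documents that no legitimate user or process ever edits (constructed path).
CANARY_PATHS = {"/home/user/Documents/!canary.docx"}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_suspicious(event) -> bool:
    """event = (timestamp, old_path, new_path, new_content).
    Flag a write that touches a canary file, or that renames the file to a new
    extension while replacing its content with near-random bytes."""
    _ts, old_path, new_path, data = event
    if old_path in CANARY_PATHS:
        return True
    renamed = old_path.rsplit(".", 1)[-1] != new_path.rsplit(".", 1)[-1]
    return renamed and shannon_entropy(data) >= HIGH_ENTROPY

def detect_mass_encryption(events, window=WINDOW_SECONDS, min_hits=MIN_HITS):
    """Return the timestamp at which min_hits flagged writes first fall inside
    one window, or None if the event stream never crosses the threshold."""
    recent = deque()
    for ev in sorted(events, key=lambda e: e[0]):
        if not is_suspicious(ev):
            continue
        recent.append(ev[0])
        while recent and ev[0] - recent[0] > window:
            recent.popleft()
        if len(recent) >= min_hits:
            return ev[0]
    return None

# Constructed sample stream: two ordinary edits, then eight documents rewritten
# as random bytes under a new extension within 16 seconds (seeded, so repeatable).
_rng = Random(7)
NORMAL_TEXT = b"Quarterly report. Revenue grew modestly; see attached tables.\n" * 40
SAMPLE_EVENTS = [
    (0, "/home/user/Documents/report.docx", "/home/user/Documents/report.docx", NORMAL_TEXT),
    (5, "/home/user/Documents/notes.txt", "/home/user/Documents/notes.txt", NORMAL_TEXT),
] + [
    (100 + 2 * i, f"/home/user/Documents/file{i}.xlsx",
     f"/home/user/Documents/file{i}.xlsx.locked", _rng.randbytes(4096))
    for i in range(8)
]

if __name__ == "__main__":
    print("first alert at t =", detect_mass_encryption(SAMPLE_EVENTS))  # 108
```

Entropy alone also fires on legitimately compressed or encrypted files (ZIP archives, password-protected PDFs), which is why the check is combined with the extension change, the rate and the canary rather than used on its own.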
In order to decrypt the data encrypted by the ransomware, the intruder asks the victim to pay a ransom in order to receive the decryption software or the required password. Sometimes, the user is first asked to contact the ransomware creator separately, for example, by sending an email to a certain email address, by visiting a certain website or by filling out a form. The criminals often threaten that all data will be destroyed if the police are contacted.
The infected computer may be further manipulated and monitored by the malware; therefore, it must not be used for further work, especially activities that require a password. Transferring the ransom from the affected computer via online banking is considered gross negligence.
In some cases, the possibility of decrypting the encrypted files is not even provided for on the part of the attacker, so these files are irrevocably lost unless a backup copy of the encrypted files exists.
Protection and countermeasures
The National Cyber Security Center of the Swiss Federal Administration has published recommendations for private users as well as for companies on its website:
Regularly back up data to an external medium that is only connected to the computer during the backup process. If the backup drive remains connected, the active ransomware can also destroy the backup.
Keep the operating system up to date, install updates quickly.
Beware of emails that come from an unknown sender. Links may lead to websites with malware, attached files may contain a malicious program.
Install an antivirus and update it regularly.
Use a firewall.
The German Federal Office for Information Security has published a situation analysis that includes extensive recommendations for protection and countermeasures as well as the recommended course of action in the event of an incident. The analysis is aimed at professional users and IT managers in companies, public authorities and other institutions. The No More Ransom website is an initiative of the National High Tech Crime Unit of the Dutch police, Europol's European Cybercrime Centre and two cyber security companies; it aims to explain ransomware to users, recommend countermeasures that effectively prevent infection, and help ransomware victims decrypt their data.
Another countermeasure is to use file systems that do not remove the original data immediately, or at all, when it is overwritten. One option is a versioning file system such as NILFS on Linux. Another is a system service such as the Volume Shadow Copy Service (VSS) on Windows, which continuously creates snapshots of files as they are changed and thus stores their version history. A further possibility is to use a feature-rich file system such as ZFS on storage systems. ZFS makes it possible, even for very large file systems, to create write-protected snapshots of the complete file system periodically and at short intervals of a few minutes, and to keep these snapshots within the file system, where they cannot be modified. When configured appropriately, file systems such as ZFS are largely immune to ransomware.
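The periodic short-interval ZFS snapshots described above need a scheduler and a retention policy. The following added example (not from the original article) plans one rotation step: it names a new snapshot for the current time, keeps the most recent snapshots it manages, never touches snapshots without its own prefix (such as manual ones), and emits the zfs commands, executing them only when dry_run is False. The dataset name, prefix, interval and retention count are assumptions; running it requires a host with ZFS, and the planning function itself needs none.

```python
from __future__ import annotations
import subprocess
from datetime import datetime, timedelta

DATASET = "tank/home"            # assumed pool/dataset to protect
PREFIX = "auto-"                 # only snapshots with this prefix are managed here
INTERVAL = timedelta(minutes=5)  # cadence: an encryption run can cost at most ~5 min of work
KEEP = 288                       # 288 x 5 min = 24 h of rollback points

def snapshot_name(now: datetime) -> str:
    """Zero-padded timestamp so that lexical order equals chronological order."""
    return f"{DATASET}@{PREFIX}{now:%Y%m%d-%H%M}"

def plan_rotation(existing: list[str], now: datetime, keep: int = KEEP):
    """Decide which snapshot to create and which old ones to destroy.
    Returns (new_name or None, [names_to_destroy]); foreign snapshots are left alone."""
    ours = sorted(s for s in existing if s.startswith(f"{DATASET}@{PREFIX}"))
    new = snapshot_name(now)
    if new in ours:            # already ran in this interval
        return None, []
    ours.append(new)
    return new, (ours[:-keep] if len(ours) > keep else [])

def rotate(dry_run: bool = True) -> tuple[str | None, list[str]]:
    """One scheduler tick: list snapshots, create the new one, prune the oldest.
    Snapshots are read-only by design, so the dataset can later be restored with
    'zfs rollback' to any surviving snapshot."""
    listing = subprocess.run(
        ["zfs", "list", "-H", "-t", "snapshot", "-o", "name", "-r", DATASET],
        capture_output=True, text=True, check=True).stdout.split()
    new, old = plan_rotation(listing, datetime.now())
    cmds = ([["zfs", "snapshot", new]] if new else []) + [["zfs", "destroy", s] for s in old]
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return new, old

if __name__ == "__main__":
    rotate(dry_run=True)   # schedule with cron/systemd every INTERVAL with dry_run=False
```

An intruder with root on the host can run `zfs destroy` just as this script does, so the snapshots should additionally be replicated with `zfs send` to a receiver that the protected host cannot log in to.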
Recovering encrypted data
In the case of the malware that was widespread in the period from 2011 to February 2012, access to the data was prevented, but no encryption took place. Commercially available antivirus programs were able to remove some of these malware. Free programs, for example Malwarebytes Anti-Malware or Avira, were sufficient for this purpose. All cleaning, decryption and other measures must be carried out from a “clean system” – never “from within the affected operating system itself”.
In some cases, security researchers succeed in cracking ransomware and providing decryption tools that can then be used to decrypt the encrypted data again. In February 2016, for example, it was possible to break the encryption of TeslaCrypt 2 up to version 2.2.0. In April 2016, the encryption of the Petya extortion Trojan (version up to December 2016) was temporarily cracked. The hack-petya software generated a key with which the data could be decrypted again.
In some cases, data recovery is possible even after encryption is complete:
Some ransomware only encrypts the beginning of each file. Reconstruction of affected files is then still possible in many cases, especially for larger files (for example, databases or archive files).
In some cases, computer forensic methods can still find the key for the encryption used on the data medium and thus decrypt the data.
The reconstruction of deleted files is possible in many cases. Especially when editing documents, temporary files are often created and then deleted. Deleted documents are not usually encrypted by ransomware to date.
Despite the perpetrators' claims, data backups on NAS are in many cases not encrypted by ransomware; instead, only deleted areas are overwritten with random data. Data recovery is usually possible here as well.
Origin of the ransomware groups
The ransomware groups often operate from abroad. The head of the UK’s National Cyber Security Centre said in 2021 that cybercriminals from Russia and its neighboring countries are behind most online extortion against UK companies.
A 2021 study by U.S.-based Chainalysis found that 74% of all money obtained through ransomware extortion (≈ $400 million) very likely went to cybercriminals with a connection to Russia. Much of the extorted money also passed through Russian crypto companies based in the capital, Moscow. To attribute each ransomware group, the analysts used a list of characteristic indicators, including
Language of the malware and documents, as well as the language of the forums where the cybercriminals were active
Program code that did not execute if the infected victim was located in the CIS countries (part of the former states of the Soviet Union)
Connections to other cybercriminal groups whose origin had already been proven.
How Cloud Backup Protects Against Ransomware
Ransomware comes in two main "flavors": either the system is encrypted automatically, or system access is handed to a criminal, who first gathers important information from the IT systems and then blackmails the company. Cloud backup is a form of data copy that is not accessible from the source system. The only exception is a criminal who obtains the login information for the cloud backup account, which may be stored on the victim's PC, and then destroys all data in the cloud account by hand.
If installed and operated correctly, cloud backup forms an isolated offsite copy that neither criminals nor automated ransomware can reach from the protected system.