Blog / Hacking, 28 June 2024
Author: Hana Salman
8 min read

Data held hostage: Ransomware Explained


As you tirelessly scroll through Instagram reels, an email notification pops up on your screen about a matter of dire urgency: your bank has suffered a breach and you must change your account credentials immediately.

Panicking, you open the attachment that came with the email. The screen goes black, and then a message appears announcing that all your data is now being held hostage.

Scared, you try to open a document on your computer, only to find that it no longer opens: its contents have been encrypted. Every other important file you click on is in the same state.

Unfortunately, you have fallen victim to a malicious cyber attack known as ransomware.

What Is Ransomware?


Ransomware is malware designed to hold your data hostage until a sum of money is paid by the individual or organisation the data belongs to. In some cases the attackers threaten to delete the data, or the key needed to recover it, once a deadline passes.

The most common form is crypto-ransomware: the victim's files are encrypted in place, and the decryption key is offered in exchange for the ransom. Without that key, the files are unreadable even though they are still on the disk.

Less often, locker ransomware does not touch individual files at all but locks the victim out of the entire device until the amount is paid.

What are the different types of ransomware?

Beyond plain file encryption, several variants are in use:

  1. Doxware (also called leakware) is ransomware whose operators steal the victim's data before encrypting it and threaten to publish it unless the ransom is paid. This "double extortion" works even against victims who have good backups.

  2. Destructive ransomware, or wipers, destroys data rather than holding it hostage. The ransom note is a cover: the data is lost even if the victim pays. These cases are rare, as wipers are generally used by hacktivists or state-backed groups rather than ordinary cybercriminals motivated solely by monetary gain.

  3. Mobile ransomware is any ransomware that targets phones and tablets, usually by locking the screen rather than encrypting files.

  4. Scareware relies on fear rather than real encryption. Fake antivirus alerts or bogus law-enforcement notices claim the device is infected or has been used for a crime and demand payment to "fix" it; often nothing is actually encrypted. The same pressure tactics are used to coerce victims into installing the malware in the first place.

How can ransomware be delivered?

The process of infecting a target with ransomware usually unfolds in five stages:

[Figure: The stages of ransomware explained]

Stage 1

In the first stage, an attack vector is used to gain initial access to the victim's environment.

  • Vectors include social engineering methods such as phishing, where fraudulent emails, text messages or phone calls lure users into opening an attachment, following a link or handing over credentials.

  • Attackers also exploit unpatched vulnerabilities in internet-facing systems, reuse stolen or weak credentials (for example on exposed remote-access services), and use drive-by downloads from compromised websites to get a foothold.

Stage 2

In the second stage, cybercriminals establish persistent access, typically by installing malware such as a remote access tool (RAT) or backdoor so that they can return even if the original entry point is closed.

Stage 3

Stage three is discovery and lateral movement: the attacker maps the network they have landed in, hunts for privileged accounts, backups and domain controllers, and spreads to other interconnected systems so that the eventual encryption hits as much of the organisation as possible.

Stage 4

Stage four is data collection and exfiltration. Cybercriminals download a copy of the victim's valuable information, whether passwords, credentials or intellectual property, to the attacker's own infrastructure. This stolen copy is what makes double extortion possible: even a victim who can restore from backup can still be threatened with publication.

Last Stage

In the final stage, files are identified and encrypted, or the user's device is locked. Because the attacker is already in control of the network, this step is often launched simultaneously on many machines, frequently outside business hours.

Alternatively, the device may be flooded with pop-ups to the point that it is rendered unusable.

The dreaded ransom note is then delivered via a pop-up window or a .txt file dropped into every encrypted folder.
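The final stage is the one defenders can still catch on the endpoint, because mass encryption leaves a distinctive trace: many files rewritten within seconds with near-random contents and a new shared extension, followed by a ransom note. The Python script below is an added example, not code from the original article. It scores a constructed stream of file-write events with those three signals; the sample events, the thresholds and the ransom-note name markers are all assumptions chosen for illustration.

```python
"""Heuristic detector for the encryption stage of a ransomware attack.

Added example, not from the original article. Three signals are combined:
  1. a burst of distinct files rewritten with one new, shared extension
  2. high Shannon entropy of the written bytes (ciphertext looks random)
  3. a ransom-note-like .txt file appearing in the same stream
All event data below is constructed; thresholds are illustrative assumptions.
"""
import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WriteEvent:
    ts: float     # seconds since epoch
    path: str
    data: bytes   # bytes written to the file


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, roughly 4 to 5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Assumed markers; real notes vary, so treat this as one weak signal among several.
RANSOM_NOTE_MARKERS = ("readme", "decrypt", "restore", "recover", "how_to")


def looks_like_ransom_note(path: str) -> bool:
    name = path.rsplit("/", 1)[-1].lower()
    return name.endswith(".txt") and any(m in name for m in RANSOM_NOTE_MARKERS)


def file_extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_encryption_burst(events, window_s=60.0, min_files=5, entropy_threshold=7.0):
    """Flag any window_s-second window in which at least min_files distinct files
    were rewritten with high-entropy content sharing one extension.
    Returns (flagged, evidence)."""
    ordered = sorted(events, key=lambda e: e.ts)
    high = [e for e in ordered if shannon_entropy(e.data) >= entropy_threshold]
    note_seen = any(looks_like_ransom_note(e.path) for e in ordered)
    best = {"files": 0, "extension": None, "ransom_note": note_seen}
    for i, start in enumerate(high):          # slide a window over high-entropy writes
        by_ext = defaultdict(set)
        for e in high[i:]:
            if e.ts - start.ts > window_s:
                break
            by_ext[file_extension(e.path)].add(e.path)
        for ext, paths in by_ext.items():
            if len(paths) > best["files"]:
                best = {"files": len(paths), "extension": ext, "ransom_note": note_seen}
    return best["files"] >= min_files, best


# --- constructed sample data (not from any real incident) --------------------
def fake_ciphertext(seed: int) -> bytes:
    """Deterministic stand-in for encrypted output: 4 KiB of SHA-256 digests."""
    return b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(128))


PLAINTEXT = b"Quarterly report: revenue up 4%, headcount flat, renewals on track.\n" * 40


def sample_events():
    normal = [WriteEvent(1000.0 + i, f"/home/alice/docs/note{i}.txt", PLAINTEXT)
              for i in range(3)]
    burst = [WriteEvent(1100.0 + i, f"/home/alice/docs/report{i}.docx.locked", fake_ciphertext(i))
             for i in range(6)]
    note = [WriteEvent(1107.0, "/home/alice/docs/README_TO_RESTORE.txt", PLAINTEXT)]
    return normal + burst + note


def run_example():
    return detect_encryption_burst(sample_events())


if __name__ == "__main__":
    print(run_example())
```

Compressed archives, software updates and media files also write high-entropy data, so an entropy-only rule will false-positive; the extension-churn and ransom-note signals, canary files that nothing legitimate should touch, and the process lineage behind the writes are what make the alert actionable, and the response on a hit is to isolate the host immediately rather than wait for more evidence.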

List of Notorious Ransomware Variants 

Octapharma Plasma Ransomware

A particularly dangerous case happened in April 2024, when the ransomware gang BlackSuit attacked the healthcare company Octapharma Plasma.

In the attack, sensitive data belonging to donors, including addresses and social security numbers, along with financial, laboratory and business data, was stolen by the cybercriminals. Although little is known about BlackSuit's ransom demands or any negotiations, Octapharma began reopening some of its 180 centers after nearly a week, which some took as a sign of an agreement between the two parties.

Fulton County Ransomware

The Fulton County incident occurred in January 2024. Fulton County's government services were temporarily non-operational after the cybercrime group LockBit launched a ransomware attack against them and threatened to dump highly sensitive information online.

LockBit also claimed to hold records from former President Donald Trump's criminal case over alleged interference in the 2020 election.

Jeff Disantis, a spokesperson for the District Attorney’s Office, confirmed the hacking attempt. He said:

“All material related to the election case is kept in a separate, highly secure system that was not hacked and is designed to make any unauthorized access extremely difficult, if not impossible.”

LockBit claimed that the information it held could affect the upcoming elections, but eventually removed the county from its leak site, claiming that a ransom had been paid. Fulton County chairman Robb Pitts firmly denied that any ransom was paid and said the county did not know why LockBit removed the data.

After the malware was removed, Fulton County's systems were slowly restored.

Other infamous ransomware variants

  • CryptoLocker - An early crypto-ransomware variant estimated to have extorted around $3 million.

  • WannaCry - A self-spreading worm that infected an estimated 300,000 devices in 2017 and is blamed for around $4 billion in damages.

  • Ryuk - Targeted larger businesses and organisations and demanded an average of $1 million per attack. The FBI estimates it extorted $61 million in 2018-2019.

Ransomware demands over the years

Ransom payments differ from case to case. In the 2021 Kaseya supply-chain attack, for instance, the REvil gang demanded a startling $70 million for a universal decryptor covering roughly 1,500 affected businesses.

The proportion of victims that give in to ransom demands has fallen sharply in recent years. This can be credited to increased awareness and preparedness, including reliable data backups and better threat prevention and detection technology.

Paying ransoms is heavily discouraged by US federal law enforcement, and in some cases it can also be illegal.

The US Office of Foreign Assets Control (OFAC) has warned that paying a ransom to attackers in countries or groups under US economic sanctions can violate sanctions law, exposing the payer to civil penalties and potentially criminal charges, even if they did not know who they were paying.

How to Protect From Ransomware

Although the threat of ransomware is frightening, there are practical ways in which individuals and organisations can protect themselves.

Here's what you need to do:

  • Sensitive or personal data should always be backed up, and the backups kept offline or otherwise unreachable from the systems they protect, since attackers hunt for and delete reachable backups before encrypting. Test that you can actually restore from them.

  • Access control policies should enforce least privilege, limiting how far an attacker can spread and which sensitive files they can reach with one compromised account.

  • Multifactor authentication should be required, especially on remote access, email and administrative accounts, so that a stolen password alone is not enough.

  • Formal incident response plans should be drawn up and rehearsed by security and IT teams, so that an intrusion is detected and contained in the early stages, before the encryption stage is reached.
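Backups are only a defence if they survive the attack and actually restore. As an added example (not code from the original article), the Python script below copies a directory tree to a backup location with a SHA-256 manifest, shows how a simulated encryption run shows up when the live tree is checked against that manifest, and then proves the restore. The directory layout, file names and the simulated encryption are constructed for the example.

```python
"""Backup integrity and restore check (added example, not from the article).

create_backup copies a tree and records a SHA-256 manifest of the copy;
verify_tree compares a live tree against the manifest so that an encryption
run shows up as modified or missing files; restore_from_backup rebuilds the
tree from the copy. run_example wires the three together on a temporary
directory with constructed sample files.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, dst: Path) -> dict:
    """Copy src into dst/data and write dst/manifest.json mapping relative path -> sha256."""
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            target = dst / "data" / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = sha256_file(target)   # hash the copy, not the source
    (dst / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_tree(live: Path, manifest: dict) -> dict:
    """Classify every manifest entry as intact, modified or missing in the live tree."""
    report = {"intact": [], "modified": [], "missing": []}
    for rel, digest in manifest.items():
        p = live / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != digest:
            report["modified"].append(rel)
        else:
            report["intact"].append(rel)
    return report


def restore_from_backup(dst: Path, live: Path) -> dict:
    """Rebuild live from dst/data, then re-verify; a clean restore has nothing modified or missing."""
    manifest = json.loads((dst / "manifest.json").read_text())
    for rel in manifest:
        target = live / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dst / "data" / rel, target)
    return verify_tree(live, manifest)


def simulate_encryption(live: Path) -> None:
    """Constructed stand-in for the final ransomware stage: overwrite every file
    with pseudo-random bytes, rename it with a .locked extension, drop a note."""
    for p in list(live.rglob("*")):
        if p.is_file():
            p.write_bytes(hashlib.sha256(p.name.encode()).digest() * 16)
            p.rename(p.with_name(p.name + ".locked"))
    (live / "HOW_TO_RESTORE.txt").write_text("pay us\n")


def run_example() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp) / "live", Path(tmp) / "backup"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "q1.csv").write_text("id,amount\n1,250\n")   # constructed sample
        (live / "notes.txt").write_text("nothing special here\n")        # constructed sample
        manifest = create_backup(live, backup)
        before = verify_tree(live, manifest)
        simulate_encryption(live)
        during = verify_tree(live, manifest)     # renamed + overwritten files show as missing
        after = restore_from_backup(backup, live)
        return {"before": before, "during": during, "after": after}


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

In the example the backup sits next to the live data, which is exactly what a real deployment must avoid: the copy and its manifest belong on storage the endpoint cannot write to (offline media, or an object store with immutability or object-lock enabled), because attackers look for and destroy reachable backups during the discovery stage. Restore onto a rebuilt, clean system rather than the compromised one, since restoring files does not remove the attacker's persistence or artifacts such as the note dropped here.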

Conclusion

As technology rapidly becomes more sophisticated, netizens face a constant struggle between the propagation and prevention of digital crimes that threaten to ruin our lives. Taking measures to educate yourself and spreading awareness about best cybersecurity practices can help keep you and the people around you safe from falling for online traps such as ransomware. 

Hana Salman / Freelance Contributor
Hana enjoys content writing and learning about new topics such as cybersecurity. She plans to someday be a psychologist to understand people better as well as help them understand themselves.
Frequently Asked Questions

What are the consequences of a ransomware attack?
Ransomware attacks can result in data loss, financial losses, operational disruption and reputational damage. Depending on the severity of the attack and the importance of the encrypted data, organisations and individuals may face significant consequences.

Should I pay the ransom?
Experts generally advise against paying. Paying does not guarantee the safe return of your files, and it funds further criminal activity. Report the incident to law enforcement and seek assistance from cybersecurity professionals.