What is Ransomware?

In today's blog, we will be going into something most people assume they have a basic grasp of, but you would be surprised how many people just don't understand, or don't know, what ransomware is. What is ransomware? How did we get to where we are today? We will explain a little bit about how ransomware is changing as of today, November 2022, and what the future might look like. So, without further ado, let's jump into it.

Ransomware, What Is It?

Ransomware, first off, has been around for a while. It has probably been a problem for well over 15 years now. It originally started with individuals who downloaded a file from somewhere they shouldn't have.

Early Days

In the early days of ransomware, we used to see it a lot where a customer's or client's kid had downloaded something to the home computer, usually through a peer-to-peer file sharing service. Those were very popular back before Spotify and all the other music platforms that let you buy music digitally with no effort. There was a point in time when music was still being sold on CDs and the industry hadn't bought into this whole internet and digital world yet. People just found ways to buy, steal and trade audio files, music and video files, including DVD movies, over these peer-to-peer networks. That's where Napster was originally born from, if you're familiar with it. But a lot of these downloads, these videos, these music files, came wrapped with things like malware and ransomware.

Back in the Day

You can still get ransomware today the same ways you could back then. For example, people got ransomware by clicking on phishing links and malicious links in emails. But a couple of things were different. Number one, it wasn't as easy to get a cryptocurrency account as it is now on a platform like Coinbase. It used to be a pretty drawn-out process, or at least those platforms' operations weren't as efficient as they are now. If you wanted to sign up for a Coinbase account, it could take the better part of two weeks to get that account approved before you could start buying Bitcoin.

Paying the ransom also wasn't the easy process most people think it is today, and people didn't want to wait that long. At the time, the ransom demands were not nearly as high either. Cyber criminals would usually hit people for a few hundred bucks, mainly because they were hitting individuals on their personal computers. People were losing things like Word documents, Excel files and pictures, and not much more than that in the early days of ransomware.

Popular Trends to Pay Ransom

Back then, the most popular way to pay these cyber criminals was a Western Union money transfer. Our company remembers helping a person who got hit with ransomware back in 2008 or 2009, and they ended up having to go to a 7-Eleven to buy a Western Union money order and send that money to cyber criminals somewhere in the world to get the decryption key. Most of the time the victim did get the key and their files were unlocked. That's how it was!

Simply put, ransomware gets onto your system. It's software that runs, looks for what you have on the system and encrypts certain files. In the early days, it would look for PDFs, Office files like Word, Excel and PowerPoint, and pictures, and encrypt them so you could no longer open them. Encryption scrambles the contents of the file, so the application that normally opens it can no longer make sense of it. When you try to open one of these files, it just generates an error along the lines of, "The file is corrupted and cannot be opened."

When this happens, you start to realize you have a problem. People start reporting that they can't open files on the network. That's a lot of what we see going on today with ransomware. If you don't have the proper security controls in place to detect this stuff, the ransomware usually isn't discovered until it is well under way, when you or your employees can no longer open files and can no longer work with them.
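To make the detection point concrete, here is an added example (not code from the original post or from Xact IT) of the kind of cheap check a file server or backup job could run: it flags files that look like they have been encrypted in place, using two signals an in-place encryptor leaves behind. The file's byte entropy jumps to close to 8 bits per byte, and the header ("magic bytes") a healthy file of that type starts with is gone. The sample files, the magic-bytes table and the thresholds are all constructed assumptions for the demo; the "encrypted" files are simply overwritten with a deterministic maximum-entropy stand-in, not produced by any real ransomware.

```python
"""
Added example: flag files that look like they were encrypted in place.
Everything below (file names, magic table, thresholds) is illustrative.
"""
import math
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Header bytes a healthy file with this extension starts with.
# Assumption: a small table for the demo; a real scanner carries many more.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
}
ENTROPY_THRESHOLD = 7.5  # bits/byte; compressed or encrypted data sits near 8.0
MIN_SIZE = 256           # tiny files give meaningless entropy values

# Deterministic stand-in for ciphertext: every byte value 16 times,
# which is exactly 8.0 bits/byte. Not produced by any real encryptor.
CIPHERTEXT_STANDIN = bytes(range(256)) * 16


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> str:
    """Return 'ok', 'header-mismatch' or 'high-entropy' for one file."""
    data = path.read_bytes()
    expected = MAGIC.get(path.suffix.lower())
    if expected is not None:
        # Known format: trust the header. PNG, JPEG and Office files have
        # compressed bodies that are legitimately high-entropy, so entropy
        # alone would false-positive on every healthy one of them.
        return "ok" if data.startswith(expected) else "header-mismatch"
    # Unknown extension (plain text, or a renamed file like *.locked):
    # fall back to entropy, which plain documents never get close to.
    if len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "high-entropy"
    return "ok"


def scan(root: Path) -> dict:
    """Map every file under root (path relative to root) to its verdict."""
    return {
        str(p.relative_to(root)): classify(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def looks_like_mass_encryption(verdicts: dict, ratio: float = 0.5) -> bool:
    """One odd file is noise; a large share of files turning into
    ciphertext at the same time is the signal. ratio is an assumed cut-off."""
    if not verdicts:
        return False
    flagged = sum(1 for v in verdicts.values() if v != "ok")
    return flagged / len(verdicts) >= ratio


def build_sample_tree() -> Path:
    """Constructed sample data: three healthy files and three that have been
    overwritten the way an in-place encryptor leaves them (one also renamed)."""
    root = Path(tempfile.mkdtemp(prefix="rw-demo-"))
    (root / "notes.txt").write_bytes(b"Quarterly planning notes. " * 40)
    (root / "report.pdf").write_bytes(
        b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 20)
    # Healthy PNG: header intact, body random-looking (compressed).
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + CIPHERTEXT_STANDIN[:1024])
    # After "encryption": headers gone, bodies are ciphertext, one renamed.
    (root / "budget.xlsx").write_bytes(CIPHERTEXT_STANDIN)
    (root / "invoice.pdf").write_bytes(CIPHERTEXT_STANDIN)
    (root / "contract.docx.locked").write_bytes(CIPHERTEXT_STANDIN)
    return root


def demo():
    """Build the sample tree, scan it, clean up, return (verdicts, alarm)."""
    root = build_sample_tree()
    try:
        verdicts = scan(root)
        return verdicts, looks_like_mass_encryption(verdicts)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    results, alarm = demo()
    for name, verdict in results.items():
        print(f"{verdict:16} {name}")
    print("mass-encryption alarm:", alarm)
```

The design choice worth noting is that the two signals are not interchangeable: entropy alone would flag every healthy PNG, JPEG and Office document on the share, so for known formats the check trusts the header and only falls back to entropy for unknown extensions, which is exactly what a renamed `.locked` file turns into. The ratio check matters just as much, because the event you want to alarm on is many files changing character at once, not one odd file.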

What Did Ransomware Evolve to?

Ransomware has evolved into a very lucrative criminal activity. The really good operations are run by highly organized, well-funded criminal organizations, and in some cases state-backed ones. You also have governments involved in deploying ransomware, whether they want to admit it or not. These attackers want to make money right now, and they know most businesses are not doing enough to protect themselves. So, if you're not detecting this stuff, you're usually going to find it when an employee, or you, cannot work or cannot open a file. That's really where things are at today.

The difference between 15 or 20 years ago and now is that the ransom demands have increased, because cyber criminals have figured out how to monetize it even more. Instead of going after individuals, they go after large companies and corporations. They do this because they can encrypt far more files and far more computers, and can ask for a bigger demand. That doesn't mean the small attacks have gone away; it just means you're going to hear more about the bigger ones, because big businesses get more coverage in the media, especially when a big company goes down.

We saw this recently with the Los Angeles Unified School District, where the superintendent decided not to pay the ransom, and the attackers then started releasing student and teacher information on the dark web in the hope that the district would think twice and eventually pay. So, ransomware has evolved into double extortion.

Another way ransomware has evolved is specialization, with different groups cooperating on one attack. In the early days, a single group would get into your network and deploy the ransomware itself. Now different groups do the different things they are good at. One group is really good at breaking into networks, whether by phishing your employees or you, by brute-forcing exposed logins or by exploiting vulnerabilities, and that is all they do. The industry calls them initial access brokers.

Once they gain access, they sell that access to a ransomware operator who is very good at writing the ransomware software and deploying it quickly. The operator also makes sure everything is set up from a service standpoint: you get the instructions you need to pay the ransom, and you can contact their "support" if you need to talk to them or try to negotiate. This is all done by one entity, which then also helps you get your files decrypted.

How Does this Software End Up on my Computer?

It usually happens through a phishing link. Maybe you're still using peer-to-peer networks, or maybe you're downloading things from unknown or unsavory websites. You can also get it through brute-force attacks on exposed remote access services and through cyber criminals exploiting vulnerabilities in your network. Ultimately, it's the same result. You're put under time pressure to pay a ransom demand that can range from hundreds of dollars to hundreds of millions. The average ransomware payment experts see today hovers around $300,000. That figure is for businesses, and it typically takes a company north of 180 days to figure out somebody is even in their network, potentially getting ready to deploy ransomware.

Ransomware is a big problem for individuals and businesses! Our goal here is to bring awareness and educate you on what ransomware is. If you want to learn how to protect yourself, Xact IT has a slew of other videos on our YouTube channel that discuss how you can protect yourself from ransomware.

Another Important Point About Ransomware

The other important thing about ransomware right now is that operators still follow a very similar playbook: they encrypt your files, which makes them unusable, until you either pay them to unlock the files or go to your backups to recover your data.

Which of those works in your situation depends on a lot of things. Sometimes we see companies that restore from backups, and sometimes companies that pay the ransom to get their data back. But other times we see what is called double extortion ransomware. This is where your data is stolen, or exfiltrated, off your network before it is encrypted, and then the attackers say, "Hey, just so you know, we stole 100 gigs of your data, and if you don't pay the ransom we're demanding, we're going to release it to the public, to your clients, or to some entity you don't want it falling into the hands of." They use that as leverage, a scare tactic, to get you to pay.

Something else to mention is how ransomware impacts you and your business from a recovery standpoint. When businesses get hit, this is where a lot of them miss the mark: they think they can just pay the ransom and move on with life. We have seen this time and time again. Maybe they weren't given proper guidance from people who are trained to deal with this, and they just keep running the business on the same systems that were infected in the first place. There are a lot of reasons, but just know that if your computers or your network get hit with ransomware, you are more than likely going to be wiping those machines back to a factory state, or to the state they were in when you got them. Depending on what happened in your attack and how the criminals got in, you may well be replacing hardware completely.

This is a big deal! A lot of companies get reinfected with ransomware multiple times. Yes, that means a company gets hit two, three, four, five times. It's not just a one-time thing. If you don't handle things properly after the fact, you should plan on basically buying and installing all new equipment. So if you have 10 employees with 10 computers and maybe a server in your office, you are probably going to be buying 10 new computers and a new server to fully recover from this situation. Not a lot of people are aware of this when it comes to what ransomware is and what it can do to your business.

Today and In the Future of Ransomware

The reality is that ransomware is expensive to write and maintain as a software program. It's also expensive to make sure that when a company pays you for your criminal activity, you can actually decrypt those files and give them back. Because let's face it, if cyber criminals didn't give your files back when you paid, word would spread like wildfire and people would hesitate to pay at all if there were no real guarantee of getting their files back. So, for almost a decade now, cyber criminals have lived off the fact that they do give you your files back if you pay the ransom. This is a known thing among businesses that have been infected: they come out and say, "Hey, yeah, we paid the ransom and we got our files back, or at least some of them."

The business owner community fully understands, and believes, that if the ransom is paid they will get a good portion, if not all, of their data back. We're seeing a change in this, because that whole process of encrypting and decrypting is expensive for the criminals to build, run and maintain. When a flaw in their encryption is found and researchers can recover the keys, they have to rewrite their software with a new scheme to make sure nobody can decrypt this stuff for free, which would leave them with no leverage.

In short, that's what cybersecurity experts are seeing right now: a move away from the encryption methodology cyber criminals have used for the better part of a decade and a half, to a model where your data isn't really encrypted anymore, it's just corrupted. That means they don't have to run a decryption over the files on your system at all. They just give you back the copy of the files they exfiltrated originally, so you have them again. It's essentially like restoring from backup, except your backup is in the hands of the cyber criminals.

Ransomware as we know it today is still the most prevalent way for them to extort businesses. Moving into the future, and probably into 2023, we're going to see fewer of these encryption-type ransomware attacks. We're going to see more attacks that involve corrupting your data, and then you having to pay for the data they stole, or exfiltrated, from your systems in order to resume your company's operations.

If you have any questions about this, message us on social media or through our website. If you've seen this new form of ransomware, we'd also love to hear about it from your perspective, whether you dealt with it yourself or had any other experience with it. We hope this explained what ransomware is, gave you a little history around it, and showed what we can do moving forward to protect our companies and our own data.