Ransomware

  • Fabian Sinner
  • May 2, 2023

    Ransomware: A Tool for Cyber Blackmail

    Blackmail by anonymous cybercriminals is an acute threat to companies of all sizes. Hackers also target administrations and government authorities. Only a comprehensive approach to IT security can offer reliable protection against the pervasive danger posed by ransomware.

    What is ransomware?

    The word “ransomware” is a portmanteau that combines the words “ransom” and “software”. It follows that ransomware is a type of malicious software (malware) criminals use to access data or entire networks in order to block access by legitimate users. Network data is either encrypted or moved to a password-protected area so the attackers can extort ransom payments from the network owner.

    Criminals often demand ransoms in the form of cryptocurrencies such as Bitcoin to cover their digital tracks. The problem for cyber-blackmail victims is that there’s no guarantee that the perpetrators will restore network access, even if the ransom is paid.

    Crimes committed with the help of ransomware are considered to be cybercrime.

    What types of ransomware are out there?

    There is no single definition for ransomware because individual variants can differ greatly in complexity. That said, ransomware typically works in two ways:

    Access blocking

    In most cases, unsophisticated technology is behind the blackmail attempt. This means the targeted data is not encrypted; instead, the malicious program inserts a digital lock that makes further access impossible. In some cases, IT specialists can open the access lock without the perpetrator’s cooperation.

    In such attacks, the perpetrators often pretend to be a security authority. Logos and formal-sounding language are used to give the target the impression that the hostile network takeover is legal.

    The unsuspecting targets don’t recognize the blockage as a criminal act, pay the “fine”, and don’t report the seemingly legitimate transaction to the police.

    Data encryption

    The more “professional” ransomware attacks encrypt data within the hijacked network. This is why these attacks are said to use “crypto-ransomware”. This type of malware is usually more dangerous, since decrypting the data without the attackers’ key is more complex or even impossible.

    In the worst cases, the perpetrators don’t restore the data after the ransom payment is made, and the data is lost.

    Known examples of ransomware

    • UmbreCrypt
    • Ryuk
    • WannaCry
    • GandCrab

    How does ransomware enter a system?

    The blackmailer’s software usually enters networks via infected attachments or when a user clicks on a seemingly harmless link in an email, which initiates a download. Once the attackers have a foothold on the system, the remaining malware is downloaded to the computer in the background and the program searches for weak points (vulnerabilities it can exploit).

    Many forms of malware can spread to an entire network from a single infected computer, so even small vulnerabilities can have severe consequences. Ransomware that can delete existing system backups is particularly dangerous.

    How should victims react to a ransomware attack?

    • Ignore the ransom demand
    • Report the attack to the responsible police authority
    • Search for support (e.g., at nomoreransom.org)
    • Review possible courses of action: e.g., recovery from backups, or removing the access lock with decryption tools

    As a rule, authorities such as the Cybersecurity & Infrastructure Security Agency (CISA) in the U.S. and federal law enforcement agencies advise against reacting to blackmail attempts by paying the ransom, because payment guarantees neither that the data will be decrypted nor that the systems or data will no longer be compromised.

    This means the core problem remains present for the ransomware victims – on top of the financial damage they incur by paying the ransom. The British National Cyber Security Centre and the British government raise another important point: paying the ransom only supports a growing criminal business model.

    Since many attacks are offered as a service (cybercrime as a service), every successful blackmail campaign motivates the expansion of the ransomware market.

    Generally, cybercriminals choose their ransom amount wisely. They set a sum they think the victim can afford. This provides a strong incentive for the targeted organization to make a quick payment without having to involve law enforcement agencies or expensive IT experts. This is exactly what the perpetrators want.

    Ransom payments are liable to prosecution under U.S. law

    Victims of a ransomware attack often feel they should simply pay whatever the hackers demand. But this approach could end badly if the company is subject to U.S. law. In October 2020, the U.S. Treasury Department warned that victims who respond to ransom demands may themselves be liable to prosecution.

    The same applies to third parties such as financial institutions, cyber insurance companies, and companies involved in digital forensics and incident response.

    The threat of prosecution doesn’t just apply to the payment of a ransom for hard-disk encryption. It can apply to any extortion payment, such as in the case of DDoS extortion.


    High fines and imprisonment possible

    As a matter of principle, ransom payments require the approval of the Office of Foreign Assets Control (OFAC). The reason why victims can be criminalized is that ransom payments often go to states or persons against which sanctions or embargoes have been imposed, such as Syria, North Korea, Iran, Cuba or the Crimea, or to the known authors of the ransomware families Cryptolocker, SamSam, WannaCry, and Dridex.

    The U.S. Treasury Department explains the guidelines in its Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments:

    “Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks.”

    Failure to comply with sanctions could result in heavy fines and long prison sentences. Anyone who reports attempted extortion before an illegal ransom payment is made can hope for a significantly reduced penalty. However, an “independent, prompt and complete report” of the incident is required.

    Who is behind ransomware attacks?

    The offer of compact, easy-to-deploy, and scalable ransomware kits makes it possible for more and more criminals, who themselves do not have sound IT knowledge, to launch an extortion scheme. Unfortunately, anyone searching for such offers no longer has to go all the way to the darknet.

    Source code with accompanying instructions can also be found on the publicly accessible Internet (Clearnet) – for example, on the developer platform GitHub.

    It’s not unusual for personal conflicts to be carried online by hiring cybercriminals. Anyone who searches the web using the term “Cybercrime as a Service” can find programs and instructions, provided they can locate the relevant marketplaces.

    The illicit service is often paid for by giving the malware seller a share of the extorted ransom. There’s even an established affiliate system through which several groups of offenders – programmers, operators, and encrypters – share the loot.

    Covid-19 pandemic increases risks for SMBs

    Ransomware attacks have seen a great upswing during the Covid-19 pandemic. Europol’s Cybercrime Report released in October 2020 notes that this trend has been noticeable in Europe since March 2020. In recent months, ransomware blackmailers have been targeting SMBs at an increasing rate, possibly because IT security in SMBs is often less sophisticated, and therefore more vulnerable, than that of large companies.

    As a result, long outages or damage that could threaten their existence are more likely. For these reasons, the incentive to quietly pay the demanded sum may be even stronger than for cyber-resilient companies.

    The operators of critical infrastructure are particularly at risk of cyberattack. For this reason, separate legal requirements for IT security apply to them.

    Strategic attacks on the rise

    Instead of spreading infected mails and files widely, criminals are choosing their victims carefully and using more complex malware. This development confirms that the cyber blackmail business is run by professionals and is so profitable that they’re willing to risk higher penalties.

    According to the German Federal Office of Criminal Investigation (BKA), there is a specialization that is rightly a cause for concern: Double Extortion. In this type of attack, before the encryption and ransom demand take place, sensitive business and private information of one or more targeted persons is located and stolen.

    Only then is the actual ransomware attack carried out. The perpetrators threaten to publish the sensitive data, thus increasing the pressure on the victim to pay the ransom as quietly as possible.

    USA and Germany are popular victims

    A global study of cybersecurity by Sophos shows that U.S. and German companies are more likely than average to be infected by ransomware. In the U.S. and Germany, 59% and 57% respectively of IT managers reported that they were victims of a ransom attack.

    Emails with malicious links and file downloads are the number-one attack vector (29%). However, it’s not only companies that are struggling with the growing threat of blackmail attacks; private individuals are also victims. The attackers’ goal with the latter is to encrypt personal images and documents.

    Cities and utilities come under fire

    The perpetrators’ greed for profit is reflected in their targets. Entire cities are being paralyzed by ransomware attacks: in July 2019, Lake City in Florida was attacked and, after a 14-day outage of its administrative systems, paid half a million U.S. dollars to its blackmailers.

    In the same month, City Power, the electricity supplier of the South African city of Johannesburg, fell victim to ransomware. The attack had far-reaching consequences for the city’s power supply. In February 2020, an American gas pipeline operator was attacked, although the firm was not named in the press.

    Nevertheless, it is known that the company was forced to shut down its facilities for two days. In this case, an e-mail was the entry point for the malware.

    In Germany, the Duesseldorf University Hospital fell victim in September 2020 to a ransomware attack using DoppelPaymer. The ransomware invaded 30 servers, crashed systems, and forced the hospital to turn away emergency patients.

    As a result, according to German authorities, a woman in a life-threatening condition was sent to a hospital 20 miles away and died from treatment delays. According to the Ministry of Justice, the trail led to a Russian hacker group.

    Only a month later, the German company Software AG reported another case, in which the perpetrators demanded a record sum of 20 million U.S. dollars. The hackers published stolen data online after negotiations failed.


    Sources mentioned:

    • Banking & Financial Services Cyber Threat Landscape Report, Intsights, April 2019
    • National Situation Report on Cybercrime 2019, BKA, September 2019
    • Internet Organised Crime Threat Assessment (IOCTA) 2020, Europol, October 2020
    • The State of Ransomware, Sophos, May 2020