What Is Ransomware?
Ransomware is a specific and extremely harmful type of malware used by cybercriminals to extort money from individuals, organizations, and businesses. The infections block access to your data until you make a ransom payment, at which point you’re supposed to regain access.
In reality, nearly 40% of the victims who pay the ransom never get their data back and 73% of those that pay are targeted again later – which is why everyone must protect against ransomware.
Notorious Ransomware Types
- Bad Rabbit
Sodinokibi is allegedly distributed by attackers affiliated with those that distributed the infamous GandCrab ransomware. Sodinokibi avoids infecting computers from Iran, Russia, and other countries that were formerly part of the USSR. Sodinokibi uses an Elliptic Curve Integrated Encryption Scheme (ECIES) for Key generation and exchange (Elliptic-curve Diffie-Hellman key exchange algorithm). This ransomware uses AES and Salsa20 algorithms to encrypt session keys and user’s files respectively, AES is also used to encrypt network data that is sent to the control server. The ransomware generally demands around 0.32806964 BTC (≈ $2,500) to regain access to the encrypted files.In the News
Find out more about Sodinokibi on Acronis
- Over 20 Texas local governments hit in "coordinated ransomware attack"
- New ransomware targets US and European companies
- Dental Data Backup Firm Hit By Sodinokibi Ransomware Attack
GandCrab ransomware was discovered near the end of January 2018. It is distributed as part of Ransomware-as-a-Service (RaaS) and soon became the most popular and widespread ransomware. GandCrab is also the first ransomware that demands payment in DASH cryptocurrency and utilizes the “. bit” top level domain (TLD). This TLD is not sanctioned by ICANN and it therefore provides an extra level of secrecy to the attackers. GandCrab uses RSA-2048, AES-256 and RC4 encryption for encrypting AES keys and User’s data and Network traffic data respectively. The authors of GandCrab ransomware were very actively updating and releasing different versions of GandCrab to keep up with evolving security challenges. After a year of tremendous success for the attackers, they finally announced the shutdown of GandCrab operations around the start of January 2019. According to a post made on a hacker forum, GandCrab made $2 billion in total and the authors personally made around $150 million from the operation.Find out more about GandCrab on Acronis
Unlike many ransomware attacks, WannaCry was not spread by spam email. It became the fastest spreading attack – affecting 300,000 computers in more than 150 countries – by taking advantage of a vulnerability in Windows using an exploit leaked from the U.S. National Security Agency called EternalBlue.In the News
Remember that if you pay cybercriminals to regain access to your data, there’s no guarantee that you’ll get the decryption key. In fact, one report estimates that of victims who have paid the ransom, only 47 percent ever received the decryption key.Find out more about Petya on Acronis
Ryuk is allegedly linked to the state sponsored hacking group Lazarus and the earlier Hermes variant of ransomware. Unlike common ransomware strains that are distributed via massive spam campaigns and exploit kits, Ryuk is mostly used in targeted attacks. Ryuk’s earning crossed over $700,000 after just a few months of operation, indicating how successful their strategy has been. Ryuk uses process injection techniques to hide itself from AV solutions. Ryuk uses a three-tier encryption model where encryption keys are encrypted using RSA encryption and AES encryption is used to encrypt user’s files. Ryuk has infected very high-profile targets and demanded insanely huge ransom amounts, in the order of millions of dollars.In the News
Bad Rabbit Ransomware
Bad Rabbit is a variation of Petya (or GoldenEye) that hackers modified. Unfortunately traditional anti-virus solutions rely on “signatures” to identify ransomware, so if it’s a new strain it may not be recognized. That’s a problem since there’s a 400 percent growth in new strains each year.
Ransomware’s Connection to Cryptojacking
Cybercriminals are infecting Windows and Linux machines with malware that hijacks computing resources to mine cryptocurrencies without the user’s knowledge. Cryptojacking not only slows computer performance, increases energy costs, and damages hardware, the infection usually injects ransomware to maximize the malware’s profitability.
Thankfully, Acronis automatically detects and stops both ransomware and cryptojackers in real time – outperforming many leading endpoint cybersecurity solutions.
Our Cyber Protection Solutions Save Your Data
- For Home
True Image 2020
The world’s #1 personal cyber protection solution, independently proven to be the fastest, easiest to use, and most secure.
From £34.99Buy Now
- For Business
Delivering modern cyber protection for 20+ platforms, it’s the most secure solution for businesses of all sizes.
From £65Try Free for 30 Days
Don’t Be a Victim
How Acronis solutions safeguard your data, applications, and systems
- Detects Attacks
Using artificial intelligence, Acronis monitors your system in real time – examining the process stack to identify activities that exhibit behavior patterns that are typically seen in ransomware and cryptojacking attacks.
- Stops Encryption
If a process tries encrypting your data or injecting malicious code, Acronis immediately stops it and instantly notifies you that something suspicious was found. You can then block the activity or allow it to continue.
- Restores Affected Files
If any files are altered or encrypted before the attack is halted, Acronis Cyber Protection solutions will automatically restore those files from the backup or cache – almost immediately reversing the affects of any attack.
- Five Vectors of Cyber Protection
Modern cyber protection must ensure the safety, accessibility, privacy, authenticity, and security of all data (known as SAPAS). Only Acronis unifies all of the necessary technology – hybrid cloud, AI, encryption, and blockchain – into one easy, efficient, secure solution.
Securing the Industry
Proud member of AMTSO
As part of the Anti-Malware Testing Standards Organization (AMTSO), Acronis is helping to develop proper standards for testing security solutions, and we participate in tests that adhere to AMTSO’s standards
ML Contributor to VirusTotal
Membership in AMTSO allowed Acronis to contribute our Machine Learning engine to VirusTotal, enabling all users around the world to benefit from our technology’s ability to detect various online data threats.
“With the innovative features such as Acronis Active Protection against ransomware, we are implementing the strongest cyber protection on the market today.”
Looking for Help?
Frequently Asked Questions
- What is ransomware?
Ransomware is a type of malware used by cybercriminals to extort money from individuals, organizations, and businesses. While there are many ransomware types, a typical attack encrypts the victim’s data and then presents the user with a message that demands a ransom payment – usually in the form of digital currency like Bitcoin or Monero.
Once the ransom is paid, the criminals are supposed to provide a decryption key – although it’s important to note that nearly 40% of the victims who pay the ransom never regain access to their data.
- How to prevent ransomware?
Ransomware is commonly distributed by emails and infected websites. Most ransomware is distributed using a malware infection technique known as “phishing”, in which you receive an email that looks like it is from someone you know or trust. The idea is to trick you into opening an attachment or click on a link within the email, at which point the ransomware is injected into your system.
Being vigilant and avoiding suspicious links or attachments is the first defense, but cybercriminals are adept at fooling even the most guarded people. Having ransomware protection software defending your system is vital.
Unfortunately, traditional anti-virus solutions that look for known strains of ransomware cannot keep up with today’s ever-evolving threats. Whether you need ransomware protection for Windows 10 or Mac devices, be sure to use anti-ransomware technology that detects attacks based on suspicious activities, since behaviorally based defenses are much better at identifying and stopping zero-day attacks
- How to remove ransomware?
If you are the victim of ransomware, removal is difficult. You essentially have three options.
First, you can restore your system from a backup. You’ll need to ensure your backup hasn’t been tampered with, however, since new ransomware strains target backup files and backup software.
The second option is to reformat the hard drive, wipe out all the data (including the infection), and then reinstall the operating system and applications. Without a backup, however, you’ll lose all of your personal data and will still face the threat of future ransomware attacks.
Finally, you can pay the ransom and hope the decryption key works and your data will be restored. Just remember that 40% of those who pay never regain their data, so preventing an attack before damage is done is a much better approach.
- Who is behind ransomware?
Generally, those who develop and distribute ransomware are either organized crime groups or nation-state actors.
Organized criminals are motivated by extorting as much money as possible. Increasingly they distribute their malware as ransomware kits that anyone can use – even if they don’t have much technical expertise. This ransomware as a service (RaaS) model spreads their software rapidly. The criminals facilitate the payments, decryptions, and other operational requirements, and they take a percentage of the collected ransom.
Nation-states that rely on ransomware are generally rogue countries that are often under strict sanctions by the international community. Their use of ransomware is both to collect money from victims, and as a way to disrupt the economic, community, and governmental well-being of their rivals.
- How to decrypt files?
Given the wide array of ransomware families and the individual strains within those families, how you decrypt data following an attack varies.
In some cases, there are decrypting software packages available online for certain kinds of ransomware. They can be created either because the strain has been thoroughly studied since it appeared or because a researcher found a flaw in the encryption used by the criminals. If you can determine the type of ransomware that has encrypted your files, you can look to see if a decryptor is available.
In many cases, however, the popular ransomware strains have such strong encryption that decrypting files is not possible and, for the most part, there are no decryption options for modern ransomware families.
The better option is to restore your system from a secure backup – which recovers your files and, in the majority of cases, deletes the malware so you do not risk reinfection.
Ensuring you have a behavior-based ransomware blocker will also prevent future infections.