The growing threat of ransomware

What is ransomware?

Ransomware is a real and growing threat. Although it has been around for many years, it is only more recently that ransomware has become more prominent. The release and rapid spread of the ransomware program Cryptolocker in 2013 was primarily responsible, although there are now a variety of imitators.

What is ransomware? As the name suggests, it is software that attempts to extort money from its victims, generally by encrypting their computer's files so they are inaccessible. It is normally spread by infected attachments to emails.

How does it work?

When ransomware such as Cryptolocker infects a machine, it starts encrypting files via public key encryption. The encryption key is obtained from a server controlled by the perpetrators, and the same server keeps the decryption key (the private key).

Once encryption of a computer's files is complete, Cryptolocker displays a message informing the user that their files have been encrypted, and demands a fee of 400 USD or Euro to restore the files. The fee must be paid using bitcoins or an anonymous pre-paid card, so it is untraceable. Once the fee is paid, the files are usually decrypted.

Do you have to pay?

What options does a user whose files have been encrypted by a program like Cryptolocker have? Unless they have an offline backup, the only realistic option is to pay the fee. There is no known way of decrypting the files without the decryption key. According to a University of Kent survey, 41% opt to do so.

Hospitals targeted

During 2016, ransomware incidents have become far more worrying. It is unpleasant for consumers to experience these kind of attackers, but it is disastrous when organisations such as hospitals are targeted. A number have paid ransoms for their data in recent months. One Los Angeles hospital paid almost $17,000 to retrieve their data.

Unfortunately, many public institutions such as hospitals use legacy software that is at greater risk of these kinds of attacks. They are also heavily reliant 24/7 on patient data, and so there is considerable urgency when it is encrypted via an attack.

Low risk high reward

The rewards for cyber-criminals can be substantial. ZDNet estimated that $27 million was extorted in the 100 days after Cryptolocker was released. Because ransoms are paid via anonymous payment systems such as bitcoins, it is almost impossible to catch those responsible. Ransomware servers are also difficult to trace, so the risk is minimal.

Given the risk-reward ratio, it seems inevitable that ransomware attacks will increase in the future.


How can such attacks be prevented? Apart from training user to be cautious with email attachments, there are practical steps Windows system administrators can take to prevent certain executables being run.

Most importantly, though, is the need for regular backups that are stored off-line. Ransomware only works because you are prevented from accessing your own data. If the same data can be rapidly retrieved from off-line backups, the situation is under control and no ransom need be paid.

Posted by John Faulds in