What is ransomware and how can you defend yourself from an attack?

Nowadays, criminals not only take people but also data and devices hostage to extort a ransom — using ransomware. Read on to learn exactly how ransomware works, how to detect and remove ransomware, and what you can do if you’re a victim. Also discover tips on what precautions you can take and how you can strengthen your defenses against ransomware, such as by using a cybersecurity solution like Avira Free Security. 

How does ransomware work?  

Ransomware, also referred to as blackmailing Trojans, is a type of malware — or more precisely, a specific form of Trojan. It prevents access to files or even the entire computer until the victim pays a ransom. Ransomware encrypts specific or even all files, and can lock the screen so the user can’t access the system. Ransomware victims are told to pay up — often in cryptocurrencies — to regain access to their computer or files.  

If they don’t, cybercriminals typically threaten to permanently delete the files and/or publish them online at a date of their choosing. But even paying the ransom is sadly no guarantee that the victims will receive the key to unlock or decrypt their files. That’s because honesty is not necessarily at the forefront of thieves’ minds…   

Ransomware is one of the biggest cyberthreats ever, causing billions of dollars in damage every year. Ransomware is constantly evolving, and new types, families, variants, and strains with their own signatures and functions are emerging all the time. Attacks are becoming more and more sophisticated and complex — and you can now also be a victim of even multiple blackmail attempts. Worse still, cybercriminals are increasingly offering ransomware-as-a-service (RaaS) options on the dark web. This means that even criminals without any technical knowledge can perform ransomware attacks.  

The first documented case of ransomware was the AIDS Trojan of 1989. The evolutionary biologist Joseph L. Popp sent 20,000 diskettes labeled “AIDS Information — Introductory Diskettes” by mail to participants of the WHO’s international AIDS conference. But they were infected with a Trojan that encrypted the files on the user’s computer. To decrypt the files and regain access, victims had to mail $189 to a post office box in Panama. Dr. Popp was arrested but declared unfit to stand trial after he began walking around with a cardboard box on his head.  

Nowadays, ransomware is no longer distributed by floppy disk but mainly online. However, ransomware can also be hidden on USB sticks and can still reach potential victims via the mail. 

Hard-hit industries and ransomware examples  

In principle, ransomware can be used against any private individual, organization, or company. Not only large corporations but also small- and mid-sized companies are targeted, as they’re often comparatively less well protected. The most common targets include national and local government agencies; educational, financial, and healthcare institutes; IT and technology providers; manufacturers and industrial companies; and retail and service providers. 

Confidential and sensitive data is particularly lucrative for ransomware attackers because victims are desperate to get it back. This makes health insurance companies, hospitals, and health ministries, among others, popular targets. In the attack on the Irish National Health Service in 2021, the criminal gang Wizard Spider shut down all services and reportedly demanded $20 million to restore them. This brought down virtually every network, and in some areas up to 80% of medical appointments were canceled.    

In 2021 again, the ransomware gang REvil compromised the network of the Taiwanese PC manufacturer Acer, demanding one of the highest ransoms of all time: $50 million. However, nobody knows if Acer paid up.  

In 2022, Costa Rica was the first ever country to be forced into calling a national emergency in response to a massive combined ransomware attack on almost 30 state institutions. The ransomware group Conti demanded $10 million (later increased to $20 million). The incident hugely impacted foreign trade, paychecks, tax and customs systems, and government spending. The government did not pay, so most of the stolen data ended up on the dark web. 

What types of ransomware are there?  

Each type of ransomware behaves slightly differently, but broadly speaking it can be divided into two categories:  

1. Locker ransomware: Non-encrypting, screen-locking ransomware
2. Crypto ransomware: Encrypting ransomware

Hybrid ransomware attacks are now also being carried out, combining both types or adding additional malware and hacking methods. These can include backdoor functions to control the infected device remotely or leakware to exfiltrate data. 

While access to the system or data can be restored after a ransom is paid (at least in theory) in a ransomware attack, this isn’t the case with whippers — also known as destructive malware. These only aim to destroy data and you can’t always tell them apart from ransomware at first. This was the case with NotPetya, which was similar to the ransomware variant Petya (hence the name). It demanded a ransom, but displayed a randomly generated Bitcoin address and so it wasn’t possible to pay it.  

Locker ransomware 

Locker ransomware is also called a desktop blocker (or blocker for short). As its name implies, it locks the infected system by restricting or disabling access to the operating system or certain system functions. 

To do this, the locker ransomware changes the operating system settings or starts a special application that places a window with a ransom demand across the entire desktop. The overlay window is often designed so it’s not easy to close or bypass, leaving the user with no way to access programs or controls such as the taskbar or Start menu.  

MBR ransomware  

With this rather rare variant, which is also known as bootlocker ransomware, the ransomware also blocks access to the system, but the difference is that it does so by overwriting, manipulating, or encrypting the master boot record (MBR) — the part of the hard drive that enables the operating system to start. This means that the ransom note appears during the computer startup process before the operating system loads.  

The ransomware variant RedBoot not only did that but also encrypted all the files. MBR ransomware can also be used in conjunction with other ransomware techniques, resulting in multi-layered attacks that are more difficult to fix. 

Crypto ransomware 

This encrypting ransomware, also referred to as a crypto Trojan, CryptoLocker, or encryption Trojan, is generally the more common of the two main ransomware types. Here, advanced encryption algorithms are used to block files or entire folder structures and drives. Victims usually find a text file with instructions for payment in the folder of files to which they no longer have access. 

Whereas older ransomware strains only encrypted certain files such as system files or personal files, more advanced ransomware can not only manipulate the MBR but also encrypt the master file table (MFT) — the hard drive’s file system table. This allows it to block access to all files and the operating system, just like the Petya ransomware did. 

Multiple blackmail attempts through leakware and the like 

In the case of single extortion the files are “only” encrypted, whereas in double extortion they are also copied and stolen. In this case, there is also a threat to publish the stolen data. This can include companies’ sensitive data or private individuals’ intimate files. This type of ransomware is also known as leakware or doxware. While in its earlier form it could only steal data and not encrypt it, today it can often do both.  

Triple extortion takes things a step further and uses a third threat. This can include an ultimatum to use the stolen data to blackmail the customers, business partners, or patients in question. Either that, or the blackmailers contact the victims directly and threaten to publish the data. Depending on the content of the stolen data, the blackmailers may expand the scope and scale of their threats (multiple extortion).  

As a fourth vector (quadruple extortion), a DDoS attack can be launched to prevent the websites from being accessible, dialing up the pressure even further.  

Mobile ransomware 

Android devices like smartphones and tablets can also get infected with ransomware, such as through drive-by downloads, fake updates, phishing attacks, malicious game plug ins, or infected apps. Typically, this involves screen locker ransomware since it’s relatively easy to restore a smartphone’s data, such as via a cloud backup, if it does get encrypted. However, the ransomware variant DoubleLocker is doubly dastardly — changing the device’s PIN and also encrypting all the data on the smartphone. 

By contrast, iPhone users are lucky since currently no ransomware for iOS exists. However, cybercriminals can pretend and use scareware to simulate a ransomware attack without actually blocking access to the device’s data or files. 

How do ransomware attacks work? 

A ransomware attack can be divided into different phases, which can vary depending on the ransomware variant and attack method. Ransomware can also become active with a delay and remain in dormant mode for weeks or months once the device is infected, such as to strike at a specific time or to be used in a coordinated attack. 

Ransomware attacks may comprise additional or fewer steps, or happen in a different sequence, but in general they work like this:  

Infection/infiltration: The first phase, also called the “initial access” phase, consists of penetrating the target system. This can be done in different ways, as we’ll explain in more detail in the next section. 

1. Installation and execution: Following infiltration, the ransomware performs its malicious actions on the infected system. This often involves downloading and executing malicious code designed to encrypt files or compromise the system. 
2. Spread: The ransomware attempts to spread and infect other systems on the network, which is also known as lateral movement or lateral spread. This can include devices such as USB sticks and external hard drives, as well as network drives and cloud storage services that synchronize their online storage with local folders.
3. Encryption & exfiltration: The ransomware now searches for valuable data or certain file types, such as documents, images, or databases, and encrypts them with a strong encryption algorithm. This makes the files unreadable and unusable for the user. Prior to encryption, data can also be exfiltrated, meaning copied and exported, to double blackmail the victim, as described above. 
4. Ransom demand: Once the files have been encrypted or the device has been locked, the victim is presented with a ransom demand. This can be done via a message on the infected system’s screen or through a text file that gives victims instructions on how to pay the ransom. Often a deadline is set, by which time the ransom must be paid to get the files back.
5. Payment and decryption (if you’re lucky): If the victim is willing to comply with the demands, they sometimes (but not always!) receive a piece of software or a key in the form of a code once they’ve paid up. The files can then be decrypted or the system unlocked using this software or key.  

How does ransomware infect a computer or system? 

Although ransomware is not a virus, it can get onto your computer in the same ways as viruses and other types of malware. The protective steps you can take are also more or less the same. Learn in detail how to protect yourself from ransomware attacks further on in this article. But before that, let’s explore some common infection methods. 

Common infection methods: 

• Social engineering: This type of social manipulation involves cybercriminals attempting to trick their victims into downloading malware such as ransomware or revealing sensitive data through targeted deception means. In the case of social engineering, various methods and strategies are used, such as phishing or scareware. Both forms of attack often use horrific scenarios to get the user to take a desired action.  

• Scareware: Whereas phishing attacks are usually performed via emails and websites, scareware usually appears in the form of pop-ups, which look like messages from the operating system or antivirus protection solution. These tell you about an issue that can supposedly be resolved by doing something, but instead leads to a problem — potentially a ransomware infection. Scareware emails are super sneaky, frightening users by employing empty threats to either extort money or inject ransomware via an infected link. 

• Malicious email attachments in spam and phishing emails: These malicious attachments in emails that appear to come from trusted senders can have various formats, such as ZIP files, EXE files, PDFs, Word documents, Excel spreadsheets, and so on. The ransomware variant CryptoLocker, for example, used this approach and at the same time wreaked havoc in a P2P file-sharing network — as did the ransomware variant TorrentLocker. You’ve been warned. 

• File sharing services: Attackers can also use file sharing services like Dropbox or Google Drive to spread ransomware, such as by sharing infected files via links or uploading ransomware files to shared folders. The ransomware group Petya, for example, used a Dropbox download link in a job application email to gain access to computer systems.  

• Infected URLs/linked malware: Malicious links can be found in emails, social media posts, and even text messages, leading to ransomware-infected websites or to the download of ransomware.  

• Drive-by downloads: Cybercriminals can set up their own websites with malicious code as well as compromise and manipulate trusted websites. As soon as you visit such a website, the ransomware is downloaded automatically as you pass by. The ransomware variant Bad Rabbit, for example, was introduced via a fake Adobe Flash Player installation file — what’s known as a dropper. Often this is also used for malvertising — a type of online advertising that can contain malicious code that leads to a drive-by download or redirects the user to a malicious website.  

• Malicious downloads: The user takes action and unknowingly downloads fake software containing ransomware from a supposedly reputable provider. Unlicensed software or pirated copies can also be infected, as the example of the STOP/DJVU ransomware family has shown.  

• USB sticks: Criminals sometimes use USB sticks to spread ransomware by mailing them disguised as promotional gifts or “losing” them in places where someone is guaranteed to find them. 

• Security vulnerabilities in programs and operating systems (exploits): Often, undiscovered or unpatched vulnerabilities in programs, operating systems, and cloud platforms are exploited to introduce ransomware. The ransomware variant WannaCry, for example, used a Windows security vulnerability as a gateway. 

How can you protect yourself from ransomware? 

Fortunately, you can protect yourself from ransomware by taking a few precautions and using an antivirus protection solution to better shield yourself from the most popular entry points. The solution also helps you detect and remove ransomware. 

Follow these tips to stay one step ahead of cyberblackmailers:  

1. Back up your data regularly
   When it comes to protecting against ransomware, it’s essential you back up your system on a regular basis. That’s because once your data is backed up, attackers can no longer blackmail you — it’s that simple. The best way is to use an external hard drive and the integrated Windows backup tool or Time Machine for Mac and/or a cloud storage service such as Windows OneDrive or Apple iCloud. Make sure your storage device is disconnected from the network by default as a ransomware infection can spread throughout the network.  

2. Update your operating system and programs regularly
   Since ransomware infections can also occur as a result of security vulnerabilities in operating systems and programs, you should update them regularly. That’s because updates often include patches that address these vulnerabilities. A software updater can come in really handy, taking the hassle out of searching for new updates from a reliable source. This way you can ensure that only “clean” updates reach your PC.  

3. Use an antivirus protection solution
   In addition to a firewall, a powerful antivirus protection solution provides improved protection against ransomware attacks on multiple levels — especially if your cybersecurity solution has the following features, just like those you get with Avira Free Security or Avira Prime. 

• • Ransomware protection: The free all-in-one solution Avira Free Security features cloud-based real-time protection to detect known online threats based on an analysis of the virus signature. Suspicious files are compared with Avira’s extensive ransomware database in the Avira Protection Cloud and blocked if there’s a match. 
  • Advanced ransomware protection: Avira Prime also performs a heuristic and behavior-based analysis. The former looks at certain characteristics, properties, or behaviors of programs and files to detect and prevent potentially malicious activities. The latter goes one step further, looking at the actual behavior of programs or files during their execution. This allows unusual actions that are typically initiated by ransomware, such as the encryption of files, to be detected and blocked. Thanks to this, new, previously unknown ransomware variants and mutations can also be discovered and blocked. 
  • Web protection: The free browser extension Avira Browser Safety and the web protection feature integrated into Avira Prime for Windows take your protection to a whole new level against harmful downloads, infected websites, and malicious online ads. Avira Prime for Windows also features mail protection. It allows you to check your emails for dangerous links and attachments infected with ransomware or other malware. You can also use it to scan USB sticks, external hard drives, and files stored in the cloud. 

4. Protect your mobile devices from ransomware too
   With Avira Antivirus Security, you can also improve the protection of your Android devices from malware such as ransomware and enjoy many other free features. In addition to antivirus protection, the solution includes a VPN so you can encrypt all the data you send and receive online over unsecured public Wi-Fi hotspots and surf more securely.
   Avira Mobile Security for iOS also includes a VPN and other useful features. The Pro version of both apps also offer web protection, so you can strengthen your defenses against malicious websites and phishing attacks. 

5. Stay on your guard

• • Never open email attachments if you do not know if the source is trustworthy. Among the steps you can take, check if the sender’s email address is correct by hovering over it with your mouse pointer. Read here to learn which other tell-tale signs will help you spot phishing emails. 
  • Be careful with links in messages, emails, or social media — and be on the safe side and check links. It’s better to check too many times than too few.   
  • Never connect USB sticks to your device if you do not know where they came from.   
  • Only download software or media files from verified sources.   

How should you respond to a ransomware attack? 

If you’ve been the victim of a ransomware attack and you don’t have a backup of your computer, the first thing to do is to stay calm and not do anything rash. 

Follow these steps: 

• Do not pay: If you’re the victim of a ransomware attack, never give in to the blackmailers’ demands. On the one hand, there’s no guarantee that they’ll actually decrypt your data or your system after payment and, on the other hand, further demands could follow.  
• File charges: Take a photo of the message from the blackmailers and contact your local police station. 
• Search the internet for decryption tools: Using special decryption tools and a bit of luck, your data can possibly be decrypted and recovered. Check out the website No More Ransom Project or other similar sites where you’ll find keys and decryption tools for many different ransomware variants as well as corresponding how-to instructions. There, you can also upload the ransom demand or your files to detect the ransomware variant. This may help identify the ransomware and check whether a decryption solution is available. 
  There are also other reputable websites that provide decryption tools and/or information about the file names of the ransom demand and the file extensions of the encrypted files to determine the ransomware variant.  

How do you detect and remove ransomware? 

Unfortunately, ransomware is usually impossible to detect until it has attacked, making it difficult to remove. Once it has struck, we’re sorry to say that your only option is to go through the above steps.  

However, a good antivirus protection tool will proactively help you detect not only ransomware but also other malware early on and prevent these nasties from completing their dastardly deeds. Avira’s real-time protection, for example, continuously monitors your system in the background. If it detects a suspicious file or activity, it blocks access or execution automatically. It’s also worth scanning your system regularly to detect and remove ransomware before it can wreak havoc.  

The all-in-one protection solution Avira Free Security also includes a software updater to close security holes, as well as the Avira Browser Safety extension to strengthen the protection of your online activities. This way, you can shield yourself better against ransomware attacks on multiple levels.