Malware

What is ransomware and how to help prevent ransomware attacks

The idea behind ransomware, a form of malicious software, is simple: Lock and encrypt a victim’s computer or device data, then demand a ransom to restore access.

In many cases, the victim must pay the cybercriminal within a set amount of time or risk losing access forever. And because the people on the other end are criminals, paying the ransom doesn’t guarantee that access will be restored.

Ransomware holds your personal files hostage, keeping you from your documents, photos, and financial information. Those files are still on your computer or mobile device, but the malware has encrypted them, so the data is unreadable without the decryption key the attackers hold.

While the idea behind ransomware may be simple, fighting back when you’re the victim of a malicious ransomware attack can be more complex. And if the attackers don’t give you the decryption key, you may be unable to regain access to your data or device.

Knowing the types of ransomware out there, along with some of the dos and don’ts surrounding these attacks, can go a long way toward helping protect yourself from becoming a victim of ransomware.

Types of ransomware

Ransomware attacks can be deployed in different forms. Some variants may be more harmful than others, but they all have one thing in common: a ransom. Here are seven common types of ransomware.

  • Crypto malware. This form of ransomware can cause a lot of damage because it encrypts things like your files, folders, and hard drives. One of the most familiar examples is the destructive 2017 WannaCry ransomware attack. It hit hundreds of thousands of Windows computers in more than 150 countries and spread by itself within corporate networks, exploiting a flaw in Windows file sharing (SMBv1) for which Microsoft had already issued a patch. Victims were asked to pay ransom in Bitcoin to retrieve their data.
  • Lockers. Locker ransomware is known for infecting your operating system to completely lock you out of your computer or device, making it impossible to reach any of your files or applications. Lockers typically block the screen rather than encrypting the files underneath, so data can often be recovered once the malware is removed. This type of ransomware is most often seen on Android.
  • Scareware. Scareware is fake software that acts like an antivirus or a cleaning tool. Scareware often claims to have found issues on your computer, demanding money to resolve the problems. Some types of scareware lock your computer. Others flood your screen with annoying alerts and pop-up messages.
  • Doxware. Commonly referred to as leakware or extortionware, doxware threatens to publish your stolen information online if you don’t pay the ransom. As more people store sensitive files and personal photos on their computers, it’s understandable that some people panic and pay the ransom when their files have been hijacked.
  • RaaS. Otherwise known as “Ransomware as a service,” RaaS is a business model rather than a single piece of malware. The ransomware developers run the infrastructure, from the payment portal to the decryptors (the software that restores data access), while affiliates who rent the ransomware handle distribution and infecting victims. The two sides then split the ransom.
  • Mac ransomware. Mac operating systems were infiltrated by their first fully functional ransomware in 2016. Known as KeRanger, this malicious software reached Apple users through a tampered installer of the Transmission BitTorrent client and encrypted its victims’ files after being launched.
  • Ransomware on mobile devices. Ransomware began infiltrating mobile devices on a larger scale in 2014. What happens? Mobile ransomware often is delivered via a malicious app, which leaves a message on your device that says it has been locked due to illegal activity.
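The thing all the encrypting variants above have in common is that they overwrite a victim’s files with ciphertext. A practitioner’s check that follows from that: a file whose header no longer matches its type, or an unknown file that has suddenly become near-random, has very likely been rewritten. The script below is an added example, not code from the original article or from any vendor; the magic-byte table and the sample files are constructed for the demonstration, and the 7.5 bits/byte threshold is an assumption you should tune on your own data.

```python
import math
import random
from collections import Counter

# Leading bytes ("magic") of a few common file types. Constructed for this
# example; extend it with the types that matter on your systems.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",  # OOXML documents are zip archives
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(filename: str, data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic for 'this file was overwritten with ciphertext'.

    Two signals are combined because neither is reliable alone:
      - a known type whose magic bytes are gone has almost certainly been rewritten;
      - for unknown types, near-maximal entropy is suspicious, but compressed
        formats (zip, jpg, png) are also high-entropy, which is why known
        compressed types are judged by their magic bytes instead.
    """
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    magic = MAGIC.get(ext)
    if magic is not None:
        return not data.startswith(magic)
    return shannon_entropy(data[:65536]) > threshold


def scan(files: dict) -> list:
    """Return the sorted names of files in {name: bytes} that look encrypted."""
    return sorted(name for name, data in files.items() if looks_encrypted(name, data))


def sample_files() -> dict:
    """Constructed sample set: two intact documents, one intact compressed image,
    one document whose header is gone, and one unknown file full of ciphertext."""
    rnd = random.Random(1)  # deterministic stand-in for ciphertext
    ciphertext = bytes(rnd.getrandbits(8) for _ in range(4096))
    return {
        "notes.txt": b"meeting notes: budget, hiring, roadmap\n" * 50,
        "report.pdf": b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >>\n" * 100,
        "photo.jpg": b"\xff\xd8\xff\xe0" + ciphertext,   # compressed but intact
        "invoice.pdf": ciphertext,                        # header gone: rewritten
        "archive.bak": ciphertext,                        # unknown type, high entropy
    }


if __name__ == "__main__":
    print(scan(sample_files()))  # expected: ['archive.bak', 'invoice.pdf']
```

Run this against a directory listing and you have a crude canary: a sudden jump in the number of flagged files is the signal that encryption is under way, which is also why defenders plant known “honey” files and alert the moment their contents change.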

The origins of ransomware

How did ransomware get started? While initially targeting individuals, later ransomware attacks have been tailored toward larger groups like businesses with the intent of yielding bigger payouts. Here are some notable dates on the ransomware timeline that show how it got its start, how it progressed, and where ransomware is now.

  • PC Cyborg, also known as the AIDS Trojan, in 1989. This was the first ransomware, released by AIDS researcher Joseph Popp. Popp carried out his attack by mailing 20,000 floppy disks to other AIDS researchers. Little did the researchers know, these disks contained malware that, after 90 reboots, hid the directories and scrambled the file names on the C: drive and then demanded payment by post.
  • GpCode in 2004. This threat encrypted victims’ personal files until they paid the ransom. Its early variants used weak, home-made encryption that could be broken; later versions switched to RSA with progressively longer keys.
  • WinLock in 2007. Rather than encrypting files, this form of ransomware locked its victims out of their desktops and then displayed pornographic images on their screens. In order to remove the images, victims had to pay a ransom with a paid SMS.
  • Reveton in 2012. This so-called law enforcement ransomware locked its victims out of their desktops while showing what appeared to be a page from an enforcement agency such as the FBI. This fake page accused victims of committing crimes and told them to pay a fine with a prepaid card.
  • CryptoLocker in 2013. Ransomware tactics continued to progress, especially by 2013 with this strain, which used strong public-key encryption and kept the private key needed for decryption on a remote server controlled by the attackers. These attacks infiltrated over 250,000 systems and reaped an estimated $3 million before being taken offline.
  • Locky in 2016. Locky ransomware used social engineering to deliver itself via email. When it was first released, potential victims were enticed to open an attached Microsoft Word document, thinking the attachment was an invoice that needed to be paid. But the attachment contained malicious macros. Later Locky campaigns moved to JavaScript files, which are smaller and could more easily slip past anti-malware products.
  • WannaCry in 2017. This encrypting ransomware behaved like a worm: once inside a network it spread from computer to computer on its own, with no user action, and disrupted businesses worldwide.
  • Sodinokibi in 2019. The cybercriminals behind this ransomware compromised managed service providers (MSPs) and used the providers’ remote-management access to infect the MSPs’ customers in bulk, including hundreds of dental offices in a single campaign.

Ransomware remains a popular means of attack, and continues to evolve as new ransomware families are discovered.

Who are the targets of ransomware attacks?

Ransomware can spread across the Internet without specific targets. But the nature of this file-encrypting malware means that cybercriminals also are able to choose their targets, and they use that ability to go after those who can, and are more likely to, pay larger ransoms.

Here are four target groups and how each may be impacted.

  • Groups that are perceived as having smaller security teams. Universities fall into this category because they often have less security along with a high level of file-sharing.
  • Organizations that can and will pay quickly. Government agencies, banks, medical facilities, and similar groups constitute this group, because they need immediate access to their files — and may be willing to pay quickly to get them.
  • Firms that hold sensitive data. Law firms and similar organizations may be targeted, because cybercriminals bank on the legal controversies that could ensue if the data being held for ransom is leaked.
  • Businesses in the Western markets. Cybercriminals go for the bigger payouts, which means targeting corporate entities. Part of this involves focusing on the United Kingdom, the United States, and Canada due to greater wealth and personal-computer use.

Dos and don’ts of ransomware

Ransomware is a profitable market for cybercriminals and can be difficult to stop. Prevention is the most important aspect of protecting your personal data. To deter cybercriminals and help protect yourself from a ransomware attack, keep in mind these eight dos and don’ts.

1. Do use security software. To help protect your data, install and use a trusted security suite that offers more than just antivirus features. For instance, Norton 360 With LifeLock Select can help detect and protect against threats to your identity and your devices, including your mobile phones.

2. Do keep your security software up to date. New ransomware variants continue to appear, so having up-to-date internet security software will help protect you against cyberattacks.

3. Do update your operating system and other software. Software updates frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.

4. Don’t automatically open email attachments. Email is one of the main methods for delivering ransomware. Avoid opening emails and attachments from unfamiliar or untrusted sources. Phishing spam in particular can fool you into clicking a legitimate-looking link that leads to a download of malicious code. The malware then prevents you from accessing your data, holds that data hostage, and demands ransom.

5. Do be wary of any email attachment that advises you to enable macros to view its content. Once enabled, macro malware can infect multiple files. Unless you are absolutely sure the email is genuine and from a trusted source, delete the email.

6. Do back up important data to an external hard drive. Attackers gain leverage over their victims by encrypting valuable files and making them inaccessible. If the victim has backup copies, the cybercriminal loses that advantage. Backup files allow victims to restore their data once the infection has been cleaned up. Disconnect the drive when the backup finishes: a backup drive that stays plugged in gets encrypted along with everything else. Keep backups protected or stored offline so that attackers can’t reach them, and test a restore now and then so you know the copies actually work.

7. Do use cloud services. This can help mitigate a ransomware infection, since many cloud services retain previous versions of files, allowing you to “roll back” to the unencrypted form. Be aware that a sync client will faithfully upload the encrypted copies too, so check how many versions your provider keeps and for how long before you rely on it.

8. Don’t pay the ransom. Keep in mind, you may not get your files back even if you pay a ransom. A cybercriminal could ask you to pay again and again, extorting money from you but never releasing your data.
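Item 5 above can be turned into an automated check. Modern Office documents (.docx, .xlsx, .pptx) are zip archives, and a document with macros carries a vbaProject.bin part inside that archive; the macro-enabled extensions (.docm, .xlsm, .pptm) are a second giveaway. The script below is an added example, not code from the original article; it inspects an attachment offline, and the minimal “documents” it builds for itself are constructed stand-ins, not real Word files. Legacy binary .doc/.xls files need an OLE parser to tell macros apart, so here they are only flagged for review (an assumption of this example, not a rule from the article).

```python
import io
import zipfile

MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.xlsx/...) container


def has_vba_project(attachment: bytes) -> bool:
    """True if an OOXML attachment carries a VBA project.

    Office stores macros as a vbaProject.bin part inside the zip container and
    declares it in [Content_Types].xml, so either indicator is enough.
    """
    if not attachment.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(attachment)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                return b"vbaProject" in zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        pass  # truncated or not a zip at all: no macro project found
    return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'macro', 'legacy-review', or 'clean' for one attachment."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext in MACRO_EXTENSIONS or has_vba_project(data):
        return "macro"
    if data.startswith(OLE_MAGIC):
        # Binary .doc/.xls can embed macros too, but telling requires an OLE
        # parser; this example just routes them to a human.
        return "legacy-review"
    return "clean"


def build_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for the example (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inbox: the classic "invoice" lure with and without macros.
    inbox = {
        "invoice_2019.docx": build_docx(with_macro=True),
        "agenda.docx": build_docx(with_macro=False),
        "invoice.docm": ZIP_MAGIC + b"...",
        "old_contract.doc": OLE_MAGIC + b"\x00" * 32,
        "readme.txt": b"plain text",
    }
    for name, data in inbox.items():
        print(f"{name:20} {classify_attachment(name, data)}")
```

A verdict of “macro” is the moment to stop and verify the sender out of band; a document that genuinely needs macros to display an invoice is almost never a real invoice.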

With new ransomware variants appearing, it’s a good idea to do what you can to minimize your exposure. By knowing what ransomware is and following these dos and don’ts, you can help protect your computer data and personal information from being ransomware’s next target.


Editorial note: Our articles provide educational information for you. Norton LifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.

Copyright © 2019 NortonLifeLock Inc. All rights reserved.
