Ransomware is a type of malware that can be covertly installed on a computer without the user’s knowledge or intention, restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction. In the cryptovirology form of the attack, the ransomware systematically encrypts files on the system’s hard drive, which become difficult or impossible to decrypt without paying the ransom for the decryption key. Other attacks may simply lock the system and display messages intended to coax the user into paying. Ransomware typically propagates as a Trojan, whose payload is disguised as a seemingly legitimate file.
While initially popular in Russia, the use of ransomware scams has grown internationally; in June 2013, security software vendor McAfee released data showing that it had collected over 250,000 unique samples of ransomware in the first quarter of 2013, more than double the number it had obtained in the first quarter of 2012. Wide-ranging attacks involving encryption-based ransomware began to increase through Trojans such as CryptoLocker, which had procured an estimated US$3 million before it was taken down by authorities, and CryptoWall, which was estimated by the US Federal Bureau of Investigation (FBI) to have accrued over $18m by June 2015.
Ransomware typically propagates as a Trojan, entering a system through, for example, a downloaded file or a vulnerability in a network service. The program then runs a payload, which typically takes the form of a scareware program. Payloads may display a fake warning purportedly by an entity such as a law enforcement agency, falsely claiming that the system has been used for illegal activities, contains content such as pornography and “pirated” media, or runs a non-genuine version of Microsoft Windows.
Some payloads consist simply of an application designed to lock or restrict the system until payment is made, typically by setting the Windows Shell to itself, or even modifying the master boot record and/or partition table to prevent the operating system from booting until it is repaired. The most sophisticated payloads encrypt files, many using strong cryptography in such a way that only the malware author holds the decryption key needed to recover the victim’s files.
Payment is virtually always the goal, and the victim is coerced into paying for the ransomware to be removed—which may or may not actually occur—either by supplying a program that can decrypt the files, or by sending an unlock code that undoes the payload’s changes. A key element in making ransomware work for the attacker is a convenient payment system that is hard to trace. A range of such payment methods have been used, including wire transfer, premium-rate text messages, online payment voucher services such as Ukash or Paysafecard, and the digital currency Bitcoin.
Ransom Prices and Payment
Ransom prices vary depending on the ransomware variant and the price or exchange rates of digital currencies. Thanks to the perceived anonymity offered by cryptocurrencies, ransomware operators commonly specify ransom payments in bitcoins. Recent ransomware variants have also listed alternative payment options such as iTunes and Amazon gift cards. It should be noted, however, that paying the ransom does not guarantee that users will get the decryption key or unlock tool required to regain access to the infected system or hostaged files.
Ransomware Infection and Behavior
Users may encounter this threat through a variety of means. Ransomware can be downloaded onto systems when unwitting users visit malicious or compromised websites. It can also arrive as a payload either dropped or downloaded by other malware. Some ransomware is known to be delivered as attachments to spammed email, downloaded from malicious pages through malvertisements, or dropped by exploit kits onto vulnerable systems.
Once executed on the system, ransomware can either lock the computer screen or, in the case of crypto-ransomware, encrypt predetermined files. In the first scenario, a full-screen image or notification is displayed on the infected system’s screen, which prevents victims from using their system; it also shows the instructions for paying the ransom. The second type prevents access to potentially critical or valuable files such as documents and spreadsheets.
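The second behaviour described above, mass encryption of a user's documents, leaves two observable traces on disk that a defender can look for: document files whose contents suddenly have the near-uniform byte distribution of ciphertext, and files that gain an extra extension appended after their original one. The following is an added illustration (written for this page, not code from any product or project mentioned here) of a small snapshot scanner that scores a directory on both signals. All names (`shannon_entropy`, `classify_file`, `scan_snapshot`, the `.locked` suffix and the sample files) are constructed for the example; the thresholds are assumptions, not values from the text.

```python
import math
import random
import re
from collections import Counter

# Plain-text document types whose healthy content has low byte entropy.
# Compressed formats (docx, pdf, zip, jpg) are already high-entropy and
# would need a different signal, so they are deliberately excluded here.
LOW_ENTROPY_EXTENSIONS = {".txt", ".csv", ".log", ".md", ".xml", ".json", ".sql"}

# Bits per byte above which a "text" file looks like ciphertext (assumed threshold).
ENTROPY_THRESHOLD = 7.0

# A second extension appended after a known document extension,
# e.g. "budget.csv.locked" (constructed pattern, not tied to a specific family).
APPENDED_EXT = re.compile(r"\.(txt|csv|log|md|xml|json|sql)\.[a-z0-9]{2,12}$", re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 at most."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_file(name: str, data: bytes) -> list:
    """Return the list of ransomware-style indicators that apply to one file."""
    indicators = []
    lower = name.lower()
    if APPENDED_EXT.search(lower):
        indicators.append("appended-extension")
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    if ext in LOW_ENTROPY_EXTENSIONS and shannon_entropy(data) > ENTROPY_THRESHOLD:
        indicators.append("high-entropy-text")
    return indicators


def scan_snapshot(files: dict) -> dict:
    """Score a {path: contents} snapshot; alert when half or more of the documents look encrypted."""
    suspects = []
    document_count = 0
    for path, data in files.items():
        lower = path.lower()
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        is_document = ext in LOW_ENTROPY_EXTENSIONS or APPENDED_EXT.search(lower) is not None
        if not is_document:
            continue  # images, archives etc. are not scored by this simple scanner
        document_count += 1
        indicators = classify_file(path, data)
        if indicators:
            suspects.append((path, indicators))
    ratio = len(suspects) / document_count if document_count else 0.0
    return {
        "document_count": document_count,
        "suspects": sorted(suspects),
        "ratio": ratio,
        # Two or more suspect documents making up at least half the set is the alert condition.
        "alert": len(suspects) >= 2 and ratio >= 0.5,
    }


# Constructed sample snapshot: two healthy documents, one document encrypted in
# place, one document renamed with an appended extension, and one unscored image.
_rng = random.Random(1234)
SAMPLE_SNAPSHOT = {
    "docs/readme.txt": b"Quarterly planning notes for the finance team.\n" * 20,
    "docs/budget.csv": b"item,amount\nrent,1200\npower,85\n" * 30,
    "docs/notes.txt": _rng.randbytes(2048),         # stands in for ciphertext
    "docs/q1.json.locked": _rng.randbytes(2048),    # renamed and encrypted
    "docs/photo.jpg": _rng.randbytes(512),          # high entropy is normal here
}


if __name__ == "__main__":
    result = scan_snapshot(SAMPLE_SNAPSHOT)
    for path, why in result["suspects"]:
        print(f"{path}: {', '.join(why)}")
    print(f"alert={result['alert']} ({len(result['suspects'])}/{result['document_count']} documents)")
```

Running the block flags `docs/notes.txt` (encrypted in place) and `docs/q1.json.locked` (appended extension) and raises the alert, while the image is ignored because high entropy is normal for it. In practice a monitor of this kind would run on periodic snapshots or file-system events and compare against a known-good baseline; the entropy test alone is prone to false positives on compressed formats, which is why the example restricts it to plain-text document types and pairs it with the extension signal.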
University of Calgary hands over $16,000 in ransomware attack
The University of Calgary has become the latest victim in a recent string of ransomware attacks. According to a statement released Wednesday morning, University computer systems were affected for 10 days while the IT team worked to remedy the issue. Ultimately, the University paid around $16,000 ($20,000 Canadian) to recover its data, with no guarantee that it was even possible to restore it.
“Ransomware attacks and the payment of ransoms are becoming increasingly common around the world,” the University’s VP of Finance and Services Linda Dalgetty wrote in her statement. “The university is now in the process of assessing and evaluating the decryption keys. The actual process of decryption is time-consuming and must be performed with care. It is important to note that decryption keys do not automatically restore all systems or guarantee the recovery of all data. A great deal of work is still required by IT to ensure all affected systems are operational again, and this process will take time.”
The University also says it is working with Calgary Police to investigate the hack, although other such investigations have come up empty handed in the past. Regarding the payment, Dalgetty told the Globe and Mail, “We are conducting world class research daily and we don’t know what we don’t know in terms of who’s been impacted and the last thing we want to do is lose someone’s life’s work.” (That’s work like building neurochips out of silicon and human brain cells, or creating one-handed iPhone gestures, by the way.)
In another recent case, Kansas Heart Hospital paid “a small amount” in ransom money, only to have the hacker turn around and ask for even more cash. In May, a ransomware attack on the United States Congress was thankfully averted. And on one slightly reassuring note, the hackers behind the original “uncrackable” TeslaCrypt ransomware virus released the keys that would allow anyone affected to retrieve their data.