What is Ransomware? Ransomware Examples & Trends in 2024

Gridinsoft Cyber Security

» Ransomware

What is Ransomware?

July 27, 2024

It is likely the worst nightmare to discover that files on your PC are encrypted. You were checking your mailbox and clicking on the attached files to see what they contained. The strange file, which had nothing but offered to enable macros, was not looking suspicious. But suddenly, less than 15 minutes after you open that document, you see that all files on your PC have strange extensions, and at least one readme.txt file is inside each folder. How did it happen?

The short definition of ransomware is hidden in its name, just like in many other viruses. “Ransom software” is a program that injects into your computer, encrypts your files, and then asks you to pay the ransom to get your files back. Some examples of ransomware can threaten their victims that they will delete your files or publish some sensitive data if you do not pay the ransom. While the first hazard is a 100% lie, the second thesis can be real since ransomware is often spread with spyware or stealers.

Various ransomware examples use different encryption methods. AES-256 and RSA-1024 encryption principles are used in most cases, but you can sometimes meet the standards using RSA-2048. The number in the end primarily means the degree you need to bring two to get the number of possible keys. Even in the case of AES-256, the number of keys is a 78-digit number. Can you brute force it? Maybe, if you have spare 2 million years. Or a quantum PC with much better performance than any currently existing ones. ~ Gridinsoft Team

For every victim, ransomware generates a unique online key. That key is stored on the server maintained by cybercriminals. If the virus cannot connect to that server, it encrypts the files with the offline key, which is stored locally on the encrypted machine. The amount of offline keys is limited. Hence, you have a decryption key in common with several other victims.

Unfortunately, there is no 100% guarantee of getting your files back. If you are lucky enough and ransomware uses the offline key, you can decrypt your data much faster. Nonetheless, obtaining keys is quite long, and you may have to wait several weeks. The decryption app, which is supposed to be used for file decryption, will receive the update with the key that fits you as soon as analysts find it.

Online keys are much harder to solve. Since every such key is unique, you may wait for months. Ransomware distributors will likely be caught and forced to uncover all keys they have on the servers. Another case when all keys are released to the public is when ransomware creators decide to shut down their malicious activity. Such a situation was only once - in 2018 when GandCrab developers claimed that they earned 2 billion dollars and suspended their activity.

Ransomware attack stages

Most analysts define the six main stages of a ransomware attack. They may happen during a single day or within a month. However, the order, as well as the sense of these steps, always remains the same.

Compromise. It is also sometimes called an initial injection. At that point, attackers inject the malware into the network (or the device if it is an attack against the individual user). Compromising is usually done through RDP breaches, email spamming, or unlicensed software usage.

Infection. At this stage, crooks use the initial presence in the network to inject the malicious payload. They rarely use direct downloads - it is straightforward to detect and prevent with security solutions. That’s why malware downloading usually exploits Windows and application software bugs. However, it may even prefer the direct download when it strikes an unprotected network or a sole user.

Escalation. All malware relies on running with administrator privileges. This property makes it possible to decrease the malware hazard by using the account with user privileges. However, even in that case, cybercriminals can find a way through. Most of the escalation stages in corporate networks are done through vulnerability exploitation - particularly ones that escalate privileges.

Scan. That step supposes scanning the infected machine(s) to detect all the files ransomware can cipher. Usually, ransomware takes the most sensitive data formats – ones that belong to MS Office files, pictures, and music. However, some act differently and cipher whatever they reach, despite the files that may harm the programs functionality.

Encrypt. Encryption may take minutes or hours, depending on the number of files on the attacked machines, used algorithm and the quality of ciphering software. The fastest ransomware known at the moment – Rorschach – can cipher 220,000 files in just 4.5 minutes. More massively used ransomware may need hours to accomplish the same task.

Pay Day. When the encryption is over, malware notifies the victim about the attack. It usually generates a ransom note file on the desktop and in each folder with ciphered files. Optionally, it can also change the desktop wallpaper to the ransom note. In the most extreme cases (like Petya ransomware), malware will infect the bootloader and show you the ransom note banner when you press the power button instead of the OS loading.

Ransomware Attack Stages

Types of ransomware

There are several types of ransomware existing currently. All users in the cybersecurity community are used to the kind of ransomware called crypto. That is precisely the virus you can read about above. Another type of ransomware was active much earlier, before 2014. It was called locker ransomware. As you can understand from its name, this virus was locking your system, asking for a ransom for desktop unlocking. Let me show you the critical difference between locker and crypto-ransomware:

Locker ransomware:

Blocks your desktop;
Covers the desktop with a ransom note banner;
Modifies the registry keys that are responsible for Windows Explorer work;
Suspends the explorer.exe process;
Blocks the majority of system combinations (Ctrl+Alt+Del, Ctrl+Shift+Esc);
Some versions can infect the BIOS, making it impossible to load the system;
Sometimes, it can be easily removed after tricky manipulations with system functions;
Ask you to pay a ransom as a mobile number top-up, as well as through the online payment system (PayPal, WebMoney, Qiwi, etc.);

Crypto ransomware:

Encrypts the files of the most popular extensions (.docx, .png, .jpeg, .gif, .xslx), and adds to it its specific extension;
Changes registry keys that are responsible for networking and startup programs launch;
Adds a .txt file that has the ransom payment instructions to each folder where encrypted files are located;
Can block access to some of the websites;
Prevents the launching of the installation files of anti-malware software;
Can change your wallpapers on a ransom note;
Ransom payment is about to be done only with the use of cryptocurrencies, primarily - Bitcoin;

Latest ransomware attacks

List of ransomware families, actual for November, 2024:

Avaddon ransomware showed up a short but pretty active life: its developers decided to shut down their activity in May 2021.
STOP Djvu ransomware is one of the most widespread ransomware families. The first activity of that virus type was detected in 2018, and still, its activity is very high. Being targeted mainly at simple users, this ransomware can be a perfect example of a "classic" ransomware.
Conti ransomware. This criminal group attacks organizations where IT outages can have life-threatening consequences: hospitals, 911 dispatch carriers, emergency medical services, and law enforcement agencies. Group dissolved in mid-2022, after a conflict between its members.
Matrix ransomware is an old-timer of the ransomware sector, appearing in December 2016.
MedusaLocker ransomware appeared in September 2019 and took a very rapid start with attacks on companies from all over the world.
Snatch ransomware uses the trick with Windows Safe Mode and privileged service.
VoidCrypt ransomware uses several features that are more typical for corporate-oriented viruses.
Xorist ransomware uses crypto-constructor and can change itself so much that it is hard to recognize it.
Dharma ransomware appeared around 2016, this ransomware family aims at a small business. Almost 77% of all Dharma cases are related to the exploitation of RDP vulnerabilities.
Egregor ransomware has attacked large companies from all over the world.
HiddenTear - Being initially created for educational purposes.
LockBit an extremely fast ransomware.
Magniber ransomware attempting to use a known PrintNightmare vulnerability to compromise victims.
Makop doesn’t stay on a single encryption algorithm.
Ryuk is an old-timer that is possibly related to North Korean hackers.

Is it a solution to pay the ransom?

The majority of income ransomware developers receive is used to fund various outlaw activities, such as terrorism, other malware distribution campaigns, drug dealership, and so on. Since all ransom payments are made in cryptocurrencies, there is no way to uncover the personality of crooks. However, email addresses can sometimes point out ransomware distributors in the Middle East.

As you can already conclude, paying the ransom equals participating in outlaw activities. Of course, no one will blame you for terrorism funding. But there is nothing pleasant to understand that money you get for fair work is spent on terrorism or drugs. Often even large corporations that are blackmailed with threats to publish some internal data are not paying a penny to those crooks.

How can I protect my computer from ransomware?

Usually, anti-malware programs update their detection databases every day. GridinSoft Anti-Malware can offer you hourly updates, which decreases the chance that a completely new ransomware sample will infiltrate your system. However, making use of anti-malware software is not a panacea. It would be best if you were careful in all risky places. Those are:

Email messages. Most ransomware cases, regardless of the family, are related to malicious email messages. People used to trust all messages sent through email and don’t think something malicious may be inside the attached file. Meanwhile, cyber burglars use that weakness and bait people to enable macros in Microsoft Office files. Macros is a specific application that allows increasing the interaction with the document. You can construct anything on Visual Basic and add it to the document as macros. Crooks, without further thought, add ransomware code.
Dubious utilities and untrustworthy programs. You may see various advice while browsing the Web. Online forums, social networks, and seeding networks - these places are known as sources for various specific tools. And there is nothing bad in such software - sometimes, people need the functions that are not demanded (or accepted) for corporate production. Such tools are so-called keygens for various apps, license key activators (KMS Activator is one of the most known), and utilities for system elements adjusting. Most anti-malware engines detect those applications as malicious, so you will likely disable the antivirus or add the app to the whitelist. Meanwhile, this utility may be clear or infected with trojans or ransomware.

A timeline of the biggest ransomware attacks:

Protect yourself against ransomware with Gridinsoft, the best Anti-Ransomware available. Regain control of your privacy with a ransomware scanner, detector, and remover that's ultra-fast and refreshingly lightweight — and 100% effective.

Download Anti-Ransomware

Frequently Asked Questions

Can ransomware spread through Wi-Fi?

Fortunately, no. The cases when ransomware spreads in the local network are related to malware circulation in the standard directories. Simultaneously attackers get administrator privileges and execute this malware on all computers in the network. However, it is impossible to get infected without letting the crooks connect to your device.

Is ransomware a crime?

For sure, it is. Both are creating the malicious code, spreading it, and collecting the ransom payments that fall under the cybercrime legislation in numerous countries. Even touching the process or the ransom money may be accounted as participation in this crime.

Do I have to report ransomware to the FBI?

You are not obliged to report it precisely to the FBI - any other law enforcement will fit. Sure, it is best to say the ransomware attack to the organization created to counter cybercrimes specifically. However, they may not be represented in your city or even county/state. Police may claim your report and transfer it to the competent authorities or consult you on whom you can report the case.

What can I do against ransomware?

Individual users cannot do a lot against ransomware development and spreading. Even though the crooks may be your friends or relatives, you will likely uncover it only in newsletters - after their capture. They have strict rules of information hygiene since their primary enemy - law enforcement - poses a much more significant threat to them. The main thing you can do to counter the ransomware activity is to make it unprofitable. Each user who pays the ransom stimulates the crooks to keep the action going. But when they do not get a penny from most victims, they may just get dissatisfied and possibly switch their skills in a more peaceful direction.

Is Windows 10 or Windows 11 vulnerable to ransomware?

All of the Windows versions are vulnerable to ransomware attacks. Some specific Windows versions may be harder to infect (in fact, ransomware will struggle to complete the encryption), but it is still possible. Windows 11, Microsoft's newest operating system, has some severe security upgrades, including a reinforced Windows Defender and security mechanisms in the sensitive system components. As a result, it is considered less vulnerable, but ransomware developers are working as well.

Ransomware: Examples & Trends in 2024