With the growing influence of automated data handling systems in various aspects of the daily life of an average citizen, such as banking, education, health care and many other public and private services, systems security is becoming ever more important. Various malicious online activities by large criminal syndicates or independent individual bad actors now threaten any operation reliant on computer systems.
Of the numerous strains of malware regularly appearing online, ransomware is now of particular interest to the cybersecurity community [zhang2019classification] as it is capable of targeting any user indiscriminately and can inflict irreversible harm on its victims. A ransomware often exploits low-level operating system mechanisms or security-based operations, such as cryptography, to isolate users from their assets (be these data services or systems), partially or on the whole. The user can only regain access if and when a sometimes-hefty “ransom” is paid, and in many instances, the access to the data is never returned to the user even if the ransom is paid in full [moore2016detecting]. Consequently, due to the significant financial gain ransomware can offer the perpetrators [laszka2017economics], considerable resources are often put behind the creation of new and innovative variants, allowing them to bypass state-of-the-art anti-virus and anti-malware software [kok2019ransomware].
Initially, ransomware attacks seem to have been in the form of spray-and-prey, with little targeting towards any particular individual. However, more recently, attackers have been moving towards more targeted attacks [fbi] – the so-called “big game hunting”, in which cybercriminals target high-value organisations, putting significant value into identifying more targeted routes of entry.
As a result of this perceived high value for cybercriminals, the cybersecurity community has had to stay vigilant to maintain the ability to detect and avert constantly-emerging ransomware attacks. Malware activities have conventionally been identified either at the network level [gu2008botminer, cabaj2018software], system level [bayer2009scalable] or both [jacob2011jackstraws]. For instance, Andronio [andronio2015heldroid] proposes an approach that identifies device-locking or encryption activities at the system level by finding code paths using static taint analysis along with symbolic execution. In another work, anomalous file system activities are used to detect ransomware [kharraz2015cutting]. Similarly, Scaife et al. [scaife2016cryptolock] attempts to identify abnormal system behaviour by carefully measuring changes in file type, similarity measurements and entropy.
With††Volenti non fit injuria: No wrong is done to one who consents.
the significant recent advances in machine learning[simonyan2014very, atapour2018real, ren2015faster, mikolov2013distributed, grover2016node2vec, bonner2018temporal], learning-based approaches have also found their way into the expansive literature on ransomware detection and classification. For example, the approach proposed by Sgandurra et al. [sgandurra2016automated]
detects and classifies ransomware variants by dynamically analysing the behaviour of applications during the early stages of their installation. Ransomware classification has also been attempted through combining a static detection phase based on the frequency of opcodes prior to installation and a dynamic method which investigates the use of CPU, memory and network as well as call statistics during run-time[ferrante2017extinguishing]. Vinayakumar et al. [vinayakumar2017evaluating]
investigates the efficacy of neural networks used to detect and classify ransomware activities, with a focus on tuning the hyperparameters and the architecture of a simple multilayer perceptron. In another work, Atapouret al. [aaa] propose a vision-based system that classifies ransomware variants based on an image of the splash screen casually captured using a smartphone camera.
Despite the advances in ransomware detection techniques, the constantly-evolving landscape of ransomware and the substantial level of diversity among its variants give further importance to acquiring deeper insight into the nature of ransomware attacks. In this vein, we take a closer look at ransomware categories and particularly the types of victims that are often targeted and regularly fall for ransomware attacks. In Section II, we briefly review the types of ransomware commonly found in the wild, Section III focuses on the victims of ransomware attacks and finally, a number of preventative and response strategies are discussed in Section IV.
Ii Variants of Ransomware
Before attempting to understand the victims of ransomware attacks, it is important to understand the varieties of ransomware and the reasons behind this variation. While the existing literature contains numerous studies that provide meaningful taxonomies of ransomware [luo2007awareness, luo2009ransomware, ahmadian2015connection, al2018ransomware], we primarily focus on aspects of ransomware variants that can directly contribute to a deeper understanding of their victims.
Ransomware variants can be classified based on their mode of propagation (e.g. through pre-packaged exploitation kits [hopkins2015exploit], affiliate packages built on top of existing malware infrastructures [wyke2012zeroaccess], spam campaigns [wyke2012zeroaccess]), payment methods (e.g. direct digital currency payments [coindesk], pre-paid vouchers, calls and texts to premium rate numbers, online purchases) and many other characteristics. However, of the numerous factors that can aid in the classification of ransomware with respect to the victims: attack intensity [luo2007awareness, luo2009ransomware] and the user platform towards which the attack is designed [al2018ransomware] are arguably the most important. Considering these factors, we provide a very generic classification of ransomware variants in the following.
Ii-a Attack Intensity
In terms of the intensity of the attacks (the level of threat a ransomware can pose to an infected system), there are, in general, three types of ransomware: scareware, locker-ransomware and crypto-ransomware (Figure 1).
Predominantly, the objective of a scareware is simply to scare the victim into paying a fee without causing any actual harm to the computer system [savage] and can thus be easily dealt with. This is usually accomplished by displaying a fake splash screen on the victim’s computer [aaa] and asking for a ransom despite the files and the entire system still being accessible to the user. In most cases, a scareware might threaten the victim by alleging that they have found illegal content or viral infections on the system [richet2016extortion, pathak2016dangerous] and exploit the victim’s fear to extort money.
Conversely, locker-ransomware and crypto-ransomware [cabaj2018software] can be truly detrimental to system, sometimes causing irreparable damage. Locker-ransomware often takes control of the locking capabilities of the operating system and denies the victim access to one or more of the system services or applications [savage]. The system is subsequently left with limited capabilities, which might only allow the victim to follow the instructions needed to pay the ransom. However, this form of ransomware is, in many cases, incapable of successfully extorting the ransom, especially from skilled PC users, as the operating system and the files are left intact and unharmed and it is relatively easy to bypass the locking mechanism.
Crypto-ransomware, on the other hand, employs cryptography to encrypt the user’s files [ganesh2016static], essentially removing all access to the files, leaving the victim with two options: either pay the ransom or forever lose access to all the encrypted files (which in many cases will happen even if the ransom is paid). In essence, the ransom is demanded in exchange for the decryption key, which is often the only way for the victim to regain access to the data and/or the system.
When it comes to the profile of the victims targeted by these types of ransomware, technical knowledge often plays a critical role. While highly-skilled victims are unlikely to pay the ransom, except for cases where a crypto-ransomware has successfully encrypted files which have not been archived or backed up, unskilled users can fall victim to locker-ransomware or even scareware. However, depending on the platform, these variants of ransomware can have different effects and can cause varying levels of harm. As such, in the following section, we focus on the platforms different variants of ransomware might target.
Ii-B Target Platform
Another factor that plays a role in understanding the ransomware victims is the platform they use. While PCs and mobile devices have long been the target of ransomware attacks, new variants of ransomware now commonly attack IoT devices and cloud-based systems as well [symantec2019internet]. There has even been a demonstration that other consumer devices such as digital cameras can also be successfully targeted [eos]. Encrypting images directly on the camera could have significant negative impact, especially if the photographer is working as a professional.
However, due to the wide-spread use of personal computers for decades, it is expected that they make up the majority of ransomware targets, and while MS Windows systems are most commonly attacked, others such as Mac OS and Linux machines are not entirely immune either [arsene2016ransomware, benchea2016]. PCs are often targeted by all three types of ransomware (scareware, locker-ransomware and crypto-ransomware), with the number of attacks being on the rise and new variants constantly being introduced [Symantec, mcafee2017mcafee].
Due to the ease of use and the low skill levels needed to operate, mobile devices are now ubiquitously used by a wide spectrum of individuals, making them ideal targets for ransomware attacks [yang2015automated, afifi2016dyhap]. Mobile ransomware attacks have reportedly more than quadrupled since 2015 [ksn], with locker-ransomware variants carrying out most of the successful attacks. This is mainly due to the fact that important personal files are often kept outside the mobile device, rendering local encryption attacks against the device useless, and the mobile operating systems do not offer the manoeuvrability needed to bypass a locking attack, making them significantly more effective [al2018ransomware] than locking attacks against a PC.
Recently, there have been numerous reports of attacks on IoT devices [karkouch2016data], despite such appliances generally not holding any valuable data. Not unlike mobile attacks, different variants of locker-ransomware can inflict significant harm to the users of IoT devices by disabling access, causing power outages and even disrupting critical services [Symantec]. To understand why and how certain victims are targeted more often than others, in the next section, we focus on the victims, themselves.
Iii Ransomware Victims
Since significant financial gain continuously drives the creation and spread of ransomware [laszka2017economics], one of the most effective methods of combating this type of malware is cutting off the supply of funds obtained through the ransom paid by the victims. Hence, a deeper understanding of the typical victims of ransomware attacks can be very helpful in coming up with solutions that prevent or mitigate the current fast-growing ransomware problem. From a top-down perspective, ransomware victims can broadly be classified into two wide groups: individuals and business entities. Due to the important differences between these two groups, the behaviour of the ransomware targeting these victims is often very different.
Iii-a Individual Home Users
Consumer ransomware often targets individual home users, which in terms of numbers make up the majority of ransomware victims [al2018ransomware]
. These individualistic attacks are often opportunistic and perpetrated via indiscriminate attack vectors. For instance, the victim might receive a spam e-mail, in which they are encouraged to click on a malicious link or they might visit a compromised website infecting the system with ransomware. In rarer occasions, however, infection can occur without user engagement through drive-by downloads[cova2010detection] or by means of malvertising and ad-injections [xing2015understanding].
Considering the limited resources often available to non-technical individual victims compared to large corporations and government-affiliated organisations, the ransom demanded from the victims is often significantly smaller ($300 to $700) [Symantec]. When a consumer ransomware attacks a targeted individual, all the files and resources are normally locked or encrypted as fast as computationally possible and the ransom note is quickly displayed in the form of a splash screen [aaa]. Despite the more affordable fees demanded by the perpetrators, due to the large number of infections a single attack can spread across the world, this type of ransomware attack remains profitable and incentivises further investment of resources and development for the perpetrators [bisson2017half].
Non-technical individuals are also widely targeted by scareware (Section II-A), the variants of which essentially issue fake warnings and threaten the victim’s files and/or personal privacy without them ever actually being in any serious danger. For instance, the famous FakeAV [stone2013underground] epitomises a typical scareware by adopting the appearance of a legitimate anti-virus that warns the user of the supposedly malicious software it has discovered on the victim’s computer after a fake scan. Subsequent to the this, payment is demanded, sometimes very aggressively, to remove the fake malware [savage].
With the growth of the ransomware-as-a-service model [nadir2018contemporary], even unskilled amateur hackers are now capable of launching ransomware attacks using pre-fabricated automated tools, which sometimes come with a consumer support service to talk the victims through negotiation attempts and payments [sherer2016ransonware]. This has a led to an increase in the number of mass indiscriminate attacks against individuals, necessitating a deeper analysis and understanding of the situation. While certain factors such as age, level of education and financial resources do contribute to the likelihood of an individual falling victim to a ransomware attack and subsequently paying the ransom, the level of computer-literacy is the primary determining factor.
While simple solutions such as regular software and operating system updates [savage, leong2016understanding], e-mail security (on both client and server side [cormack2008email, leong2016understanding]), anti-malware tools [continella2016shieldfs], access and authorisation control [mattei2017privacy] and simply backing up the data [young2017cryptovirology, mustaca2014your] can significantly reduce the number of successful ransomware attacks on individuals, the user needs to be aware of and skilled enough to implement such measures, which signifies the value of computer-literacy for the public.
Iii-B Business Entities
Despite having access to large IT infrastructures and security professionals, business organisations also regularly fall victim to ransomware attacks. Such ransomware attacks are often a consequence of the more targeted (big game hunting) attacks where the perpetrator may put significant effort into preparing a credible social attack against an identified member of staff. After gaining access through an entry point into the system, the attack vectors often employed by such ransomware variants are mostly gradual and covert [Symantec]. The ransomware usually focuses on avoiding and evading the countermeasures deployed by the organisation’s security experts and slowly takes control of specifically targeted data, such as transactional documents, backups and archives [al2018ransomware]. As expected, large organisations often receive significantly higher ransom demands compared to individuals, easily reaching numbers as high as $10,000 or higher [al2018ransomware].
As far as business entities and organisations are concerned, the security systems, the type of data and possibly the services they deal with are the primary factors in their victimisation. In the following, we focus on the various sectors that are often targeted by ransomware attacks.
In recent years, educational institutions, such as schools and universities, have become one of the primary targets of ransomware attacks. In fact, according to a recent report [bitsite], the educational sector faces the largest number of attacks per capita with more than 10% of all schools and universities having been targeted. Many such organisations have budgetary constraints, limited access to cybersecurity professionals and smaller teams of often over-worked IT personnel, yet due to their high rate of network file sharing and centralised systems [target] can be prime targets for any malware.
Additionally, an average school, university or any other educational or research institute stores valuable and highly-sensitive data on students, who might be under the legal age, staff, intellectual property, financial documents and sometimes even medical records that must not be compromised in any way. One such ransomware attack was experienced by University College London, where shared drives and student management systems were compromised [ucl] in 2017.
Iii-B2 Health Industry
Healthcare facilities and hospitals are also commonly targeted for ransomware attacks, mainly due to the highly critical data and services that they depend on. Not having immediate access to a patient’s data can have life-or-death consequences. A major example of this would be the Hollywood Presbyterian Medical Center, where a ransom of $3.7 million was demanded after highly-sensitive medical data and hospital services were disrupted. The hospital was forced to pay the ransom since daily administrative operations were reduced to pen and paper, and more importantly, the life of the patients was hanging in the balance. This case, however, is particularly notable as the ransom was negotaited down to $17,000 and access to the data and services was returned to the hospital [mattei2017privacy] allowing normal operations to resume.
Iii-B3 Government Agencies
The number of attacks on government agencies tripled from 2015 to 2016 [bitsite] and has been steadily growing ever since. In 2018, the city of Atlanta, Georgia suffered a significant ransomware attack. The ransomware had found its entry point into the system by means of a brute-force attack to crack weaker passwords [statescoop]. Although most services (safety, water and airport operations) were not compromised, online payment systems and court information access were severely restricted, potentially affecting up to 6 million people [statescoop] and costing the city over $2.7 million in recovery efforts.
As government agencies are generally perceived to have significantly larger funds available to them and many of their services (e.g. police, water, transportation) are highly critical and time-sensitive, perpetrators always look for opportunities to get through the security systems of such organisations in any way possible.
Iii-B4 Utilities, Retail and Finance
With the growing reliance many organisations in the utilities, retail and finance sector place on computationally-powerful low-latency systems, combined with the significantly heavy costs they can suffer as a result of any down-time, they have become one of the recurring targets of ransomware attacks [bitsite]. In many such companies, and even small to mid-size businesses of similar nature, the human resources departments are now regularly preyed on as they often have access to many other sections and departments within any given company and this connectivity is very enticing to the perpetrators [csoonline].
Iii-B5 Emerging Targets
In general, any organisation that holds sensitive data or offers critical services is always at risk of a ransomware attack. A law firm, for instance, is always in danger. While the loss of data can be catastrophic to a law firm, the possibility of publicising confidential client data can put an end to the business entirely, which would make a law firm willing to pay any amount [target]. Industrial control systems have also largely avoided being targets of ransomware attacks [formby2017out], but this is not because of their level of security as there are glaring security vulnerabilities that do not seem to be improving [savage]. Any widespread attack on such systems can lead to a compromise in critical infrastructure, which can have devastating international consequences.
Iv Prevention and Response
Since the significant re-emergence of ransomware within the past few years, many new tools and workarounds have been suggested to mitigate or recover from a ransomware attack. However, due to the increasing viability of the business model, perpetrators invest significant resources to stay ahead of the cybersecurity community. According to a recent report [nahorney2017internet], the number of ransomware attacks that have been successfully detected and prevented saw a 30% increase from 2015 to 2016. However, the overall number of attacks has also notably risen. Consequently, detecting every new variant of ransomware might be impossible using a single powerful anti-malware tool, but there are various techniques that individuals or companies can employ to protect their systems from a ransomware infection. Here, we discuss certain measures that can help with the prevention of or response to a ransomware attack. In Section IV-A, we discuss some of the most prominent security techniques that can prevent ransomware attacks and in Section IV-B, we focus on what should be done in response to an infection.
Iv-a Prevention Techniques
Attempting to remove a ransomware or re-gaining access to a corrupted system or encrypted data can be very expensive and sometimes impossible, even if the ransom is paid. The best solution, in this case, is prevention. While securing the system and network activity is extremely important for both individual users and business organisations, an overwhelming majority of successful malware attacks are due to human error [proofpoint], so securing the end user is of utmost importance. In the following, we briefly outline the most important prevention approaches on the system and the user side.
Iv-A1 Network/System Security
While certain system and network security measures are more expensive and require expert support, the majority of the recommendations listed below apply to both individual home users and business entities:
A robust backup and archiving system removes the threat the majority of ransomware attacks can pose.
Anti-malware and other similar tools are indispensable to a secure system. Modern tools [continella2016shieldfs] even take advantage of machine learning approaches to remove their dependence on knowledge of existing threat signatures.
In a secure system, all hardware, operating systems, software, cloud locations and content management systems must be patched and up-to-date at all times.
Via effective system administration, application white-listing and software restriction policies [sittig2016socio], dubious programs can be kept off the system, specially for large companies, where controlling and monitoring all the employees with system access might not be possible.
Using a proxy-server and any of the numerous ad-blocking packages, common ransomware entry points can be restricted.
Through network segmentation, virtual machines, and limited authorisation and privileges, potentially harmful network access to sensitive data can be averted.
It is important for any organisation, to introduce access policies and closely monitor any third parties as they can easily introduce vulnerabilities into the system.
Any company with sensitive data requires a response plan that outlines how the system can be protected if an attack is detected in its early stages.
Iv-A2 End User Security
While human error is a significant cause of ransomware attacks [proofpoint], it is not always avoidable. Nor can we assume that a well-constructed attack would not thwart even the most security-savvy. Education and training, both for individuals and businesses with many employees, can be very effective in preventing, or at least reducing the likelihood of, a ransomware attack.
End users need to be aware of social engineering as it is a common attack vector for many malicious actors [gallegos2017social].
All end users must be trained on phishing and how it must be countered.
Companies should have strict policies about their employees’ use of the internet as personal emails and social media websites [richardson2017ransomware] are regular points of entry for many ransomware variants.
It is very important for end users to have strong passwords as perpetrators can easily gain access to the main system via various password cracking approaches [marechal2008advances].
Iv-B Response to an Attack
More often than not, when data has been encrypted using a crypto-ransomware, not many solutions are left available. However, it is very important, especially for non-skilled individuals, to ensure the infection has indeed been caused by a crypto-ransomware as locker-ransomware and scareware can often be easily removed from most computer systems without causing serious harm to the system.
Identification is often key when seeking to distinguish which type of Ransomware has infected the system. In such situations, knowledge is highly-important especially as many attackers obfuscate their ransomware to reduce the chance of easy detection. The “No More Ransom” project [nomoreransom] provides a mechanism to identify the ransomware from either the text within the ransom note or a small number of the encrypted files. While Atapour et al. offers a more layperson approach allowing users to take a picture of the ransomware splash screen and use this for identification [aaa].
In cases where the algorithm or the key used by the perpetrators are not strong, a decryption solution might be available. While certain companies such as Kaspersky and Windows Defender offer proprietary decryption tools, the No More Ransom project [nomoreransom] is specifically dedicated to helping all victims, whether individual home users or businesses, to recover their encrypted files without having to pay the ransom.
Finally, one of the most important actions every business entity or individual home user must take after a ransomware infection is to report the incident and share as much data about the incident as possible with the authorities and experts. Many individuals and companies often remain quiet about such attacks out of fear of bad publicity. However, reporting such events can go a long way in putting a stop to similar future attacks.
The level of threat that ransomware poses is extremely serious and can disrupt the fabric of our modern data-dependent society. With the recent rise in cybercrime, it is now more important than ever to combat the perpetrators of ransomware attacks and cut off the large supply of funds regularly invested in the development and improvement of new variants of ransomware. In this vein, this paper has primarily focused on facilitating a better understanding of ransomware variants and the victims often targeted by them. We also provide a brief classification of ransomware variants and the attack vectors they are commonly associated with. This is accomplished by examining the severity of the threat a variant of ransomware can pose and the platform it is designed to attack. The paper also discusses the targets predominantly victimised by ransomware perpetrators to enable further insight into the underlying forces that drive this malicious business model. While individual home users make up the majority of the victims, depending on the type of data they hold or the services they may provide, businesses can make for more lucrative targets and are often at a greater risk. Furthermore, we have briefly considered helpful prevention strategies for individuals and businesses that fall victim to these attacks and the potential post-infection recovery techniques that might aid in mitigating the devastating effects the loss of sensitive data can have on any victim as paying the ransom is rarely advisable and is not guaranteed to lead to a full recovery of the data.
This work was in part supported by the EPSRC EMPHASIS (EP/P01187X/1) and CRITiCaL (EP/M020576/1) projects.