How Ransomware Works: QuickTake Q&A

An increasingly popular and disruptive form of cybercrime is ransomware, which makes files and data stored on computers inaccessible unless a fee is paid. Once a niche area for hackers, the attacks are now affecting government agencies and some of the world’s biggest corporations. Companies hit in 2017 included A.P. Moller-Maersk, FedEx Corp., Nissan Motor Co., Russia’s largest oil producer Rosneft and advertising giant WPP Plc. The U.K. National Health Service and a number of Ukrainian agencies were also harmed. With sophisticated ransomware software available online for hackers to use and the rise of anonymous digital currencies such as bitcoin, there are fears the attacks will only continue.

1. What is ransomware?

It’s a form of malicious software, “malware” for short, that essentially holds a device hostage until a fee is paid to restore it to normal. In the case of the WannaCry worm in May, the ransom was $300 in bitcoin, payable within 72 hours. In June, a South Korean web hosting company agreed to pay more than $1 million to unlock its servers, the largest known payout. The virus spreads from machine to machine on a network, often via email attachments from rogue senders. The targets are usually older computer operating systems that have not been properly maintained with up-to-date security software.

2. What happens if you don’t pay?

Typically one of two things: Either you restore your files from a backup, or you lose them forever. Hackers often give victims a deadline -- say 72 hours to pay the $300 in bitcoin; after that, the price doubles. If the targets refuse to pay, their computers will be permanently locked -- a serious problem for people who haven’t backed up their data.

3. Who is doing this?

The identity of the hackers is hard to learn because they can act anonymously online and the ransom is paid with digital currencies. But the most recent forms of ransomware used a technique purportedly stolen from the U.S. National Security Agency, and affected computers running on older versions of Microsoft Corp.’s operating system.

4. Why does this keep happening?

The simple answer is that it’s expensive to keep operating systems with the best security up to date. Microsoft issued a security patch in March that it labeled “critical,” but many users of personal computers either couldn’t or didn’t download it. Machines still running the long-outdated Windows XP are even more at risk, since Microsoft ended support for it several years ago. An organization with hundreds or thousands of computers would need to spend a lot of money to upgrade all of its systems. When budgets are limited and no problems are occurring, performing costly upgrades is often considered a lower priority. Another reason is software compatibility. Many companies use bespoke software that was designed many years ago and is incompatible with modern computer operating systems. Keeping hold of those old, vulnerable systems may be preferable to rewriting or upgrading.

5. Why are the ransoms so small?

Hackers make the ransom small enough that companies may conclude it’s cheaper to pay it than to hire expensive specialist teams to restore their data. The low cost, combined with the threat of doubling after three days, may have felt to the perpetrators like the most practical way to get paid.

6. If you want to pay, how do you send bitcoin?

You can purchase bitcoin via a broker or specialist exchange. There are many available online for use with numerous currencies. Once the money has been verified and transferred from a bank to the exchange, the user is granted a bitcoin or fraction of a bitcoin in a digital wallet, which can then be sent anonymously to any other registered wallet.

7. Can the bitcoin help find the perpetrators?

Maybe. Some government agencies perform forensics on bitcoin purchases to try to learn more about the perpetrators. But the tools aren’t likely to lead to a particular person or group unless the money is touched or withdrawn. Some experts believe withdrawal might not happen, since the world’s cyber-intelligence forces will be watching the bitcoin account for any sign of activity. The perpetrators may choose to leave the money and count their losses, but remain anonymous. It’s perhaps more likely that clues within the malware itself will provide more intelligence on the identities or location of the attackers.

8. Could this happen again?

Yes. And experts believe it will. It’s not difficult for an attacker to alter the code of this malware in order to deploy it once more, although the threat of such action may motivate companies and individuals to protect themselves better, thereby reducing the potential damage, and appeal, of a repeat attack. The advice of some security specialists is simple: Don’t pay the ransom -- it just encourages copycats.

9. What can be done for protection?

The most effective form of prevention -- for businesses or individuals -- is to back up files. If data is backed up regularly to an external source, a computer can be reset to its factory settings and then the backed-up files can be reinstalled, essentially wiping the ransomware from the system. Ransomware worms are easy for hackers to modify, so even if a fix is found for one bug, it won’t necessarily safeguard against a future attack.

The Reference Shelf

  • Microsoft’s Malware Protection Center offers ways for home and business users to protect themselves from ransomware. 
  • The man who says he stopped the May malware attack explained how he did it in the MalwareTech blog. 
  • Bloomberg View columnist Leonid Bershidsky makes the case for banning governments from hoarding cyberweapons that could be used against non-military systems.
  • InfoWorld offers four reasons why users shouldn’t pay a ransomware demand.
  • QuickTake explainers on cybersecurity and how bitcoin works.