This type is the least dangerous of the three and the least harmful to the user, their device and their files, because it relies on intimidating the user and causing shock and confusion to pressure them into paying. It comes in the form of fake programs installed on your device by underhanded means, which then bombard you with pop-up messages claiming that your device has many problems you must pay to fix, when in reality there are no problems at all.
3- Why the ransomware wave has spread in recent years
Since 2017, a wave of ransomware has swept the whole world. The first reason is the WannaCry ransomware, which spread widely, had a profound and unmistakable impact, and showed the world that ransomware attacks are profitable. Since then, dozens of ransomware families have been developed and used in various attacks.
What made matters worse was the Covid-19 pandemic, which greatly accelerated the ransomware wave. How? Simply because it forced everyone, without exception, to move quickly and without preparation to remote work. This created many security gaps that weakened the defenses of companies and institutions, and cybercriminals exploited those gaps to carry out ransomware attacks, increasing the severity and ferocity of the ransomware wave.
4- How ransomware spreads
Ransomware, like other malware, has several ways of spreading, reaching and infecting victims' devices. In general, the methods are as follows:
- Email phishing: Hackers and cybercriminals impersonate trusted organizations and companies, or even individuals you know and trust, and then send you an email containing an attachment (file) or a link that appears reliable and safe. The hackers' goal is for you to click the link, which directs you to a malicious web page that infects your device with ransomware, or to download the attached file, which appears normal but launches the attack and infects your device the moment you open it. Such messages are common and I personally receive them periodically.
- Malvertising (malicious advertising): Hackers and ransomware operators distribute their malware through fake advertisements on websites. Real and reputable online advertising networks are abused to spread these malicious ads in devious and hidden ways, and this affects even large trusted websites and turns them into a platform for spreading malware.
- How is your device infected through malicious ads? Simply by seeing an advertisement that appears normal on a website you visit and clicking on it; the ransomware can infect your device after you click the harmful ad. Other cases are more serious: the infection happens as soon as the web page finishes loading in your browser, without any need to click on anything!
- Social networking sites: You are probably aware that social networks are one of the most attractive places for hackers and cybercriminals to spread malicious programs of all kinds, not just ransomware, because they are an environment full of potential victims who can easily be caught with malicious links scattered here and there.
- Infected files: These are widely spread on the Internet in the form of ordinary programs that you need to install and use, only for you to discover that they are infected. Often the main reason for this is downloading from unreliable sites. Infected files also spread among users in the form of crack and activation tools for paid games or paid programs, only for you to discover that the file or tool that was supposed to give you paid software for free is booby-trapped and your device is now infected with ransomware.
- Drive-by downloads: Hackers exploit security holes in insecure sites and web pages to plant malicious software on them, so that when an ordinary user visits the infected page, the malware downloads itself automatically and silently onto the victim's device without their explicit permission.
- Self-propagation: The ransomware spreads itself and infects other devices over the network or via USB flash drives.
5- How the ransomware attack works
We can summarize ransomware attacks in seven stages, which are as follows:
1) Infection of the device: At this stage, the ransomware uses one of the spreading methods mentioned earlier to reach the victim's device and install itself on it, and from that point the device is fully infected.
2) Execution: After infection, the ransomware begins to carry out what it was programmed to do. It scans the device and locates the target files, as well as any systems that can be reached over the network (for later propagation). In some cases, the ransomware searches for backup files and folders and then encrypts or deletes them, to eliminate any chance of the victim surviving the attack without paying.
3) Encryption: In this stage, all the files targeted in the previous stage are encrypted, changing their structure so that they become unusable. The encryption methods used can only be reversed with a specific decryption key held by the attacker, and this key is what you are expected to pay for in order to decrypt your files and regain access to them.
4) Notifying the user: At this stage, the user is informed of what is happening by a ransom note telling them the situation they are now in, what they must do next, and how much they must pay, along with detailed instructions for the payment process to obtain decryption.
5) Cleanup: In some cases, the ransomware may delete itself from the victim's device after completing the previous steps, leaving the user with encrypted files and a ransom note containing the steps to complete the payment and recover their files.
6) Payment: At this point the user decides that paying is the only way to get their files back, so they follow the instructions in the ransom note, which usually contains the address of the Bitcoin wallet to which the payment must be sent, as well as how to buy bitcoin (cryptocurrency) if the user does not already own any.
7) Decryption: After the payment is completed, the victim is supposed to receive the decryption key, which should restore full access to their files. But there is no 100% guarantee that the victim will receive the decryption key after paying, as the attackers promised.
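Stage 3 leaves a tell-tale fingerprint a defender can look for: encrypted files have near-random byte distributions, while ordinary documents do not. The following added example, not part of the original article, scans a directory and flags files whose contents look like ciphertext, using Shannon entropy with a threshold of 7.2 bits per byte (an assumed value) and a short list of legitimately high-entropy formats (zip, gzip, PNG, JPEG, PDF) that would otherwise cause false positives. The sample directory is constructed inline.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Magic bytes of formats that are legitimately high-entropy (compressed by
# design) and would otherwise look like ransomware output. Assumed list.
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\x89PNG", b"\xff\xd8\xff", b"%PDF")
ENTROPY_THRESHOLD = 7.2  # bits per byte (assumed); plain documents sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means indistinguishable from random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_size: int = 4096) -> bool:
    """True if the first sample_size bytes look like ciphertext rather than a document."""
    data = path.read_bytes()[:sample_size]
    if len(data) < 256 or data.startswith(COMPRESSED_MAGIC):
        return False  # too small to judge, or a known compressed container
    return shannon_entropy(data) > ENTROPY_THRESHOLD


def scan_directory(root: Path) -> list[str]:
    """Relative paths of files whose contents look encrypted, sorted for stable output."""
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and looks_encrypted(p))


def build_constructed_sample(root: Path) -> None:
    """Constructed fixture: two normal documents, one real-looking zip, and one file
    overwritten with seeded random bytes standing in for a file after stage 3."""
    (root / "notes.txt").write_text("Quarterly report draft, nothing unusual here.\n" * 100)
    (root / "config.ini").write_text("[main]\nretries=3\nlog=verbose\n" * 40)
    (root / "archive.zip").write_bytes(b"PK\x03\x04" + random.Random(7).randbytes(4000))
    (root / "report.docx.locked").write_bytes(random.Random(1).randbytes(4096))


def demo() -> list[str]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_sample(root)
        return scan_directory(root)


if __name__ == "__main__":
    print(demo())  # ['report.docx.locked']
```

In practice this check is combined with a rate signal (many files rewritten within seconds) and run against a backup location as well, since stage 2 often targets backups first.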
6- How to protect against ransomware
Let's agree that the best way to protect yourself and your device from a ransomware attack is to stop it from happening in the first place; that is, to prevent the ransomware from ever infecting your device. To that end, you should follow these tips:
- Invest in your cyber awareness: The thing malware, including ransomware, depends on most to spread is social engineering. All of the spreading methods rely on a set of tricks used to deceive users and make them fall into the trap without realizing it. That is why you should always keep up with the latest developments in cybersecurity, and constantly educate yourself on how to recognize the tricks ransomware uses to launch its attacks and infect devices, and how to avoid them.
- Be skeptical: You should always be skeptical when you use the Internet. Always be careful when dealing with links and emails, even those that come from parties and people you know and trust. When it comes to files, always make sure to download them from trusted source sites. To remove any doubts, I advise you to use free tools such as [ VirusTotal ], which will help you scan files and links before opening them to ensure that they are free of any danger.
- Use an ad blocker: As mentioned earlier, one of the ways attackers infect your device with ransomware is through ads, especially the annoying pop-up ads that unfortunately fill Arabic websites and download files or open links without your permission.
- Use an antivirus: or any strong, well-known protection program with real-time protection, so that it blocks attacks and malware before they reach you. Accordingly, I advise you to use [ Malwarebytes ], one of the best protection programs currently in existence, which contains the full package to protect your device from ransomware.
- Create secure backups of your files on a regular basis: Ransomware gains its power over the victim only because it denies access to their files and holds them hostage. If the victim has a backup copy of their important files elsewhere, the ransomware loses all its power and danger and becomes nothing. That is why we advise you to create secure backups of your files regularly, using cloud storage or even physical storage on a USB flash drive or an HDD/SSD.
- Keep the operating system and programs constantly updated: Ransomware and other malware usually exploit security holes in the operating system (Windows in particular, and frequently), as well as holes in programs such as browsers, to infect victims' devices. This is why you should always install the latest updates as soon as they are released, whether for the operating system or for the programs installed on your device, because updates close security gaps and prevent hackers from using them in their repeated attacks.
7- How to remove ransomware
You should know that removing ransomware from your infected device is the easiest part of the process; restoring your encrypted files is the hardest part. Why? Because there is no 100% guarantee that your files will be decrypted if you pay the ransom.
That is why experts always advise against paying the ransom, because paying feeds the attackers' greed and thus intensifies ransomware attacks. In general, the recommended steps to remove the ransomware and try to contain and reduce the losses are as follows:
- Run the computer in Safe Mode.
- Install security software to scan your device and remove the ransomware, to prevent it from spreading or doing further damage.
- Look for [ Free Decryption Tools ] that can help you decrypt and recover your files without having to pay any ransom.
- Seek help either online or by going to the experts so they can assess the situation and tell you what to do.
In the end, these are the general tips and broad steps that can be followed if your device is infected with ransomware, but know that they will not work in all cases; each case has its own method that must be followed.
As mentioned earlier, the best thing you can do to avoid reaching this point is to prevent it from happening in the first place. As the famous saying goes, "An ounce of prevention is worth a pound of cure."
8- The most famous and deadliest ransomware in history
Here is a list of the most famous ransomware families that became a global pandemic and caused severe damage:
- WannaCry: It was the spark that ignited the ransomware wave that followed. In 2017, the WannaCry ransomware spread around the world like wildfire across 150 countries, leaving about 230,000 infected devices, in addition to losses estimated at $4 billion.
- Ryuk: It first spread in 2018 and targeted organizations and companies with vulnerable systems, such as hospitals, infecting devices via email phishing or drive-by downloads. Ryuk is known as one of the most expensive types of ransomware in the world. It targets large companies and institutions and demands an average ransom of more than 1 million dollars, with the figure reaching a maximum of 12.5 million dollars. The Ryuk ransomware is likely to have generated a total of US$150 million by the end of 2020.
- Petya: A family that targets Windows computers; when it infects a device, it encrypts the entire hard drive to lock the computer and prevent you from using it. Petya broke out in 2016 and returned in a more advanced form in 2017. According to [ a report published by Wired magazine ], the total damage caused by NotPetya (from the same Petya family) is estimated at more than $10 billion.
This was a very brief overview of the deadliest ransomware in history. The list is still long, but we can't mention them all.
9- The latest forms of ransomware threats
You should know that the forms ransomware threats take are constantly changed by their operators so that they are not detected, and so that the ransomware they create finds its way to new victims. That is why you must know the current forms of ransomware threats in order to avoid falling victim to ransomware in the future. Here are the latest threats:
- DLL side loading: Here the ransomware impersonates a real DLL file to avoid detection and trick the user into infecting their own device. DLL files are among the Windows system files needed to run many programs and services, and users often find themselves searching for missing DLL files and downloading them onto their device to get everything working. That is why you should be careful from now on when you deal with DLL files or download them from the Internet, because they may be a gateway for ransomware to infect your device without your knowledge.
- Targeting web servers: Here the ransomware uses phishing emails to target and infect web servers, including all sites hosted on them, and defaces those sites by showing the ransom message when visitors access them, which puts pressure on the owners to pay the ransom.
- Spear-phishing: This is what ransomware operators currently prefer over ordinary phishing; attackers target specific individuals with high privileges, instead of randomly targeting thousands of potential victims at once.
- Ransomware as a Service (RaaS): Ransomware operators sell or rent their ransomware to buyers, who can then launch attacks without having any expertise in digital security or malware creation.