Please ensure Javascript is enabled for purposes of website accessibility

 

December 27, 2021 | Cybersecurity Toolbox

What is Ransomware?

1

AUTHOR
Alexander R. Boler, Esq. | 2021 – 2024 Member, The Florida Bar’s Standing Committee on Technology

Imagine this scenario: You return from your lunch break to find one of your staffers pulling computer power cords from the outlets, the receptionist is frantic and unable to answer client inquiries, associates do not have access to discovery documents or case research, senior partners have lost their draft pleadings, and your bookkeeper no longer has an accounting of the firm’s trust account. Your firm’s files and data are gone, unable to be restored. And now someone demands a hefty sum. You have fallen victim to a ransomware attack.

What is Ransomware?

So, what is ransomware? This devious creation is a form of malware that attempts to extort a ransom from its victims by denying them access to their computer files and digital data. Let’s back up: First, what is malware? As the name suggests, malware is malicious software, or software that is intentionally designed to compromise computer hardware and/or data. Unlike many other forms of malware, ransomware provides a compelling incentive to its perpetrators through the allure of financial gain. Indeed, it has grown into a criminal enterprise.

Now, how does this software operate? When the ransomware software is launched on a computer, it quickly works to encrypt the files on that computer with a unique encryption key, overwriting the original data that was there.

Encryption is a mathematical process, using a string of bits called an encryption key, by which data is made unreadable without the same key (called symmetric encryption), or a different key that cannot be derived from the original key (called asymmetric encryption). Encryption acts to make data secure from prying eyes, but in the case of ransomware it makes that data secure from its owner’s eyes.

The ransomware works efficiently, too, targeting text documents (such as Word Documents, and PDFs), images (JPEGs and PNGs), videos (MP4s and MOVs), audio files (WAVs and MP3s), and many other important files first, while intentionally ignoring standard system files or other software programs that can be easily replaced. And, it seeks to propagate through a computer network by attacking network attached storage, and other local computers. (In the example above, your staffer unplugging computers may have been preventing the ransomware from affecting those computers.)

By overwriting the data on the computer, the ransomware ensures that the user unable to access or recover his or her important files without the ransomware attacker’s help. This is when the ransom offer is made.

To regain access to the unencrypted files the ransomware attackers promise to provide a decryption key to decrypt the encrypted files, and thus restore the original data to the computer. But, in exchange the attackers demand a ransom, payable (almost always) in cryptocurrency. When paid, the attackers will deliver the decryption key and software. While no individual user can be ensured to get the decryption keys upon payment—these are criminal actors, after all—there is an incentive for the attackers to provide a reliable and easy method of file decryption and data restoration. If they were to fail to deliver on their promise after receiving ransom payment, future victims would have no reason to believe the attacker’s offer and simply refuse to pay the demanded ransom.

The advent of cryptocurrencies has presented the ability to circumvent financial controls. Cryptocurrencies provide an attractive and effective means of transferring funds across borders, with little to no identification of parties to the transactions. (Although many originally believed these transactions to be difficult to trace, experience has now proven otherwise, especially when government actors are investigating the transactions.) This gives criminal enterprise a tool to receive and move funds without normal government or industry safeguards.

The first widespread ransomware, known as CryptoLocker, began as an e-mail attachment sent to unsuspecting users. Carelessly opened, the ransomware would infect and attack a computer. But the unwitting victims were often unable to pay high ransoms, and usually did not have high-value data. If the damage is just going without a few family recipes, some computer game save files, book reports that have already been turned in, then, an individual computer user might not feel any need to pay a ransom to restore the data. On the other hand, a law firm, a hospital, or a local government, might have data so precious that its loss would trigger serious damage. These entities may need the data and be willing and able to shell out hundreds of thousands or even millions of dollars. This has created criminal enterprises.

Precautions

Precautions for protecting yourself from attacks by ransomware are similar to protecting yourself from any malware. Starting with the basics: Do not click links or open files in e-mails that you cannot verify; avoid untrusted websites; and run malware and virus protection on your computer.

Even if you fall victim to a ransomware attack, you can avoid a serious hit to your pocketbook or a serious loss of files and data, if you have securely backed up your files. Be sure that the backup is independent from your computer network so that the ransomware cannot attack it too. Cloud backups can be convenient and easy, but ensure they keep multiple versions of a file so that the encrypted file does not overwrite its original on the cloud backup. Local backups on removable media can be more resilient to overwrites and less expensive, but they require diligence to perform, and are susceptible to physical loss.

Unfortunately, as victims take measures to prevent their own loss of data through backups, ransomware attackers are exploiting a new reason to demand a ransom. In addition to encrypting the data on a local computer, the ransomware copies sensitive data to the attacker’s computer. This now gives the attacker leverage to release sensitive information (perhaps trade secrets, financial data, or protected health information) if the client refuses to pay.

In the end, responsibility for data protection falls on each of us.

More reading:

Cybersecurity and Infrastructure Security Agency’s ransomware guide: https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C_.pdf

National Institute of Standards and Technology’s ransomware risk management: https://csrc.nist.gov/publications/detail/nistir/8374/draft

PC Magazine’s protection recommendations: https://www.pcmag.com/picks/the-best-ransomware-protection

ABOUT THE AUTHOR
Alexander R. Boler, President of Boler Legal PLLC, has over six years of experience representing clients in corporate settings and state government. He has extensive experience representing clients in litigation in the Florida circuit and county courts, district courts of appeal, the Florida Supreme Court, the Florida Division of Administrative Hearings, and in two federal district courts. Additionally, he has had significant success advising clients and negotiating on their behalf. At the appellate level, he has regularly secured successful published results for his clients at the 1st, 2nd, 3rd, and 4th DCAs, and the Florida Supreme Court.



This LegalFuel publication is intended for educational purposes only and does not replace professional judgment. Statements of fact and opinions expressed are those of the author individually and, unless expressly stated to the contrary, are not the opinion of The Florida Bar or its committees. The Florida Bar does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information published. Any feedback should be provided to the author.