20 JUN 2018

Cybercrime and ransomware: features and risks of ransom attacks (part I)

The term ransomware indicates a sophisticated category of malware that infects desktop and mobile systems and restricts the lawful owners' access to them. To regain access to the files, the owner must pay a ransom (hence the name “ransomware”).

There are mainly two types of ransomware:

  1. Locker ransomware: the earliest type to be distributed. It locks the victim out of the operating system, denying access to the desktop and to any apps or files. Files are not encrypted, but the attackers demand a ransom to unlock the infected computer. Examples include ransomware that passes itself off as a police organization (for example the FBI, the Metropolitan British Police and similar) and Winlockers. Some locker variants directly infect the Master Boot Record (MBR), the section of the hard disk that allows the operating system to start up. When ransomware hits the MBR, the boot process does not complete and a ransom demand screen appears instead. Satan and Petya are examples of ransomware of this type;
  2. Encrypting ransomware: incorporates advanced encryption algorithms and is designed to encrypt, and so block, the files on the system, then demand a ransom in exchange for the key that can decrypt the blocked content. Examples include CryptoLocker, Locky and CryptoWall. WannaCry belongs to this category and is particularly sophisticated because it exploited a Windows vulnerability discovered by the American NSA and publicly revealed to the whole world by the hacker group The Shadow Brokers (TSB). WannaCry struck on 12 May 2017 and in its first hours infected about 200,000 machines worldwide, including those of large organizations.

Ransomware spreads through phishing e-mails carrying malicious attachments, or through links to malicious sites from which the malware is downloaded without the user noticing.

Why are ransomware attacks constantly increasing?

Ransomware attacks are technically effective and leverage the psychology of victims through fear, fed by intimidating messages that threaten destruction or irreversible denial of access to data or systems.

In particular, the features that make a ransomware attack “successful” are:

  • it uses robust encryption, which means the user cannot decrypt the files on their own;
  • it can encrypt all kinds of files, from documents to images, videos, audio files and anything else a user may keep on their PC;
  • it can encode filenames, so it is impossible to tell which data is involved. This is one of the social engineering tricks used to confuse victims and pressure them into paying the ransom;
  • it shows a screen or message informing the user that their data has been encrypted and that a specific amount of money must be paid to get it back;
  • it demands payment in bitcoin, because this crypto-currency essentially permits anonymity;
  • the ransom payment generally has a time limit, adding another level of psychological pressure to the extortion. If the time runs out, in most cases the ransom increases or the data is destroyed and lost forever. Only 42% of the victims who paid the ransom recovered their data;
  • it uses a complex set of evasion techniques to avoid traditional antivirus;
  • it often recruits infected PCs into botnets, allowing cybercriminals to expand their infrastructure and feed future attacks;
  • it can spread to other PCs connected to the local network, causing additional damage;
  • it often has data exfiltration capabilities, extracting data from the affected computer (usernames, passwords, e-mail addresses, etc.) and sending it to a server controlled by the cybercriminals, so encrypting files is not always the only purpose;
  • the payment instructions are often translated into the victim's language, to increase the likelihood that the ransom is paid.
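Two of the features above, strong encryption of every file type and encoded filenames, are also what a defender can look for on an endpoint: a burst of writes whose content has near-maximal entropy, landing under extensions the user never had. The following is an added detection example, not code from the original article; the file-write events, paths and extension list are constructed for illustration.

```python
import math
import random
from collections import Counter

# Extensions normally present on this (hypothetical) workstation.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".jpg", ".png", ".mp4", ".pdf", ".txt"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_suspicious_write(path: str, data: bytes, threshold: float = 7.0) -> bool:
    """High-entropy content written under an extension the user did not have before."""
    ext = path[path.rfind("."):].lower() if "." in path else ""
    return ext not in KNOWN_EXTENSIONS and shannon_entropy(data) > threshold

def detect_burst(events, window: float = 10.0, min_hits: int = 3):
    """events: iterable of (timestamp_seconds, path, data).
    Returns the paths of the first run of >= min_hits suspicious writes that fall
    inside `window` seconds, or [] when no such burst exists."""
    hits = sorted((t, p) for t, p, d in events if is_suspicious_write(p, d))
    for i in range(len(hits)):
        j = i
        while j < len(hits) and hits[j][0] - hits[i][0] <= window:
            j += 1
        if j - i >= min_hits:
            return [p for _, p in hits[i:j]]
    return []

# Constructed sample telemetry (not real data): one normal save, then ransomware
# rewriting files as ciphertext with a new extension and dropping a ransom note.
_rng = random.Random(1)
def _ciphertext_like(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))  # stands in for encrypted output

PLAINTEXT = b"Quarterly revenue report, section 1: numbers are up.\n" * 40
SAMPLE_EVENTS = [
    (0.0, "C:/Users/u/Docs/report.docx", PLAINTEXT),
    (1.0, "C:/Users/u/Docs/report.docx.locked", _ciphertext_like(2048)),
    (1.5, "C:/Users/u/Pics/holiday.jpg.locked", _ciphertext_like(2048)),
    (2.0, "C:/Users/u/Docs/HOW_TO_DECRYPT.txt", b"Your files are encrypted. Pay to recover them."),
    (2.5, "C:/Users/u/Docs/a8f3c1.locked", _ciphertext_like(2048)),  # encoded filename
]

if __name__ == "__main__":
    print(detect_burst(SAMPLE_EVENTS))
```

Running it flags the three `.locked` writes and ignores both the ordinary document save and the low-entropy ransom note.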

The following picture is not the subway map of a city, but the evolution of ransomware variants over the space of five years, from 2012 to 2017:

The evolution of ransomware attack variants in recent years, from 2012 to 2017

Ransomware attacks: differences between desktop and mobile devices

There is no ransomware encryption in the mobile world because apps and operating systems back up to the cloud. If users back up their files, there is no need to pay a ransom, so cybercriminals have no interest in attacking mobile users except to gain access to the personal data stored on the devices.

Lockers (or blockers), instead, represent 99% of mobile ransomware because they simply overlay the interface of any app, so that the user can no longer use it.

Have you enjoyed this article? Keep reading our study about Ransomware attacks!

Edited by Lucia D’Adamo, in collaboration with Andrea Petriglia, supervised by Marco Pirrone