
What is ransomware?

Chase Winter
June 28, 2017

Thousands of computers across the globe can be hit simultaneously by ransom-demanding malware. DW explains what ransomware is and how to avoid becoming the next victim.


When the malware called "WannaCry" first infected tens of thousands of computers in nearly 100 countries, it exploited vulnerabilities believed to have been exposed in documents leaked from the US National Security Agency.

The ransomware aimed to extort money from victims, including governments, companies and organizations.

What is ransomware?

Ransomware is malware that encrypts files on an infected computer or mobile device. The ransomware locks the computer and prevents users from accessing files, documents and pictures until payment is made.

Image caption: Major organizations across England reported problems with their computer systems as a result of an apparent cyberattack. (Image: picture-alliance/AP Photo/@fendifille)

How does a computer get infected with ransomware?

Computers are typically infected when a user opens a link or email attachment from a malicious email message. Known as a phishing email, the message is often sent from an email account disguised to look like it is coming from a known or trustworthy entity. Hackers can also plant malware on websites.

Sometimes a user may not be immediately aware the computer is infected. Some types of ransomware, such as the one used on Friday, show a "lock screen" notifying the user their files have been encrypted and demanding payment to unlock the files.

How do payment and unlocking work?

The ransomware demands that the user pay to have the files decrypted. Payment, often with the anonymous virtual currency Bitcoin, allows the user to access the files with an encryption key known only to the hacker. As in Friday's attack, the payment can go up if it is not made within a short time frame.

If the payment is not made within a certain time period, the encryption key is destroyed and the files are lost forever.

Image caption: A typical ransomware infection will show a message telling the victim to pay a ransom to decrypt files. (Image: DW/M. von Hein)

Should you pay the ransom?

Law enforcement agencies advise against paying ransom. They say payment encourages criminal hackers, and there is no guarantee that after payment access to files will be restored.

What can you do to protect yourself against ransomware?

Exercise caution before clicking on an email link from an unknown or potentially disguised source. Users should also install security updates on their computers and back up their files to avoid losing them in case of an attack.

Friday's attack targeted a known vulnerability in the Windows operating system. Microsoft said it had released Windows updates to defend against the ransomware used in the attack, but not everyone installed them.

Why are businesses vulnerable to ransomware?

Larger businesses, organizations and governments may not install security updates immediately because they have their own security measures in place. Hackers target businesses because they calculate that they are more likely to pay. Businesses may have sensitive data and do not want to disrupt operations. Restoring files may also be more expensive than paying the extortion fee.

How can you get files back?

Without making the extortion payment, it is very difficult to save the files. There are instances of hackers creating weak malware that is capable of being broken. In one case, a hacker regretted creating malware and published a master key for files to be decrypted. In another case, law enforcement seized a server with keys on it and shared them with victims.

Law enforcement agencies and computer security companies have keys to decrypt files for some ransomware, but with a growing number of different types of malware, most ransomware cannot be decrypted.