How ransomware works: QuickTake Q&A

Nate Lanxon and Adam Satariano

Wed, May 17, 2017 | 03:28 pm

While ransomware attacks can be hoaxes, or their threats false, experts believe the current threat is real. (Shutterstock/File)

Computer networks worldwide have been falling victim to a so-called ransomware attack, which makes files and data stored on computers inaccessible to users unless a fee is paid. More than 200,000 computers in more than 150 countries have been affected so far, including at FedEx Corp., Nissan Motor Co., Telefonica SA and government agencies such as the National Health Service in the U.K. While experts restore computers to full operation, others fear this is just the first of many possible attacks.

Read also: Who's to blame for ransomware outbreak?

1. What is ransomware?

It’s a form of malicious software, “malware” for short, that essentially holds a device hostage until a fee is paid to restore it to normal. In this case, the ransom was $300 in bitcoin, payable within 72 hours. The virus can spread from machine to machine on a network, often via email attachments from rogue senders. The targets are usually older computer operating systems that have not been properly maintained with up-to-date security software.

2. What happens if you don’t pay?

Typically one of two things: either you restore your files from a backup, or you lose them forever. While ransomware attacks can be hoaxes, or their threats false, experts believe the current threat is real. The hackers have given their victims 72 hours to pay the $300 in bitcoin; after that, the price doubles. If the targets refuse to pay after seven days, their computers will be permanently locked -- a serious problem for people who haven’t backed up their data.

3. Who did this?

The identity of the hackers isn’t yet known. But the malware used a technique purportedly stolen from the U.S. National Security Agency, and affected computers running on older versions of Microsoft Corp.’s operating system.

Read also: Six steps to prevent ransomware

4. How did this happen?

The simple answer is that it’s expensive to keep operating systems up to date with the best security. Microsoft issued a security patch in March that it labeled “critical,” but many users of personal computers either couldn’t or didn’t download it. Machines still running the long-outdated Windows XP are even more at risk, since Microsoft ended support for that system several years ago. An organization with hundreds or thousands of computers would need to spend a lot of money to upgrade all of its systems. When budgets are limited and no problems are occurring, performing costly upgrades is often considered a lower priority. Another reason is software compatibility. Many companies use bespoke software that was designed many years ago and is incompatible with modern operating systems. Keeping hold of those old, vulnerable systems may be preferable to rewriting or upgrading critical internal software applications.

5. Why was the ransom so small?

Some experts have said the amount demanded by the hackers is small enough that companies may conclude it’s cheaper to pay it than to hire expensive specialist teams to restore their data. The low cost, combined with the threat of doubling after three days, may have felt to the perpetrators like the most practical way to get paid.

6. If you wanted to pay, how does one send $300 in bitcoin?

A user would have to purchase bitcoin via a broker or specialist exchange. There are many available online for use with numerous currencies. Once the money has been verified and transferred from a bank to the exchange, the user is granted a bitcoin or fraction of a bitcoin in a digital wallet, which can then be sent anonymously to any other registered wallet.

7. Can bitcoins help find the perpetrators?

Almost certainly not, unless the money is touched or withdrawn. Some experts believe withdrawal might not happen, because the world’s cyber-intelligence agencies will be watching the bitcoin account for any sign of activity. The perpetrators may choose to leave the money and cut their losses, but remain anonymous. It is perhaps more likely that clues within the malware itself will provide greater intelligence as to the identities or location of the originators of the attack.

Read also: Worldwide ransomware attacks: What we know

8. Could this happen again?

Yes. And experts believe it will. It’s not difficult for an attacker to alter the code of this malware in order to deploy it once more, although the threat of such action may motivate companies and individuals to protect themselves better, thereby reducing the potential damage, and appeal, of a repeat attack. The advice of at least one security specialist is simple: Don’t pay the ransom -- it just encourages copycats.

The Reference Shelf

  • Microsoft’s Malware Protection Center offers ways for home and business users to protect themselves from ransomware.
  • The man who reportedly stopped the malware attack explained how he did it in the MalwareTech blog.
  • In Bloomberg View, columnist Leonid Bershidsky makes the case for banning government intelligence cyberweapons that target non-military systems.
  • InfoWorld offers four reasons why users shouldn’t pay a ransomware demand.
  • QuickTake explainers on cybersecurity and how bitcoin works as an alternative currency.