Ransomware: What it is, Who’s at Risk, and How to Stop an Attack

Last year was riddled with ransomware attacks with thousands of systems compromised as a result. With technology evolving at the current rate, hackers are finding more and more ways to attack. For example, ransomware is no longer limited to affecting desktops or laptops — it can also target mobile devices. A report by Kaspersky noted that there was a 250% increase in mobile ransomware attacks just within the first few months of 2017.

Thankfully, the ever-evolving technology also gives us more ways to protect against these attacks.

The first step toward protecting yourself and your business against ransomware is knowledge. Understanding what ransomware is and how it works can help you take the necessary security precautions. Below, we’ll delve into the history of ransomware, the various ways it accesses devices, who is at risk, and some of the technologies and best practices you can follow to prevent an attack or save encrypted data.

What exactly is ransomware and where did it come from?

Ransomware is a form of malicious software that blocks and/or locks your computer and prevents you from accessing your data until you pay a ransom. Both the attacks and the ransoms can come in many different forms. Some demand payment, some threaten with harm, and others do both.

According to an article by Heimdal Security, ransomware first appeared in 1989 in the form of the AIDS Trojan, malware that was spread using floppy disks and demanded that victims pay $189 as ransom. More commonly noted instances of ransomware occurred in Russia and Eastern Europe between 2005 and 2009. Victims were told to pay using SMS messages or by calling a premium rate phone number, since online payment wasn’t as available as it is today.

Since then, ransomware attacks have continued (and continued to evolve) at an alarming rate. In 2013, CryptoLocker — software that locks and unlocks victims’ files — infected over half a million victims, extorting around $27 million from the percentage of users who paid the ransom. In 2017, victims were hit by WannaCry, one of the most widespread malware attacks, which infected Windows users by encrypting files on the hard drive and demanding Bitcoin payment from the victims.

Ransomware today can generally be classified into two types: encrypting and locker. Locker ransomware is also known as an MBR (Master Boot Record) exploit. Encrypting ransomware blocks files using encryption algorithms and demands payment in order to decrypt the blocked data. Examples of this type are CryptoLocker and CryptoWall. According to Wired, “with the development of ransom cryptware, [it] encrypts your files using a private key that only the attacker possesses, instead of simply locking your keyboard or computer.” Locker ransomware, such as police-themed ransomware, instead locks the user out of the operating system, blocking access to the entire desktop without actually encrypting any files. There is also a less common type of ransomware, known as leakware or doxware, that threatens to release sensitive data from the user’s computer unless the ransom is paid.

How does ransomware spread?

Understanding exactly what ransomware looks like is crucial because you’ll know how to look out for phishy signs. Heimdal Security goes into detail describing the various characteristics that distinguish ransomware from other forms of malware. Keep an eye out for these actions, which may indicate a ransomware attack:

  • Encrypting all kinds of files
  • Scrambling file names
  • Adding extensions to files
  • Displaying an image or message that your data has been encrypted (and asking for a ransom)
  • Requesting payment in Bitcoins
  • Limiting the time available to make a payment (and/or threatening if payment is not met)
  • Spreading to other PCs (within a local or wide area network)
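Two of the signs above, encrypted file contents and extensions added to file names, can be checked for automatically. The following is an added example, not code from the original article or from Heimdal Security; the list of known extensions, the entropy threshold and the `.locked` sample file are constructed assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: extensions users normally work with; tune this for your environment.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".csv"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain text is roughly 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def scan_for_indicators(root: Path, sample_size: int = 4096) -> dict:
    """Flag files with an unknown extension appended after a known one,
    and files whose first bytes look random (possible encryption)."""
    findings = {"appended_extension": [], "high_entropy": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        suffixes = [s.lower() for s in path.suffixes]
        # report.docx.locked -> suffixes are [".docx", ".locked"]
        appended = len(suffixes) >= 2 and suffixes[-2] in KNOWN_EXTENSIONS
        if appended and suffixes[-1] not in KNOWN_EXTENSIONS:
            findings["appended_extension"].append(path.name)
        with path.open("rb") as fh:
            if shannon_entropy(fh.read(sample_size)) >= ENTROPY_THRESHOLD:
                findings["high_entropy"].append(path.name)
    return findings


def build_constructed_sample(root: Path) -> None:
    """Constructed sample data: two normal files and one that looks encrypted."""
    (root / "notes.txt").write_bytes(b"Quarterly meeting notes. " * 200)
    (root / "budget.csv").write_bytes(b"item,cost\npaper,12\nink,40\n" * 100)
    # Random bytes stand in for ciphertext; ".locked" is a made-up extension.
    (root / "report.docx.locked").write_bytes(os.urandom(4096))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(Path(tmp))
        print(scan_for_indicators(Path(tmp)))
```

Compressed formats such as .jpg or .docx also score high on entropy, so treat a file as suspicious when both signals appear together or when many files change at once.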

All forms of ransomware can be spread through infected email attachments (phishing scams), software apps, external hard drives (e.g. flash drives), drive-by downloads, SPAM, out-of-date anti-virus, and compromised websites. Not to mention there’s now infected SMS messaging to target mobile devices.

Now that you have a better grasp on what signs to look for, we’ll discuss who the most likely targets of a ransomware attack are and what you can do to protect yourself and your business.

Who is at risk of a ransomware attack?

Unfortunately, basically everyone. Since there are variants of each type of ransomware and new forms are coming out at an ever-increasing pace, it’s nearly impossible to predict who the next victim(s) will be. That being said, we can make some educated guesses.

By analyzing the circumstances and characteristics of past victims, we can figure out why some users were attacked — helping us predict who might be at risk in the future. Presently, we know that some attackers aim for businesses only, while others aim for the average individual user. Here are some of the reasons why:

If users don’t have any kind of data backup, attackers will definitely take notice. Users are also less likely to have knowledge about proper IT security, so they’re more likely to open phishy emails or click on suspicious links. Attackers also look for users who don’t keep their software up to date and lack basic cybersecurity knowledge.

As for businesses, they’re targeted often because they’ve proven more lucrative than the individual. If a ransomware attack is causing a major disruption, they’ll likely pay off the ransom quickly, no matter the amount. In addition to all the computers housed within a business’s building, Heimdal Security points out that ransomware can infect “servers and cloud-based file-sharing systems, going deep into a business’s core.” It’s no surprise that large businesses and corporations are targeted because they have the ability to pay off a large ransom if all or some of their computers and data are attacked.

Small businesses also fall prey to ransomware because of IT security negligence. Many — especially new startups — don’t have security in place and are unprepared to deal with security breaches.

Some businesses and individuals are guilty of thinking a malware attack won’t happen to them. But, according to Wired, “at least $5 million is extorted from ransomware victims each year.” The damage caused by ransomware attacks cannot and should not be ignored. Experts say that a ransomware attack can cost a user between $200 and $10,000, and more than 50% of businesses surveyed have paid anywhere from $10,000 to $40,000.

Thankfully, there is technology available to guard against malware, and some practices you can learn to protect yourself or your business from becoming another victim.

What are some technologies and best practices you can follow?

As we mentioned previously, understanding what ransomware is and how it works can make you less vulnerable to an attack — knowledge is power!

The next step to ensure basic IT security for anyone is to install antivirus protection on your computers/devices, and to keep your operating system and all your software up to date. Updating promptly and on a regular basis gives attackers fewer vulnerabilities to exploit.

Then — and we can’t stress this point enough — back up all of your data. This doesn’t stop a ransomware attack, but it will make it a whole lot easier when it comes to recovering from an attack.

Some of the best practices you can follow to prevent falling victim to ransomware are:

  • Never open spam emails or emails from unknown senders;
  • Never download attachments from spam/suspicious emails;
  • Never click links in spam/suspicious emails.

Pro tip: If you receive emails from Microsoft or some other well-known brand name asking for your account information or payment, be sure to check the sender’s email address. If it’s not directly from @microsoft.com, or looks suspicious in any other way, don’t open it or click any links within it.
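The sender check from the tip above can be automated for a mailbox or help-desk queue. This is an added example, not part of the original article; the sample messages and the `.example` domains are constructed, and the three result labels are names chosen for this illustration.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "microsoft.com"  # the brand domain named in the tip


def classify_sender(raw_message: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """Compare the real From address (not the display name) with the trusted domain."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower() if "@" in address else ""
    # Exact domain or a true subdomain such as email.microsoft.com.
    if domain == trusted or domain.endswith("." + trusted):
        return "matches"
    # The brand shows up in the display name or inside another domain.
    brand = trusted.split(".")[0]
    if brand in display.lower() or brand in domain:
        return "impersonation"
    return "unrelated"


# Constructed sample messages (headers only, followed by a short body).
SAMPLES = {
    "genuine": 'From: "Microsoft" <no-reply@email.microsoft.com>\n\nHello',
    "lookalike": 'From: "Microsoft Support" <help@micros0ft-billing.example>\n\nPay now',
    "display_trick": 'From: "security@microsoft.com" <alerts@mail.example>\n\nVerify',
    "suffix_trick": "From: help@microsoft.com.account-verify.example\n\nVerify",
    "newsletter": 'From: "Weekly Deals" <news@shop.example>\n\nSale',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} {classify_sender(raw)}")
```

The From header is written by the sender, so a matching domain is necessary but not sufficient; anything else that looks suspicious still counts.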

If you’re removing ransomware (on a Windows system), you can follow these steps outlined by CSO Online:

  • Reboot Windows 10 to safe mode
  • Install anti-malware software
  • Scan the system to find the ransomware program
  • Restore the computer to a previous state

As soon as you notice either the ransomware warnings or evidence of encrypted files, unplug your PC from any network! The virus will crawl your network and infect any files or machines it finds — you need to contain the infection.

There are also professional cybersecurity researchers working around the world to break the encryptions on large-scale ransomware attacks. Unfortunately, if you didn’t back up your data, there is no way to get your data back or decrypted without paying the ransom. Remember, you need to remove any malicious software before you restore from a recent backup. When in doubt, always reach out to your IT department or an IT professional service like ours at Advance2000 as soon as possible. We can help you recover your files and hardware.


There is no reason for anyone to feel helpless when it comes to ransomware. With basically unlimited information about ransomware on the internet and the ever-evolving technologies to keep your computers and data secure, you should be able to safeguard yourself against most malicious ransomware attacks.
