Ransomware: What it is, Who’s at Risk, and How to Stop an Attack

Last year was riddled with ransomware attacks with thousands of systems compromised as a result. With technology evolving at the current rate, hackers are finding more and more ways to attack. For example, ransomware is no longer limited to affecting desktops or laptops — it can also target mobile devices. A report by Kaspersky noted that there was a 250% increase in mobile ransomware attacks just within the first few months of 2017.

Thankfully, the ever-evolving technology also gives us more ways to protect against these attacks.

The first step toward protecting yourself and your business against ransomware is knowledge. Understanding what ransomware is and how it works can help you take the necessary security precautions. Below, we’ll delve into the history of ransomware, the various ways it accesses devices, who is at risk, and some of the technologies and best practices you can follow to prevent an attack or save encrypted data.

Are you prepared for an attack? Click here for our free checklist and learn how to stop ransomware in its tracks.


What exactly is ransomware and where did it come from?

Ransomware is a form of malicious software that blocks and/or locks your computer and prevents you from accessing your data until you pay a ransom. Both the attacks and the ransoms can come in many different forms. Some demand payment, some threaten with harm, and others do both.

According to an article by Heimdal Security, ransomware first appeared in 1989 in the form of the AIDS Trojan, where malware was spread using floppy disks and demanded that victims pay $189 as ransom. More commonly noted instances of ransomware occurred in Russia and Eastern Europe between 2005 and 2009. Victims were told to pay using SMS messages or by calling a premium-rate phone number, since online payment wasn’t as available as it is today.

Since then, ransomware attacks have continued (and continued to evolve) at an alarming rate. In 2013, CryptoLocker — a software that locks and unlocks victims’ files — infected over half a million victims, extorting around $27 million from the percentage of users who paid the ransom. In 2017, victims were hit by WannaCry, one of the most widespread malware attacks, which infected Windows users by encrypting files on the hard drive and demanding Bitcoin payment from the victims.

Ransomware today can generally be classified into two types: encrypting and locker. Locker ransomware is also referred to as an MBR (Master Boot Record) exploit. Encrypting ransomware blocks files using encryption algorithms and demands payment in order to decrypt the blocked data. Examples of this type are CryptoLocker and CryptoWall. According to Wired, “with the development of ransom cryptware, [it] encrypts your files using a private key that only the attacker possesses, instead of simply locking your keyboard or computer.” Locker ransomware, by contrast, locks the user out of the operating system, blocking access to the entire desktop without actually encrypting any files; police-themed ransomware is an example. There is also a less common type of ransomware known as leakware or doxware, which threatens to release sensitive data from the user’s computer unless the ransom is paid. To read about the different variations of encrypting and locker ransomware, check out this source.

How does ransomware spread?

Understanding exactly what ransomware looks like is crucial because you’ll know which warning signs to look out for. Heimdal Security goes into detail describing the various characteristics that make ransomware unique among other forms of malware. Keep an eye out for these actions, which may indicate a ransomware attack:

  • Encrypting all kinds of files
  • Scrambling file names
  • Adding extensions to files
  • Displaying an image or message that your data has been encrypted (and asking for a ransom)
  • Requesting payment in Bitcoins
  • Limiting the time available to make a payment (and/or threatening if payment is not met)
  • Spreading to other PCs (within a local or wide area network)

All forms of ransomware can be spread through infected email attachments (phishing scams), software apps, external drives (e.g. flash drives), drive-by downloads, spam, out-of-date anti-virus, and compromised websites. Infected SMS messages are now also used to target mobile devices.

Now that you have a better grasp on what signs to look for, we’ll discuss who are the most likely targets of a ransomware attack and what you can do to protect yourself and your business.

Who is at risk of a ransomware attack?

Unfortunately, basically everyone. Since there are variants of each type of ransomware and new forms are coming out at an ever-increasing pace, it’s nearly impossible to predict who the next victim(s) will be. That being said, we can make some educated guesses.

By analyzing the circumstances and characteristics of past victims, we can figure out why some users were attacked — helping us predict who might be at risk in the future. Presently, we know that some attackers aim for businesses only, while others aim for the average individual user. Here are some of the reasons why:

If users don’t have any kind of data backup, attackers will definitely take notice. Individual users are also less likely to have knowledge of proper IT security, so they’re more likely to open suspicious emails or click on suspicious links. Attackers also look for users who don’t keep their software up to date and who lack basic cybersecurity knowledge.

As for businesses, they’re targeted often because they’ve proven more lucrative than the individual. If a ransomware attack is causing a major disruption, they’ll likely pay off the ransom quickly, no matter the amount. In addition to all the computers housed within a business’ building, Heimdal Security points out that ransomware can infect “servers and cloud-based file-sharing systems, going deep into a business’s core.”

It’s no surprise that large businesses and corporations are targeted, because they have the ability to pay off a large ransom if all or some of their computers and data are attacked.

Small businesses also fall prey to ransomware because of IT security negligence. Many — especially new startups — don’t have security in place and are unprepared to deal with security breaches.

Some businesses and individuals are guilty of thinking a malware attack won’t happen to them. But, according to Wired, “at least $5 million is extorted from ransomware victims each year.” The damage caused by ransomware attacks cannot and should not be ignored. Experts say that a ransomware attack can cost a user between $200 and $10,000, and more than 50% of businesses surveyed have paid anywhere from $10,000 to $40,000.

Thankfully, there is technology available to guard against malware, and some practices you can learn to protect yourself or your business from becoming another victim.

What are some technologies and best practices you can follow?

As we mentioned previously, understanding what ransomware is and how it works can make you less vulnerable to an attack — knowledge is power!

The next step to ensure basic IT security for anyone is to install antivirus protection on your computers and devices, and to keep your operating system and all software up to date. Updating promptly and on a regular basis gives attackers fewer vulnerabilities to exploit.

Then — and we can’t stress this point enough — back up all of your data. This doesn’t stop a ransomware attack, but it will make recovering from an attack a whole lot easier.

Some of the best practices you can follow to prevent falling victim to ransomware are:

  • Never open spam emails or emails from unknown senders;
  • Never download attachments from spam/suspicious emails;
  • Never click links in spam/suspicious emails.

Pro tip: If you receive emails from Microsoft or some other well-known brand name asking for your account information or payment, be sure to check the sender’s email address. If it isn’t directly from that company, or looks suspicious in any other way, don’t open the email or click any links within it.

If you’re removing ransomware (on a Windows system) you can follow these steps laid out by CSO Online:

  • Reboot Windows 10 to safe mode
  • Install anti-malware software
  • Scan the system to find the ransomware program
  • Restore the computer to a previous state

As soon as you notice either the ransomware warnings or evidence of encrypted files, unplug your PC from any network! The malware will crawl your network and infect any files or machines it finds — you need to contain the infection.

There are also professional cybersecurity researchers working around the world to break the encryption used in large-scale ransomware attacks. Unfortunately, if you didn’t back up your data, there is no way to get your data back or decrypted without paying the ransom. Remember, you need to remove any malicious software before you restore from a recent backup. When in doubt, always reach out to your IT department or an IT professional service like ours at Advance2000 as soon as possible. We can help you recover your files and hardware.


There is no reason for anyone to feel helpless when it comes to ransomware. With basically unlimited information about ransomware on the internet and the ever-evolving technologies to keep your computers and data secure, you should be able to safeguard yourself against most malicious ransomware attacks.

To help, we’ve partnered with Sophos to provide you with a comprehensive checklist outlining exactly how to stop malicious ransomware attacks in their tracks. Click below to ensure you’re prepared in the event of an attack:


HIPAA Compliance and Ransomware: What You Need to Know

If you work in the medical field or for a health care provider, chances are you’re very familiar with HIPAA guidelines and how they pertain to patient care. But are you familiar with how HIPAA affects your IT environment? When it comes to HIPAA and patient care, most people are already familiar with the HIPAA Privacy Rule, but how familiar are you with the HIPAA Security Rule? Due to recent events regarding ransomware and the Erie County Medical Center, HIPAA compliance – along with data security – has become more important than ever.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates the use and disclosure of Protected Health Information (PHI). This applies to (but is not limited to) health insurers, medical service providers, health clearinghouses, and employer-sponsored health plans. From April of 2003 until January of 2013 there were over 91,000 HIPAA complaints, which led to 22,000 enforcement actions. As if going through litigation isn’t bad enough, violators also pay a pretty penny per HIPAA violation. In 2010, Cignet Health of Maryland was fined 4.3 million dollars simply for not providing patients with copies of their medical records when requested.

How can HIPAA compliance affect your daily operation?

Now that we’ve established how important HIPAA is, let’s break down how this may affect your operations on a day-to-day basis. To do this, I’m going to refer back to ECMC. When ECMC was initially hit with the cyberattack, they were given an option to settle for 1.7 bitcoin (the equivalent of $4,644 U.S. dollars). This may not seem like an astronomical amount of money; however, the $4,644 figure was per infected machine. If you take into account how many machines a small- to medium-size office may have (likely around 10 to 15), you’re looking at a starting point of around fifty thousand dollars and up (now the fee seems a bit more severe). On top of the monetary losses, you also must take data security, HIPAA fines, downtime, productivity loss, and reputation into account.

Hopefully we now see the consequences of not being HIPAA compliant, but how does HIPAA compliance help protect your data?

The first step in becoming HIPAA compliant, from an IT perspective, is to have an audit of your environment completed. This way a managed service provider can provide a detailed scope of your environment, along with an IT roadmap, which will help you plan for future expenses and potential issues. During the audit, multiple scans of the environment will be run. Some of the scans will make sure your hardware and software are up to date, and will also check for any security vulnerabilities or possible holes in your infrastructure configuration management.

After the audit has been completed, an engineer will sit down with you and explain the findings and recommendations. Sometimes the recommendations may be very minor in scale and can be implemented in a very short amount of time. On other occasions the engineer may find larger holes or more serious issues which need to be addressed more urgently. As an example, a main part of being HIPAA compliant is having a full off-site backup. If the audit is completed and no backup is found, an engineer will sit down with you and provide you with a detailed proposal which will help you protect your data in the event that you are ever attacked by malicious software and data loss does indeed occur.

As technology continues to advance and hackers become more sophisticated, data security increasingly becomes a top priority for organizations like yours. We’ve seen foreign countries and governments “hack” U.S. computers with the explicit interest of stealing intellectual property and extorting money from U.S. businesses. A HIPAA security audit is a great way to make sure this doesn’t happen to you.
