Ransomware is a type of malware from cryptovirology that threatens to publish the

victim's data or perpetually block access to it unless a ransom is paid. While some
simple ransomware may lock the system in a way which is not difficult for a
knowledgeable person to reverse, more advanced malware uses a technique called
cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible,
and demands a ransom payment to decrypt them. In a properly implemented cryptoviral
extortion attack, recovering the files without the decryption key is an intractable problem
– and difficult to trace digital currencies such as Ukash or Bitcoin and other
cryptocurrency are used for the ransoms, making tracing and prosecuting the
perpetrators difficult.
Ransomware attacks are typically carried out using a Trojan that is disguised as a
legitimate file that the user is tricked into downloading or opening when it arrives as an
email attachment. However, one high-profile example, the "WannaCry worm", travelled
automatically between computers without user interaction.
Ransomware is a type of malicious software, or malware, designed to deny access to a
computer system or data until a ransom is paid. Ransomware typically spreads through
phishing emails or by unknowingly visiting an infected website.
Ransomware can be devastating to an individual or an organization. Anyone with
important data stored on their computer or network is at risk, including government
or law enforcement agencies and healthcare systems or other critical infrastructure
entities. Recovery can be a difficult process that may require the services of a reputable
data recovery specialist, and some victims pay to recover their files. However, there is
no guarantee that individuals will recover their files if they pay the ransom.
CISA recommends the following precautions to protect users against the threat of
ransomware:

 Update software and operating systems with the latest patches. Outdated
applications and operating systems are the target of most attacks.
 Never click on links or open attachments in unsolicited emails.
 Backup data on a regular basis. Keep it on a separate device and store it offline.
 Follow safe practices when browsing the Internet. Read Good Security Habits for
additional details.

In addition, CISA also recommends that organizations employ the following best
practices:

 Restrict users’ permissions to install and run software applications, and apply the
principle of “least privilege” to all systems and services. Restricting these
privileges may prevent malware from running or limit its capability to spread
through a network.
 Use application whitelisting to allow only approved programs to run on a network.
 Enable strong spam filters to prevent phishing emails from reaching the end
users and authenticate inbound email to prevent email spoofing.
 Scan all incoming and outgoing emails to detect threats and filter executable files
from reaching end users.
 Configure firewalls to block access to known malicious IP addresses.
Malware (malicious software)
Malware, or malicious software, is any program or file that is harmful to a
computer user. Types of malware can include
computer viruses, worms, Trojan horses and spyware. These malicious
programs can perform a variety of different functions such as stealing,
encrypting or deleting sensitive data, altering or hijacking core computing
functions and monitoring users' computer activity without their permission.

How malware works

Malware authors use a variety of physical and virtual means to spread

malware that infect devices and networks. For example, malicious programs
can be delivered to a system with a USB drive or can spread over the internet
through drive-by downloads, which automatically download malicious
programs to systems without the user's approval or
knowledge. Phishing attacks are another common type of malware delivery
where emails disguised as legitimate messages contain malicious links or
attachments that can deliver the malware executable to unsuspecting users.
Sophisticated malware attacks often feature the use of a command-and-
control server that allows threat actors to communicate with the infected
systems, exfiltrate sensitive data and even remotely control the compromised
device or server.

Emerging strains of malware include new evasion and obfuscation techniques

that are designed to not only fool users but security administrators and anti-
malware products as well. Some of these evasion techniques rely on simple
tactics, such as using web proxies to hide malicious traffic or source IP
addresses. More sophisticated threats include polymorphic malware, which
can repeatedly change its underlying code to avoid detection from signature-
based detection tools, anti-sandbox techniques, which allow the malware to
detect when it is being analyzed and delay execution until after it leaves the
sandbox, and fileless malware, which resides only in the system's RAM in
order to avoid being discovered.
Common types of malware

Different types of malware contain unique traits and characteristics. Types of

malware include:

 A virus is the most common type of malware which can execute itself and
spread by infecting other programs or files.

 A worm can self-replicate without a host program and typically spreads

without any human interaction or directives from the malware authors.

 A Trojan horse is designed to appear as a legitimate program in order to

gain access to a system. Once activated following installation, Trojans can
execute their malicious functions.

 Spyware is made to collect information and data on the device user and
observe their activity without their knowledge.

 Ransomware is designed to infect a user's system and encrypt the data.

Cybercriminals then demand a ransom payment from the victim in
exchange for decrypting the system's data.

 A rootkit is created to obtain administrator-level access to the victim's

system. Once installed, the program gives threat actors root or privileged
access to the system.

 A backdoor virus or remote access Trojan (RAT) secretly creates

a backdoor into an infected system that allows threat actors to remotely
access it without alerting the user or the system's security programs.

 Adware is used to track a user’s browser and download history with the
intent to display pop-up or banner advertisements that lure the user into
making a purchase. For example, an advertiser might use cookies to track
the web pages a user visits to better target advertising.

 Keyloggers, also called system monitors, are used to see nearly everything
a user does on their computer. This includes emails, opened web-pages,
programs and keystrokes.
Mobile malware

Malware can also be found on mobile phones and can provide access to the
device's components such as the camera, microphone, GPS or
accelerometer. Malware can be contracted on a mobile device if the user
downloads an unofficial application or if they click on a malicious link from an
email or text message. A mobile device can also be infected through a
Bluetooth or Wi-Fi connection.

Malware is found much more commonly on devices that run the Android OS
comparatively to iOS devices. Malware on Android devices is usually
downloaded through applications. Signs that an Android device is infected
with malware include unusual increases in data usage, a quickly dissipating
battery charge or calls, texts and emails being sent to the device contacts
without the user's knowledge. Similarly, if a user receives a message from a
recognized contact that seems suspicious, it may be from a type of a mobile
malware that spreads between devices.

Apple iOS devices are rarely infected with malware because Apple carefully
vets the applications sold in the App Store. However, it is still possible for an
iOS device to be infected by opening an unknown link found in an email or
text message. iOS devices will become more vulnerable if jailbroken.

How to detect and remove malware

A user may be able to detect malware if they observe unusual activity such as
a sudden loss of disc space, unusually slow speeds, repeated crashes or
freezes or an increase in unwanted internet activity and popup
advertisements. An antivirus tool may also be installed on the device that
detects and removes malware.These tools can either provide real-time
protection or detect and remove malware be executing routine system scans.

Windows Defender, for example, is a Microsoft anti-malware software which is

included in Windows 10 operating system (OS) under Windows Defender
Security Center. Windows Defender protects against threats such as spyware,
adware and viruses. Users can set automatic “Quick” and “Full” scans, as well
as set low, medium, high and severe priority alerts.

Malwarebytes is another anti-malware tool which can remove malware from

Windows, macOS, Android and iOS platforms. Malwarebytes can scan
through a user’s registry files, running programs, hard drives and individual
files. If detected, malware can then be quarantined and deleted. However,
users cannot set automatic scanning schedules.

History

The term malware was first used by computer scientist and security
researcher Yisrael Radai in 1990. However, malware existed long before this.
One of the first known examples of malware was the Creeper virus in 1971,
which was created as an experiment by BBN Technologies engineer Robert
Thomas. Creeper was designed to infect mainframes on ARPANET. While the
program did not alter functions, or steal or delete data, the program moved
from one mainframe to another without permission while displaying a teletype
message that read, "I'm the creeper: Catch me if you can." Creeper was later
altered by computer scientist Ray Tomlinson, who added the ability to self-
replicate to the virus and created the first known computer worm. The concept
of malware took root in the technology industry, and examples of viruses and
worms began to appear on Apple and IBM personal computers in the early
1980s before becoming popularized following the introduction of the World
Wide Web and the commercial internet in the 1990s.

Similar programs

There are other types of programs that share common traits with malware but
are distinctly different, such as a PUP, or potentially unwanted program.
These are typically applications that trick users into installing them on their
system (such as browser toolbars) but do not execute any malicious functions
once they have been installed. However, there are cases where a PUP may
contain spyware-like functionality or other hidden malicious features, in which
case the PUP would be classified as malware.