What is ransomware? A Practical Guide

Ransomware is a type of malware, which is malicious code that infiltrates or damages a system. This type of infectious program encrypts files and deletes the originals, thus preventing access to the data until a ransom is paid (Buecker, A. et al., 2011).

The first primitive type of ransomware dates back to 1989. Later, what we know as ransomware was first identified in Russia in 2005. Subsequently, this type of malware saw an increase in attacks in 2011. According to reports from Kaspersky Labs (Brulez, 2011), it was initially known as the “police virus” due to its mode of operation.

One of its early methods was to display a deceptive message on the screens of infected devices. In this message, ransomware identified itself as the police of the country where the device was located and accused the user of accessing child pornography or other types of embarrassing websites. Since the user couldn’t remove the message because the system was locked, a threat was displayed, coercing them to pay a sum of money within 24 hours, or the hard drive would be erased.

Cyber threats increase over time.

In the years following its appearance, ransomware's operating mechanisms expanded. In 2012, new variants of ransomware called Locked and SGAE emerged. In 2014, new ransomware versions like CryptoDefense, CryptoLocker, and CryptoWall appeared. According to Ferrer (2015), CryptoWall has become the greatest threat and continues to evolve, with its version 3.0 having earned a ransom of $325 million per attack.

Due to the speed at which new, increasingly alarming ransomware variants have emerged, 2016 was considered by Adam Philpott, Cisco's Cybersecurity Director for Europe, the Middle East, Africa, and Russia, as the "Year of Ransomware." With the onset of COVID-19, not only did we face a health pandemic, but ransomware attacks also increased. This is evident in attacks on government institutions, leading some governments to classify them as acts of terrorism, as they disrupted local government activities and other public institutions. For example, we can mention the attack on Spain’s Public Employment Service (SEPE) in March 2021.


How does ransomware attack?

Ransomware affects any computer, server, or smartphone. Attacks occur when the user executes files delivered through channels like IRC (Internet Relay Chat), email, peer-to-peer networks, newsgroups, videos on suspicious websites, fake system updates, and seemingly trustworthy installers for programs like Windows or Adobe Flash.

Once installed, it locks the operating system and encrypts the user's data, preventing its use until the ransom is paid. In some cases, the threat includes the device’s IP address, the Internet service provider, and even a photo from the webcam. It is important to note that although many people pay the ransom, they do not recover the data, and the device may be formatted, causing the loss of stored data.


Types of Ransomware

1. Lockers

These are named for their primary goal: to completely lock the system and display a message demanding a ransom for the data. These were the first types of ransomware to appear, and they posed as police authorities. The threat wasn’t only about recovering data but also about avoiding imprisonment. Examples include ransomware that places a pornographic banner on the desktop and threatens the user in this way.

2. Encryptors or Filecoders

This type of ransomware encrypts the names and/or content of the data stored in the affected system. Initially, it used symmetric (secret-key) encryption, where the same key encrypts and decrypts, but later it evolved to use asymmetric encryption, which uses a key pair: a public key to encrypt on the victim's machine and a private key, held only by the attacker, to decrypt. The most prominent examples of this type of ransomware are AIDS, the first ransomware with symmetric encryption, and PGPCoder, which uses asymmetric encryption.

3. Hybrids

Hybrid ransomware combines both previously mentioned methods to hijack data. It combines features of both locking the system and encrypting the data. An example of this type is the CryptoLocker ransomware.
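The Encryptors section above describes what a filecoder does to data: it rewrites documents as ciphertext and often renames them. Those two behaviours leave measurable traces that a defender can look for. The following script is an added example, not code from the original article: it runs a simple detection heuristic over a constructed batch of file-write events (the event shape, process names, paths and the list of ransom extensions are all assumptions for illustration). It flags a process that writes several files with a suspicious extension, fills plain-text document types with high-entropy content (ciphertext has an entropy close to 8 bits per byte, normal text around 4 to 5), or drops a ransom note.

```python
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass
class WriteEvent:
    """One file-write event as a host agent might report it (assumed shape)."""
    process: str
    path: str
    content: bytes  # the bytes written, or the first chunk of them


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: plain text is roughly 4-5, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Extensions some filecoders append to encrypted files (constructed list for the example).
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
# Plain-text document types whose contents should rarely be high-entropy.
# (Compressed formats such as .docx or .zip are excluded: they are high-entropy by nature.)
DOCUMENT_EXTENSIONS = {".txt", ".csv", ".xml", ".html", ".rtf"}


def classify_event(ev: WriteEvent, entropy_threshold: float = 7.0) -> list:
    """Return the names of the indicators a single write event triggers."""
    p = PurePosixPath(ev.path)
    suffix = p.suffix.lower()
    name = p.name.lower()
    indicators = []
    if suffix in RANSOM_EXTENSIONS:
        indicators.append("ransom_extension")
    if suffix in DOCUMENT_EXTENSIONS and shannon_entropy(ev.content) >= entropy_threshold:
        indicators.append("high_entropy_document")
    # Ransom notes are typically small text/html files whose name mentions decryption.
    if "decrypt" in name and suffix in {".txt", ".html"}:
        indicators.append("ransom_note")
    return indicators


def find_encryptor_processes(events, min_hits: int = 3) -> dict:
    """Group indicators per process; a process with min_hits or more is reported."""
    hits = defaultdict(list)
    for ev in events:
        for ind in classify_event(ev):
            hits[ev.process].append((ind, ev.path))
    return {proc: h for proc, h in hits.items() if len(h) >= min_hits}


# Constructed sample data. A uniform byte distribution has an entropy of exactly 8.0,
# which stands in for ciphertext; the repeated sentence stands in for a normal document.
HIGH_ENTROPY = bytes(range(256)) * 4
PLAIN_TEXT = b"Quarterly report: revenue grew 4 percent, costs were flat. " * 8

SAMPLE_EVENTS = [
    WriteEvent("winword.exe", "/home/ana/docs/report.txt", PLAIN_TEXT),
    WriteEvent("winword.exe", "/home/ana/docs/notes.txt", PLAIN_TEXT),
    WriteEvent("updater.exe", "/home/ana/docs/report.txt.locked", HIGH_ENTROPY),
    WriteEvent("updater.exe", "/home/ana/docs/notes.txt.locked", HIGH_ENTROPY),
    WriteEvent("updater.exe", "/home/ana/docs/budget.csv", HIGH_ENTROPY),
    WriteEvent("updater.exe", "/home/ana/docs/HOW_TO_DECRYPT.txt", b"Your files are encrypted..."),
]

if __name__ == "__main__":
    for proc, proc_hits in find_encryptor_processes(SAMPLE_EVENTS).items():
        print(f"{proc}: {len(proc_hits)} indicators")
        for ind, path in proc_hits:
            print(f"  {ind:24} {path}")
```

In the sample, only the hypothetical `updater.exe` is reported (two renamed files, one high-entropy CSV and a note), while the word processor's ordinary writes produce no indicators. In practice the per-process threshold and a short time window keep a legitimate archiver or backup tool, which also writes high-entropy data, from being flagged on a single file.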


Most Well-Known Ransomware

1. Locky

Locky ransomware attacks have been recorded since 2016. This type of ransomware is designed to encrypt more than 160 types of files and spreads through email attachments. It targets files used for programming, design, engineering, and quality control.

2. WannaCry

WannaCry ransomware has been known since 2017, with victims in more than 150 countries. Its attack is based on a Windows vulnerability revealed by the hacker group Shadow Brokers. WannaCry highlights the deficiencies in system updates within some organizations. It is estimated that WannaCry has infected over 230,000 devices worldwide.

3. CryptoLocker

CryptoLocker ransomware has been identified since 2007. Like Locky, it spreads through email attachments. This ransomware also propagates through a network of infected computers. Once the mechanism it used was identified, tools were created to help victims deal with the attacks, such as a web portal that provided the key needed to recover the compromised data.

4. Petya

Petya ransomware has been recorded since 2016 and was later identified in 2017 as GoldenEye. The main characteristic of this ransomware is that it encrypts not only files but also the entire hard drive. Its infection method was through infected Dropbox links.

Data breaches are one of the most common security threats posed by ransomware today.

Conclusion

From the brief overview presented, we can understand the wide-reaching impact of this malware and its ability to disable systems and even cause the loss of critical data for organizations. Given that this threat continues to present new variants that adapt to updated security systems, it is essential to consider investing in security as part of a company’s general budget. The looming risk of falling victim to this type of threat is the primary reason for this. Additionally, due to the specialization of these types of attacks, often carried out by highly specialized hacker groups, many companies choose to hire data security services to have specialists on hand and avoid the enormous costs of data security breaches.
