What is Ransomware? Rob Shaw Explains…

Want to know more about the recent spate of cyber attacks on the NHS and other companies computing systems?

Click here to find out more from one of our senior lecturers, Rob Shaw.

Terminology of the Cyber Attack and what to do to prevent it by Rob Shaw, Senior Lecturer in the School of Computing and Digital Technologies


The recent outbreak of the WannaCry Ransomware has highlighted the need for everyone, and every organisation to ensure they have the latest updates and security patches for their IT Systems.

This cyber-attack has spanned the globe, affecting systems in 150 countries, infecting more than 230,000 computers.

What is it?

The ransomware  is essentially a virus that will encrypt a user’s files then demand payment to decrypt them, uses something termed EternalBlue, which exploits a vulnerability, or weakness, in Server Message Block (SMB), used to provide shared access to files.

A ‘fix’ for this vulnerability was released by Microsoft in March 2017 but many users had not applied the security patch before the outbreak.  Recognising the severity of this event, Microsoft have released further patches, downloadable from Microsoft.

It appears that the initial attack vector was via a phishing email, but once the code had infected one machine, the code then spread without any further human intervention.  The attack was prevented from spreading any further by a malware researcher discovering a means by which the code itself could be ‘turned off’ (a ‘kill switch’) and the spread of the infection was halted.

What to do?

  1. It is essential that you apply ALL patches and updates to your system.
  2. Ensure that frequent and regular backups are taken.  The frequency and regularity will depend upon the data and system, but daily backups are the norm.
  3. It is also recommended that antivirus software be installed.  This should ideally incorporate some form of virus/spam/phishing email detection.
  4. It has been reported that work is being carried out to develop a decryption tool, that will allow for those that have fallen victim to recover their files/data, though as yet there is no such tool readily available.

How does ransomware ‘work’?

The ransomware virus is used to block users from their own files, then a demand is made for payment to unblock the files – usually by changing the wallpaper of the computer to the attackers ‘demand for payment’ message.  On payment, a key is sent to the user to unblock the files.

On infecting a computer, the virus will look for user files, encrypt them (using an encryption key known only to the attacker) and delete the original unencrypted files.  It will then look for further computers to infect and spread across a network.



Leave a Reply

Your email address will not be published. Required fields are marked *