Ransomware is malware that denies a victim access to their files and then requests a ransom payment in return for allowing access. For example, ransomware may encrypt the victim's files and then provide the victim with the key for decrypting the files after the ransom payment is received. Ransomware may be installed on a victim's computer via a Trojan horse, which appears to be a legitimate program but actually contains malware. If the ransom is paid, but the ransomware is not removed from the victim's computer, then the ransomware may then again repeat the process of encrypting files and demanding a ransom payment.
One well-known ransomware is Locky, which was released in 2016. The ransomware arrives as an email attachment that contains malicious macros. When the user opens the attachment, the attachment requests the user to enable macros if the content appears to be garbled, which is does because the content is indeed garbled. When the user enables macros, the malware is downloaded and executed. The ransomware encrypts files and renames them with a unique 16-character alphanumeric name and the “locky” extension. The user is then instructed to visit a web site for further instructions. The web demands payment in bitcoins with a value of between $350 and $750. When payment is made, the decryption key is provided to the user, who then can decrypt the files.
Ransomware is an increasing problem that affects millions of computers worldwide. Another well-known ransomware, referred to as CryptoWall, was estimated to have received over $18 million in ransom payments. Moreover, ransomware attackers are estimated to have received over $1 billion in revenue in the first half of 2016.
Given the fast growth of cloud computing, it is not surprising the ransomware has been targeting cloud storage. Often, a user sets up their computer so that the files stored on their computer are synchronized with their other devices via cloud-based storage. Once a file is encrypted by ransomware, all copies of the file that are synchronized with the encrypted file also become encrypted. So if a user has multiple devices (e.g., a work desktop, a home desktop, a laptop, and a smartphone) the copy of the file on each device and the cloud storage all become encrypted.
One cloud storage provider recognizes the problem and notes that a previous version of the file can be restored if the encryption is detected within 30 days. In some instances, the changes made since the prior version may be such that they cannot be regenerated, or the cost of regenerating the changes may be significantly more than the ransom payment. Some cloud storage providers may allow for a user to restore only one file at a time, and thousands of files may have been encrypted, which makes restoration at the least very tedious and possibly impracticable. Moreover, some users may not detect the encryption until it is too late to retrieve the prior version.