Evolving Cyber Attacks, Digital World Pandemic ‘Ransomware’
With the prolonged COVID-19 situation and the accelerating digital transformation of companies and institutions, remote work, or telecommuting, has become more common. In line with this situation, ransomware has also emerged as an issue. As the number of attacks targeting remote and home environments, where security is relatively weak, increases, the damage is spreading rapidly. In particular, as the cryptocurrency market grows, financially motivated ransomware attacks are more sophisticated than before, and the amount of damage is growing considerably both at home and abroad. Ransomware is also considered a threat to global companies, governments, and society this year.
What Is Ransomware?
Ransomware is a compound of ‘ransom’ and the ‘-ware’ of ‘software’. It is an attack method similar to kidnapping: it holds data hostage and demands money from the data’s owners. It is malicious software that restricts the user’s use of the system by locking the system screen or encrypting files, and then demands a ransom. If the victim does not comply with the demand for money, the attacker causes secondary damage by deleting the encrypted files or by distributing and selling the information on the dark web without permission.
Changes in Cyber Breach Incident Trends After COVID-19
Ransomware mainly spreads and infects systems through system and software vulnerabilities, visits to websites that host malicious code, and social engineering techniques such as email attachments that deceive users. The affected system becomes operable again only after the ransom has been paid. However, since data may be leaked or completely destroyed during this process, in some cases publicly available recovery tools are used together with previously backed-up data to recover from the damage.
In addition, similar to how voice phishing criminals maximize criminal profits through organization and division of labor, ransomware attackers are also organizing themselves, dividing up detailed roles to maximize profits. As it became known that ransomware can make money, demand for ransomware rose, which triggered the emergence of RaaS (ransomware as a service), a method of producing, supplying, and selling ransomware. In addition, specialized negotiators have appeared who professionally intimidate victim companies and carry out the negotiations, handling problems such as language barriers.
Cases of Ransomware Damage in Korea and Abroad
<Damage Cases in Korea>
▶ (Damage to Distribution Companies) Major stores of the XXX group, such as department stores and outlets, were shut down due to an attack by the Clop ransomware organization. (November 2020)
• The infected system was linked to POS terminals in some stores, affecting operations in 23 out of 50 department stores and outlets.
▶ (Manufacturing Damage) Encryption of server and employee PC data of parts manufacturing companies (1st attack), leakage of employee personal information and overseas business data on the dark web (2nd attack), and a DDoS (distributed denial-of-service) attack that paralyzed the website (3rd attack). (May 2021)
▶ (Hospital Damage) The attacker used ransomware to steal the client contact information of a domestic plastic surgery clinic, causing secondary damage by making direct contact with the clients. The clinic notified the police of the damage on the website and requested that the case be referred to an investigative agency. (May 2021)
▶ (Damage to Heavy Industry) Due to a ransomware attack, a network that exchanges data was paralyzed, resulting in disruption of some process operations such as design. (January 2022)
<Damage Cases Overseas>
▶ (U.S.) Colonial Pipeline, the nation’s largest oil pipeline company, was attacked by ransomware, and the pipeline was completely shut down due to system paralysis. (May 2021)
▶ (Germany) Due to the ransomware attack, 30 Düsseldorf University hospital servers were paralyzed, and the hospital’s IT service operation became impossible. A female patient was transferred to a nearby city hospital because she couldn't receive emergency treatment and eventually died. (September 2020)
▶ (UK) The British National Health Service (NHS) was attacked by WannaCry. Sixteen hospitals were closed at the time, and at least 6,900 appointments for the National Health Service were canceled. (May 2017).
▶ (Spain) SEPE, the Spanish information and labor organization, was attacked by ransomware. The network system was encrypted and some services were suspended, but personal and payroll information was not stolen. (March 2021)
▶ (The Netherlands) The Netherlands Organization for Scientific Research’s (NWO) internal data was stolen due to a ransomware attack, and it suspended research grant-related work. (February 2021)
▶ (Japan) Fujifilm announced that it had been attacked by ransomware and recovered the damaged system by blocking some networks to prevent the spread of the attack, and there was no information leaked. (June 2021)
Response Status of Cyber Incidents in Major Countries
In 2020, the number of ransomware cases worldwide was estimated to be about 304 million, an increase of 61.8% compared to 2019. In 2031, the global ransomware damage is expected to reach 304 trillion won. Therefore, it is urgent to prepare thorough prevention and countermeasures at the corporate and national level as well as for individual users. Accordingly, major countries around the world are in the process of preparing national digital safety policies.
Following President Biden’s signing of an executive order to strengthen the cybersecurity capabilities of the U.S. government and the private sector, the U.S. Transportation Security Administration issued security guidelines for owners and operators of major oil pipelines. In addition, after pointing out that Russia was behind the recent cyber terrorism in the United States, and demanding anti-ransomware measures from Putin, it announced measures to prevent ransomware. The European Union is announcing the European Union Security Strategy and building a future security environment to cope with the growing dependence on digital technology and infrastructure and cybercrime. The UK has prepared cybersecurity guidelines to promote cyber safety for users focusing on the security technology industry. Australia has announced a cybersecurity strategy and is strengthening the national cybersecurity level by expanding investment in the cybersecurity field. Japan and China have also announced cyber and data security measures.
Current Status of the Ransomware Response in Korea
Korea has established and announced the Ransomware Response Reinforcement Plan, which consists of a three-step strategy for prevention, response, and foundation to minimize damage from ransomware as follows.
<Strategy 1> Preemptive prevention by important national facilities, companies, and national consumers.
① Establishing a strong national important facility management system
② Strengthening support for SMEs’ security capabilities
③ National ransomware immunity
<Strategy 2> Preemptive prevention by important national facilities, companies, and national consumers.
① Strengthening information sharing and cooperation channels
② Prevention of spread and prompt damage support
③ Strengthening cyber attack investigations to prevent secondary damage
<Strategy 3> Improving core response capabilities against evolving ransomware
① Securing core technology to respond to cyber attacks such as ransomware
② Preparing the foundation for strengthening the cybersecurity ecosystem
▶ Open and operate a Korean-style ‘Stop Ransomware’ site that provides integrated ransomware information.
* In case of ransomware infection, all ransomware information is provided, from countermeasures to recovery program sites.
Reference link: https://boho.or.kr/ransom/main.do

▲ Source: capture of the main page of the official ransomware website ▲
The need for continuous management and supplementation of policy implementation effects
Going forward, to maximize the effect of policy promotion in Korea, it is important to verify that the reinforcement measures are being properly implemented following the announcement of the Ransomware Response Reinforcement Plan, and to thoroughly and continuously manage the supplementation of existing policies in line with trends. In addition, if the current damage situation persists despite continuous efforts, it will be necessary to strengthen the ransomware response and to review the preparation and promotion of additional supplementary measures such as user protection.