Ransomware is one of the most dangerous threats organizations face today, and z/OS systems are not immune to this risk. Despite being known for their security and capability to handle large volumes of data, mainframes are attractive targets for cybercriminals who aim to encrypt critical files and disrupt operations.

In this article, we will explore how ransomware affects z/OS systems, what makes it so destructive, and how companies can protect their infrastructure to avoid falling victim to an attack.

What is ransomware? What does it do?

Ransomware is a type of malware that takes the victim's data hostage, either by encrypting it or by blocking access to systems, and demands a ransom to release it or restore access. The cryptography built into z/OS (for example, z/OS data set encryption) protects data at rest from being read; it does nothing to stop an attacker who already holds update access from overwriting or re-encrypting that data, so z/OS systems are not immune to ransomware.

When ransomware is triggered, it makes critical files unusable until the ransom is paid. Payment is typically demanded in a cryptocurrency such as Bitcoin; such transactions are pseudonymous rather than truly anonymous, but tracing them back to the operators is still difficult.

In some cases, ransomware acts like a logic bomb, remaining dormant for days or even weeks, waiting for the right moment to strike, making it even more dangerous and harder to detect.

Types of ransomware

There are several types of ransomware, each using different methods to target victim systems. Below are the most common ones:

Encryption ransomware

Encryption ransomware is the most common and widespread type. It encrypts the victim's files so that they cannot be read without a decryption key held by the attackers, who offer it only in exchange for the ransom.

This type of ransomware targets sensitive documents, databases, images, and other important files, causing operational disruption until the demand is met. Well-known examples are CryptoLocker, which spread mainly through malicious email attachments, and WannaCry, which spread on its own by exploiting an SMB vulnerability in unpatched Windows systems and caused severe economic losses worldwide.

When the encryption is implemented correctly (a strong cipher with a per-victim key that never leaves the attackers' infrastructure), file-recovery tools cannot restore the data without that key, and the only reliable recovery path is a backup the attackers could not reach. The one check worth making before considering payment is whether the family in question has a known flawed implementation: some have, and free decryptors were published for them.

Screen lock ransomware

Unlike encryption ransomware, screen lock ransomware prevents access to the operating system or the device itself by displaying a lock screen, demanding a ransom to restore access.

This type of ransomware doesn't destroy or encrypt the data but focuses on blocking the device's use, which can still be extremely damaging for businesses or individuals who rely on their devices for daily tasks. In many cases, the attackers might use a false message, pretending to be a legal authority (e.g., the police), to scare the victim into paying the ransom quickly.

While screen lock ransomware doesn’t encrypt the files, attacks on mobile devices and critical systems can still be highly damaging if the lock isn’t resolved in time.

Leakware (Doxware)

Leakware, also known as doxware, is a much more dangerous type of ransomware because it goes beyond just encrypting the victim’s data. This type of malware steals confidential information like passwords, sensitive documents, or private databases, and threatens to leak or publish them online unless the ransom is paid.

Unlike other types of ransomware, leakware jeopardizes not just access to data, but also the reputation and confidentiality of the victim. This type of attack is especially dangerous for companies that handle personal or financial data of clients, as leaking confidential information can have severe legal and financial consequences.

Leakware is often combined with encryption (so-called double extortion): even a victim that can restore everything from backups is still under pressure from the threat of publication.

Mobile ransomware

Mobile ransomware affects mobile devices, such as smartphones and tablets. While not as common as encryption ransomware, it’s on the rise due to the growing dependence on mobile devices. This type of ransomware is primarily distributed through malicious apps downloaded from unofficial sources or through compromised websites that infect the victim’s device.

Unlike other types of ransomware, mobile ransomware usually doesn’t encrypt the data but locks the device’s access or screen, presenting a ransom message. Often, the attackers can also manipulate system settings, making recovery without paying the ransom more difficult.

Mobile ransomware is particularly problematic for users who rely on their devices for financial transactions or accessing sensitive personal information.

Wiper ransomware

Wiper ransomware is the most destructive variant because it destroys the victim's data permanently rather than holding it for ransom. Some wipers pose as ransomware and display a ransom note, but they overwrite or corrupt files (or the structures needed to locate them) without keeping any key, so recovery is impossible even if the ransom is paid. This type is used mainly in large-scale attacks, often by nation-state actors or in the context of cyberterrorism.

Rather than blocking access to or encrypting files, a wiper erases or destroys them irreversibly, causing permanent damage. Such an attack can target organizations that handle sensitive information, such as client databases or government data, and the loss of that data has far broader consequences than temporary inaccessibility.

Wiper ransomware is, therefore, extremely dangerous and is used for mass data destruction or as a political cyberattack tool.

Ransomware attack phases

A ransomware attack against z/OS follows the same general pattern as on other platforms. Each phase is designed to maximize the impact of the attack and to complicate recovery:

Phase 1: Initial Access

The attack starts when the attackers gain access to the victim's network, typically through phishing, exploitation of a software vulnerability, or stolen credentials. On the mainframe side this usually means valid user IDs for TSO, FTP, or SSH, often obtained from compromised distributed systems that already have connectivity to z/OS. This phase establishes the entry point; the attackers then map the z/OS infrastructure and look for weaknesses to exploit.

Phase 2: Propagation

Once inside, the attackers move laterally to other systems within the infrastructure: servers, databases, and other critical components connected to z/OS. Within z/OS itself the goal is usually privilege escalation, for example through over-permissive RACF, ACF2, or Top Secret profiles or update access to APF-authorized libraries, so that the attackers can reach as many data sets as possible and increase the damage.

Phase 3: Data Encryption

The malware starts encrypting essential data: sequential and partitioned data sets, VSAM files, database storage (for example DB2 or IMS), zFS files under UNIX System Services, and key system data sets such as parameter and procedure libraries. z/OS data set encryption does not prevent this: an ID with UPDATE access can overwrite an encrypted data set just as it can a plaintext one. At this point the data is inaccessible without the attackers' key, and their goal is to disrupt operations and force payment to restore access.

Phase 4: Ransom Notification

Once the files are encrypted, the ransomware delivers a ransom note demanding payment (typically in Bitcoin) for the decryption key. On z/OS this need not be a lock screen; a note written to a data set or sent through another channel serves the same purpose. The note typically warns of the consequences of non-payment, such as permanent data loss or publication of sensitive information.

Phase 5: Recovery

If the ransom is paid, the attackers may provide the decryption key. There is no guarantee that all data will be restored or that the system is clean: some operators keep a foothold and launch a second wave of encryption even after payment. The reliable recovery path is restoring from backups the attackers could not reach (offline or immutable copies), after the initial access and any persistence have been removed.
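As an added example (not part of the original article), the following Python script shows two checks a z/OS security team could run over audit data to catch Phase 3 early: a sliding-window count of distinct data sets updated per user, and a Shannon-entropy test on written content to tell encrypted output from ordinary text. The event format and the sample events are constructed for this example; a real deployment would read SMF records or the security manager's own log, and the window and threshold values are assumptions to be tuned per system.

```python
"""Added example for this article: two simple detections for the data-encryption
phase of a ransomware attack on z/OS. The audit-event format below is a
hypothetical, simplified one; real deployments would parse SMF or security
manager records instead. Thresholds are assumptions to tune per system."""
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of data set update events (NOT real SMF data).
# Format: "<ISO timestamp> <userid> <access> <data set name>"
SAMPLE_EVENTS = """\
2024-05-01T02:00:01 BATCH01 UPDATE PROD.PAYROLL.MASTER
2024-05-01T02:00:03 BATCH01 UPDATE PROD.PAYROLL.HISTORY
2024-05-01T02:15:10 TSOUSR7 UPDATE USER.TSOUSR7.JCL
2024-05-01T03:10:00 FTPSVC1 UPDATE PROD.CUST.ACCOUNTS
2024-05-01T03:10:01 FTPSVC1 UPDATE PROD.CUST.ADDRESSES
2024-05-01T03:10:02 FTPSVC1 UPDATE PROD.CUST.BALANCES
2024-05-01T03:10:02 FTPSVC1 UPDATE PROD.LOANS.MASTER
2024-05-01T03:10:03 FTPSVC1 UPDATE PROD.LOANS.HISTORY
2024-05-01T03:10:04 FTPSVC1 UPDATE SYS1.PARMLIB
2024-05-01T03:10:05 FTPSVC1 UPDATE SYS1.PROCLIB
2024-05-01T03:10:06 FTPSVC1 UPDATE PROD.GL.LEDGER
2024-05-01T04:00:00 BATCH01 UPDATE PROD.PAYROLL.MASTER
"""


def parse_events(text):
    """Parse the simplified event lines into (timestamp, user, access, dsn)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, access, dsn = line.split()
        events.append((datetime.fromisoformat(ts), user, access, dsn))
    return events


def flag_mass_updates(events, window_seconds=60, threshold=5):
    """Return {user: set_of_dsns} for users that UPDATE more than `threshold`
    distinct data sets inside any `window_seconds` sliding window.
    A normal batch job touches a handful of data sets; an encryptor sweeping
    a catalog touches many in seconds."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # user -> deque of (timestamp, dsn)
    flagged = {}
    for ts, user, access, dsn in sorted(events):
        if access != "UPDATE":
            continue
        q = recent[user]
        q.append((ts, dsn))
        while q and ts - q[0][0] > window:  # drop events outside the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) > threshold:
            flagged.setdefault(user, set()).update(distinct)
    return flagged


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 .. 8.0). Encrypted or compressed content
    sits close to 8; EBCDIC or ASCII text normally stays well below 6."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data, cutoff=7.0):
    """Heuristic: content this close to 8 bits/byte is not ordinary records."""
    return shannon_entropy(data) >= cutoff


if __name__ == "__main__":
    for user, dsns in flag_mass_updates(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {user} updated {len(dsns)} data sets: {sorted(dsns)}")
    text = b"PAYROLL MASTER RECORD 000123 SMITH JOHN "   # constructed record
    print("text entropy", round(shannon_entropy(text), 2),
          "random-looking entropy", shannon_entropy(bytes(range(256))))
```

The rate check is what an SMF-based alert would implement; the entropy check is what you would run on a suspect data set's contents once the alert fires, to confirm that what was written is ciphertext rather than a legitimate bulk reload.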

Protect Your z/OS environment against ransomware

Ransomware is an ongoing threat, especially in critical environments like z/OS. Data set encryption protects confidentiality, not availability, so z/OS systems are not immune. The best protection is a proactive security strategy and a risk mitigation plan: least privilege on data set, APF library, and surrogate access in the security manager; auditing of update activity (for example through SMF records) with alerts on unusual patterns; offline or immutable backups with regularly tested restores; and an incident response plan rehearsed for the mainframe.

If you want to protect your z/OS environment from real threats like ransomware, and learn how to detect, contain, and mitigate attacks before they impact your systems, enroll in our course:

👉 https://www.go2bsecure.com/z-os-courses/