Future Tech

A new ransomware? Why cybercriminals may be giving up on encrypting

Tan KW
Publish date: Sat, 08 Oct 2022, 11:13 AM

BERLIN: Cybercriminals have been building up their toolbox for attacking individuals and businesses in recent months, and cybersecurity experts say there has been a fundamental change in the way that encryption malware is operating.

Until now, most ransomware (malware designed to hold files hostage until the victim pays to get them back) encrypted the data on a victim’s computer or a company’s network and the cybercriminals then demanded payment to decrypt it.

However, a new kind of Trojan is increasingly being spotted, one that first copies your files and then destroys them, IT security experts say.

For users, the consequences of copy-and-delete malware remain the same: files being held for ransom. This is because the attackers only make money by returning the stolen data if you pay up.

They also often threaten to publish captured files in order to drive up the price, according to German tech industry website Heise Security.

The main reason for the new kind of malware is that encrypting data is costly and error-prone. In many cases, security researchers have managed to recover data without a ransom having to be paid because of flaws in the encryption.

In addition, encrypting large amounts of data takes a very long time, and suspicious write operations or a high computing load on the computer may be noticed by the potential victim, who could possibly stop the encryption.

“Eliminating the step of encrypting the data makes the process faster and eliminates the risk of not getting the full payout, or that the victim will find other ways to decrypt the data,” says cybersecurity company Cyderes.

Only time will tell whether copying and deleting will replace encryption, or whether both types of attack will coexist in the future.

What is certain, however, is that regular backups on external storage drives remain the most important protection against this kind of extortion software. After all, you don’t have to “buy back” your data if you already have it backed up.

In addition to backups, the German Federal Office for Information Security (BSI) recommends three preventive measures: regular (preferably automatic) security updates for all devices, an active virus protection program, and never opening emails from unknown or dubious senders.

 - dpa
