Ransomware is a subset of malware in which the data on a victim’s computer is locked, typically by encrption, and payment is demanded before the ransomed data is decrypted and access is returned to the victim. The motive for ransomware attacks is nearly always monetary, and unlike other types of attacks, the victim is usually notified that an exploit has occurred and is given instructions for how to recover from the attack. Payment is often demanded in a virtual currency, such as Bitcoin, so that the cyber criminal’s identity is not known.
Ransomware malware can be spread through malicious email attachments, infected software apps, infected external storage devices and compromised websites. Attacks have also used remote desktop protocol and other approaches that do not rely on any form of user interaction.
How ransomware attacks work
Steps in a Typical Ransomware Attack
The typical steps in a ransomware attack are:
|After it has been delivered to the system via email attachment, phishing email, infected application or other method, the ransomware installs itself on the endpoint and any network devices it can access.|
Secure Key Exchange
|The ransomware contacts the command and control server operated by the cybercriminals behind the attack to generate the cryptographic keys to be used on the local system.|
|The ransomware starts encrypting any files it can find on local machines and the network.|
|With the encryption work done, the ransomware displays instructions for extortion and ransom payment, threatening destruction of data if payment is not made.|
|Organizations can either pay the ransom and hope for the cybercriminals to actually decrypt the affected files (which in many cases does not happen), or they can attempt a recovery by removing infected files and systems from the network and restoring data from clean backups.|
Types of ransomware
- With the recent influx of ransomware stories seemingly every week, it’s hard to keep track of the different strains. While each of these is spread in a different way, they generally rely on similar tactics to take advantage of users and hold data hostage. Let’s take a look at the common ransomware examples:
- Bad Rabbit: A strain of ransomware that has infected organizations in Russia and Eastern Europe. Bad Rabbit spreads through a fake Adobe Flash update on compromised websites. When the ransomware infects a machine, users are directed to a payment page demanding .05 bitcoin (about $285).
- Cerber: Cerber targets cloud-based Office 365 users and impacted millions of users using an elaborate phishing campaign. This type of malware emphasizes the growing need for SaaS backup in addition to on-premises.
- CryptoLocker: Ransomware has been around in some form or another for the past two decades, but it really came to prominence in 2013 with CryptoLocker. The original CryptoLocker botnet was shut down in May 2014, but not before the hackers behind it extorted nearly $3 million from victims. Since then, hackers have widely copied the CryptoLocker approach, although the variants in operation today are not directly linked to the original. The word CryptoLocker, much like Xerox and Kleenex in their respective worlds, has become almost synonymous with ransomware.
- CryptoWall: CryptoWall gained notoriety after the downfall of the original CryptoLocker. It first appeared in early 2014, and variants have appeared with a variety of names, including CryptoBit, CryptoDefense, CryptoWall 2.0, and CryptoWall 3.0. Like CryptoLocker, CryptoWall is distributed via spam or exploit kits.
- Crysis: Crysis ransomware encrypts files on fixed, removable, and network drives with a strong encryption algorithm making it difficult to crack in a reasonable amount of time. It’s typically spread via emails containing attachments with double-file extension, which make the file appear as a non-executable file. In addition to emails, it can also be disguised as a legitimate installer for applications.
- CTB-Locker: The criminals behind CTB-Locker take a different approach to malware distribution. Taking a page from the playbooks of Girl Scout Cookies and Mary Kay Cosmetics, these hackers outsource the infection process to partners in exchange for a cut of the profits. This is a proven strategy for achieving large volumes of malware infections at a faster rate.
- GoldenEye: GoldenEye is similar to the prolific Petya ransomware. Hackers spread GoldenEye ransomware through a massive campaign targeting human resources departments. After the file is downloaded, a macro is launched which encrypts files on the computer. For each file it encrypts, GoldenEye adds a random 8-character extension at the end. The ransomware then also modifies the user’s hard drive MBR (Master Boot Record) with a custom boot loader.
- Jigsaw: Jigsaw encrypts and progressively deletes files until a ransom is paid. The ransomware deletes a single file after the first hour, then deletes more and more per hour until the 72-hour mark, when all remaining files are deleted.
- KeRanger: According to ArsTechnica, KeRanger ransomware was discovered on a popular BitTorrent client. KeRanger isn’t widely distributed, but it’s known as the first fully functioning ransomware designed to lock Mac OS X applications.
- LeChiffre: “Le Chiffre”, which comes from the French noun “chiffrement” meaning “encryption”, is the main villain from James Bond’s Casino Royale novel who kidnaps Bond’s love interest to lure him into a trap and steal his money. Unlike other variants, hackers must run LeChiffre manually on the compromised system. Cybercriminals automatically scan networks in search of poorly secured remote desktops, logging into them remotely and manually running an instance of the virus.
- LockerGoga: This strain of ransomware hit various European manufacturing companies, including Norsk Hydro. The ransomware infiltrated the company through a phishing email, causing a global IT outage and forcing the company to order hundreds of new computers.
- Locky: Locky’s approach is similar to many other types of ransomware. The malware is spread in an email message disguised as an invoice. When opened, the invoice is scrambled and the victim is instructed to enable macros to read the document. When macros are enabled, Locky begins encrypting a large array of file types using AES encryption.
- NotPetya: Initial reports categorized NotPetya as a variant of Petya, a strain of ransomware first seen in 2016. However, researchers now believe NotPetya is instead a malware known as a wiper with a sole purpose of destroying data instead of obtaining a ransom.
- Petya: Unlike some other types of ransomware, Petya encrypts entire computer systems. Petya overwrites the master boot record, rendering the operating system unbootable.
- Spider: A form of ransomware spread via spam emails across Europe. Spider ransomware is hidden in Microsoft Word documents that install the malware on a victim’s computer when downloaded. The Word document, which is disguised as a debt collection notice, contains malicious macros. When these macros are executed, the ransomware begins to download and encrypt the victim’s data.
- TeslaCrypt: Like most of the other examples here, TeslaCrypt uses an AES algorithm to encrypt files. It’s typically distributed via the Angler exploit kit specifically attacking Adobe vulnerabilities. Once a vulnerability is exploited, TeslaCrypt installs itself in the Microsoft temp folder.
- TorrentLocker: TorrentLocker is typically distributed through spam email campaigns and is geographically targeted with email messages delivered to specific regions. TorrentLocker is often referred to as CryptoLocker, and it uses an AES algorithm to encrypt file types. In addition to encoding files, it also collects email addresses from the victim’s address book to spread malware beyond the initially infected computer—this is unique to TorrentLocker.
- WannaCry: WannaCry is a widespread ransomware campaign that affected organizations across the globe. The ransomware hit over 125,000 organizations in over 150 countries. The ransomware strain affected Windows machines through a Microsoft exploit known as EternalBlue.
- ZCryptor: ZCryptor is a self-propagating malware strain that exhibits worm-like behavior, encrypting files and also infecting external drives and flash drives so it can be distributed to other computers.
How to Defeat Ransomware
So, you’ve been attacked by ransomware. What should you do next?
- Prevent the infection from spreading by separating all infected computers from each other, shared storage, and the network.
- From messages, evidence on the computer, and identification tools determine which malware strain you are dealing with.
- Report to the authorities to support and coordinate measures to counter attacks.
- You have a number of ways to deal with the infection. Determine which approach is best for you.
- Use safe backups and program and software sources to restore your computer or outfit a new platform.
- Make an assessment of how the infection occurred and what you can do to put measures into place that will prevent it from happening again.
Ransomware attack prevention
To protect against ransomware attacks and other types of cyber extortion, experts urge users to back up computing devices regularly and update software, including antivirus software, regularly. End users should beware of clicking on links in emails from strangers or opening email attachments. Victims should do all they can to avoid paying ransoms.
While ransomware attacks may be nearly impossible to stop, there are important data protection measures individuals and organizations can take to ensure that damage is minimal and recovery is as quick as possible. Strategies include compartmentalizing authentication systems and domains, keeping up-to-date storage snapshots outside the primary storage pool and enforcing hard limits on who can access data and when access is permitted.
How to remove ransomware
Famous ransomware: CryptoLocker and WannaCry
Perhaps the first example of a widely spread attack that used public-key encryption was Cryptolocker, a Trojan horse that was active on the internet from September 2013 through May of the following year. The malware demanded payment in either Bitcoin or a prepaid voucher, and experts generally believed that the RSA cryptography used, when properly implemented, was essentially impenetrable. In May 2014, however, a security firm gained access to a command-and-control server used by the attack and recovered the encryption keys used in the attacks. An online tool that allowed free key recovery was used to effectively defang the attack.
n May 2017, an attack called WannaCry was able to infect and encrypt more than a quarter million systems globally. The malware uses asymmetric encryption so that the victim cannot reasonably be expected to recover the (private and undistributed) key needed to decrypt the ransomed files.
Payments were demanded in Bitcoin, meaning that the recipient of ransom payments could not be identified, but also meaning that the transactions were visible and thus the overall ransom payments could be tallied. During the thick of the week in which WannaCry was most virulent, only about $100,000 in bitcoin was transferred (to no avail: There are no accounts of data having been decrypted after payment).
The impact of WannaCry was pronounced in some cases. For example, the National Health Service in the U.K. was heavily affected and was forced to effectively take services offline during the attack. Published reports suggested that the damages caused to the thousands of impacted companies might exceed $1 billion.
According to the Symantec 2017 Internet Security Threat Report, the amount of ransom demanded roughly tripled from the previous two years in 2016, with the average demand totaling $1,077. Overall, it’s difficult to say how often these demands are met. A study by IBM found that 70% of executives they surveyed said they had paid a ransomware demand, but a study by Osterman Research found that a mere 3% of U.S.-based companies had paid (though percentages in other countries were considerably higher). For the most part, payment seems to work, though it is by no means without risk. A Kaspersky Security Bulletin from 2016 claimed that 20% of businesses that chose to pay the ransom demanded of them didn’t receive their files back.
THE FUTURE OF RANSOMWARE
These incidents are catapulting ransomware into a new era, one in which cybercriminals can easily replicate smaller attacks and carry them out against much larger corporations to demand larger ransom sums. While some victims are able to mitigate attacks and restore their files or systems without paying ransoms, it takes only a small percentage of attacks succeeding to produce substantial revenue – and incentive – for cybercriminals.
Even paying a ransom doesn’t guarantee that you’ll be granted access to your files. The CryptoLocker ransomware “extorted $3 million from users but didn’t decrypt the files of everyone who paid,” CNET reports, based on findings from an article in the Security Ledger. A survey from Datto found attackers neglected to unlock victims’ data in one out of every four incidents where ransoms were paid.
Ransomware operations continue to get more creative in monetizing their efforts, with Petya and Cerber ransomware pioneering ransomware-as-a-service schemes. The authors of Cerber were especially opportunistic, offering their ransomware operations as a service in return for a 40% cut of the profits earned from paid ransoms. According to Check Point researchers, Cerber infected 150,000 victims in July 2016 alone, earning an estimated $195,000 – of which $78,000 went to the ransomware authors.
The potential for profit for ransomware authors and operators also drives rapid innovation and cutthroat competition amongst cybercriminals. ZDNet recently reported on the PetrWrap ransomware, which is built with using cracked code lifted from Petya. For victims, the source of the code does not matter – whether you are infected with Petya or PetrWrap, the end result is the same: your files are encrypted with an algorithm so strong that no decryption tools currently exist.
What’s next for ransomware? A new report from the UK’s National Cyber Security Centre (NCSC) and National Crime Agency (NCA), as reported in a ZDNet article, warns of developing threats such as ransomware-as-a-service and mobile ransomware
In addition, 2017 saw the first reported ransomware attack on connected devices. According to The Guardian, 55 traffic cameras were infected with the WannaCry ransomware. While this attack amounted to little damage, all Internet of Things (IoT) devices (such as smart TVs, fitness trackers, etc.) are vulnerable. The rate at which the IoT is growing, combined with the widely-reported insecurity of IoT devices, provides a whole new frontier for ransomware operators.
Best practices for ransomware protection, like regular backups and keeping software up-to-date, do not apply to most connected devices, and many IoT manufacturers are sluggish or simply negligent when it comes to releasing software patches. As businesses become increasingly reliant on IoT devices to run operations, a spike in ransomware attacks on connected devices may occur.
Critical infrastructure poses another troubling target for future ransomware attacks, with DHS enterprise performance management office director Neil Jenkins warning at the 2017 RSA Conference that water utilities and similar infrastructure could make for viable, high-value targets for attackers. Jenkins referenced a January 2017 ransomware attack that temporarily disables components of an Austrian hotel’s key card system as a potential predecessor for more significant attacks on infrastructure to come.
PROTECTING AGAINST RANSOMWARE ATTACKS
There are steps that end users and companies alike can take to significantly reduce the risk of falling victim to ransomware. As referenced above, following fundamental cybersecurity best practices are key to minimizing the damage of ransomware. Here are four vital security practices to have in any business:
- Frequent, Tested Backups: Backing up every vital file and system is one of the strongest defenses against ransomware. All data can be restored to a previous save point. Backup files should be tested to ensure data is complete and not corrupted.
- Structured, Regular Updates: Most software used by businesses is regularly updated by the software creator. These updates can include patches to make the software more secure against known threats. Every company should designate an employee to update software. Fewer people involved with updating the system means fewer potential attack vectors for criminals.
- Sensible Restrictions: Certain limitations should be placed on employees and contractors who:
- Work with devices that contain company files, records and/or programs
- Use devices attached to company networks that could be made vulnerable
- Are third-party or temporary workers.
- Proper Credential Tracking: Any employee, contractor, and person who is given access to systems create a potential vulnerability point for ransomware. Turnover, failure to update passwords, and improper restrictions can make result in even higher probabilities of attack at these points.
Keep updated with the latest security feeds: https://www.theweborion.com/blog/