Ransomware is an online data hostage situation, in which the data of an internet property is held hostage. Once the target data is held hostage, the attacker demands a fee to decrypt it. On non-compliance, the attacker may either release the entire dump of procured data on the internet or simply leave the data encrypted, leaving the victim helpless.
The attacker may also destroy the data on non-compliance. Ransomware is the internet version of extortion.
There are 3 stages in a typical ransomware attack:
This is where the attacker attempts to communicate with the victim’s computer system and tricks the system (or its user) into believing that a legitimate file is being shared with it. This spoofed file contains the malware payload, and within the payload is the mechanism that encrypts the victim’s data.
In this stage, the payload lodged within the victim’s computer system executes, thereby encrypting the victim’s data. Once the data is encrypted, the victim cannot use it.
Once encryption of the data is complete, the attacker usually prompts the victim to pay a ransom by displaying a message on the victim’s website, with a threat to either corrupt the data completely or release it to the open web. Once the victim pays the ransom, the attacker may choose to decrypt the data, making it useful to the victim once again.
Disguising ransomware payloads
Payload disguised as images
This is where the malicious file is disguised as an image. The image itself takes up a minor portion of the file, and the rest of the space is taken by the payload. Example: a spoofed image with a size of 1 MB is attached to an email. The actual image may be only 100 KB, and the remaining 900 KB would be the ransomware payload.
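An added example (not code from the original article) of how a defender can detect the stuffing just described: a well-formed PNG ends at its IEND chunk and a JPEG at its EOI marker, so any bytes after that point do not belong to the image. The 1x1 PNG, the skeletal JFIF and the 900 filler bytes standing in for the appended payload are constructed for the demonstration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_logical_end(data: bytes):
    """Offset just past the IEND chunk, or None if data is not a (complete) PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4               # length/type header, chunk data, CRC
        if ctype == b"IEND":
            return pos
    return None

def jpeg_logical_end(data: bytes):
    """Offset just past the EOI marker (FF D9), or None if data is not a JPEG."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        if data[pos + 1] == 0xDA:           # SOS: entropy-coded data runs until EOI
            end = data.find(b"\xff\xd9", pos)
            return None if end < 0 else end + 2
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]   # skip segment
    return None

def trailing_bytes(data: bytes) -> int:
    """Bytes that follow the image's own end; anything above 0 deserves a look."""
    for probe in (png_logical_end, jpeg_logical_end):
        end = probe(data)
        if end is not None:
            return len(data) - end
    raise ValueError("not a well-formed PNG or JPEG")

def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed samples (assumption: a 1x1 grey PNG and a skeletal JFIF), with and
# without 900 filler bytes appended where a stuffed image would carry its payload.
CLEAN_PNG = (PNG_SIG + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _png_chunk(b"IEND", b""))
CLEAN_JPEG = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
              + b"\xff\xda" + struct.pack(">H", 8) + bytes(6) + b"\x12\xff\x00\x34\xff\xd9")
FILLER = b"\x90" * 900                      # stands in for the appended payload
STUFFED_PNG, STUFFED_JPEG = CLEAN_PNG + FILLER, CLEAN_JPEG + FILLER
```

The same check scales to the article's 100 KB image with 900 KB behind it: the image viewer stops at IEND or EOI and shows a normal picture, while `trailing_bytes` reports the hidden remainder.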
Payload within emails
The ransomware payload can be sent as an email attachment. Once the attachment is executed, the files on the system may be encrypted and compromised.
Payload within removable storage
Payloads can also be spread through removable storage like external hard-drives and pen-drives.
Types of ransomware
TeslaCrypt was a ransomware family whose Trojan targeted users playing one or more popular computer games.1 If the victim had a particular game installed on their computer, the payload would encrypt certain critical game-related files. These files would be decrypted only once the victim paid the ransom. TeslaCrypt was retired when its keys were made public in May 2016.
Reveton is a ransomware family whose payload is delivered to the victim’s computer through one of the payload-delivery techniques mentioned above.2 Once activated, it locks the user out of his or her computer. When the user tries to use the computer, a threatening pop-up appears on the screen stating that the country’s police or cyber-crime department has traced various wrongdoings to the victim’s computer, typically watching illegal pornography or violating copyright. The pop-up also offers the user the option of paying a penalty to remove the lock.
CryptoWall encrypts non-executable files on the victim’s computer and demands a ransom (typically in Bitcoin) for their decryption.3 File extensions that can be encrypted include .docx, .pptx, .doc, .jpg, .png and .ppt, among others. A typical CryptoWall prompt reads something like: ‘Your files are encrypted / locked and the key is on a secret server somewhere on the internet. The key will be destroyed permanently in 24 hours unless you pay a ransom of $200’.
The ransomware behind the .locky extension is delivered as a garbled Microsoft Word document. When the user opens it, a prompt states ‘Enable macro if data encoding is incorrect’. Once the user clicks yes, the payload is downloaded and infects the machine, encrypting the target data. All targeted files are encrypted and renamed with the .locky extension.
KeRanger is ransomware that affected Mac OS X users.4 It encrypts documents, audio, images and videos, and it can also lock source-code files such as .java and .class files.
Linux.Encoder.1 was the first ransomware to target the Linux operating system.5 It delivered its payload through a flaw in the Magento content management system and encrypted the targeted data.
Satan ransomware-as-a-service (RaaS)
Anyone with the ability to pay in Bitcoin and a Tor browser can sign up for RaaS through the dark web. Websites on the dark web provide ransomware-as-a-service, where regular users without any programming knowledge can use the RaaS platform to run their own ransomware attacks. The RaaS platform keeps a percentage commission on the ransom received.6
Data backup at an external location
If regular backups are maintained at multiple physical locations, the victim can wipe the infected server and restore the backup to it. This does not, however, protect against the threat of a data leak: the attacker may realise that the ransom will not be paid and leak the data to the open web.
Check for executable files in emails
Executable files in emails should be filtered out. Gmail does a good job of this and filters out suspicious .exe files sent through it.
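An added example (not code from the original article or from any mail provider) of the attachment screening this section and the macro-laden Word document described above call for: it sniffs executables by their leading bytes regardless of the file name, flags risky final extensions, and detects a VBA project inside an Office document. The magic-byte table, the extension list, the sample message and its attachment bytes are the example's own constructed assumptions, not real malware.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage

EXEC_MAGIC = {b"MZ": "Windows PE executable", b"\x7fELF": "ELF executable",
              b"\xcf\xfa\xed\xfe": "Mach-O executable", b"#!": "script with shebang"}
RISKY_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "jar", "hta"}

def classify_attachment(filename, data):
    """Reasons to quarantine one attachment; an empty list means nothing was found."""
    reasons = []
    for magic, label in EXEC_MAGIC.items():      # 1. sniff content: a renamed .exe still starts with MZ
        if data.startswith(magic):
            reasons.append(f"content is a {label}")
            break
    ext = (filename or "").lower().rsplit(".", 1)[-1]   # 2. only the final extension counts (x.pdf.exe)
    if ext in RISKY_EXT:
        reasons.append(f"risky extension .{ext}")
    if data.startswith(b"PK\x03\x04"):           # 3. OOXML is a zip; vbaProject.bin means VBA macros
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    reasons.append("Office document contains VBA macros")
        except zipfile.BadZipFile:
            reasons.append("unreadable zip container")
    return reasons

def screen_message(raw):
    """Map each attachment's filename to its quarantine reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {p.get_filename() or "<unnamed>": classify_attachment(p.get_filename(), p.get_payload(decode=True) or b"")
            for p in msg.iter_attachments()}

def build_sample():
    """Constructed message (no real malware): three attachments of differing risk."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "victim@example.com", "Invoice"
    m.set_content("Please see attached.")
    # a PE header hiding behind a .pdf name
    m.add_attachment(b"MZ\x90\x00" + bytes(60), maintype="application", subtype="pdf", filename="invoice.pdf")
    doc = io.BytesIO()                           # a macro-enabled Word document
    with zipfile.ZipFile(doc, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", bytes(16))
    m.add_attachment(doc.getvalue(), maintype="application", subtype="octet-stream", filename="order.docm")
    m.add_attachment("Meeting notes", filename="notes.txt")     # benign text attachment
    return m.as_bytes()
```

Running `screen_message(build_sample())` flags the renamed executable and the macro document while leaving the text attachment alone; a production filter would quarantine anything with a non-empty reason list.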
Beware of spam
Spam emails are the usual gateway for ransomware. Be sure that the email you received is from the intended individual or organisation and not an impostor.
Be double-sure with email attachments
Be careful about downloading attachments sent by an unknown sender. The attachment may have been spoofed and loaded with ransomware or other malware.
Disable Remote Desktop Protocol
It is possible for the payload to be executed via Remote Desktop Protocol. If you do not use RDP regularly, it can be turned off for additional security.
Total network disconnection
If you realise you are accidentally in the middle of downloading or executing a suspicious file, immediately disconnecting from the network or force-shutting the computer may limit the damage.
Thanks to advances in anti-virus technology, several leading anti-virus companies have released free or paid anti-ransomware toolkits. These kits remove the ransomware from the infected computer and decrypt the data.
- Anti-ransomware tools by Avast
- TeslaCrypt decryption tool
- Alcatraz Locker decryption tool
- Apocalypse decryption tool
- NoobCrypt decryption tool
- Trend Micro Ransomware Screen Unlocker Tool
- BitDefender Anti-CryptoWall
- EasySync CryptoMonitor
- Talos decryptor for TeslaCrypt
Malware vs ransomware
Malware infects the target computer system with the aim of corrupting or compromising the information residing on it; it does not demand a ransom from the victim. On occasion the victim may be left in the dark for months or even years about a malware attack on his system. Ransomware attackers demand a ransom in the form of untraceable Bitcoin payments, and only once these payments are made are the files decrypted.
Scareware vs ransomware
Scareware attackers use browser or website pop-ups that mimic legitimate anti-virus companies. The pop-up informs the reader about a supposed security breach on their computer and prompts them to click to clean up their system. Once the user clicks, he is redirected to a splash page that describes the benefits of the tool and asks for a payment to purchase it. The tool the user downloads is generally malware that may compromise the system’s security.
Phishing and ransomware
A combination of phishing and ransomware may be used to hold the victim hostage. The victim receives a spoofed email from an impersonator posing as a legitimate service that the victim generally uses, cleverly mimicking the look and feel of an official email. Once the victim clicks on the call to action within the email, he or she is redirected to a spoofed splash page that also mimics the look and feel of the legitimate service. Once the victim logs in through this page, the credentials are captured by the phisher, who can then demand a ransom to give back access or use the credentials for other activities.
Ransomware and the dark web
On occasion, victims are unable to pay the ransom or refuse to do so for various reasons. If the attacker is convinced that the victim will not pay, he may sell off the stolen data on the dark web. What is the dark web? The dark web is an encrypted network that lies beneath the ordinary internet. Heavy encryption means anonymity, and this fuels illegitimate activity on the dark web.
A typical smartphone ransomware demand originates from a malicious application distributed through the Google Play store. Once the corrupted application is installed on the victim’s device, the malware hijacks the phone, steals its data and finally demands a ransom to unlock the phone and decrypt the data on it.
Kaspersky has stated that it protected over 35,000 Android users within one year.6 This number skyrocketed to over 135,000 the following year. About 56 percent of mobile ransomware attacks between 2015 and 2016 were carried out by the Fusob ransomware family.
Student hangs himself after a ransomware attack
Joseph Edwards, a 17-year-old autistic boy, was the victim of a ransomware attack. The attacker, pretending to be the police, locked his computer and claimed that he had been indulging in illegal activities online. Edwards succumbed to his fears and hanged himself.7
Ransomware attack on St. Louis Public Library
The library was attacked and its files encrypted. It managed, however, to avoid paying the $35,000 ransom to its attacker by rolling back to a recent backup.8
University of Calgary pays Canadian $20,000 ransom
In June 2016, the University of Calgary fell victim to a ransomware attack and paid a sum of CAD 20,000 to decrypt its data.9
- Community of Christ Church in Oregon ended up paying a ransom of $570 to get back access to its data
- The Hollywood Presbyterian Medical Center (HPMC) ended up paying a ransom of $17,000 to obtain the decryption key
- Attackers have also deleted over 10,000 infected MongoDB databases
- Horry County school, South Carolina, agreed to pay a ransom of $8,500
Ransomware by the numbers
- Ransomware is an estimated $1 billion industry10
- $209 million were paid in ransoms in the first quarter of 2016
- Average ransom demand is $679
- Roughly 60% of all ransomware infections arrive through email
- “The extortion model is here to stay,” – Roman Unuchek, mobile security expert, Kaspersky Lab
- “Ransomware is unique among cybercrime because in order for the attack to be successful, it requires the victim to become a willing accomplice after the fact” – James Scott, Sr. Fellow, Institute for Critical Infrastructure Technology