28 Jul
Ransomware: What You Need to Know
Your personal files are encrypted. To get the private key and decrypt your files, pay the sum below. Any attempt to remove or damage this software will lead to the immediate destruction of the private key.
Sounds scary? Now try to visualise this message on the screen of your computer as it blocks your access to the book you have just finished writing, confidential information on your company and its clients, the cryptocurrency you have invested in, or the transportation or electricity system of a whole city. If you have put enough effort into visualising any of these scenarios, you are ready to go beyond the this-will-not-happen-to-me belief and read more about ransomware – the increasingly popular form of cyber-attack.
WHAT IS RANSOMWARE?
Ransomware is coined from two words: “ransom” and “malware”, which in turn stands for “malicious software”. This etymology already tells you much about the nature of the attack – it is software that infects your computer, blocking your access to it or encrypting your files, so that you have to pay a ransom to regain control. Once users are affected, they see a screen explaining what has happened and the steps they should take to fix it.
There are two types of ransomware:
Locker ransomware blocks users’ access to the operating system, so that they cannot reach the desktop, any apps or files. Some locker variants, the notorious Petya in particular, do not target the operating system itself but the Master Boot Record, which prevents the operating system from booting up.
Crypto-ransomware, or encrypting ransomware, is the most widespread type nowadays. It uses a sophisticated encryption algorithm and then demands a ransom for the key that would decrypt your files. CryptoLocker, Locky and CryptoWall all represent this type of ransomware.
THE EVOLUTION OF RANSOMWARE
The first ransomware attack took place in 1989; it was spread on floppy disks and requested that the ransom be sent to a post office box in Panama. It is both funny and scary to think how much has changed since then: ransomware and its means of infection have become far more sophisticated, while ransom payments have become instant and anonymous. Let us have a quick look at how ransomware evolved to this point.
Early ransomware typically zipped files of particular types into password-protected archives, which could be retrieved only once the ransom was paid. Then the cybercriminal world saw the emergence of Reveton, or Police Ransomware. Its peculiarity was that the note was “authored” by the local police (these were the first instances of geographic targeting) and claimed the user had been caught browsing illegal sites or engaging in other illegal internet activity. Users also received a wider choice of ways to pay the ransom.
Crypto-ransomware appeared in late 2013 and revolutionised the ransomware market, as the files remained encrypted even if the malware was deleted. The notes even began to give instructions on how to restore the malware if the user’s antivirus had deleted it, so that the user could proceed with the other steps in the ransom note. Ransomware began to request payment in cryptocurrency, which made payments fully anonymous and irreversible. In 2015, the spread of ransomware reached a new level with the Angler exploit kit, which meant that malware could be delivered without the victim having to open or download anything. The range of files ransomware encrypts has grown wider too – in addition to the well-known .doc, .xls, .jpg and similar files, ransomware began to encrypt databases, website files and virtual desktop files.
The latest trends in the evolution of ransomware are particularly concerning and show the attacks are here to stay. These trends are:
- Ransom-as-a-service. It is difficult to believe, but ransomware criminals no longer need to be technologically savvy – malware creators now sell their products together with instructions on how to deploy them and comprehensive support.
- Attacks on companies and organisations. Attackers have become increasingly interested in bigger targets, as this means higher ransoms and a higher chance that they will be paid.
It is important to note that the second trend does not eliminate attacks on individual users. The criminals have widened their target audience, not changed it. Let us consider in the next section why both audiences remain interesting to the criminals.
WHY DO RANSOMWARE CRIMINALS TARGET HOME USERS AND BUSINESSES?
Home users make good victims for ransomware criminals because:
- they feel secure and have little cyber security knowledge, so they will click on or download almost anything;
- home users do not back up their data, which makes them unwilling to let go of their work or cherished memories;
- home users are reluctant to invest in reliable protection solutions; at the same time, they often lack even basic protection tools or do not bother to update their software regularly;
- they are easily manipulated by the psychological techniques attackers use, such as scaring, shaming and creating a sense of urgency;
- since the loss to each individual victim is comparatively small, there is no chance that an attack will ever be investigated.
Businesses and organisations make good victims for ransomware criminals because:
- the requested ransom is much higher (the requested sum generally amounts to $10,000 – $40,000);
- since businesses and organisations cannot afford disruption to their operations, the chance that the ransom will be paid is much higher (according to statistics, 70% of infected businesses eventually paid the ransom);
- while businesses may have much more sensitive data on their computers or servers, those machines are still used by people, so the human factor becomes an opportunity to exploit;
- businesses may be reluctant to report the attack to avoid legal consequences or brand damage;
- small businesses and state organisations do not have enough budget to install advanced security systems and may even have employees working on their own devices.
HOW DOES RANSOMWARE INFECT A SYSTEM?
Users can encounter the threat through multiple means. The most widespread infection method is still spam email containing malicious links and attachments. Criminals may also exploit vulnerabilities in software and hack legitimate websites to inject malicious code or redirect users to malicious websites. Some ransomware is spread by already infected computers that form the criminals’ botnets.
By clicking on the link to the malicious website or downloading and opening the attachment, victims allow a malicious payload (a downloader) to be placed on their PCs. The downloader then contacts criminal-controlled domains and servers to download the ransomware program onto the system. When the server sends the requested data, the malware encrypts the content of the hard disk, personal files, and all data stored in cloud services such as Dropbox or Google Drive that are synchronised with the PC (many people still do not realise ransomware can do this too!).
Note that infection may happen even if you never click any suspicious links and never open attachments you are not sure about. For example, the infection can take place when you unsuspectingly browse a seemingly secure website that has been hacked by the ransomware criminals. The malicious code they have injected into the website will probe your computer for vulnerabilities – outdated apps of all kinds, from browsers to plugins. Once the malware finds a weakness, it infiltrates the system and gains control of it.
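The infection chain just described ends with files being rewritten in bulk, cloud-synced folders included. The following is an added, defensive example (not code from the article) of how a monitoring script can notice that happening: it scans a folder for freshly modified files whose bytes look random, for a second extension appended to file names, and for a dropped ransom note. The thresholds, the ransom-note name hints and the sample files it builds in a temporary directory are constructed for the demonstration.

```python
"""Heuristic detection of bulk file encryption in a folder tree.

Added, defensive example; not code from the article. It looks for the traces
a crypto-ransomware leaves while it works through a folder (a cloud-synced
folder such as Dropbox or Google Drive included): many files rewritten within
a short window whose bytes look random (high Shannon entropy), a second
extension appended to file names, and a ransom note dropped next to the data.
Thresholds, name hints and the sample files in demo() are constructed.
"""
import math
import os
import shutil
import tempfile
import time
from collections import Counter
from pathlib import Path

# Words that commonly appear in ransom-note file names (constructed sample list).
NOTE_NAME_HINTS = ("decrypt", "recover", "restore", "ransom")
# Formats that legitimately hold random-looking data; entropy says nothing for them.
COMPRESSED_OR_MEDIA = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or compressed data, ~4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, window_seconds=300, entropy_threshold=7.5,
              ratio_threshold=0.5, now=None):
    """Collect evidence under root and return it with an overall alert flag."""
    now = time.time() if now is None else now
    high_entropy, double_ext, notes = [], [], []
    total = 0
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        total += 1
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        if path.suffix.lower() in (".txt", ".html") and any(h in name for h in NOTE_NAME_HINTS):
            notes.append(rel)
            continue
        if now - path.stat().st_mtime > window_seconds:
            continue  # untouched for a while: not part of a current encryption run
        if len(path.suffixes) >= 2:
            double_ext.append(rel)  # e.g. report.docx.locked (weak signal, listed for the analyst)
        if path.suffix.lower() in COMPRESSED_OR_MEDIA:
            continue
        with open(path, "rb") as fh:
            head = fh.read(4096)  # the first 4 KiB is enough to tell text from ciphertext
        if shannon_entropy(head) >= entropy_threshold:
            high_entropy.append(rel)
    ratio = len(high_entropy) / total if total else 0.0
    return {
        "total_files": total,
        "high_entropy": high_entropy,
        "double_extension": double_ext,
        "ransom_notes": notes,
        "ratio": round(ratio, 3),
        # One signal alone is weak (a folder of fresh photos is high-entropy too), so
        # alert on a high share of freshly written random-looking files, or on a note.
        "alert": ratio >= ratio_threshold or bool(notes),
    }


def _populate(folder: Path, encrypted: bool) -> None:
    """Constructed sample data: ordinary documents, or the same folder after an attack."""
    folder.mkdir(parents=True, exist_ok=True)
    for i in range(6):
        if encrypted:
            # What an encrypted copy looks like: random bytes and a second extension.
            (folder / f"report{i}.docx.locked").write_bytes(os.urandom(4096))
        else:
            (folder / f"report{i}.docx").write_bytes((f"Quarterly report {i}. " * 200).encode())
    if encrypted:
        (folder / "HOW_TO_DECRYPT_FILES.txt").write_text("Your personal files are encrypted.")


def demo() -> dict:
    """Scan a clean folder and a folder after an attack; return both results."""
    base = Path(tempfile.mkdtemp(prefix="ransom-demo-"))
    try:
        _populate(base / "clean", encrypted=False)
        _populate(base / "hit", encrypted=True)
        return {"clean": scan_tree(base / "clean"), "hit": scan_tree(base / "hit")}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "ALERT" if result["alert"] else "ok", result)
```

Run as a script it reports "ok" for the clean folder and "ALERT" for the attacked one. Entropy alone is a weak signal (a folder of fresh photos or archives also looks random), which is why the check only alerts on a high share of recently written random-looking files or on a ransom note, and why compressed and media extensions are excluded from the entropy test. In practice such a scan would run periodically over the document and cloud-sync folders, and its hits would be one input to isolating the machine, not the only one.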
HOW TO PROTECT YOURSELF OR YOUR BUSINESS FROM RANSOMWARE?
All security specialists beg users not to pay the ransom, as it makes the criminals thrive and is your personal investment in the further evolution of ransomware. What is more, only 1 in 4 users eventually recovers their data after paying a ransom. What specialists recommend instead is to resort to free decryption tools, which you can use to decrypt your data without having to pay. Still, no such tools exist for all ransomware, and even the existing solutions constantly become outdated as criminals refine their products. In that case, your survival of the attack will depend on the availability of a backup of all your critical files and databases, which will allow you to let go of the encrypted versions.
Now that you have realised the complexity and potency of ransomware, the price you or your business may be compelled to pay (with no guarantee of data recovery, of course), and the limited post-attack solutions available, read this list of prevention rules, which will minimise the risk of falling victim to ransomware:
- Remember that modern ransomware affects cloud storage (Dropbox/Google Drive), so keep at least one backup of your data that is external or is disconnected whenever it is not being used for a backup.
- Make sure your operating system and software are always updated to the latest version, in which the known security weaknesses have already been eliminated.
- Remove the plugins you do not use or do not keep updated to the latest available version.
- Do not open spam or suspicious emails.
- Do not download attachments or click links received in spam or suspicious emails.
- Turn off macros in the Microsoft Office suite – Word, Excel, PowerPoint, etc.
- Remove the Adobe Flash, Adobe Reader, Java and Silverlight plugins from your browser, as these may become infected with ransomware. If you cannot remove them, set the browser to ask you whether to activate them and activate them only when needed.
- Use a reliable antivirus with automatic updates and a real-time scanner.
- Use traffic-filtering solutions, which can proactively protect you from ransomware.
- Avoid using an administrator account on your PC on a daily basis. Use a guest account with limited access and administration rights instead.
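The backup rule above, and the earlier point that surviving an attack without paying depends on having a backup to fall back on, are only as good as the backup's integrity on the day it is needed. This is an added example, not the article's or any product's code, showing the minimum a backup routine should do: write a manifest of SHA-256 digests next to the copied files, verify the copies against it (and check the backup's age) before relying on them, and restore only the files that still match. The folder names and file contents it creates in a temporary directory are constructed for the demonstration.

```python
"""Backup with an integrity manifest, a pre-restore check and a selective restore.

Added example, not the article's code. create_backup() copies a source tree
and records a SHA-256 digest per file; verify_backup() recomputes the digests
and checks the backup age, so a backup that was itself encrypted (a drive left
plugged into an infected PC) or quietly went stale is caught early; restore()
copies back only files that still match. Names and contents in demo() are
constructed samples.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source, dest) -> dict:
    """Copy every file under source into dest and write the manifest beside the copies."""
    source, dest = Path(source), Path(dest)
    files = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            files[rel] = sha256_file(target)  # hash the copy, so a bad copy is caught now
    manifest = {"created": time.time(), "files": files}
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(dest, max_age_seconds=7 * 24 * 3600, now=None) -> dict:
    """Check that each file in the manifest is present, unchanged and recent enough."""
    dest = Path(dest)
    try:
        manifest = json.loads((dest / MANIFEST_NAME).read_text())
    except (OSError, ValueError):
        # A manifest that is gone or no longer parses is itself a symptom: ransomware
        # reaching the backup location encrypts the manifest along with the data.
        return {"ok": False, "problems": ["manifest missing or unreadable"], "files_checked": 0}
    problems = []
    for rel, digest in manifest["files"].items():
        p = dest / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {rel}")
    age = (time.time() if now is None else now) - manifest["created"]
    if age > max_age_seconds:
        problems.append(f"stale: backup is {age / 86400:.1f} days old")
    return {"ok": not problems, "problems": problems, "files_checked": len(manifest["files"])}


def restore(dest, target) -> dict:
    """Copy back only the files whose digest still matches; report the rest as skipped."""
    dest, target = Path(dest), Path(target)
    manifest = json.loads((dest / MANIFEST_NAME).read_text())
    restored, skipped = [], []
    for rel, digest in manifest["files"].items():
        src = dest / rel
        if src.is_file() and sha256_file(src) == digest:
            out = target / rel
            out.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, out)
            restored.append(rel)
        else:
            skipped.append(rel)
    return {"restored": restored, "skipped": skipped}


def demo() -> dict:
    """Back up a constructed folder, damage one backup copy, then verify and restore."""
    base = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    try:
        src, bak, out = base / "documents", base / "backup", base / "restored"
        (src / "notes").mkdir(parents=True)
        (src / "book.txt").write_text("Chapter 1. It was a dark and stormy night.")
        (src / "clients.csv").write_text("name,contact\nAcme,alice@example.invalid\n")
        (src / "notes" / "todo.md").write_text("- call the bank\n")
        create_backup(src, bak)
        before = verify_backup(bak)
        # The backup drive was left connected while ransomware ran: one copy is now random bytes.
        (bak / "clients.csv").write_bytes(os.urandom(64))
        after = verify_backup(bak)
        recovered = restore(bak, out)
        stale = verify_backup(bak, now=time.time() + 30 * 86400)  # same backup, a month later
        return {"before": before, "after": after, "recovered": recovered, "stale": stale,
                "restored_book": (out / "book.txt").read_text()}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

demo() plays out the case the article warns about: a backup drive left connected while ransomware runs. The damaged copy fails verification and is skipped on restore, while the untouched files come back intact; the same check run a month later reports the backup as stale. Keeping the backup disconnected, or on storage the PC can only append to, is what stops the manifest itself from being encrypted; the script can only report that, not prevent it.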
Ransomware attackers are restless and ruthless, but proper measures can help you to prevent or survive the attack without paying a cent. The recipe is simple – be vigilant and back up, back up, and back up.