
Ransomware – a trend to stay

September 23, 2015

Ransomware is a very current cyber phenomenon. First brought to attention in 1989 (the AIDS Trojan, also known as PC Cyborg), it resurfaced around 2005 (Trojan.Gpcoder, followed in 2006 by the Archiveus Trojan, which combined ransomware with RSA encryption), and 2014 seems to have been its year of choice: the number of incidents rose by 113% compared with 2013.

Other sources paint an even worse picture: Symantec, for example, reported in August 2014 an increase of more than 700 percent. Ransomware marks the shift in hacking from recognition to remuneration, and it brings a very unpleasant blurring of the line between the cyber world and the real world.

Basically, an illicit party uses malware to take control of the user’s device and will not relinquish it until the requested ransom is paid. Attributed to “generation five” cyber-criminals, ransomware is part of an underground economy in which cyber-attacks generate money: lots of it, or rather the right amount per hit to keep the operation profitable while still persuading the victim to pay the fee.

First ransomware and 2014 status

In 2012 McAfee reported approximately 100,000 new samples in the first quarter of the year alone, a number that doubled by the next quarter in an unprecedented wave of money-generating cyber-crime. This coincided with the so-called “coming of age” of the cyber-crime ecosystem: the launch of Citadel (a Zeus-derived crimeware kit), followed by the Lyposit kit and the Reveton police-ransomware Trojan.
Victims were instructed to pay the “fines” through prepaid payment services such as Ukash, Paysafecard or MoneyPak.

In 2013 cryptographic ransomware arrived with CryptoLocker, a Trojan spread via the Gameover ZeuS botnet that encrypted files with certain extensions and deleted the originals. Perhaps the most famous ransomware so far, it later spawned numerous variations. This time Bitcoin was among the accepted payment methods, and the fee went up if the victim did not pay within the first three days. The Bitcoin (BTC) payments alone reached an estimated value of $27 million.

The cyber-crime network behind Gameover ZeuS and CryptoLocker was taken down in May 2014. In August 2014 a decryption service, DecryptCryptoLocker, gave affected users a way to recover their files using the private keys recovered during the takedown, but only for victims infected before May 2014, because the later variants (Locker, CryptoLocker 2.0, CTB-Locker (also called Critroni), CryptoWall, TorrentLocker) used different keys and encryption schemes.

In 2015 the most prevalent ransomware appears to be Crowti (CryptoWall), followed by Tescrypt (TeslaCrypt), according to the cited source; Crowti and Tescrypt are Microsoft’s detection names for those two families.

Types of ransomware

Depending on what it does once inside a machine, ransomware falls into two types:
• lockers, which lock the screen (or the whole device) but leave the data in place;
• crypto-ransomware, which encrypts files and/or folders.

There are also several ransomware families.
Depending on the propagation means, the main vectors are:
• TDS (Traffic Distribution System) redirects, which route web traffic to the site hosting the ransomware;
• malvertising, which routes web traffic to the hosting site through malicious advertisements;
• spam email carrying malicious attachments or links;
• downloaders and botnets that install the ransomware on machines that are already infected;
• social engineering and self-propagation, where the infected system is used to reach other systems (via SMS messages, for example).

Ransomware prevention methods

Recommended actions include user/employee training (in judging whether an email and its attachments are legitimate, and in never opening executable attachments, whether they arrive automatically or individually), keeping all software updated and patched, backing up all files regularly to an external drive that is disconnected between backups (crypto-ransomware also encrypts any attached drive or network share it can reach), and using multi-layered protection techniques instead of relying on a single monitoring method.
It is also useful to run anti-malware software alongside antivirus software.
In an enterprise the number of devices connected to the corporate network keeps growing, and every such device should be secured. A security policy should be implemented and monitored, programs should not be allowed to auto-install or to run unauthorized processes in the background, and every possible entry point should be considered and secured.
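The advice above to monitor rather than rely on a single method can be made concrete with a small detection layer. The following Python script is an added example, not code from the original article or from any product it mentions: it plants canary files and records their hashes, then flags the side effects of a crypto-ransomware pass that the article describes (documents rewritten as high-entropy ciphertext, originals deleted and replaced by renamed copies). The directory tree, the canary name `000_canary.txt`, the entropy threshold and the `simulate_infection` routine are all constructed assumptions for the demo; the simulated infection writes pseudo-random bytes in place of real ciphertext, so nothing is actually encrypted.

```python
"""Added example (not from the original article): a small monitoring layer
that flags the observable side effects of crypto-ransomware on a file tree.
The tree layout, canary name and threshold are constructed assumptions."""
import hashlib
import math
import shutil
import tempfile
from pathlib import Path

ENTROPY_THRESHOLD = 7.5     # bits/byte; plaintext documents score ~3-5, ciphertext ~7.9+
WATCHED_EXT = {".txt", ".csv", ".log", ".xml", ".html"}   # plaintext formats only
CANARY_NAME = "000_canary.txt"   # hypothetical name; sorts first so an encryptor hits it early


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canaries(root: Path) -> dict:
    """Drop one canary per directory and return {path: sha256} as the baseline."""
    baseline = {}
    for d in [root, *(p for p in root.rglob("*") if p.is_dir())]:
        canary = d / CANARY_NAME
        canary.write_bytes(b"canary: nothing legitimate ever writes to this file\n")
        baseline[str(canary)] = sha256_file(canary)
    return baseline


def scan(root: Path, baseline: dict) -> list:
    """Return (reason, path) findings: tampered canaries, renamed documents
    (e.g. report.csv.encrypted) and watched documents that now look like ciphertext."""
    findings = []
    for canary_path, digest in baseline.items():
        p = Path(canary_path)
        if not p.exists():
            findings.append(("canary_missing", str(p)))
        elif sha256_file(p) != digest:
            findings.append(("canary_modified", str(p)))
    for p in root.rglob("*"):
        if not p.is_file() or p.name == CANARY_NAME:
            continue
        sfx = [s.lower() for s in p.suffixes]
        if len(sfx) >= 2 and sfx[-2] in WATCHED_EXT and sfx[-1] not in WATCHED_EXT:
            findings.append(("renamed_document", str(p)))
        if sfx and sfx[-1] in WATCHED_EXT and shannon_entropy(p.read_bytes()) > ENTROPY_THRESHOLD:
            findings.append(("high_entropy_document", str(p)))
    return findings


def simulate_infection(root: Path) -> None:
    """Constructed stand-in for a crypto-ransomware pass (no real encryption):
    .csv files are overwritten in place; other watched files are replaced by a
    renamed copy and the original is deleted, as the article says CryptoLocker did.
    Pseudo-random bytes derived from SHA-256 stand in for the ciphertext."""
    for p in sorted(root.rglob("*")):          # sorted() snapshots the tree first
        if not p.is_file() or p.suffix.lower() not in WATCHED_EXT:
            continue
        fake_ct = b"".join(
            hashlib.sha256(str(p).encode() + i.to_bytes(4, "big")).digest() for i in range(128)
        )
        if p.suffix.lower() == ".csv":
            p.write_bytes(fake_ct)
        else:
            p.with_name(p.name + ".encrypted").write_bytes(fake_ct)
            p.unlink()


def demo() -> tuple:
    """Build a constructed sample tree, scan it clean, infect it, scan again."""
    root = Path(tempfile.mkdtemp(prefix="rw_demo_"))
    try:
        (root / "finance").mkdir()
        (root / "notes.txt").write_text("quarterly review notes, nothing unusual here\n" * 40)
        (root / "finance" / "ledger.csv").write_text("date,amount\n2015-09-01,120.50\n" * 100)
        (root / "finance" / "photo.jpg").write_bytes(bytes(range(256)) * 8)  # binary, unwatched
        baseline = plant_canaries(root)
        before = scan(root, baseline)
        simulate_infection(root)
        after = scan(root, baseline)
        return before, after
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    clean, infected = demo()
    print("clean scan:", clean)
    for reason, path in infected:
        print(f"{reason:22s} {path}")
```

The clean scan returns nothing, while the scan after the simulated pass reports the two missing canaries, the three renamed documents (including the renamed canaries) and the in-place overwritten ledger, and stays silent on the high-entropy but unwatched `photo.jpg`. In a real deployment the canary check and the entropy check would run on a schedule against file servers and the findings would feed an alert; restricting the entropy test to plaintext formats is what keeps compressed or already-encrypted files (JPEG, ZIP, PDF) from producing false positives.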

Planning and executing such policies (backup, security and monitoring) is generally the task of the IT manager, as part of the overall security-awareness effort.

Ransomware – cleaning methods

These usually work only if at least some of the prevention methods were in place beforehand, but it helps to:
• Boot into Safe Mode with Networking;
• Restore the system from a boot/recovery CD;
• Slave the hard disk drive to a clean machine and clean it from there;
• Use read-only optical media (CD-R), whose contents the active virus cannot alter;
• Once the system is isolated and cleaned, file-recovery software may retrieve the deleted originals, unless the ransomware used secure-deletion tools.

Ransomware facts

One of the most unpleasant facts is that paying the requested fee can be useless: no guarantees are offered. And the charges are usually high, amounting to hundreds of US dollars or euros per ransom.

Some ransomware schemes build trust by decrypting a few files free of charge, to prove that recovery is possible and to motivate payment.

There are also documented cases of fee negotiation, and even very rare cases where the files were decrypted after the victim refused to pay.
In many instances ransomware enters computers via other types of malware.
The countries most affected by ransomware are the USA, Japan and the UK, followed by Italy, Germany and Russia, according to Symantec.

As for the future, it is expected that while countermeasures focus on operational security and international cooperation to take down the cyber-crime networks behind the attacks, ransomware will become increasingly localized (ransom notes in the victim’s own language) and will spread to a new range of devices, such as wearables. Ransomware as a service is accessible to virtually anyone, and it threatens the future IoT.

We have reviewed a few facts about ransomware and learned a bit about its history, its types of attack and some countermeasures. As a cyber-security topic, ransomware is now trending, and one might even call it critical. Its milder “relative” is scareware, where the victim is frightened into paying a fee by a fake attack. The principle is the same, and both may end up taking the victim’s money, thus bridging into the real world.
This cybersecurity issue is sophisticated and critical. Payment or no payment, the affected system is compromised, which is all the more dangerous when the data is sensitive. Even after decryption, associated malicious tools can keep stealing data, passwords and other items from the target’s computer, or spread to other devices using the infected machine.

Ransomware is not going away soon, and it is not easy to fight: it calls for prevention measures above all, and for maximum diligence when dealing with any possible propagation vector.