Ransomware is malicious software that encrypts data files or locks systems in order to block users from accessing the hardware or the data stored on computers, laptops, mobile devices, and similar machines. Such programs are designed to extort a ransom from the victims. If a victim fails to meet the attackers' demands, the outcome can be anything from destruction of the data to the worldwide disclosure of the sensitive and private data under siege. Ransomware attacks have grown immensely over the last few years, and they have become more dangerous as the attacks have become more organized. Despite the increase in numbers and risk, few people, organizations included, grasp the sophistication of ransomware attacks. This article covers how ransomware works, the different types of ransomware, ransomware statistics from some of the latest threat reports, and finally the precautionary measures that can protect people from many ransomware attacks.
HOW DOES RANSOMWARE WORK?
At a high level, ransomware is malicious software that locks computer systems or encodes documents using data encryption techniques. The adversaries offer the decryption keys to the victims in exchange for a certain amount of money, digital currency, or whatever other ransom the attackers demand.
Propagation Method: Common ransomware needs a dropper to infect the target systems, and there are several ways to deliver it. The most common and successful methods are download links and email attachments that carry the ransomware scripts. Once downloaded onto the victim's machine, the ransomware code either locks the machine or starts encrypting data files. The malware also deletes any backup files, including system restore points, so that the victim cannot regain access to the system or data through recovery methods. Some advanced ransomware targets system vulnerabilities and self-propagates rather than depending on human interaction with the malware.
Encryption Techniques: The ransomware encryption process is based on symmetric and asymmetric cryptography. Some ransomware uses the symmetric approach to encrypt and decrypt the files on target systems. For non-technical users: a symmetric cryptosystem uses the same key to encrypt and decrypt the data. There are different types of symmetric ciphers; the most effective symmetric keys are based on the Advanced Encryption Standard (AES). AES keys are 128, 192, or 256 bits long. With the supercomputers currently available in the world, it can take centuries to break an AES-128 key. Asymmetric cryptography is the other form of encryption used by ransomware. In asymmetric cryptography there are two keys, usually known as the public and private keys. Data encrypted with the public key can only be accessed by decrypting it with the private key. The most common and secure asymmetric keys used by some of the most advanced ransomware are based on the RSA (Rivest, Shamir, Adleman) algorithm. RSA keys can be 1024, 2048, or 4096 bits. It is important to note that a ransomware attack may generate different encryption and decryption keys for each hostage computer system, so the retrieval of the decryption key for one victim does not guarantee the recovery of data on other victim machines.
RANSOMWARE CLASSIFICATION
There are many examples of ransomware, some of which we discuss in this section. All of them fall into one of the following two types.
1) Locker Ransomware
As the name suggests, the locker ransomware locks the victim’s machine instead of encrypting the files on the system.
Locker Ransomware Examples:
Reveton Ransomware: Reveton began attacking computers in late 2012. It is also known as screen-locker ransomware and police ransomware. Reveton impersonates a cybercrime or law-enforcement agency, blocking people from accessing their computers and displaying warning messages on the screen. Users are asked to pay a fine (the ransom) to avoid legal action and to regain access to their computers.
2) Crypto-Ransomware
In Crypto ransomware, the malware encrypts the data files using symmetric/asymmetric encryption techniques.
Crypto Ransomware Examples
Locky Ransomware: Locky is a crypto-ransomware that uses a hybrid approach to encrypt the data files on target machines. The Locky command-and-control (C&C) server holds a set of asymmetric (public and private) RSA keys. The malware generates a random symmetric AES key to encrypt the files on the victim's computer, and that AES key is then encrypted with the RSA public key. The decryption process is the reverse: the RSA private key held at the C&C is used to decrypt the AES key, and the AES key is then applied to the encrypted data to decipher the files.
WannaCry Ransomware: WannaCry, which appeared in 2017, is known as the first global ransomware. The malware took advantage of a Microsoft Windows vulnerability to infect and seize Windows machines worldwide. The WannaCry script contains a hardcoded, random-looking URL that acts as a kill switch: researchers found that the script attempts to reach the URL before encrypting files on the target system. If the URL cannot be reached, the malware starts encrypting files of many different formats to make them inaccessible to the users; once the hardcoded domain was registered, the ransomware halted its operations.
CryptoWall Ransomware: CryptoWall is another crypto-ransomware, first spotted in 2014. It takes advantage of the Microsoft CryptoAPI to encrypt data files. CryptoAPI is a Windows library that provides symmetric and asymmetric encryption to Windows applications; CryptoWall uses it to encrypt data files on the target host with RSA and AES. The encryption and decryption process is similar to Locky's: an AES key is generated to encrypt the data files, and the RSA public key is used to encrypt the AES key. In the decryption phase, the RSA private key is used to recover the AES key, which is then applied to the scrambled data to decrypt the ciphertext.
RANSOMWARE QUICK STATS
Ransomware attacks have become more common and aggressive over the past few years. The following is a quick overview of ransomware attacks from different trusted threat reports.
- Verizon's Data Breach Investigations Report 2020 ranked ransomware as the 2nd most common malware incident variety and the 3rd most common malware breach variety. According to the report, 27% of the malware incidents were ransomware attacks.
- Check Point Research published its Cybersecurity Report 2020 covering 2019 cybersecurity trends and incidents. According to this report, 2019 was the year of targeted ransomware attacks, with healthcare, software services, and the public sector as the major ransomware victims.
- Cybersecurity in 2020 and Beyond is a special report by FireEye that discusses the possibility of a nexus among different ransomware attackers. The report suggests that different ransomware attackers are working together to target private industries and local government organizations.
- VMware Carbon Black's Global Threat Data 2020 reveals that various ransomware attacks have no decryption mechanism, which leads to the complete destruction of the data under siege. The main targets of ransomware attacks in 2019 were Energy/Utilities (32%), Government (14.1%), and Manufacturing (13.8%).
HOW TO AVOID RANSOMWARE ATTACKS?
Although ransomware attacks are on the rise and becoming more aggressive, the following measures can help one avoid the majority of these attacks.
Avoid Suspicious Email Attachments & Download Links: Many ransomware attacks can be avoided by knowing the common attack vectors. As mentioned earlier in the article, email attachments and download links are the most common ransomware propagation methods. Hence, one can escape most of these attacks by ignoring unverified email attachments and download links, and by always preferring verified sources when downloading any data or application from the internet.
Be Careful with Peripheral Devices: Devices like USB drives are also a way of initiating ransomware attacks. Therefore, it is highly recommended never to attach untrusted USB or other external storage devices to your computers.
Update Software and Services: Timely patching and updates can keep users safe from malware that takes advantage of specific system vulnerabilities.
Use Security Programs: Look for effective antivirus/antimalware programs that can detect malicious activities and applications operating on your system. Much ransomware operates by connecting back to its command and control center. Good intrusion detection and prevention systems can recognize such behavior and halt the C&C operation by cutting the connection. C&C-dependent ransomware is unable to encrypt files if the connection between the victim's computer and the C&C fails.
Use VPN Services: Attackers can eavesdrop on users’ communication to make the ransomware attack more effective. The use of a VPN service can prevent attackers from gaining insights into user communication and launching targeted attacks.
Have a Separate Backup: Since ransomware is able to delete backups on the target machine, it is a good idea to keep a backup on a different machine or a cloud service.
CONCLUSION
The early ransomware attacks were random and less severe. As the technology evolved, these attacks have become more targeted and dangerous. Ransomware without a decryption mechanism is the most critical kind of attack, since the victims are unable to get their data back even after paying the ransom. The common precautions mentioned in this article can keep users safe from the majority of ransomware attacks.