The word Ransom refers to a demand made by abductors for the release of a captive. In some cases, the criminal does not release the person even after receiving the money.
Similarly, in the cyber world, there is no guarantee that your encrypted files will be released or decrypted even after you pay the Ransom. In some cases the attacker also collects banking information along with the demanded money, and most of the time the malicious files are left in place so that the attacker can take advantage of the system again.
Anatomy of Ransomware
Ransomware is software intended to block access to system resources until a sum of money is paid. It encrypts files on the infected system; once infected, the files are inaccessible, and they are typically also renamed with a different extension that the operating system does not recognise. Bad actors then demand a payment to restore access to these files.
Ransomware code is often simple because, unlike many types of old-style malware that aim to be FUD (Fully Undetectable), it usually does not need to remain undetected for long to attain its goal. As Ransomware is now readily available in darknet marketplaces, any script kiddie can download it and launch it against an organisation for profit.
Ransomware is most often delivered via emails that look legitimate to the user. Phishing emails may contain links; users unknowingly click on them, the malicious software is downloaded onto the system, and it can later be used to infect other systems in the environment through lateral movement. Social media interaction is another infection vector. Exploit kits are now sophisticated enough to bypass antivirus software and deliver malware with ease. Another important source is cracked versions of legitimate software: people often take this shortcut to save on software costs, but the crack may carry malicious Ransomware code, and pirated software may ultimately turn out to be a costly choice for the user.
The History of Ransomware
The first Ransomware was created in 1989 by Harvard biologist Joseph L. Popp. It was named the AIDS Trojan and was also known as PC Cyborg. Popp sent 20,000 infected diskettes labelled “AIDS Information – Introductory Diskettes” to attendees of the WHO’s AIDS conference.
In 2006, the Archiveus Trojan was released. It used RSA encryption to encrypt everything in the My Documents folder and pushed victims to purchase items from an online pharmacy to obtain the 30-digit password.
In 2007, another kind of Ransomware appeared that locked users out of their machines. WinLock displayed pornographic images until the user sent a $10 premium-rate SMS to receive the unlock key.
In 2008, a variant of the same virus, GPcode.AK, using a 1024-bit RSA key, was unleashed on the public.
In 2011, a large-scale Ransomware outbreak occurred, and it marked the start of the use of anonymous payment services.
In 2012, Citadel appeared: a toolkit for distributing malware and managing botnets that first emerged in January 2012, followed by Lyposit, the Urausy police Ransomware Trojans and Reveton.
In 2013, Svpeng, an Android Trojan, targeted Android devices. CryptoLocker and CryptorBit followed; they could bypass Group Policy settings put in place to defend against this type of infection. The bad actors used social engineering to install the Ransomware disguised as a rogue antivirus product and encrypt the files. The user was then pushed to install the TOR Browser and enter their details, and a payment of up to $500 in Bitcoin was demanded. The software also installed cryptocurrency-mining software that hijacked the victim machine’s resources to mine digital coins such as Bitcoin, which were deposited in the bad actor’s digital wallet.
In 2014, CryptoDefense was released. It used TOR and Bitcoin for concealment and 2048-bit encryption. An improved version, CryptoWall, followed. Another was Koler.a: launched in April, this police ransom Trojan infected around 200,000 Android users who were browsing for porn and ended up downloading the malware.
In 2015, Ransomware-as-a-Service appeared. One could simply go to a TOR website “for criminals by criminals” and launch one’s own Ransomware for free. A report from Kaspersky showed that it was doubling every year. Another report, from Symantec, showed that TeslaCrypt attacks increased from 200 to 1,800 a day.
In 2016, JavaScript Ransomware-as-a-Service was exposed. Cybercrime had piggybacked on the successful SaaS model, and numerous Ransomware-as-a-Service (RaaS) offerings such as TOX, Fakben and Radamant appeared.
The WannaCry Ransomware took the world by storm in mid-May, starting with attacks on vulnerable SMB services at telcos, railways, universities, the UK’s NHS and so on. The Shadow Brokers, the hackers who leaked the NSA SMB 0-day exploit that powered WannaCry, published a manifesto announcing a subscription offer under which they would release more 0-day bugs and exploits for several desktop and mobile platforms, taken from the NSA.
Just after WannaCry, NotPetya was the next worldwide Ransomware attack. It targeted Ukraine, Russia, Spain, France and other countries. However, NotPetya is more like cyber warfare and does not come from the original Petya sources. It does not delete any data but simply makes it unusable by locking the files and then throwing the key away.
Verizon’s 2018 Data Breach report lists Ransomware as the most common type of malware carried by phishing attacks, accounting for 56% of such occurrences.
In 2018, Blackheart, BitKangoroo, Satan Ransomware and GandCrab v4 evolved. SonicWall’s 2018 Cyber Threat Report gives some interesting statistics about the state of Ransomware:
- In 2017, a 229% increase in Ransomware attacks.
- Twelve new variants of Ransomware appeared.
- Approximately 181.5 Million attacks.
Coveware’s Q4 2018 Global Ransomware Marketplace Report shows that bad actors are just getting started with this deadly form of malicious attack. Ransom payments, downtime resulting from an attack, and compromises of backup repositories all grew during the quarter.
According to the Cybercrime Tactics and Techniques: Ransomware Retrospective report by Malwarebytes, the risk to businesses grew by 365% from Q2 2018 to Q2 2019.
McAfee Labs witnessed an average of 504 new threats every minute in Q1 2019, along with a resurgence of Ransomware through new campaigns and code changes. New Ransomware grew by 118%, and the most common strains were Dharma (aka Crysis), GandCrab and Ryuk.
Steps that can save you from extortion:
Be Proactive, Not Reactive
- Keep backups in multiple locations (local, cloud and more)
- Segment network access and tighten internal data access policies
- Deploy early threat detection systems
- Use an EDR solution
- Run regularly scheduled security scans
- Create restore and recovery points in case of attack
- Conduct regular training and security mock tests
- Enforce a strong password policy
- Think twice before clicking on any link
- Configure the OS to show file extensions
- Use gateway mail security
- Add virus control at the mail server
- Apply software and OS patches
- Block vulnerable plug-ins
- Limit user internet connectivity
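As an added example (not part of the original article), this is the kind of early-detection heuristic the checklist calls for: it scans constructed file-system audit events for the behaviour described under Anatomy, a single process renaming many files in a short window to an extension the environment does not know. The event tuple layout, the extension allow-list and the thresholds are assumptions.

```python
"""Heuristic detector for ransomware-style mass renames (added example, not
from the article). Flags a process that renames many files to an extension
outside the allow-list within a short window, as the encryption phase above
looks in file-system audit logs. Event layout and thresholds are assumptions."""
from collections import defaultdict
from pathlib import PurePosixPath

# Extensions this (hypothetical) environment normally uses.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".txt", ".zip"}

def unknown_extension(path: str) -> bool:
    """True when the file carries a suffix that is not on the allow-list."""
    suffix = PurePosixPath(path).suffix.lower()
    return bool(suffix) and suffix not in KNOWN_EXTENSIONS

def detect_mass_rename(events, window=10.0, threshold=5):
    """Return {pid: peak} for processes whose known->unknown extension renames
    reach `threshold` inside any `window` seconds.
    events: iterable of (timestamp_s, pid, process_name, old_path, new_path)."""
    rename_times = defaultdict(list)
    for ts, pid, _name, old_path, new_path in events:
        if unknown_extension(new_path) and not unknown_extension(old_path):
            rename_times[pid].append(ts)
    alerts = {}
    for pid, times in rename_times.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[pid] = peak
    return alerts

# Constructed audit events: an editor saving normally, and one process
# renaming five documents to ".locked" within three seconds.
SAMPLE_EVENTS = [
    (1000.0, 1100, "editor", "/home/u/draft.tmp", "/home/u/draft.docx"),
    (1001.0, 4242, "unknown", "/home/u/report.docx", "/home/u/report.docx.locked"),
    (1001.5, 4242, "unknown", "/home/u/budget.xlsx", "/home/u/budget.xlsx.locked"),
    (1002.0, 4242, "unknown", "/home/u/photo.jpg", "/home/u/photo.jpg.locked"),
    (1002.4, 4242, "unknown", "/home/u/notes.txt", "/home/u/notes.txt.locked"),
    (1003.1, 4242, "unknown", "/home/u/slides.pptx", "/home/u/slides.pptx.locked"),
    (1050.0, 1100, "editor", "/home/u/old.txt", "/home/u/old.bak"),
]

if __name__ == "__main__":
    print(detect_mass_rename(SAMPLE_EVENTS))  # {4242: 5}
```

In a real deployment the events would come from an EDR or file-audit feed, and the allow-list from an inventory of extensions actually seen in the environment.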
What if you are already infected?
You may be thinking of paying the bad actors, but that is a dreadful idea. According to a Symantec Ransomware report, only 47% of people who pay the ransom get their files back. Paying the Ransom only encourages the bad actors, and they will continue to do it. Also, as they already have your data, they will surely sell it on a darknet market to make more money.
Samit has over 15 years of experience in cybersecurity. He currently handles multiple SOCs on the Happiest Minds Cyber Risk Protection Platform, a new and enhanced SOC platform that helps clients fight against bad actors. Samit has made significant contributions to security design solutioning and to mentoring blue teams.