Malware 101: Ransomware
What could be more exciting than pirates? Villainous rogues sailing the high seas, searching for ships in the night to plunder. They come across an unsuspecting ship, ready their cannons – take aim – and in a split second, a barrage of iron and smoke rains from the sky. The shadowy ship positions itself next to the now broken vessel. Once the pirates begin to board, a frenzy of bullets flies through the air. It doesn’t take long for the ol’ scallywags to overcome the poor boys, and they demand that the crew lay down their arms. Now prisoners of the pirates, there is only one thing left for the crew to do:
A ransom must be paid.
Although life in cyberspace isn’t as romanticized, there are plenty of pirates attacking unsuspecting web surfers. It is very common for computer users to become victims of cyberextortion, an act in which an attacker takes control of some part of a user’s online life and forces the user to pay a demanded sum to get it back. Most of these ransoms are paid in cryptocurrency because it can be collected without revealing who the attacker is: a bitcoin wallet is not tied to a name, and the payment can be moved on before anyone traces it, much like the good old fashioned gold stolen by pirates.
The favorite tool of the cyberextortionist, and one of the most dangerous forms of malware out there, is ransomware. Like spyware, ransomware usually reaches a user’s computer by being downloaded from somewhere on the internet. The difference this time is that it doesn’t just sit back and watch what happens. Ransomware is malware built to encrypt a victim’s data so that the attacker can demand money in exchange for the key that decrypts it. In a variation of the same scheme, now known as double extortion, the attacker first copies the files off the computer, then encrypts the victim’s copy, and holds the stolen data over the victim’s head with the threat of publishing it if the ransom is not paid.
What separates ransomware from most other malware is that the victims are explicitly notified of an attack. Depending on the hacker, the user may be notified either before an attack or after the malware has already taken hold of the system. And the methods of notification can be pretty creative.
Let’s say you are unknowingly the victim of a phishing scam, and accidentally download ransomware. Once it runs, the program can lock the screen or change the computer’s log-in credentials (a “locker”), or encrypt your files so they can no longer be opened. It then shows you, the user, a notice disguised as a message from an official source such as a law-enforcement agency. The message pops up on the screen and says that this authority has found something seriously wrong with your system, and offers to help you fix it (for a fee, of course). What makes this tactic special is that the user may have no idea that he or she is actually the victim of ransomware at all.
In 2013 and into 2014, we saw a ransomware attack on a massive scale. This ransomware was called CryptoLocker, and it spread like wildfire via infected email attachments (a trojan). Its targets were computer users running the Microsoft Windows OS. Once on the computer, the malware would encrypt the user’s files, then show the user an offer to decrypt the data in return for a fee, paid in bitcoin or a prepaid voucher, by a set time and date. If the user failed to pay the ransom before that deadline, the attackers claimed that the private key needed to decrypt the files would be destroyed, leaving the data permanently locked.
Another massive ransomware attack used a trojan dubbed SimpleLocker, similar in approach to CryptoLocker, which was disguised as a legitimate app for its target victims to download: Android OS users. The victim’s phone would be locked under the pretense that the user had been caught downloading “illegal” material or was accused of viewing or spreading illicit material. If the user wanted his or her phone unlocked, they would have to pay a fee of $20-30. This same family is still being seen today, with some newer versions even hijacking the camera to take pictures of the owner as extra incentive to pay the ransom.
In 2017, there was an attack on a global scale. WannaCry is a worm that, like CryptoLocker, infects computers running the Microsoft Windows OS. However, this malware took advantage of a flaw in SMBv1, the version of Windows’ file-sharing protocol that had been used for decades, by way of the EternalBlue exploit. Microsoft had released a patch (MS17-010) in March 2017, about two months before the May outbreak, but many users had not installed it in time and were infected anyway. What separates WannaCry from CryptoLocker is its ability to spread from computer to computer without any user action: no one has to open an attachment. Over SMB it scans for and infects other machines on the same network and on the internet. This ability to spread so easily makes it possible for it to infect an entire business before the business even recognizes the issue. In fact, many businesses had to shut down after becoming victims, because their computers were completely inaccessible. CEOs had to decide between paying the ransom in order to resume regular operations or waiting until someone else could decrypt their data for them.
Ransomware is so dangerous because of how easily it can be created, spread, and completely halt the regular operations of a business. Once ransomware is running in a system, it is usually too late. However, the single most useful safety measure to limit the damage is to back up all data regularly, and to keep at least one copy offline or otherwise out of reach of the infected machine: ransomware routinely encrypts mapped network drives and any backup disk that is left plugged in, and a backup that was never test-restored may turn out to be useless. With good backups, a victim can wipe the encrypted files, have the malware removed, rebuild the computer from a clean install, and restore the data without losing significant amounts of work. All the files are safe and no ransom is paid, denying the hacker the funding and encouragement they need to keep up their activities. Still, it is better to keep files from getting encrypted in the first place: install security patches promptly, as the WannaCry outbreak showed, and be careful what you open. We at Mission Multiplier urge you to be careful while on the web, even when using your phone. These attacks gain access because someone somewhere was victimized. Don’t let that someone be you.
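As an added example (not from the original post or from Mission Multiplier), the following stdlib-only Python script shows the two defensive checks a practitioner would actually want behind the advice above: spotting that files have been replaced with ciphertext, and proving that a backup restores cleanly. It records a SHA-256 manifest of a document folder when the backup is taken, later compares the live folder against that manifest, flags changed or new files whose contents have the near-maximal byte entropy typical of encrypted data, and finally restores from the backup and verifies every file against the manifest. The three sample documents, the `.locked` extension, the ransom-note filename and the 7.5 bits-per-byte entropy threshold are all constructed for the demonstration; the simulated attacker writes random bytes in place of real ciphertext and uses no cipher at all.

```python
"""Detect ransomware-encrypted files and verify a backup restore (added example, stdlib only).

The "backup" here is a plain directory copy taken before the attack. In real
deployments it must be offline or immutable, or the malware encrypts it too.
"""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # assumed cut-off in bits/byte; text scores ~4-6, ciphertext ~8
MIN_SIZE = 256            # tiny files give noisy entropy estimates, so they are skipped


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, computed from the byte-value histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Heuristic: large enough to judge, and nearly uniform byte distribution."""
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256; this is the record of what a good restore must reproduce."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def scan(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree against the manifest taken when the backup was made."""
    current = build_manifest(root)
    report: dict[str, list[str]] = {"missing": [], "changed": [], "new": [], "suspicious": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)          # original was deleted or renamed away
        elif current[rel] != digest:
            report["changed"].append(rel)          # overwritten in place
    report["new"] = [rel for rel in current if rel not in manifest]
    for rel in report["changed"] + report["new"]:
        if looks_encrypted((root / rel).read_bytes()):
            report["suspicious"].append(rel)       # high-entropy replacement: likely encrypted
    return report


def restore(backup: Path, target: Path, manifest: dict[str, str]) -> bool:
    """Wipe the infected tree, copy the backup back, and prove every file matches the manifest."""
    shutil.rmtree(target)
    shutil.copytree(backup, target)
    return build_manifest(target) == manifest


def simulate() -> dict:
    """Constructed scenario: three documents, a backup, a fake encryption pass, detection, restore."""
    work = Path(tempfile.mkdtemp(prefix="ransom-demo-"))
    docs, backup = work / "docs", work / "backup"
    docs.mkdir()
    for i in range(3):
        (docs / f"report{i}.txt").write_text(f"Quarterly figures, line {i}.\n" * 40)
    shutil.copytree(docs, backup)               # the good copy, taken before the attack
    manifest = build_manifest(docs)

    # Simulated attacker: replace each document with random bytes standing in for
    # ciphertext, give it a new extension, and drop a ransom note. No real cipher is used.
    for p in list(docs.glob("*.txt")):
        p.with_name(p.name + ".locked").write_bytes(os.urandom(4096))
        p.unlink()
    (docs / "HOW_TO_DECRYPT.txt").write_text("Your files are encrypted. Pay to recover them.\n")

    report = scan(docs, manifest)
    restored_ok = restore(backup, docs, manifest)
    shutil.rmtree(work)
    return {"report": report, "restored_ok": restored_ok}


if __name__ == "__main__":
    result = simulate()
    print("missing originals:", result["report"]["missing"])
    print("suspicious (likely encrypted):", result["report"]["suspicious"])
    print("restore verified against manifest:", result["restored_ok"])
```

The entropy heuristic is deliberately conservative: already-compressed formats such as ZIP, JPEG or PDF also score high, so in practice the signal is "many files changed at once and became high-entropy", combined with the appearance of an unknown extension or ransom note, rather than any single file. The restore step is the part most organizations skip; if `restore()` returns False, the backup would not have saved you.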
If you, your organization or company, or someone you know would like more information about our company or how to handle the threat of ransomware, please do not hesitate to reach out to Mission Multiplier at firstname.lastname@example.org.