Ransomware example image your computer has been locked

Being held hostage seems like an uncommon event and more of what we hear from a TV drama. You may be surprised to know the experience of being threatened for a ransom payment in exchange for releasing valuables occurs much more often in the technology realm.

The type of security threat with a focus on restricting access to file or system while demanding payment for a release is known as "Ransomware". In this article, we will walk through the detail characteristics of Ransomware, common attack methods, and counter-measurements to take in case of infection.

Ransomware Definition

The term "ransom" means a payment to free captivity, which is what Ransomware exactly do to the victims. Ransomware is a type of malware with specialties to block user access to the entire host system or certain files until the demanded money gets paid to the hacker. Target victims are both individuals and businesses while the latter usually have larger payments due to the size of infection, spread-out rate, and data access urgency.

Today Ransomware is classified as "A new model of cybercrime with a potential to cause impacts on a global scale." according to U.S. Department of Justice. The total amount of financial damage against business throughout the nation is estimated to exceed $11.5 billion as of 2019.

History of Ransomware

The first known introductory of Ransomware was in 1989 created by Harvard graduate biologist sending out 20,000 floppy disks with the title "AIDS Information - Introductory Diskettes" to the participants of the international AIDS conference. This trojan program was designed to manipulate file names and directory paths when inserting the floppy disk, requesting $189 to be sent by mail for recovery consultant.

After 2006 when asynchronous RSA encryption became easy and popular, Ransomware tactics advanced by utilizing private/public key pair approaches. The technique was used in Archiveus Trojan which encrypts the entire MyDocuments folder and displays a password entry window where a victim can only unlock with a 30-digit password in exchange for a purchase.

What will Ransomware Do to You?

The primary harm caused by Ransomware attacks is driven by access restriction to file or system using encryption techniques. Victims will usually be informed with a generated warning that describes the situation, such as the area of access restriction, amount of ransom to pay, and accepted payment methods. There might also be a clock with a set time limit and threatening message alerting not to report the incident otherwise data will be destroyed.

While some access blockages impact the OS to entirely restrict users from device logins, some apply locks to specific storage devices or files with higher encryption. Attacks that applies data layer encryptions are much more difficult to resolve as data may not be accessible even through connecting the hard drive to a clean device.

There is no guarantee the access restrictions get released after the ransom is paid. There are many cases reported no action was performed by the hacker after the victim finalize the payment. Paying the ransom will only contribute to the success rate of ransomware attacks and encourage such activities.

Types of Ransomware

Locker Ransomware

As the name indicates Locker Ransomware attacks a victim with a lock approach instead of encryption. The lock usually gets applied to the entire system to prohibit any user interactions including login, safe mode, or recovery.

Crypto Ransomware

Utilize the RSA encryption program to partially or entirely encrypt victim data. In the worst case, a whole storage drive can get encrypted restricting data access even from connection through other clean devices. Decryption can only be performed using the public key provided by the ransomware creator.

Examples of Ransomware Attacks

WannaCry

Spread extremely fast rate during 2017 affecting over 150 countries. Most damages were observed at National Hospital Service in the UK causing financial damage estimated to £92 million.

Targets Windows OS vulnerability to encrypt profile systems and PC hard drives, demanding bitcoin payment in exchange for decryption. Some say it was developed by the U.S. National Security Agency and stolen by a cybercriminal group for misusage.

Bad Rabbit

Spread out in 2017 by utilizing an online infection technique called "drive-by" download forcing site visitors to unintentionally install malware. No download dialog, link clicks, or program execution requires for drive-by malware to trigger the infection other than browsing the compromised page.

Bad Rabbit disguised as dialog identical to Adobe Flash upload installer tricking visitors to unwillingly approve the malware installation. To decrypt the hard drive encrypted using DiskCryptor software, bitcoin payment of $280 ransom was demanded with 40 hours time limit.

Locky

One of the most flexible Ransomware able to encrypt over 160 types of files. Designed by a hackers group in 2016 to attack business through email attachment phishing. A hospital in Los Angeles had to pay $17,000 to request a release.

Ryuk

Crypto type ransomware affecting Windows OS in specific. Disables Windows' System Restore feature to restrict users from recovering data through system methods. Ryuk can also encrypt network drives causing a much wider area of data restriction. Financial damage during 2018 went over $640,000 in total.

Jigsaw

The name was inherited from the movie "Saw" as the ransom screen displayed an image of the puppet called Jigsaw. This ransomware had a unique feature of deleting part of data every hour until the demanded ransom was paid.

How to Remove Ransomware after Infection

When an attack is bundled with a ransom exit route, many people feel difficult to avoid paying due to the risk of potentially losing all their data. Although payment sounds like an easy solution, we strongly recommend not taking such an approach as there is a minimum to no guarantee the hacker will keep their promise.

Many antimalware software vendors have developed a feature specialize in ransomware to quickly discover and terminate the root cause. In the best-case scenario, all your data may be recovered and backed up to prepare for any further attacks.

There is some latest ransomware that is so advanced that antimalware software will not be able to provide a solution. To protect us from such threats, the best approach we can take is to keep up with a security practice to prevent infection. Never download third-party application especially from an unofficial website, avoid opening email attachments without a careful caution, and especially scan any files before installation.

References