This is part two of a three-part series. Find part one here.

Ransomware is an epidemic. Every day more businesses, consumers, governments and other organizations are finding their critical data held hostage and collectively paying millions of dollars to get it back. In some cases, such as attacks on hospitals, it is literally threatening lives. And with over 100,000 new variants released every day, ransomware is mutating like a nightmare virus, while the world’s cyber security forces work feverishly to stop it. In fact, ransomware is the number one cyber concern among healthcare organizations according to the Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data.

As with Ebola and Zika and other viral epidemics, experts and potential victims need to understand how the disease attacks and how it spreads so they can protect themselves. The first article in this series looked at the basics of ransomware and its costs to business and consumers. This article will look at some of the “strains” of ransomware and how it infects computers, networks, and other devices, to help your organization practice safer cyber hygiene.

Ransomware in a nutshell

Most ransomware either locks the interface or encrypts files on a computer or network, sends users a ransom message, and, ideally, releases the interface or decrypts the data after the ransom is paid. (Although Richard Walters, senior vice president of security products at Intermedia, recently told TechNewsWorld that companies have a 20 percent chance of not getting their data back after the ransom is paid.) The details of ransomware can and do vary widely, partly to keep attackers ahead of security experts and partly to keep victims off balance and paying.  

According to The ICIT Ransomware Report, the first ransomware appeared in the 1980s, and, ironically, until ten years ago, most of it was fake. Fraudulent spyware removal tools and performance optimizers scared users into paying to fix problems that didn’t really exist. Although the first ransomware that actually denies access to data was developed in 1989, the malware didn’t become common until 2006.

At this point, there are two major types of ransomware:

  • Locker ransomware restricts user access to infected systems by locking up the interface or computing resources within the system. It puts up a display page telling victims to pay through credit vouchers purchased from local stores or money transfer services. According to security software vendor Symantec, locker ransomware accounted for about 36 percent of the ransomware samples it detected in 2014-2015. Attackers have moved away from locker ransomware because the disabled interface prevents victims from paying in cryptocurrencies such as Bitcoin, which are faster and less traceable, and therefore better for the recipients. However, experts expect that locker ransomware may regain popularity with attackers because it can affect mobile devices and devices on the “Internet of Things.”
  • Crypto ransomware encrypts files on the target system so that the computer is still usable, but users can’t access their data. It typically uses strong industry-standard encryption schemes, often with encryption keys that time out, adding urgency to the ransom payment deadline. Crypto ransomware leaves the user interface functioning, so that users can get to the Internet to make ransom payments in cryptocurrency. Symantec says that crypto ransomware makes up 64 percent of the samples that its software detects.

The success of any given ransomware variant depends partly on the technology and partly on how skillfully the attackers are able to exploit the fears of the victims. On the technical side, successful ransomware needs to evade detection by security software long enough to install itself and do its dirty work, and it needs to employ locking or encryption strong enough that it can’t be easily broken. But powerful ransomware is now widely available on the Dark Web for free, so any “script kiddie” (a technically unsophisticated would-be hacker) can mount an attack in return for giving the developer a share of the profits. The successful cyber-extortionist is also able to work the psychological scam, scaring victims into paying rather than taking defensive measures, while giving them reasonable confidence that their systems will be restored, plus enough technical support that they can figure out how to pay in cyber coin.

Ransomware attack vectors

As with other malware, the spread of ransomware often depends on user ignorance, but cyber-extortionists have come up with a few new tricks to infiltrate systems. Ransomware enters systems through four main channels:

  • Social engineering: Ransomware is often downloaded by unwitting users. Phishing emails induce users to click on bad links or download and open malicious attachments. According to the ICIT report, criminals will hire services to redirect users from adult content sites or media piracy sites to their downloads (adding shame to the urgency of fear when the user is trapped), or they will use malvertisement services to bait users from ads on legitimate web sites. Bad guys are also now using social media messaging as an attack vector for malware. This is harder for organizations to defeat because the traffic is now carried over HTTPS/SSL, which makes the malware harder to detect.
  • Layered attacks: Criminals who have already infected a system sometimes sell access to ransomware criminals. The undetected malware on the so-called “zombie” machine can download the ransomware and remain after the ransom is paid, waiting for another opportunity to steal data or extort payment.
  • Embedded: Ransomware is sometimes embedded in seemingly legitimate downloads such as software updates or resume files. Fake Adobe Flash updates are a notorious Trojan horse for delivering ransomware because Flash is so ubiquitous in browsers around the world. As this Symantec post shows, the fake update pages can be very convincing.
  • Self-propagation: Once inside a network, some ransomware can seed itself to additional computers or other devices via SMS messages or a user’s contact list.

While user awareness can help deter the spread of ransomware, the other three sources are more difficult to isolate and stop.

Fighting fear itself

At this point, the technology behind ransomware is formidable, as developers employ stronger encryption and more tactics to elude detection. Eventually, security technology will catch up, but in the meantime, organizations and individuals need to avoid giving in to fear because that is the ransomware criminal’s greatest weapon. Just as the earliest forms of ransomware extorted users with non-existent threats, much of today’s ransomware is not as invincible as it seems, which is why attackers keep coming up with scarier tactics for their malware. One of the most brutal is the Petya virus, described in a recent Kaspersky blog. Not only does the malware attempt to lock the whole hard drive at once rather than slowly encrypting individual files, its user interface is a grinning skull and crossbones made mostly of dollar symbols.

While there is no perfect defense against ransomware, there are remedies that your organization can try before facing the ultimate question, “To pay or not to pay.” The final article in this series will examine preventions, some possible ransomware cures, and steps you should take after the crisis has passed.
