Commodity Ransomware

Ransomware definition

Ransomware is a type of malware that encrypts a victim's files. The attacker then demands a ransom from the victim, promising to restore access to the data once the ransom is paid.

Victims are shown instructions for paying a fee to obtain the decryption key. The demand can range from a few hundred to several thousand dollars, payable to the cybercriminals in Bitcoin.


How ransomware works

Ransomware can gain access to a computer in a variety of ways. One of the most common delivery methods is phishing spam: email attachments sent to the victim that masquerade as a file they should trust. Once downloaded and opened, they can take control of the victim's computer, particularly if they include built-in social engineering tricks that persuade users to grant administrative access. Other, more aggressive forms of ransomware, such as NotPetya, exploit security flaws to infect computers without needing to deceive their victims at all.

Once the malware has gained control of the victim's computer, it can perform a variety of actions, the most common of which is to encrypt some or all of the victim's files. For the technical details, the Infosec Institute has published an in-depth look at how several flavors of ransomware encrypt files. The most important thing to understand, however, is that at the end of the process the files cannot be decrypted without a mathematical key that only the perpetrator holds. The user is told that their files have been encrypted and will only be decrypted if the victim sends an untraceable Bitcoin payment to the attacker.

In some forms of malware, the attacker may pose as a law enforcement agency, locking the victim's computer because it supposedly contains pornography or pirated software and demanding payment of a "fine," possibly to discourage victims from reporting the attack to the authorities. Most attacks, however, don't bother with this ruse. There is also a variant of ransomware known as leakware or doxware, in which the attacker threatens to publish sensitive data from the victim's hard drive unless a ransom is paid. Because finding and extracting such information is difficult for attackers, encryption ransomware remains by far the most common type.

Who is a target for ransomware?

Attackers select the organizations they infect with ransomware using a variety of criteria. Sometimes it is simply a matter of opportunity: attackers may target universities, for example, because they tend to have small security teams and a disparate user base that does a great deal of file sharing, which makes their defenses easier to penetrate.

Other organizations are attractive targets because they appear more likely to pay a ransom quickly. Government agencies and medical facilities, for example, frequently need immediate access to their files and records. Law firms and other organizations holding sensitive data may be willing to pay to keep news of a compromise quiet, and these organizations are particularly vulnerable to leakware attacks.

Even if you do not fall into one of these categories, you should not consider yourself safe, because, as noted above, some ransomware spreads automatically and indiscriminately across the internet.

How to prevent ransomware

A number of defensive measures help prevent ransomware infection. They are good security practice in general, and following them will improve your defenses against a wide range of attacks. These steps include:

Keep your operating system patched and up to date, so that there are fewer vulnerabilities to exploit.

Don't install software or grant it administrative privileges unless you know exactly what it is and what it does.

Install anti-virus software, which detects malicious programs such as ransomware as they arrive, along with whitelisting software, which prevents unauthorized applications from running in the first place.

And, of course, back up your files regularly and automatically. This will not stop a malware attack, but it can significantly reduce the damage one causes.

Ransomware removal

If your computer has been infected with ransomware, you will need to regain control of it. Fortunately, CSO's Steve Ragan has created an excellent video demonstrating how to do this on a Windows 10 computer:

The video contains all of the specifics, but the most important steps are as follows:

Restart Windows 10 in Safe Mode.

Install anti-malware software.

Scan the system to find the ransomware program.

Restore the computer to a previous state.

One important caveat: while these steps can remove the malware from your computer and restore your control over it, they will not decrypt any of the data stored on it. If the malware is sophisticated enough, it is mathematically impossible for anyone to decrypt the files without the key the attacker holds. In fact, by removing the malware you have also eliminated the option of recovering your files by paying the ransom the attackers demanded.

Ransomware facts and figures

Ransomware is a multibillion-dollar industry. There is a lot of money to be made, and the market has grown significantly since the beginning of the decade. In 2017, ransomware caused $5 billion in losses, counting both ransoms paid and the costs of lost time while victims recovered from attacks. This represents a 15-fold increase over the previous year. In the first quarter of 2018 alone, a single ransomware family, SamSam, collected $1 million in ransom payments from victims.

Some sectors are particularly prone to ransomware attacks, and to paying the ransom the attackers demand. Many high-profile ransomware attacks have hit hospitals and other medical organizations, which make tempting targets because attackers know that, when lives are literally on the line, these organizations are more likely to simply pay a relatively low ransom to make the problem go away, which makes for a lucrative business model. An estimated 45 percent of ransomware attacks target healthcare organizations, and an estimated 85 percent of malware infections at healthcare organizations are ransomware-related. Another enticing industry? Financial services, which, as Willie Sutton famously observed of banks, is where the money is. In 2017, an estimated 90 percent of financial institutions worldwide were hit by a ransomware attack.

Even installed anti-malware software may not be enough to protect you. Because ransomware is constantly being written and tweaked by its developers, traditional signature-based anti-virus programs frequently miss it. In fact, up to 75% of businesses that fell victim to ransomware had up-to-date endpoint protection installed on the infected machines at the time of the attack.

In recent years, ransomware has not been as prevalent as it once was. The number of ransomware attacks has indeed declined since peaking in the mid-2010s, but the initial numbers were so high that, according to researchers, it remains a problem today. Ransomware attacks still accounted for 60 percent of all malware payloads in the first quarter of 201

Ransomware on the decline?

What is behind this significant decline? In large part it is an economic decision driven by bitcoin, the cybercriminal's preferred currency for doing business. Extracting a ransom from a victim has always been a hit-or-miss proposition: the victim may or may not decide to pay, and even if they do, they may not know enough about bitcoin to complete the payment safely and securely.

According to Kaspersky, the decline in ransomware has been matched by a rise in so-called crypto-mining malware, which infects the victim's computer and uses its processing power to create (or mine, in cryptocurrency parlance) bitcoin without the owner's knowledge. This is a simple way to obtain bitcoin using someone else's resources, it avoids most of the difficulties of collecting a ransom, and it has only grown more appealing as an attack since the price of bitcoin skyrocketed in late 2017.

This does not mean the threat has gone away. Ransomware attacks fall into two broad types: "commodity" attacks, which try to infect computers indiscriminately through sheer volume and include the "ransomware as a service" platforms that criminals can rent; and "targeted" attacks, which go after particularly vulnerable market segments and organizations. If you fall into the latter category, you should remain vigilant, regardless of whether the recent ransomware boom has passed.