WHAT IS RANSOMWARE?
Ransomware is malicious software that gains access to files and systems and then blocks access to them. Files or entire devices are taken hostage by encryption, and the victim is required to pay a ransom for the key that unlocks what the program has encrypted.
A CryptoWall 4 website offers instructions on how to purchase bitcoins to pay the ransom. Screenshot from Business Insider.
Ransomware has existed for decades, but ransomware variants have become far more sophisticated in their ability to spread, evade detection, encrypt files and coerce users into paying. Ryan Francis, managing editor of Network World and CSO, says that new-age ransomware uses advanced distribution methods such as pre-built infrastructures to distribute new varieties easily and widely, and advanced development techniques such as crypters to make reverse engineering extremely difficult. “Additionally, offline encryption methods are increasingly popular. This ransomware makes use of legitimate system features like Microsoft’s CryptoAPI, eliminating the need for Command and Control (C2) communications.”
After a victim paid the ransom, a CryptoWall website displayed decryption instructions. Screenshot from Business Insider.
Ransomware remains a major threat to individuals and businesses, so it is no surprise that ransomware attacks are getting more sophisticated, harder to stop, and more damaging to victims.
HOW RANSOMWARE ATTACKS WORK
Let’s now look at how ransomware gains access to a company’s files and systems. The term “ransomware” describes the purpose of the software: it is designed to extort businesses or users for financial gain. To hold files and systems for ransom, the program must first gain access to them, and that is done through infection or other attack vectors.
Malware, virus software, and biological illnesses share many similarities, which is why the entry points malware uses are often called “vectors”, just as epidemiology uses that term for the carriers of harmful pathogens. As in the biological world, there are many ways a system can be infected and then ransomed. Technically speaking, these entry points are attack vectors.
Some examples of vector types are:
EMAIL ATTACHMENTS
Ransomware is often delivered through deception: a business is given a compelling reason to open an email attachment, for example an invoice sent to the business owner or the accounts payable department. Like many others in this list, this vector relies on deception to gain access to files and/or systems.
SOCIAL MEDIA MESSAGES
Ransomware attackers also use social media to deceive victims, and the most popular channel for this purpose is Facebook Messenger. Attackers create accounts that impersonate a victim’s current “friends” and use them to send messages with file attachments. Once an attachment is opened, the ransomware gains access to the network and locks it down.
POP-UPS
Screenshot via Fixyourbrowser.
Another common and proven ransomware vector is the online “pop-up”. These pop-ups mimic commonly used software so that users feel at ease with the prompts, but they are ultimately designed to harm the user.
FIRST RANSOMWARE ATTACK
Ransomware is still a major threat today, but the first ransomware attacks took place much earlier. Becker’s Hospital Review states that the first ransomware attack on the healthcare industry was in 1989, and 28 years later the healthcare industry remains a major target of ransomware attacks.
PC Cyborg advisory from 1989. Screenshot originally from Security Focus.
Joseph Popp, Ph.D., an AIDS researcher, launched the first known attack in 1989. He distributed 20,000 floppy disks to AIDS researchers in more than 90 countries. The disks contained a program that assessed an individual’s likelihood of contracting AIDS through a questionnaire. They also carried malware that remained dormant until the computer had been powered on 90 times, and only then activated. The malware demanded $189 in payment and $378 to lease the software. This ransomware attack became known as the AIDS Trojan or PC Cyborg.
THE EVOLUTION OF RANSOMWARE
Although that first ransomware attack was basic at best, and there are reports that it had flaws as well, it set the stage for more sophisticated ransomware attacks.
According to Fast Company, early ransomware developers often wrote their own encryption code. Attackers today are more dependent on “off-the-shelf libraries that are significantly harder to crack” and use more sophisticated delivery methods such as spear-phishing campaigns instead of traditional phishing emails, which are often caught by spam filters.
Many sophisticated hackers are creating toolkits that can easily be downloaded and used by those with lower technical skills. Some of the most advanced cybercriminals monetize ransomware by offering ransomware-as-a-service programs, which has led to the rise in prominence of well-known ransomware like CryptoLocker, CryptoWall, Locky, and TeslaCrypt, to name just a few examples of advanced malware. CryptoWall alone has generated more than $320 million in revenue.
This type of cybercrime was first seen in 1989, but it was not common until the mid-2000s, when ransomware began using more sophisticated encryption algorithms such as RSA. The most popular families of this period were Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive. In 2011 a ransomware worm was discovered that mimicked the Windows Product Activation notice, making it harder for users to distinguish legitimate notifications from threats.
Kaspersky Labs 2014-2015: percentage distribution of ransomware variants. Original image from SecureList.
By 2015, multiple variants of ransomware were infecting users on multiple platforms. Kaspersky’s SecureList shows that the most prevalent ransomware threats from April 2014 to March 2015 were CryptoWall, Cryakl, Scatter, Mor, CTB-Locker, TorrentLocker, Fury, Lortok, Aura, and Shade. According to the report, they were able “to attack 101,568 users worldwide, accounting for 77.48% of all users affected with crypto-ransomware over the period.” The landscape changed dramatically in just one year: Kaspersky’s 2015-2016 research shows that TeslaCrypt, CTB-Locker and Scatter were responsible for attacks on 79.21% of users who encountered any crypto-ransomware.
THE BIGGEST RANSOMWARE ATTACKS AND MOST PROMINENT VARIANTS
Given these advances, it’s not surprising that ransomware has been the most popular attack method in recent years. Ransom demands are also increasing: reports show that the average ransom demand hovered at $300 in the mid-2000s but is now about $500. A ransom demand usually comes with a payment deadline; if the deadline passes, the demand doubles or the files are permanently locked or destroyed.
Ransom charges across 15 major ransomware families. Image via Northeastern University.
CryptoLocker was one of the most lucrative ransomware strains, infecting over 250,000 systems between September and December 2013. It was taken down in 2014 by an international operation.
Its encryption model was then analyzed, and a tool is now available online to recover files encrypted by CryptoLocker. CryptoLocker’s demise led to several imitation ransomware varieties, including CryptoWall and TorrentLocker. In 2014 Gameover ZeuS was resurrected “in the form of a sophisticated campaign sending out malignant spam messages.”
A CryptoLocker ransom message. Image via Computer World.
CryptoWall was one of the most popular ransomware types from April 2014 to early 2016, and many ransomware forms targeted hundreds of thousands of people and businesses in that period. By mid-2015 CryptoWall had already extorted more than $18 million from its victims, and the FBI issued an advisory about the threat.
In 2015, the ransomware known as TeslaCrypt and Alpha Crypt attacked 163 victims, and the attackers responsible raked in $76,522. TeslaCrypt demanded ransoms in Bitcoin, although on occasion My Cash or PayPal cards were used. Ransom amounts ranged from $150 up to $1,000.
Also in 2015, the Armada Collective attacked Greek banks, targeting three Greek financial institutions, encrypting their important files, and hoping to persuade each bank to pay EUR7m. “It is obvious that being able to pull off three types of attacks in five days is very worrying for bank security,” reported Digital Money Times. Each bank was asked for a ransom of 20,000 bitcoins (EUR7m), but the banks refused to pay. Instead, they stepped up their defenses and avoided any further disruption of service, despite repeated Armada attempts.
Ransoms for attacks on larger companies have been reported at up to $50,000; however, a ransomware attack against the Hollywood Presbyterian Medical Center (HPMC) last year allegedly demanded $3.4 million. The attack forced the hospital to revert to pre-computer methods, cutting off access to its network and email for ten days.
The hospital paid just $17,000 to regain access to its vital data after being blocked from all communications systems, including essential computer systems. HPMC has since updated its report to show that the initial reports of a $3.4 million ransom demand were incorrect: the hospital paid $17,000 (40 Bitcoins) in order to restore its operations quickly and efficiently. Just over a week later, the Los Angeles County Department of Health Services was infected by a program that prevented the organization from accessing its data. The agency was able to isolate the infected devices and did not pay the ransom.
In March 2016, ransomware infected more than 9,800 computers at Ottawa Hospital. However, the hospital quickly removed the affected files and, thanks to its backup and recovery procedures, was able to defeat the attackers and avoid paying the ransom.
That same month, ransomware also struck Kentucky Methodist Hospital and California’s Chino Valley Medical Center and Desert Valley Hospital. “Kentucky Methodist Hospital information system director Jamie Reid identified the malware as Locky, a new bug that encrypts files and documents and then renames them with the extension .locky.” BBC.com noted that the hospitals were not harmed and had not paid the ransom. The attack was discovered on March 18, 2016, most systems were restored by March 24, and no patient data was compromised. The attack also caused disruptions at several other hospitals, as many shared systems were taken offline.
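Two points above have a direct defensive consequence: Locky renames each encrypted file to a .locky extension, and ransomware that encrypts offline through CryptoAPI produces no C2 traffic, so host-side file telemetry is often the only signal left. The following Python script is an added example (not code from the original article or from any vendor it names) of a detector that runs over a stream of file events: it flags a burst of renames to a known ransomware extension inside a time window, and a high-entropy write to such a file. The event field names, thresholds, sample paths and sample data are assumptions constructed for illustration.

```python
"""Host-side ransomware behaviour detection over a constructed file-event stream.

Added example; not code from the original article. Event records, field
names, thresholds and paths are assumptions for illustration.
"""
import math
from collections import deque

# Extension the article reports Locky appending to encrypted files.
RANSOM_EXTENSIONS = {".locky"}

RENAME_THRESHOLD = 5     # this many renames to a ransom extension ...
WINDOW_SECONDS = 60.0    # ... inside this window is treated as a burst
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 if empty)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def has_ransom_extension(path: str) -> bool:
    """True if the path ends in a known ransomware extension (case-insensitive)."""
    lower = path.lower()
    return any(lower.endswith(ext) for ext in RANSOM_EXTENSIONS)


def detect(events):
    """Scan file events in time order and return a list of alert strings.

    Each event is a dict with:
      ts       - seconds (float), non-decreasing
      action   - "rename" or "write"
      path     - file path the action applies to
      new_path - renames only: the destination path
      data     - writes only: the bytes written
    """
    alerts = []
    recent = deque()          # timestamps of recent renames to ransom extensions
    burst_reported = False    # report a burst once rather than on every rename
    for ev in events:
        ts = ev["ts"]
        if ev["action"] == "rename" and has_ransom_extension(ev["new_path"]):
            recent.append(ts)
            # Drop renames that fell out of the sliding window.
            while recent and ts - recent[0] > WINDOW_SECONDS:
                recent.popleft()
            if len(recent) >= RENAME_THRESHOLD and not burst_reported:
                alerts.append(
                    f"rename burst: {len(recent)} files renamed to a ransom "
                    f"extension within {WINDOW_SECONDS:.0f}s (latest {ev['new_path']})"
                )
                burst_reported = True
        elif ev["action"] == "write":
            # Entropy alone is noisy (zip/docx/jpeg are already near 8 bits/byte),
            # so require the write to target a ransom-extension path as well.
            h = shannon_entropy(ev["data"])
            if h >= ENTROPY_THRESHOLD and has_ransom_extension(ev["path"]):
                alerts.append(f"high-entropy write ({h:.2f} bits/byte) to {ev['path']}")
    return alerts


# Constructed sample stream: one benign write, one benign rename, six renames to
# .locky in quick succession, then an encrypted-looking write to a .locky file.
SAMPLE_EVENTS = (
    [{"ts": 0.0, "action": "write", "path": "C:/Users/alice/Documents/notes.txt",
      "data": b"Meeting notes: budget review and Q3 action items."},
     {"ts": 0.5, "action": "rename", "path": "C:/Users/alice/Documents/notes.txt",
      "new_path": "C:/Users/alice/Documents/notes.txt.bak"}]
    + [{"ts": float(i), "action": "rename",
        "path": f"C:/Users/alice/Documents/file{i}.docx",
        "new_path": f"C:/Users/alice/Documents/{i:016X}.locky"} for i in range(1, 7)]
    + [{"ts": 7.0, "action": "write",
        "path": "C:/Users/alice/Documents/0000000000000007.locky",
        # bytes 0..255 repeated: uniform distribution, 8.0 bits/byte, like ciphertext
        "data": bytes(range(256)) * 4}]
)


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

In practice the events would come from an EDR or Sysmon file-event feed rather than an in-memory list, the extension list would be fed from threat intelligence, and the thresholds would be tuned per host role: a backup server legitimately rewrites thousands of files, so the rename-burst rule needs a higher threshold there, while the entropy rule is paired with the extension check precisely because compressed document formats already look random.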
The Petya ransomware variant was also introduced in March 2016. Petya is sophisticated ransomware that encrypts the computer’s master file table and replaces it with a ransom note, rendering the computer inoperable until the ransom is paid. It was later updated to include direct file encryption as a failsafe. Petya was also among the first ransomware variants to be offered as part of a ransomware-as-a-service operation.
ZDNet published a May 2016 article stating that the top three ransomware families in the first quarter of 2016 were TeslaCrypt (58.5%), CTB-Locker (23.5%), and CryptoWall (3.4%). These families infected most victims through spam email attachments and links to infected websites.
By mid-2016, Locky was firmly established as the most popular ransomware type, with a PhishMe report stating that Locky had outpaced CryptoWall in February 2016.
Breakdown of ransomware variants observed by PhishMe between January and September 2016. Image via PhishMe.
The ransomware attack on the San Francisco Municipal Transportation Agency (SFMTA) disrupted its train ticketing and bus management systems. It occurred on Black Friday, November 25, 2016, and the attackers demanded a ransom of 100 Bitcoins (worth about $73,000 at the time). Thanks to a quick response and extensive backup processes, the SFMTA was able to restore its systems within two working days. The ransom was not paid, and passengers rode the trains without paying fares for the two days the systems were down. The ransomware used in the attack is believed to have been Mamba, also known as HDDCryptor.