All you need to know about ransomware in 60 seconds
Ransomware is one of the biggest problems on the web right now. It’s a form of malicious software — malware — which encrypts documents on a PC or even across a network. Victims can often only regain access to their encrypted files and PCs by paying a ransom to the criminals behind the ransomware.
Cybercriminals didn't use to be so obvious. If hackers infiltrated your corporate network, they would do everything possible to avoid detection: it was in their best interests not to alert the organisation that it had been compromised at all.
But now, if you are attacked with file-encrypting ransomware, criminals will brazenly announce they’re holding your corporate data hostage until you pay a ransom in order to get it back.
What is the history of ransomware?
While ransomware exploded in 2016, increasing by an estimated 748 percent, it's not a new phenomenon: the first instance of what we now know as ransomware, the AIDS Trojan, appeared in 1989.
The AIDS Trojan's demand for payment, sent by post.
How did ransomware evolve?
Crude as it was, it set off a new branch of computer crime, which slowly but surely grew in reach, and really took off in the internet age. Before they began using strong cryptography to target corporate networks, hackers were targeting general internet users with basic ransomware.
One common form was so-called 'police' ransomware, which locked the screen with a message claiming to come from law enforcement and accusing the user of an offence such as downloading pirated material. If the victim paid a 'fine', the 'police' would let the infringement slide and restore access to the computer by handing over the decryption key. Of course, this had nothing to do with law enforcement; it was criminals exploiting innocent people.
While somewhat successful, these forms of ransomware often simply overlaid their ‘warning’ message on the user’s display — and rebooting the machine could get rid of the problem and restore access to files which were never really encrypted.
What are the main types of ransomware?
Perhaps the most notorious form of ransomware is Locky, which terrorised organisations across the globe throughout 2016. It infamously made headlines by infecting a Hollywood hospital. The hospital gave into the demands of cybercriminals and paid a $17,000 ransom to have its networks restored.
While not as prolific as it once was, Locky remains one of the most dangerous forms of ransomware, regularly going quiet before reemerging with new attack techniques.
Like Locky, Cryptowall has regularly been updated in order to ensure its continued success and even scrambles file names to make it harder for victims to know which file is which, putting additional pressure on the victim to pay.
While some ransomware developers — like those behind Locky or Cryptowall — closely guard their product, keeping it solely for their own use, others happily distribute ransomware to any wannabe hacker keen to cash in on cyber-extortion — and it’s proved to be a very successful method for wide distribution.
Cerber, sold to affiliates as ransomware-as-a-service, has become so successful that it has surpassed Locky (which appeared to mysteriously disappear over Christmas before reemerging in April with new attack techniques) to become the most dominant form of ransomware on the web, accounting for 90 percent of ransomware attacks on Windows as of mid-April 2017.
Not content with making money from ransom payments alone, Cerber now also steals bitcoin wallet and password information in addition to encrypting files.
Indeed, now some criminal groups offer this type of ransomware-as-a-service scheme to potential users for no cost at the point of entry. Instead of charging a fee for the ransomware code, they want a 50 percent cut of the ransom payments.
In the biggest ransomware attack to date, WannaCry — also known as WannaCrypt and Wcry — caused chaos across the globe in an attack which started on Friday 12 May 2017.
WannaCry ransomware infected unpatched Windows systems across the globe.
More than 300,000 systems in over 150 countries were infected over the course of one weekend, with businesses, governments, and individuals across the globe all affected.
Of all the countries affected by the attack, Russia was hit the hardest, according to security researchers, with the WannaCry malware crashing Russian banks, telephone operators, and even IT systems supporting transport infrastructure. China was also hit hard by the attack, with 29,000 organisations in total falling victim to this particularly vicious form of ransomware.
What the victims had in common was that they were running Windows systems that had not been patched against the SMBv1 vulnerability exploited by EternalBlue: either supported versions that had not yet received Microsoft's March 2017 update (MS17-010), or unsupported versions including Windows XP, Windows 8, and Windows Server 2003, for which no patch was available at the time.
In response to the attack, Microsoft took the unprecedented step of issuing patches for unsupported operating systems to protect against the malware.
It was almost three months before the WannaCry attackers finally withdrew the funds from the WannaCry bitcoin wallets — they made off with a total of $140,000 thanks to fluctuations in the value of bitcoin.
The public dump of the EternalBlue exploit behind WannaCry has led to various hacking groups attempting to leverage it to boost their own malware.
What is Petya/NotPetya/GoldenEye?
In June 2017, a second global outbreak followed. This cyberattack first hit targets in Ukraine, including its central bank, main international airport, and even the Chernobyl nuclear facility, before quickly spreading around the globe, infecting organisations across Europe, Russia, the US, and Australia.
Petya ransom note
This second form of ransomware also used the EternalBlue Windows exploit, which gave WannaCry its worm-like ability to spread through networks on its own rather than relying on an email attachment, as is usually the case, and let it hit 300,000 computers around the world. NotPetya additionally harvested credentials from infected machines and used legitimate Windows administration tools to move laterally, so even fully patched hosts on the same network could be infected.
The attackers asked for a $300 ransom in bitcoin, with proof of payment to be sent to a single email address, which has since been shut down by the email provider. However, the fact that this otherwise sophisticated ransomware was equipped with such basic, non-automated means of collecting ransoms (one shared inbox, no payment portal) has led some to suggest that money wasn't the goal.
Whatever the aim of the attack, it significantly impacted the finances of the organisations that became infected. UK consumer goods firm Reckitt Benckiser said it lost £100m in revenue as a result of falling victim to Petya.
What is Bad Rabbit ransomware?
In October 2017, another outbreak followed. Dubbed Bad Rabbit, it infected at least three Russian media organisations while also infiltrating the networks of several Ukrainian organisations including the Kiev Metro and Odessa International Airport; at the time, the airport said it had fallen victim to a 'hacker attack'.
Bad Rabbit ransom note
Like NotPetya before it, Bad Rabbit spread through networks using a leaked NSA hacking tool – but this time it was via the EternalRomance SMB vulnerability, rather than EternalBlue.
Bad Rabbit was named after the text which appeared at the top of the Tor website hosting the ransom note. Some security researchers joked it should’ve been named after the lines in the code referencing characters from Game of Thrones.
Obviously, the most immediate cost associated with becoming infected with ransomware — if it’s paid — is the ransom demand, which can depend on the type of ransomware or the size of your organisation.
The most common ransom paid amongst small and medium-sized businesses was between £500 and £1500, proving that there’s still easy money to be made from targeting organisations of this size.
Ultimately, whatever the size of the company, time is money, and the longer your network is down because of malware, the more it’s going to cost your business.
There’s also the risk of customers losing trust in your business because of poor cybersecurity and taking their custom elsewhere.
To put it simply: ransomware could ruin your business. Being locked out of your own files by malware for even just a day will impact your revenue. But given that ransomware takes most victims offline for at least a week, or sometimes months, the losses can be significant. Systems stay offline for so long not just because ransomware locks them, but because of all the effort required to clean up and restore the networks.
How does ransomware infect your PC?
Like other forms of malware, ransomware is sent out en masse by botnets, in millions of malicious phishing emails. Criminals use a variety of lures to encourage targets to open a ransomware email, from offers of financial bonuses and fake online purchase receipts to job applications from prospective employees.
While some messages give away clues to their malicious nature with poorly-worded messages or strange return addresses, others are specially tailored to look as convincing as possible, and appear no different from any other message the victim might be sent.
But it's not just email attachments you need to worry about: one recent malvertising campaign managed to infect PCs with ransomware without users even clicking on the malicious adverts. Visiting the compromised website was enough to be infected, because the attackers were using the Astrum exploit kit to exploit an old Flash vulnerability, according to a security firm.
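Since email attachments are the main delivery route described above, the following added example (not code from the article or from any security firm it cites) shows how a mail gateway or SOC script can screen a message for the attachment types that typically carry ransomware droppers: script files, macro-enabled Office documents, and archives that hide either behind a double extension. The extension lists and the sample 'receipt' message are constructed assumptions, not data from the page.

```python
"""Screen an e-mail for attachment types commonly used to deliver ransomware.

Added example for this article, not code from any vendor it mentions.
The extension lists and the sample message are constructed assumptions.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that execute code or carry macros when opened on Windows.
# Assumed starting lists for illustration, not an exhaustive policy.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr", ".lnk"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
ARCHIVE_EXTENSIONS = {".zip"}
DECOY_EXTENSIONS = {".pdf", ".doc", ".txt", ".jpg"}


def _ext(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _double_extension(name: str) -> bool:
    """'invoice.pdf.js' style names meant to hide the real file type."""
    parts = name.lower().split(".")
    return len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS


def classify_name(name: str, where: str = "attachment") -> list:
    """Findings for one file name; empty list means nothing suspicious."""
    findings = []
    ext = _ext(name)
    if ext in SCRIPT_EXTENSIONS:
        findings.append(f"{where} '{name}': executable script/binary ({ext})")
    elif ext in MACRO_EXTENSIONS:
        findings.append(f"{where} '{name}': macro-enabled Office document ({ext})")
    if _double_extension(name):
        findings.append(f"{where} '{name}': double extension disguises file type")
    return findings


def inspect_zip(name: str, data: bytes) -> list:
    """Look inside an archive: a script inside a .zip is a classic lure."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                findings += classify_name(member, where=f"member of '{name}'")
    except zipfile.BadZipFile:
        findings.append(f"attachment '{name}': corrupt or non-zip archive")
    return findings


def screen_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and return all attachment findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        findings += classify_name(name)
        if _ext(name) in ARCHIVE_EXTENSIONS:
            findings += inspect_zip(name, data)
    return findings


def build_sample_message() -> bytes:
    """Constructed lure: a 'receipt' whose zip hides a JScript downloader stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("receipt_84821.pdf.js", "// JScript stub; no real payload\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Your online purchase receipt"
    msg.set_content("Please find your receipt attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="receipt.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in screen_message(build_sample_message()):
        print(line)
```

Running the script against the constructed message reports the `.js` member inside `receipt.zip` twice: once as an executable script and once for its `.pdf.js` double extension, while the plain PDF produces nothing. In production the same logic belongs at the gateway, before the message reaches a user, and the lists should be driven by policy rather than hard-coded.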
Any business can find itself a victim of ransomware, but perhaps the most high-profile incident occurred when the Hollywood Presbyterian Medical Center in Los Angeles became infected with Locky ransomware. The malware infection left doctors and nurses unable to access patient files for days, until the hospital opted to give into the ransom demands of hackers in order to restore services.
Locky is one of the most successful forms of ransomware.
Hospitals and other healthcare organisations are popular targets for ransomware attacks, because they are often willing to pay. Losing access to data is a life-or-death matter for them — and hospitals don’t want to be held responsible for letting people die due to poor cybersecurity. However, there are even cybercriminals who think attacking hospitals is too despicable an activity.
Why are small businesses targets for ransomware?
Why is ransomware so successful?
If organisations weren’t giving in to ransom demands, criminals would stop using ransomware. But businesses do need access to data in order to function so many are willing to pay a ransom and get it over and done with.
What does bitcoin have to do with the rise of ransomware?
Bitcoin lets criminals collect payment from anywhere in the world without going through a bank that could block the transfer or identify the recipient, which is why ransom demands are almost always made in cryptocurrency. Cybercriminal gangs are becoming more professional, too: some even offer customer service and help for victims who don't know how to acquire or send bitcoin, because what's the point of making ransom demands if users don't know how to pay? Some organisations have even stockpiled cryptocurrency in case they get infected and have to pay a ransom in bitcoin in a hurry.
How do you prevent a ransomware attack?
There’s also something to be said for enabling employees to learn from making mistakes while within a safe environment. For example, one firm has developed an interactive video experience which allows its employees to make decisions on a series of events then find out the consequences of those at the end. This enables them to learn from their mistakes without suffering any of the actual consequences.
How long does it take to recover from a ransomware attack?
If your organisation is sensible and has backups in place, systems can be back online in the time it takes the network to be restored to functionality, although depending on the size of the company, that could range from a few hours to days.
A month on from the outbreak, Reckitt Benckiser confirmed that some of its operations were still being disrupted and wouldn’t be fully up and running until the end of August — two months on from the initial Petya outbreak.
Outside of the immediate impact ransomware can have on a network, it can result in an ongoing financial hit. Any time offline is bad for a business as it ultimately means the organisation can’t provide the service it sets out to — and can’t make money — but the longer the system is offline, the bigger that can be.
How do I get rid of ransomware?
The No More Ransom portal, a joint effort between law enforcement agencies and security companies, initially launched offering decryption tools for four families of ransomware (Shade, Rannoh, Rakhni, and CoinVault) and regularly adds tools for further families, including CryptXXX, MarsJoke, TeslaCrypt, Wildfire and Nemucod.
No More Ransom recently celebrated its one year anniversary and has grown from offering a set of four tools to carrying 54 decryption tools covering 104 families of ransomware. So far, these tools have decrypted more than 28,000 devices, depriving criminals of £7m ($9m) in ransoms.
The No More Ransom portal offers free ransomware decryption tools.
Individual security companies also regularly release decryption tools to counter the ongoing evolution of ransomware — many of these will post updates about these tools on their company blogs as soon as they’ve cracked the code.
Another way of working around a ransomware infection is to ensure your organisation regularly backs up data offline. It might take some time to transfer the backup files onto a new machine, but if a computer is infected and you have backups, it’s possible just to isolate that unit then get on with your business. Just make sure that crypto-locking crooks aren’t able to encrypt your back-ups too.
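To make the advice about keeping backups out of the crooks' reach concrete, here is an added example (not from the article or from any backup product) that records a SHA-256 manifest of a backup tree and later checks the tree against it, flagging files that went missing, changed, or appeared with encrypted-looking content. The directory layout, the simulated encryption step and the 7.5 bits-per-byte entropy threshold are assumptions made for illustration.

```python
"""Verify that an offline backup set has not been altered or encrypted.

Added example for this article, not code from any product it mentions.
The sample tree, the simulated attack and the entropy threshold are
constructed assumptions.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # assumed: ordinary documents sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def _walk(root: str):
    """Yield (relative path, absolute path) for every file under root."""
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            full = os.path.join(dirpath, fn)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_manifest(root: str) -> dict:
    """Map each file to its SHA-256; store the result where the backup host cannot write."""
    manifest = {}
    for rel, full in _walk(root):
        with open(full, "rb") as fh:
            manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def verify_backup(root: str, manifest: dict) -> dict:
    """Compare the tree against the manifest and flag files that look encrypted."""
    report = {"changed": [], "missing": [], "unexpected": [], "high_entropy": []}
    seen = set()
    for rel, full in _walk(root):
        seen.add(rel)
        with open(full, "rb") as fh:
            data = fh.read()
        digest = hashlib.sha256(data).hexdigest()
        if rel not in manifest:
            report["unexpected"].append(rel)
        elif manifest[rel] != digest:
            report["changed"].append(rel)
        # Entropy is only meaningful on files with enough bytes to sample.
        if len(data) >= 256 and shannon_entropy(data) > ENTROPY_THRESHOLD:
            report["high_entropy"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    return report


def demo() -> dict:
    """Constructed scenario: a clean backup, then ransomware reaches the share."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.makedirs(docs)
        for i in range(3):
            with open(os.path.join(docs, f"report{i}.txt"), "w") as fh:
                fh.write("Quarterly figures, all normal.\n" * 40)
        manifest = build_manifest(root)

        # Simulate encryption of one file: overwrite it with random bytes and
        # give it a new extension, as many ransomware families do.
        victim = os.path.join(docs, "report1.txt")
        with open(victim, "wb") as fh:
            fh.write(os.urandom(4096))
        os.rename(victim, victim + ".locked")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest somewhere neither the backup host nor the systems being backed up can write to (write-once media, or a separate account), otherwise an attacker who reaches the backup can simply regenerate it. The entropy check is a heuristic: legitimately compressed or encrypted archives also score high, so treat a hit as something to investigate rather than as proof of compromise.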
There are those who say victims should just pay the ransom, citing it as the quickest and easiest way to retrieve their encrypted data, and many organisations do pay even though law enforcement agencies warn against it.
Paying is no guarantee of getting your files back, though. For example, a type of ransomware targeting Linux discovered earlier this year demanded a bitcoin payment but stored the encryption keys neither locally nor on a command-and-control server, so paying the ransom was futile at best: nobody, including the attackers, could decrypt the files.
Ransomware is continually evolving, with an increasing number of variants now engaging in additional activities such as stealing data or weakening infected computers in preparation for future attacks.
And ransomware isn’t just a problem for Windows PCs; Apple Macs are vulnerable to it too.
Smartphones are not immune either. Ransomware attacks against Android devices have increased massively, as cybercriminals realise that many people aren't aware that smartphones can be attacked and their contents (often more personal than what we keep on PCs) encrypted for ransom.
Researchers demonstrate ransomware in an in-car infotainment system.
Ransomware and the Internet of Things
There’s even the potential that hackers could infect medical devices, putting lives directly at risk.