Ransomware

Introduction
Ransomware is a type of malware designed to extort victims into paying the attacker, either to stop a threatened action or to regain access to the infected system. Ransomware is best known for encrypting files on a system and demanding that a ransom be paid in order to decrypt the files. However, ransomware can also lock a user out of their computer by locking the screen rather than encrypting files, or the attacker can obtain certain files and information which they threaten to leak if the victim does not pay the ransom.

The first ransomware can be traced back to 1989 with the AIDS Trojan, which hid the victim's files and encrypted the file names. A message would come up stating that the user's software license had expired and that $189 had to be paid to the PC Cyborg Corporation. However, victims did not have to pay the fee, as the decryption tool could be extracted from the malware's source code. As cryptography advanced, so did ransomware, as it made use of new encryption techniques. As of 2012, ransomware has become a major global threat, with attackers able to spread the malware worldwide from remote locations and use cryptocurrencies as untraceable payments.

The risk posed by a ransomware also depends on the skill and knowledge of its developer. A proper ransomware requires a strong understanding of cryptographic practices, as the attacker needs to make the encryption almost impossible to break and obtaining the decryption key just as difficult. A strong understanding of operating systems is often also required, so that the attacker can ensure no errors occur when the malware encrypts files, and so that they know how to prevent recovery techniques and built-in security mechanisms from removing the malware. Ransomware developed by those who lack such attributes has been found to fail at its objective.

Over the years, ransomware has cost individuals and organizations billions of dollars in damages, with 2017 alone estimated to reach over $5 billion. Although organizations have security measures in place, some of them very advanced, ransomware has still been able to affect hundreds of high-profile organizations, because these organizations often fail to implement appropriate disaster recovery plans or the patches that could have prevented a particular ransomware from successfully infecting a system. One of the biggest risks of ransomware is that even if the victim pays the ransom, there is no guarantee that the attacker will send the decryption key, or the decryption key may not work. If the decryption key does not work, the attackers will not assist in resolving the issue, as they wish to limit communication as much as possible to remain anonymous, and they honestly couldn't care less.

Ransomware is able to infect computers, mobile devices, servers and various Internet of Things (IoT) devices.

Types of Ransomware
There are three main types of ransomware, which are encrypting ransomware, non-encrypting ransomware and leak ransomware.

Encrypting Ransomware
This type of ransomware is the most commonly used, as it can be the most difficult to remediate. The first encrypting ransomware, in 1989, was basic and had one major flaw: it used symmetric encryption with the decryption key hard-coded in the program. This meant that researchers could extract the decryption key from the malware and decrypt the files.

There is a wide range of encrypting ransomware variants in the world, each using different cryptographic techniques. Most modern ransomware makes use of public and private key encryption, which means the decryption key is not hard-coded in the malware and therefore cannot be extracted to decrypt files. The victim's files are usually encrypted with the attacker's public key, and the private key required to decrypt them is usually kept on a server controlled by the attacker.

Non-Encrypting Ransomware
Some ransomware does not encrypt files, but rather uses other techniques to lock down a computer until a fee is paid to unlock it again. This is usually in the form of a screen locker, but it is not a common approach, as this type of ransomware is easier to get around than encrypting ransomware.

In one method, the system's screen is locked and requires a password (known only to the attacker) to unlock it again. In order to get the password, the victim either has to pay in Bitcoin or, in some cases, request an SMS at premium rates. Other types of screen locks display messages that appear to be from a law enforcement agency, accusing the victim of a computer-related crime or of being in possession of illegal content. The message states that a fine needs to be paid, and only once the fine is paid will the user regain access to their computer.

Denial of service (DoS) ransomware is another technique, where the attacker threatens the victim that if they do not pay a ransom, their system or network will be subjected to a denial of service attack. This form of attack is usually targeted at specific, high-profile victims, so it is a rare type of ransomware to encounter.

Since these methods do not encrypt files, it is still possible, and somewhat easier, to retrieve files and data than with traditional ransomware that does encrypt files. This is why encrypting ransomware is the more common type in use; however, non-encrypting ransomware is easier and simpler to develop than encrypting ransomware, which is why a significant number of amateur attackers use this approach.

Leakware
Leakware is a type of ransomware where the attacker claims to have stolen sensitive data from the infected system and threatens to make that data public unless a ransom is paid. A significant number of these cases are nothing more than a scare tactic to con the victim into paying the ransom, and even if the claim is true, it depends what data was actually taken. Often there is no way to prove what data was stolen, which makes this type of ransomware a gamble to challenge.

Targeting the Victim
Ransomware is commonly spread via a Trojan, which means it poses as a legitimate file or program to try to trick the victim into running it. Once executed, the ransomware runs its malicious payload and infects the system.

Emails
One of the most common methods of spreading ransomware is through email. The attacker will often spoof the email address of a legitimate organization and make it appear as though that organization sent the email. The reason for spoofing the email address is firstly to keep the attacker anonymous, and secondly, if the potential victim decides to research the organization before opening the email, they will find the organization's website and see that it is legitimate.

The ransomware is either contained in an attachment, or there is a web link in the body of the email that the victim is instructed to click. Once the attachment is opened, the ransomware runs its payload; if the link is clicked, the victim's browser is redirected to a server where the ransomware is stored, and the malware is downloaded from the server and executed.

Mobile Application Trojans
On mobile devices, some ransomware has been found embedded inside applications the attackers developed. They will often develop an application that may be appealing to the user, in some cases use various techniques to give the application a high rating, and hope the user downloads it. Once the application is installed, the ransomware is executed.

Direct Approach
Some new techniques have been used to spread ransomware, but these are believed to be carried out by highly skilled attackers. The WannaCry ransomware was initially believed to be spread via email; however, further research showed that was not the case. It is believed that the attackers probed the internet for computers using the vulnerable SMBv1 protocol and broke into some of these systems to launch the ransomware. From there, the ransomware (coupled with worm-like properties) began spreading rapidly by itself worldwide with the use of the EternalBlue and DoublePulsar exploits.

Compromised Updates
The NotPetya outbreak, which was initially believed to be a ransomware but turned out to be a wiper, was initially spread via an infected software update. The attackers hacked into the servers of a software company in Ukraine and embedded the malware in its latest software update. When that update was released, customers installed it, which installed the malware as well. From there, NotPetya was able to spread using similar methods to WannaCry. This demonstrates that attackers no longer always have to rely on Trojans to spread their malware; instead they can infect legitimate software updates, which reach users through legitimate means, and the users will not even question them.

Macros
Some Microsoft Office documents have the option to add macros. A macro is a series of commands that can be executed from documents such as Word, Excel and PowerPoint files. These documents can be sent as attachments via email, and when the user enables macros to view the content of the file, the ransomware is executed and the system is infected.

Infection
Once the ransomware is on the system and executed, it runs a malicious payload that installs the malware and starts encrypting files. Ransomware can often encrypt a very wide range of file types, rendering a computer almost useless. Some variants instead encrypt the hard drive or the master boot record (MBR) itself. The ransomware may also be designed to monitor for external devices being connected to the infected system and encrypt those devices as well. This can be a method of preventing recovery tools from being run, or of preventing the victim from restoring backups.
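As an added example (not code from the original page), the following Python script shows the kind of host-side check a defender can run to spot the file-level footprint described above: files whose contents have become high-entropy (as ciphertext is) and whose original document extension has had a new one appended. The file names, the appended extensions ".locked" and ".crypt", and the sample contents are all constructed for the demonstration; no real ransomware artifacts are used.

```python
import math
import os
import random
from collections import Counter

# Document extensions whose files, once encrypted, commonly reappear with an
# extra extension appended (the original name survives inside the new one).
KNOWN_DOC_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png"}

# Bits per byte above which content looks like ciphertext or random data.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(name: str, data: bytes) -> dict:
    """Describe one file: its entropy and whether a known document extension
    is buried under an appended one, as in 'report.docx.locked'."""
    root, _final_ext = os.path.splitext(name)
    inner_ext = os.path.splitext(root)[1].lower()
    entropy = shannon_entropy(data)
    return {
        "name": name,
        "entropy": round(entropy, 2),
        "high_entropy": entropy >= ENTROPY_THRESHOLD,
        "appended_extension": inner_ext in KNOWN_DOC_EXTS,
    }


def suspicious_files(files: dict) -> list:
    """Return names that are both high-entropy and carry an appended extension.
    Either signal alone is weak (a genuine .jpg or .docx is already compressed
    and therefore high-entropy), so both must hold before a file is flagged."""
    flagged = []
    for name, data in files.items():
        c = classify_file(name, data)
        if c["high_entropy"] and c["appended_extension"]:
            flagged.append(name)
    return sorted(flagged)


def build_samples() -> dict:
    """Constructed sample files for the demonstration; not real artifacts."""
    rng = random.Random(7)  # fixed seed so the results are reproducible
    return {
        "report.docx": b"Quarterly figures, unchanged text.\n" * 100,
        "notes.txt": b"meeting at 10\n" * 100,
        # hypothetical encrypted copies: random bytes under a renamed filename
        "report.docx.locked": bytes(rng.getrandbits(8) for _ in range(4096)),
        "photo.jpg.crypt": bytes(rng.getrandbits(8) for _ in range(4096)),
    }


if __name__ == "__main__":
    samples = build_samples()
    for name, data in samples.items():
        print(classify_file(name, data))
    print("suspicious:", suspicious_files(samples))
```

In a real deployment the same two signals would be fed from file-system change events rather than a static dictionary, and a burst of such files under one process within a short window is the trigger worth alerting on, not any single file.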

Ransom Note
Once the encryption process is complete, a ransom note is displayed on the victim's screen explaining what has happened to their system and that a fee of 'X' amount in Bitcoin must be paid to decrypt it. The ransom is generally kept relatively low, often a few hundred dollars. The reason for this is so that victims feel it is cheaper to pay the ransom than to go through the costly process of having their system recovered by security professionals.

There have been some cases where high ransoms were demanded, but these were generally targeted at large organizations and businesses. The ransomware attack on British Lloyds Bank, which was a non-encrypting ransomware, threatened to launch a distributed denial of service (DDoS) attack against the bank unless it paid 75,000 British pounds worth of Bitcoin. A small business or individual faced with such a demand would most likely cut their losses instead of paying the ransom.

Scare Tactics
There are a number of scare tactics attackers use to pressure victims into paying the ransom as quickly as possible. The tactics include the following:

Limited Time
Some ransomware gives the victim a certain amount of time to pay the ransom, usually around three days but no more than a week. If the payment is not made within that time limit, the attacker threatens to put the victim in a worse situation. This often pressures the victim into simply paying the ransom instead of trying to find alternative ways of recovering their system. This scare tactic is the foundation on which the ransomware builds its other scare tactics.

Price Increase
When a ransom is not paid within the initial time limit, the attacker will often increase the price (usually doubling it). With the WannaCry ransomware, the initial ransom was $300 in Bitcoin. If the ransom was not paid within three days, the price doubled to $600 in Bitcoin. This can put the victim in a much harder situation, especially if the victim is a large organization that has to pay for hundreds of encrypted systems.

File Deletion
Some ransomware will threaten to permanently delete the encrypted files if the ransom is not paid. WannaCry also made use of this tactic, but whether it really did delete encrypted files remains uncertain. The victim initially had three days to pay a $300 ransom. After that the fee would double to $600, and after seven days, WannaCry threatened to permanently delete all the encrypted files.

Another ransomware called Jigsaw would encrypt the victim's files and demand a $150 ransom. For every hour the ransom went unpaid, it would delete a number of files from the system, and it is considered the first ransomware to ever threaten permanent deletion of files and actually follow through with that threat.

Data Leakage
The attackers may also claim they have the victim's personal information (or some form of sensitive information) and threaten to leak the data or sell it on the dark web unless the ransom is paid. This can also put the victim in a state of panic and possibly push them into paying the ransom quickly. In some cases the attacker could be bluffing, but it is a great risk to gamble on.

Permanent Encryption
Another tactic is for the ransomware to threaten either not to decrypt the files or to destroy the decryption key if the ransom is not paid within a certain time. If this is the case, the victim can lose vital files and data on their system, making this threat a very dangerous one to challenge. This is regarded as one of the more effective scare tactics, as it is one of the more difficult threats to disprove.

Final Risk
In the event a victim pays the ransom, the biggest risk is the ransomware may not decrypt the files on the system for any of the following reasons:

Development Error
If the author of the ransomware does not fully understand what they are doing, there is a possibility that a programming error resides in the malware. If that error is in the decryption routine, the victim will not be able to decrypt their files. This could be an error in retrieving the decryption key, or a run-time error, where something goes wrong with the program while it is in operation.

Poor Key Management
The ransomware may not handle the cryptographic keys correctly, which could result in the victim obtaining the wrong key, or the server where the key is stored may be configured incorrectly. If the wrong key is used, the decryption will either not work or it can permanently damage the files.

No Concern
Ultimately, the attacker may simply not care about decrypting the victim's files. At the end of the day the attacker has the ransom, and that was their goal; they have no obligation to decrypt victims' systems, because there is no backlash to affect them. Some ransomware has been found to have only an encryption routine and no decryption routine at all. This is the most prevalent risk involved with paying the ransom: there is no guarantee you will get your files back, and the attacker remains anonymous, which means there is no one to report in order to get your money back.

Protection
There are a number of ways to protect against ransomware, and if more organizations and individuals had implemented these measures, the damaging costs of ransomware in recent years might not have been as high as they are now.

Data Backup
One of the most common measures recommended is doing frequent data backups. This usually entails making copies of files and data on the system and storing them on an external device such as an external hard drive or a storage server. This external storage is often not connected to the internet and is often only connected to the network while a backup is being performed. In the event of a ransomware infection, the victim can resort to the backups made and, if they were done properly, will not have to worry about the infected system.
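As an added example (not code from the original page), the Python script below shows the two checks that make a backup usable in the scenario just described: a SHA-256 manifest written alongside the copies, so the backup set can be verified as intact before it is trusted, and a comparison of the live files against that manifest, so the files that need restoring can be identified. The directory layout, the file names and the manifest file name MANIFEST.json are assumptions made for the demonstration; the demo runs entirely inside a temporary directory.

```python
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST_NAME = "MANIFEST.json"  # assumed name for the hash manifest


def sha256_of(path: str) -> str:
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root_dir: str):
    """Yield (relative_path, absolute_path) for every file, skipping the manifest."""
    for root, _, files in os.walk(root_dir):
        for name in files:
            if name == MANIFEST_NAME:
                continue
            full = os.path.join(root, name)
            yield os.path.relpath(full, root_dir).replace(os.sep, "/"), full


def make_backup(src_dir: str, backup_dir: str) -> dict:
    """Copy every file from src_dir to backup_dir and record its hash in a manifest."""
    os.makedirs(backup_dir, exist_ok=True)
    manifest = {}
    for rel, src in _walk(src_dir):
        dst = os.path.join(backup_dir, *rel.split("/"))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
        manifest[rel] = sha256_of(dst)
    with open(os.path.join(backup_dir, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def load_manifest(backup_dir: str) -> dict:
    with open(os.path.join(backup_dir, MANIFEST_NAME)) as f:
        return json.load(f)


def _mismatches(base_dir: str, manifest: dict) -> list:
    """Manifest entries whose file under base_dir is missing or hashes differently."""
    bad = []
    for rel, digest in manifest.items():
        path = os.path.join(base_dir, *rel.split("/"))
        if not os.path.isfile(path) or sha256_of(path) != digest:
            bad.append(rel)
    return sorted(bad)


def verify_backup(backup_dir: str) -> list:
    """Files inside the backup that no longer match the manifest (should be empty)."""
    return _mismatches(backup_dir, load_manifest(backup_dir))


def changed_since_backup(live_dir: str, backup_dir: str) -> list:
    """Live files that differ from their backed-up copy; candidates for restore."""
    return _mismatches(live_dir, load_manifest(backup_dir))


def run_demo() -> dict:
    """Constructed scenario: back up two files, then overwrite one live file with
    unreadable bytes standing in for an encrypted copy."""
    work = tempfile.mkdtemp()
    live, backup = os.path.join(work, "live"), os.path.join(work, "backup")
    os.makedirs(os.path.join(live, "docs"))
    with open(os.path.join(live, "docs", "report.txt"), "w") as f:
        f.write("quarterly figures\n")
    with open(os.path.join(live, "notes.txt"), "w") as f:
        f.write("meeting notes\n")
    make_backup(live, backup)
    with open(os.path.join(live, "docs", "report.txt"), "wb") as f:
        f.write(bytes(range(256)))  # constructed stand-in for ciphertext
    result = {
        "backup_intact": verify_backup(backup),          # [] means the backup is clean
        "live_changed": changed_since_backup(live, backup),
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(run_demo())
```

The manifest only proves integrity, not isolation: the backup medium still has to be disconnected between runs as the section says, otherwise ransomware that watches for attached devices will encrypt the copies and the manifest together.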

Antivirus
Make sure you have a reputable antivirus installed on your system and, more importantly, make sure it stays up to date. Antivirus software often makes use of signatures to detect malware and can help prevent ransomware from running on your system. In the event of an outbreak, security vendors often obtain samples of the malware and generate a signature as quickly as possible to send out to their customers. An antivirus becomes useless once it is outdated. Some suites come with specialized anti-ransomware mechanisms. Make sure that you get a recognized antivirus and do not fall victim to rogue security software, which will not provide you with any protection. Always do research before purchasing.

Patching and Updating
Make sure your system is up to date and has the latest security patches. These often fix vulnerabilities that ransomware can exploit. Microsoft released a critical patch for the SMBv1 vulnerability in March 2017. Two months later, WannaCry was launched and exploited this vulnerability to propagate through networks. Since so many systems did not have this patch installed, they fell victim to the ransomware. Organizations and individuals often overlook patches because they are time consuming or, for organizations in some cases, costly, and often people simply do not understand or believe in the importance of patches and updates. This measure can play a huge role in preventing you from becoming a victim.

Only Download Content from Reputable Sources
A number of people become victims by downloading content from the internet. Often people download software and media files illegally from torrent websites, and some of these files are infected. Some software is downloaded from websites with poor security reputations, and as a result users download infected files. So what seems to be a free computer utility ends up infecting your computer with ransomware once installed.

The same goes for mobile application downloads. The legitimate application stores charge fees for a number of their applications, but some third-party stores offer free downloads of full versions of an application. These illegal copies can contain files infected with ransomware, or may only pose as the desired app but in reality be ransomware.

Be Careful what Websites you Visit
Not all websites are secure, and some pose a security risk. Some websites display online adverts, and some of these ads are created by attackers. When the user clicks on the advert, malware can be downloaded onto their device and installed without the user's consent; sometimes this malware is a form of ransomware. Other websites are hacked and compromised by attackers in such a way that when someone visits the site, a download is triggered (known as a drive-by download) and, without knowing it, the user has ransomware installed on their system.

Check File Extensions of Email Attachments
Email is one of the most common methods of spreading ransomware to potential victims, and the malware is often in the email attachment. The attacker spoofs a legitimate email address as the sender and sends an email, often regarding a payment, with the invoice attached. The invoice usually has the ransomware embedded in it or is the ransomware file itself. The file extension of an attachment can often give away its true nature. PDF and Microsoft Office files (Word, Excel, PowerPoint, etc.) are legitimate document types, but they may have macros embedded within them that will run the ransomware. Other attachments have .exe (executable file), .vbs (Visual Basic Script) or .js (JavaScript) file extensions, for example. Invoices will never have these extensions, because an invoice is never an executable, and .vbs and .js files are scripts that run program code.

The image on the right is a screenshot of a blocked email. The sender's email address is spoofed to hide the attacker's identity, and the business that appears to be sending the email is a legitimate business; however, it did not send the email. An attachment accompanies the email claiming to be an invoice called INV-000434, but if you look at the file extension, it is a Visual Basic Script file. If this attachment were opened, the ransomware would install and infect the computer. This email was part of the massive spam campaign launched by the Locky ransomware developers, which sent out over 23 million spoofed emails within 24 hours. The image on the left is from the same email campaign, but this one relies on a malicious web link ("View your bill online") that, once clicked, downloads and installs the ransomware from the attacker's server and infects the computer. This avoids exposing a suspicious file extension, making it a bit more difficult to determine whether the email is malicious or was genuinely sent to the user by mistake.

If you are ever suspicious of an email, regardless of how legitimate it seems, contact the organization that appears to have sent it and confirm with them whether the email is genuine. Tools exist that allow attackers to replicate email formats perfectly and make them look identical to those of the organization they are posing as. Be careful of attachments with unusual file extensions, and be careful of allowing macros to run in Microsoft Office files that arrived as email attachments.
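As an added example (not code from the original page), the following Python script turns the attachment and link advice in this section into a mail-gateway style triage rule: script and executable extensions are blocked outright, a document extension hiding under a script extension (as in the INV-000434 example) is blocked with a note about the disguise, macro-capable document types are queued for review, and a "view online" link is compared against the sender's domain. The extension lists, the verdict names, the helper names and the sample file names and addresses are assumptions constructed for the demonstration.

```python
from typing import List, Tuple
from urllib.parse import urlparse

# Extensions that run code when opened; an invoice is never one of these.
EXECUTABLE_EXTS = {".exe", ".vbs", ".js", ".jse", ".wsf", ".scr", ".bat", ".cmd", ".ps1", ".hta"}
# Legitimate document types that can still carry macros or embedded scripts.
DOCUMENT_EXTS = {".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx",
                 ".ppt", ".pptm", ".pptx", ".pdf"}


def attachment_suffixes(filename: str) -> List[str]:
    """All dotted suffixes, lower-cased: 'INV-000434.pdf.vbs' -> ['.pdf', '.vbs']."""
    parts = filename.strip().lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify_attachment(filename: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'."""
    suffixes = attachment_suffixes(filename)
    if not suffixes:
        return "review", "no file extension"
    final = suffixes[-1]
    if final in EXECUTABLE_EXTS:
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTS:
            return "block", f"{final} script/executable disguised with a {suffixes[-2]} extension"
        return "block", f"{final} is an executable or script extension"
    if final in DOCUMENT_EXTS:
        return "review", f"{final} documents can carry macros; never enable macros to view an invoice"
    return "allow", f"{final} is not on either watch list"


def triage(attachments: List[str]) -> dict:
    """Map each attachment name to its verdict."""
    return {name: classify_attachment(name)[0] for name in attachments}


def link_matches_sender(sender: str, url: str) -> bool:
    """True if the link's host is the sender's domain or a subdomain of it.
    A mismatch is the cue to confirm with the organization before clicking."""
    sender_domain = sender.rsplit("@", 1)[-1].strip().lower().rstrip(">")
    host = (urlparse(url).hostname or "").lower()
    return host == sender_domain or host.endswith("." + sender_domain)


# Constructed sample names modelled on the page's description of the Locky campaign.
SAMPLE_ATTACHMENTS = [
    "INV-000434.vbs",
    "INV-000434.pdf.vbs",
    "invoice.docm",
    "statement.pdf",
    "photo.png",
    "README",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(name, classify_attachment(name))
    # constructed addresses and URLs
    print(link_matches_sender("billing@example.com", "https://example.com/bill/123"))
    print(link_matches_sender("billing@example.com", "https://example-bill.net/view"))
```

The rule is deliberately conservative: a file with no extension and every document type lands in "review" rather than "allow", because the section's point is that a legitimate-looking invoice format is exactly where a macro is hidden.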

Disable Remote Desktop Protocol (RDP)
RDP is a Windows feature that allows a user to remotely access another computer. Some attackers try to exploit it in order to install and run ransomware on the targeted system. It is usually used by organizations to work on client computers for various reasons, so on home computers, or if your organization does not use this tool, disable it. This is one less technique attackers can use to infect your system.

Disconnect from the Internet
In the event that ransomware is spreading on your network, it is advised to disconnect from the network and the internet immediately. This can prevent the ransomware from communicating with the attacker's command and control (C&C) server and from effectively encrypting all your files. However, there have been reports of ransomware that is capable of working offline. Disconnecting from the network during a ransomware attack may also prevent the malware from reaching your device if it has worm-like properties.

Read Reviews
For mobile applications, always read the reviews and look for comments where users gave the lowest rating to see what could have gone wrong. Often Trojan applications do not work well, because all they have to do is get the user to download them and run them once in order to infect the device. Therefore very little effort goes into the functionality of the fake app and more into the ransomware.

Notable Ransomware
Below is a list of some of the most notable ransomware:

WannaCry
One of the first ransomware families to make use of worm-like properties to spread through networks by itself and infect computers.

CryptoLocker
Launched in 2013, this ransomware demonstrated how successful and profitable ransomware was. From there, other ransomware types have emerged and the threat of ransomware has been growing rapidly.

Locky
This ransomware has been around since 2016 and there is still no free recovery option. It uses very strong encryption and can even encrypt Windows Volume Snapshot Service data to prevent victims from restoring files.

Mamba
This ransomware uses the DiskCryptor utility, which uses strong encryption mechanisms. It generates passwords for the utility on each infected computer and demands a ransom in return for the password.

Reveton
This is a type of ransomware that locks the victim's computer and displays a message appearing to be from a law enforcement agency. The note will claim the victim was found with illegal content on their computer and must pay a "fine" to unlock their computer.

KeRanger
This was the first ransomware to attack Apple computers and encrypted all files on the system.

TeslaCrypt
This ransomware targeted video game content that many gamers would download, with the result that victims ended up having their files encrypted. It also received constant updates correcting flaws that could have allowed file recovery, which makes recovering files almost impossible.

SimpleLocker
This was the first Android-based ransomware that encrypted Android files.