2018-10-07
This type of malware could hit you hard in the pocket. Ransomware has hit the news over the last two years in a way not seen since the "ILOVEYOU" virus at the start of the millennium. The effects of ransomware are very visible; only DDoS attacks come anywhere near in terms of noticeable effects. One of the most high-profile attacks came in 2017, when the WannaCry ransomware hit the NHS and left many systems out of action for days. The same malware also disabled several other large organisations.

Ransomware is increasing, not only in the number of attacks but also in their diversity. The average ransom demanded is also increasing. Worryingly, there is an emerging trend of ransomware that targets specific businesses. This means it is very important that everyone not only knows what ransomware is and how best to avoid it, but also understands what to do in the unfortunate event of becoming a victim.

What is ransomware?

Ransomware, as its name suggests, is designed to extract a ransom payment from a victim in return for the victim regaining control of their files or system. The payment is normally demanded in cryptocurrency, such as Bitcoin or Ethereum. Much like other malware types, ransomware starts an attack by trying to remain undetected, slowly encrypting files one after another to avoid suspicion. It's only once all the targeted files, or the whole system, have been encrypted that the ransomware makes itself known, usually in the form of an impassable splash screen. It's from this splash screen that users are first told that their files are locked and that, in order to retrieve their data, they are required to pay a cash sum. The exact wording of the demand varies between ransomware strains, but most demand some sort of payment within a specified timeframe. Some messages are aggressive in the hope of scaring the user into a quick payment, while others attempt to masquerade as legitimate organisations, such as the FBI.
Ransomware has grown in significance alongside the rise of cryptocurrencies, which offer a means of transferring cash over the internet anonymously. Most attackers favour Bitcoin or Monero, which can cause issues for victims who aren't familiar with crypto trading. The first instance of ransomware was the relatively unsuccessful "AIDS Trojan", which struck in 1989, encrypting the names of files rather than their contents, while the decryption key was hidden within the malware's own code. Despite these errors in deployment, the attack was the first case of a hacker demanding cash in exchange for the secure return of stolen data. Attackers still operate under the same core principles, but are usually far more effective, and more often than not demand payment not in physical currency but in digital coins.

Ransomware has proven to be one of the most prolific forms of malware in recent memory, largely because it requires comparatively little effort on the part of the cyber criminal and can yield incredibly rich rewards. Ransomware tools can be bought pre-assembled from black-market hackers, allowing an attack to be launched easily and cheaply with little to no programming knowledge required.
Ransomware payloads can be delivered by phishing campaigns or malvertising, which are also cheap and easy to deploy, meaning that the attacker basically just has to sit back and wait for the ransom money to roll in. The amount can vary, but according to Symantec's Ransomware and Business 2016 report, the average demand was between $600 and $700, up significantly from the previous year.

Should I pay the ransom?

The short answer is no. Experts strongly advise against giving in to demands even when sensitive data or financial losses from downtime are at stake. One of the reasons there has been such a big jump in both the frequency of ransomware attacks and the amount of money demanded is that attackers believe the tactic is a lucrative one. Paying out will only encourage more attacks, and it may only be a matter of time before it comes back around. Secondly, there's really no guarantee that the encrypted files or hard drive will actually be released after the hacker has been paid; it is just as likely that they will take the money and make a hasty exit.

There are more effective methods for resolving the issue, including reporting this and other kinds of cybercrime to Action Fraud, making sure antivirus and antimalware software is up to date and working, and ensuring you've installed the latest patches for your software. Implementing a backup-and-recovery strategy can also be essential to bounce back after such an attack.

2017 NHS ransomware attack

On 11 May 2017, a huge ransomware attack hit the NHS in England and Scotland, as well as other organisations around the world, including Telefonica in Spain, Deutsche Bahn in Germany, Renault and FedEx. In total, tens, if not hundreds, of thousands of computers in 99 countries were affected.

The infection spread through three vectors. The initial payload (i.e. the ransomware software known as WannaCry or WannaCrypt) was brought into the organisations' networks via a phishing email, with a user clicking on a malicious link or downloading a malicious file. The infection then spread rapidly through the network using two tools thought to have been developed by the NSA, the EternalBlue exploit and the DoublePulsar backdoor, which were released into the wild by the ShadowBrokers hacking group along with a number of other cyber weapons. All the infected computers on the network consequently had their files encrypted, with a ransom message displayed on their screens demanding around $300 in Bitcoin to be paid within three days, or $600 within seven days. It's unclear how many organisations paid, but by Monday 15 May the cyber criminals had made over $40,000, according to the URLs associated with the ransom demands.

Microsoft had released a patch for the vulnerability, which affected all Windows operating systems from Windows 7 through to 8.1, back in March. However, it hadn't been applied to all elements of the affected organisations' networks. There are several reasons this may have occurred, including the need for organisations to carry out a staged roll-out and potential conflicts with other critical systems and software. Another reason is that many organisations still run Windows XP, once again usually due to compatibility issues. As XP is out of support, no patch for it was released in March, leaving all systems running it vulnerable to this attack. 90% of the NHS's IT estate was known to be running XP at the beginning of 2017, its custom support contract having been terminated in 2015. Given the magnitude of the attack, however, Microsoft did create and issue a patch for XP, but advised that organisations and individuals should always apply the latest software updates as soon as possible to protect against threats of this kind.
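The two conditions the account above describes letting WannaCry spread inside a network (the March 2017 security update missing, and the SMBv1 file-sharing protocol that EternalBlue exploited still enabled) are both things a Windows administrator can audit from a script. The following PowerShell check is an added example written for this page, not code from the original article or from Microsoft. It assumes a supported Windows version with the SMB and DISM cmdlets available, and it takes the KB number of the March 2017 update (known as MS17-010) as a parameter, because that update shipped under a different KB ID for each Windows version; the default value is a placeholder to be replaced with the right ID for the host.

```powershell
# Added example (not from the original article): audit one Windows host for the
# exposure described in the WannaCry account above. Run in an elevated
# PowerShell session. Reports only; it changes nothing.
param(
    # Placeholder: replace with the KB ID of the MS17-010 update for this OS version.
    [string]$Ms17010Kb = 'KBxxxxxxx'
)

$findings = @()

# 1. Is the SMBv1 server protocol switched on? EternalBlue targeted SMBv1.
try {
    $smb = Get-SmbServerConfiguration -ErrorAction Stop
    if ($smb.EnableSMB1Protocol) {
        $findings += 'SMBv1 server protocol is ENABLED (disable with Set-SmbServerConfiguration -EnableSMB1Protocol $false)'
    }
} catch {
    $findings += "Could not query SMB server configuration: $($_.Exception.Message)"
}

# 2. Is the SMB1 optional Windows feature installed at all? (Windows 8.1/10 clients.)
try {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
    if ($feature.State -eq 'Enabled') {
        $findings += 'SMB1Protocol Windows feature is installed (remove with Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol)'
    }
} catch {
    # The feature name does not exist on older versions; that alone is not a finding.
}

# 3. Is the March 2017 security update present in the installed hotfix list?
if (-not (Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue)) {
    $findings += "Security update $Ms17010Kb (MS17-010) not found among installed hotfixes"
}

# 4. Report the OS version so unsupported builds (as XP was in 2017) stand out.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host "OS: $($os.Caption) build $($os.BuildNumber)"

if ($findings.Count -eq 0) {
    Write-Host 'No WannaCry-related exposure found on this host.'
} else {
    Write-Host 'Findings:'
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

The script only reports; the remediation commands are printed in the findings so that an administrator can apply them after the staged roll-out and compatibility testing the article mentions. Running it across an estate (for example via a remote session to each host) gives the kind of inventory that shows where a patch was never applied.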