What is ransomware?


Ransomware is a type of malware from cryptovirology that threatens to publish the victim’s data, or to permanently block access to it, unless a ransom is paid.

Some simple ransomware locks the system in a way that a knowledgeable person can reverse without much difficulty, but more advanced malware uses a technique called cryptoviral extortion.

In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is infeasible. In addition, the ransom is demanded in difficult-to-trace digital payment methods such as paysafecard or Bitcoin, which makes tracking and prosecuting the perpetrators difficult.

Ransomware attacks are usually carried out using Trojans disguised as legitimate files, with users tricked into downloading or opening files that arrive as email attachments. However, one well-known example, the WannaCry worm, spread between computers automatically without any user interaction.

Since around 2012, the use of ransomware attacks has been growing internationally. In the first half of 2018 there were 181.5 million ransomware attacks, a record that represents a 229% increase over the same period in 2017.

In June 2014, vendor McAfee released data showing that the number of ransomware samples collected in the quarter more than doubled from the same period a year earlier.

CryptoLocker was particularly successful, earning an estimated US$3 million before it was taken down by the authorities, and the US Federal Bureau of Investigation (FBI) estimated that CryptoWall had raked in more than US$18 million by June 2015.

How it works

The concept of file-encrypting ransomware was conceived and implemented by Young and Yung at Columbia University, and presented at the 1996 IEEE Security & Privacy conference.

This is called “cryptoviral extortion”, and it was inspired by the fictional facehugger in the movie “Alien”. Cryptoviral extortion takes place in the following three steps between the attacker and the victim:

  • Attacker -> Victim: The attacker generates a key pair and embeds the corresponding public key in the malware. The malware infects the victim.
  • Victim -> Attacker: To carry out the cryptoviral extortion attack, the malware generates a random symmetric key and encrypts the victim’s data with it. The public key embedded in the malware is then used to encrypt the symmetric key. This is hybrid encryption: it produces not only a symmetric ciphertext of the victim’s data, but also a small asymmetric ciphertext (the encrypted symmetric key). The symmetric key and the original plaintext data are zeroed to prevent recovery. A message is displayed to the user containing the asymmetric ciphertext and instructions on how to pay the ransom. The victim sends the asymmetric ciphertext and the electronic money to the attacker.
  • Attacker -> Victim: The attacker receives the payment, decrypts the asymmetric ciphertext with the attacker’s private key, and sends the symmetric key to the victim. The victim decrypts the encrypted data with that symmetric key, which completes the cryptoviral extortion attack.


Because each symmetric key is generated randomly, one victim’s key is of no use to other victims. The attacker’s private key is never disclosed to the victim, and the victim needs to send only a very small amount of ciphertext (the encrypted symmetric key) to the attacker to complete the exchange.
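The three-step exchange above, as an added example that is not part of the original page: a Go program using only the standard library, with AES-256-GCM for the bulk data and RSA-OAEP to wrap the symmetric key (the page names no specific algorithms; those choices are mine). The key-pair holder plays the attacker’s role and the data holder the victim’s. It also checks the two properties the preceding paragraph states: a holder of a different private key cannot unwrap the key, and every run produces its own independent symmetric key. The sample input is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Hybrid is the result of step 2: the bulk symmetric ciphertext of the data
// plus the small asymmetric ciphertext (the symmetric key wrapped with the
// public key). Only WrappedKey needs to travel to the private-key holder.
type Hybrid struct {
	Nonce      []byte
	Bulk       []byte // AES-256-GCM ciphertext of the data
	WrappedKey []byte // RSA-OAEP ciphertext of the 32-byte AES key
}

// Step 1: the key holder generates an RSA key pair. Only the public key is
// ever embedded in the payload; the private key stays with its owner.
func generateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Step 2 (data holder's side): a fresh random symmetric key encrypts the data,
// the public key wraps that symmetric key, and the symmetric key is zeroed so
// the plaintext can no longer be recovered locally.
func hybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (*Hybrid, error) {
	symKey := make([]byte, 32)
	if _, err := rand.Read(symKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(symKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	bulk := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, symKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range symKey { // zero the only local copy of the symmetric key
		symKey[i] = 0
	}
	return &Hybrid{Nonce: nonce, Bulk: bulk, WrappedKey: wrapped}, nil
}

// Step 3 (key holder's side): unwrap the symmetric key with the private key,
// which itself never leaves its owner.
func unwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// Step 3 (data holder's side): decrypt the bulk ciphertext with the returned key.
func symmetricDecrypt(symKey []byte, h *Hybrid) ([]byte, error) {
	gcm, err := newGCM(symKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, h.Nonce, h.Bulk, nil)
}

// RoundTrip runs the full exchange. It reports whether the data was recovered
// via the legitimate path, and whether a holder of a *different* private key
// fails to unwrap the key (so the wrapped key is useless to anyone else).
func RoundTrip(plaintext []byte) (recovered, wrongKeyFails bool, err error) {
	priv, err := generateKeyPair()
	if err != nil {
		return false, false, err
	}
	h, err := hybridEncrypt(&priv.PublicKey, plaintext)
	if err != nil {
		return false, false, err
	}
	symKey, err := unwrapKey(priv, h.WrappedKey)
	if err != nil {
		return false, false, err
	}
	out, err := symmetricDecrypt(symKey, h)
	if err != nil {
		return false, false, err
	}
	other, err := generateKeyPair() // an unrelated key pair
	if err != nil {
		return false, false, err
	}
	_, wrongErr := unwrapKey(other, h.WrappedKey)
	return bytes.Equal(out, plaintext), wrongErr != nil, nil
}

// IndependentKeys encrypts the same data twice under one public key and reports
// whether the two wrapped keys differ, i.e. each run drew its own random key.
func IndependentKeys(pub *rsa.PublicKey, plaintext []byte) (bool, error) {
	a, err := hybridEncrypt(pub, plaintext)
	if err != nil {
		return false, err
	}
	b, err := hybridEncrypt(pub, plaintext)
	if err != nil {
		return false, err
	}
	return !bytes.Equal(a.WrappedKey, b.WrappedKey), nil
}

func main() {
	recovered, wrongKeyFails, err := RoundTrip([]byte("constructed sample document"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered=%v wrongKeyFails=%v\n", recovered, wrongKeyFails)
}
```

The point to take from the code is that once `symKey` is zeroed, the only copy of it is inside `WrappedKey`, and recovering that requires the private key; this is why, for a correctly implemented scheme, offline backups rather than cryptanalysis are the practical recovery path.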

Ransomware attacks are usually carried out using a Trojan horse. Trojans enter the system via malicious attachments, embedded links in phishing emails, or vulnerabilities in network services. The Trojan then runs a malicious program (payload) that either locks the system in some way, or claims to have locked it without actually doing so (as scareware does).

Payloads may also display fake warnings purporting to come from law enforcement or other organizations, falsely claiming that the system has been used for illegal activities or that it contains content such as pornography or “pirated” media.

Some payloads are applications designed to lock or restrict the system until payment is received. Typically, they set the Windows shell to the payload itself, or modify the Master Boot Record (MBR) or partition table so that the operating system cannot boot until they are repaired.

The most notorious payloads encrypt the victim’s files using strong encryption, so that only the malware author holds the decryption key needed to restore them.

Victims are forced to pay to obtain either a program that can decrypt their files and remove the ransomware, or an unlock code that undoes the payload’s changes. The attacker could simply take the money without returning the victim’s files, but it is in the attacker’s interest to decrypt as agreed: if victims knew their files would not be recovered, they would not pay.

A convenient payment system that is difficult to trace is a key element of ransomware attacks. A variety of such payment methods have been used, including wire transfers, premium-rate text messages, prepaid voucher services such as paysafecard, and the cryptocurrency Bitcoin.

In May 2020, security vendor Sophos reported that the global average cost of remediating a ransomware attack (taking into account downtime, staff time, device costs, network costs, lost opportunities, and ransoms paid) was $761,106, and that 95% of organizations that paid the ransom were able to recover their data.

Types of Ransomware

Encryption Ransomware

The first confirmed ransomware attack was the “AIDS Trojan” written by Joseph Popp in 1989, whose design flaw was so severe that there was no need to pay the extortionist at all. Its payload hid files on the hard drive, encrypted only their names, and displayed a message claiming that the user’s license for a certain piece of software had expired. Even though the decryption key could be extracted from the Trojan’s code, users were asked to pay US$189 to “PC Cyborg Corporation” for a repair tool. This Trojan was also known as “PC Cyborg”.

In mid-2006, Trojans such as Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive began using more sophisticated RSA encryption schemes, with ever larger key sizes. Gpcode.AG, detected in June 2006, encrypted files with a 660-bit RSA public key.

Crypto-ransomware came back into the spotlight in late 2013 with the spread of CryptoLocker, which used the Bitcoin digital currency platform to collect ransoms. In December 2013, ZDNet reported an estimate, based on Bitcoin transaction information, that the operators of CryptoLocker had extracted about US$27 million from infected users between October 15 and December 18.

The CryptoLocker methodology has since been used in CryptoLocker 2.0 (which is believed to be unrelated to CryptoLocker) and in CryptoDefense (which initially used an encryption API built into Windows and had a serious design flaw: it stored the private key on the infected system in a location where the user could retrieve it). In August 2014, a Trojan horse was discovered that specifically targeted network-attached storage devices made by Synology Inc. In January 2015, ransomware-style attacks on individual websites via hacking, as well as ransomware designed to target Linux-based web servers, were reported.

Some ransomware uses a two-stage payload, a structure common to many malware families: when the user is tricked into executing a script, the script downloads and runs the main malware. In early two-stage payloads, the script was contained in a Microsoft Office document with attached VBScript macros, or in a Windows Scripting Facility (WSF) file.

As security software and other detection systems began to block these first-stage payloads, attackers migrated to LNK files containing self-contained Microsoft Windows PowerShell scripts; in 2016, PowerShell was found to be involved in about 40% of endpoint security incidents.

Some ransomware reaches its command-and-control servers through proxies connected to Tor hidden services, making it difficult to track the exact location of the criminals. In addition, Dark Web vendors are increasingly offering this technology as a service.

On September 28, 2020, the computer systems of Universal Health Services, the largest healthcare organization in the United States, were hit by ransomware. UHS facilities around the country reported that they were aware of the problem, and some locations reported that their computer and phone systems had been locked since early Sunday (September 27).
