What is Ransomware ? — How Ransomware Works — Exploitbyte
Ransomware is atype of a malware which restricts access to the computer system’s files and folders and demands an online ransom payment to the malware creator(s) in order to remove the restrictions.
Ransomware is a form of that encrypts a victim’s files. The attacker then demands a ransom from the victim to restore access to the data upon payment.
History Of Ransomware:-
he first ransomware, known as PC Cyborg or AIDS, was created in the late 1980s. PC Cyborg would encrypt all files in the C: directory after 90 reboots, and then demand the user renew their license by sending $189 by mail to PC Cyborg Corp. The encryption used was simple enough to reverse, so it posed little threat to those who were computer savvy.
With few variants popping up over the next 10 years, a true ransomware threat would not arrive on the scene until 2004, when GpCode used weak RSA encryption to hold personal files for ransom.
In 2007, WinLock heralded the rise of a new type of ransomware that, instead of encrypting files, locked people out of their desktops. WinLock took over the victim screen and displayed pornographic images. Then, it demanded payment via a paid SMS to remove them.
With the development of the ransom family Reveton in 2012 came a new form of ransomware: law enforcement ransomware. Victims would be locked out of their desktop and shown an official-looking page that included credentials for law enforcement agencies such as the FBI and Interpol. The ransomware would claim that the user had committed a crime, such as computer hacking, downloading illegal files, or even being involved with child pornography. Most of the law enforcement ransomware families required a fine be paid ranging from $100 to $3,000 with a pre-paid card such as UKash or PaySafeCard.
Average users did not know what to make of this and believed they were truly under investigation from law enforcement. This social engineering tactic, now referred to as implied guilt, makes the user question their own innocence and, rather than being called out on an activity they aren’t proud of, pay the ransom to make it all go away.
In 2013 CryptoLocker re-introduced the world to encrypting ransomware-only this time it was far more dangerous. CryptoLocker used military grade encryption and stored the key required to unlock files on a remote server. This meant that it was virtually impossible for users to get their data back without paying the ransom. This type of encrypting ransomware is still in use today, as it’s proven to be an incredibly effective tool for cybercriminals to make money. Large scale outbreaks of ransomware, such as WannaCry in May 2017 and Petya in June 2017, used encrypting ransomware to ensnare users and businesses across the globe.
In late 2018, Ryuk burst onto the ransomware scene with a slew of attacks on American news publications as well as North Carolina’s Onslow Water and Sewer Authority. In an interesting twist, targeted systems were first infected with Emotet or TrickBot, two information stealing Trojans now being used to deliver other forms of malware like Ryuk, for instance. Director of Malwarebytes Labs, Adam Kujawa speculates that Emotet and TrickBot are being used to find high-value targets. Once a system is infected and flagged as a good target for ransomware, Emotet/TrickBot re-infects the system with Ryuk.
In recent news, the criminals behind the Sodinokibi ransomware (an alleged offshoot of GandCrab) have started to use managed service providers (MSP) to spread infections. In August of 2019, hundreds of dental offices around the country found they could no longer access their patient records. Attackers used a compromised MSP, in this case a medical records software company, to directly infect upwards of 400 dental offices using the record keeping software.
How Ransomware Works :-
There are a number of vectors ransomware can take to access a computer. One of the most common delivery systems is phishing spam — attachments that come to the victim in an email, masquerading as a file they should trust. Once they’re downloaded and opened, they can take over the victim’s computer, especially if they have built-in social engineering tools that trick users into allowing administrative access. Some other, more aggressive forms of ransomware, like NotPetya, exploit security holes to infect computers without needing to trick users.
There are several things the malware might do once it’s taken over the victim’s computer, but by far the most common action is to encrypt some or all of the user’s files. If you want the technical details, the Infosec Institute has a great in-depth look at how several flavors of ransomware encrypt files. But the most important thing to know is that at the end of the process, the files cannot be decrypted without a mathematical key known only by the attacker. The user is presented with a message explaining that their files are now are now inaccessible and will only be decrypted if the victim sends an untraceable Bitcoin payment to the attacker.
In some forms of malware, the attacker might claim to be a law enforcement agency shutting down the victim’s computer due to the presence of pornography or pirated software on it, and demanding the payment of a “fine,” perhaps to make victims less likely to report the attack to authorities. But most attacks don’t bother with this pretense. There is also a variation, called leakware or doxware, in which the attacker threatens to publicize sensitive data on the victim’s hard drive unless a ransom is paid. But because finding and extracting such information is a very tricky proposition for attackers, encryption ransomware is by far the most common type.
Examples of Ransomware
By learning about the major ransomware attacks below, organizations will gain a solid foundation of the tactics, exploits, and characteristics of most ransomware attacks. While there continues to be variations in the code, targets, and functions of ransomware, the innovation in ransomware attacks are typically incremental.
- WannaCry-A powerful Microsoft exploit was leveraged to create a worldwide ransomware worm that infected over 250,000 systems before a killswitch was tripped to stop its spread. Proofpoint was involved in finding the sample used to find the killswitch and in deconstructing the ransomware. Learn more about Proofpoint’s involvement in stopping WannaCry.
- CryptoLocker-This was one of the first of the current generation of ransomware that required cryptocurrency for payment (Bitcoin) and encrypted a user’s hard drive and attached network drives. Cryptolocker was spread via an email with an attachment that claimed to be FedEx and UPS tracking notifications. A decryption tool was released for this in 2014. But various reports suggest that upwards of $27 million was extorted by CryptoLocker.
- NotPetya-Considered one of the most damaging ransomware attacks, NotPetya leveraged tactics from its namesake, Petya, such as infecting and encrypting the master boot record of a Microsoft Windows-based system. NotPetya leveraged the same vulnerability from WannaCry to spread rapidly, demanding payment in bitcoin to undo the changes. It has been classified by some as a wiper, since NotPetya cannot undo its changes to the master boot record and renders the target system unrecoverable.
- Bad Rabbit-Considered a cousin of NotPetya and using similar code and exploits to spread, Bad Rabbit was a visible ransomware that appeared to target Russia and Ukraine, mostly impacting media companies there. Unlike NotPetya, Bad Rabbit did allow for decryption if the ransom was paid. The majority of cases indicate that it was spread via a fake Flash player update that can impact users via a drive by attack.
- ScareWare- Scareware, as it turns out, is not that scary. It includes rogue security software and tech support scams. You might receive a pop-up message claiming that malware was discovered and the only way to get rid of it is to pay up. If you do nothing, you’ll likely continue to be bombarded with pop-ups, but your files are essentially safe.
- Screen lockers :- Upgrade to terror alert orange for these guys. When lock-screen ransomware gets on your computer, it means you’re frozen out of your PC entirely. Upon starting up your computer, a full-size window will appear, often accompanied by an official-looking FBI or US Department of Justice seal saying illegal activity has been detected on your computer and you must pay a fine. However, the FBI would not freeze you out of your computer or demand payment for illegal activity. If they suspected you of piracy, child pornography, or other cybercrimes, they would go through the appropriate legal channels.
- Encrypting ransomware :- This is the truly nasty stuff. These are the guys who snatch up your files and encrypt them, demanding payment in order to decrypt and redeliver. The reason why this type of ransomware is so dangerous is because once cybercriminals get ahold of your files, no security software or system restore can return them to you. Unless you pay the ransom-for the most part, they’re gone. And even if you do pay up, there’s no guarantee the cybercriminals will give you those files back.
How to protect from ransomware?
Security experts agree that the best way to protect from ransomware is to prevent it from happening in the first place.
While there are methods to deal with a ransomware infection, they are imperfect solutions at best, and often require much more technical skill than the average computer user. So here’s what we recommend people do in order to avoid fallout from ransomware attacks.
The first step in ransomware prevention is to invest in awesome cybersecurity-a program with real-time protection that’s designed to thwart advanced malware attacks such as ransomware. You should also look out for features that will both shield vulnerable programs from threats (an anti-exploit technology) as well as block ransomware from holding files hostage (an anti-ransomware component). Customers who were using the premium version of Malwarebytes for Windows, for example, were protected from all of the major ransomware attacks of 2017.
Next, as much as it may pain you, you need to create secure backups of your data on a regular basis. Our recommendation is to use cloud storage that includes high-level encryption and multiple-factor authentication. However, you can purchase USBs or an external hard drive where you can save new or updated files-just be sure to physically disconnect the devices from your computer after backing up, otherwise they can become infected with ransomware, too.
Then, be sure your systems and software are updated. The WannaCry ransomware outbreak took advantage of a vulnerability in Microsoft software. While the company had released a patch for the security loophole back in March 2017, many folks didn’t install the update-which left them open to attack. We get that it’s hard to stay on top of an ever-growing list of updates from an ever-growing list of software and applications used in your daily life. That’s why we recommend changing your settings to enable automatic updating.
Finally, stay informed. One of the most common ways that computers are infected with ransomware is through social engineering. Educate yourself (and your employees if you’re a business owner) on how to detect malspam, suspicious websites, and other scams. And above all else, exercise common sense. If it seems suspect, it probably is.
Originally published at https://exploitbyte.com on March 25, 2020.