The ABC of Ransomware
Ransomware is a subcategory of malware that prevents access to your device, i.e. locks it, or holds sensitive data hostage until a ransom is paid, usually in an anonymous currency, i.e. in bitcoins via a webpage on the Tor network. It is distinct from other cyberattacks in that it doesn’t disrupt processes or steal user credentials, personal data or bank details. Rather, it holds your data or device hostage until you pay. This makes ransomware very profitable for cybercriminals, so it is not surprising that it is spreading rapidly.
A 2016 survey of 500 organizations found that 48% of them had suffered ransomware attacks, six on average, within a year. Luckily, 45% said they managed to decrypt the attacked files, so the extortion payment was avoided. Still, this does not mean the attacks cost them nothing: 37% of participants reported reputation damage, not to mention that it took 33 employee hours to work on the encrypted data and replace it with a clean back-up.
Ransomware affects individual users, businesses and governments alike. It targets not only Windows, but also Android and Linux, and can work just as easily on Mac OS X or smart TVs.
Let’s take a closer look.
How does Ransomware Work?
There are two types of ransomware: lockers and encryptors. Lockers block the victim’s device so that users are locked out of internet or desktop access, but the damage can still be reversed. Encryptors are more complicated: without the special key, the encrypted files are impossible to decrypt, which is why attackers can so easily claim their ransom money.
Crypto ransomware attacks follow a common pattern. Cryptoware is often introduced through malicious links or email attachments disguised as invoices, pictures or torrent files. Once the malicious code is installed on the computer, it starts encrypting files with a special algorithm. It can be designed to encrypt only pictures and documents, but newer versions attack executable files as well. A warning screen then appears, either telling the user that they have violated the law and have to pay a fine, or simply stating that this is a cyberattack, sometimes with a countdown timer after which the infected files will be deleted.
Attackers also target websites, exploiting vulnerabilities in the operating system, web server, web applications or website plugins. The most common line of attack is remote command injection, where the attacker runs arbitrary commands on the web server until the malicious code is downloaded and executed. It then encrypts anything important, such as website files, scripts or pictures, and the warning message with payment instructions is displayed on the website.
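The pattern described above (files overwritten with ciphertext, then a note left for the victim) gives a defender three cheap signals to watch for: files whose byte entropy suddenly looks like random data, unexpected changes to "canary" files that nothing legitimate should touch, and the appearance of ransom-note filenames. The script below is an added example, not code from the original post or from any product it mentions; the note filenames, the 7.5 bits-per-byte threshold and the sample directory it builds are all constructed for illustration, and random bytes merely stand in for ciphertext (no encryption is performed).

```python
import math
import os
import tempfile
from pathlib import Path

# Shannon entropy is measured in bits per byte (maximum 8.0). Encrypted or
# compressed data sits close to the maximum; ordinary documents sit far below.
# The threshold is an assumption chosen for this example.
HIGH_ENTROPY_THRESHOLD = 7.5

# Hypothetical ransom-note filenames (constructed for this example).
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_recover.html"}


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of a byte string in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def scan_directory(root, canary_files, threshold=HIGH_ENTROPY_THRESHOLD, min_size=256):
    """Look for three indicators of an encryptor at work under `root`.

    canary_files maps a relative path to the exact bytes that canary should
    still contain; any deviation is reported as a modification.
    """
    root = Path(root)
    findings = {"high_entropy": [], "canary_modified": [], "ransom_notes": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in RANSOM_NOTE_NAMES:
            findings["ransom_notes"].append(rel)
            continue
        data = path.read_bytes()
        if rel in canary_files and data != canary_files[rel]:
            findings["canary_modified"].append(rel)
        # Tiny files give unreliable entropy estimates, so they are skipped.
        if len(data) >= min_size and shannon_entropy(data) >= threshold:
            findings["high_entropy"].append(rel)
    return findings


def demo_scan():
    """Build a constructed sample tree, scan it and return the findings."""
    canary_content = b"canary file, do not modify\n" * 20
    canary_files = {"canary/do_not_touch.txt": canary_content}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "canary").mkdir()
        # An ordinary, untouched document: low entropy, nothing to report.
        (root / "docs" / "report.txt").write_text("quarterly report, nothing unusual\n" * 20)
        # Stand-ins for files an encryptor has overwritten: random bytes from
        # os.urandom play the role of ciphertext (no real encryption here).
        (root / "docs" / "photo.jpg.locked").write_bytes(os.urandom(4096))
        (root / "canary" / "do_not_touch.txt").write_bytes(os.urandom(4096))
        # The note the victim is meant to find.
        (root / "readme_decrypt.txt").write_text("your files are encrypted\n")
        return scan_directory(root, canary_files)


if __name__ == "__main__":
    print(demo_scan())
```

Run on its own, the script reports the two overwritten files as high-entropy, the canary as modified and the note by name, while the plain report stays quiet. In practice such a scan would run periodically over shared folders or from a file-system watcher, and a canary hit is the strongest of the three signals because legitimate software has no reason to touch it.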
What can I do to Prevent Ransomware Attacks?
Ransomware is one of the most damaging forms of cyberattack, so it is worth considering prevention measures such as:
– installing quality anti-virus software and updating it regularly
– installing a firewall on your network and keeping it on at all times
– keeping all software updated
– avoiding attachments or links from suspicious senders; if in doubt, check with the sender
– being careful when downloading free software from the internet
– performing your daily activities from a limited user account, not from an administrator’s one
– setting up a back-up solution. A common practice is the 3-2-1 rule: keep three copies of sensitive data, two of them in different formats and one offline or offsite. That way, even if you’re hit, you won’t have to pay the ransom to get your data back.
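A back-up only counts under the 3-2-1 rule if you can prove the copy is still intact, because a copy that was reachable from the infected machine may itself have been encrypted or deleted. The script below is an added example, not code from the original post: it records a SHA-256 manifest of the live data, which you would store with the offline copy, and later checks any copy against that manifest before trusting it for a restore. The directory layout and the two copies it builds are constructed for illustration, and the zero bytes written into the "online" copy merely stand in for ciphertext.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(source_dir) -> dict:
    """Map each file's path (relative to source_dir) to its SHA-256 digest."""
    source = Path(source_dir)
    return {
        p.relative_to(source).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(source.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir, manifest) -> dict:
    """Check a backup copy against a manifest that was stored separately.

    A file is restorable only if it exists and its digest still matches;
    anything else is listed so the copy is not trusted blindly during recovery.
    """
    backup = Path(backup_dir)
    result = {"ok": [], "missing": [], "corrupted": []}
    for rel, digest in manifest.items():
        path = backup / rel
        if not path.is_file():
            result["missing"].append(rel)
        elif hashlib.sha256(path.read_bytes()).hexdigest() != digest:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo_verify():
    """Constructed scenario: one intact offline copy, one tampered online copy."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "contract.txt").write_text("signed contract\n")
        (live / "docs" / "notes.txt").write_text("meeting notes\n")
        manifest = build_manifest(live)  # kept together with the offline copy

        offline = Path(tmp) / "offline_copy"
        online = Path(tmp) / "online_copy"
        shutil.copytree(live, offline)
        shutil.copytree(live, online)

        # The online copy was reachable from the infected machine: one file is
        # overwritten with placeholder bytes standing in for ciphertext, one is gone.
        (online / "docs" / "notes.txt").write_bytes(b"\x00" * 16)
        (online / "docs" / "contract.txt").unlink()

        return {
            "offline": verify_backup(offline, manifest),
            "online": verify_backup(online, manifest),
        }


if __name__ == "__main__":
    for name, outcome in demo_verify().items():
        print(name, outcome)
```

The design point is that the manifest must live with the offline copy, not next to the online one: a copy that can be reached by the malware can have its checksums rewritten along with its files, whereas a digest list on read-only or disconnected media cannot.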
What to Do if my System has been Already Attacked?
The first thing to do is turn off your device and disconnect it from the network. Depending on the type of ransomware, you can then look for a remedy online, since many security companies have cracked the encryption used by existing ransomware families.
If you don’t have any back-up of your critical data, you can decide whether to pay the ransom, but keep in mind that paying does not guarantee you’ll get your files back.
Can Ransomware be properly Investigated?
Like any online cyberattack, it leaves traces behind, though perpetrators have many ways to hide and law enforcement needs to catch up. Still, emails can lead to domain names, IP addresses or nameservers, and reverse queries, such as reverse NS or reverse MX lookups, will surface more domains, which can in turn give clues about their owners.
In any case, ransomware is very profitable for its perpetrators, so it is likely to continue. This means that prevention is still the best protection policy.
This post deals with one rapidly spreading form of cybercrime. To learn more about cybercrime and its prevention, go to <What Cybercrime is> and <Cybersecurity – one of the hottest topics nowadays>.