A Brief Overview of Ransomware

What it is and how to protect yourself

What is Ransomware?

Ransomware is a type of malicious software that encrypts data, holding files or entire devices hostage using encryption until the victim pays a ransom in exchange for a decryption key. This key will allow the user to access the files or systems encrypted by the program. 

Ransomware is transmitted in a number of ways. The most common are downloading an infected file, which executes a program that then infects everything it can reach, and visiting malicious websites.

However, some also spread through vulnerabilities in your operating system or installed applications.

The Beginning

The first known ransomware attack was the AIDS Trojan (also known as PC Cyborg after its claimed creator) in 1989. Joseph L. Popp, a Harvard-trained evolutionary biologist, sent 20,000 infected diskettes labelled “AIDS Information – Introductory Diskettes” to attendees of the World Health Organization’s international AIDS conference. 

The AIDS Trojan hid directories and encrypted the names of the files on the victim's computer. To regain access, the user would have to send $189 to PC Cyborg Corp. at a post office box in Panama. Dr. Popp was eventually caught and indicted for blackmail, as it was the most relevant charge at that time.

Luckily, the AIDS Trojan was incredibly simplistic and included a number of fatal flaws, allowing users to recover their data without being required to pay Popp's demand. 

Unfortunately for us, however, the AIDS Trojan was only the beginning and virus makers did not make the same mistakes again.

(source: wikipedia)

Evolution of Ransomware

Ransomware has evolved from causing disruption for a bit of fun into a way of actually turning a profit. The important thing to remember is that attackers have learned from the mistakes of others and further developed their programs to exploit users.

There were a few minor attacks, but these mainly used blackmail tactics rather than encryption. The encryption side of ransomware wasn't fully exploited until attackers had a secure and non-traceable way of getting money from their victims.

Bitcoin and Ransomware - CryptoLocker

From this point onwards, everything changed. Encryption-type ransomware once again rose to prominence, with the meteoric rise of CryptoLocker in late 2013 signalling this return. 

CryptoLocker utilised Bitcoin to securely and anonymously collect the ransom money.

In addition, CryptoLocker encrypted everything, not just files in the My Documents directory. This proved much more damaging, especially to businesses, as many machines were often connected to the same share drives. Thus, it only took one infected machine to bring down an entire company.

Due to the fluctuating price of Bitcoin, it is somewhat hard to estimate the total amount lost to CryptoLocker. However, in late December 2013, ZDNet estimated that, in the span of 2 months, CryptoLocker's operators had obtained around US$27 million.

CryptoLocker did, however, have one flaw: it didn't spread by itself. Instead, it relied on users downloading an infected file and running it, often by abusing Windows' default setting to hide file extensions so that users were tricked into running it.

WannaCry

In May 2017, a new form of ransomware once again emerged, this time in the form of WannaCry.

WannaCry was, for the most part, very similar to CryptoLocker: it encrypted files in the same manner and also utilised Bitcoin as a ransom collection method. The difference, however, was in how it spread.

WannaCry was, in addition to ransomware, a computer worm. This means that it was able to spread by itself and infect computers without intervention by a user. No longer was it required to trick users into opening files.

Instead, WannaCry utilised an exploit, codenamed EternalBlue, which was developed by the U.S. National Security Agency and exploited a bug in all versions of Microsoft Windows from Windows 95 through to Windows 10. EternalBlue allowed WannaCry to quickly spread through the internet and infect entire networks from a single point of entry.

EternalBlue was leaked from the NSA in April 2017 and a month later, in May, WannaCry was released.

Within a day of its release, WannaCry was reported to have infected more than 300,000 computers in over 150 countries. Parts of the United Kingdom's National Health Service (NHS) were infected, forcing it to run some services on an emergency-only basis during the attack and creating a great deal of disruption.

Much of the attention and commotion around the event was caused by the fact that the U.S. National Security Agency (NSA) had developed the EternalBlue exploit and, instead of reporting the vulnerability to Microsoft so that it could be patched, kept it secret to use as an offensive cyber-weapon.

Microsoft did eventually discover the vulnerability without prompting by the NSA and, in March 2017, before the release of EternalBlue and WannaCry, released an update to fix the exploited bug. Many users, however, had still not installed this update in May, when WannaCry was released, which allowed its prolific spread and large uptake.

Luckily, researchers quickly discovered a ‘kill-switch’ built into WannaCry, which allowed them to stop it from spreading further. This, alongside the patch by Microsoft, helped to slow, and eventually stop, its spread only 4 days after release.

Following on from the original outbreak, however, came a number of copycats: identical to WannaCry except for the removal of the kill-switch. The spread of these copycats was significantly smaller, due to the hysteria and mass updating prompted by the original WannaCry outbreak, and soon they too disappeared.

This is not the end of ransomware. The next version of WannaCry, this time utilising a new, un-patched exploit, is likely already in development and the makers are just waiting for the perfect time to strike.

How to Prevent Ransomware?

So, with the history of ransomware in mind, what can be done to stop an attack?

The unfortunate reality is that, in some cases, particularly when newly-developed exploits are used, there is little in the way of prevention. However, when looking at WannaCry as an example, it is clear that the most important prevention tactic is to ensure that you are installing updates as soon as possible.

In addition to updating, we recommend that you implement the following to prevent a ransomware attack:

  • Train users to report phishing and suspicious system activity and not to fall prey to easy mistakes. 

  • Use and update antivirus software on a regular basis.

  • Update third-party applications as soon as prompted.

  • Remove administrative rights except from those who absolutely need them. This will limit the number of downloads into your network.

  • Deploy a File Integrity Monitoring (FIM) solution. 

  • Ensure that backups are being maintained and cannot be overwritten by users.

  • Set important file-shares to read-only.

  • Invest in off-site backups.
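The File Integrity Monitoring recommendation above is easy to see in practice. The following is an added example, not code from the article or from any product: it baselines a directory with SHA-256 hashes and raises an alert when a large fraction of the baselined files is modified or disappears at once, which is the burst of change that bulk encryption produces. The threshold value, the function names and the constructed sample files are assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example, not code from the article: a minimal file-integrity monitor
# that baselines a tree with SHA-256 and flags the burst of changes bulk encryption causes.

def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, hashed in chunks to keep memory use flat."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map each regular file under root (path relative to root) to its digest."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Classify paths as modified, removed or added relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def mass_change_alert(diff: dict, baseline_size: int, threshold: float = 0.5) -> bool:
    """Ransomware rewrites or renames most of a share in one burst; alert when at
    least `threshold` (assumed 50%) of the baselined files were modified or vanished.
    A renamed file shows up as one removed path plus one added path."""
    if baseline_size == 0:
        return False
    changed = len(diff["modified"]) + len(diff["removed"])
    return changed / baseline_size >= threshold

def demo() -> tuple:
    """Constructed sample: baseline three files, then overwrite one and rename
    another with a new extension, the pattern a bulk-rewrite event leaves behind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("a.txt", "b.txt", "c.txt"):
            (root / name).write_text(f"original {name}")
        baseline = build_baseline(root)
        (root / "a.txt").write_text("rewritten")          # content changed
        (root / "b.txt").rename(root / "b.txt.locked")    # renamed in place
        diff = compare(baseline, build_baseline(root))
        return diff, mass_change_alert(diff, len(baseline))
```

In a real deployment the baseline file itself must live where users cannot write to it, otherwise the first thing a compromised account changes is the record of what "unchanged" looks like.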
