Ransomware: Ransom + Malware.
Ransomware is a kind of malware in which the data files on a victim’s computer are encrypted and payment is demanded before the ransomed data is decrypted and access is returned to the victim. Ransomware comes in five types:
I. Encrypting ransomware
Examples include WannaCry and Petya. This kind of ransomware first infected computers in 2006 as several modified versions of the GPCode Trojan. Ransomware remained largely unsuccessful until 2013, when CryptoLocker infected many users and earned more than $27 million.
II. Non-encrypting ransomware
Unlike encrypting ransomware, this type, such as WinLock in 2010, blocks the normal operation of a victim’s computer rather than encrypting its files.
WinLock ransomware locked users out of their computers and displayed a pornographic image on their screens. WinLock generated $16 million. It was last seen, in modified form, in the USA and the UK in 2013.
III. Leakware (also called Doxware)
Leakware or Doxware is an upgraded version of encrypting ransomware: it encrypts the system and additionally threatens to publish very sensitive data, such as military details and nuclear codes, on the web. This type of ransomware was first noticed in 2003 and is generally referred to as a cryptovirology attack.
It is more dangerous than encrypting ransomware because, beyond the financial loss and data loss, it can expose an organization’s trade secrets and source code.
IV. Mobile ransomware
Ransomware targeting mobile devices has proliferated. Most of it targets Android smartphones, because Android allows applications to be installed from unknown sources; the payload is usually distributed as an APK file from an untrusted source. On iOS, the attacker instead compromises the victim’s iCloud account and then uses the Find My iPhone feature to lock the device.
V. Wiper
Wiper is the newest member of the ransomware family. It locks the victim’s computer and deletes all data without any alert or warning. It presents itself as ransomware, displaying a pop-up that asks for a ransom, even though its real goal is to destroy all data. NotPetya, which infected systems in July 2017, was of the wiper variety.
1989 – The AIDS Trojan: The First Ransomware.
The “AIDS Trojan” is the first known malware extortion attack; it was written by Joseph Popp in 1989. It had a design flaw so severe that paying the ransom was never necessary.
Its payload hid the files on the hard drive and encrypted only their names, then displayed a message claiming that the user’s license for a certain piece of software had expired.
The user was asked to pay US$189 to “PC Cyborg Corporation” for a repair tool, even though the decryption key could be extracted from the Trojan’s own code.
1996 – Young & Yung: Cryptoviral Extortion.
The concept of using public key cryptography for data kidnapping attacks was introduced in 1996 by Adam L. Young and Moti Yung. Young and Yung reviewed the failed AIDS Information Trojan and found that it relied on symmetric cryptography: the fatal flaw was that the decryption key could be extracted from the Trojan itself.
The two of them built their own version of the malware, the Cryptovirus, which contains only the encryption key. The attacker keeps the corresponding private decryption key, which gives them the upper hand. They referred to these attacks as “cryptoviral extortion”.
Cryptoviral extortion followed this basic format:
1. The attacker generates a key pair, implants it into the malware and releases the malware onto the web.
2. The victim’s computer is encrypted with the newly generated key.
3. The malware displays a message on the victim’s screen demanding a ransom.
4. When the victim transfers the payment electronically, the attacker decrypts the key and sends the final key to the victim so the files can be decrypted.
Fun Fact: The cryptoviral extortion protocol was inspired by the forced-symbiotic relationship between H. R. Giger’s facehugger and its host in the movie Alien.
2013 – Ransomware: Return, Success, & Love for Bitcoin.
Encrypting ransomware returned to prominence in late 2013, when CryptoLocker successfully infected systems all around the globe. Collecting the ransom money became easy with the Bitcoin digital currency.
The CryptoLocker technique was widely copied: other malware authors created their own versions, such as CryptoLocker 2.0 and CryptoDefense.
Growth in 2016: Sophistication and Diversity.
From 2016, ransomware has established itself as the most profitable malware and is flourishing at a great pace, and cybercriminals are making the most of it. The numbers speak for themselves: 62 new ransomware families made their appearance, and ransomware modifications increased eleven-fold, from 2,900 new modifications in January–March to 32,091 in July–September of 2016. Ransomware such as Cerber, Locky and CryptXXX spread widely through spam attachments and exploit kits.
Ransomware is now written in scripting languages, exploits new infection paths, and its attacks are more targeted than ever before. The result is not in our favour: corporations went from being attacked once every two minutes in Q1 to once every 40 seconds by Q3, and individuals from once every 20 seconds in Q1 to once every 10 seconds by Q3.
SonicWall’s Annual Threat Report revealed that attacks grew 167 times over, from 4 million in 2015 to 638 million in 2016.
2017 – Ransomware: The most dangerous cyber threat
Global ransomware costs have increased 15-fold in two years. In 2017, the WannaCry outbreak caused $1 billion in damages in just four days. Global ransomware costs are expected to pass the $5 billion mark this year.
“No” to phishing emails in 2017: it is so old-school.
According to Proofpoint, seven out of ten malicious emails delivered ransomware as their payload in 2016. Just three months into 2017, that share had dropped from 70% to 22% of malicious emails.
The reason behind the steep drop is that users have become better at spotting phishing mail, forcing criminals to look for ways to infect systems without requiring any user interaction.
“Yes” to Remote Access.
In 2017, most ransomware attacks preferred to avoid user interaction altogether instead of tricking users into downloading malicious email attachments or visiting a compromised website.
The WannaCry epidemic is the best example: attackers exploited vulnerabilities in Microsoft’s Server Message Block (SMB) network file-sharing protocol to gain remote access to victim machines and execute the ransomware directly.
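A defender-side illustration added here (not from the original article): when ransomware reaches SMB directly as described above, the observable side effect on the network is one host opening connections to TCP port 445 on many distinct neighbours within a short window. The detector below runs over constructed connection-log lines; the log format, the IP addresses, the 60-second window and the 20-host threshold are assumptions chosen for the demo, and `parse_line()` would need adapting to a real firewall or NetFlow export.

```python
"""Flagging worm-style SMB fan-out in connection logs.

Added example, not from the original article. WannaCry reached port 445
(SMB) on other hosts with no user action, so one internal source suddenly
opening SMB connections to many distinct destinations inside a short window
is a network-level signal worth alerting on. The log format (timestamp,
src, dst, dport, action), the addresses, the window and the threshold are
all assumptions for this demo; adapt parse_line() to your own export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445
WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 20                   # assumed distinct-destination threshold


def constructed_log() -> str:
    """Constructed sample: one workstation fans out to 25 hosts on 445 in 25
    seconds, a file server shows ordinary low-volume SMB traffic, and some
    port-443 noise from the workstation is mixed in."""
    lines = []
    for i in range(25):
        lines.append("2017-05-12T10:00:%02d 10.0.1.7 10.0.2.%d 445 ALLOW" % (i, i + 1))
        if i % 5 == 0:
            lines.append("2017-05-12T10:00:%02d 10.0.1.50 10.0.3.10 445 ALLOW" % i)
            lines.append("2017-05-12T10:00:%02d 10.0.1.7 10.0.9.9 443 ALLOW" % i)
    return "\n".join(lines)


def parse_line(line: str) -> tuple:
    """Splits one constructed log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def find_smb_fanout(log_text: str, window: timedelta = WINDOW,
                    threshold: int = THRESHOLD) -> dict:
    """Returns {src: (time_of_first_alert, distinct_dst_count)} for every
    source that reached `threshold` distinct hosts on 445 within `window`.
    Lines are expected in time order, as a log export normally is."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst), oldest first
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse_line(line)
        if dport != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:     # drop events older than the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (ts, len(distinct))
    return alerts


if __name__ == "__main__":
    for src, (when, count) in find_smb_fanout(constructed_log()).items():
        print("%s reached %d distinct hosts on 445 by %s" % (src, count, when.time()))
```

On the constructed log only the workstation 10.0.1.7 trips the rule, at the moment its 20th distinct destination appears; the file server's repeated connections to a single host never do, which is why the rule counts distinct destinations rather than raw connection volume.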
Paying up doesn’t always work.
20% of victim organizations never got their files back even after paying the ransom. The attackers either had no intention of restoring access to the encrypted files, or were amateurs who never had the technical ability to do so.
The future of ransomware
For now, ransomware targets computers and mobile devices, but in the coming years it will target IoT devices as well. As IoT devices still have many information-security problems, IoT-targeting ransomware will only create more trouble for users and for IoT manufacturers.