Ransomware - NetwaxLab

Friday, April 17, 2015

Ransomware

Ransomware is malware used for "data kidnapping": an attack in which the attacker encrypts the victim's data (or locks the victim out of the machine) and demands payment for the decryption key.

Ransomware is a growing problem that is now affecting many computer users around the world.

Ransomware example

Ransomware is a form of malware in which rogue code effectively holds a user's computer hostage until a "ransom" fee is paid. It often reaches a PC as a worm or Trojan horse that takes advantage of unpatched security vulnerabilities; most infections result from opening a malicious e-mail attachment or visiting a compromised website.

Upon compromising a computer, ransomware will typically either lock the user out of the system or encrypt files on it, and then demand payment before access is restored. For example, CryptoLocker encrypts the victim's files, while CTB-Locker also encrypts files and additionally uses Tor to hide its command-and-control (C&C) communications.

Ransom demands vary, from about US$24 to more than US$600, or the equivalent in bitcoin. Paying does not guarantee that the victim will regain access to the system or files.

While initially popular in Russia, ransomware scams have grown internationally; in June 2013, security software vendor McAfee released data showing that it had collected over 250,000 unique ransomware samples in the first quarter of 2013, more than double the number from the first quarter of 2012.[4] CryptoLocker, a ransomware trojan that surfaced in late 2013, is estimated to have extorted about US$3 million before it was disrupted by law enforcement.

Some versions of ransomware are called "FBI Moneypak" or the "FBI virus" because they use the FBI's logos.

History

Encrypting Ransomware

The first known ransomware was the 1989 "AIDS" trojan (also known as "PC Cyborg"), written by Joseph Popp. Its payload claimed that the user's license to use a certain piece of software had expired, encrypted the file names on the hard drive, and demanded that the user pay US$189 to "PC Cyborg Corporation" to unlock the system. Popp was declared mentally unfit to stand trial for his actions, but he promised to donate the profits from the malware to AIDS research. The notion of using public-key cryptography for such attacks was introduced in 1996 by Adam L. Young and Moti Yung. They argued that the AIDS trojan was ineffective because it used only symmetric cryptography: the decryption key had to be present in the trojan itself, so it could be extracted from the code. They presented a proof-of-concept cryptovirus for the Macintosh SE/30 using RSA and TEA, in which a random symmetric key encrypts the victim's data and only that key is encrypted with the attacker's public key, so nothing recoverable from the virus itself can undo the damage. Young and Yung called this attack "cryptoviral extortion", an overt attack within the larger field they named cryptovirology, which encompasses both overt and covert attacks.
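The Young and Yung argument above is easiest to see in code. The following is an added illustration, not code from the original page or from any real malware: a symmetric-only locker in the style of the AIDS trojan must carry its key, so an analyst holding a sample can undo it, whereas the hybrid design wraps a fresh per-victim key under the attacker's public key and leaves nothing useful in the sample. The building blocks are toys chosen for illustration only: textbook RSA with two fixed Mersenne primes and no padding, and a SHA-256 counter-mode keystream standing in for the file cipher. Neither is fit for real use.

```python
"""
Added illustration of the symmetric-only vs. hybrid (cryptoviral extortion)
key designs. Toy primitives, assumed for illustration only: textbook RSA on
fixed Mersenne primes with no padding, and a SHA-256 counter keystream cipher.
Not code from any real malware and not fit for real use.
"""
import hashlib
import os
from typing import Optional


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: data XOR SHA-256(key || 64-bit block counter)."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        keystream = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


# Textbook RSA with fixed primes M61 and M89 (toy; modulus of about 150 bits).
P, Q = (1 << 61) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent; never ships


def rsa_wrap(pub_n: int, key16: bytes) -> int:
    """Encrypt a 16-byte key as an integer under (pub_n, E); no padding (toy)."""
    return pow(int.from_bytes(key16, "big"), E, pub_n)


def rsa_unwrap(priv_d: int, wrapped: int) -> bytes:
    return pow(wrapped, priv_d, N).to_bytes(16, "big")


# Design 1: one symmetric key compiled into the sample (AIDS trojan style).
EMBEDDED_KEY = hashlib.sha256(b"constant baked into the binary").digest()[:16]


def symmetric_only_lock(plaintext: bytes) -> bytes:
    return xor_stream(EMBEDDED_KEY, plaintext)


def analyst_recover_symmetric(ciphertext: bytes, key_from_sample: bytes) -> bytes:
    """A reverse engineer lifts the constant key from the sample and decrypts."""
    return xor_stream(key_from_sample, ciphertext)


# Design 2: hybrid cryptoviral extortion. Only the public key (N, E) ships.
SAMPLE_CONTENTS = {"N": N, "E": E}         # everything an analyst can extract


def hybrid_lock(plaintext: bytes):
    """Fresh per-victim key; only its RSA-wrapped form is left on the host."""
    session_key = os.urandom(16)
    wrapped = rsa_wrap(SAMPLE_CONTENTS["N"], session_key)
    return xor_stream(session_key, plaintext), wrapped


def analyst_recover_hybrid(ciphertext: bytes, wrapped: int, sample: dict) -> Optional[bytes]:
    """Succeeds only with the private exponent in hand. Deriving D from N alone
    means factoring the modulus, which is exactly what the design relies on."""
    if "D" not in sample:
        return None
    return xor_stream(rsa_unwrap(sample["D"], wrapped), ciphertext)


def attacker_unlock(ciphertext: bytes, wrapped: int) -> bytes:
    """What the victim is asked to pay for: decryption with the attacker's D."""
    return analyst_recover_hybrid(ciphertext, wrapped, {**SAMPLE_CONTENTS, "D": D})
```

The practical consequence for responders is the one the history above draws: when a family is found to use a symmetric-only or otherwise flawed key scheme, analysts can and do publish free decryptors, while a correctly implemented hybrid scheme leaves backups as the only recovery path.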

Non-Encrypting Ransomware

In August 2010, Russian authorities arrested ten individuals connected to a ransomware trojan known as WinLock. Unlike the earlier Gpcode trojans, WinLock did not use encryption. Instead, it trivially restricted access to the system by displaying pornographic images and asked users to send a premium-rate SMS (costing around US$10) to receive a code that would unlock their machines. The scam hit numerous users across Russia and neighboring countries, reportedly earning the group over US$16 million.

In 2011, a ransomware trojan imitating the Windows Product Activation notice surfaced. It informed users that their Windows installation had to be re-activated because it was "[a] victim of fraud". An online activation option was offered (as in the real Windows activation process) but was unavailable, so the user had to call one of six international numbers to obtain a 6-digit code. The malware claimed the call was free, but it was routed through a rogue operator in a country with high international phone rates, who placed the call on hold so that the user ran up large international long-distance charges.

How it Works

Attackers use one of several approaches to extort money from their victims:
  • After the victim discovers that a file can no longer be opened, an e-mail ransom note demands a relatively small sum in exchange for the private key, warning that if the ransom is not paid by a certain date the key will be destroyed and the data lost forever.
  • The victim is duped into believing they are the subject of a police inquiry: after being told that unlicensed software or illegal web content has been found on the computer, they are given instructions for paying an electronic "fine".
  • The malware surreptitiously encrypts the victim's data but does nothing else. Here the data kidnapper counts on the victim searching the Internet for a fix, and makes money by selling so-called anti-ransomware software on otherwise legitimate websites.

Mitigation

  • To avoid infection, keep Windows, the browser and browser-related components (Java, Adobe Reader and Flash, and the like) patched, run a reputable antivirus utility with up-to-date definitions, and avoid suspicious sites and unexpected e-mail attachments.
  • Back up data regularly, and keep at least one copy offline or otherwise unreachable from the workstation, since ransomware encrypts any attached drive or network share it can write to.
  • Do not assume an individual machine is too unimportant to be hit: most infections are opportunistic (spam attachments and drive-by downloads) rather than targeted.
  • If a machine is already infected, do not pay the ransom; paying does not guarantee recovery. Wipe the disk, reinstall, and restore data from backup.


As with other forms of malware, security software may fail to detect a ransomware payload at all or, especially with encrypting payloads, detect it only once encryption is under way or complete; this is most likely when a new variant unknown to the protective software is distributed. If an attack is suspected or spotted early there is still a window to act: encrypting a full disk takes time, and removing the malware (a relatively simple process) before it finishes limits the damage to data. Security experts have therefore suggested precautionary measures such as software or policy controls that block known payloads from launching (for example, application whitelisting, or restriction policies that stop executables running from the temporary and user-profile directories where e-mail attachments land), along with "offline" backups kept in locations the malware cannot reach.
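The "detected in its early stages" window above is what behavioural endpoint monitoring is built to exploit. The following added example, not code from the original page, shows a minimal detector of that kind: it scores a stream of per-process file events for three signals typical of encrypting ransomware (ciphertext-like high-entropy writes to document files, extension changes on documents, and many such events from one process in a short window) and returns the processes to kill and isolate. The event format, the thresholds, the file-extension list and the sample events are all constructed assumptions for illustration.

```python
"""
Added example: a small behavioural detector for in-progress file encryption.
Event format, thresholds, extension list and sample events are constructed
assumptions for illustration; this is not code from the original page.
"""
import hashlib
import math
from collections import defaultdict

DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".txt"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext, typically well below 6 for documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def ext_of(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def is_suspicious(op: str, path: str, payload) -> bool:
    """op is "write" (payload = bytes written) or "rename" (payload = new path)."""
    if ext_of(path) not in DOC_EXTS:
        return False
    if op == "write":
        return shannon_entropy(payload) > 7.0      # looks like ciphertext
    if op == "rename":
        return ext_of(payload) != ext_of(path)     # e.g. .xlsx -> .xlsx.encrypted
    return False


def flag_processes(events, window_s: float = 10.0, min_hits: int = 5) -> dict:
    """events: (timestamp_s, pid, op, path, payload). Returns {pid: hits} for
    every process with >= min_hits suspicious events inside a sliding window."""
    recent = defaultdict(list)
    flagged = {}
    for ts, pid, op, path, payload in sorted(events, key=lambda e: e[0]):
        if not is_suspicious(op, path, payload):
            continue
        recent[pid] = [t for t in recent[pid] if ts - t <= window_s] + [ts]
        if len(recent[pid]) >= min_hits:
            flagged[pid] = max(flagged.get(pid, 0), len(recent[pid]))
    return flagged


# Constructed sample events: a benign Word save, a benign backup job writing a
# compressed archive, and one process bulk-encrypting and renaming spreadsheets.
CIPHERTEXT_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
PLAIN_TEXT = b"Quarterly report: revenue up 4% on last year.\n" * 20
DOCS = "C:/Users/alice/Documents/"
SAMPLE_EVENTS = (
    [(0.0, 1200, "write", DOCS + "report.docx", PLAIN_TEXT),
     (0.5, 1300, "write", "C:/Backups/nightly.zip", CIPHERTEXT_LIKE)]
    + [(1.0 + 0.3 * i, 4242, "write", f"{DOCS}sheet{i}.xlsx", CIPHERTEXT_LIKE) for i in range(6)]
    + [(3.0 + 0.3 * i, 4242, "rename", f"{DOCS}sheet{i}.xlsx", f"{DOCS}sheet{i}.xlsx.encrypted") for i in range(6)]
)

if __name__ == "__main__":
    print(flag_processes(SAMPLE_EVENTS))   # {4242: 12}
```

The entropy check alone would also fire on a backup tool writing archives, which is why the example only counts writes to document extensions and why the rate window matters: a user saving one file is noise, a process rewriting six documents in a few seconds is not. In practice such a detector is paired with canary files that no legitimate process should touch, and the response is to suspend the offending process and cut the host off from shares while the rest of the data is still intact.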
