In days of old, pirates were hardy seagoing folk who overtook ships, pillaged, and plundered. Sometimes they took hostages and held them for ransom. These days, criminals don’t even need to leave their house to pillage and plunder - technology has made it possible to steal from people all over the world. They can even take your computer hostage and ask you for ransom. Welcome to the age of ransomware. It's important to learn about the dangers of ransomware and be able to protect yourself online.
There are basically two types of ransomware:
The first type is encryption ransomware. It uses software to encrypt some or all of the files on the computer, making them inaccessible to the user. To get them decrypted, the victim must send money to the attacker, usually in the form of cryptocurrency or gift cards. The attacker then (sometimes) sends the decryption key to the victim.
The second type of ransomware is known as doxware. Doxware is roughly the inverse of encryption ransomware: instead of withholding the victim's data, the attacker threatens to publish files found after infecting the victim’s computer if a ransom is not paid. Sometimes, especially if you have personal or embarrassing files on your computer, this can be worse than just losing the data. The same threat can be made against trade secrets or other intellectual property. HBO was asked to pay $6 million in ransom recently when Game of Thrones episodes and other proprietary information were stolen. The criminals threatened to release some materials, and did. Reports are that HBO did not pay.
Trojan or Worm?
Ransomware is usually introduced to a computer or network by a trojan or a worm. A trojan requires an action by the victim to launch the malware. Usually, the victim is tricked into clicking on a link to open or download an innocuous-looking file which in fact launches the malware. Often phishing is used to entice the victim into clicking on the link. A worm, however, can replicate and spread over a network with no user action if the network is not properly protected.
Social engineering is a type of con that tries to trick you into giving up confidential information or clicking on a link. The criminal can use many ways to try to trick you. One way is to mimic an email from a friend or a known company. Most people have received one of these. It might be “from” a friend with a short message like, “This is so funny,” “I can’t believe you did this,” or from a business saying “your account was compromised,” with a link to a site that installs ransomware. Sometimes a scammer can get creative and continue a conversation for a while, building trust, before asking you to click a link or for information on how to log in to a network where they then install the ransomware.
Within a day or two of the Equifax data breach being announced, I was receiving emails claiming to be from them, offering to “help” and asking for my personal information. Whether they just wanted to hack my account or put ransomware on my computer I do not know, as I did not click on the link. Hackers are always looking for something that might open a door.
A variant of social engineering is where someone calls, saying that they are from Microsoft or some other company’s tech support. Once they have convinced you they're legitimate, they tell you to visit a website masquerading as a tech or customer support site. They either ask you to download the ransomware yourself, or they ask you for your passwords so they can install it themselves. A real tech support agent will not ask you for your password or other sensitive information. If you receive a call from someone claiming to be from tech support, Microsoft, your internet service provider, etc., it's a huge red flag. Do not give that person any information.
Some Famous Examples
This is not just a history lesson: these versions of malware can be modified and brought back. Many of the new attacks are merely variants of older malicious code. New instances of ransomware attacks seem to be growing exponentially.
This is the first known extortion attack using malware. The code was so poorly designed that the decryption key could be found in the code of the malware itself. The creator of the malware was arrested but was found unfit for trial. He did promise to donate all ransom proceeds to AIDS research, though.
Also known as “police trojan,” Reveton locks the computer of the victim and accuses them of doing something illegal and requires payment of a fine to some sort of police force with a gift card or prepaid cash service to unlock it. It infected computers that visited compromised websites and sometimes included a password stealer. A Russian citizen was arrested in Dubai in 2013 for allegedly masterminding the attack.
Another trojan encrypted files and demanded payment in Bitcoin or a prepaid cash voucher. The FBI has issued an indictment for a Russian hacker named Evgeniy Bogachev in connection with this malware, and has offered a $3 million reward for the arrest and conviction of Bogachev. He is still at large.
This malware used fraudulent emails from the Australian post office to spread. Users were asked to go to a website and enter a captcha code to find out about a package to be delivered to them. The captcha code made it harder for antivirus software to ascertain that clicking it delivered malicious code. This one hit the Australian Broadcasting Corporation and briefly disrupted programming.
This malware affected many users in Australia and Turkey. It was spread mostly through emails that claimed to be shipping notifications, traffic violation notices or government or corporate messages. The ransom note said it was CryptoLocker, but it was, in fact, an entirely new piece of malware. The original distribution was easily decrypted, but the hackers fixed that weakness.
This ransomware sometimes used malvertising that directed the user to malicious websites that installed ransomware through browser plugin exploits. It also used emails with disguised pictures that were in fact executables. It is estimated that over $18 million was collected through CryptoWall.
Last year the Locky ransomware was emailed to several million people. If you followed the instructions in the attached Word document, your computer was likely to be infected with ransomware that asked for money to decrypt your files. It had pretty much died out until recently. Toward the end of August, it was sent out to more than 23 million people. The emails had innocent-sounding subject lines like “photos,” “documents,” “scans,” and “pictures.” If you click on the attachment and your computer gets infected, you are asked for a Bitcoin ransom to have your computer decrypted.
Ransomware known as Fusob checks whether the language used on your cell phone is Russian or another Eastern European language. If so, it does nothing. Otherwise, it locks your device and demands a ransom. Fusob presents itself as a pornographic viewer in order to infect devices. Again, this ransomware pretends to be some type of authority and demands payment of a fine to avoid criminal charges. What should make it obvious that no real government agency is charging the fine is that the payment must be in the form of an iTunes gift card.
Petya was first found in early 2016. It infects the master boot record of Windows-based computers, blocking the Windows startup process until the ransom is paid. The original version was spread by email, but later variants used other means of distribution. It was named after the satellite that was used to carry an atomic bomb in the James Bond film GoldenEye.
More than 230,000 computers in 150 countries have been hit with the malicious software called WannaCrypt or WannaCry, which demands payment of $300 in Bitcoin. The malware is reported to use software leaked from the NSA, who apparently knew about the flaw for some time but failed to let Microsoft know about it. WannaCry infected computer systems at 16 hospitals in Britain which had to turn away patients and cancel operations. The malware only targeted computers that were out of date, as a software patch that would prevent it had been available for some time when it attacked and wreaked so much havoc.
NotPetya was a variant of Petya that mostly targeted Ukraine and seemed primarily designed to damage infrastructure. Data could not be decrypted even after the ransom was paid. One of the computers attacked was part of the radiation monitoring system of the Chernobyl Nuclear Power Plant, which was taken offline by the attack. The NotPetya variant used the NSA’s leaked exploit EternalBlue to access computers, instead of attacking through email like the original version of Petya. It appears that the malware was initially spread through a compromised accounting software update.
Microsoft had already patched the EternalBlue exploit used by NotPetya but many computers had not been updated, which made them susceptible to infection.
This malware uses exploits for Internet Explorer and Flash Player to launch malware against users who have visited compromised websites. Once the malware is installed, you get a message saying that your files have been encrypted and you must pay 0.077 Bitcoin in ransom. That comes out to a little over $350.00 at the time this article was written. If you don’t pay within a week, you will be required to pay double the ransom.
Bitpaymer and Defray
Some of the more recent ransomware attacks have been focusing on hospitals due to the urgency of getting vital healthcare systems back online. The ransom is also higher than many previous ransoms, with Bitpaymer asking more than $200,000 for the decryption key. Defray’s ransom note includes the advice, “To prevent this next time use offline backups.” These attacks have also used more finely tuned phishing emails to infect the victims’ computers. One hospital in Scotland had to cancel patient appointments as a result of an infection by Bitpaymer.
Freeing the Hostage
Depending on the type of infection, you may be able to unlock or decrypt your computer without paying the ransom. Do some research online, consult your anti-virus software documentation, or take it to a local computer expert, and you may be able to find another solution. Sometimes security companies find a way to decrypt files without paying the ransom. Be extra careful that the sites you are researching are reputable: some malware hides under the name of anti-virus software.
Ransomware as a Service (RaaS)
Some resourceful cyber criminals even offer ransomware for sale on the Dark Web. Other criminals can either purchase it outright or work out a profit-sharing agreement with the creators, splitting the ransoms between those who wrote the malware and those who distribute it.
(Don’t) Pay the Ransom
Most experts agree it is not a good idea to pay the ransom. For one thing, if no one ever paid any ransom, criminal hackers would have no incentive to create ransomware. Another reason is that there is no guarantee that your files will ever be decrypted. You are dealing with criminals, after all.
Better to Protect Than Repair
The old adage “an ounce of prevention is worth a pound of cure” has never been truer than with ransomware. If you can stop it before it happens, you are safe. Once you are infected, there is a good chance that your files will never be decrypted. Periodic backups, in addition to anti-virus software and being careful, are the best defence. Keep your operating system up-to-date with the latest security patches; a lot of ransomware infections could have been prevented if victims had kept their computers up to date. Never divulge your passwords, and never download anything unless you are 100% sure you can trust the person you are talking to.
World Backup Day
In addition to protecting your computers with updates, it is also imperative to back up your computer data periodically. March 31st has actually been designated “World Backup Day,” but you shouldn’t wait all year before you back up all your data.
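The two prevention points above (keep offline backups, and know whether your files are still intact) can be put into practice with a small snapshot tool. The following is an added example written for this page, not code from the article or from any product it mentions: it copies a folder into a timestamped snapshot, records a SHA-256 manifest alongside it, and can later compare either the backup or the live folder against that manifest, so a backup is proven restorable before it is needed and wholesale changes to the live files (the effect an encrypting infection has) show up as a long list of "modified" entries. The directory names, sample files and function names are constructed for the demonstration; the manifest format is an assumption of this example, not a standard.

```python
"""Snapshot backup with an integrity manifest (added example; hypothetical helpers)."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST = "manifest.json"   # assumed file name, written inside each snapshot


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST
    }


def create_snapshot(src: Path, backup_root: Path) -> Path:
    """Copy src into a new timestamped snapshot directory and record its manifest."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%f")
    dest = backup_root / f"snapshot-{stamp}"
    shutil.copytree(src, dest)
    (dest / MANIFEST).write_text(json.dumps(build_manifest(dest), indent=2))
    return dest


def verify(root: Path, manifest: dict) -> dict:
    """Compare a directory tree against a manifest and report the drift by category."""
    current = build_manifest(root)
    return {
        "ok": sorted(k for k in manifest if current.get(k) == manifest[k]),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def restore(snapshot: Path, dest: Path) -> dict:
    """Restore a snapshot into a fresh directory and verify the result against its manifest."""
    manifest = json.loads((snapshot / MANIFEST).read_text())
    shutil.copytree(snapshot, dest, ignore=shutil.ignore_patterns(MANIFEST))
    return verify(dest, manifest)


def demo() -> dict:
    """End-to-end run on constructed sample data inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "documents"
        (live / "photos").mkdir(parents=True)
        (live / "thesis.txt").write_text("chapter one\n")                 # constructed sample
        (live / "photos" / "cat.jpg").write_bytes(b"\xff\xd8 not a jpeg")  # constructed sample

        snap = create_snapshot(live, root / "offline-backups")
        manifest = json.loads((snap / MANIFEST).read_text())
        backup_check = verify(snap, manifest)   # proves the copy is intact

        # Constructed tampering that mimics the *effect* of an infection on the live
        # folder (not malware): a file's contents replaced, plus an unexpected note.
        (live / "thesis.txt").write_bytes(bytes(range(64)))
        (live / "HOW_TO_DECRYPT.txt").write_text("pay up")
        live_check = verify(live, manifest)     # manifest flags the damage

        restored_check = restore(snap, root / "restored")
        return {"backup": backup_check, "live": live_check, "restored": restored_check}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the snapshot directory would live on media that is disconnected after the copy finishes (the "offline" in the Defray note), and the verify step would be run on a schedule against both the backup and the live folder; a sudden jump in the "modified" and "unexpected" counts is the signal to pull the machine off the network and restore from the last clean snapshot.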
- By Wayne Porter