What Is Ransomware

Government, business, and other organisations increasingly place cybersecurity atop their list of priorities as cybercriminals and terrorists grow ever more sophisticated. Malware in all its forms can immediately cripple a system or bleed it of vital information for years. Ransomware, however, comes from purely criminal intent.

Ransomware Defined

Ransomware, or ransom malware, seizes control of a computer. It “kidnaps” access to vital functions or information while simultaneously demanding payment in exchange for releasing the system’s functions. The earliest known outbreak occurred in the late 1980s. Criminals using ransomware continue to grow more sophisticated and dangerous in their attacks.

Ransomware costs the world economy billions every year. Despite the best efforts of the AFP, FBI, MI5, and other legendary law enforcement and intelligence agencies, ransomware attacks have proved nearly impossible to control, much less stop. Earlier this year, Toyota Australia and the Cabrini Hospital in Melbourne suffered attacks. In the case of the hospital, 15,000 patient records fell under encryption.


How Ransomware Works

Ransomware can infiltrate computer systems through a variety of means. One of the most common occurs during “phishing” expeditions. An individual receives an email at his or her organisational address with an attachment containing the ransomware. Once opened, the attachment releases the malware and compromises the system.

Other forms of ransomware probe the system itself, rather than personnel, for weaknesses. In this case, a layered cybersecurity system provides the best possible defence.

Ransomware uses encryption algorithms to produce encrypted files that are extremely difficult to break. Most use standard algorithms that simply lock up the information. Others use custom-designed routines that append text to each file, including directions on how to pay the ransom. Only the criminals hold the key needed to reopen the files.

At this point, the ransomware architects hold the advantage. Think of algorithms as a stone fortress built around what you hold vital. You only have sticks and rocks to break through. The most advanced law enforcement and intelligence agencies in the world have few answers to breaking down the most sophisticated ransomware encryptions, which explains why the American cities of Baltimore and Atlanta paid the ransom to release their systems. Indeed, some ransomware and other malware types may have come from stolen files originating in intelligence services themselves.

Generally, once the system gets locked down, the criminals demand payment through cryptocurrency, wire transfer, or credit card, which opens the door to more abuse and fraud. They may also claim to be law enforcement themselves, accusing the operator of criminal activity and calling the ransom payment a fine. Others purport to have discovered sensitive or embarrassing information in computer files, threatening to expose it if the operator does not pay. In most cases, they would have a difficult time identifying information from outside the system, relying on their victims’ fear to override all other considerations.


Types of Ransomware

Ransomware comes in a variety of types. As described earlier, one of the most basic types comes through email attachments. Criminals can easily access lists of people in certain organisations, learn the generic email address, and target individual staff. The number of strains and variants has expanded almost exponentially in recent years as criminals discover ransomware to be both safe and lucrative.

Below are several of the better-known and more effective strains of ransomware.

CryptoLocker emerged sometime after 2013 and targets Windows systems exclusively. It uses a public encryption key to seize control of the system and a private key, held only by the criminals, to free it. It accesses the system through attachments that appear to end in .doc or .pdf but hide the .exe that starts the download process. CryptoLocker remains dangerous because its engineers continue to update the basic design to thwart defences.

The Bad Rabbit ransomware started attacking Russian media systems in 2017. It accessed networks through downloads of fake Adobe updates. The average ransom requested at first was a little under US$300, but came with a timer. When the timer hit zero, the ransom demand increased.

Almost everyone has heard of WannaCry, a ransomware variant most likely developed from stolen US National Security Agency cyber tools and possibly deployed by North Korea. Like many other ransomware types, it preys on weaknesses in Windows. Researchers quickly found the “kill switch” while Microsoft created patches to block it. Experts, however, believe that over a million computers worldwide remain vulnerable.

Petya and NotPetya represent two strains of similar styles of ransomware that both infect the hard drive of computers. While Petya acts like standard ransomware that infects a computer through attachments, it has one key difference. It installs its own boot loader in place of the computer’s own master boot record. The files still exist unaffected, but the affected computer is blind to their existence until the ransomware gets disabled.

Some believe that the author of Petya has familiarity with Germany, since its attacks originate there. The delivery also indicates a better command of the German language. The Goldeneye variation on Petya also started in that country.

NotPetya may be an evolution of the original Petya or a separate strain designed with the same attributes. While the precise origins of Petya remain unclear, most suspect NotPetya of coming from Russian intelligence. It differs from Petya mainly in that it spreads on its own and destroys the files it encrypts, rendering it much more dangerous. It presents itself as ransomware, but behaves like more destructive malware.

Jigsaw ransomware is one of the most aggressive forms. While other variants threaten destruction of files, Jigsaw actually carries out the action along with the threat. It starts by deleting a handful of files per hour, going up to hundreds, then thousands if the ransom remains unpaid. Tampering with the virus or even restarting the computer triggers the destruction of thousands of files.

Locky ransomware’s aggressiveness stems from its ability to launch tens of millions of attacks in a short period of time. Hospitals have fallen prey to this virus in large numbers since 2017. Locky uses a phishing technique that advises email users that they have received a communication from a company called “Herbalife.” Emails may also hook victims by informing them of a copier delivery and providing an invoice. In the invoice variant, the attachment opens with no invoice visible; instead it instructs the reader to enable macros in order to view it, and users who comply run the malware. Of course, no invoice exists.
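As an added illustration (not code from the original post or from NeuShield), here is a Python attachment-name triage check for the two lures described above: the CryptoLocker-style executable hidden behind a document extension and the Locky-style macro-bearing document. The extension lists, the right-to-left override check and the sample names are my own assumptions and constructions.

```python
import re
from dataclasses import dataclass

# Assumed extension lists (chosen for this example, not taken from the original post).
# File types that execute when opened; a lure usually disguises one of these.
EXECUTABLE_EXTS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "jar", "ps1"}
# Office types that can carry macros (the Locky lure asks the user to enable them).
MACRO_DOC_EXTS = {"doc", "docm", "dot", "dotm", "xls", "xlsm", "ppt", "pptm"}
# Formats a reader expects to be harmless; the CryptoLocker lure imitates these.
DECOY_EXTS = {"doc", "pdf", "txt", "jpg", "png"}
RTL_OVERRIDE = "\u202e"  # reverses display order so the real extension is hidden


@dataclass
class Verdict:
    filename: str
    risk: str    # "block", "review" or "allow"
    reason: str


def triage_attachment(filename: str) -> Verdict:
    """Classify one attachment name using only the lure patterns described above."""
    if RTL_OVERRIDE in filename:
        return Verdict(filename, "block", "right-to-left override character in name")
    # Collapse padding spaces such as "invoice.pdf          .exe".
    name = re.sub(r"\s+", "", filename.lower())
    parts = name.split(".")
    if len(parts) < 2:
        return Verdict(filename, "review", "no file extension")
    ext, inner = parts[-1], parts[-2]
    if ext in EXECUTABLE_EXTS:
        if inner in DECOY_EXTS:
            return Verdict(filename, "block", f"executable disguised as .{inner}")
        return Verdict(filename, "block", f"executable attachment .{ext}")
    if ext in MACRO_DOC_EXTS:
        return Verdict(filename, "review", "document type can carry macros")
    return Verdict(filename, "allow", "inert document type")


def triage_all(filenames):
    """Return {filename: risk} for a batch, e.g. one message's attachment list."""
    return {f: triage_attachment(f).risk for f in filenames}


if __name__ == "__main__":
    # Constructed sample attachment names, not real malware samples.
    sample = ["Invoice_2017.docm", "report.pdf", "scan.pdf.exe",
              "photo.jpg   .scr", "delivery.js", "Herbalife_order.doc"]
    for name, risk in triage_all(sample).items():
        print(f"{risk:6} {name}")
```

A "review" verdict is a prompt for the user or mail gateway to inspect the document before macros are enabled, not a declaration that it is malicious.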


Mobile Ransomware

Ransomware does not just strike your personal computers and laptops. As more people rely on their mobile phones to organise their everyday lives, criminals increasingly target these devices.

Mobile ransomware infections exploit the same personal weaknesses as conventional ransomware to get past the device’s security settings. They prey on people’s mistaken belief that their phones are somehow less vulnerable than their computers. Criminals targeting individuals have discovered that victims will pay more to free their mobile devices than their home computers. While the average cost to unlock a personal computer hovers around US$300, the demand to free a mobile device has shot up in many cases to US$1,000 or more.

Criminals generally access mobile phones by tricking unaware users through social engineering tactics. Texts from shortened numbers with attachments often harbour dangerous ransom or other malware. Users can get fooled by false system updates, fake apps sent by third party stores, or infections spread from other devices.

Google has closed off one previously popular route onto mobile devices by blocking bit.ly shortened links.

Ransomware Prefers Android, But Apple Users Have No Immunity

Mobile ransomware most often goes where the majority of users are. Criminals go after Android users more often, just as they strike Windows systems more in the personal computer realm. They do not decide to take it easy on Apple customers; they simply follow the usage. Apple users do not have total immunity, however. In 2017, a ransomware attack struck both iPhone and Mac users through iCloud. Using the “Find My iPhone” function together with stolen login credentials, the attackers locked users out of their own phones.

Some Types of Mobile Phone Ransomware

“Police Virus” Types

In 2014, one of the first major ransomware attacks on mobile phones emerged. Users who downloaded an app called “Daboink” ended up in a conundrum familiar to many earlier personal computer users. When the ransomware locked their phones, the screen displayed a message purporting to come from the American Federal Bureau of Investigation. In broken English, it accused users of using their phone to access illegal pornography and demanded payment to unlock it.

Another portal of entry occurred when users received a warning that someone had lifted their personal photos to create fake profiles. It then invited them to download a photo viewer app that actually installed the ransomware.

Wanna Locker

This ransomware originated in China and mainly targeted Android users in that country. It used invitations to download popular games to infect phones. Victims got off relatively easily, paying the equivalent of US$6 to unlock their devices.

Double Locker

Despite the similar name, this ransomware had a different origin and poses a much larger threat. It spreads as a fake Adobe Flash update and both changes the device’s passcode and encrypts files, hence the name. Experts warn that the next evolution of Double Locker could directly access bank account information to steal funds.

Koler

The Koler ransomware struck users through a fake PornHub app that then locked phones using the familiar FBI screen. Initially, it targeted users worldwide, but later versions only hit users in the United States.

LeakerLocker

This ransomware does not lock down files, but threatens to share them with friends and family. Those with sensitive personal photos are obviously especially vulnerable.


Ransomware Removal

Experts advise that taking common-sense precautions remains the best defence against ransomware.

Law enforcement advises that victims should never pay the ransom. They fear that paying only rewards the criminals and encourages further attacks. Also, no guarantee exists that paying the ransom enables safe return of function. NotPetya destroys the files regardless of payment.

Some companies have developed free decryptors to release at least some function from encryption. These, however, target specific types of ransomware through precise design. No program at this time can free devices from all types of ransomware.

Users can remove some of the less sophisticated types of ransomware from their personal computers by resetting the device back to factory settings. This often frees the device from ransomware, but also eliminates the files as well.

In many cases, users can remove ransomware from mobile devices by booting into safe mode. Different Android devices do this in different ways. In safe mode, users can then select which applications to remove. Restoring the device to factory settings also removes ransomware while wiping the device clean of all information.

How to Prevent Ransomware

First, you should approve all legitimate updates that your computer system requests. Experts blame the city government of Baltimore, Maryland, USA for ignoring suggested downloads of Microsoft security patches for two years. The lack of updated protection allowed ransomware to invade their computer systems.

Also, back up your files on a regular basis to storage unconnected to your device. Having a secure and separate file store leaves you free to restore your device to factory settings. Experts suggest that you not save passwords on your device. This opens access to far more dangerous areas than just your phone.

While some malware has found ways to infect systems directly, most can still be prevented by maintaining personal device discipline. Never download from non-trusted sources and do not open emails or texts from unknown sources.

Using device protection programs represents the most effective way to prevent infection, beyond maintaining personal device discipline.

NeuShield Sentinel

The NeuShield Sentinel represents the most effective way to protect your computer systems from ransomware attacks. It creates a mirror image of your system to lure the ransomware into attacking it rather than your systems and data. The Mirror Shielding function also creates Data Engrams that create modified data at different points in time. This allows full file restoration if the originals get compromised. The boot protection function protects against specific custom ransomware targeting that part of the system to block user access.

NeuShield Sentinel also protects cloud and hard drive access while providing one-click restoration to remove malware and restore function.

Ransomware represents the greatest threat to your vital systems and data. Just as with your brick and mortar assets, taking basic precautions and using a security system protects you much more effectively than waiting until the malefactors get inside to act.