Recently, ransomware has replaced the banking Trojan as the preferred malware for online thieving. It is a software that still typically propagates as a Trojan, but once installed onto a computer, it restricts access to the infected computer system in some way so that the user can no longer access it and requires a payment in order to decrypt or release control back to the user. It can deliver a devastating amount of damage to infrastructure upon which modern society relies. For example, hospitals, police and fire departments, and other organizations have been known to fall victim to some instances of ransomware. Recently, the University of Calgary in Canada fell victim to a 10-day attack, eventually paying upwards of $16,000 just to attempt a recovery of the university’s research data. The email server was encrypted, but there is no evidence that any personal information or university research data were publicized.
Similarly, Hollywood Presbyterian Medical Center in Los Angeles was forced to pay a ransom of over $17,000 in bitcoin to its hackers, who took control of the hospital’s computer system. Staff could not communicate with one another, and the attack interrupted laboratory work, CT scans, pharmacy, and the documentation of activity for medical records.
A Brief History
The origin of ransomware was inspired by telephone scams. An example of a telephone scam is a phone call made by someone claiming to be a Microsoft support technician who has received notification from the user’s computer of a problem. This person instructs the user to install an application to fix the problem when, in reality, it is malicious software that creates a backdoor through which the caller now has control of the computer. The caller then asks for payment and persists, either by threatening to rescind the services or by calling repeatedly, until the user provides his or her credit card information. The caller is thus able to use the victim’s credit card to make fraudulent payments.
The very first manifestation of ransomware appeared in 1989 in the form of the AIDS Trojan, spread through 5 1/4-inch floppy disks. When a computer booted 90 times, the disk would encrypt all of the files and demand a $189 payment. This form of malware evolved into crypto malware around 2005, by which computer files would be encrypted and the originals deleted. The flaws in the new method were twofold: passwords were retrievable through the Trojan, and the transfer of funds was easily tracked. To help solve the issue, locker ransomware was born. When installed onto a computer, it blocks all access and control until the ransom is paid, this time in the form of electronic vouchers.
Current ransomware is strengthened by the use of anonymity services such as Tor and bitcoin, which allow attackers’ identity to remain anonymous and also anonymize an attacker’s financial footprints. Tor is a software that enables anonymous communications and scatters transactions over many nodes on the darkweb. It chooses indirect paths for data to reach their destination through a set of intermediary computers called relays, inhibiting the tracing of the given Internet activity. The more relays that are involved, the more difficult tracking becomes. Bitcoin is a cryptocurrency by which the transfer of funds is possible without any bank or other authority as a middleman. For example, BlackShades is a new form of ransomware that has made recent news, requiring a $30 bitcoin payment through PayPal in order to return the encrypted data. Another example is CryptXXX, the most recent version of which cannot be defeated by any current decrypting tools. In its first three weeks, CryptXXX managed to collect over 70 bitcoins, which values over $45,000. Due to the use of encryption with these two services, detecting the cybercrime can be difficult.
Following a standard set of best practices will help users strengthen their cyber hygiene and help lessen the impact that this type of attack may have on a system or network.
Recognition of the Malicious Software
Though ransomware can wear many masks (appear in the form of email attachments or links, fake advertisements on websites, etc.), most of the core characteristics by which it functions are similar across instances. These similarities aid in the detection of this malware and in the establishment of preventative measures against such attacks.
Attackers tend to operate through anonymity networks (like Tor) and currencies (like bitcoin) to transfer funds undetected. Some indicators of malware can include:
- Emails from an unknown sender (display name vs. email address shown)
- Emails with unknown attachments or links
- Links on an untrusted website
Even with the prevalence and advancement of ransomware, attacks can be prevented and/or mitigated with proper procedures in place. Most importantly, users should back up their data on a regular basis, preferably using the “3-2-1 Rule.” According to the 3-2-1 Rule, make 3 backup copies on 2 different media, 1 of which is stored in a separate location. As a result, a ransom payment will not be necessary for decryption, as the stolen information will be accessible from an alternative source. Another method is to update software and plug-ins as soon as the updates are available, as the updates may be able to detect and correct vulnerabilities that the outdated software could not. Additional protection and prevention methods include:
- Do not enable macros (Much of the ransomware out there today is distributed in Microsoft Office documents. There is a new macro control feature in Office 2016, and Microsoft released Office Viewers, which allows users to view a document without macros.)
- Execute the principle of least privilege (which grants users access only to the information that is necessary for them to fulfill their roles and responsibilities and nothing more.)
- Segment the network
- Bookmark websites (prevents typo squatting)
While ransomware is a serious and rampant offense, it is avoidable with smart computer usage and simple but powerful defense practices.
A reference guide on ransomware can be found here.
This post was written by: Lovila Nowak
Correa, R. (2016). How Fast Does Ransomware Encrypt Files? Faster than You Think. Retrieved from Barkly: https://blog.barkly.com/how-fast-does-ransomware-encrypt-files.
Dalton, A. (2016, June 8). University of Calgary Hands Over $16,000 in Ransomware Attack. Retrieved from Engadget: https://www.engadget.com/2016/06/08/university-of-calgary-ransomware-attack/.
Ellis, D. (2015, November 23). How to Confront Hospital Ransomware. Retrieved from Security Metrics: http://blog.securitymetrics.com/2015/11/how-to-confront-hospital-ransomware.html.
Goodin, D. (2016, June 27). New and Improved CryptXXX Ransomware Rakes in $45,000 in 3 Weeks. Retrieved from Ars Technica: http://arstechnica.com/security/2016/06/new-and-improved-cryptxxx-ransomware-rakes-in-45000-in-3-weeks/.
Kharraz, A. (2016, May 27). It’s Easier to Defend Against Ransomware Than You Might Think. Retrieved from Homeland Security News Wire: http://www.homelandsecuritynewswire.com/dr20160527-it-s-easier-to-defend-against-ransomware-than-you-might-think.
McDowell, G. (2014, April 1). Don’t Fall Foul of the Scammers: A Guide to Ransomware & Other Threats. Retrieved from MakeUseOf: http://www.makeuseof.com/tag/dont-fall-foul-scammers-guide-ransomware-threats/.
Mello, J.P. (2016, June 4). Banking Trojans Take Backseat to Ransomware. Retrieved from
Ragan, S. (2016, February 14). Ransomware Takes Hollywood Hospital Offline, 3.6M Demanded By Attackers. Retrieved from CSO: http://www.csoonline.com/article/3033160/security/ransomware-takes-hollywood-hospital-offline-36m-demanded-by-attackers.html.TechNewsWorld: http://www.technewsworld.com/story/83575.html.
Savage, K., Coogan, P., and Lau, Hon. (2015, August 6). The Evolution of Ransomare. Retrieved from Symantec: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf.