Ransomware – New and Growing Trend of Cyber Money Extortion

By Manish Tanwar

World Informatix Cyber Security

---

A new trend has emerged called ‘Ransomware’ where attackers are targeting enterprises to extort money by disabling large parts of their operations by encrypting specific file types and rendering them unusable by the enterprise. Internet is evolving into an ‘Internet-of Things’ (IOT) and billions of people worldwide are being connected via desktop/laptop or mobile devices. The ubiquitous nature of the internet brings with it new cyber security threats. Threat may include stealing identity information, user account compromise, defacing of websites, deletion of data from web portals/servers or information disclosure of organization personal data after breach.  This ‘Ransomware’ is the weapon of choice for cyber criminals and currency of extortion is Bitcoin.

What is Ransomware 

Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files unless a ransom is paid.

Ransom ware is malware computer program which is designed to encrypt files having specific file type extensions (txt, doc/docx, xls, ppt, zip, tar, jpg/jpeg, png, gif, php, aspx or any file which is meant for user personal use) with key  encryption method like AES-265 and RSA encryption. Once Ransom ware install itself in user system, it starts looking for specified file type extension and starts to encrypt them. Once encrypted, when touched by a user, the system displays a user message regarding current state of file – ‘File has been encrypted’ – and asks user to pay a ransom for decryption.

Amount of ransom varies on the ability of enterprises to pay and whether they have an operational risk mitigation plan.  Ransomware also asks users to pay quickly (within 4-7 days) otherwise the ransom amount will increase or user will not be able to get decryption key. Few ransomware start deleting files if user is unable to pay ransom within the specified time limit. Most of time method of payment of ransom is BITCOIN (digital form of currency). BITCOIN transactions are not easy to trace or almost impossible and are the currency of choice.

Few of ransomwares are

1. Cryptowall
2. Cryptolocker
3. Tesla Crypt
4. Locky
5. Coinvault and Bitcryptor
6. JIGSAW

Victims of Ransomware Campaign

Long story short, cyber criminals are targeting those users with predominantly windows machines and with limited knowledge of cyber security protection.

Well known ransom ware attacks include hospitals (a Kentucky hospital ransomware attack, a California hospital that paid a $17,000 ransom to get its files back, Kansas Heart Hospital hit with ransom ware), a Canada university (University of Calgary transferred 20,000 Canadian dollars as ransom) and many other sites.

Apart from this, normal users who download software from untrusted sources, open e-mail attachments from unknown senders, surf websites using outdated system software, are also reporting ransomware attacks and infection of  their machines.

How Ransomware Infects User Systems

Ransomware needs to be installed on the system for encryption of user files and attacker use different techniques gain entry. Common techniques to spread ransom ware are given below: –

1. Outdated system software.
2. Outdated web browser.
3. Spear phishing.
4. Drive-by-download.
5. Download from untrusted sources.

1. Outdated system software: – Users who don’t update system/software for latest security patches run the most risks of an attacker gaining access remotely. Once attacker successfully compromises the target machine, they can install any executable on victims machine.
2. Outdated web browser: – Flash player and java scripts are 2 common components used for web development. If the flash player or other plugins are not updated with recent security patches,  the attacker will redirect visitors to malicious domains which will use  browser exploit kit (BEK) like MPack, Phoenix, Blackhole, Crimepack, RIG and Angler. These exploit kits identify the user browser vulnerability or vulnerable browser plugin, and delivers the payload/exploit and compromises the system. After this, installation of ransomware follows and begins to encrypt the targeted file types.
3. Spear phishing: – Spear phishing is the technique where the cyber criminals craft a genuine-looking email having malicious binary/document/zip attached to it, This email is sent to the target victims.  The email content is carefully crafted after researching victim identity (mostly on social media)  in such way so that it convince user to open attachment. As soon, user opens the attachment, a malicious program starts its execution and installs ransomware on system.
4. Drive-by-download: – This technique is similar to the ‘Browser Exploit Kit’ (BEK), and will redirect vulnerable web browser and force them to download malware binary into the system without knowledge of user.
5. Download from untrusted sources: – Any user who is looking for a software (most of time free software)and reaches to a website which claims to provide free software, sometime those cracked or free software contains malware binded with original binary. In such case when user install downloaded binary, actually in back ground malware also execute itself and install it on system without knowledge of system user.

How to Protect against Ransomware

Malware evolution is what cyber criminals are focusing on. Everyday malware researchers are developing such techniques which make malware prevention hard but user can defend common malware attacks by using a few prevention tips mentioned below.

Limited privilege user account: – Malware needs to be installed on the target system and requires admin account privileges to make the installation possible.  User accounts should be defined with no admin privileges so that any document or file containing malware will not install on your system due to insufficient user privilege (user may see a popup to provide admin user credentials to execute program and this is the moment to cancel further execution).

Install security updates for system OS as well as software: – To defend against remote system exploits and browser exploit kits, always install security updates for system OS as well as other system software which can be exploited by an attacker to perform code execution on user system. Update anti-virus and keep system firewall enabled for system activity/traffic inspection.

Avoid opening attachments from unknown senders: –  E-mail attachment is one of the common trick for malware spreading technique so either avoid opening attachments from unknown senders or open in isolated environment like a sandbox or Virtual machine. These actions will prevent host OS and its file from infection.

Take backup of critical/confidential and important data on regular basis: – Good practice is to ensure backup of critical/confidential data on a regular basis on a separate storage device. In case system is compromised due to highly sophisticated attack by ransomware, users may be able to restore required files from recent backups.