# Ransomware

Ransomware is a type of malicious software that first infects a computer system. Once infected, users of the system can no longer access the system or parts of it. This means that important data stored on the system will no longer be accessible. If these systems are part of an organization, normal operations will be affected.

Those who control and distribute such ransomware often demand a payment (aka ransom) from the users. Once payment is made, often via untraceable cryptocurrencies, affected users are allowed to regain access to their system. Without a payment, it's often difficult if not impossible to regain access.

Since 2013, ransomware has become more sophisticated with the use of public key cryptography. The best defence is to adopt best practices in computer and network security, as well as user awareness.

## Discussion

• What are the types of ransomware?

There are basically two types of ransomware:

• Lockers: These deny access to the infected device and severely limit user interaction. The screen may display information on how to make payment. Mouse interaction may be disabled and only a few keys on the keyboard may be enabled to enter payment information. System files and user data are usually untouched. With lockers, tech-savvy users with the right tools may be able to unlock the device and avoid the ransom. Lockers use social engineering to pressure users into paying up.
• Cryptos: These identify important files on the system and prevent user access to these files. In most cases, they encrypt the files. Cryptos work silently in the background until the files have been encrypted and then inform the user. The user can still use the infected device but without access to important data; without a proper backup, they usually have no choice but to pay up.

• What are the steps by which a crypto ransomware infects a system?

Crypto ransomware usually works in stages:

• Arrival: Ransomware gets triggered when a user clicks a link in an email or on a website. It downloads itself onto the system and starts running in the background.
• Contact: It contacts its command and control (C&C) server to exchange configuration information. This may include cryptographic keys for later use.
• Search: It searches the system for important files by their file types.
• Encryption: It then generates encryption keys, which might involve the keys exchanged earlier with the C&C server. These keys are used to encrypt the files identified by its search. Telltale signs include slowdown of the system and flickering of the hard drive light.
• Ransom: The ransom message is displayed to the user once all identified files have been encrypted.
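
As an added example (not from the original article), the following Python check illustrates one way a defender can detect the Encryption stage after the fact: a file that should start with a known signature but is now statistically random. The signatures, the 7.5 bits/byte threshold and the sample files are constructed assumptions.

```python
"""Illustrative check for the Encryption stage described above: a file whose header no
longer matches its extension and whose bytes look random is a candidate for having been
encrypted. Constructed sample data; thresholds and signatures are assumptions to tune."""
import math
import random
from collections import Counter
from typing import Dict, List, Optional

# Leading bytes (magic numbers) of a few common document and image types.
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",
    "docx": b"PK\x03\x04",  # Office Open XML is a ZIP container
}
HIGH_ENTROPY = 7.5  # bits per byte; text sits far lower, ciphertext approaches 8

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def header_matches(filename: str, data: bytes) -> Optional[bool]:
    """True/False when the extension has a known signature, None when the type is unknown."""
    sig = MAGIC.get(filename.rsplit(".", 1)[-1].lower())
    return None if sig is None else data.startswith(sig)

def looks_encrypted(filename: str, data: bytes) -> bool:
    """Flag a file that should carry a recognizable header but is now high-entropy noise."""
    return header_matches(filename, data) is False and shannon_entropy(data) >= HIGH_ENTROPY

def scan(files: Dict[str, bytes]) -> List[str]:
    """Names that look encrypted; a burst of such hits in a short time is what a monitor alerts on."""
    return [name for name, data in files.items() if looks_encrypted(name, data)]

def sample_files() -> Dict[str, bytes]:
    """Constructed inputs: an intact PDF, a 'PDF' whose contents were replaced by random
    bytes (standing in for ciphertext), and a text file with no known signature."""
    rng = random.Random(2017)  # seeded so the result is reproducible
    intact = b"%PDF-1.4\n" + b"quarterly report text " * 100
    scrambled = bytes(rng.randrange(256) for _ in range(4096))
    return {"report.pdf": intact, "budget.pdf": scrambled, "notes.txt": b"plain notes"}
```

Compressed archives also score high on entropy, which is why the header check is combined with it rather than used alone.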

• What are the potential entry points for ransomware?

Ransomware can arrive by email containing a link or an attachment. If it's a link, the user is lured to click it, download a file and execute it. If it's an attachment, the user is lured to open it. Attachments could be Microsoft Office documents, XML documents, ZIP files containing a JavaScript file, or files with multiple extensions. The JS script, upon execution, will download the ransomware. Microsoft Office documents may contain the ransomware embedded in them as a macro.

Ransomware could also arrive when a user visits a malicious or compromised website. This is done using exploit kits. Some of these include Angler, Neutrino and Nuclear. These kits probe the user's device for vulnerabilities and exploit them immediately. They can spread more easily since they can infect without users clicking or downloading anything.

A common way to lure unsuspecting users is via what's called phishing. An email or website attempts to pass itself off as a trusted service provider. Text is worded in a manner that sounds convincing and legitimate. This is called social engineering.
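
An added example, not from the original article, showing how a mail gateway might screen attachments for the lures described above: scripts and executables, macro-enabled Office files, names with multiple extensions, and ZIP archives carrying a JavaScript file. The extension lists and the sample archive are constructed for illustration.

```python
"""Heuristic screening of e-mail attachment names and ZIP contents for the lures
described in the text. Illustrative rules only; tune the lists for your environment."""
import io
import zipfile
from typing import List

# Extensions that execute code when opened (scripts, executables) and macro-enabled Office formats.
EXECUTABLE_EXTS = {"exe", "dll", "js", "jse", "vbs", "wsf", "ps1", "hta", "scr", "bat", "cmd"}
MACRO_EXTS = {"docm", "xlsm", "pptm"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "txt", "jpg", "png"}  # types a lure pretends to be

def classify_name(filename: str) -> List[str]:
    """Return the reasons a bare filename looks like a lure (empty list = nothing found)."""
    parts = filename.lower().split(".")
    reasons: List[str] = []
    if len(parts) < 2:
        return reasons
    ext, inner = parts[-1], parts[1:-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable/script extension .{ext}")
    if ext in MACRO_EXTS:
        reasons.append(f"macro-enabled Office document .{ext}")
    # "invoice.pdf.js": a decoy document extension placed before the real, executable one
    if any(p in DECOY_EXTS for p in inner) and ext not in DECOY_EXTS:
        reasons.append("multiple extensions masking the real type")
    return reasons

def classify_attachment(filename: str, data: bytes) -> List[str]:
    """Screen an attachment by its name and, for ZIP archives, by the names of its members."""
    reasons = classify_name(filename)
    if filename.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                for r in classify_name(member):
                    reasons.append(f"archive member {member!r}: {r}")
    return reasons

def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP carrying a stand-in for a JavaScript downloader (inert text)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2017.js", "// constructed placeholder, not a real script\n")
    return buf.getvalue()
```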

• How is cryptography used by crypto ransomware?

Crypto ransomware uses a combination of symmetric and asymmetric keys. Typically, the symmetric key is used to encrypt the files while the asymmetric public key is used to encrypt the symmetric key. Thus, to decrypt the files one requires the symmetric key, which can be decrypted only when the asymmetric private key is available. The asymmetric private key is kept secret at the C&C server.

For example, CryptoDefense uses a randomly generated AES key to encrypt files, but this key itself is encrypted using RSA. The RSA public key is downloaded from the C&C server. CTB-Locker does something similar except that the RSA public key is embedded in the ransomware so that the attack can be completed even without an Internet connection. In fact, CTB-Locker uses a combination of AES, SHA256 and ECDH (curve25519).

Cerber uses RC4 for encryption and involves an extra step of RSA key-pair generation. Petya uses ECDH (secp192k1) and SALSA20 algorithms.

• What are some variations among ransomware out there?

Ransomware comes in many variations. It constantly evolves so that countermeasures are made ineffective. Here are some variations:

• WannaCry was also a worm, able to spread itself to other devices on the network without user intervention.
• WannaCry gave a deadline for payment and threatened that the ransom would go up if the victim did not comply.
• In addition to denying users access, RAA ransomware and MIRCOP stole passwords and sent them to the C&C server.
• Many used social engineering to confuse and intimidate users, saying that users had broken the law in some way. If the ransom went unpaid, they would be reported to the police.
• While most ransomware were executables (.exe, .dll), others used a scripting language: JScript for Cryptowall 4.0's downloader and RANSOM_JSRAA.A; PowerShell script for PowerWare.
• Jigsaw regularly deleted encrypted files until the ransom was paid. CryptoLocker instead threatened to delete private encryption key, which meant that data could never be recovered.
• Petya, Satana, and GoldenEye modified the hard drive MBR (Master Boot Record) with a custom boot loader.
• CTB-Locker used partners and revenue sharing to spread faster.

• Could you name some ransomware attacks that caused significant damage?

Ransomware can affect any device including laptops, servers and smartphones. Ransomware can affect home users and lock them out of their personal data. It can affect organizations such as hospitals, schools, government agencies, and more. Attackers don't care who the target is, but they do set the ransom based on what they think the victims are likely to pay.

In February 2016, Hollywood Presbyterian Medical Center was infected by Locky ransomware. Ransom was 40 Bitcoins, about $17,000. San Francisco's transit system, Muni, was attacked in November 2016. Ransom was $73,000 in Bitcoins. In January 2017, Austrian hotel Romantik Seehotel Jaegerwirt was attacked. Electronic room keys did not work and the reservation system was paralyzed. The attackers demanded payment of $1,800 in Bitcoins. In June 2017, University College of London was attacked. The city of Atlanta was crippled for five days by ransomware demanding $51,000. Boeing plant in Charleston was hit by WannaCry in March 2018.

• Is the Internet-of-Things (IoT) vulnerable to ransomware?

With IoT, the attack surface widens: thermostats, security cameras, smart locks, connected cars, power grids and other industrial systems can all get infected. Unlike traditional ransomware, which denies users access to their data, IoT ransomware cannot rely on that lever because IoT data is often in the cloud. Instead, ransomware in IoT will be about paralyzing systems: traffic jams, power outages, malfunctioning equipment, etc.

In 2016, the Mirai botnet infected more than 600,000 IoT devices and then used these devices to launch a distributed Denial of Service (DDoS) attack on web services. Although Mirai was not ransomware, it showed the potential of using IoT devices for large-scale attacks. Mirai was possible because IoT devices at the time were (and perhaps even now are) less secure than enterprise IT systems. Mostly, routers and cameras were compromised. Users often keep default credentials and rarely update or even log in to these devices.

A variety of IoT devices exist and any ransomware must have variants or mutate on its own to infect this variety. Since many IoT devices lack a display, ransomware will also need to obtain email addresses and phone numbers to notify users about the ransom.

• How can I protect myself from ransomware?

Take regular backups of critical data. Keep your security software and OS updated on a regular basis. Be wary of unexpected mails with links or attachments. Be wary of Microsoft Office attachments that ask you to enable macros.

If infected, disconnect the affected device from your network. Scan all other devices on your network. Identify the ransomware and try recovery if possible. If not, reformat the device and restore data from clean backups. Report the incident to local authorities.

## Milestones

1989

Joseph L. Popp distributes 20,000 floppy disks containing what could be the first known ransomware. Called the 1989 AIDS Trojan, it hides folders and encrypts file names. Victims are asked to send $189 to a post office box in Panama.

2009

Fake anti-virus programs become increasingly common. They inform users that they can "fix" problems in their systems for a fee.

2011

Without doing any encryption, Trojan.Winlock simply displays a fake Windows Product Activation notice. Users are asked to call a premium international number to obtain an activation key.

Sep 2013

Ransomware gets modern and sophisticated with the release of CryptoLocker. It uses RSA public-key cryptography and keeps the private key safe at its command and control (C&C) server. The attack lasts from September 2013 to May 2014, in which period it collects $3 million from its victims. An improved version called CryptoLocker 2.0 arrives in December. It uses Tor and Bitcoin for anonymity and is not detected by anti-virus or firewall.

2015

Ransomware that encrypts files on an Android device arrives on the scene. It's called SimpleLocker. It uses a trojan downloader. Another one called LockerPin resets the PIN on the phone and demands $500 ransom to unlock the device.

2016

The number of variants of ransomware increases dramatically in 2016. From Q4-2015 to Q1-2016, ransomware increases by 3,500% and payments increase tenfold. The US Justice Department states that in 2016 ransomware attacks increased four times to 4,000 a day. Mac OS X gets infected by KeRanger via the Transmission BitTorrent client.

May 2017

Ransomware WannaCry exploits a vulnerability in the SMB protocol, a vulnerability present in old unsupported versions of Windows. The attack is contained within a few days but not before it infects 200,000 computers across 150 countries. Kaspersky Lab reports that 98% of the successful attacks were on computers running Windows 7.

Jun 2017

Using the same SMB vulnerability that WannaCry exploited, once seeded, NotPetya spreads to computers on its own without needing spam emails or social engineering. It encrypts the Master Boot Record (MBR) and a lot more. It tricks users into paying a ransom but in fact the encryption process is irreversible.

Dec 2017

SophosLabs publishes an article on Ransomware-as-a-Service (RaaS). These are available on the Dark Web, some even offering support. These enable non-technical folks to launch their own ransomware variant. Presumably, RaaS has been available on the Dark Web for a year or two.

## Cite As

Devopedia. 2020. "Ransomware." Version 5, January 6. Accessed 2022-09-22. https://devopedia.org/ransomware
Contributed by 2 authors. Last updated on 2020-01-06 12:38:32.