In 2016, ransomware became the biggest malware threat on the Internet. It provides a direct financial return, without having to resell stolen information, so it's attractive to criminals. Cryptocurrencies like Bitcoin let them collect payment with little risk of being traced. Institutions have paid as much as $17,000 to get their files back. Ransomware pulled in an estimated billion dollars in 2016, and the total has continued to grow through 2021. The average demand is a few hundred dollars. Keeping the amount relatively low makes people more willing to pay rather than bring in law enforcement.
How ransomware works
A ransomware attack usually starts with a phishing email message. If the victim opens the attachment, a small downloader runs and fetches the real payload. The downloaded malware encrypts selected files, or sometimes the whole drive, and then displays a message informing the user that the files are encrypted. It claims that the only way to recover them is to send a payment to a specified Bitcoin wallet, after which the victim will supposedly receive a key and instructions to decrypt the files. In a competently written family, the per-file keys are themselves encrypted with a public key whose private half never leaves the attackers' server, so nothing left on the victim's disk can undo the damage.
If the victim doesn't respond, the malware may encrypt more files over a period of time, creating pressure to respond quickly. The amount of money demanded may also go up. The encryption usually reaches any attached drives and mapped network shares as well as the main one, so that the user can't recover the files from a local backup.
There’s no guarantee, of course, that payment will result in getting the files recovered, or that there won’t be a follow-up attack. Crooks are, by definition, dishonest.
Encrypting files is just one possibility. Another variety locks up the computer, preventing the use of input devices or blocking applications. This kind is less effective, since it doesn’t damage the file system. It’s generally possible to remove the malware and get the system running again.
Some ransomware claims to extract personal information from the victim’s computer. It will threaten to sell credit card numbers and passwords, or to publicly expose embarrassing or incriminating information about the files on the computer. This variety is often called “doxware,” since it grabs documents for exposure. A large proportion of it is just a bluff, but how does the victim know for sure? Some attacks combine locking the computer with blackmailing, hoping to get a quick payment through fear.
A rogues’ gallery
Several names are prominent in the ransomware world. They generally refer to families of malware, since their maintainers keep changing them to circumvent defenses. Sometimes new kinds of ransomware adopt well-known names for the notoriety.
- Cryptowall runs on Windows and encrypts many types of files. Its demands increase if payment isn’t made quickly.
- CryptoLocker runs on Windows and encrypts data files with a hybrid scheme: each file gets its own symmetric key, and those keys are in turn encrypted with an RSA public key fetched from the attackers' server, so the private key needed for decryption never touches the victim's machine. A number of unrelated forms of ransomware have adopted its name.
- Locky arrives as a document file with malicious macros. It does a thorough job of encrypting files, and it goes after local backup copies (such as Windows shadow copies) and attached drives as well.
- Petya takes a different approach. Rather than encrypting individual files, it overwrites the boot record with its own loader and encrypts the drive's master file table while showing a fake disk-check screen. All the content is still there, but the information about which sectors belong to which files, and in what order, is lost. It's easier to recover from Petya than from the nastiest forms of file encryption.
- Satan is one of many new “ransomware as a service” offerings, providing accounts, translations, and customer support to subcontracting criminals, and a payment website to victims. It tries to avoid detection before encrypting files.
How to guard against ransomware
The most effective defense against encrypting ransomware is an offsite backup with frequent updates. There's no easy way to attack a backup that isn't reachable from the infected machine. Two details matter. The backup must keep versions: a plain mirror that syncs the current state of the disk will dutifully copy the encrypted files over the good ones at its next run. And the backup target must not be writable from the machine being protected, or the malware will simply encrypt or delete it too. Within those constraints, the more often it's updated, the lower the risk. If the backup runs once an hour, no more than an hour's work will be lost.
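To make the mirror-versus-versioned point concrete, here is an added example (not code from the original article): a mirror backup and a snapshot backup both run before and after a simulated infection, and only the snapshot repository still yields the original files. Everything runs in a temporary directory on constructed files; the "encryption" is a one-way SHA-256 digest standing in for the real thing, and all paths and labels are invented for the scenario.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def mirror_backup(src: Path, dst: Path) -> None:
    """Mirror-style backup: after each run the destination equals the source.
    Any damage already done to the source is faithfully copied across."""
    if dst.exists():
        shutil.rmtree(dst)
    shutil.copytree(src, dst)


def snapshot_backup(src: Path, repo: Path, label: str) -> Path:
    """Versioned backup: each run gets its own snapshot directory and no later
    run modifies an earlier one, so a pre-infection state stays restorable."""
    snap = repo / label
    shutil.copytree(src, snap)
    return snap


def restore(snapshot: Path, target: Path) -> None:
    """Replace the working tree with the contents of one snapshot."""
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(snapshot, target)


def simulate_encryption(folder: Path) -> int:
    """Stand-in for what encrypting ransomware does to a directory: every file
    is overwritten with bytes the original cannot be recovered from, then
    renamed. A SHA-256 digest replaces real encryption here (constructed
    scenario); it is one-way, which is all the demonstration needs.
    Returns the number of files hit."""
    hit = 0
    for p in [q for q in folder.rglob("*") if q.is_file()]:
        p.write_bytes(hashlib.sha256(p.read_bytes()).digest())
        p.rename(p.with_name(p.name + ".locked"))
        hit += 1
    return hit


def run_scenario() -> dict:
    """Infection happens between two scheduled backup runs. Compare what each
    strategy leaves you with afterwards. All paths and contents are constructed."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        docs = base / "docs"
        docs.mkdir()
        (docs / "thesis.txt").write_text("chapter 1: introduction\n")
        (docs / "budget.csv").write_text("item,cost\nlaptop,1200\n")

        mirror = base / "mirror"
        repo = base / "snapshots"
        repo.mkdir()

        # Run 1: both strategies capture the healthy state.
        mirror_backup(docs, mirror)
        snapshot_backup(docs, repo, "run-01")

        # Ransomware strikes, then the next scheduled run happens on time.
        encrypted = simulate_encryption(docs)
        mirror_backup(docs, mirror)
        snapshot_backup(docs, repo, "run-02")

        # The mirror now holds only *.locked files; the originals are gone.
        mirror_still_has_originals = (mirror / "thesis.txt").exists()

        # Recovery: roll the working tree back to the last good snapshot.
        restore(repo / "run-01", docs)
        return {
            "files_encrypted": encrypted,
            "mirror_still_has_originals": mirror_still_has_originals,
            "restored_thesis": (docs / "thesis.txt").read_text(),
            "snapshots_kept": sorted(p.name for p in repo.iterdir()),
        }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The snapshot directory here sits on the same disk as the working copy, which is only acceptable for a demonstration. In practice the repository belongs offsite, on storage the protected machine can write new snapshots to but cannot modify or delete (an append-only target or object storage with retention locks), because ransomware that can reach a writable backup will encrypt or delete the snapshots as readily as the documents.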
Good-quality security software is another key part of the defense. Spam filtering reduces the chance of opening a phishing message. The software will prevent known forms of ransomware from running, and products with behavioural detection can also stop an unknown variant once it starts rewriting files en masse. There are always new variants, so it won't provide 100% protection, but it greatly improves the odds of staying safe.
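Signature matching is what catches the "known forms"; the heuristic below is an added example (not from the original article) of what a behaviour-based check looks like, so that a new variant is caught by what it does rather than by what it is. It scores each file write by the Shannon entropy of the bytes written (ciphertext and compressed data sit near 8 bits per byte, documents well below 6) and alerts when one process produces several such writes in a short window, or touches a decoy "canary" file that no legitimate program should ever open. The event stream, file contents, process names and paths are all constructed for the demonstration, and the SHA-256 chain is a deterministic stand-in for ciphertext, not encryption.

```python
import hashlib
import math
from collections import Counter, deque


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte. Encrypted or compressed data sits near
    8.0; English text and most office documents sit well below 6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


class RansomwareHeuristic:
    """Behavioural detector for the encrypt-and-rename pattern.

    Two signals, each evaluated per writing process:
      1. any write to a canary (decoy) file that legitimate software never touches;
      2. at least `threshold` high-entropy writes within `window` seconds.
    """

    def __init__(self, canaries, window=10.0, threshold=5, entropy_cutoff=7.0):
        self.canaries = set(canaries)
        self.window = window
        self.threshold = threshold
        self.entropy_cutoff = entropy_cutoff
        self.recent = {}      # process -> deque of timestamps of high-entropy writes
        self.alerted = set()  # processes already reported, to avoid repeat alerts

    def observe(self, ts, process, path, data):
        """Feed one file-write event; return an alert string or None."""
        if process in self.alerted:
            return None
        if path in self.canaries:
            self.alerted.add(process)
            return f"{process}: wrote canary file {path}"
        if shannon_entropy(data) < self.entropy_cutoff:
            return None
        q = self.recent.setdefault(process, deque())
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop writes older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.alerted.add(process)
            return f"{process}: {len(q)} high-entropy writes in {self.window:.0f}s (latest {path})"
        return None


# Constructed stand-ins for file contents; no real documents are involved.
PLAINTEXT = (b"Quarterly report: revenue rose 4% on higher service volume. "
             b"Headcount flat; two open requisitions in support.\n") * 20
# A SHA-256 chain is not encryption, but its byte distribution is just as flat.
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))


def run_simulation():
    """Replay a constructed event stream and collect the alerts raised."""
    canary = r"C:\Users\alice\Documents\~$canary.docx"   # decoy path, invented
    det = RansomwareHeuristic(canaries={canary})
    events = [
        (0.0, "WINWORD.EXE", r"C:\Users\alice\Documents\budget.docx", PLAINTEXT),
        (1.0, "WINWORD.EXE", r"C:\Users\alice\Documents\memo.docx", PLAINTEXT),
    ]
    # A suspicious process rewrites files with flat byte distributions and a new extension.
    events += [(30.0 + i * 0.5, "svchost_.exe",
                rf"C:\Users\alice\Documents\file{i}.docx.locky", CIPHERTEXT)
               for i in range(6)]
    # A second process trips the decoy regardless of what it writes.
    events.append((60.0, "update.exe", canary, PLAINTEXT))
    return [a for a in (det.observe(*e) for e in events) if a]


if __name__ == "__main__":
    for alert in run_simulation():
        print("ALERT", alert)
```

Real products add what this toy leaves out: they read the bytes from the kernel's file-system filter rather than trusting an event feed, they suspend the offending process instead of just printing, and they tune the entropy cutoff per file type, because a legitimately saved ZIP or JPEG is as high-entropy as ciphertext and would otherwise count against the threshold.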
Email is the most common way of deploying ransomware, so common sense in reading mail is a major help. The best thing to do with email attachments from strangers is to throw them out. A document that asks you to click “Enable Content” before it will display is asking to run macros, which is exactly how Locky gets in. Links claiming to give information about deliveries or contracts should be considered poisonous until proven otherwise.
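For the mail gateway side of this advice, and for the macro-laden documents that carry Locky in the rogues' gallery above, here is an added example (not from the original article) of triaging attachments by content rather than by file name. Modern Office files are zip packages, and a VBA project shows up as a `vbaProject.bin` part and as a `vbaProject` content type in `[Content_Types].xml`, so a renamed `.docm` is still caught; legacy binary (OLE) files are routed to review because inspecting their macro streams needs a proper OLE parser. The sample attachments are constructed in memory and are not real documents; the file names are invented.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/.xlsm ...) container
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> str:
    """Classify an attachment by content, never by extension.

    Returns one of:
      'macro'      - OOXML package carrying a VBA project (a vbaProject.bin part
                     or a vbaProject content type declared in [Content_Types].xml)
      'legacy-ole' - binary Office container; macros live in OLE streams, which
                     needs a real OLE parser (e.g. oletools), so it goes to review
      'clean'      - OOXML package with no VBA project
      'not-office' - anything else
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            if "[Content_Types].xml" in names and \
                    VBA_CONTENT_TYPE in pkg.read("[Content_Types].xml"):
                return "macro"
    except zipfile.BadZipFile:
        return "not-office"
    return "clean"


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style zip in memory. It is not a document Word
    would open, only the parts the classifier inspects (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        overrides = [b'<Override PartName="/word/document.xml" '
                     b'ContentType="application/vnd.openxmlformats-officedocument'
                     b'.wordprocessingml.document.main+xml"/>']
        if with_macro:
            overrides.append(b'<Override PartName="/word/vbaProject.bin" '
                             b'ContentType="application/vnd.ms-office.vbaProject"/>')
            pkg.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
        pkg.writestr("[Content_Types].xml",
                     b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     + b"".join(overrides) + b"</Types>")
        pkg.writestr("word/document.xml", b"<w:document/>")
    return buf.getvalue()


def triage(attachments: dict) -> dict:
    """Map each attachment name to its verdict; the name is for display only."""
    return {name: classify_attachment(data) for name, data in attachments.items()}


# Constructed sample attachments. Note that the extension lies in two cases.
SAMPLE_ATTACHMENTS = {
    "invoice_4471.docm": build_ooxml(with_macro=True),
    "report.docx": build_ooxml(with_macro=False),
    "contract.docx": build_ooxml(with_macro=True),     # macro project despite the .docx name
    "old_notes.doc": OLE_MAGIC + b"\x00" * 64,
    "tracking.pdf": ZIP_MAGIC + b"\x00" * 16,          # zip magic but not a valid archive
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:11} {name}")
```

A verdict of `macro` is a reason to quarantine, not proof of malice; plenty of internal spreadsheets carry macros. The useful gateway policy is to strip or hold macro-bearing documents from external senders, which removes the "Enable Content" decision from the user entirely.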
It’s possible to recover files from some kinds of ransomware without paying the extortion fee, typically because the authors made a cryptographic mistake (a key left on the disk, a predictable key) or because law enforcement has seized the keys, and a free decryptor has been published. Recovery services know how to handle these cases. With new variants, or ones that use strong encryption correctly, there may not be any way to recover. Backup is extremely important.
How ransomware is changing
The perpetrators of ransomware are increasing the range of techniques they use. Some have infiltrated legitimate online ads to insert malicious scripts. For a while, SVG images with embedded JavaScript, sent through Facebook Messenger, were a vector.
It’s easy for anyone to jump in; all that’s required is a little money, a little computer knowledge, and no scruples. Big operators run ransomware as a service, letting small-time crooks launch attacks through their facilities and collecting a cut. One gang offers a “lifetime license” for just $39. It’s not hard to see why thieves would find that an attractive investment. It’s a lot less work, and less dangerous, than mugging people in dark alleys.
Law enforcement is getting to understand ransomware better, and security experts are getting better at keeping up with it, but it will be around for a long time. When people find an easy way to take what belongs to someone else, they don’t give it up easily.
avantechitllc says
End user training is ever important!
Jason says
Very much so! All too often, investigations find that the weak point was the human.