In May 2017, a ransomware worm called WannaCry swept across the internet and caused enormous damage, one of the largest outbreaks ever reported. WannaCry exploited a vulnerability in the SMB service of Windows (patched by Microsoft two months earlier as MS17-010) and infected well over 200,000 machines in about 150 countries within a few days. That was not the only wave. In late June 2017, another strain that resembled Petya (later dubbed NotPetya) hit Ukraine first and then spread to companies and institutions across Europe and beyond, including the UK. It even knocked out the automated radiation monitoring system at the Chernobyl plant.
Ransomware is now automated and aimed at virtually everybody. Some security experts have warned that if you have not been hit yet, ransomware is headed your way. In this post, we demystify ransomware and set out the best strategies for protecting your systems.
What Exactly is Ransomware? How Different is it from other Malware?
Ransomware is malware that blocks the victim's access to their files or computer and demands a ransom to restore it. Ransomware can be categorized into two main types:
- Encrypting ransomware: This strain takes over the files on a computer, encrypts them with strong cryptography, and demands a ransom in exchange for the decryption key.
- Locker ransomware: Unlike the first type, locker ransomware locks the victim out of the operating system itself, so the desktop, files and applications cannot be reached. The files are not actually encrypted, but a ransom is still demanded.
Ransomware differs from other malware in the following ten ways:
- It uses strong, correctly applied encryption. In practice this means the victim cannot decrypt the files without the key held by the attackers; only strains with flawed implementations or leaked keys have ever been decrypted without paying.
- It can encrypt all kinds of files: documents, videos, images, audio, databases and more.
- Some strains also scramble the file names, so the victim cannot easily tell which files were affected.
- The malware usually appends a special extension to encrypted files, and that extension often identifies the specific strain.
- A ransom note is displayed on the infected computer, telling the victim that the data has been encrypted and demanding payment.
- Payment is demanded in Bitcoin because the currency is pseudonymous: every transaction is public, but tying a wallet to the person who cashes out is hard.
- The ransom comes with a deadline. If the victim does not pay in time, the price goes up or the attackers claim the decryption key will be deleted and the data lost for good.
- Ransomware is packed and obfuscated in constantly changing variants that easily slip past signature-based antivirus.
- Some strains recruit infected computers into botnets so that the attack can be expanded, which also speeds the spread to other computers on the same network.
- Ransomware is sometimes geo-targeted, especially when the companies and individuals of interest are located in a specific area, country or region.
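Several of the traits above (strain-specific extensions, dropped ransom notes, and files whose bodies suddenly look like random data) can be checked for directly. The script below is an added example written for this article, not code from any ransomware family or vendor product. It walks a directory and applies three rules: a known extension, a known note file name, and high Shannon entropy in a file type that should be plain text. The indicator tables are an illustrative subset of names publicly associated with the strains this page names, not a complete list, and the sample directory it builds is constructed for the demonstration.

```python
"""Triage a directory tree for file-level ransomware artefacts.

Added example for this article, not code from any of the ransomware families
or vendor tools it mentions. The indicator tables are illustrative and
deliberately short; real detection uses much larger, maintained lists.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions publicly associated with strains named in the article
# (assumption: illustrative subset, not a complete or authoritative list).
RANSOM_EXTENSIONS = {
    ".wncry": "WannaCry", ".wncryt": "WannaCry", ".wnry": "WannaCry",
    ".locky": "Locky", ".zepto": "Locky", ".odin": "Locky",
    ".cerber": "Cerber", ".cerber2": "Cerber", ".cerber3": "Cerber",
    ".uiwix": "Uiwix",
}
# Ransom-note file names publicly associated with the same strains (same caveat).
RANSOM_NOTES = {
    "@please_read_me@.txt": "WannaCry",
    "_locky_recover_instructions.txt": "Locky",
    "# decrypt my files #.txt": "Cerber",
    "help_decrypt.txt": "CryptoWall",
}
# Formats that are plain text when healthy; their bodies should never look random.
LOW_ENTROPY_EXTENSIONS = {".txt", ".csv", ".log", ".xml", ".json", ".html", ".ini", ".md"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits near 8.0, English text near 4.5
SAMPLE_BYTES = 64 * 1024  # enough of a file to judge, without reading huge files whole


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root) -> dict:
    """Walk `root` and return artefacts grouped by the rule that matched them."""
    findings = {"extension": [], "note": [], "entropy": [], "strains": set()}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        name = path.name.lower()
        if ext in RANSOM_EXTENSIONS:            # renamed ciphertext, e.g. budget.csv.locky
            findings["extension"].append(str(path))
            findings["strains"].add(RANSOM_EXTENSIONS[ext])
        elif name in RANSOM_NOTES:              # the note dropped beside the files
            findings["note"].append(str(path))
            findings["strains"].add(RANSOM_NOTES[name])
        elif ext in LOW_ENTROPY_EXTENSIONS:     # encrypted in place, name untouched
            with open(path, "rb") as fh:
                sample = fh.read(SAMPLE_BYTES)
            if len(sample) >= 256 and shannon_entropy(sample) > ENTROPY_THRESHOLD:
                findings["entropy"].append(str(path))
    return findings


def make_sample_tree() -> str:
    """Build a constructed victim directory in a temp folder and return its path."""
    root = tempfile.mkdtemp(prefix="ransom-triage-")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "notes.txt").write_text("Meeting notes: " + "review the quarterly numbers. " * 40)
    (docs / "budget.csv.locky").write_bytes(os.urandom(8192))   # renamed ciphertext
    (docs / "config.json").write_bytes(os.urandom(8192))        # encrypted in place
    (docs / "_Locky_recover_instructions.txt").write_text("!!! IMPORTANT INFORMATION !!!\n")
    return root


if __name__ == "__main__":
    result = triage(make_sample_tree())
    for rule in ("extension", "note", "entropy"):
        for hit in result[rule]:
            print(f"{rule:9s} {hit}")
    print("strains:", ", ".join(sorted(result["strains"])) or "none")
```

The entropy rule is restricted to formats that are plain text when healthy, because compressed formats such as .docx, .jpg and .zip already score near 8 bits per byte and would drown the result in false positives.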
Origin of Ransomware and Some Facts from the Past
To appreciate the effort that protection and removal require, it helps to look at ransomware's history. It can be traced back to 1989 and the AIDS Trojan, which spread on floppy disks. The ransom at the time was $189, to be mailed to a post office box in Panama.
The arrival of strong public-key cryptography and of Bitcoin, which lets criminals collect payment with little risk of being identified, has changed things completely. Unlike in the past, today's attackers are not hackers seeking recognition or mischief; they are driven by profit. They want cash for their efforts, and if the victim does not pay they simply leave the data encrypted and unrecoverable.
The worst part of the WannaCry outbreak is what it confirmed: ransomware is here to stay. Because it reliably turns infections into cash, security experts agree that new and evolving strains will be around for a long time. With ransomware-as-a-service, anonymous payment methods and the impossibility of building completely secure software, ransomware is going nowhere.
How Ransomware Infects and Whom It Targets
To choose the most effective protection, it is prudent to understand how ransomware gets in. In most cases the victim receives an email with a malicious link or attachment carrying the malware; infection can also come from a website set up to serve it. WannaCry was the exception: it spread by itself, as a worm, by exploiting the unpatched SMB vulnerability on Windows machines reachable over the network, with no email and no click needed.
If the victim clicks the link or opens the attachment (often a document that asks the user to enable macros), a small downloader lands on the PC. The downloader contacts domains controlled by the criminals and fetches the actual ransomware. The malware then encrypts the contents of the local drives, mapped network shares and any cloud folders synced to the PC, and finally a popup appears demanding payment for the decryption key. Ransomware spreads using the following methods:
- Exploit kits that abuse vulnerabilities in browsers and other software
- Malvertising campaigns
- SMS messages carrying malicious links
- Spam email campaigns
- Redirecting internet traffic to malicious sites
- Self-propagation across networks, as WannaCry did
- Well-choreographed schemes run by affiliates of ransomware-as-a-service operations
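The email route described above is where a mail gateway can intervene, by classifying attachments before a user sees them. The script below is an added example for this article, not code from any mail product or from the malware families the page names. It blocks attachments Windows would execute directly (including double extensions such as invoice.pdf.js), opens Office OOXML files as the zip archives they are and blocks any that carry a VBA project (word/vbaProject.bin) regardless of what the extension claims, inspects zip attachments recursively, and sends legacy binary Office formats and password-protected archives for manual review. The extension lists, the three-way verdict and the sample attachments are all constructed for the demonstration.

```python
"""Classify email attachments the way a mail gateway would, before a user can open them.

Added example for this article; not code from any mail product or from any of the
malware families named on the page. Uses only the standard library and the OOXML
structure of Office files (a zip whose macro project is stored as vbaProject.bin).
"""
import io
import zipfile

# Extensions Windows executes directly on double-click (assumption: illustrative subset).
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".vbe",
              ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".jar", ".lnk"}
MACRO_ENABLED = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
OOXML = MACRO_ENABLED | {".docx", ".xlsx", ".pptx"}
LEGACY_OLE = {".doc", ".xls", ".ppt"}            # binary formats: macros need a real parser
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE2 compound file signature
ARCHIVES = {".zip"}
MAX_DEPTH = 2                                    # nested archives deeper than this get reviewed


def extension(name: str) -> str:
    """Lower-cased final extension; 'invoice.pdf.js' gives '.js'."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def ooxml_has_macros(data: bytes) -> bool:
    """True when the OOXML zip carries a VBA project, whatever its extension says."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify(name: str, data: bytes, depth: int = 0) -> str:
    """Return 'block', 'review' or 'allow' for one attachment."""
    ext = extension(name)
    if ext in EXECUTABLE:
        return "block"
    if ext in OOXML:
        if ooxml_has_macros(data):
            return "block"
        return "review" if ext in MACRO_ENABLED else "allow"   # macro-enabled type, no macro found: odd, so review
    if ext in LEGACY_OLE or data.startswith(OLE_MAGIC):
        return "review"                                        # cannot judge macros here
    if ext in ARCHIVES:
        if depth >= MAX_DEPTH:
            return "review"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                verdicts = {classify(m.filename, zf.read(m), depth + 1)
                            for m in zf.infolist() if not m.is_dir()}
        except (zipfile.BadZipFile, RuntimeError):             # RuntimeError: encrypted member
            return "review"
        if "block" in verdicts:
            return "block"
        return "review" if "review" in verdicts else "allow"
    return "allow"


def build_ooxml(with_macros: bool) -> bytes:
    """Constructed minimal Word package; real documents carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)   # placeholder bytes
    return buf.getvalue()


def build_zip(members: dict) -> bytes:
    """Constructed zip archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, payload in members.items():
            zf.writestr(member, payload)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {                                   # constructed attachments
        "Invoice_2017.docm": build_ooxml(True),
        "Invoice_2017.docx": build_ooxml(True),   # macro hidden behind a "safe" extension
        "Report.docx": build_ooxml(False),
        "scan.pdf.js": b"var s = new ActiveXObject('WScript.Shell');",
        "payroll.zip": build_zip({"payroll.xlsx.js": b"..."}),
        "old_contract.doc": OLE_MAGIC + b"\x00" * 512,
        "brochure.pdf": b"%PDF-1.4 ...",
    }
    for attachment, body in samples.items():
        print(f"{classify(attachment, body):6s} {attachment}")
```

The "review" bucket matters as much as "block": legacy .doc files and password-protected zips are exactly what phishing campaigns use to get past a filter that can only say yes or no.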
Note that attacks keep getting more refined, and a different strain can hit you again after you have recovered from one. The top targets are institutions and companies that can make the largest payments: banks, data management companies and government bodies have all been hit. But the malware now goes after individuals as well.
- Home users are targeted because they rarely keep backups, run little security software and fall short on safe online habits.
- Companies and businesses are attacked because they have money, and a successful infection causes so much disruption and loss that they are under pressure to pay.
- Government institutions are targeted because they run huge databases and their staff often lack proper training in cyber security.
Ransomware is carefully engineered to evade antivirus. Home or corporate antivirus frequently misses a fresh strain because the file is packed and obfuscated so that no known signature matches. Communication with the command-and-control servers is encrypted, so it is hard to pick out in network traffic. The malware also uses anti-sandboxing tricks (refusing to run when it detects an analysis environment) and domain shadowing, in which attackers create throwaway subdomains under legitimate domains whose registrar accounts they have hijacked, so that exploit delivery and C2 traffic look benign. And even when antivirus does catch a specific strain, its authors repack it and the next variant goes undetected again.
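Encrypted C2 traffic hides its content but not the DNS lookups that precede it, and domain shadowing leaves a characteristic trace there: a burst of random-looking subdomains under one otherwise reputable domain, each queried by only a machine or two. The script below is an added example for this article, not code from any product or from the malware the page describes. It parses a constructed DNS query log, groups hostnames by registered domain, and flags domains with many distinct high-entropy leftmost labels seen by few clients. The log format, the thresholds and the two-label notion of "registered domain" (which ignores the public suffix list, so co.uk-style domains would be grouped wrongly) are all assumptions of the example.

```python
"""Flag domain shadowing in DNS query logs.

Added example for this article, not taken from any product or from the
malware it describes. Log format, thresholds and the sample records are all
constructed for the demonstration.
"""
import math
import re
from collections import Counter, defaultdict

# Assumed log format: "<timestamp> <client-ip> <qtype> <query-name>".
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(A|AAAA|CNAME|TXT)\s+(\S+?)\.?$")

MIN_SUBDOMAINS = 5   # distinct suspicious hostnames under one domain before we flag it
MIN_ENTROPY = 2.3    # bits per character of the leftmost label; "www" 0.0, "mail" 2.0, "q3k8z1" 2.58
MAX_CLIENTS = 2      # legitimate hostnames are normally queried by many clients

# Constructed sample: a normal intranet domain plus a shadowed small-business domain.
SAMPLE_LOG = """\
2017-05-12T09:00:01Z 10.0.0.5 A www.contoso.example
2017-05-12T09:00:02Z 10.0.0.6 A www.contoso.example
2017-05-12T09:00:03Z 10.0.0.7 A mail.contoso.example
2017-05-12T09:00:04Z 10.0.0.5 A cdn.contoso.example
2017-05-12T09:01:10Z 10.0.0.5 A q3k8z1.florist.example
2017-05-12T09:01:11Z 10.0.0.5 A xv72ma.florist.example
2017-05-12T09:01:12Z 10.0.0.5 A p0e4kd.florist.example
2017-05-12T09:01:13Z 10.0.0.5 A h9n2rt.florist.example
2017-05-12T09:01:14Z 10.0.0.5 A b6w1uc.florist.example
2017-05-12T09:01:15Z 10.0.0.5 A k2y8fm.florist.example
2017-05-12T09:02:00Z 10.0.0.9 A www.florist.example
this line is malformed and must be skipped
"""


def parse(lines):
    """Yield (client, hostname) for lines in the assumed format; skip the rest."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield m.group(2), m.group(4).lower()


def registered_domain(hostname: str) -> str:
    """Last two labels (assumption: no public-suffix handling)."""
    labels = hostname.split(".")
    return ".".join(labels[-2:])


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; random labels score high, words low."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def find_shadowed(lines) -> dict:
    """Return {registered_domain: sorted suspicious hostnames} for domains that look shadowed."""
    clients_by_host = defaultdict(lambda: defaultdict(set))   # domain -> hostname -> clients
    for client, hostname in parse(lines):
        domain = registered_domain(hostname)
        if hostname != domain:                                 # ignore bare apex queries
            clients_by_host[domain][hostname].add(client)
    flagged = {}
    for domain, hosts in clients_by_host.items():
        suspicious = [
            host for host, clients in hosts.items()
            if label_entropy(host.split(".")[0]) >= MIN_ENTROPY and len(clients) <= MAX_CLIENTS
        ]
        if len(suspicious) >= MIN_SUBDOMAINS:
            flagged[domain] = sorted(suspicious)
    return flagged


if __name__ == "__main__":
    for domain, hosts in find_shadowed(SAMPLE_LOG.splitlines()).items():
        print(f"{domain}: {len(hosts)} suspicious hostnames")
        for host in hosts:
            print("   ", host)
```

Tune the thresholds against your own resolver logs before trusting the output: a CDN or a large SaaS tenant can legitimately produce many odd-looking subdomains, which is why the client-count condition is there alongside the entropy one.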
The Most Dangerous Strains of Ransomware Today
The 2017 attacks demonstrated the threat that companies and individuals face from fast-mutating strains of the malware. From the radiation monitoring system at Chernobyl to banks, the most notorious strains of ransomware include:
- WannaCry: The worm that hit institutions across Europe and the rest of the world in May 2017. By 24 May, over 200,000 victims in about 150 countries had been affected.
- Petya: First seen in 2016, this strain is recognizable for overwriting the Master Boot Record so that its payload runs before Windows boots, encrypting the file system index rather than individual files. A Petya-like strain with worm capabilities (NotPetya) was behind the June 2017 attacks.
- Cerber: Considered relatively old, but its use has risen sharply. By the end of the first quarter of 2017 it had become the dominant family, accounting for about 90% of ransomware detections in some vendor statistics.
- Locky: One of the most prolific strains on this list. It was first noted in February 2016 and made headlines when a hospital in Hollywood paid $17,000 to recover its files.
- Uiwix: A recent strain that spreads through the same SMB vulnerability as WannaCry and encrypts victims' files in the same way. Unlike WannaCry, it has no kill-switch domain, and it keeps changing over time, so a sample caught once does not stay detectable.
- TorrentLocker: A file-encrypting ransomware first detected in 2014. Its makers presented it as CryptoLocker to trade on that name's notoriety and confuse victims. It relies on spam emails for distribution.
- CryptoWall: Often described as a CryptoLocker copycat, CryptoWall has reached at least its third version and spreads through drive-by downloads and exploit kits.
The Best Methods of Protection from Ransomware
For most people the first question is not how WannaCry infects a machine but how to prevent ransomware at all. The threat is real enough that you should start working on prevention now, not tomorrow. The following are the top strategies for staying protected.
(i) At the PC level
- Never keep the only copy of important data on the PC.
- Keep several backups of your data, at least one of them offline or otherwise unreachable from the PC, because ransomware encrypts every drive and share it can write to.
- Do not rely on OneDrive or Dropbox sync as a backup: the sync client will faithfully upload the encrypted versions. Make sure file versioning is turned on so older versions can be restored.
- Always keep the OS and applications up to date; WannaCry only spread because the March 2017 patch had not been applied.
- Disable macros in Microsoft Word, Excel, PowerPoint and the rest of the Office suite, or at least block macros in documents that came from the internet.
- Remove plugins such as Flash and Adobe Reader from the browser.
- Clear outdated plugins from the browser.
- Use an ad blocker to cut off the malvertising route into your PC.
(ii) Change your online behavior
- Always use a reputable antivirus, keep it fully updated and do not let its licence lapse.
- Use traffic filtering solutions with proactive ransomware protection.
- Avoid opening emails and documents whose authenticity you are not sure of.
- Stay vigilant and accept that you are a potential ransomware target. Learn what a ransomware attack looks like, along with the other threats you face.
- Note that ransomware can also attack your smartphone, so be careful about the apps you install and the sites you visit.
What to Do If Already Infected: Can You Get Your Data Back Without Paying?
If you are already infected
If you have been hit by ransomware, the first thing to do is disconnect the infected computer from the internet, to cut off communication with the criminals' servers, and from the local network, so that the ransomware does not spread to shared drives and other machines. Do not wipe or reinstall the machine yet: the ransom note and a sample of the malware identify the strain, and that identification decides whether a free decryptor exists.
Share the information with the person in charge of system security for further action. If you are an individual, stay disconnected and contact a security expert. Companies should involve law enforcement (the FBI in the US) so that the incident is recorded and any available assistance can be obtained.
Some companies even prefer to negotiate with the attackers. On 10 June 2017, Nayana, a South Korean web hosting company, was hit by Erebus ransomware, which encrypted the data on its servers. Because of the sensitivity of clients' data, management chose to negotiate and brought the ransom down from about $4 million to about $1 million. It is a bitter choice, but it has to be on the table, especially when clients' data is involved. Bear in mind that paying is no guarantee: the attackers may never deliver a working key, and a victim who pays is marked as worth hitting again.
Can you get your data back without paying a ransom?
Whether you can get your data and systems back depends on how prepared and protected you were. The surest route is restoring from a backup that the malware could not reach; with proper backups the ransom never has to be considered. Without them, recovery is difficult, but free decryption tools are being released for strains whose encryption turned out to be flawed or whose keys were seized or leaked (the No More Ransom project collects many of them), and identifying the strain from the ransom note and file extension tells you whether one exists for yours. These tools are applied after the fact, so you do not need them in advance, but check for updates because new strains appear constantly. As the FBI has noted, this is a never-ending battle, so keep backups of your most important data.