Ransomware, kidnapping your information, from files to photos
When someone is abducted or kidnapped against his will and held captive unlawfully, it is typically to obtain a ransom or as part of an extortion scheme. Ransom or money is extorted using force or threats. Such crimes have evolved over the years and are now prevalent in the cyber world, where they are known as ‘ransomware’.
Ransomware is a piece of malware that denies access to a victim’s computer or device, or encrypts the most important files on it, and holds them hostage until a payment is made to the cyber-criminal. It essentially kidnaps the information, viz. data files, photos and videos, and extorts money from vulnerable, technology-dependent, innocent users and organisations.
The high value of information, and our dependency on it, have motivated cyber-criminals to exploit it for their own economic benefit. Ransomware is a product through which cyber-criminals seek to create a reliable source of direct income from victims worldwide. Some ransomware creators portray themselves as service providers, offering technical support and discounts to their “customers”, i.e., the “victims.” The low-risk, high-reward incentive of ransomware has opened the floodgates for criminal pioneers to develop financially motivated heists.
The problem of ransomware is on the increase in several countries. An infection typically begins when the victim clicks on an infected advertisement, e-mail or attachment, or visits an infected website. It is widely believed that ransomware targets affluent or populous countries, or the members of the G20, which represents industrialised and developing economies that make up over 80 per cent of the world’s gross domestic product (GDP). However, in recent times, ransomware attacks have also been reported by individual users and organisations in Sri Lanka, some of whom were willing to pay a ransom to restore access to their computers and data. This indicates that the cyber-criminals behind ransomware attacks do not care who their victims are, as long as they are willing to pay the ransom.
‘Locker’ and ‘Crypto’
There are two types of ransomware, namely “Locker” and “Crypto”. “Locker” ransomware is a computer locker which denies access to the computer or device. The locked computer or device will often be left with limited capabilities, allowing the user to interact only with the ransomware and pay the ransom. This means access to the mouse might be disabled and the keyboard limited to the numeric keys, so that the victim can only type the numbers of the payment code. “Locker” ransomware can be particularly effective on devices that give users limited options for interaction, such as wearables. This is a potential problem area considering the exponential boom in wearable devices and the Internet of Things (IoT), where millions of connected devices could potentially be at risk from this type of ransomware.
“Crypto” ransomware is a data locker which prevents access to files or data. It is designed to find and encrypt valuable data stored on the computer or device, making the data useless unless the user obtains the decryption key. As their lives become increasingly digital, users are storing more important data on their personal computers and devices than ever before. Many users are not aware of the importance of backups to guard against hard disk failures or the loss or theft of the computer, let alone a possible crypto ransomware attack. This is primarily because they lack the know-how, or because they do not realise the value of the data until it is lost. Setting up an effective backup process requires some work and discipline, so it is not an attractive proposition for the average user.
“Crypto” ransomware targets these weaknesses in the user’s security posture for extortion purposes. The creators of “Crypto” ransomware know that data stored on personal computers and devices is likely to be important to users. For example, the data could include memories of loved ones, a project report, a financial report or a business plan. Once installed, “Crypto” ransomware stays undetected until it has found and encrypted all of the files that could be of value to the user. The malware does not target critical system files or deny access to the computer’s functionality, so the computer continues to work normally. When the user attempts to access the data, a message from the malware informs them that their data has been encrypted. Ransomware victims become desperate to get their data back, preferring to pay the ransom to restore access rather than lose it forever and suffer the consequences.
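The behaviour described above, in which ordinary documents are rewritten as ciphertext while the system keeps running, is also what gives a defender a chance to notice it: encrypted output is statistically close to random, and it arrives as a burst of writes across many user files. The following is an added example, not code from the article or its author, of a simple entropy-based heuristic over file-write telemetry. The event format, the sample events and the thresholds (entropy of 7.5 bits per byte, ten suspicious writes within 60 seconds) are constructed for illustration and would need tuning against real telemetry.

```python
"""Heuristic detector for a crypto-ransomware encryption burst.

Constructed example: file-write telemetry is modelled as a list of
(timestamp, path, content) events. A write is 'suspicious' when its payload
looks random (high Shannon entropy) and the file is not a format that is
compressed or encrypted by design. Many suspicious writes inside a short
window is the signature of a bulk-encryption run.
"""
import math
import os
from collections import Counter
from dataclasses import dataclass

# Formats that legitimately look random; excluded so they do not trip the detector.
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; plain text is roughly 4-5, ciphertext about 8.0
WINDOW_SECONDS = 60       # sliding window in which suspicious writes are counted
BURST_THRESHOLD = 10      # suspicious writes within one window that raise an alert


@dataclass(frozen=True)
class WriteEvent:
    timestamp: float   # seconds since epoch (constructed)
    path: str
    content: bytes


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_suspicious_write(event: WriteEvent) -> bool:
    """True when the payload is near-random and the file type is not compressed by design."""
    ext = os.path.splitext(event.path)[1].lower()
    if ext in COMPRESSED_EXTENSIONS:
        return False
    return shannon_entropy(event.content) >= ENTROPY_THRESHOLD


def peak_suspicious_writes(events) -> int:
    """Largest number of suspicious writes that fall inside any WINDOW_SECONDS span."""
    times = sorted(e.timestamp for e in events if is_suspicious_write(e))
    peak, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > WINDOW_SECONDS:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def looks_like_encryption_burst(events) -> bool:
    """Alert when the peak count of suspicious writes reaches BURST_THRESHOLD."""
    return peak_suspicious_writes(events) >= BURST_THRESHOLD


def _random_looking(n: int = 4096, step: int = 73) -> bytes:
    # Deterministic stand-in for ciphertext: step is odd, so i*step mod 256 cycles
    # through every byte value equally often, giving exactly 8.0 bits of entropy.
    return bytes((i * step + 11) % 256 for i in range(n))


PLAIN_TEXT = b"Quarterly financial report: revenue up 4 per cent, costs flat. " * 40

# Constructed benign activity: a user saving documents and one photo.
BENIGN_EVENTS = [
    WriteEvent(10.0, "documents/report.docx", PLAIN_TEXT),
    WriteEvent(25.0, "documents/plan.xlsx", PLAIN_TEXT),
    WriteEvent(40.0, "notes/todo.txt", PLAIN_TEXT),
    WriteEvent(55.0, "photos/holiday.jpg", _random_looking()),  # compressed format, ignored
]

# Constructed attack activity: twelve documents rewritten as random-looking bytes
# with an appended extension, two seconds apart, after the benign writes.
SAMPLE_EVENTS = BENIGN_EVENTS + [
    WriteEvent(100.0 + 2 * i, f"documents/file{i}.docx.locked", _random_looking())
    for i in range(12)
]

if __name__ == "__main__":
    print("benign peak:", peak_suspicious_writes(BENIGN_EVENTS))
    print("attack peak:", peak_suspicious_writes(SAMPLE_EVENTS))
    print("alert:", looks_like_encryption_burst(SAMPLE_EVENTS))
```

The extension allow-list matters: archives, images and PDFs are already high-entropy, so without it a user unpacking a photo album would look like an attack. Conversely, a slow encryptor that paces its writes below the window threshold evades the count, which is why such a heuristic belongs alongside offline backups rather than in place of them.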
Both “Locker” and “Crypto” ransomware target the digital lifestyle of the user. They are designed to deny users access to something they want or need and offer to return what is rightfully theirs on payment of a ransom. It is not easy for victims to decide whether or not to pay the ransom demand to get their data back. With data now being essential to a user and an organisation, not paying the demands and losing data could have catastrophic effects. On the other hand, paying the ransom demand will only encourage more “Crypto” ransomware campaigns.
Ransomware cyber-criminals seem to possess some business acumen. They realise that they have to build a reputation for actually decrypting the files once the ransom is paid. In order to build trust, some “Crypto” ransomware schemes allow the victim to “try before you pay” by decrypting a few files for free. If the cyber-criminals cannot be trusted, it is bad for their business. However, there is still no way of being sure that, when a victim pays the ransom, the cyber-criminals will decrypt their files.
Cyber-criminals have started to use crypto-currencies such as Bitcoin and Litecoin for ransom payments, making it more difficult for law enforcement to track the laundering or spending of ill-gotten gains. Bitcoin holds additional advantages for cyber-criminals seeking out international victims: it is not a national currency, it is relatively easy to purchase from any of the existing online Bitcoin exchanges, and it is fast, publicly available and decentralised, giving the cyber-criminals a sense of heightened security and anonymity.
Prevention
Looking at the evolution of ransomware in recent years, it is clear that cyber-criminals will continue to refine their techniques and develop new families of malware. All of which puts the emphasis on defence: stopping the ransomware before it has a chance to deploy its payload. Here are some guidelines to protect your computer and devices from ransomware:
- Make sure you have updated antivirus software on your computer.
- Keep operating system and web browser patches up to date.
- Have strong passwords, and don’t use the same passwords for everything.
- Use a pop-up blocker.
- Only download software, especially free software, from sites you know and trust, as malware can also come bundled with downloadable games, file-sharing programs and customised toolbars.
- Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if you think it looks safe. Instead, close the e-mail and go to the organisation’s website directly.
- To prevent the loss of essential files to a ransomware infection, individuals and businesses should always take regular system back-ups and store the backed-up data offline, where the malware cannot reach it.
- Invest in user awareness education, as most attacks begin with phishing e-mails.
- Use the same precautions on your smartphone as you would on your computer when using the Internet.
As security vendors and law enforcement pay closer attention to their activities, the cyber-criminals behind ransomware will be forced to continually innovate and evolve the way they operate. Protecting your computer and personal devices from ransomware requires ongoing personal vigilance.
(The writer is a Governance, Risk and Compliance professional and Director at Layers-7 Seguro Consultoria (Pvt) Ltd. He is the founding member and Secretary of the (ISC)2 Chennai Chapter, Founder/President of Information Security Professional Associates (iSPA) and a board member of the (ISC)2 Colombo Chapter. He can be emailed at sujit@layers-7.com)