What is ransomware?
Ransomware is a type of malware designed to extort money from its victims. Its first method of extortion is to block the victim's access to the data on their own systems; the second is to threaten to expose private or potentially embarrassing information. There are two predominant types of ransomware. Encryptors, as the name implies, encrypt the data on a system so that the content becomes useless without the decryption key. Screen lockers, on the other hand, simply block access to the system with a “lock” screen that asserts the system is encrypted, whether or not any encryption has actually taken place. In both cases the attacker extorts the victim by taking control of their digital assets, and both types are now often combined with exfiltration of data out of the organisation as an additional lever for extortion.
The dark web offers Ransomware-as-a-Service (RaaS) as a franchise model that allows people without programming or other technical skills to become active attackers and take part in the ransomware economy. One study describes this as the franchising of crime: it gives ordinary people and smaller players an easier way into the criminal market while reducing the risk of exposure for those at the top of the value chain. For instance, a dissatisfied employee might partner with a RaaS developer to infect their own organisation from the inside and then split the profit.
The most common delivery method is phishing spam: an attachment arrives by email masquerading as a file the victim should trust. Once the victim downloads and opens the attachment, the attacker can take over the victim's computer, particularly if the malware carries social engineering lures that trick the user into granting administrative access. Other, more aggressive forms of ransomware exploit security holes and scan for vulnerable systems, infecting computers without any deception at all: NotPetya, for example, spread through the EternalBlue SMB exploit and harvested credentials, and was initially seeded through a poisoned software update, so patching and network segmentation matter as much as user awareness.
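The attachment tricks described above (a trusted-looking file name wrapped around an executable) are easy to check for mechanically at the mail gateway. The following is an added example, not code from the original article: it parses a raw message with Python's standard library, pulls out every attachment, and flags an executable or script extension, a double extension such as `invoice.pdf.exe`, and content whose magic bytes do not match the type the file name claims. The sample message, the extension list and the magic-byte table are constructed for the example and are the editor's assumptions, not a vendor's detection rules.

```python
"""Triage e-mail attachments for the phishing delivery pattern of ransomware.

Added example (not from the original article). It parses a raw message with
the standard library, extracts each attachment, and flags the tricks a
ransomware dropper relies on. The sample message, the extension list and the
magic-byte table are constructed for this example.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run, or hand to a script host, on double-click (assumed list).
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "hta", "ps1", "lnk", "docm", "xlsm", "pptm", "iso", "img",
}

# First bytes of the "safe" document types a lure usually claims to be.
MAGIC = {
    "pdf": b"%PDF",
    "docx": b"PK\x03\x04",
    "xlsx": b"PK\x03\x04",
    "zip": b"PK\x03\x04",
    "png": b"\x89PNG",
}


def triage_attachment(filename: str, payload: bytes) -> list:
    """Return the reasons this attachment looks like a dropper (empty if none)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension")
    if len(parts) >= 3 and parts[-2] in MAGIC:
        # "invoice.pdf.exe": Explorer hides the final extension by default.
        reasons.append("double extension")
    if ext in MAGIC and not payload.startswith(MAGIC[ext]):
        reasons.append("content does not match declared type")
    if payload.startswith(b"MZ") and ext not in EXECUTABLE_EXTENSIONS:
        # "MZ" opens every Windows PE executable, whatever the name says.
        reasons.append("PE executable disguised as document")
    return reasons


def triage_message(raw: bytes) -> dict:
    """Map each attachment file name in a raw RFC 5322 message to its reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        findings[name] = triage_attachment(name, part.get_payload(decode=True) or b"")
    return findings


def build_sample_message() -> bytes:
    """A constructed lure carrying three attachments (not a real phishing sample)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "alice@example.invalid"
    msg["Subject"] = "Overdue invoice - action required"
    msg.set_content("Please review the attached invoice and statement.")
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60          # stand-in for a PE header
    msg.add_attachment(pe_stub, maintype="application", subtype="pdf",
                       filename="invoice.pdf.exe")
    msg.add_attachment(pe_stub, maintype="application", subtype="pdf",
                       filename="report.pdf")
    msg.add_attachment(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample_message()).items():
        print(f"{name}: {', '.join(reasons) or 'ok'}")
```

The magic-byte check is the one that matters most: renaming is free for the attacker, but a PE file still has to start with `MZ` to run, so a gateway that looks at content rather than names catches the disguise regardless of what the lure is called.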
How has ransomware evolved?
Over the years it has become evident that cybercriminals do not discriminate: their end goal is to make money, so ‘everyone is a target’. Nevertheless, there are several reasons an attacker may single out a particular organisation.
The earliest ransomware arrived on a floppy disk. The first known instance was the AIDS Trojan of 1989, when malware was mailed to delegates of a World Health Organisation AIDS conference. Each delegate received a floppy disk containing malicious code that, once the system had booted for the 90th time since infection, encrypted the names of all files on the drive, hid all the directories and displayed a demand for payment. Because the Trojan's encryption was weak (a simple symmetric scheme whose key could be recovered from the malware itself), security researchers were able to release a free decryption tool.
From the mid-2000s ransomware continued to grow and evolve, and attackers began using stronger and more sophisticated encryption. Attacks were still aimed primarily at individual home users, with ransoms rarely above a few hundred dollars. These limits can be attributed to the logistical difficulty of collecting payment.
In 2012 ransomware was described as a temporary ‘trend’; this was one of the few early observations of the emerging threat. It would have seemed clear at the time that ransomware, as a form of crime, was unlikely to go far, simply because it was too difficult to collect payment from the victim. In hindsight the word ‘temporary’ seems ironic: the trend, as it turned out, was anything but, as the chart below illustrates…
In recent years ransomware has been recognised as one of the fastest growing cybercrimes, although the overall number of infections began to decline in 2018, according to Symantec. Current trends also show that businesses have become the primary targets, while private individuals are less likely to be hit.
Ransomware and Bitcoin
Bitcoin turned out to be exactly what the flailing ransomware crime model needed. It gave threat actors a safe, cheap, simple and reliable means of receiving payment from their targets. On top of the pseudonymity Bitcoin offers (addresses are not tied to a real-world identity, although every transaction is public and can be traced by chain analysis), the attackers can simply watch the public blockchain to see if and when a victim has paid. They can even generate a unique payment address for each victim and automate the release of the decryption key once the transaction has been confirmed. By 2013 the CryptoLocker strain, which collected its ransoms in Bitcoin, had earned around US$27 million in just two months.
Who, what and why
Opportunity: attackers may target educational institutions because of their limited resources and staffing. Schools and universities tend to have small security/IT teams and a diverse user base that shares files heavily, which makes it easier to get past their defences.
Success rate: some targets tempt attackers because they seem likely to pay a ransom quickly, such as government agencies or medical facilities that need immediate access to their files. Other organisations, such as law firms holding sensitive data, may also be willing to pay in order to keep news of a compromise quiet.
The No More Ransom Project and government agencies advise against paying the ransom, since every payment feeds the ransomware cycle. Paying also does not end the problem: around half of the victims who pay go on to suffer repeat ransomware attacks.
The economics of ransomware
There is a rich and sophisticated ecosystem around ransomware, and each part of it is incentivised by ransomware's continuing success. The value chain includes exploit developers; payload developers who package the software that delivers the exploit to the user; command-and-control providers who control the compromised endpoints; malware developers who write the ransomware itself; Bitcoin launderers who obscure the trail back to the ransomware actor; insurers who insure against ransomware; technology companies selling defensive products; and, unfortunately, insiders who are paid to deliver ransomware into an organisation. With such a value chain it is easy to see why the problem keeps growing.
How to prevent ransomware attacks
- Defend your email, devices and web browsing against ransomware
- Monitor your servers and network, and back up key systems (keep the backups offline or otherwise out of reach of an attacker holding domain credentials, or they will be encrypted along with everything else)
- Educate staff and raise awareness of cybersecurity and cybercrime
- Have a reliable breach detection service in place. Ransomware gangs are often active on a network for weeks before they encrypt anything, looking for embarrassing data or working out the right level of ransom. Detecting attackers early greatly reduces the impact.
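Once the intruders do pull the trigger, the encryptor itself has a recognisable signature on the file system: one process rewriting many files as high-entropy data in a short burst. The following is an added example, not code from the original article or any product it mentions; it replays a constructed list of file-write events and raises an alert when a single process writes twenty or more near-random files inside a one-minute window. The event format, the thresholds and the sample processes are the editor's assumptions; in practice the events would come from EDR, Sysmon or auditd telemetry.

```python
"""Flag processes whose file-write pattern looks like bulk encryption.

Added example (not from the original article). Replays constructed
file-write events and alerts on any process that writes MIN_FILES or more
high-entropy files within WINDOW_SECONDS. Thresholds and event format are
assumptions; real deployments would feed this from endpoint telemetry.
"""
import math
import random
from collections import defaultdict

WINDOW_SECONDS = 60        # look for bursts inside a one-minute window
MIN_FILES = 20             # this many high-entropy writes in the window trips an alert
ENTROPY_THRESHOLD = 7.0    # bits per byte; ciphertext and compressed data sit near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def detect_bulk_encryption(events):
    """events: iterable of (timestamp_seconds, process, path, bytes_written).

    Returns one (process, timestamp, count) alert per process that wrote
    MIN_FILES or more high-entropy files within WINDOW_SECONDS, recorded at
    the moment the threshold was first crossed. Ordinary documents fall well
    below the entropy threshold and never count.
    """
    high_entropy_writes = defaultdict(list)
    for ts, proc, path, data in events:
        if shannon_entropy(data) >= ENTROPY_THRESHOLD:
            high_entropy_writes[proc].append(ts)

    alerts = []
    for proc, stamps in sorted(high_entropy_writes.items()):
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window forward so it spans at most WINDOW_SECONDS.
            while ts - stamps[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= MIN_FILES:
                alerts.append((proc, ts, end - start + 1))
                break
    return alerts


def sample_events():
    """Constructed telemetry for the example: not real logs."""
    rng = random.Random(7)

    def ciphertext():
        # Deterministic pseudo-random bytes stand in for encrypted file content.
        return bytes(rng.getrandbits(8) for _ in range(4096))

    events = []
    # A user editing documents: low-entropy text, few files.
    for i in range(3):
        events.append((10 * i, "winword.exe",
                       f"C:\\Users\\alice\\Documents\\draft{i}.docx",
                       b"Quarterly results and commentary. " * 120))
    # A backup agent writing compressed archives one every two minutes:
    # high entropy, but never 20 files inside a 60-second window.
    for i in range(25):
        events.append((120 * i, "backup-agent.exe",
                       f"D:\\backup\\chunk{i}.bin", ciphertext()))
    # The encryptor: rewrites 25 documents as ciphertext in 25 seconds.
    for i in range(25):
        events.append((300 + i, "invoice.pdf.exe",
                       f"C:\\Users\\alice\\Documents\\file{i}.docx.locked",
                       ciphertext()))
    return events


if __name__ == "__main__":
    for proc, ts, count in detect_bulk_encryption(sample_events()):
        print(f"ALERT t={ts}s: {proc} wrote {count} high-entropy files "
              f"in {WINDOW_SECONDS}s")
```

The rate component is what keeps this usable: archivers, database engines and backup agents also produce high-entropy output, so entropy alone is a noisy signal, whereas twenty encrypted user documents in a minute from a process nobody installed is worth waking someone up for. Pair it with the canary-file and mass-rename checks most EDR products ship, and make sure the alert path reaches a human who can isolate the host.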