Ransomware

The WannaCry outbreak of 12 May 2017 was one of the largest cyber attacks in Internet history (yes, wider in reach than the Dyn DDoS), affecting more than 200,000 systems in around 150 countries.

What is Ransom?
Ransom is the practice of holding a prisoner or item to extort money or property to secure their release, or it may refer to the sum of money involved.

In an early German law, a similar concept was called weregild.

When ransom means "payment", the word comes via Old French

What is Ransomware?

Ransomware Trojans are a class of malware designed to extort money from a victim. Typically the ransomware demands a payment in order to undo changes the Trojan has made to the victim's computer. These changes can include:
  • Encrypting data stored on the victim's disk, so the victim can no longer access the information
  • Blocking normal access to the victim's system

In both cases access to the data is blocked until a ransom is paid, and a message is displayed requesting payment to unlock it. Simple "locker" ransomware blocks the screen or the system in a way that a knowledgeable person can often reverse, because the data itself is untouched. Crypto-ransomware instead encrypts the victim's files, making them inaccessible without the key, and demands a ransom payment to decrypt them; if the cryptography is implemented correctly there is no way back to the files other than a backup or the attacker's key.

Operation

The concept of file encrypting ransomware was invented and implemented by Young and Yung at Columbia University and was presented at the 1996 IEEE Security & Privacy conference. It is called cryptoviral extortion and is the following 3-round protocol carried out between the attacker and the victim.

  1. [attacker→victim] The attacker generates a key pair and places the corresponding public key in the malware. The malware is released.
  2. [victim→attacker] To carry out the cryptoviral extortion attack, the malware generates a random symmetric key and encrypts the victim's data with it. It uses the public key in the malware to encrypt the symmetric key. This is known as hybrid encryption and it results in a small asymmetric ciphertext as well as the symmetric ciphertext of the victim's data. It zeroizes the symmetric key and the original plaintext data to prevent recovery. It puts up a message to the user that includes the asymmetric ciphertext and how to pay the ransom. The victim sends the asymmetric ciphertext and e-money to the attacker.
  3. [attacker→victim] The attacker receives the payment, deciphers the asymmetric ciphertext with the attacker's private key, and sends the symmetric key to the victim. The victim deciphers the encrypted data with the needed symmetric key thereby completing the cryptovirology attack.
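
The three rounds above, played end to end in Go, as an added example that is not part of the original page and not Young and Yung's code. It uses the standard library's RSA-OAEP for the asymmetric step and AES-256-GCM for the symmetric step; the function names, the Ransomed struct and the sample document are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Ransomed is all that remains on the victim after round 2: the RSA-wrapped key
// (the "asymmetric ciphertext" quoted in the ransom note), nonce and ciphertext.
type Ransomed struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// Round 1 [attacker]: only PublicKey is embedded in the malware.
func attackerKeygen() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// zeroize overwrites a buffer in place (best effort: Go may hold other copies).
func zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// newAEAD builds AES-256-GCM (12-byte nonce) over a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Round 2 [victim]: hybrid encryption. A fresh random key encrypts the data, RSA-OAEP
// wraps that key under the public key, then key and plaintext are zeroized in place.
func victimEncrypt(pub *rsa.PublicKey, plaintext []byte) (*Ransomed, error) {
	buf := make([]byte, 32+12) // 32-byte AES key followed by a 12-byte GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	zeroize(key)       // no copy of the symmetric key is left on the victim
	zeroize(plaintext) // the original data is gone; only the ciphertext remains
	return &Ransomed{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Round 3 [attacker]: after payment, unwrap the key; only the 256-byte ciphertext is needed.
func attackerUnwrap(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// Round 3 [victim]: decrypt with the returned key; GCM rejects a wrong key with an error.
func victimDecrypt(key []byte, r *Ransomed) ([]byte, error) {
	gcm, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, nil)
}

// runExtortion plays all three rounds; wiped is the victim's buffer after round 2.
func runExtortion(data []byte) (recovered, wiped []byte, err error) {
	priv, err := attackerKeygen()
	if err != nil {
		return nil, nil, err
	}
	wiped = append([]byte(nil), data...)
	r, err := victimEncrypt(&priv.PublicKey, wiped)
	if err != nil {
		return nil, nil, err
	}
	key, err := attackerUnwrap(priv, r.WrappedKey) // only after payment
	if err != nil {
		return nil, nil, err
	}
	recovered, err = victimDecrypt(key, r)
	return recovered, wiped, err
}

func main() {
	recovered, wiped, err := runExtortion([]byte("Q3 report: revenue 1.2M")) // constructed sample
	fmt.Printf("wiped=%x recovered=%q err=%v\n", wiped, recovered, err)
}
```

The point to notice is the state after victimEncrypt returns: the only copy of the symmetric key anywhere is the RSA ciphertext in the ransom note, which only the attacker's private key can open, and the plaintext buffer is zeros. A wrong key fails GCM authentication rather than producing garbage, which is why a "decryption tool" is only possible when the malware author got this construction wrong.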

How Ransomware gets onto a computer

The most common ways in which Ransomware Trojans are installed are:

  • Via phishing emails
  • As a result of visiting a website that contains a malicious program

Once installed, the Trojan either encrypts information stored on the victim's computer or blocks the computer from running normally, and leaves a ransom message demanding a fee to decrypt the files or restore the system. Crypto-ransomware usually shows its note only after encryption has finished, so that the victim cannot interrupt it; locker ransomware commonly takes effect at the next restart, which is when the victim first sees the message.

Ransomware methods – around the world

Ransomware is increasing in popularity across the world. However, the ransom messages and the methods used to extort money differ between regions. For example:

  • Fake messages about unlicensed applications
In some countries, the Trojans often claim to have identified unlicensed software that is running on the victim's computer. The message then asks for payment.
  • False claims about illegal content
In nations where software piracy is less common, this approach is not as successful for the cybercriminal. Instead, the Ransomware popup message may pretend to be from a law enforcement agency and will claim to have found child pornography or other illegal content on the computer. The message will be accompanied by a demand to pay a fine.

What is Wanna Decryptor?

Wanna Decryptor, also known as WannaCry or WCry, is a specific ransomware program that encrypts the files on a computer system and leaves the user with little more than a ransom note explaining what to do next and the Wanna Decryptor program itself.

When the program is opened it tells the user that their files have been encrypted and gives them a few days to pay, warning that the files will otherwise be lost for good. It demanded US$300 in Bitcoin (doubling after three days, with the files declared unrecoverable after seven), gave instructions on how to buy Bitcoin, and provided a Bitcoin address to send it to.

Security companies publish decryption tools only for ransomware whose implementation is flawed; they cannot "bypass" correctly implemented hybrid encryption. For WannaCry, recovery without paying was possible only in narrow cases, such as extracting the RSA key material from the memory of an infected machine that had not been rebooted since infection.

It was used in a major cyber attack that affected organisations across the world, including the NHS in the UK and Telefónica in Spain. Unlike most ransomware, WannaCry did not rely on phishing alone: it spread as a worm by exploiting an SMBv1 vulnerability in unpatched Windows systems (fixed by Microsoft in MS17-010 two months earlier), and its spread was slowed when a researcher registered the hard-coded "kill switch" domain the malware checked before running.

How to protect yourself against ransomware attacks

  • The best protection against ransomware is to keep backups of all files on a completely separate system, offline or otherwise unreachable from the infected network, and to test that they restore: a backup mounted as a network share gets encrypted along with everything else. With good backups an attack costs you time, not your data.
  • It is difficult to stop a determined attacker from launching a ransomware attack, but exercising caution helps. In most campaigns the attacker still needs the malicious software to be downloaded and run on a computer, phone or other connected device.
  • The most common ways the malware is installed are through compromised emails and websites.
  • For example, an attacker could send an employee a phishing email that looks like it comes from their boss, asking them to open a link. The link actually leads to a malicious website that surreptitiously downloads the malware onto their computer.
  • Downloading a bad program or app, or visiting a website that is displaying malicious adverts, can also result in an infected device.
  • Apply security updates promptly and disable legacy services you do not need (SMBv1 in WannaCry's case): WannaCry reached unpatched machines across a network with no user action at all, so caution with email alone would not have stopped it.
  • Be suspicious of unsolicited emails and type out web addresses yourself rather than clicking on links. Antivirus software is another key defence: it can scan files before they are downloaded, block silent installations and look for malware already present on a computer.
  • Security companies have also developed endpoint defences that watch for ransomware behaviour on a host (such as rapid encryption of many files) and isolate or stop the process when they detect it.
