What is Ransomware?
Ransomware is a security threat that has the potential to impact more and more people across the board.
Not only do individuals need to take measures to protect themselves from cyber threats like ransomware, but organizations also need to step up and put in place shields to defend themselves.
What Does Ransomware Mean?
As you might have guessed, the "ransom" in ransomware refers to the demand for a sum of money in exchange for releasing the system from any harm that the ransomware might entail.
Ransomware is a subset of malware that stands out in that its actual purpose is served only after it has infiltrated a system, limited access to the files and data present on it, and notified the owner or users of the system.
What is Ransomware in Cyber Security?
In the context of cyber security, ransomware can be explained as a type of malicious software, harmful/destructive code or malware, that limits or completely prevents you from accessing your files, systems, or networks and asks you to pay a ransom for their return.
Figure 1 Ransomware Attack
Ransomware attacks can be the cause of incredible disruptions and the loss of vital business and personal information and data.
An untrained eye can unknowingly download ransomware onto a system by opening something as trivial as an email attachment, clicking a display ad on a shady website, following a link, or even visiting malicious sites that are potentially embedded with malware.
As soon as the ransomware code is loaded onto a computer system, it will block access to the computer system itself or to the files stored there. More menacing variants can encrypt files on local drives, on drives attached to the system, and even on other computers joined by the network.
Most of the time, users and even businesses won't know that their systems have been infected. The infection is often discovered only later, when you can no longer access your information or you see on-screen messages demanding that you pay a ransom.
It is interesting to learn about the history of ransomware and how it has evolved and become more of a danger as it continues to evolve.
In 1989, one of the first known and most infamous malware extortion attacks took place: the "AIDS Trojan", written by Joseph Popp. The AIDS Trojan had a design failure so critical that it was not even necessary to pay the ransom to the extortionist.
The ransomware's payload hid the files present on the hard drive of the system and encrypted only the file names. Users were asked to pay $189 to "PC Cyborg Corporation" if they wanted to get a repair tool. However, in a testament to its lack of complexity and design thought, the decryption key could easily be extracted from the Trojan's code.
In 1992, David Naccache and Sebastiaan von Solms came up with the idea of abusing anonymous cash systems to comfortably and safely collect ransom from human kidnapping.
The idea of utilizing public key cryptography for data kidnapping attacks was put forward by Adam L. Young and Moti Yung in 1996. Young and Yung highlighted that the failed AIDS Information Trojan relied on symmetric cryptography in its entirety, the fatal flaw being that the decryption key could be extracted from the Trojan itself.
In May 2005, extortionate ransomware rose to prominence. In June 2008, a variant of the older ransomware known as Gpcode.AK was first detected. Gpcode.AK employed a 1024-bit RSA key, which was believed to be large enough to be computationally infeasible to break without a focused distributed effort.
Back in 2011, a ransomware Trojan came into the spotlight that imitated the Windows Product Activation notice, and let users know that their system's Windows installation needed to be re-activated due to "[being a] victim of fraud".
Encrypting ransomware returned to prominence at the end of 2013 with the propagation of CryptoLocker, which used the Bitcoin digital currency platform to collect ransom money.
What Are the Types of Ransomware?
Ransomware is currently categorized in two main types.
1. Crypto-ransomware
Crypto-ransomware, or a cryptor, is the most commonly used and widespread type of ransomware.
Cryptor programs encrypt data files on the victim's device and demand money or a ransom in exchange for a promise to restore access to the system and the data. The system UI may still be usable, but files will be inaccessible.
2. Locker ransomware
Ransomware lockers, also known as lock screen ransomware or blockers, don't affect the data files present on the computer system or device. Instead, blockers prevent the victim from accessing the device as a whole.
The victim is notified of the ransom demand on their screen, often through a message that impersonates a real notice from law enforcement.
Apart from the two main types of ransomware, other types will definitely enter the market. One example variant that is being popularized by hackers is the master boot record (MBR) ransomware.
MBR ransomware alters the master boot record present on the hard drive, disrupting the normal boot process by displaying a ransom demand on the boot-up screen.
What Does Ransomware Do?
Ransomware serves the primary function of securing a ransom on behalf of its owners from intended victims.
In most cases, a system is infected (one of the most common reasons being that the user is untrained or unaware), the information on it is encrypted, and the user is barred from entering the system.
The user is naturally puzzled and wants to gain access to their system and data. When they see a message or a notification that they can get access after paying a ransom, a number of people might actually consider doing so.
The orchestrator of the ransomware is the ultimate beneficiary: they not only hold the data and information, but also become someone who can make their victims behave a certain way. If the attack is carried out successfully, the owner of the ransomware gets to keep the proceeds all for themselves.
How Does Ransomware Work?
Ransomware works by entering the victim's network in a couple of different ways.
The most popular way for ransomware code to infect a system is to be downloaded as an email attachment. The download then launches automatically and the ransomware code attacks your computer system. Other vectors of entry include malicious software loaded from removable USB drives and fake adverts that mask the ransomware and deliver it when clicked.
The malware can also be dispersed through social engineering by spreading to different users.
Usually, the ransomware is hidden in an executable file that may be packed in a zip archive, embedded within different kinds of macros, or disguised as other seemingly legitimate attachments.
The downloaded file proceeds to encrypt the victim's data, adds a very uncommon extension to the victim's files and makes them inaccessible to the victim. More complex and sophisticated versions of the software can spread themselves and can execute without any human action.
What is the Purpose of Ransomware?
Unlike other kinds or types of malware, the primary goal of ransomware code is not to corrupt or damage files present on a computer system or destroy them. The real purpose or motive is to get financial gain from the victims in a fraudulent manner.
Ransomware attacks typically encrypt a user's important data and information, lock the user out of their computers or prevent access to files, and demand a ransom for doing away with the restriction. In recent years ransomware attacks have targeted government institutions, healthcare providers, and other enterprises and small businesses, which has led to a loss of incredibly significant capital.
Though the attackers may request a ransom and will probably grant back your access, it is not out of the question that your data has been stolen. Since the hackers can access your data during the ransomware attack, there's a high probability that the majority of your vital data may be out in public view or in the hands of your competitors.
Chances that ransomware criminals will sell their victims' data are high. As they can access the entirety of your information, this means that they'd most definitely sell it off if they have a higher offer or are prompted to act in haste.
How is Ransomware Detected?
Detecting ransomware early on is essential if you want to make sure that your devices and networks are safe from any ill intent.
The first thing that you should do is to have anti-ransomware software. If you are particularly concerned about an impending ransomware attack, then you should consider purchasing a specialist solution instead of a generic antivirus or anti-malware product.
These software solutions are designed to block ransomware scripts from executing.
You will also notice a lot of early signs and warnings that something might be wrong or that your system might be compromised by a ransomware attack.
Here are some signs that you should notice if you want to detect ransomware before being locked out of your system or having all of your files encrypted:
- Unusual file system activity, like a significant number of failed file modifications. This happens when the ransomware code is attempting to gain access to those files.
- Increased CPU and disk activity for no solid reason. This increase in system resource utilization can be attributed to suspected ransomware searching, encrypting and hiding data files.
- Inability to access certain files. This happens when ransomware has started to modify or encrypt your system files. Take note of the extensions of the files that can't be opened and start to do some research online.
- Suspicious network communications that may happen as a result of the communication between the ransomware on your system and the attacker's control server.
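The first and third signs above, expressed as detection logic over a file-event log. This is an added example, not part of the original article; the event tuple format, thresholds, extension list and process names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Extensions treated as ordinary; anything else counts as "uncommon" (assumed list).
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "jpg", "png", "zip"}

# Constructed sample events, not captured from a real incident:
# (timestamp in seconds, process name, operation, path, succeeded).
# For a rename, the path is the new file name.
SAMPLE_EVENTS = (
    [(0, "winword.exe", "write", "C:/Users/a/report.docx", True),
     (3, "backup.exe", "read", "C:/Users/a/report.docx", True)]
    + [(10 + i, "updater.exe", "write", f"C:/Users/a/doc{i}.docx", False)
       for i in range(6)]
    + [(16 + i, "updater.exe", "rename", f"C:/Users/a/doc{i}.docx.x7q2", True)
       for i in range(12)]
    + [(40, "explorer.exe", "rename", "C:/Users/a/notes.txt", True)]
)


def extension(path):
    """Return the lower-cased final extension of a path, or '' if none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events, window=30, max_failed=5, max_odd_renames=10):
    """Flag processes whose file activity within any `window` seconds shows
    many failed modifications or many renames to an uncommon extension.
    Returns {process: sorted list of reasons}."""
    recent = defaultdict(deque)      # per-process sliding window of events
    alerts = defaultdict(set)
    for ts, proc, op, path, ok in sorted(events, key=lambda e: e[0]):
        q = recent[proc]
        q.append((ts, op, path, ok))
        while q[0][0] < ts - window:     # drop events older than the window
            q.popleft()
        failed = sum(1 for _, o, _, k in q
                     if o in ("write", "rename") and not k)
        odd = sum(1 for _, o, p, k in q
                  if o == "rename" and k
                  and extension(p) not in KNOWN_EXTENSIONS)
        if failed >= max_failed:
            alerts[proc].add("failed_modifications")
        if odd >= max_odd_renames:
            alerts[proc].add("uncommon_extension_renames")
    return {proc: sorted(reasons) for proc, reasons in alerts.items()}


if __name__ == "__main__":
    for proc, reasons in detect(SAMPLE_EVENTS).items():
        print(proc, reasons)
```

The per-process sliding window is what separates a burst of activity from the same number of events spread over hours, so the thresholds should be tuned against normal activity on the host being monitored.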
What is Ransomware Shield?
Ransomware Shield is an anti-ransomware feature that is available for Avast Antivirus. It secures the user's personal photos, documents, and other files from being modified, deleted, or encrypted by hackers during a ransomware attack.
This feature scans for and secures folders on its own that may contain personal data and lets you choose which other folders you want to protect in particular from untrusted applications. In addition, you can specify which apps are allowed to change the files in your folders and which apps are always blocked.
Other cyber security solutions providers have their own version of the ransomware shield.
What is a Ransomware Attack?
Ransomware attacks usually follow the same pattern.
First the system is infected with ransomware. It moves on to encrypting the victim's files or even locking them out of the system as a whole. Once done, a notification message is displayed that alerts the victim that they need to pay a ransom to recover their device or data.
But as new ransomware is being developed by malicious actors, we can expect there to be a shift in the way ransomware attacks take place.
What is Ransomware Protection?
Knowing how individuals and businesses can protect themselves from ransomware attacks has become a necessity these days.
Here are some things that users should do to protect themselves from ransomware attacks and to mitigate any harm that might come onto them:
- Avoid clicking on links in spam-like messages or on unknown, shady websites (they most likely won't have HTTPS).
- If you receive a phone call, SMS, or concerning email from an untrusted and unheard of source requesting personal information, don't reply. Legitimate authorities will approach you through proper channels and make sure to provide you with the relevant documents.
- Avoid opening any untrustworthy attachments. To ensure the email is legitimate, pay close attention to the sender and check that their address is correct. Never open or click on attachments that prompt you to run macros to access them.
- Never connect unknown USB sticks or other media storage devices to your system if you do not know who they belong to and where they came from.
- Reliable security software should be installed on your computer. The software is able to prevent infected files from accessing your system when you download or stream something online, thus providing almost instant and real-time protection.
- If you don't want to protect your information on your own or manually, you can use backup software.
What is Ransomware Protection in Windows 10?
Although it's not a popular Windows product, Microsoft Windows 10 users can make full use of the built-in ransomware protection.
Enabling it is easy to do. Type "Ransomware Protection" in the search bar on Windows 10 that's usually at the bottom left of your screen. Choose the "Ransomware Protection" option.
Figure 2. Ransomware protection on Windows 10
Choose "Controlled folder access." Then you get the option to pick and choose which folders you want to protect from ransomware in particular.
Figure 3. Adding a protected folder in Ransomware Protection on Windows 10
Select "Protected folders." The Protected Folders screen should list the folders that are protected, and hence safe, by default. You're also given the choice to add other protected folders. If you have particularly sensitive data then you might want to add those folders here.
Additionally, you can add folders from Microsoft OneDrive, if you have a valid subscription.
What is Ransomware Protection in Linux?
Ransomware protection as discussed earlier includes putting in barriers between your system and ransomware via anti-ransomware software, optimized system control and updated software.
Like Windows, Linux systems are not immune to ransomware and steps should always be taken to ensure safety and protection.
Here are some steps that you can take to ensure that your Linux system is safe from ransomware:
- Regularly update software.
- Do away with single points of failure by backing up critical data and diversifying the storage media.
- Control user access and put in place a Zero Trust security strategy.
- Set up Linux security extensions to control and limit access to data and resources.
- Use network segmentation to minimize the implications of a ransomware attack.
Start by implementing these steps on your Linux device but keep exploring further protection tools and techniques to safeguard your system.
What is the Best Defense Against Ransomware?
A proactive defense is going to be your best bet against ransomware attacks. Here are two strategies that you can employ to build up your security against ransomware:
Reduce vectors of attack for the ransomware
Your first priority should be to reduce your system's or, if you're a business owner, your business's potential attack surface, which consists of the assets and inlets exposed externally that a bad actor can reach and potentially exploit.
The broader your attack surface is, the more opportunities you give attackers to exploit it. It is in your organization's best interest to reduce your attack surface as much as you can.
Conduct periodic software updates during off-peak hours, stick to the scheduled updates from software vendors, and avoid postponing patching. These updates help reduce known software vulnerabilities and can stop ransomware variants that use existing known weaknesses to get a foothold against you.
Prioritize protecting your most valuable data first
While it's certain that any sort of data loss is a loss for the business, you cannot be oblivious to the impact that the loss of high priority information can have on your business.
Backups are essential but in a modern cyber security context when you're building defences against ransomware attacks, you must also take data breaches into account and plan out how you're going to deal with them.
Encryption of data at rest helps solve this problem. With strong data encryption applied to sensitive data, any data that is stolen during an attack is unrecognizable and useless.
Keep in mind that data encryption does not prevent the ransomware code from encrypting your data again. Likewise, be mindful to keep decryption keys inaccessible to the masterminds of the ransomware attacks and ensure that decrypted copies of highly sensitive data are not stored in caches or system RAM.
What to do if Your Computer is Infected with Ransomware
Not knowing what to do if your computer is infected with ransomware will put you at a severe disadvantage. Here is what you should do to get started:
- Disconnect your system from any other devices, and from any external storage drives. If you're currently on a network, go offline.
- Use a professional anti-ransomware or anti-malware software to clean the ransomware from the machine, but only attempt this if you have decided not to pay the ransom.
Keep in mind that removing ransomware code from your system will not decrypt your files, and it may significantly reduce your chances of getting the files back by paying the ransom.
- Check and find out if you can recover deleted files.
- Identify what kind of encrypting ransomware you're face to face with.
- Find the right decryption tools for your infected system.
- Choose to restore your files from a prior backup.
- If you're going to pay the ransom and your attempts to recover your files on your own have failed, negotiate first as you might be able to get a better deal.
What is the Difference Between Malware and Ransomware?
Malware attacks generally look like computer viruses or worms. Modern malware can be categorized into different combinations of a single or multiple viruses and worms.
This not only adds complexity to the malicious attack but gives malware the capability to stay incognito and propagate itself through different files on a host system. If the malware code is able to spread to another computer system then it's even better.
Malware is in a lot of cases tailor-made for particular platforms like Windows, other OS, cloud service providers, or even a certain mobile app. This specificity allows malware to attack intrinsic security loopholes that may not have been exploited otherwise.
Malware may simply cause inconvenience or low to moderate amounts of harm, such as deleting files on the system or changing the system configuration. More complex and expertly designed malware may cause greater harm in the way of reformatting a hard disk or corrupting files on the computer.
Depending on the design of the malware and its vector of attack, it may choose to hide itself within a system and establish communications with a control system over the network so it can orchestrate or be part of a DDoS attack.
Additionally, malware may try to capture personal and financial information from its victims, and then pass this information to its main control system.
Ransomware is different from malware primarily in the way it works after conducting a successful attack on its intended victims.
Ransomware starts to take action and show its real menace when it notifies the infected system's user that the system has been compromised.
Once the ransomware has altered system files (usually by means of encryption), notifications are sent out that threaten the victim or demand a sum or ransom to make things go back to normal.
Both ransomware and other forms of malware cause harm to their victims; the main difference is the thinking behind their design and the results they are able to produce for their owners.