What is ransomware?
Ransomware has been getting a serious amount of attention for a long time now. You have probably come across an antivirus pop-up warning you about a ransomware infection, or heard about it at the office. All this attention is not baseless, since ransomware poses a legitimate threat to corporations, organizations and the everyday operations of any company. This article aims to give you a complete picture of ransomware, from the basics to the advanced topics. It is organized into parts, so feel free to jump to the sections that answer your question.
- Ransomware definition
Ransomware, also known as ransom malware, is a specific type of computer malware that encrypts a victim’s files or systems in order to prevent the victim from accessing them. The attacker then demands a payment, the ransom, from the victim in exchange for restoring access to the files or system. Usually, this type of malware locks users out of their data either by completely locking the computer’s screen or by restricting access to specific target files on their networks.
Victims of a ransomware attack are usually provided with a step-by-step guide on how to obtain a decryption key. In recent years, ransomware attackers have preferred payment in cryptocurrencies to eliminate the possibility of a trace. Ransom demands vary a great deal, from a few hundred dollars to millions of dollars. In 2017, the largest ransomware demand was made to a Korean web hosting company (Internet Nayana), which ended up parting with $1.14 million in ransom.
- How does Ransomware work?
Several types of ransomware exist today. Most of them share the same overall goal: take control of systems and files and demand a ransom. However, there are significant differences in how these attacks are carried out. The engineering behind each attack is often unique, which keeps victims and security researchers continuously guessing. Let’s discuss some of the techniques used, in order to gain a deeper understanding of how ransomware works. This section is suitable for both technical and non-technical readers. We shall discuss how some of the most prevalent ransomware families, namely Apocalypse, Jigsaw, CTB_Locker, Cerber, Unlock92, CryptoWall, Locky, Petya, TeslaCrypt and TorrentLocker, work.
The section below is quite exhaustive, since it dives a little deeper in an attempt to explain, step by step, how ransom malware works.
- Apocalypse Ransomware
Apocalypse was discovered back in 2016, and security experts responded quickly before it could spread widely. Apocalypse is unique in that it used a completely custom encryption algorithm instead of the standard encryption algorithms.
The encryption process of Apocalypse is custom-designed, and the encryption key is saved in the registry. After successful encryption, a new extension is appended to the file name. Similarly, the decryption procedure is based on a symmetric-key algorithm, which makes it relatively easy to decrypt infected files.
- Jigsaw ransomware
Jigsaw was released in 2016 and has seen subsequent version releases. This ransomware runs on the .NET Framework. A “.fun” extension is appended to files encrypted by Jigsaw. It was, however, quickly defeated by security experts. Arguably, Jigsaw has the simplest approach of all the families on this list. It primarily employs the AES algorithm in its encryption procedure.
The decryption process is likewise very clear. All you need to do is decrypt the encrypted files with the AES algorithm using the exact same key and IV.
- CTB_Locker ransomware
This ransomware is rather unique compared to others on the list. It is a relatively old one, but it spread significantly in 2014. It uses an encryption algorithm superior to RSA, and encrypted file names carry a randomly generated 7-character extension. CTB_Locker’s approach to encryption employs both the ECDH and AES algorithms. ECDH is an anonymous key agreement protocol and should not be mistaken for an encryption algorithm. CTB_Locker’s encryption procedure works in three levels: first it generates random ECDH keys, then it uses them to encrypt a randomly generated AES key, and finally it encrypts the target files with the AES algorithm.
The decryption procedure for files encrypted by this ransomware is simple and straightforward. Since it is impossible to derive the private ECDH key that corresponds to the available public ECDH key, we are left with only two steps. First, you obtain the randomly generated private ECDH key from the C&C server and use it to decrypt the AES key; then you use the AES key to decrypt the victim’s files.
- Cerber ransomware
Cerber was also released in 2016, with a second version detected in 2019. The initial Cerber encrypts a victim’s files and adds a “.cerber” extension to the file names. Cerber uses the RSA and RC4 encryption algorithms and works in a fairly complex way: it employs three different levels of encryption, juggling between RC4 and RSA alongside randomly generated keys.
However, a noticeable feature of how Cerber works is that it only encrypts parts of a file and not the entire file. Decrypting Cerber-infected files is easy when you have access to the randomly generated RSA keys, which can be obtained from the C&C server. Once you have the key, decryption is done by merely reversing the encryption process: decrypt the randomly generated RSA key, then decrypt the randomly generated RC4 key, and finally use RC4 to decrypt the file.
- Unlock92 ransomware
This ransom malware was first seen in June 2016, with subsequent versions following through to date. It operates on the .NET Framework and appends a “.CRRRT” or “.CCCRRRPPP” extension to the file name, depending on the version of Unlock92 used.
In its encryption process, it utilizes the RSA encryption algorithm twice. Each of its samples has a prebuilt RSA key that is usually base64-encoded. Base64 is also used to encode the randomly generated RSA keys, which are then used to encrypt the target files.
Unlock92 does not encrypt entire files, rather, it only encrypts the initial 0x300 bytes of a file.
Decryption involves retrieving the RSA private key from the C&C server and using the RSA algorithm to decrypt the encrypted files.
- CryptoWall ransomware
CryptoWall was first detected in 2014, and four different versions have been released to date. CryptoWall uses both the AES and RSA encryption algorithms. This type of ransomware primarily targets Windows-based operating systems, because its implementation of the encryption algorithms depends directly on CryptoAPI, which is part of Windows operating systems.
When decrypting CryptoWall, you need to go to the C&C server to obtain the RSA private key and use it to decrypt the randomly generated AES key. Finally, with that AES key, you decrypt the personal files.
- Locky ransomware
Locky uses both the AES and RSA algorithms in its encryption process, although different versions implement the algorithms in completely different ways. In one of its versions, the generated AES key is first encrypted with the RSA algorithm, and of course the RSA public key used is obtained from the C&C server. The generated AES key is then used to encrypt files.
Decrypting Locky-encrypted files resembles decrypting files encrypted by CryptoWall: simply use the private RSA key to decrypt the AES key, then decrypt the encrypted files using that same AES key.
- Petya ransomware
Petya was discovered in March 2016. It is another uniquely engineered ransomware on this list and works very differently from the others. Petya encrypts the NTFS master file table rather than personal files as you would expect. Typically, it interferes with the normal boot process of Windows by overwriting the bootstrap code in the Master Boot Record.
In its encryption procedure, it uses both the ECDH algorithm and the Salsa20 algorithm. Petya uses ECDH to encrypt a randomly generated Salsa20 key. It is important to note that Salsa20 runs entirely in a 16-bit environment and is launched after the ECDH algorithm has encrypted the randomly generated Salsa20 key.
The decryption process is equally straightforward in Petya. By simply fetching the key from the C&C server, you restore the MBR and the MFT respectively by decrypting them using Salsa20.
- TeslaCrypt ransomware
TeslaCrypt surfaced back in 2015 and has continued to release more versions since. It also uses a wide variety of algorithms across its releases. In its fourth version, the ransomware utilized the ECDH and AES algorithms in its encryption process, closely resembling CTB_Locker discussed earlier.
As you would expect, TeslaCrypt’s decryption procedure also mirrors that of CTB_Locker discussed above.
- TorrentLocker ransomware
TorrentLocker was released in 2014, and it has continued to terrorize the market with newer versions. Typically, this ransomware appends a “.encrypted” extension to the name of the encrypted file. TorrentLocker uses a combination of the RSA and AES encryption algorithms in its encryption procedure. By now you will have realized that a significant number of ransomware families employ this RSA-AES pattern.
A significant difference with TorrentLocker is that the AES key is generated by the Yarrow algorithm.
When decrypting, we have to obtain the private RSA key from the server and then use AES to decrypt the encrypted files.
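The families above each leave a recognisable trace on disk: a known extension (.fun, .cerber, .CRRRT, .CCCRRRPPP, .encrypted) or, for Unlock92-style partial encryption, a high-entropy first 0x300 bytes where a file’s magic number should be. The Python triage scanner below is an added example, not code from this article or from any of these families; the extension table comes from the text, while the sample files, the 7.2 bits-per-byte threshold and the magic-number list are constructed assumptions.

```python
import math
import os
import random
import tempfile
from collections import Counter

# Extensions the article attributes to specific families.
KNOWN_EXTENSIONS = {
    ".fun": "Jigsaw",
    ".cerber": "Cerber",
    ".crrrt": "Unlock92",
    ".cccrrrppp": "Unlock92",
    ".encrypted": "TorrentLocker",
}

HEADER_LEN = 0x300          # Unlock92 encrypts only the first 0x300 bytes
ENTROPY_THRESHOLD = 7.2     # bits per byte (assumed); ciphertext approaches 8.0

# Magic numbers of common formats; an intact header keeps them.
MAGICS = [b"%PDF-", b"PK\x03\x04", b"\x89PNG", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_file(path: str) -> dict:
    """Judge one file by its extension and by the entropy of its header."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    with open(path, "rb") as fh:
        header = fh.read(HEADER_LEN)
    entropy = shannon_entropy(header)
    has_magic = any(header.startswith(m) for m in MAGICS)
    family = KNOWN_EXTENSIONS.get(ext)
    # A known ransomware extension is decisive. Otherwise a header that is
    # both high-entropy and missing its magic bytes suggests partial encryption.
    # Compressed formats keep their magic, which is what stops them being flagged.
    suspicious = family is not None or (entropy > ENTROPY_THRESHOLD and not has_magic)
    return {"file": name, "entropy": round(entropy, 2), "family": family,
            "has_magic": has_magic, "suspicious": suspicious}


def scan_directory(root: str) -> list:
    """Assess every file under root, sorted by name for stable output."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            results.append(assess_file(os.path.join(dirpath, fn)))
    return sorted(results, key=lambda r: r["file"])


def pseudo_ciphertext(n: int, seed: int) -> bytes:
    """Deterministic stand-in for encrypted bytes (constructed test data)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))


def build_sample_tree() -> str:
    """Write constructed sample files: clean, renamed, partially encrypted."""
    root = tempfile.mkdtemp(prefix="rw_triage_")
    samples = {
        # Intact PDF: low entropy, magic present.
        "report.pdf": b"%PDF-1.4\n" + b"Lorem ipsum dolor sit amet. " * 40,
        # Plain text, nothing suspicious.
        "readme.txt": b"Meeting notes for Monday\n" * 40,
        # Jigsaw-style rename: whole file replaced by ciphertext.
        "photo.jpg.fun": pseudo_ciphertext(1024, seed=1),
        # Constructed Unlock92-style case: only the first 0x300 bytes are
        # ciphertext, the rest is plaintext, and the extension is untouched,
        # so only the entropy check can catch it.
        "budget.txt": pseudo_ciphertext(HEADER_LEN, seed=2)
                      + b"Quarterly budget figures\n" * 30,
        # Legitimate archive: high-entropy payload but magic intact.
        "archive.zip": b"PK\x03\x04" + pseudo_ciphertext(1000, seed=3),
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


def demo() -> list:
    """Build the sample tree, scan it and return the per-file verdicts."""
    return scan_directory(build_sample_tree())


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The archive case is the caveat to keep in mind: compressed and already-encrypted formats are naturally high-entropy, so entropy alone is a triage signal, not proof of infection.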
- Ransomware Infection and Behavior
Ransomware infections occur in a number of ways. For a standard ransomware attack, infection is usually the first step. A complete ransomware attack cycle involves infection, securing key exchange, encryption, extortion and finally decryption. This chronological order describes the complete behavior of a ransomware.
The infection stage involves many variables of concern, for instance how the ransomware files get onto your system. There are four prevalent ways in which ransomware spreads to different users. A good understanding of these techniques often helps internet users avoid ransomware traps and stay safe.
Although no one is safe from ransomware attacks, there are a few well-known vectors these attacks take to infect their victims. Here are some of the popular infection routes.
- Phishing Emails
Hackers really love email. Email has become the most common method of spreading ransomware. Phishing emails are well thought out and carefully designed to lure target users into visiting a link or opening an attachment that carries a malicious file. These attachments could be a ZIP file, a Word document, a PDF file or even a JavaScript file. A common pattern is that the attack is designed to trick victims into “Enabling Macros”, which then allows the document to download malicious “.exe” files by running scripts in the background.
The executable files harbor the methods and functions that encrypt specific data or system parts, as described earlier in section 2. Ransomware has become extremely advanced and can spread to other systems via the network. This makes it incredibly important for organizations to stay on the watch, since a single infection could cripple an entire organization’s network of computers. Ransomware like Locky and Cerber are well known to use email phishing as a way of reaching their victims.
- Drive-By Downloads
This is also a very effective way of spreading ransomware. Drive-by downloads are malicious downloads that occur behind the scenes, without the knowledge of the victim, when visiting a compromised website. This attack path is particularly dangerous since it requires little action from the user, making it extremely difficult to protect yourself from this kind of infection. Unsuspecting victims fall into this trap all the time: ransom attackers exploit website vulnerabilities to embed the malware, or redirect victims to a vulnerable site where they then use exploit kits to gain backdoor access.
Drive-by download attacks do not only occur on small, obscure websites; they have been encountered on popular global sites like The New York Times, the NFL and the BBC, all of which were victims of a ransomware campaign via hijacked adverts.
CryptoWall is a good example of ransom malware that uses this method of infection.
- USB and other Removable media
The popularity of ransom malware continues to increase, and so do the means of making money from it. USB devices and other removable media are another common way ransom malware operators have used to infect systems and machines. A popular ransom attack was spread to Australians in 2016 using flash disks disguised as a promotional Netflix application. The external drives infected computers with ransomware once they were plugged in, and the ransomware had the ability to replicate itself in order to affect other machines connected to the removable drive.
- Remote Desktop protocol
Ransom malware attackers have perfected the art of using the Remote Desktop Protocol (RDP) to target victim computers. Typically, this involves remotely controlling other computers in a network from an administrator’s computer. RDP was initially designed to allow IT experts and administrators to configure corporate computers remotely, and it usually uses port 3389.
This feature offers attackers a chance to exploit it for malicious acts. Using specialized internet search engines like Shodan.io, hackers search for and target computers with port 3389 open and launch attacks. The most prevalent way these attackers gain administrative rights is by brute force, a password cracking technique that involves attempting many passwords within a short time. This is done with the help of specialized password cracking software and tools such as John the Ripper, Cain and Abel and Medusa, among others.
Once they have administrative access, they deploy the ransomware and disable security features, forcing organizations to pay up in order to regain access to their data. Some ransomware families that have used this mechanism before are CrySis and LowLevel04.
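The brute-force pattern described above (many failed RDP logons in a short time, then a success) is visible in authentication logs before any ransomware is deployed. The detector below is an added example, not from this article; it runs over constructed log lines in a simplified one-event-per-line format modelled on Windows events 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP), and the 5-failures-in-60-seconds threshold and the addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified one-event-per-line format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) SourceIP=(?P<ip>\S+)$"
)
FAILED_LOGON, SUCCESS_LOGON = 4625, 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive

# Constructed sample log: one noisy source, one user typo, one local failure.
SAMPLE_LOG = """\
2024-03-02T10:15:01 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.45
2024-03-02T10:15:04 EventID=4625 LogonType=10 Account=admin SourceIP=203.0.113.45
2024-03-02T10:15:09 EventID=4625 LogonType=2 Account=jdoe SourceIP=127.0.0.1
2024-03-02T10:15:10 EventID=4625 LogonType=10 Account=backup SourceIP=203.0.113.45
2024-03-02T10:15:15 EventID=4625 LogonType=10 Account=jdoe SourceIP=198.51.100.7
2024-03-02T10:15:17 EventID=4625 LogonType=10 Account=sysadmin SourceIP=203.0.113.45
2024-03-02T10:15:23 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.45
2024-03-02T10:15:30 EventID=4625 LogonType=10 Account=root SourceIP=203.0.113.45
2024-03-02T10:15:41 EventID=4624 LogonType=10 Account=jdoe SourceIP=198.51.100.7
2024-03-02T10:16:02 EventID=4624 LogonType=10 Account=administrator SourceIP=203.0.113.45
""".splitlines()


def parse_event(line: str):
    """Parse one log line; return None for malformed or unrelated lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "eid": int(m["eid"]),
        "lt": int(m["lt"]),
        "acct": m["acct"],
        "ip": m["ip"],
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold RDP failures inside `window`, and
    escalate when a flagged IP later logs on successfully over RDP."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    accounts = defaultdict(set)     # ip -> account names attempted
    flagged = set()
    alerts = []
    for ev in filter(None, map(parse_event, lines)):
        if ev["lt"] != RDP_LOGON_TYPE:
            continue  # only remote-interactive (RDP) logons are of interest
        ip = ev["ip"]
        if ev["eid"] == FAILED_LOGON:
            q = failures[ip]
            q.append(ev["ts"])
            accounts[ip].add(ev["acct"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()  # drop failures that fell out of the sliding window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "rdp_bruteforce", "ip": ip,
                               "failures": len(q), "accounts": sorted(accounts[ip]),
                               "at": ev["ts"].isoformat()})
        elif ev["eid"] == SUCCESS_LOGON and ip in flagged:
            # A success right after a burst of failures is the case to act on first.
            alerts.append({"kind": "rdp_bruteforce_success", "ip": ip,
                           "account": ev["acct"], "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

The single failure from 198.51.100.7 never reaches the threshold, so it produces no alert; the second alert is the one a responder should treat as a likely compromise rather than mere noise.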
- Who is the target of ransomware
In its early days, ransomware mainly targeted individual PCs. Attackers launched ransomware with the aim of crippling individual PCs and then prompting their owners to make a payment in exchange for their data. However, over time this trend has shifted a great deal towards large corporations and small and medium businesses. Ransomware developers realized the enormous opportunity in targeting businesses and companies rather than individuals.
Targeting businesses and companies offers them a chance to charge even more, since companies rely heavily on their systems to conduct business. Being locked out of their systems seriously cripples these organizations, forcing them to pay huge ransoms to attackers in order to resume business. For this reason, the primary targets of ransomware attacks remain companies and small to medium businesses that heavily rely on PCs and digital solutions for their daily operations.
According to a study conducted by Malwarebytes, about 13 percent of worldwide enterprise detections were ransomware. Similarly, about 35 percent of all SMBs had faced a ransomware attack. In the same year, 22 percent of organizations were forced to cease business operations because of these attacks. A whopping 81 percent of all businesses had experienced one or more cyberattacks. The statistics are endless, and they all show that corporates, organizations and small & medium businesses are more vulnerable to ransomware attacks than the average internet user. You can find more detail on ransomware attacks on small and medium sized businesses here.
Although companies and businesses make up the larger share of ransomware targets, regular computer users like you and I are not completely safe either. You should be constantly on the lookout for suspicious emails and attachments, since a good number of personal computer ransomware attacks come from email phishing.
Geographically, ransomware attacks seem to be most prevalent in Eastern and Western countries. Organizations in countries like Saudi Arabia, Turkey, China, Spain, the United Kingdom, the United States and Mexico recorded the highest number of ransom attacks. Surprisingly, in South Africa about 60% of organizations also reported some form of ransomware attack.
- Ransomware facts
Ransomware attacks have been around for a while, and they do not seem likely to stop anytime soon. Arguably, 2017 was the worst ransomware year, with several attacks on individuals and businesses. Cybercrime has continued to evolve over time, changing infection strategies, encryption procedures and the targets of encryption.
Here are some of the insane facts about ransomware from previous years that will certainly help you understand the magnitude of the threat ransomware poses to online businesses, corporates, governments and personal computers.
- In the US, about 66 percent of ransomware attacks in 2019 targeted local and state governments.
- Towards the end of 2019, the average ransomware payout rose to $41,000.
- More than 500 academic institutions experienced a ransomware attack in 2019.
- About half of small and medium sized businesses are willing to pay hackers a fee to regain access to their data.
- About 150 local governments, medical institutions and police stations recorded a ransomware infection in 2019.
Now, let’s look at some of the outstanding ransomware attacks of 2019 that demanded payouts, successful or otherwise.
- In June 2019, the Park DuValle Community Health Center faced a ransomware attack that saw the records of about 20,000 patients encrypted. The attack crippled the health center for two consecutive months, locking it out of its system. The facility had to operate on a manual paper filing system for seven weeks, without the ability to make schedules and appointments. The health facility ended up paying $70,000 in ransom.
- In April of last year, according to a Cybersecurity Insiders story, a town in Ontario, Canada faced a ransomware attack in which malware encrypted its servers and completely locked it out of its data. The city had to pay a ransom of 10 BTC, which converted to about $71,000.
- Similarly, in June 2019, La Porte County in Indiana was hit by a ransomware attack. Luckily, the IT experts noticed the malware spreading and managed to contain it to a small portion of the network. The FBI, working with a forensic investigation firm, failed to recover the data, forcing the county to pay $130,000 in ransom. About $100,000 of this amount was covered by insurance.
- Government organizations appear to be a prime target for ransomware attackers, because Jackson County in Georgia comes in fourth. This attack took place in March 2019, when Jackson County faced a terrible shutdown of all its services. The ransomware spared only the police emergency system (911) and the county’s website. It was later identified as the Ryuk ransomware strain, which was also a nightmare for many schools in 2019, affecting more than 500 of them. The county had to pay a ransom of $400,000 to regain access to its systems.
- In Florida, Lake City was also crippled by a ransomware attack in June 2019. This attack spread so fast that it paralyzed most of the city’s systems, causing a lot of operational issues. It restricted access to city council agendas, resolutions, ordinances and meeting minutes, among other things. After a few weeks, Lake City, through its insurance, paid $500,000 in ransom to recover some of its data. Not all the data was recovered, due to delayed agreements. This was another Ryuk ransomware attack.
- We close the list with Riviera Beach, again in Florida. This attack took place in May 2019 and involved the highest ransom payout of 2019. According to reports, a city employee fell into the trap of a phishing email, and the attackers immediately gained access to the city’s entire system. This affected payment procedures, communication channels and even utility pumps. City officials agreed to pay the $600,000 requested by the attacker, using about $300,000 from their insurance policy. Sadly, this attack happened shortly after Riviera Beach had invested about $1 million in replacing its computer equipment.
- Ransomware Infects Critical Files
As mentioned earlier, the ransomware industry is continually evolving and adapting to each new security barrier developed. In this section, we will discuss critical files, how ransomware targets them and why they are a priority target for ransomware attacks. Critical files are essential files in a system that the operating system needs in order to operate smoothly. Ransomware that affects critical files often depends on patched malware in order to successfully infect systems. A patched malware file is a legitimate file that has been modified by malicious code. Ransomware attackers prey on these files because they are used very often while the system is running: the more often a file is executed, the more often the embedded malicious code runs.
For instance, some well-known police ransomware targets and infects user32.DLL, a well-known critical file. This technique makes it extremely difficult for security tools to detect the malicious activity. Attacking critical files has a couple of advantages, such as evading security tools that monitor system behavior. Again, cleaning critical files is often a daunting task that requires extreme care; for this reason cleaning tools often don’t touch critical files, making them a relatively safe place for malicious code to reside.
The infected user32.DLL file then acts on its own and eventually loads the actual ransomware onto the system. At this point, the ransomware locks the screen and displays a ransom message.
- History of Ransomware
In this section, we will discuss ransomware from when it was first documented up to the present day. Although ransomware only became a global threat in the mid-2000s, the first attacks of this kind happened much earlier. The first ever recorded ransomware attack happened in 1989, and it targeted the healthcare community. That year, an AIDS researcher, Dr Joseph Popp, infected floppy disks with malware and distributed around 20,000 copies to other researchers in 90 countries. According to the report, Dr Popp claimed that the disks contained a useful computer-based program that could assess the risk of contracting AIDS based on a simple questionnaire. The ransom malware, however, infected the computers and later demanded a ransom payment. The malware remained dormant on the infected computers for days, and it only activated after the computer had been rebooted 90 times. After this threshold, the ransomware executed and displayed a ransom message on the screen demanding payment to regain access. According to the report, the ransom requested was between $189 and $378.
This attack was later called the AIDS virus of the digital world. The ransomware was poorly engineered and contained a wide range of vulnerabilities, but it set the base for subsequent ransomware that became more sophisticated in its approach. Early ransomware creators usually wrote their own custom encryption code and algorithms. Over time, developers shifted to pre-developed encryption algorithms offered as off-the-shelf libraries. These libraries are carefully developed and contain very complex algorithms that are often difficult to crack. Additionally, ransomware infection methods have evolved into sophisticated, high-level techniques that no longer require physical media like the floppy disks in Joseph Popp’s case. Today’s ransomware attacks are launched via advanced methods such as spear-phishing campaigns, as opposed to the traditional phishing emails that most spam filters managed to fight.
- Do you pay ransom?
At this point, it is clear that ransomware is a global problem with the potential to attack and cripple nearly any digital entity. For this reason, it is prudent to understand whether or not it is advisable to pay the ransom when you face an attack.
This topic has had its fair share of debate. One group is against paying ransom, while others argue that it is prudent to pay in the event of an attack. With the current level of ransomware sophistication, cracking these encryptions has become a significant challenge for security experts and even the FBI, leaving victims at a serious crossroads. Often, when faced with an attack, corporations, companies and governmental institutions in particular are issued an ultimatum for when the payment should be made.
During this time, victims often think about the options available to decrypt their files without succumbing to the hackers’ demands. Most of the time, not paying the ransom has proven not to be a good option for victims who are not ready to lose their data. Studies show that about 70% of small and medium sized businesses that have experienced ransomware attacks have ended up paying.
So, assuming you have already been attacked, the decision you make depends on what you stand to lose. In the case of a personal computer, you may consider not paying the requested ransom and opting to replace your machine, if there is no sensitive data on it that you would mind losing. Businesses, however, risk losing client data, financial records and appointments if they refuse to pay. A quick cost-benefit analysis can determine which option is best, but judging by previous events, it is crystal clear that most would prefer to pay up and resume operations while they work on adjusting their security against future attacks.
Disclaimer: Although most ransomware attackers offer solutions after payment, these are criminals who enjoy preying on people’s vulnerabilities, and therefore a solution to your problem is not always guaranteed.
- Ransomware Types
- The Evolution to CryptoLocker and Crypto-ransomware
- The origins of ransomware
- Mobile Ransomware
- Mac ransomware
- What to do if I’m infected
- How to prevent ransomware?
- How does ransomware affect your business?
- Ransomware statistics
- List of Top Ransomware till today
- Future trends of ransomware
- What is ransomware-as-a-service (RaaS)?
- Why is it so hard to find ransomware criminals?
- How to defend against ransomware?
- Steps to respond to a ransomware attack
- Ransomware removal
- How to remove ransomware?
- Ransomware Defense, Prevention, and Removal
- Anti-Ransomware Tools and Solutions
- Ransomware news quick overview