INTRODUCTION TO RANSOMWARE
RANSOMWARE is a particular class of malwares that demands payment in exchange for a stolen functionality, mostly data. This class of malware has been identified as a major threat to computer and network security across the globe Also Ransomware installs covertly on a victim’s device to either mount the cryptoviral extortion attack from cryptovirology that holds the victim’s data hostage, or the cryptovirology leakware attack that threatens to publish the victim’s data. The real target of this form of attack are critical data that are very important to individuals and enterprises alike. In fact, the attack has spread to mobile devices and mobile malware detection approaches are not so effective because of the subtle nature of the malicious programs. Therefore, billions of mobile device users are susceptible to this attack. Most of the ransomware variants depend on file encryption as a strategy for extortion. Data stored on victim’s device are encrypted while the hacker demands for ransom before the files can be decrypted. Ransomware may encrypt the Computer’s Master File Table (MFT) or entire hard drive. It is a denial-of-access attack that prevents computer users from accessing files since it is intractable to decrypt the files without the decryption key
WHAT IS RANSOMWARE
According to KASPERSKY, Ransomware is a type of malware designed to hijack computers so hackers can force victims to pay a ransom to regain access.
It can infect your computer when you download an innocent-looking email attachment or visit a website that surreptitiously executes malicious code that ultimately encrypts critical files or denies access to the computer.
VARIANTS OF RANSOMWARE
Ransomware is a growing problem that is affecting businesses around the world (read about these common infection methods). With new variants popping up all the time, it is difficult for IT Security solutions to keep up. Here are some of the more popular variants of Ransomware:
1. MSIL/Samas.A
Also known as samsam, it targets backups and is controlled by humans, not a machine or program. Samsam is a Java-based variant that deletes all VSS volume copies and wipes free space on your hard drive. Includes Active Directory harvesting utility that will collect information to be exploited at a later time. Human controlled to attack at most vulnerable time to maximize profit.
2. CryptoLocker
One of the most well known variants of Ransomware, CryptoLocker is a Trojan horse encryption virus. Files on the infected computer are encrypted and require the user to purchase a password in order to decrypt them.
3. Locky
Locky and its many subvarients work to corrupt your files by scrambling them and renaming them with the extension .locky. In order to unscramble your files, you are forced to pay for a decryption key.
4. KillDisk
A Ransomware variant that targets Linux. KillDisk sabotages companies by deleting data and altering files at random. KillDisk also does not save the encryption key on the disk or online, which makes it difficult to recover files without paying a ransom.
5. FairWare
Like KillDisk, FareWare also targets Linux users. FareWare attackers hack Linux servers and delete the webfolder. They then demand a ransom for the return of the files. The files are not encrypted by the attackers, just reuploaded to a server under the attacker’s control.
6. KeRanger
KeRanger is a Trojan horse Ransomware virus, and the first Ransomware virus to target Mac OS. It is an encryption virus that works to block access to your important files until a ransom is paid.
7. FileCoder
Another Trojan virus that encrypts files and tries to extort a ransom is FileCoder. Like KeRanger, FileCoder also targets Mac.
8. Angler
Angler is an exploit kit that is used to open a channel of communication with your system that cyber criminals can use to access your data. Often, attacks via angler are delayed. As the access channel is monitored by humans on the other end, cyber criminals wait for the opportune moment to attack.
9. WannaCry
I’m sure by now you’ve heard the news about WannaCrypt also known as WannaCry. This new malware (malicious software) or ransomware holds your computer hostage until you pay a ransom. It recently hit 150 countries and 200,000 computers shutting down hospitals, universities, warehouses, telecommunication companies and banks.
FAILED RANSOMWARE ATTACKS
1. HITLER RANSOMWARE: It claims to have encrypted the victim’s files, but in fact simply deletes file extensions for anything found in certain directories. After an hour it crashes the PC and, on reboot, deletes the files. The payment demanded is a cash code for E25 Euro Vodafone Card. Text found in the code suggests it originates in Germany.
2. FAKE WINDOWS 10 LOCK SCREEN: It tells the user that their license has expired, turns out to have the decryption key buried in the code. Researchers from Symantec discovered that, while the criminals had gone to considerable effort to set up fake tech support websites for the scam, the phone number they gave out for victims to call was never answered and was soon disconnected. On reverse engineering the code, the researchers found the decryption key (8716098676542789) plainly visible.
3. ‘POWERWARE’ AND ‘BART’ They have been cracked by security researchers who found flaws in the malware. A team at Palo Alto Networks found that PowerWare, while trying to emulate the notorious Locky strain, had weak encryption and hard[1]coded keys. The company published a decryption tool and AVG created a decryptor for Bart due to the malware’s poor encryption algorithm.
4. CHIMERA RANSOMWARE The decryption keys of the Chimera ransomware have also been published by a rival ransomware gang known as Janus. Janus aimed at ensuring there are enough victims available for its own malware, dubbed Mischa, which also uses some of the Chimera source code. The Chimera malware was never especially widespread, being aimed mainly at smaller German businesses. But it was notable for the threat from its creators that they would publish victims’ private documents and login credentials if they didn’t pay up. Security firms had yet to write a decryptor using the published keys. Victims are advised to keep the encrypted versions of their files safe for later decryption once the relevant tool is available.
PRECAUTIONARY MEASURES
In order to prevent the user’s data from getting into unrecoverable state, users should have an incremental online and offline backups of all the important data and images. In addition, all the in-built defense mechanisms and detection tools should be kept up and running all the time. Exposure to threats should be minimized, where possible, with common sense, site or IP address blocking and endpoint protection. Organizations and individuals should ensure that their electronic defense is as impenetrable as possible through the use of anti-virus, firewalls, IPS, web and mail filtering. Policies that prevent penetration should be enforced in organizations by ensuring correct system configuration and device ‘hardening’. A robust and incremental back-up system of business and personal-critical details should be implemented. Also, personnel must ensure that offline back-ups remain offline at all times so they are protected. Backups should be tested regularly to guarantee protection. Organizations should put robust policy and processes and a practical system of educating users on how to best prevent and deal with ransomware attacks in place. Users should enforce a general information policy pertaining to what websites are Safe for Work (SFW) and Not Safe for Work (NSFW) and educate themselves and their team on the risks and the methods by which ransomware is activated and attacks are carried out from beginning to end. Organizations need a system in place that looks for anomalous behavior such as rapid encryption or malicious non-human activity, to avoid falling prey to rapidly evolving and adapting ransomware attacks. The location where data is stored on file systems should be known, especially in unstructured formats in documents, presentations, and spreadsheets. Access to personal data should be limited on a need-to-know basis or through role[1]based access controls. The goal is to make it difficult for attackers to access important data after hacking an ordinary user – say, through a phishing email – and launching ransomware based on that user’s credentials. Organizations should also remove and/or archive outdated or stale personal data, further reducing the attack surface. Ordinary users whose credentials the ransomware is leveraging, do not perform a large-scale scans of crawling a file system, navigating through each directory and examining file. Therefore, monitoring software, particularly based on User Behaviour Analytics (UBA), should be able to detect the ransomware and limit the number of files that are encrypted. Companies should perform should regularly perform back-ups of their file systems, especially critical and sensitive data and have in place a recovery plan for restoring the data in the case of cyber-attacks. In order to handling a ransomware attack: systems mustbe aggressively patched; back-ups must be created and protected; an incidence response plan must be developed; and user awareness training must be conducted.
Ransomware attacks have become a global incidence, with the primary aim of making monetary gains through illicit means. The attack started through e-mails and has expanded through spamming and phishing. Ransomware encrypts targets’ files and display notifications, requesting for payment before the data can be unlocked. Ransom demand is usually in form of virtual currency, bitcoin, because it is difficult to track. The variants of ransomware has continue to increase because of the profitability of the illicit act. However, there is a growing effort to curb the spread of this malware. A good understanding of the behavior of ransomware will help individuals and enterprises to tidy up their vulnerabilities to this kind of attack. State-of-the-art research findings, proposed solutions, and precautionary measures are provided in this study. With the recent spread of ransomware attacks on Linux and operating systems, the analysis of ransomware on these platforms is needful. Kaspersky Lab and Intel have joined forces to avoid data theft and undue extortion of ransomware, individuals and organization needs robust network security platform.
