It’s becoming a depressingly common story:

Almost a year ago, following a malware attack on a school in Los Angeles, an IT consulting firm recommended heeding the seven-day deadline set by the perpetrators and transferring $28,000 in Bitcoin to avoid permanent loss of data.

The school duly paid and became another victim of a lucrative cybercrime known as ransomware.

So what exactly is ransomware and how does it work?

The Origin and Modus Operandi of Ransomware

Ransomware is malware that denies access to a user’s data, today almost always by encrypting it, and then extorts money for restoring that access. The user is usually given a time limit in which to pay, after which the data (or the decryption key) is threatened with permanent destruction.

The first recognised ransomware attack dates from 1989. Using a trojan horse (malware hidden inside other, apparently legitimate software), Joseph Popp distributed a payload which hid users’ files on their hard drive, encrypted the file names and coerced some victims into paying $189 to the ‘PC Cyborg Corporation’ in order to restore access.

In fact, because the trojan used symmetric cryptography, the same key that scrambled the files was needed to unscramble them, and a savvy user could find that key inside the trojan itself. Many people did not know this and paid. When Popp was identified he promised to donate the proceeds to AIDS research, and the ransomware became known as either PC Cyborg or the AIDS Trojan.

In 1996, a pair of cryptographers from Columbia University, Adam Young and Moti Yung, showed that public-key cryptography removes this weakness: if the malware carries only a public key, nothing recoverable from the victim’s machine can decrypt the data, because the matching private key never leaves the attacker. They called the idea cryptovirology. Sure enough, by 2005 various ransomware families were using the RSA cryptosystem in exactly this way, with the attacker holding the private key necessary to unlock the encrypted data.

Ransom Comes in Many Forms

PC Cyborg demanded payment in ordinary US dollars but there are many other, less traceable, ways in which cybercriminals can extort payment.

One method, used by the distributors of the 2010 WinLock ransomware, forced victims to send a premium-rate SMS costing around $10 to a special number. This tactic is thought to have netted them around $16 million.

Another Windows-based trojan, launched in 2011, conned people into making an expensive long-distance phone call, while the 2015 Fusob attack asked for iTunes gift vouchers.

The most popular form of ransom at the moment, though, is cryptocurrency, with most demands made in Bitcoin. As a decentralised, largely unregulated currency, Bitcoin is attractive to criminals: it moves across borders easily and, although every transaction is recorded on a public ledger, wallet addresses are pseudonymous and hard to tie to a real-world identity.

CryptoLocker: A Case Study

Bitcoin was the ransom of choice for one of the most notorious ransomware attacks to date: CryptoLocker.

Distributed in 2013 through the Gameover Zeus botnet, CryptoLocker used the hybrid scheme Young and Yung had described: each victim’s files were encrypted with symmetric keys, and those keys were in turn encrypted with a 2048-bit RSA public key whose private half sat only on the criminals’ servers. Only when a payment had been made would the gang release the private key needed to restore access.

Although estimates vary wildly, CryptoLocker netted its distributors millions of dollars, perhaps tens of millions, mainly in Bitcoin. Fortunately, in 2014 an international law-enforcement operation led by the FBI (Operation Tovar) disrupted Gameover Zeus, and security researchers obtained the gang’s database of victims and the private keys needed to restore their data, which were then offered to victims through a free decryption service.
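To make the difference between the 1989 design and the CryptoLocker design concrete, here is an added illustration in Go. It is not code from the article and not code from any real ransomware family; it models both schemes on in-memory byte slices and never touches a file. The first scheme uses one symmetric key baked into the program, which is what let AIDS Trojan victims recover their files without paying. The second generates a fresh AES key per file and wraps it with the operator’s RSA public key, which is why only the private keys recovered after Operation Tovar could unlock CryptoLocker victims’ data. The key sizes, the demo key value and the sample document are assumptions chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// aidsTrojanKey models the 1989 design: one symmetric key shipped inside the
// program, so anyone who has the binary also has the decryption key.
// Constructed demo value; 16 bytes selects AES-128.
var aidsTrojanKey = []byte("16-byte-demo-key")

// sealAESGCM encrypts plaintext under key with a random nonce, prepended.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM reverses sealAESGCM; GCM's authentication tag makes it fail
// cleanly on a wrong key instead of returning garbage.
func openAESGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed data too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// LockedFile is what the hybrid (CryptoLocker-style) design leaves behind:
// the file sealed under a fresh per-file key, plus that key wrapped with the
// operator's RSA public key. The plaintext file key itself is discarded.
type LockedFile struct {
	WrappedKey []byte // RSA-OAEP(fileKey)
	Sealed     []byte // AES-GCM(fileKey, file)
}

// lockHybrid needs only the public key, which is all the malware carries.
func lockHybrid(pub *rsa.PublicKey, plaintext []byte) (*LockedFile, error) {
	fileKey := make([]byte, 32) // AES-256 key generated on the victim machine
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	sealed, err := sealAESGCM(fileKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &LockedFile{WrappedKey: wrapped, Sealed: sealed}, nil
}

// unlockHybrid needs the private key, which stays on the operator's server
// unless, as with CryptoLocker, investigators get hold of it.
func unlockHybrid(priv *rsa.PrivateKey, lf *LockedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lf.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return openAESGCM(fileKey, lf.Sealed)
}

func main() {
	doc := []byte("Q3 payroll spreadsheet (constructed sample)")

	// 1989 design: the key is in the program, so recovery needs no ransom.
	sealed, _ := sealAESGCM(aidsTrojanKey, doc)
	back, err := openAESGCM(aidsTrojanKey, sealed)
	fmt.Printf("symmetric, key read from binary: %q (err=%v)\n", back, err)

	// Hybrid design: only the operator's private key unwraps the file key.
	operator, _ := rsa.GenerateKey(rand.Reader, 2048)
	someoneElse, _ := rsa.GenerateKey(rand.Reader, 2048)
	locked, _ := lockHybrid(&operator.PublicKey, doc)
	_, err = unlockHybrid(someoneElse, locked)
	fmt.Println("hybrid, wrong private key fails:", err != nil)
	back, _ = unlockHybrid(operator, locked)
	fmt.Printf("hybrid, operator's private key: %q\n", back)
}
```

The point to take from the second half is that the only secret on the victim’s side, the per-file key, exists in memory just long enough to be wrapped and is then thrown away, so memory forensics or reverse engineering of the binary yields nothing useful. The only routes to the data are a backup, a mistake by the operators in their own key handling, or seizure of the private keys as happened with CryptoLocker.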

Variations on Ransomware

An important point to note is that not all instances of apparent ransomware are necessarily what they seem to be.

Scareware is a type of malware which displays the kinds of messages used in a ransomware attack but without encrypting anything. Some will try to frighten users into taking an action (e.g. clicking a button or phoning a ‘support’ number) which will then install real malware onto their system. A prominent window or full-screen graphic may prevent the user from navigating away, but as long as nothing has been clicked, nothing has been installed: closing the browser or, failing that, holding the power button until the device shuts down is normally enough to avoid a problem.

Other ‘locker’ ransomware disrupts the normal functioning of a device without touching the data, for example by registering itself as the Windows shell so that its lock screen loads at logon instead of Explorer, to give a false impression of a devastating attack. In reality, such malware may be relatively easy to remove once the shell setting is restored, and the files underneath are intact.

As with other types of malware, the most common way ransomware ends up installed on a device is through a user clicking a link or opening an attachment or download from an unknown source (often disguised as a trusted one). The bigger the business, the more people there are to make that one mistake.

Businesses of all sizes need to sharpen up on their security policies if they don’t want to become the next unwilling financiers of a sophisticated network of international cybercriminals.

About Brent:

Brent Whitfield is the CEO of DCG Technical Solutions Inc. DCG provides the specialist advice and Los Angeles IT security that businesses need to remain competitive and productive, despite their often limited IT infrastructure expenditure. Brent has been featured in Fast Company, CNBC, Network Computing, Reuters, and Yahoo Business. DCG was recognized among the Top 10 Fastest Growing MSPs in North America by MSPmentor. Twitter @DCGCloud.
