Cyber attacks have been around for as long as the internet has existed. As soon as people got access to the web, those who wanted to exploit it followed.
Lately, however, there have been more of them than ever before. Since 2014 there has been a continuous rise in online threats, and they are not only more frequent but also more destructive.
In May 2017 one of the largest outbreaks in the history of the internet struck, and many organizations are still dealing with the consequences. We are talking, of course, about the ransomware worm known as WannaCry. During a single weekend it spread to more than 200,000 computers in around 150 countries.
Its targets were Windows computers belonging to companies, banks, hospitals, post offices, and the like. It spread by exploiting a flaw in the SMBv1 file-sharing service of Windows (MS17-010) with an exploit called EternalBlue, which the NSA had developed. The exploit became public after the hacking group known as the Shadow Brokers stole it from the NSA and leaked it in April 2017. Microsoft had already released a patch in March 2017, so only unpatched machines were hit.
But that was not the end of the problems. About six weeks later, at the end of June 2017, a new piece of ransomware did the same thing. At first everyone thought it was the infamous Petya, since it reused Petya's boot-level code, but researchers soon realized it was something else.
Vendors named it GoldenEye or NotPetya. Although it hit institutions in many countries, its main goal was to damage Ukraine: the initial infections came through a trojanized update of M.E.Doc, an accounting package used by most Ukrainian businesses, and the malware had no working way to decrypt the files, so it behaved more like a wiper than a real ransom scheme. It was the culmination of an ongoing trend: these attacks are becoming more dangerous as well as more common.
These attacks were at first targeting individuals, or small groups that hackers would trick via spear phishing. Now, however, major companies, institutions, and even governments are fair game.
That doesn’t mean individuals are no longer targets. The world is big, and someone is being infected right now, while you are reading this, without any idea that their entire collection of data is about to end up under lock and key. Soon after it happens, they will receive a message demanding hundreds of dollars; otherwise, the data is gone for good.
Would you pay if it happened to you? Many people would. Your data is not the point of your life, but it is still important to you and, depending on what you do, it might well be irreplaceable. The attackers don’t care about that, and you can’t talk them into letting you off the hook. If you don’t have a backup, as many people don’t, you will be in serious trouble.
Now, usually, people start looking for texts like this only after the problems appear. Hopefully, you are only reading it in order to prepare yourself for the possibility of an attack. Whatever the case may be, in the rest of this text, we will discuss a series of topics concerning ransomware. Those include:
- What is ransomware?
- The history of ransomware
- Who are its regular targets?
- How does it spread?
- How does it work?
- Why can’t antivirus notice it?
- The biggest ransomware families
- How to protect yourself from it?
- How to get your data without paying?
So let us begin.
What is ransomware?
Simply put, ransomware is a type of malware that denies you access to your computer or your files and demands payment to restore it. Unless you pay, your computer is close to useless and all of your files are locked away.
Ransomware comes in two types. The first is encrypting ransomware, which encrypts your files and makes them unreadable to you. The most notorious families of this type are Locky, CryptoLocker, and CryptoWall, though there are many others.
The second type is locker ransomware, which locks the computer itself. You can’t reach your desktop, files, apps, or any other data. Your files are not encrypted this time, but you still can’t get to them, so the attackers expect you to pay either way. WinLocker is the best-known representative of this type.
Some lockers go after the computer’s MBR (Master Boot Record), the first sector of the disk that starts the boot process. Instead of booting the operating system, you get the ransom note. Petya is one such family: it overwrote the MBR with its own bootloader, and that bootloader then encrypted the Master File Table, so the file contents were left in place but the system could no longer find them. Satana also attacked the MBR.
The first type, crypto-ransomware, is by far the most common form, and it will be the focus of this text. It has been the biggest problem for several years now.
Ransomware is a distinctive form of malware, and several things set it apart from other threats:
- Strong encryption: well-written families encrypt each file with a fresh symmetric key and then encrypt that key with the attacker’s public key, so the files cannot be recovered without the private key that only the attacker holds
- The ability to encrypt pretty much any type of file
- The ability to scramble file names, which adds to your confusion, because you can no longer tell which files were hit and which were not
- It can append its own extension to encrypted files
- It shows a message on the screen demanding money
- Attackers mostly want payment in Bitcoin, which is pseudonymous and awkward for law enforcement to attribute, even though every transaction is public on the blockchain
- It gives you a deadline for payment; after that the price goes up, or the decryption key is destroyed
- It uses various evasion techniques to get past antivirus software
- It can make your device part of a botnet
- It can spread to other devices on the same network, through shares or unpatched vulnerabilities, which is why attackers love large businesses
- Some families also steal your data, which the attackers can then sell to other criminals
- It often targets a particular region first, and then spreads from there
All of these features already belong to ransomware, but that is not all it can do. New capabilities appear almost daily, and anti-malware vendors work hard to keep up.
And of course, with new features come new ‘models’, which means that malware families extend and multiply. These are complicated and advanced threats, and you need at least a basic level of protection to stand a chance against them.
They won’t go away anytime soon, because using them is very profitable. It is a crime, of course, but it still makes millions for those who care nothing for the law or other people’s privacy.
The history of ransomware
The first ransomware was called the AIDS Trojan (also known as PC Cyborg), and it appeared 28 years ago, in 1989. Its attack was the first of many to follow.
The way it worked and spread looks almost ridiculous today: it was distributed on floppy disks, and victims were told to mail $189 to a post office box in Panama.
With the arrival of cryptocurrencies like Bitcoin and online payments, there is no more waiting for the money to arrive by post. The entire process can now be over within hours, which makes the business far more productive for an attacker with ransomware at hand.
So, as technology and the internet developed, so did ransomware. It is now more dangerous than ever, capable of mass attacks, and still unfamiliar to many. Many families have seen major upgrades, and new versions keep appearing; CryptoWall is already in its fourth version.
Also, many attacks go unreported, which means that some variants are not even known to researchers. And if they don’t know about a variant, they can’t work on a decryptor for it, not to mention the new ones that appear all the time.
All in all, its development was swift, and it is still ongoing. The criminals who use ransomware are not pranksters who want to cause trouble; they are in it for the money and don’t care who suffers for it. Because ransomware pays well, there is no chance of it going away soon, possibly not ever.
There are even developers who build ransomware and rent it to other criminals, who then use it to extort victims. The two sides split the proceeds, and the business relationship continues; this arrangement is known as ransomware-as-a-service.
Cryptocurrency makes catching these criminals harder than it would otherwise be. Bitcoin transactions are public, but the addresses are not tied to names, and the funds are typically passed through mixing services before being cashed out, which is why attackers demand payment this way.
Also, because ransomware is constantly developed, nobody can build a perfect security product. Whatever new defense researchers implement, attackers find another way around it. This goes on and on, and the cycle is the main reason so many different types and families exist today.
The only way to slow the rise of ransomware is to raise awareness of what it is, how it works, and how to protect yourself. People need to know how to deal with it; otherwise the situation will only get worse.
Who are the regular targets?
At first, the regular targets were individual users. However, it wasn’t long before criminals figured out that big corporations and organizations are far more profitable. Individual users have weak security and are easy to attack, but companies have more money and care more about their data. Some attackers also enjoy the challenge.
Soon their targets were schools, hospitals, businesses, city councils, police departments, banks, post offices, and the like. To show how much these organizations value their data: industry surveys from this period reported that a majority of affected organizations paid the ransom.
And when we say big money, we mean it: ransoms reported in these cases ran from $10,000 to $40,000 per attack. Still, individuals were not forgotten, and attackers target them too, for a number of reasons:
- Users don’t back up their files
- They are easier to trick into running ransomware on their device
- They aren’t security-aware and are easy to manipulate
- Their security is poor or non-existent
- They don’t update their software regularly
- They don’t invest in security, not even in basic packages
- Many think that nothing like that can happen to them
- They believe that antivirus alone is enough to keep them safe
- There are so many of them to target
As for why attackers go after big companies, there are a few reasons here as well:
- They have more money
- They value their files more, which makes them more likely to pay
- Their networks are large, so one vulnerable machine can give access to all of them
- Their systems may have decent security, but their employees are still unaware of many threats, which makes them a liability
- Once ransomware is on a workstation, it is easy to reach file servers through mapped network shares
- They are more likely to keep quiet about an attack to avoid legal consequences or damage to their brand
- Small businesses usually have weak protection that is easy to get past
And when it comes to public institutions, here is why attackers target them:
- They hold huge databases of confidential information about citizens, clients, and staff
- Their security is weak because of frequent budget cuts and poor management
- Their workers don’t know how to recognize a threat when it arrives
- Their software (and hardware) is old and often out of date, which makes it an easy target for modern ransomware
- An infection causes major disruption and has a huge impact across all branches
- Also, a successful attack on a public body feeds the attackers’ egos, which is a petty reason, but a real one
When it comes to devices or systems, ransomware doesn’t discriminate. It will try to infect anything it can, whether by sneaking in or by forcing its way through, and it will do whatever it takes to reach the servers. Once there, all the data it could want is at its disposal.
The more data the attackers hold, the more they can hope to get for the decryption key. And while they are holding the data for ransom, why not steal some of it and sell it later? That way they get extra payments from other criminals as well.
These attacks are so frequent, so brutal, and so damaging that the FBI and other agencies have started warning potential targets to take precautions. The biggest concern is that attackers will start targeting critical infrastructure such as water or electricity. If they do, they won’t only be holding data for ransom; they may be holding people’s lives too.
How does it spread?
Ransomware spreads in pretty much any way it can, with the single goal of reaching and infecting a system. That said, some methods are far more common than others:
- Large spam email campaigns, where each email carries a malicious attachment or link
- Exploitation of software vulnerabilities, usually through exploit kits on web pages
- Redirecting internet traffic to malicious websites
- Compromising legitimate websites to serve malware
- Drive-by downloads
- SMS messages targeting smartphones
- Malvertising campaigns
- Worm-like spread from one device to another across a network by exploiting a vulnerability, as WannaCry did with SMBv1
Many ransomware campaigns also rely on social engineering, a mix of psychological manipulation and technical attack: a convincing invoice, a fake delivery notice, or a document that asks you to enable macros. On top of that, attackers keep modifying their ransomware to make it better, stronger, and more intrusive. WannaCry is a good example: it needed no user interaction at all and infected over 200,000 devices in two or three days.
Because of all these changes, even when one ransomware is built as an enhanced version of another, the two often still differ a lot. With each campaign, attackers learn what worked and enhance their ransomware further, making it stronger and more resilient.
How does it work?
Every ransomware family is different and has its own quirks. However, most follow one general path with the same key stages:
- The victim receives an email with the infection as an attachment, or with a link to a malicious page or website
- Opening the link or attachment runs a small downloader that installs itself on the PC
- The downloader contacts a server controlled by the attacker and fetches the actual ransomware
- That command-and-control server sends the ransomware along with its configuration, such as which file types to target and which public key to use
- Once installed, the ransomware generates encryption keys, encrypts the contents of the local disks, removable media, and any mapped network shares, and in many families also deletes the Windows Volume Shadow Copies so that the built-in restore points cannot be used
- A ransom note appears in front of the victim with instructions on where to send the money and a threat of what happens if they don’t pay
The process takes a while to describe, but most of it happens within minutes, often sooner. Meanwhile the victim can only watch as their files disappear under encryption.
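As an added example, not code from the original article, here is the behaviour-based check a defender would run against the encryption stage just described. It works over a stream of file-write and rename events constructed in memory; on a real host those events would come from an EDR agent, auditd, or a file-system filter driver. The extensions, note-name markers, and thresholds are assumptions chosen for illustration (.locky and .wncry are real extensions used by Locky and WannaCry; .encrypted is a placeholder).

```python
import math
import random
from collections import Counter, deque
from dataclasses import dataclass
from typing import List, Optional

# Assumptions for this example: extensions appended by some families (.locky and .wncry
# are real, .encrypted is a placeholder), file types that are high-entropy even when
# benign, and substrings commonly seen in ransom-note file names.
SUSPICIOUS_EXTENSIONS = {".locky", ".wncry", ".encrypted"}
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4", ".docx", ".xlsx"}
RANSOM_NOTE_MARKERS = ("decrypt", "readme", "recover")


@dataclass
class FileEvent:
    ts: float                          # seconds since monitoring started
    path: str                          # file written, or the new name for a rename
    content: bytes = b""               # bytes written (empty for a rename)
    renamed_from: Optional[str] = None


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: text sits around 4-5, ciphertext and compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def ext_of(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def detect(events: List[FileEvent], window: float = 10.0,
           burst_threshold: int = 20, entropy_threshold: float = 7.0) -> List[str]:
    """Return alerts for three symptoms: a burst of high-entropy writes, a ransom note
    being dropped, and files renamed to a known ransomware extension."""
    alerts: List[str] = []
    renamed: List[str] = []
    high_entropy_ts: deque = deque()   # timestamps of recent high-entropy writes
    burst_reported = False
    for ev in sorted(events, key=lambda e: e.ts):
        name = ev.path.rsplit("/", 1)[-1].lower()
        ext = ext_of(ev.path)
        if ev.renamed_from and ext in SUSPICIOUS_EXTENSIONS:
            renamed.append(ev.path)
        if ev.content and ext in (".txt", ".html") and any(m in name for m in RANSOM_NOTE_MARKERS):
            alerts.append(f"possible ransom note dropped: {ev.path}")
        # One high-entropy write is normal (archives, images); many within seconds is not.
        if ev.content and ext not in COMPRESSED_EXTENSIONS and shannon_entropy(ev.content) >= entropy_threshold:
            high_entropy_ts.append(ev.ts)
            while high_entropy_ts and ev.ts - high_entropy_ts[0] > window:
                high_entropy_ts.popleft()
            if len(high_entropy_ts) >= burst_threshold and not burst_reported:
                alerts.append(f"burst of {len(high_entropy_ts)} high-entropy writes within "
                              f"{window:.0f}s, last one {ev.path}")
                burst_reported = True
    if renamed:
        alerts.append(f"{len(renamed)} files renamed to a ransomware extension, e.g. {renamed[0]}")
    return alerts


def constructed_events() -> List[FileEvent]:
    """Constructed sample: normal activity, one legitimate archive, then an encryption burst."""
    rng = random.Random(2017)          # deterministic stand-in for ciphertext

    def blob(n: int = 4096) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    events = [
        FileEvent(0.0, "/home/alice/notes.txt", b"meeting at 10, bring the report\n" * 100),
        FileEvent(1.0, "/home/alice/budget.csv", b"item,cost\nrent,900\nfood,300\n" * 50),
        FileEvent(2.0, "/home/alice/photos.zip", blob()),   # high entropy but benign
    ]
    for i in range(30):                # 30 documents rewritten and renamed in three seconds
        ts = 100.0 + i * 0.1
        src = f"/home/alice/docs/file{i}.txt"
        events.append(FileEvent(ts, src, blob()))
        events.append(FileEvent(ts + 0.05, src + ".locky", renamed_from=src))
    events.append(FileEvent(104.0, "/home/alice/docs/_HELP_DECRYPT.txt",
                            b"Your files are encrypted. Pay 2 BTC to get the key.\n"))
    return events


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(alert)
```

The three benign events on their own raise nothing: the archive write is high-entropy but single, and nothing is renamed. The burst fires at the twentieth ciphertext-like write, well before the note is dropped, which is the point of watching behaviour rather than waiting for a signature.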
Why can’t antivirus notice it?
Ransomware is designed to evade antivirus software long enough to encrypt all the files before it is stopped. It uses multiple evasion tactics that keep it hidden from antivirus, and many of the same tactics also hide it from researchers and law enforcement.
Its goal is to stay on the PC undetected for as long as it needs. The longer it runs, the more files it can damage and the more money it can demand.
Ransomware uses many such tactics. Here are some of them:
- It encrypts its communication with command-and-control (C&C) servers
- It hides from law enforcement by routing that traffic through anonymizing networks such as Tor
- It detects sandboxes and analysis environments and stays inactive inside them, so automated analysis sees nothing
- It hides payload downloads behind domain shadowing, where subdomains are created under legitimate domains whose registrar accounts were hijacked
- It uses Fast Flux, rapidly rotating the IP addresses behind its domains, to keep the source of infection hard to pin down
- Payloads are often encrypted or packed, so the malware does not match known signatures
- It mutates from sample to sample (polymorphism), so every campaign looks new to signature-based scanners
- It can stay dormant once on a PC, waiting for the moment it can do the most damage before it strikes
Most traditional antivirus products rely on signatures of samples they have already seen, so a freshly built variant can slip past until the vendor catches up. Behaviour-based detection, such as watching for a process that rewrites hundreds of files in seconds, is a better fit for this threat.
The biggest ransomware families
There are many ransomware families, and each of them is large. They grow with each upgrade, and every new version becomes a new ‘family member’. It is impossible to map them all out and track their development, but researchers do as much of the mapping as they can.
So, let’s visit some of these families and see their characteristics.
If we are going to do this, we might as well start with the one the world still holds fresh in its memory: WannaCry. It started its attack on Friday, May 12, 2017. Over the next two days it spread around the world, infecting anything it could reach. The spread slowed after a researcher registered the kill-switch domain the malware checked before running, but it did not stop; after that weekend it was only spreading at a slower pace.
By May 24, it had claimed over 200,000 computers in 150 countries.
Petya is also relatively new, first seen in 2016. Its method is to overwrite the MBR, execute its own boot-level payload, and encrypt the file table so that the locally stored data becomes unreachable.
A new version of this ransomware was thought to be behind another attack in June 2017, but it soon became clear that something else was responsible.
That something else, GoldenEye (also called NotPetya), is another encrypting type, and its goal was to replicate what WannaCry had done. It even eliminated WannaCry’s weakness by having no kill-switch domain, and it added credential theft and legitimate Windows administration tools to spread inside networks where the SMB exploit failed.
This next one is an older encrypting family that has been used on and off, with periods of inactivity in between. It was never forgotten: multiple updates and new features were detected recently, its popularity surged again at the beginning of this year, and it doesn’t look like it will go away just yet.
Locky is among the newest ransomware families. It made its first appearance in February 2016, and with quite an impression too: one of its first victims was a Hollywood hospital, which paid around $17,000 to get its systems back.
But the attacks did not stop there. Only two days after the initial alert came a report of a campaign of 150 emails aimed at one company. A spam filter caught 149 of them, but one got through, and within half an hour multiple servers belonging to the company were encrypted by Locky.
The company managed to isolate the threat and restore its files from a backup. Without that backup, it probably would not exist anymore. Since then Locky has attacked whatever it could around the world, hardest in Central Europe; India and the US have also been hit heavily, and China, South Africa, Southern Europe, Central America, and Brazil were affected, but less so.
TorrentLocker is another encrypting family, this one from early 2014. Despite the name, which comes from a registry key the malware used rather than from torrent files, it mostly arrives by email, in spam that impersonates postal services, utilities, or government agencies. As awareness of its early lures increased, the attackers changed their tactics.
According to reports, it mostly chooses its targets geographically. Its operators also put far more care into tricking users into clicking malicious links: they worked on their grammar and local detail, which was, surprisingly enough, far more effective than anyone thought possible.
Unsuspecting victims did not expect the attackers to be so literate, and the change worked. This is a good example of how an attack improves when the criminals pay attention to how their victims respond.
They understood the problem, fixed it, and the results followed. Soon, however, they came up with a newer version with stronger encryption: early versions reused the same AES keystream across files, which let researchers recover data by comparing an encrypted file with a known plaintext, and later versions closed that hole.
TorrentLocker’s ability to harvest email addresses from the computers it infects is also notable. After stealing them, the attackers were all set to launch the next campaign.
CryptoLocker, which appeared in September 2013, scrambles your important files and generally makes a mess of your device. It was spread by the Gameover ZeuS botnet until authorities took that botnet down in 2014.
The biggest trouble was its ability to scramble everything with encryption that could not be broken: each victim’s files were encrypted under a key pair generated on the attackers’ server, and the private half never touched the victim’s machine. Removing the malware itself was easy, but the encrypted files remained. Most of its activity was in October 2013, when it was infecting a reported 150,000 computers per month, and it has been seen several times since.
CryptoWall is a family that follows in CryptoLocker’s footsteps. The most interesting thing about it is its fast development: it is already in its fourth version. Its main targets are businesses, government agencies, financial institutions, academic institutions, and the like.
It uses multiple ways of spreading, including malicious email attachments, drive-by downloads, and browser exploit kits.
CTB-Locker is a newer relative of CryptoLocker, with much more sophistication. CTB stands for Curve, Tor, Bitcoin:
- Curve refers to elliptic-curve cryptography, which it uses to protect the file-encryption keys.
- Tor refers to the Tor anonymity network, behind which its command-and-control traffic and payment site hide.
- Finally, B stands for Bitcoin, the payment method its operators prefer.
It is multilingual, which lets the operators adapt the ransom note to different regions. The more victims understand what is wanted of them, the more money comes in.
It was also among the first ransomware sold to other criminals on underground forums. Nowadays that is the norm, but not so long ago it was a novelty, and selling malware has become a good business since. From that point on, criminals could simply buy a weapon instead of needing the skill to build one.
It spreads via spam campaigns, typically posing as an urgent fax message.
Reveton is an old one by today’s standards. It was a major threat back in 2012, and it was built on the Citadel Trojan, itself a derivative of the Zeus family.
Its most noticeable feature was a full-screen warning purporting to come from a law enforcement agency, which earned it the names Police Virus and Police Trojan.
Unlike most of the ransomware discussed here, it was a locker: it restricted access not just to your files but to the whole computer.
It tried to convince the victim that they had to pay a fine because their computer had been linked to illegal activity. The operators went to great lengths to make everything look real and official, and many people fell for it.
As for how it spread, researchers blame exploit kits targeting old, insecure Java installations.
TeslaCrypt’s main targets were gamers, which was quite specific. It went after save files and profiles for a particular set of games, among them World of Warcraft, World of Tanks, Call of Duty, and Minecraft, and it arrived through exploit kits abusing Adobe Flash vulnerabilities, which widened its reach. Before long its new targets were European companies.
Security researchers found flaws in its encryption twice, which allowed them to build decryption tools. They kept the flaws quiet so the authors would not fix them and helped victims in the background.
The authors eventually found out and shipped a stronger version of their encryption. Then, in May 2016, after version 4 had been released, the project was shut down for unknown reasons.
Not only that, but the authors even apologized and handed the master decryption key to researchers from ESET. Thanks to that, a free decryptor now exists, and you can use it if you ever fall victim to it.
Nobody knows what made the developers quit, but one thing is certain: everyone hopes the rest of the malware authors follow their lead.
Another thing nobody knows is what comes next. Each time it is something new: a new method, a stronger version. It does seem, though, that the future holds more carefully prepared and more precisely targeted attacks.
How to protect yourself from ransomware?
When it comes to protecting yourself, the first step is the most important one: take this threat seriously. It can happen to you, and it may be only a matter of time before it does.
You must act before an attack, because once it has happened it is too late. It might seem trivial in the grand scheme of things, but ignoring it can cost lives. Maybe not if your personal laptop has all of its files encrypted, but what if it happens to a hospital network?
What if doctors can’t get to your records and medical history because of it? That is why you must do whatever you can to protect your personal and work computers. Better still, get others to do the same and raise awareness.
Here is what you can do to protect your PC:
- Don’t store important data only on the PC
- Keep at least two backups of your data, one of them offline or offsite, so the ransomware can’t reach it
- Don’t leave the backup drive permanently connected or the backup app syncing automatically; a ransomware process will happily encrypt a mounted backup, and a sync client will push the encrypted copies over your good ones
- Keep your system and your antivirus up to date; WannaCry only hit machines that had not installed a Windows patch released two months earlier
- Don’t use an administrator account for everyday work
- Turn off macros in the Microsoft Office suite
- Remove these plugins from the browser: Adobe Reader, Silverlight, Adobe Flash, Java. If you have to keep them, set the browser to ask for permission before running them
- Adjust your browser’s security and privacy settings
- Remove all outdated plugins from the browser and keep only those you use every day
- Use an ad-blocker in your browser, since malvertising is a common delivery channel
- A VPN protects your traffic on untrusted networks, but it does not stop ransomware delivered by email or exploit, so don’t count on it for this
As for your online behavior, follow these guidelines:
- Don’t open spam emails or emails from unknown senders
- If you do open one, don’t click any links in it
- The same goes for any attachments it carries
And finally, use anti-malware tools that include:
- A reliable, well-known antivirus with a good reputation, automatic updates, and a real-time scanner
- A traffic-filtering solution that blocks connections to known malicious domains, which can stop the downloader before it fetches the ransomware
One more thing. If you do get hit by ransomware and it demands money, DO NOT PAY. There are several reasons. First, there is no guarantee that you will get your data back. Even if you do, some of it may be damaged or may have been stolen. And the attackers may have left a backdoor on your system and come back for another try.
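The backup advice above is only useful if you can tell that a backup is still intact before you need it. As an added example, not code from the original article, the following script builds a SHA-256 manifest of a backup set and later verifies the set against it. The demo runs against a temporary directory constructed inline and simulates what an encrypting family leaves behind; the paths and file names are assumptions for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups don't have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest: Dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def verify_manifest(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the current tree with the manifest. Encrypted files show up as 'modified',
    files renamed with a new extension as 'missing' plus 'added', ransom notes as 'added'."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a manifest, then simulate a ransomware run over the backup."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "docs").mkdir(parents=True)
        (root / "docs" / "thesis.txt").write_text("chapter 1\n")
        (root / "docs" / "budget.csv").write_text("item,cost\nrent,900\n")
        (root / "photo.jpg").write_bytes(bytes(range(256)))

        # The manifest must live where the ransomware can't reach it (here: outside the tree).
        manifest_path = Path(tmp) / "backup.manifest.json"
        save_manifest(build_manifest(root), manifest_path)

        # What an encrypting family leaves behind: one file overwritten with ciphertext,
        # one renamed with a new extension, and a ransom note dropped into the tree.
        (root / "docs" / "thesis.txt").write_bytes(bytes(reversed(range(256))))
        (root / "docs" / "budget.csv").rename(root / "docs" / "budget.csv.locky")
        (root / "READ_ME.txt").write_text("Your files are encrypted. Pay to decrypt.\n")

        return verify_manifest(root, load_manifest(manifest_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run build_manifest when the backup is taken, keep the manifest on separate media, and run verify_manifest before you rely on the backup. On a backup that should never change, anything in the "modified" list means the copy you were counting on has already been touched.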
How to get your data without paying?
Hundreds upon hundreds of ransomware variants are out there, and almost every day a new one appears or an old one gets an update that turns it into a new one. All of them encrypt.
Properly implemented encryption cannot be broken, so researchers look instead for mistakes: keys left on disk, reused keystreams, weak random-number generation, or a master key that leaks or is handed over, as happened with TeslaCrypt. Every time they publish a decryptor, the authors fix the flaw in the next version, and we are back at the beginning.
Still, you might be lucky enough to be hit by a variant that has been decrypted. In that case there are free tools you can use; the No More Ransom project, run by law enforcement and security vendors, collects them in one place. The only problem is identifying the family first, usually from the ransom note and the extension added to your files.
In any case, the best thing you can do is familiarize yourself with how these tools work and how to use them. They won’t help in most cases, but they are at least something you can try.
By now you should know what ransomware is, how it started, how it targets you, and what it does. On top of that, we introduced the most notorious families out there, and methods of protection that may help you defend against them.
There is no cure, and you shouldn’t count on finding one if an attack hits you. What you can do is gather knowledge beforehand, use it to protect yourself, take every possible precaution, and keep backups.