What is Ransomware?
Thursday, October 27, 2016
Ransomware is a sophisticated piece of malicious code (malware) that installs covertly on a victim’s computer and blocks access to their files. The code will encrypt the files and demand a ransom to decrypt them.
There are two types of ransomware in circulation:
- Encrypting ransomware, which encrypts the victim’s files with a randomly generated key to disable access to them and then demands a ransom for the release of the key that can unlock and decrypt the files. Prominent threats currently include Cryptolocker, Locky, Cryptowall and various other strains.
- Master Boot Record (MBR) ransomware. The MBR is the section of a PC’s hard drive that launches the operating system. When MBR ransomware attacks, the computer can’t boot as usual, and a ransom note is displayed on the screen. Examples include Satana and Petya.
The most prominent type is encrypting ransomware. Major security software vendors, including Trend Micro, Symantec and McAfee, have classified ransomware as the most dangerous cyber threat of the moment.
Ransomware has some key characteristics that set it apart from other malware:
- It features unbreakable encryption, which means that you can’t decrypt the files without the unique key;
- It has the ability to encrypt all kinds of files: documents, pictures, videos, audio files and other data and system files. The list is growing;
- It can scramble your file names, so you don’t know what was infected. This is one of the methods used to confuse and coerce victims into paying the ransom;
- It will add a different extension to your files, indicating a specific ransomware strain;
- It displays a message informing you that your data has been encrypted and that you must pay a specific sum of money to get it back;
- It requests payment by methods which are hard to trace, such as Bitcoins, because this crypto-currency cannot be tracked by cyber security researchers or law enforcement agencies;
- The ransom payment may have a time limit, to add another level of psychological pressure to this extortion scheme. Exceeding the deadline usually means that the ransom will increase, but it can also mean that the data will be destroyed and lost forever;
- It evades detection by traditional security software;
- It often recruits the infected PCs into botnets so cyber criminals can expand their infrastructure and fuel future attacks;
- It can infect local data backups, meaning that restoring your data becomes even more difficult;
- It can spread to other PCs connected to the same local network, causing further damage;
- It frequently features data exfiltration capabilities, which means that ransomware can extract data from the affected computer (usernames, passwords, email addresses, etc.) and send it to a server controlled by cyber criminals.
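Several of the traits above (many file types encrypted, file names scrambled, a single new extension added) show up on the file system as one process renaming lots of files of different types to the same new extension within seconds. The following detector is an added example, not code from the original post; the event log format, the process IDs and the file paths are constructed for illustration.

```python
"""Heuristic detector for the behaviour described above: one process renaming many
files of different types to a single new extension in a short time window.
Event lines below are constructed for this example (not from the post)."""
from collections import defaultdict
from datetime import datetime
from pathlib import PurePosixPath

# Constructed sample of rename events: "<ISO time> pid=<n> RENAME <old> -> <new>"
SAMPLE_EVENTS = """\
2016-10-27T09:00:01 pid=4120 RENAME /home/u/report.docx -> /home/u/aX9q.locked
2016-10-27T09:00:01 pid=4120 RENAME /home/u/holiday.jpg -> /home/u/Q2mz.locked
2016-10-27T09:00:02 pid=4120 RENAME /home/u/budget.xlsx -> /home/u/7hTf.locked
2016-10-27T09:00:02 pid=4120 RENAME /home/u/song.mp3 -> /home/u/Lp0w.locked
2016-10-27T09:00:03 pid=4120 RENAME /home/u/notes.txt -> /home/u/Kd3e.locked
2016-10-27T09:05:00 pid=2210 RENAME /home/u/draft.txt -> /home/u/draft_final.txt
2016-10-27T09:06:00 pid=2210 RENAME /home/u/old.bak -> /home/u/older.bak
"""

def parse_event(line):
    """Split one event line into (timestamp, pid, old path, new path)."""
    ts, pid, _, rest = line.split(" ", 3)
    old, new = rest.split(" -> ")
    return datetime.fromisoformat(ts), int(pid[len("pid="):]), PurePosixPath(old), PurePosixPath(new)

def find_mass_renamers(log, window_s=60, min_renames=5, min_src_types=3):
    """Return {pid: new_extension} for processes that, within window_s seconds,
    rename at least min_renames files drawn from at least min_src_types original
    extensions to one identical new extension (the "adds a different extension" trait)."""
    per_pid = defaultdict(list)
    for line in log.strip().splitlines():
        ts, pid, old, new = parse_event(line)
        if old.suffix != new.suffix:  # ordinary renames that keep the file type are ignored
            per_pid[pid].append((ts, old.suffix, new.suffix))
    flagged = {}
    for pid, events in per_pid.items():
        events.sort()
        for i, (start, _, new_ext) in enumerate(events):
            burst = [e for e in events[i:]
                     if (e[0] - start).total_seconds() <= window_s and e[2] == new_ext]
            if len(burst) >= min_renames and len({e[1] for e in burst}) >= min_src_types:
                flagged[pid] = new_ext
                break
    return flagged

if __name__ == "__main__":
    print(find_mass_renamers(SAMPLE_EVENTS))  # {4120: '.locked'}
```

In a real deployment the events would come from a file-system audit source rather than an inline string, and the thresholds would be tuned against the normal rename rate of backup and build tools.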
As ransomware variants mutate and multiply, basic protection, mitigation and education should be enforced. Using software or other security policies to block known payloads from launching will help to prevent infection, but will not protect against all attacks. User education, offline backups and computer policies will help prevent and mitigate ransomware.
Ransomware is a complex, lucrative and advanced cyber threat which uses all the tricks available to avoid detection because it makes cyber criminals a huge amount of money. We’re talking millions!