What is ransomware?

Source: Vsoftsystems, 07/10/2018


This type of malware could hit you hard in the pocket...
Ransomware has hit the news over the last two years in a way not seen
since the “ILOVEYOU” virus of the start of the millennium.
The effects of ransomware are very visible; only DDoS attacks come
anywhere near in terms of noticeable effects. One of the most high
profile attacks came in 2017 when the WannaCry ransomware hit the NHS
and left many systems out of action for days. The same malware also
disabled several other large organisations.
Ransomware is increasing, not only in the level of attacks but also in
the diversity of them. The average demanded ransom amount is also
increasing. Worryingly, there is an emerging trend of ransomware that
targets specific businesses. This means it is very important that
everyone not only knows what ransomware is and how to best avoid it,
but also understands what to do in the unfortunate event of becoming a
victim.
What is ransomware?
Ransomware, as its name suggests, is malware designed to extract a
ransom payment from a victim in return for the victim regaining control
of the files or system. The cash payment is normally in the form of
cryptocurrency, such as bitcoin or Ethereum.
Much like other malware types, ransomware starts an attack by trying
to remain undetected, slowly encrypting files one after another to
avoid suspicion. It's only once all the targeted files, or the whole
system, have been encrypted that the ransomware will make itself known,
usually in the form of an impassable splash screen.
It's from this splash screen that users are first told that their
files are locked, and that in order to retrieve their data they're
required to pay a cash sum. The exact wording of the demands varies
between ransomware strains, but most demand some sort of payment
within a specified timeframe.
Some messages are aggressive in the hopes of scaring the user into a
quick payment, while others attempt to masquerade as legitimate
organisations, such as the FBI.
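The quiet, file-by-file encryption stage described above can be spotted before the splash screen appears, because encrypted content looks close to random. The following is an added example, not part of the original article: it flags rewrites where a file's byte entropy jumps to near the maximum, with the thresholds, function names and sample events all being assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off, tune per environment
MIN_JUMP = 1.0            # assumed minimum rise in entropy for a rewrite to count
MIN_HITS = 3              # assumed number of suspicious rewrites before alerting


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def flag_encrypted_rewrites(events, threshold=ENTROPY_THRESHOLD,
                            min_jump=MIN_JUMP, min_hits=MIN_HITS):
    """events: (path, old_bytes, new_bytes) tuples in time order.
    Returns (alert, paths whose content jumped to near-random)."""
    hits = []
    for path, old, new in events:
        before, after = shannon_entropy(old), shannon_entropy(new)
        # Already-compressed files start near 8 bits, so require a jump as well
        # as a high final value to avoid flagging ordinary re-saves of archives.
        if after >= threshold and after - before >= min_jump:
            hits.append(path)
    return len(hits) >= min_hits, hits


def pseudo_random(seed: bytes, size: int = 4096) -> bytes:
    """Deterministic stand-in for ciphertext or compressed data (constructed)."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
              for i in range(size // 32))
    return b"".join(blocks)


# Constructed sample events: three documents overwritten with ciphertext-like
# bytes, one normal text edit, and one archive re-saved.
TEXT = b"Quarterly report: revenue figures and notes.\n" * 90
SAMPLE_EVENTS = [
    ("docs/report.docx", TEXT, pseudo_random(b"a")),
    ("docs/notes.txt", TEXT, TEXT + b"One more line added by the user.\n"),
    ("docs/budget.xlsx", TEXT, pseudo_random(b"b")),
    ("backups/old.zip", pseudo_random(b"c"), pseudo_random(b"d")),
    ("docs/plan.pdf", TEXT, pseudo_random(b"e")),
]
```

On the sample events the three overwritten documents are flagged, while the ordinary text edit and the re-saved archive are not.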
Ransomware has grown in significance alongside the rise of
cryptocurrencies, which offer a means of transferring cash over the
internet anonymously. Most attackers favour Bitcoin or Monero, which
can cause issues with some victims that aren't familiar with crypto
trading.
The first instance of ransomware was the relatively unsuccessful 'AIDS
Trojan' which struck in 1989, encrypting the name of files, rather
than the content of the files, while the decryption key was hidden
within the malware's code. Despite these errors in deployment, the
attack was the first case of a hacker demanding cash in exchange for
the secure return of stolen data.
Attackers still operate under the same core principles, but are
usually far more effective, and more often than not demand payment not
in physical currency, but in digital coins.
Ransomware has proven to be one of the most prolific forms of malware
in recent memory, largely because it requires comparatively little
effort on the part of the cyber criminal, and can yield incredibly
rich rewards.
Ransomware tools can be bought pre-assembled from black market
hackers, allowing an attack to be launched easily and cheaply with
little to no programming knowledge required. Ransomware payloads can
be delivered by phishing campaigns or malvertising - which are also
cheap and easy to deploy - meaning that the attacker basically just
has to sit back and wait for the ransom money to roll in.
The amount can vary, but according to Symantec's Ransomware and
Business 2016 report, the average amount was between $600 and $700,
which is up significantly from the previous year.
Should I pay the ransom?
The short answer is no. Experts strongly advise against giving in to
demands even when sensitive data or financial losses from downtime are
at stake.
One of the reasons there has been such a big jump in both the
frequency of ransomware attacks and the amount of money demanded is
that the attackers believe the tactic is a lucrative one. Paying out
will only encourage more attacks, and it may only be a matter of time
before it comes back around.
Secondly, there's really no guarantee that the encrypted files or hard
drive will actually be released after the hacker has been paid, with
it just as likely that they will take the money and make a hasty exit.
There are more effective methods for resolving the issue, including
reporting this and other kinds of cybercrimes to Action Fraud, making
sure antivirus and antimalware software is up to date and working, and
ensuring you've installed the latest patches for your software.
Implementing a backup-and-recovery strategy can also be essential to
bounce back after such an attack.
2017 NHS ransomware attack
On 11 May 2017, a huge ransomware attack hit the NHS in England and
Scotland, as well as other organisations around the world, including
Telefonica in Spain, Deutsche Bahn in Germany, Renault and FedEx. In
total, tens, if not hundreds, of thousands of computers in 99
countries were affected.
The infection spread through three vectors. The initial payload (i.e.
the ransomware software known as WannaCry or WannaCrypt) was brought
into the organisations' network via a phishing email, with a user
clicking on a malicious link or downloading a malicious file.
The infection then spread rapidly through the network using two tools
thought to have been developed by the NSA, the EternalBlue exploit
and DoublePulsar backdoor, which were released into the wild by the
ShadowBrokers hacking group along with a number of other cyber
weapons. All the infected computers on the network consequently had
their files encrypted, with a ransom message displayed on their screen
demanding around $300 in Bitcoin to be paid within three days or
$600 within seven days. It's unclear how many organisations paid, but
by Monday 15 May, the cyber criminals had made over $40,000 according
to the URLs associated with the ransom demands.
Microsoft had released a patch for the vulnerability, which affected
all Windows operating systems from Windows 7 through to 8.1, back in
March. However, it hadn't been applied to all elements of the affected
organisations' network. There are several reasons this may have
occurred, including the need for organisations to carry out a staged
roll-out and potential conflicts with other critical systems and software.
Another reason is that many organisations still run Windows XP, once
again usually due to compatibility issues. As XP is out of support, no
patch for it was released in March, leaving all systems running it
vulnerable to this attack. 90% of the NHS' IT estate was known to be
running XP at the beginning of 2017, with its custom support contract
having been terminated in 2015.
Given the magnitude of the attack, however, Microsoft did create and
issue a patch for XP, but advised that organisations and individuals
should always apply the latest software updates as soon as possible to
protect against threats of this kind.

