When paying taxes is not enough: the ransomware attack
Ransomware is a type of malicious software that blocks access to the victim's
data, or threatens to publish or delete it, until a ransom is paid. Some simple ransomware locks
the system in a way that is not difficult for a knowledgeable person to reverse,
but more advanced malware uses a technique called cryptoviral
extortion: it encrypts the victim's files, making them
inaccessible, and demands a ransom payment to decrypt them. In a properly
implemented cryptoviral extortion attack, recovering the files without the
decryption key is an intractable problem, and hard-to-trace digital currencies such as Ukash and Bitcoin are used for the ransoms, which makes
tracing and prosecuting the perpetrators difficult.
Ransomware attacks are typically
carried out using a Trojan disguised as a legitimate file
that the user is tricked into downloading, or into opening when it arrives as an
email attachment. One high-profile exception, the "WannaCry" worm,
travelled automatically between computers without any user interaction.
Now a quick history lesson. It may be difficult to imagine, but the first
ransomware in history emerged in 1989 (that's 27 years ago). It was called the AIDS Trojan, and its modus operandi seems crude nowadays: it spread via
floppy disks, and paying the ransom meant sending $189 to a post office box in Panama.
Damn, how things have changed. The appearance of Bitcoin and the
evolution of encryption algorithms turned ransomware from a minor threat
used in cyber vandalism into a full-fledged money-making machine. As a result,
every cyber criminal wants a piece of it.
Ransomware in 2017: a study by IBM Security found that the number of
ransomware-infected emails increased 6,000 percent compared to 2015. Attackers
are trying harder to infect users' computers right through their inboxes. These
emails generally have attachments disguised as invoices, statements,
spreadsheets, faxes or personal notes. Some numbers from that period:
1) Ransomware emails spiked 6,000%
2) 40% of all spam email carried ransomware
3) 59% of infections came from email
4) 92% of surveyed IT firms reported attacks on their clients
5) Infections hit 56,000 in a single month
6) Attacks were expected to double in 2017
7) Healthcare and financial services were the hardest hit
8) 70% of businesses paid the ransom
9) 20% of businesses paid more than $40,000
10) Less than 25% of ransomware attacks are reported
11) Most businesses face at least 2 days of downtime
The problem is that an attacker knows it is almost impossible for a
government to trace an infection back to him, and the sources of most attacks
are still unknown. That encourages these people to go deeper into the business: the
WannaCry crew were so confident in their ransomware that they patched
it as soon as the first kill switch was found, and now they seem to have disappeared.
Several factors feed this:
· Ransomware-as-a-service, where malware creators rent out their software in exchange
for a cut of the profits.
· Anonymous (in practice, pseudonymous) payment methods, such as Bitcoin, that let cyber criminals
collect ransom money knowing their identity can't easily be revealed.
· It's impossible to make a completely secure software
program. Each and every program
has its weaknesses, and these can be exploited to deliver ransomware, as was
the case with WannaCry.
· The number of infections would drastically shrink if all
users were vigilant.
But most people aren't, and they end up clicking infected links and other
malicious sources.
Types of ransomware:
1. Encryptors, which use strong encryption algorithms. They are designed to encrypt the victim's
files and demand payment for the key that can decrypt
the locked content.
Examples include CryptoWall, Locky, CryptoLocker and more.
2. Lockers, which lock the victim
out of the operating system, making it impossible to reach the desktop or
any apps or files. The files are not encrypted in this case, but the attackers
still ask for a ransom to unlock the infected computer. Examples include
police-themed ransomware or WinLocker.
3. Some locker versions infect the Master Boot Record
(MBR). The MBR is the section of a PC's hard drive that lets the
operating system boot. When MBR ransomware strikes, the boot process
can't complete as usual and a ransom note is displayed on the
screen instead. Examples include the Satana and Petya families.
Now you tell
me: what is the difference between ransomware and other malware?
- Usually the ransom payment has a time limit.
- It can encrypt all kinds of files.
- It uses encryption that cannot be broken in practice.
- It can scramble your file names.
- It can spread to other PCs connected to the local network.
- It frequently features data exfiltration capabilities, which means it can also extract data from the affected
computer (usernames, passwords, email addresses, etc.) and send it to a server
controlled by cyber criminals.
Why ransomware creators and distributors target home users:
- Because they don't have data backups.
- Because they have little or no cyber security education, which means they'll click on almost anything.
- Because the same lack of online safety awareness makes them prone to manipulation by cyber attackers.
- Because they lack even baseline cyber protection.
- Because they don't keep their software up to date (even if specialists always nag them to).
- Because they fail to invest in need-to-have cyber security solutions.
- Because most home users still rely exclusively on antivirus to protect them from all threats, which is frequently ineffective in spotting and stopping ransomware.
- Because of the sheer volume of Internet users that can become potential victims (more infected PCs = more money).
Why ransomware creators and distributors target businesses:
- Because that's where the money is.
- Because attackers know that a successful infection can cause major business disruptions, which increases their chances of getting paid.
- Because computer systems in companies are often complex and prone to vulnerabilities that can be exploited through technical means.
- Because the human factor is still a huge liability that can also be exploited, through social engineering tactics.
- Because ransomware can affect not only computers but also servers and cloud-based file-sharing systems, reaching deep into a business's core.
- Because cyber criminals know that businesses would rather not report an infection, for fear of legal consequences and brand damage.
- Because small businesses are often unprepared to deal with advanced cyber attacks.
Why ransomware creators and distributors target public institutions:
- Because public institutions, such as government agencies, manage huge databases of personal and confidential information that cyber criminals can sell.
- Because budget cuts and mismanagement frequently hit the cybersecurity departments.
- Because the staff is not trained to spot and avoid cyber attacks (malware frequently uses social engineering tactics to exploit human naivety and psychological weaknesses).
- Because public institutions often use outdated software and equipment, which means their computer systems are packed with security holes just begging to be exploited.
- Because a successful infection has a big impact on day-to-day activities, causing huge disruptions.
- Because successfully attacking public institutions feeds the cyber criminals' egos.
How do
ransomware infections happen?
1. Initially, the
victim receives an email that includes a malicious link or
a malware-laden attachment. Alternatively, the infection can
originate from a malicious website that delivers an exploit for
vulnerable software on the system and uses it to plant a backdoor on the
victim's PC.
2. If the victim clicks
the link or downloads and opens the attachment, a downloader (the first-stage payload) is
placed on the affected PC.
3. The downloader works through a list
of domains or C&C servers controlled by the cyber criminals to
fetch the ransomware program.
4. The contacted C&C
server responds by sending back the requested data, and the ransomware is dropped on the system.
5. The malware then encrypts
the user's files across the hard disk: personal files and sensitive
information, everything, including data stored in cloud accounts
(Google Drive, Dropbox) synced to the PC. It can also encrypt data on other
computers reachable over the local network.
6. A warning pops up on the
screen with instructions on how to pay for the decryption key.
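The detection side of steps 5 and 6, as an added example that is not part of the original post and not code from any ransomware family: a Python script that scans a directory tree for the traces the encryption stage leaves behind (random-looking file contents, one new extension appended across many files, a dropped ransom note) and builds its own constructed sample trees to scan. The `.locked` extension, the note keywords, the entropy and clustering thresholds and the allow-list of compressed formats are assumptions chosen for this example, not indicators of a real family.

```python
"""Heuristic detector for the file-encryption stage of a ransomware infection.

Added example, not code from the original post or from any ransomware
family. It walks a directory tree and looks for three things that the
encryption step leaves on disk: many user files whose bytes look random
(high Shannon entropy), those files clustering on one extension appended
behind the original one, and a dropped ransom note whose name advertises
decryption. All thresholds, extension lists and keywords below are
assumptions chosen for this example, not indicators of a real family.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Formats that are high-entropy by design (compressed or already encrypted);
# judging these by entropy alone produces false positives. Assumed list.
COMPRESSED_OK = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4", ".pdf"}
# Words that ransom-note file names tend to carry. Assumed list.
NOTE_KEYWORDS = ("decrypt", "ransom", "recover")
NOTE_SUFFIXES = {".txt", ".html", ".hta"}
ENTROPY_THRESHOLD = 7.2  # bits per byte; uniformly random data approaches 8.0
MIN_SIZE = 256           # entropy estimates on tiny files are too noisy to trust
CLUSTER_SHARE = 0.5      # fraction of user files carrying the same new extension


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """True if the file is large enough to judge and its leading bytes look random."""
    if path.stat().st_size < MIN_SIZE:
        return False
    with path.open("rb") as fh:
        sample = fh.read(64 * 1024)  # the first 64 KiB is enough to judge
    return shannon_entropy(sample) >= ENTROPY_THRESHOLD


def is_ransom_note(path: Path) -> bool:
    """A text/HTML file whose name talks about decryption, ransom or recovery."""
    name = path.name.lower()
    return path.suffix.lower() in NOTE_SUFFIXES and any(k in name for k in NOTE_KEYWORDS)


def scan_tree(root: Path) -> dict:
    """Summarise the indicators under `root`; the 'suspected' key is the verdict."""
    files = [p for p in root.rglob("*") if p.is_file()]
    notes = [p for p in files if is_ransom_note(p)]
    user_files = [p for p in files if p not in notes]
    encrypted = [p for p in user_files
                 if p.suffix.lower() not in COMPRESSED_OK and looks_encrypted(p)]
    # Encrypted files that all end in the same suffix appended behind a normal
    # one (report.docx.locked) point at a single actor renaming as it goes.
    appended = Counter(p.suffix.lower() for p in encrypted if len(p.suffixes) >= 2)
    top_ext, top_count = (appended.most_common(1) or [(None, 0)])[0]
    clustered = bool(user_files) and top_count / len(user_files) >= CLUSTER_SHARE
    # A lone encrypted file (a user's own GPG archive, say) is not an incident;
    # require corroboration by a ransom note or by extension clustering.
    suspected = bool(encrypted) and (bool(notes) or clustered)
    return {"files": len(user_files), "encrypted": len(encrypted),
            "top_extension": top_ext, "notes": sorted(n.name for n in notes),
            "suspected": suspected}


def build_sample_tree(root: Path, infected: bool) -> None:
    """Write a constructed user directory; `.locked` is a hypothetical extension."""
    docs = root / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    prose = ("Quarterly figures, meeting notes and other ordinary prose. " * 40).encode()
    # A legitimately high-entropy file that the detector must not count.
    (docs / "photos.zip").write_bytes(os.urandom(4096))
    for i in range(6):
        if infected:
            # Ransomware output: original name kept, new extension appended,
            # contents replaced by ciphertext (random bytes stand in for it).
            (docs / f"report{i}.docx.locked").write_bytes(os.urandom(4096))
        else:
            (docs / f"report{i}.docx").write_bytes(prose)
    if infected:
        (docs / "HOW_TO_DECRYPT_FILES.txt").write_text("Pay to get the key.\n")


def demo():
    """Scan one clean and one infected constructed tree; returns both summaries."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, hit = Path(tmp) / "clean", Path(tmp) / "hit"
        build_sample_tree(clean, infected=False)
        build_sample_tree(hit, infected=True)
        return scan_tree(clean), scan_tree(hit)


if __name__ == "__main__":
    for label, summary in zip(("clean", "infected"), demo()):
        print(f"{label}: {summary}")
```

Entropy on its own is a weak signal: archives, images and PDFs are high-entropy by design, and one GPG-encrypted file is not an incident, which is why the verdict demands corroboration from a note or from many files sharing one appended extension. In production the same checks belong in a file-system event monitor so the burst of writes and renames is caught while it happens rather than on a later scan.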
How to protect yourself:
- Never open spam emails or emails from unknown senders.
- Never download attachments from spam emails or suspicious emails.
- Never click links in spam emails or suspicious emails.
- Use a reliable, paid antivirus product that includes an automatic update module and a real-time scanner.
- Understand the importance of having a traffic-filtering solution that can provide proactive anti-ransomware protection.
- Don't store important data only on your PC.
- Keep 2 backups of your data, on an external hard drive and in the cloud, and keep at least one of them disconnected from the PC: a drive that stays plugged in, or a cloud folder that syncs continuously, gets encrypted right along with the originals.
- Keep your operating system and the software you use up to date, including the latest security updates.
- Don't use an administrator account for everyday work. Use a standard account with limited privileges.
- Turn off macros in the Microsoft Office suite (Word, Excel, PowerPoint, etc.).
- In the browser:
  - Remove the following plugins: Adobe Flash, Adobe Reader, Java and Silverlight. If you absolutely have to use them, set the browser to ask before activating them.
  - Adjust the security settings for increased protection.
  - Remove outdated plugins and extensions. Only keep the ones used on a daily basis and keep them updated to the latest version.
  - Use an ad-blocker to avoid the threat of potentially malicious ads.