Ransomware – It’s kidnapping Jim, but not as we know it!

Ransomware is nothing new and has, in fact, been around since 1989 in the form of the AIDS Trojan that was spread via floppy discs. The program waited until the computer booted 90 times and then hid the directories and encrypted file names. The ransom was $189 sent to PC Cyborg Corporation at a PO box in Panama.


The AIDS Trojan was easily overcome, but ransomware has evolved and now represents possibly the most common and serious threat to a business from cyberattackers. So what is ransomware and how is it adapting?


What is it?

There are essentially three types of ransomware in circulation:

  1. Encrypting ransomware encrypts the victim's files and demands payment for the decryption key. Examples are Cryptolocker, Locky etc.
  2. Locker ransomware locks the victim out of the operating system. The files are not encrypted, but payment is demanded to restore access to the desktop, applications and files. Examples are the police-themed ransomware or Winlocker.
  3. Master Boot Record (MBR) ransomware prevents the computer from booting and presents a ransom note on the screen. Examples include Satana and Petya.

The most common is crypto-ransomware which presents the most immediate threat to the business community.


How does it work?

Each ransomware is different but here are some typical stages:

  1. Firstly, the target is sent an email containing a link or an infected attachment. (Sometimes the malware originates from a malicious website that delivers a security exploit to create a backdoor on the victim’s PC.)
  2. When the target clicks on the link or opens the attachment, a downloader (payload) is placed on the PC.
  3. The downloader contacts a C&C server controlled by the cyber-criminals, which sends back the ransomware.
  4. The ransomware then starts to encrypt everything on the PC, including personal files and data stored in synced cloud accounts (Google Drive, Dropbox). It may also encrypt other PCs on the local network.
  5. The payment screen then pops up with instructions on how to pay for the decryption.
  6. Some variants spread further on their own: WannaCry (WannaCrypt) can propagate via the SMB protocol, infecting other computers on the same network.


Key Features

The following are some key features of ransomware:

  • Unbreakable Encryption
  • Encrypt a myriad of file types
  • Scrambling of file names
  • Change file extensions
  • Looks for payment in Bitcoins – the global unregulated currency
  • There’s a time limit to get your files back – or they’re gone forever
  • Evades detection by traditional anti-virus
  • Can extract other data from your computer such as usernames, passwords etc.
  • Can infect other PCs on a network
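Several of the features above (scrambled file names, changed extensions, many file types touched in a short time) are observable on the endpoint before the ransom note appears. The following is an added example, not code from the original post, of a simple heuristic that flags a process which, within a short window, renames many files of several known types into an unfamiliar extension. The event format, the known-extension list and the thresholds are assumptions chosen for the illustration; the sample events are constructed, not real telemetry.

```python
"""Heuristic detector for crypto-ransomware style file activity (example)."""
from collections import defaultdict
from dataclasses import dataclass
import os

@dataclass
class FileEvent:
    ts: float   # seconds since epoch (assumed event format)
    pid: int    # process that performed the rename/rewrite
    src: str    # path before the operation
    dst: str    # path after the operation

# Assumed list of "ordinary" document/media extensions for this example.
KNOWN_EXT = {".docx", ".xlsx", ".pdf", ".jpg", ".txt", ".png", ".pptx"}

def ext_of(path):
    return os.path.splitext(path)[1].lower()

def ransomware_suspects(events, window=60.0, min_files=20, min_src_exts=3):
    """Return {pid: peak count} for processes that, within `window` seconds,
    turn at least `min_files` files of at least `min_src_exts` known types
    into files with an unknown extension (thresholds are assumptions)."""
    by_pid = defaultdict(list)
    for e in events:
        # Only renames from a known type into an unknown type are interesting.
        if ext_of(e.src) in KNOWN_EXT and ext_of(e.dst) not in KNOWN_EXT:
            by_pid[e.pid].append(e)
    suspects = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, e in enumerate(evs):          # sliding time window
            while e.ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            if len(span) >= min_files and len({ext_of(x.src) for x in span}) >= min_src_exts:
                suspects[pid] = max(suspects.get(pid, 0), len(span))
    return suspects

def sample_events():
    """Constructed sample: a backup tool, an image converter and a burst."""
    evs = [FileEvent(100 + i, 1001, f"/home/jim/r{i}.docx", f"/home/jim/r{i}.docx.bak") for i in range(3)]
    evs += [FileEvent(200 + i, 2002, f"/home/jim/p/{i}.jpg", f"/home/jim/p/{i}.png") for i in range(30)]
    srcs = [".docx", ".xlsx", ".pdf", ".jpg"]
    evs += [FileEvent(300 + i, 4242, f"/home/jim/d/f{i}{srcs[i % 4]}", f"/home/jim/d/{i:08x}.locky")
            for i in range(25)]
    return evs

if __name__ == "__main__":
    print(ransomware_suspects(sample_events()))   # {4242: 25}
```

The backup tool is ignored because it touches too few files, and the image converter because its output extension is a known type; only the burst that rewrites 25 files of four types into an unknown extension within 25 seconds is flagged.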


How it’s adapting

The ransomware business is evolving just like any other business. The most recent advance is the ransomware-as-a-service model. This allows even non-technical criminal organisations to ride the ransomware wave paying, in effect, a (significant) franchise fee to the ransomware author. This structure provides new revenue streams for the cyber criminals and allows them to concentrate on improving the ransomware product through increased complexity.

Earlier ransomware programs were reasonably simple in their design and concentrated on encrypting files on the computer. More recently, Malwarebytes warns of the evolution of MBR (Master Boot Record) ransomware which not only encrypts the files, but also denies access to the main operating system. The Malwarebytes report shows an increase from one-third to two-thirds of all malicious payloads delivered to business in the year to November 2016 – double the rate, with instances also increasing by 267%!

WannaCry is a departure from the traditional ransomware profile: it can spread to other computers that reside on the same network behind the firewall. As a result, just one infected computer could potentially infect all other vulnerable computers on the same network. After only a few days in the wild it has had an unprecedented effect on companies large and small globally.

With nearly 400 different flavours combined with automation and driven by the ransomware as a service model, ransomware is a very serious threat to all businesses – not just the household names.

In our next blog we’ll discuss The Business Risk of Ransomware in Ireland and subsequently we’ll detail what business can do to reduce the threat. In the meantime, if the thought of a ransomware attack is causing you excess stress, don’t take a Prozac – make a backup!!