What Is Ransomware?
Ransomware is malicious software that lets a hacker get into an individual's or a company's computer, encrypt the data stored on it, and then demand some form of payment to decrypt it. This lets the hacker hold your data hostage, hence the term "ransom". Victims can regain access to their files only by paying the ransom, or by restoring from a backup that was, hopefully, not on a network reachable from the compromised computer.
Kaspersky notes in its reports that crypto-malware attacks are affecting individuals and businesses around the world, and that one of the major ransomware families, CryptoLocker, has already infected 234,000 computers worldwide.
How Does An Attacker Deploy Ransomware?
Ransomware requires the deployment and execution of a number of different stages to be able to make a considerable profit:
(1) The attacker uses software that encrypts files with a unique encryption key and then displays a notice to the owner of the computer telling them to send money, mostly in the form of bitcoins, to get the key that will decrypt the files.
So the attacker needs systems to distribute the malware, keep track of the infected systems and monitor the payments, plus a process to return the files to their original state. And all of this has to be done without being tracked down by law enforcement or angry victims.
(2) The attacker needs to decide how they will get control of your machine so they can run the above code on it. They do this by choosing a vulnerability to exploit. Examples that have been used are known Microsoft Word, Adobe Reader or Flash vulnerabilities. They build a file that exploits the target vulnerability and then do some serious social engineering. To get someone to download the file carrying the exploit, they put it in an email (or on a web site) written to make opening the file look attractive or urgent to the reader. The malicious files often pose as e-tickets, invoices, 401K notices or FBI notices. This can be the weak link in the crime: often the language, spelling and grammar are wrong and not appropriate to business correspondence. But the attackers are becoming better writers as they grow more sophisticated.
(3) The attacker then sends out many emails with either the malicious file attached or a link to a site that delivers the file as a drive-by download.
If you receive such an email, you read it and then decide whether or not to open the attachment or visit the link. This is where you have control over the next phases.
(4) If you open the attachment and your system is vulnerable to the exploit, you are "owned". However, your system may not be vulnerable: the exploit may be designed for Windows while you are running a Mac, so the exploit and the file-encryption code are not compatible. In some cases the attack asks the reader to make the application less secure so it can take advantage. For example, it may use a Word file that asks the reader to enable macros in Word in order to see the full message. If this is done, the exploit code runs with the privileges of the Word application.
(5) If your system is vulnerable, the exploit creates a unique key for your system (it will probably call out to its command-and-control system, sending an identifier for your system, to obtain the key) and starts to encrypt all the files on your system. If it can reach shared drives and has write access, it may do the same to those files. It then displays a message saying that the files are encrypted and explaining how you can pay the ransom.
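As an added example (not code from the original article), here is a small Python check that flags a Word attachment carrying VBA macros, the kind of "enable macros to see the full message" lure described in step (4). It relies on the standard OOXML layout (a Word file is a zip archive) and the sample documents it scans are constructed in memory.

```python
# Added example (not from the original article): flag Word documents that carry VBA
# macros, since the article describes lures that ask the reader to "enable macros".
# A modern Word file is a zip archive; a macro-enabled one contains word/vbaProject.bin
# and declares a macroEnabled content type.  Sample files are constructed, not real lures.
import io
import zipfile

VBA_PART = "word/vbaProject.bin"
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def build_sample(with_macro: bool) -> bytes:
    """Build a minimal constructed .docx/.docm archive in memory."""
    ct = MACRO_CT if with_macro else PLAIN_CT
    types_xml = ('<?xml version="1.0"?>'
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                 f'<Override PartName="/word/document.xml" ContentType="{ct}"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", types_xml)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr(VBA_PART, b"constructed placeholder, not real VBA")
    return buf.getvalue()

def scan_document(data: bytes, filename: str) -> dict:
    """Return macro indicators for an OOXML document supplied as bytes."""
    result = {"filename": filename, "is_zip": False, "has_vba_part": False,
              "declares_macro_type": False, "extension_mismatch": False, "suspicious": False}
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # legacy binary .doc or not an Office file at all; not handled here
    names = set(z.namelist())
    result["is_zip"] = True
    result["has_vba_part"] = VBA_PART in names
    if "[Content_Types].xml" in names:
        ct_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
        result["declares_macro_type"] = MACRO_CT in ct_xml
    # A .docx should never carry VBA; if it does, the extension is misleading.
    result["extension_mismatch"] = result["has_vba_part"] and filename.lower().endswith(".docx")
    result["suspicious"] = result["has_vba_part"] or result["declares_macro_type"]
    return result

if __name__ == "__main__":
    for name, macro in (("invoice.docm", True), ("eticket.docx", False)):
        print(scan_document(build_sample(macro), name))
```

A mail gateway or endpoint script can run `scan_document` over attachments and quarantine anything reported as suspicious before the user ever sees the "enable macros" prompt.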
You have a few options at this point:
- Pay the ransom
- Determine if you have a backup of the files and if you can restore from the backup
If you have a restorable backup, you then have to remove the malware from your system. This will involve booting into Safe Mode and using an anti-virus tool to remove the ransomware (you can find a list of tools here). In either case it is a pain, but in the second case you have the pride of having defeated the evil empire.
If you decide to pay the ransom, you will learn a lot about bitcoins and receive the key to decrypt the files. In almost all cases the criminal will provide the key once you have paid, because they don't want to get a bad reputation for customer support.
So how do you avoid the scenario described here? The current wisdom is to:
- Keep your systems patched up to the latest versions
- Keep an anti-virus program up to date
- Make regular backups to systems that your computer can reach only with admin privileges and a password, so that malware running under your normal account cannot write to them
- Test your restore process of backups a few times a year to confirm you can do it successfully and that the data is current
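As an added example of the restore test recommended above (not code from the original article), this Python script records a manifest of SHA-256 hashes when a backup is taken and, after restoring to a scratch directory, re-hashes every file and checks how old the newest backed-up file is. The directory layout, the seven-day staleness threshold and the sample files are all assumptions constructed for the demo.

```python
# Added example (not from the original article): a backup restore test.  A manifest of
# SHA-256 hashes and mtimes is written when the backup is taken; after restoring to a
# scratch directory every file is re-hashed, and the newest file's age is checked so that
# a "successful" restore of stale data is still flagged.  Paths, the max_age_days threshold
# and the sample files are assumptions constructed for the demo.
import hashlib, json, shutil, tempfile, time
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(source: Path, manifest: Path) -> dict:
    """Record relative path, hash and mtime of every file under source."""
    entries = {str(p.relative_to(source)): {"sha256": sha256_of(p), "mtime": p.stat().st_mtime}
               for p in source.rglob("*") if p.is_file()}
    manifest.write_text(json.dumps(entries))
    return entries

def verify_restore(restored: Path, manifest: Path, max_age_days: float = 7.0, now: float = None) -> dict:
    """Compare a restored tree against the manifest and report what is missing, changed or stale."""
    entries = json.loads(manifest.read_text())
    now = time.time() if now is None else now
    report = {"ok": 0, "missing": [], "corrupted": [], "stale": False}
    for rel, meta in entries.items():
        p = restored / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) != meta["sha256"]:
            report["corrupted"].append(rel)  # altered or damaged after the manifest was taken
        else:
            report["ok"] += 1
    newest = max((m["mtime"] for m in entries.values()), default=0.0)
    report["stale"] = (now - newest) > max_age_days * 86400  # has the backup job stopped running?
    report["passed"] = not (report["missing"] or report["corrupted"] or report["stale"])
    return report

def demo() -> dict:
    """Constructed end-to-end run: back up two files, restore them, tamper with one."""
    root = Path(tempfile.mkdtemp())
    src, dst, man = root / "src", root / "restored", root / "manifest.json"
    src.mkdir()
    (src / "ledger.xlsx").write_bytes(b"constructed spreadsheet")
    (src / "notes.txt").write_bytes(b"constructed notes")
    write_manifest(src, man)
    shutil.copytree(src, dst)
    (dst / "notes.txt").write_bytes(b"constructed notes, altered after backup")
    return verify_restore(dst, man)
```

`demo()` returns a report in which `notes.txt` is listed as corrupted and `passed` is False; a real restore test would point `verify_restore` at the restored tree and the manifest saved with the backup.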
But there is still a risk that you get tricked, because the criminals are building new versions of the malware faster than the anti-virus vendors can identify and then detect them. The next article will describe a simple process to help with the decision to pay a ransom or not.