A Beginner’s Guide to Ransomware

Srushti Iyer, Cyber Security

In the last decade or so, cyber attacks have evolved tremendously in their size and impact. I am sure you would have come across the term ‘ransomware’ multiple times in newspapers and blog articles. Put simply, ransomware is a type of malware that holds your device captive until you pay the ransom. Usually, attackers ask for ransom in the form of cryptocurrencies.

How do Ransomware attacks take place?

Ransomware, like any other malware, has to be introduced into our system. Email is considered one of the most prominent ways to spread a ransomware variant. Primarily, there are two attack vectors associated with email. In the first type, emails carry deceptive attachments that trick users into opening them. As soon as a user downloads and opens such an attachment, the malicious file executes and infects the system. The second attack vector, though less popular, redirects the user to an unrelated website, which may prompt them to download files or grant permissions it has no legitimate need for.

Ransom Screen for WannaCry Ransomware

Another prominent way in which ransomware proliferates is drive-by downloads. We often have a knack for looking for things for free. For example, suppose an application requires you to pay ₹100 to use it. Instead of paying, we search Google for a free or modded version. The same applies to songs, videos, movies, and TV series. Perpetrators exploit this habit by adding malicious code to whatever we wish to download. On the face of it, you will only see a song being downloaded. Alongside it, however, comes an unwanted guest that is very likely to hold your system to ransom. In some cases, perpetrators leave USB drives in certain places for individuals to pick up. Once the finder inserts the drive into their personal system, the ransomware comes into action.

Should you worry about falling prey to a ransomware attack?

When ransomware infects your system successfully, it encrypts your files. The exact encryption method varies from one variant to another. In most cases that I have seen, users have lost their files as there was no backup in place. The risk is even higher for corporate organisations, as a successful ransomware attack requires them to invest additional man-hours in containing the incident. Further, the security teams will have to make changes to the IT infrastructure. On top of this, reputational and legal risks also come into the picture for corporate organisations. While whether you should pay the ransom is highly debatable, small and medium enterprises face a real risk of going out of business if they do not recover from the incident in the shortest time possible.

Common Ransomware Variants

1. Apocalypse: The security community discovered this ransomware in 2016. This variant used a custom algorithm for encryption instead of using standard algorithms. Before it could create any substantial impact, it was successfully eradicated.

2. Cerber: Discovered in 2016, this ransomware encrypts files on an infected system using a .cerber extension. It uses RSA and RC4 encryption algorithms.

3. CTB_Locker: This ransomware uses a more sophisticated scheme than plain RSA. Alongside, it adopts the AES and ECDH algorithms. ECDH is an anonymous (unauthenticated) key-agreement protocol.

4. Jigsaw: This ransomware encrypts files on an infected system using a .fun extension. It runs on the .NET framework and adopts the AES algorithm.

5. WannaCry: WannaCry exploited a vulnerability in the Windows operating system. It is believed that this variant infected more than 400,000 systems across the globe. This ransomware demanded payment in Bitcoin. It wreaked havoc in the year 2017.

6. Petya: Petya is considered to be an advanced version of WannaCry. Like WannaCry, it asked for the ransom amount in Bitcoin.

7. Conti: Conti emerged in 2019, and it was responsible for 13% of the total attacks in the year 2020. In one instance, the attackers were able to infect a school’s system and demanded a ransom of $40 million. The attackers also threatened to post the collected information online if the school did not pay the ransom.

8. REvil: REvil is an example of ransomware-as-a-service, which primarily targeted businesses in the engineering sector.
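Two facts from the list above are useful to a defender: a successful infection turns files into high-entropy ciphertext, and some families rename what they encrypt (Cerber to .cerber, Jigsaw to .fun). The script below is an added example, not code from the original post, that turns those two observations into a simple detection check over a constructed snapshot of files; the entropy and burst thresholds are assumptions chosen for illustration.

```python
from __future__ import annotations
import math
from collections import Counter

# Extensions the post attributes to specific families (Cerber -> .cerber, Jigsaw -> .fun).
KNOWN_RANSOM_EXTENSIONS = {".cerber": "Cerber", ".fun": "Jigsaw"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted output sits close to 8.0, plain documents well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_file(name: str, content: bytes, entropy_threshold: float = 7.5) -> list[str]:
    """Return the indicators that fire for one file (empty list = nothing suspicious).
    entropy_threshold is an assumed cut-off, not a value from the post."""
    indicators = []
    for ext, family in KNOWN_RANSOM_EXTENSIONS.items():
        if name.lower().endswith(ext):
            indicators.append(f"extension {ext} associated with {family}")
    if shannon_entropy(content) >= entropy_threshold:
        indicators.append("high-entropy content (possibly encrypted)")
    return indicators

def scan(files: dict[str, bytes], burst_threshold: int = 3) -> dict:
    """Scan a snapshot {filename: content}; alert when several files look encrypted at once,
    since a single odd file is noise but a burst is the hallmark of mass encryption."""
    hits = {}
    for name, content in files.items():
        indicators = classify_file(name, content)
        if indicators:
            hits[name] = indicators
    return {"hits": hits, "alert": len(hits) >= burst_threshold}

# Constructed sample snapshot: three renamed files with uniformly distributed bytes
# (entropy exactly 8.0, mimicking ciphertext) and one untouched text file.
SAMPLE_FILES = {
    "report.docx.cerber": bytes(range(256)) * 4,
    "photo.jpg.fun": bytes(range(256)) * 4,
    "budget.xlsx.cerber": bytes(range(256)) * 4,
    "notes.txt": b"meeting notes: backups verified, patches applied\n" * 20,
}

if __name__ == "__main__":
    print(scan(SAMPLE_FILES))
```

Running it on the sample snapshot flags the three renamed files and raises the burst alert while leaving notes.txt alone.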

Prominent Ransomware Attacks in 2020-21

  • The recent attack on Colonial Pipeline, a US-based company, was a ransomware attack.
  • ISS World, a Denmark-based company, lost around $74 million due to a ransomware attack in February 2020.
  • Cognizant lost over $70 million because of the Maze ransomware attack in April 2020.
  • Sopra Steria, an IT-service firm, suffered an operating loss of €50 million due to a ransomware attack in October 2020.
  • Software AG, a leading Germany-based software vendor, disclosed that their systems were infected by the Clop ransomware. The attackers demanded $23 million in ransom.
  • The University of California San Francisco’s School of Medicine was targeted by ransomware in June 2020. UCSF negotiated with the attackers and paid $1.14 million in ransom.
  • Travelex, a money exchange firm, paid a ransom of $2.3 million in Bitcoin to regain access to their data.

The big debate: To pay or not to pay?

The biggest debate concerning ransomware attacks is whether one should pay the ransom or not. Organisations with poor security measures in place will not have multiple backups of their data. In such cases it is virtually impossible for them to resume business operations without access to that data. Hence, they are left with no option but to pay the ransom. However, there are plenty of examples of organisations that refused to make the ransom payment. These organisations had made sufficient investments in their security mechanisms, and their IT infrastructure was robust enough to survive the attack and resume business operations at the earliest.

Endnotes

We rely on a cyberspace in which cyber attacks are not going to decrease. As an individual, you have to ensure that you do not become an easy target. As an organisation, you should invest in people, process, and technology and follow a comprehensive approach to organisational security. Given that prevention is better than cure, here are a few things we can start doing right now:

  • Take regular backups for your personal as well as organisational data.
  • Check for decryption keys on the internet and security forums.
  • Regularly update your applications as soon as your vendor releases an update or patch.
  • Do not insert USB drives from unknown sources into your computer system.
  • Explore the possibility of taking a backup in your preferred cloud service.

Featured Image Credits: Abstract vector created by vectorjuice – www.freepik.com