What is Ransomware?
You boot up your desktop one day after work, expecting to enjoy your evening gaming or browsing social media, but instead a red screen flashes onto your monitor.
It tells you that you need to pay some money or bitcoins to an unknown company within the next 24-48 hours, or else you can kiss your hard drive goodbye. Everything on the system will be erased forever!
That might sound like a dystopian nightmare, but ransomware, as I describe above, is a very real threat that affects people and even companies every day!
Ransomware is a particular type of malware that encrypts your hard drive, essentially holding it ‘ransom.’ If you pay up in time, the shady people behind the virus give you the encryption key, letting you back into your computer.
Hackers resorted to more and more creative ways of extorting money from average users as antivirus programs got stronger and stronger.
Who Created Ransomware?
Ransomware is created by hackers and criminals with sophisticated knowledge of computer systems. Their primary objective is to get hold of users' critical data so that they can demand a ransom. The first ransomware, however, was created by biologist Dr. Joseph Popp in 1989. It was called the AIDS Trojan. Popp wrote the trojan program and distributed it on floppy disks to the mailing list of the WHO International AIDS conference.
This trojan encrypted the names of all files on drive C, which made the PC unusable. It then asked users to renew their license and pay $189 to PC Cyborg Corporation at a post office in Panama. It was later revealed, however, that paying the ransom was not necessary, as the decryption key was in the Trojan’s code.
Ransomware thus first appeared in 1989 as the AIDS Trojan. This trojan was a failure because it only encrypted file names and also contained the decryption key in its own code. Adam L. Young and Moti Yung realized that the AIDS Trojan relied on symmetric cryptography alone.
In 1996 they developed a proof-of-concept trojan that used RSA and TEA to encrypt the user's data. It proved for the first time that ransomware could work without revealing the decryption key. At that time electronic money did not exist; still, Young and Yung proposed that electronic money could be extorted with encryption. Young and Yung also first used the term Cryptovirology in that paper.
Later, in 2006, the Archiveus Trojan appeared, the first to use RSA encryption. This trojan encrypted the My Documents folder and asked users to purchase items from an online pharmacy to get the password.
In 2007, a different kind of ransomware appeared that did not use encryption at all. It locked users out of their systems and extorted a ransom in exchange for access. The WinLock ransomware displayed pornographic images on the user's computer until they sent an SMS to a premium number charging $10. WinLock collected more than $16 million, and Russian police arrested 10 suspects at the time.
In 2013, the CryptoLocker ransomware appeared, using Bitcoin to collect the ransom. It infected more than 250,000 victims and received more than $27 million. Since then, ransomware attacks have been rising day by day.
Connection with Bitcoin
Cases of ransomware rose once Bitcoin came into the mainstream. Bitcoin is a digital currency that works on peer-to-peer technology. There is no central authority such as a government or bank that monitors the transactions. A transaction starts from one digital wallet and reaches another wallet with absolutely no logging.
If cybercriminals used other forms of money for the ransom, they could somehow be traced. Bitcoin makes them completely anonymous, and security institutions could not catch them. With no fear of getting caught, ransomware attacks became widespread with the help of Bitcoin.
According to a Statista report, there were 3.2 million ransomware attacks in 2014; in 2015 the number rose to 3.8 million, but in 2016 ransomware attacks reached an all-time high of 638 million.
The reason for using Bitcoin to collect the ransom is not just the untraceable transactions. The rise in the price of Bitcoin also motivates cybercriminals to create ransomware.
Due to the vast popularity of Bitcoin, its price started to rise in 2013; it reached $946.92 from $13.30 by the end of 2013. In 2014, Bitcoin’s price dropped, and by the end of 2015 it was at $362.73. In 2016 it started to rise again, and by December 2016 the price of Bitcoin had reached $753.26.
This indicates that the rise in Bitcoin’s price influences ransomware attacks. Another reason for the rise in ransomware is low awareness and neglect of security measures on computer systems.
How does it spread?
Ransomware spreads with the help of a Trojan that uses several methods to enter the user’s system. The Trojan then starts encrypting particular file types on the computer and leaves ransom notes in every folder so that you know how to pay.
Cybercriminals use social engineering methods to spread this trojan. Social engineering attacks are those in which criminals exploit common human behaviors such as fear and curiosity. The two most common ways ransomware spreads are spam emails and free software.
Spam Emails-
This is the most common way ransomware spreads. Cybercriminals send thousands of spam emails to various users. They may pick random users or target particular users who are most likely to fall into the trap. The spam emails are designed to create a sense of urgency or curiosity so that the recipient clicks the link or downloads the attachment. The email may use the name of a popular service to look legitimate. Once the user takes the desired action, the Trojan enters their system.
Free or Pirated Software-
Almost every user on the internet looks for free software. Many even try to download cracked versions of paid software to avoid spending money. Cybercriminals take advantage of this behavior: they crack the paid software, bundle the trojan into it, and make it available for users to download. When a user downloads such software, they infect their computer with ransomware.
Since the first ransomware attack, cybercriminals have tried several new strategies to increase the impact of their ransomware, going beyond these two standard methods of spreading it.
It has been seen that fraudsters hack legitimate websites and add a redirection to a malicious page. Such a page contains an exploit kit that gives the hackers information to plan their attack.
Since ransomware first surfaced in 1989, ransomware attacks have caused losses of billions of dollars across several countries. Below is a table that lists the most damaging ransomware attacks.
| Name | Subtype | Duration | Area Affected | OS Affected | Estimated Loss | Source |
|---|---|---|---|---|---|---|
| Reveton | Zeus Trojan | Early 2012 to mid 2013 | Europe, US, Canada | Windows | $93,640 | 1 |
| CryptoLocker | Cryptovirus | September 2013 to May 2014 | US | Windows | $3 Million | 2 |
| TorrentLocker | Cryptovirus | February 2014 to end 2014 | Australia, Turkey, Italy, | | | |
| CryptoWall | Zbot | April 2014 to end 2014 | US, Canada, Australia | Windows | $18 Million | 4 |
| Fusob | TrojanRansom | April 2015 to March 2016 | Germany, UK, US | Android | Not Estimated | 5 |
| WannaCry | Cryptoworm | Initial 12 to 15 May 2017 | All | Windows | $4 Billion | 6 |
| Petya | Cryptovirus | March 2016 to July 2017 | Europe, US | Windows | $10 Billion | 7 |
| Bad Rabbit | Cryptovirus | October 2017 | Russia, Ukraine, Bulgaria | Windows | Not Estimated | 8 |
| SamSam | Ransom.Samas | 2016 to 2018 | US | Windows | $30 Million | 9 |
Can it infect Mac or Linux?
Of course, ransomware can infect any machine; it works the same way on Mac or Linux. Cybercriminals are now targeting Linux machines because most web servers run on that platform. Compared with Windows, however, they are still considered safe. But why is that?
Mac and Linux machines have fewer vulnerabilities, while Windows has many security loopholes that make it an easy target. The other reason Mac and Linux machines face fewer ransomware attacks is the number of users: Windows is the most popular and widely used OS, which is why cybercriminals target it.
The first ransomware attack on Mac OS was KeRanger. It used a legitimate BitTorrent client named Transmission to spread and infected 7,000 Mac users in 2016. Another Mac ransomware that hit several users was Keydnap.
In 2017, the South Korean web hosting company NAYANA was infected with the Erebus ransomware. It infected more than 153 Linux-based web servers, and NAYANA had to pay a $1 million ransom to recover them.
Ransomware as a Service (RaaS)
Ransomware as a service lets cybercriminals run an attack without developing ransomware themselves. Cybercriminals who have developed ransomware offer it in a franchise or affiliate model, so that other people with less coding knowledge can deploy the attack. The profit is shared between the ransomware's author and the people who carry out the attack.
The RaaS model makes it easy for criminals to run a cyber extortion business with no technical expertise, and the cybercriminals who write the ransomware make quick money with little effort. Various ransomware-as-a-service offerings on the dark web claim to create ransomware in less than a minute. Some well-known RaaS offerings are Cerber, Satan, Hostman, Flux, and Atom.
The Viral Ransomware
In 2016, a new method of spreading and infecting others appeared. A ransomware named after the popular BitTorrent client Popcorn Time tried to become a viral meme. It encrypted users' files and asked for 1 Bitcoin, about $900 at the time, for the decryption key. It also said that if you did not have the money you could still unlock your files: all you had to do was infect two other people who then paid the ransom. The ransomware also offered a link to the infected Popcorn Time program to share.
This ransomware tried to spread quickly because the infected people themselves were supposed to infect others. It worked like a multi-level marketing scheme and spread by word of mouth. If someone got infected, they would try to find out who had infected them, opening up a lot of discussion on social media.
Not only that, the makers of this ransomware also justified their cause with an emotional reason. They presented themselves as a group of computer science students from Syria and referred to the state of the Syrian war. They claimed that the money collected from the ransom would be used for food, medicine, and shelter. The makers further said that “we are extremely sorry that we are forcing you to pay, but that’s the only way that we can keep living.”
Checker / Scanner
There are several checkers and scanners that detect ransomware and also help decrypt the files.
ID Ransomware
ID Ransomware helps you find out which ransomware has infected your system. You upload the ransom note or an encrypted sample file, and it tells you the type of ransomware. It can detect more than 686 kinds of ransomware and also guides you to a decryptor if one is available.
No More Ransom
No More Ransom is an online scanner that analyzes encrypted files and tells you the type of ransomware. It also suggests and provides a decryption tool if one is available for that ransomware.
VirusTotal
VirusTotal analyzes a file hash and reports any malware infection. It examines the sample file or URL with several antivirus engines to make sure you receive the correct status.
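As an added example (not from the original article and not the code of any tool named above), the following Python triage script checks for the footprint described earlier in the "How does it spread?" section and produces what the scanners above take as input: it walks a directory tree, flags ransom-note candidates left in folders, spots documents whose extension has had something appended and whose content is near-random (a sign of encryption), and computes the SHA-256 of each note for lookup in a scanner such as VirusTotal. The note-name pattern, the document-extension list, the 7.0-bit entropy threshold and the sample tree are constructed assumptions, not values from the article.

```python
import hashlib
import math
import os
import re
import tempfile
from collections import Counter

NOTE_PATTERN = re.compile(r"(readme|decrypt|how_to|restore|recover)", re.I)  # constructed
DOC_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg"}  # constructed; real families vary

def shannon_entropy(data: bytes) -> float:
    # Bits per byte: encrypted or compressed data sits close to 8.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root: str, threshold: float = 7.0) -> dict:
    # One pass collects note candidates, likely-encrypted files and note hashes
    notes, suspect, hashes = [], [], {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if NOTE_PATTERN.search(name) and name.lower().endswith((".txt", ".html", ".hta")):
                notes.append(path)
                hashes[path] = hashlib.sha256(data).hexdigest()  # for VirusTotal lookup
                continue
            # Document extension with something appended plus near-random content
            stem, appended = os.path.splitext(name)
            original_ext = os.path.splitext(stem)[1].lower()
            if original_ext in DOC_EXTENSIONS and appended and shannon_entropy(data) > threshold:
                suspect.append(path)
    return {"notes": notes, "suspect": suspect, "hashes": hashes}

def build_sample() -> str:
    # Constructed tree: a note in every folder, one "encrypted" document, one untouched
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "Documents"))
    note = b"Your files are encrypted. Pay to recover them."
    files = {
        "README_DECRYPT.txt": note,
        "Documents/README_DECRYPT.txt": note,
        "Documents/invoice.docx.locked": os.urandom(4096),  # random bytes stand in for ciphertext
        "Documents/notes.docx": b"quarterly planning " * 50,
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root
```

Run `triage(build_sample())` to see the two notes, the single suspect file and the note hashes; on a real host, point `triage` at the user's profile or a share and submit the hashes rather than the files themselves.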
Targets and Victims
Ransomware can attack anyone; its victims come from every area and industry. However, specific industries are the most affected by ransomware attacks. Cybercriminals want to infect computers that hold valuable information so that the chances of getting the ransom increase, and they choose a particular area or industry on that basis.
Cyberattacks, and especially ransomware, target small and medium-sized businesses. In 2018 such businesses received many ransomware attacks, because such organizations lack proper cybersecurity. They consider themselves at low risk of cyber attack since they don't have much to lose, but when an attack happens they lose everything. That is why cybercriminals who want easy money target such businesses. Below are some industries that are lucrative to cybercriminals.
Healthcare
Ransomware targets industries that cannot cope with an attack and quickly pay the ransom. The healthcare industry is one of them. Hospitals count as emergency services, and their systems cannot go down even for a few minutes. They have no time to consider an alternative to paying, so they make the payment quickly. In 2017, the NotPetya ransomware attacked a series of U.S. hospitals. The WannaCry ransomware also hit various hospitals, which had to cancel several appointments.
Education
Educational institutes are more prone to ransomware attacks. Most of them don't have updated software and run on an open network, so any student could infect the whole institute with their device. In the 2016 ransomware attacks, two-thirds of UK universities were hit.
Government
The situation of government institutions is the same as in education. Most government organizations don't update their computers due to budget issues, and thus they get infected. A lack of proper knowledge of computer security also plays a part.
Energy & Utilities
The energy and utility sector is also an attractive area for cybercriminals. They could infect a single power grid and shut down the power supply to multiple cities. The NotPetya attack took out the entire power grid in the 2017 attack on Ukraine.
Ransomware Simulator
A ransomware simulator helps you assess the security of your network or PC against ransomware attacks. It tests your defenses against real-world attacks and is also helpful for spreading awareness in your organization. RanSim is one such tool; it runs 13 ransomware and one crypto-mining infection scenario without any risk to the actual data.
Statistics and Trends
- Ransomware attacks rose 350% in 2017 compared to 2016. [Source- DimensionData]
- Ransomware attacks in 2017-2018 fell by 30% compared to 2016-2017. [Source- Kaspersky]
- 70% of ransomware payments were in the form of Bitcoin in 2016. [Source- Bitcoin]
- Small businesses are losing $75 billion a year to ransomware. [Source- Datto]
- Healthcare is the top industry that gets hit by ransomware. [Source- Beazley]
- The average ransomware demand decreased by half in 2017 compared to 2016. [Source- Symantec]
- Around 40% of ransomware victims paid the ransom. [Source- Malwarebytes]
- According to Google researchers, ransomware victims paid $25 million between 2015 and 2016. [Source- TheVerge]
- 99% of the ransomware attacks were on Windows OS in 2018. [Source- Statista]
- The cost of downtime to industries is 10 times higher than the ransom. [Source- Datto]
- Ransomware attacks are moving to cloud storage in 2018. [Source- ComputerWeekly]
- 17% of MSPs report an increase in Office 365 ransomware infections. [Source- Datto]