1 – What is Ransomware?

QUIZ:

What is RansomWare?

a) Hacker’s threat to post your sensitive information online unless you provide payment

b) Malicious software that encrypts your files and demands a payment to recover them

c) Electronic communication (e-mail, text) from kidnappers stating their demands for return of victim, occurring most frequently with tourists to Central and South American countries

d) A popular new game app for the iPhone

 

Ransomware has been around for quite some time, but it has been increasing in prevalence, especially over the last couple years. I have seen a great deal of talk about ransomware in security circles this year. I have also seen instances of companies making promises of protection from ransomware that they can’t possibly keep.

In looking for statistics, I have found a wide range of figures for losses and/or ransom amounts paid, depending upon the source of information. However, multiple sources suggest that the payments were in the range of hundreds of millions of dollars last year with a significant increase for 2016.

 

So, what is ransomware? The correct answer to the quiz above is “b.” RansomWare is software that holds your information hostage until you make payment to the perpetrator. The perpetrator says they will make it possible to restore your access to your files if you make the requested payment. There is usually a deadline. If you miss the deadline, you are out of luck and will no longer be able to recover them.

However, if you answered “a,” you may be choosing a secondary tactic used by some ransomware criminals. Although the “threat” is usually that you will forever lose access to your files, there have been cases in which they have added a second threat that they will release your information to the public, probably posting on a web site. If the loss of the files isn’t incentive enough, perhaps public embarassment or the exposure of your sensitive data might be enough to convince you to pay. So, while “a” is not the correct definition of ransomware, it may be part of the “threat” in certain instances.

 


Pay up OR ELSE
image

Ransomware typically acts in one of two different ways.

The first method is to prohibit access to your files and your computer. Your screen may be locked or blocked so that your normal ability to use your computer is prohibited. If you pay the ransom, they promise that they will unlock your system.

The second method is more serious. Your files are encrypted and you can no longer access them. Or, more accurately, the contents of those files are no longer available. As an example, if your file used to say: “Once upon a time….” it now may say something like: “.8Y%r&b4g.cX7|KWm]+/#+}RL0PQ>I.” The file is now worthless, until it has been unencrypted (decrypted).

With earlier versions of some types of ransomware, it was sometimes possible to decrypt the files without paying because of the criminal’s poor implementation of the “cryptographic algorithm.” In other words, the developer of the software that encrypted the files didn’t do a good job of implementing the technology to encrypt them. That meant their encryption could be broken.

However, ransomware has improved in sophistication and the developers have been fixing the problems with their software. Their software is becoming “better.” That means that it is not going to be possible to break the encryption that is now being used and the files cannot be recovered without the help of the criminal.

So, how do you get your files back? The attacker promises to provide the mechanism to decrypt (unencrypt) those files, but only if you pay them. And, there is a deadline. The ability to decrypt your files and make them usable again depends upon a “key.” They have the key and can use it to decrypt your files so you can access them again. However, when the deadline arrives, they will delete that key. If that key is deleted, you will never get access to your files again. Not even the attacker would be able to help you once the key has been deleted.

Typically, there is a countdown timer counting down to the deadline. There are also instructions on how to make payment. The method for making payment is typically by using “Bitcoins.” That is the new “currency” of the underworld, although it is also being used by legitimate people as well. Payment with bitcoins makes it harder to trace.

Use of bitcoins makes it harder for most people to make payment. How do you pay with bitcoins? Where do you get them?

To solve that problem, the attacker (extortionist) will typically provide instructions. However, some will provide an alternative for those that have trouble understanding how to make the payment. In some cases, the attacker will agree to unlock your files and restore access to them if you allow them to use your computer in their efforts to infect others to collect payment from other people.

 

So, you can either fund future criminal activities by paying the extortionist (attacker) or you can agree to become an accomplice in the crimes by allowing them to use your computer to carry out their criminal deeds. (Next week, I will talk about other choices you have, where you can avoid paying, thwarting the criminal’s attempts, and still not lose all your information.)

 

The most publicized victims are corporations. Businesses of all sizes and types have been victimized. However, individual home computer users are also victimized. The amount of the ransom demanded usually varies, depending upon the ability of the victim to pay and, sometimes, on the value of the data or the importance of the system attacked. However, the attacker’s goal is to get paid, so the amount they ask is typically an amount that they expect the victim will likely be able to pay, even if it is expensive for them.

You may think that paying is the best choice, if it is an amount that you are capable of paying. There are several problems with this approach. As mentioned above, you will be funding the extortionist’s future endeavors and also encouraging them to continue their exploits. However, there are also numerous instances where the victim has paid the ransom and has not gotten their files back. Furthermore, in a number of cases, the attacker repeats the attack. They have gained access to your system and can hold it ransom again whenever they want to. They may also have planted other malicious software on it and may have extracted your data already as well. If you pay once, it seems likely that you will pay again if they repeat their attack again in a couple months.

For a number of reasons, paying is not recommended. The best options are prevention and having an alternative response in place.

There are things you can do to greatly reduce your chances of becoming a victim. There are also things that you can do to minimize the impact if you do get victimized. You should do both. Reducing your chance of becoming a victim is an important first step, but it doesn’t guarantee you’ll escape. But, if you have also taking steps to minimize the negative impact, you can turn a catastrophe into a mere inconvenience. Check back next week to hear more about that.