Manipal Information Security Team
CyberManipal

Ransomware—The Enigmatic Virus Attack

Manipal Information Security Team
·Jul 31, 2021·

5 min read

Ransomware in the virtual world is analogous to kidnappers in the real world. These viruses literally threaten to delete all your files unless you pay the hackers the ransom they ask for. Even after you pay them, there is no guarantee that your data will be secure. Interesting and scary, isn't it? Follow along to get a better insight into the entire Ransomware story.

What is Ransomware?

Ransomware is a type of malware from cryptovirology that controls the victim's data by encrypting their files, locking the user out of their system or even disrupting the normal usage of the user's device. The attacker demands a ransom from the victim and doesn't negotiate with the latter until the victim concedes to make a payment. Afterwards, the victim is likely to get a decryption key, which hopefully restores the data that was held for ransom. But does that ensure the safety of the victim's data in the future?

How did it all start?

The AIDS Trojan, written by Joseph Popp in 1989, was the first known attack of this kind, but its design was flawed. The payload hid the files on the hard drive and encrypted only their names, then displayed a message saying that the user's license to use a specific piece of software had expired and demanded a ransom of $189.

Non-encrypting ransomware was first recorded in August 2010, when Russian authorities arrested nine people connected to a ransomware trojan known as Winlock. As the popularity of ransomware on PC platforms increased, ransomware targeting mobile operating systems also grew in popularity amongst attackers.

What does it do?

The concept of file-encrypting ransomware was invented and implemented by Young and Yung at Columbia University and was presented at the 1996 IEEE Security & Privacy conference. Cryptoviral extortion, as it was called, follows a three-round protocol carried out between the attacker and the victim.

  • Attacker to victim: In the first stage, the attacker generates a key pair, places the public key in the malware, and releases it.
  • Victim to attacker: In the second stage, the malware generates a random symmetric key and encrypts the victim's data with it, carrying out the cryptoviral attack. The public key in the malware is then used to encrypt the symmetric key. This is known as hybrid encryption and results in a small asymmetric ciphertext as well as a symmetric ciphertext of the victim's data. The malware then wipes the symmetric key and the original plaintext data to prevent recovery. Next, it displays the asymmetric ciphertext to the user and lists ways to pay the ransom. The victim then sends the asymmetric ciphertext and e-money (digital currency) to the attacker.
  • Attacker to victim: In the third and final stage, the attacker receives the payment from the victim, decrypts the asymmetric ciphertext with the private key, and gives the victim the symmetric key needed to decipher the encrypted data, thus completing the cryptovirology attack.
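To make the three rounds concrete, here is an added walkthrough in Python that runs the protocol on in-memory byte strings. It is not code from the original post or from Young and Yung's paper. It uses a toy textbook RSA key pair and a SHA-256 counter-mode stream cipher as stand-ins for the real asymmetric and symmetric primitives, and the function names (round1_attacker, round2_victim_side, round3_attacker, run_protocol) are this example's own; all of these are assumptions. The last step shows the defender's side of the story: an analyst who has the sample holds only the public key and the two ciphertexts, which is not enough to recover the session key, so the data comes back only from a backup or from the attacker's private key.

```python
import hashlib
import secrets

# ---- Toy RSA (stands in for the attacker's asymmetric key pair) ----

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test; good enough for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Returns ((e, n), (d, n)). Textbook RSA without padding: demonstration only."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)


# ---- Symmetric part: hash-based counter-mode stream cipher ----

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || nonce || counter) blocks; the same call decrypts.
    Stands in for AES-GCM, which real systems use."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


# ---- The three rounds from the article, on in-memory byte strings ----

def round1_attacker():
    """Round 1: attacker generates the key pair; only the public half ships in the malware."""
    return generate_keypair()


def round2_victim_side(public_key, plaintext: bytes) -> dict:
    """Round 2: on the victim's machine, hybrid encryption of the data.
    Only the two ciphertexts survive; session key and plaintext are discarded."""
    e, n = public_key
    session_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    return {
        "asymmetric_ct": pow(int.from_bytes(session_key, "big"), e, n),
        "nonce": nonce,
        "symmetric_ct": keystream_xor(session_key, nonce, plaintext),
    }


def round3_attacker(private_key, asymmetric_ct: int) -> bytes:
    """Round 3: after payment, the attacker recovers the session key with d and returns it."""
    d, n = private_key
    return pow(asymmetric_ct, d, n).to_bytes(32, "big")


def run_protocol(plaintext: bytes) -> dict:
    public_key, private_key = round1_attacker()
    msg = round2_victim_side(public_key, plaintext)
    session_key = round3_attacker(private_key, msg["asymmetric_ct"])
    recovered = keystream_xor(session_key, msg["nonce"], msg["symmetric_ct"])
    # Defender's view: an analyst holding the sample has e, n and the ciphertexts only.
    # Applying e instead of d yields a meaningless value, not the session key.
    e, n = public_key
    wrong_key = (pow(msg["asymmetric_ct"], e, n) % (1 << 256)).to_bytes(32, "big")
    analyst_guess = keystream_xor(wrong_key, msg["nonce"], msg["symmetric_ct"])
    return {
        "recovered": recovered,
        "ciphertext_differs": msg["symmetric_ct"] != plaintext,
        "public_key_alone_recovers": analyst_guess == plaintext,
    }


if __name__ == "__main__":
    print(run_protocol(b"constructed victim data " * 8))
```

Real hybrid schemes use RSA-OAEP or an ECIES-style key encapsulation together with AES-GCM; the unpadded RSA and unauthenticated stream cipher here are simplifications chosen so the three rounds stay readable.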

Ransomware attacks are carried out using Trojan horse malware (software that misleads users about its true intent). The Trojan usually enters the victim's device as a malicious attachment, a link embedded in a phishing email, or through a vulnerability in a network service. The program then runs a payload, as described above, on the victim's device that gains access to their data and locks the system in different ways. These payloads may also show fake warnings that claim to come from a government agency or another service, falsely accusing the victim of illegal activity or of possessing content such as pornography and pirated media.

Generally, it is almost impossible to trace the transaction details of the attacker, since most of them demand the ransom in bitcoin or other digital methods of payment.

Ransomware attacks and statistics

The Baltimore ransomware attack in 2019 and the Kaseya ransomware attack in 2021 are fitting examples of the damage that such viruses can cause to data in big organisations.

Below are a few statistics that take into account major, recent ransomware attacks.

  • The use of ransomware scams grew suddenly in the year 2012. Such scams have grown exponentially worldwide since then.
  • There were 181.5 million ransomware attacks in the first six months of 2018. This record points to a 229% increase when compared with the same time frame in 2017.
  • In June 2014, McAfee released data it had collected, and the number of ransomware samples turned out to be more than double what it had gathered in the previous year.
  • CryptoLocker, a ransomware attack in 2013-14, was successful in procuring an amount of US$3 million from victims before the authorities managed to take it down.
  • In 2020, the IC3 received nearly 2,474 complaints identified as ransomware, with losses of over $29.1 million.

These are just the estimated losses reported by the FBI. There may be several other losses that the FBI has absolutely no knowledge of, thus presenting a scary picture of the impact of ransomware attacks.

Defend yourself

Defending yourself against ransomware is more of a precautionary measure than a corrective one. Staying on the lookout for any sign of damage or mishap on your system can help you stay safe. A few measures to protect yourself are given below.

  • Have a data backup: It's the best way to avoid the risk of being locked out of your data. Always ensure you have backup copies on an external hard disk. Then, even if you are under attack, you can erase your device and restore your files from the backup. Backups won't save you from attacks but can help mitigate the damage caused.
  • Secure your backup: Always make sure your backup data cannot be opened, edited or otherwise modified by others.
  • Use anti-virus if possible: Make sure all your devices are protected with security software and update it regularly.
  • Practice safe surfing: It is best to be cautious about which links you open and where you click on a website. It is always better not to respond to emails and messages from unknown sources. Download extensions or apps only from trusted and verified sources. This is important because attackers often use social engineering to get you to install dangerous files. Avoid using public Wi-Fi networks, as most of them are not secure. Keep following current ransomware threats so that you remain aware of these malicious practices and the ways to avoid them.
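A backup is only useful if it is still intact when you need it. Here is an added Python example (not from the original post) that records a SHA-256 manifest of a backup tree and later checks the tree against it, reporting files that were modified, deleted or added, and flagging files whose byte entropy sits near 8 bits per byte, which is what encrypted content looks like. The demo() function, the manifest format and the 7.5 bits/byte threshold are this example's own choices; demo() builds a constructed sample backup in a temporary directory and simulates the tampering. In practice the manifest belongs on media the backup host cannot write to, so that an intruder who can overwrite the backup cannot also rewrite the record of what it should contain.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0..8). Encrypted or compressed content sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_backup(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the tree under root with a previously recorded manifest."""
    report = {"modified": [], "missing": [], "unexpected": [], "high_entropy": []}
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            report["unexpected"].append(rel)  # e.g. a dropped ransom note
        elif sha256_file(p) != manifest[rel]:
            report["modified"].append(rel)    # content changed since the manifest
        if shannon_entropy(p.read_bytes()) >= entropy_threshold:
            report["high_entropy"].append(rel)  # looks encrypted
    report["missing"] = sorted(set(manifest) - seen)
    return report


def demo() -> dict:
    """Build a constructed sample backup, record it, tamper with it, and verify twice."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "thesis.txt").write_bytes(b"Chapter 1. " * 200)
        (root / "notes.txt").write_bytes(b"remember to rotate keys\n")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        # Constructed damage: one file overwritten with random bytes (as encryption
        # would leave it), one file deleted, and an unexpected note dropped in.
        (root / "docs" / "thesis.txt").write_bytes(os.urandom(2048))
        (root / "notes.txt").unlink()
        (root / "README_RESTORE.txt").write_bytes(b"constructed sample note")
        tampered = verify_backup(root, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

The entropy check catches files that have been encrypted in place even when no manifest exists yet, while the manifest catches silent deletions and additions that entropy alone cannot see; a backup job that runs verify_backup before overwriting the previous generation gives you a chance to stop before a bad copy replaces a good one.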

Written by: Devata Rohan
