What is ransomware?
Ransomware is a type of malware that prevents or limits access to a system or network, typically by encrypting files on the system. When a system is infected with ransomware, either the screen itself gets locked or the files on the system get locked. The affected person or organization is then told to pay a ransom to get the files decrypted and regain access to the files or system.
Types of ransomware
There are basically two strains of ransomware, namely crypto ransomware and locker ransomware. Crypto ransomware encrypts files, folders, hard drives, etc., whereas locker ransomware locks users out of their systems or devices and denies access to the system or device altogether.
Ransomware can also be classified as encrypting and non-encrypting ransomware. Encrypting ransomware encrypts files and blocks access to systems or files, while non-encrypting ransomware restricts access without resorting to encryption. In the latter case, access to the system is denied by displaying an image (often pornographic) or fake notifications or notices (a software re-activation notice, a warning accusing the user of accessing or downloading pornography, etc.), and the user is duped into paying money.
There is also a different kind of ransomware called the leakware (or doxware), which would exfiltrate sensitive data and then threaten to publish that data unless a ransom is paid.
Mobile ransomware, which targets mobile operating systems, is also on the rise today.
Ransomware infection and behavior
Ransomware infection can happen in a variety of ways. An unwitting user could download ransomware from malicious or compromised websites. Ransomware could also gain entry into a system as a payload dropped or downloaded by other malware that has already infected the system. Infection also happens through phishing emails, or through advertisements on malicious web pages.
Once downloaded and executed on a system, ransomware either locks the screen or encrypts predetermined files. If the screen is locked, a full-screen image or notification is displayed that prevents the user from using the system; the notification explains how to pay the ransom and regain access. If files are encrypted, access to potentially critical or valuable files, including documents, spreadsheets, etc., is blocked and the user gets a pop-up asking them to pay a ransom to have the files decrypted.
It’s only after the ransom is paid, in digital currency, that the files get decrypted and the user regains access to the files or the system.
The history of ransomware
The history of ransomware begins in 1989, when Harvard-trained Joseph L. Popp created the AIDS Trojan and spread it through snail mail on 5¼” floppy disks. About 20,000 infected diskettes were distributed among those who attended the WHO’s International AIDS Conference.
In 2006, another ransomware was released. Named Archievus, this was perhaps the first ransomware to use asymmetric encryption and the RSA algorithm. It encrypted everything in the “My Documents” directory on a system and asked affected users to make purchases from specific websites to obtain the password to decrypt the files. 2008 and 2009 witnessed many fake antivirus applications compromising computer systems and networks. 2011-2012 saw a rise in ransomware attacks; attackers were using locker ransomware and demanding 150 to 200 US dollars, in bitcoin, as ransom. Since 2013, ransomware attacks have been happening at an unprecedented rate and major organizations across the world have been attacked. Here’s a look at three major ransomware attacks that happened in recent times…
Top three major ransomware attacks in recent times
The Locky ransomware was discovered in February 2016 and was noted for its distribution methods. It first appeared as a macro in a Word document and was later seen spreading via Adobe Flash and Windows kernel exploits. Different versions of Locky have been seen. A notable feature of this strain is its ability to delete the shadow copies of files, rendering local backups useless.
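Because shadow-copy deletion is one of the few behaviours in this account that a defender can watch for directly, here is an added detection example (not code from the original article) that scans process-creation log lines for shadow-copy deletion commands. The log format, the sample events and the `BackupAgent` allow-list path are all constructed assumptions for the example; the allow-list is there because legitimate backup software also prunes shadow copies and would otherwise produce false positives.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed process-creation records in a Sysmon/4688-like key=value layout (not real telemetry).
SAMPLE_EVENTS = [
    '2016-02-22T10:01:12Z host=WS01 user=jdoe image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin delete shadows /all /quiet" parent=C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe',
    '2016-02-22T10:01:13Z host=WS01 user=jdoe image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic shadowcopy delete" parent=C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe',
    '2016-02-22T10:02:00Z host=WS01 user=SYSTEM image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin list shadows" parent=C:\\Windows\\System32\\services.exe',
    '2016-02-22T10:03:45Z host=WS02 user=backupsvc image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin delete shadows /for=C: /oldest" parent=C:\\Program Files\\BackupAgent\\agent.exe',
]

EVENT_RE = re.compile(
    r'(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) '
    r'cmd="(?P<cmd>[^"]*)" parent=(?P<parent>.*)$'
)

# Command shapes that remove Volume Shadow Copies; listing shadows alone is not flagged.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
]

# Hypothetical allow-list: parent process paths permitted to prune shadow copies (assumption).
ALLOWED_PARENT_PREFIXES = ("c:\\program files\\backupagent\\",)


@dataclass
class Alert:
    host: str
    user: str
    parent: str
    cmd: str


def parse_event(line: str) -> Optional[dict]:
    """Return the event fields as a dict, or None if the line does not match the layout."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def is_shadow_delete(cmd: str) -> bool:
    return any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS)


def parent_allowed(parent: str) -> bool:
    return parent.lower().startswith(ALLOWED_PARENT_PREFIXES)


def detect(lines: Iterable[str]) -> List[Alert]:
    """Flag shadow-copy deletions whose parent process is not an allow-listed backup agent."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_shadow_delete(ev["cmd"]) or parent_allowed(ev["parent"]):
            continue
        alerts.append(Alert(ev["host"], ev["user"], ev["parent"], ev["cmd"]))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields two alerts, both with a parent process in a user's Temp directory, while the listing command and the allow-listed backup agent are ignored.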
The WannaCry outbreak, which happened in May this year, was a global phenomenon and made the term ‘ransomware’ known even to the layman. WannaCry spread using the EternalBlue exploit against unpatched Windows systems; the outbreak was unprecedented in scale, spanned over 150 countries, and threw major organizations out of gear. The attackers gave victims a 7-day deadline to pay the ransom, after which the encrypted files would be deleted.
Petya was first seen in March 2016. The notable thing about this ransomware was that it targeted the master boot record of an affected system and was delivered through legitimate cloud storage services such as Dropbox. The malware encrypts the NTFS file system’s file table the next time the system boots after infection, thereby blocking the system from booting into Windows unless the ransom is paid. A modified version of Petya (also referred to as NotPetya) spread globally in June this year, using the EternalBlue exploit like WannaCry.
How to prevent Ransomware?
There are some very basic preventive measures that can help block ransomware attacks:
- Stay wary of phishing emails. Never open unverified emails or the links and attachments in such emails.
- Create backups of all important files and update them regularly.
- Ensure that all software, programs and applications are regularly updated.
- Use all necessary computer security software and run virus scans regularly.