Ransomware

Of course, you have heard of ransomware. Even if you live in a cave in the Hindu Kush, you have heard of ransomware by now. My mother even asked me about ransomware at Easter brunch. For the last eighteen months, there has been a huge surge in the awareness about ransomware, particularly following the WannaCry and Petya attacks. What is it? Why the surge? What do you need to know?

Let’s start with a definition please. Ransom-ware. Software that is malicious and extorts ransom from users to be able to recover their encrypted data. Ransomware is not new; the first known example (AIDS Trojan) dates from 1989. However, in the last five years, there has been a significant increase in the number of ransomware attacks and the number of ransomware examples / variants. Much of that increase can be tied to the rise of anonymous cryptocurrencies, such as Bitcoin, which make the gathering of ransom monies paid far less risky for criminals than use of other payment methods.

Of course, the key to ransomware is encryption. Some ransomware uses secret key (symmetric) encryption (one key is used for both encryption and decryption), because it is fast. However, use of a single secret key means that that key can be fairly easily compromised. Instead, some ransomware variants use asymmetric encryption (i.e., a public for encryption and a private key for decryption), while some ransomware uses a combination of asymmetric encryption (i.e., public and private keys) and symmetric encryption (i.e., a single secret key is used for both encryption and decryption), with the secret key encrypted with a public key. The advantages to the latter, more sophisticated combination of encryption methods, are that symmetric encryption is far faster than asymmetric encryption, and that the secret key can be unique for every victim. These differences in type of encryption used are important because they are relevant to your chances of being able to recover your encrypted data.

What does ransomware encrypt? Ransomware encrypts a user’s data (e.g., your My Documents folder), but usually not system files. So your computer continues to operate (so that you can actually pay the ransom), but you have no access to your data.

While the Windows operating system (OS) is by far subject to the most ransomware attacks, MacOS and Linux are not immune to ransomware (e.g., KeRanger and KillDisk, respectively).

Most ransomware is spread using a Trojanized file (i.e., a malicious computer program designed to hack into a computer by misleading users of its true intent). Almost all ransomware distributed by a Trojan involves phishing (i.e., deceiving users to click -on / open a file that the user believes is legitimate). However, the extremely widespread ransomware WannaCry spread in May of this year using a worm (i.e., standalone malware that replicates itself in order to spread to other computers), instead of a Trojan with phishing.

Should you have pay the ransom demand? Even though the FBI previously said that users should pay a ransomware demand, you should not pay. You should not pay because encryption algorithms are very difficult to design and implement properly. In many cases, the key(s) needed for decryption of users’ data have been recovered by security researchers and made public. While you might be inconvenienced by not having immediate access to your data, your Bitcoin wallet may very well thank your patience.

What can you do to protect yourself from ransomware? First, be aware of and sensitive to phishing attempts against you and / or your organization. Second, be sure to back-up your data regularly, then ensure that your back-ups are off-line. Much more involved, but necessary from a security perspective, is to ensure that your organization’s (or household) network is properly segmented to stifle the spread of ransomware within your organization (or household). An excellent source of information about ransomware and how to protect against it is Europol, the European Union police organization.

Is ransomware limited to PCs? No, absolutely not. While you might pay more to get your data back, you would also probably pay to effectively get your TV, refrigerator, or car back from ransomware as well. And, while those products have yet to be plagued by ransomware, it’s only a matter of time.

Ransomware will be around for years to come, so it is worth your time to get educated about it.