Ransomware: a History and Taxonomy

Eric Pinkerton
Hive Intelligence
May 16, 2017
Source: https://www.flickr.com/photos/sheila_sund/34262297391

Kaspersky Labs somewhat prematurely declared 2016 the “Year of Ransomware”, citing the emergence of 62 new families of ransomware and an attack on businesses every 40 seconds, and individuals every 10 seconds.

This article looks at what Ransomware is, where it has come from, and what you can do about it.

Excerpt from an article in https://portal.securitycolony.com. Login or register to see the full article.

What is Ransomware?

Ransomware is a type of malware that extorts users by preventing access to files or systems until a ransom is paid. Two common variants are Locker Ransomware and Crypto Ransomware:

  • Locker Ransomware denies access to resources by locking the device’s user interface, for example by severely limiting mouse and keyboard functionality. Often the only interaction possible is with the attackers and procuring Bitcoins. Locker ransomware doesn’t typically encrypt files, however, so data retrieval is usually achievable.
  • Crypto Ransomware, by contrast, identifies and encrypts valuable files but otherwise allows the system to perform relatively normally as critical system files are untouched. Users are presented with a window demanding payment and typically threats such as file deletion for non-payment.

A Brief History of Ransomware

In 1989 the AIDS Trojan, named after the author’s purported intent to raise funds for AIDS research, marked the first occurrence of ransomware. It was relatively unsuccessful, however, as the encryption process was inherently weak and the distribution mechanism — floppy disks — limited the number of viable targets. The rise of the Internet gave way to a new generation of ransomware, and from 2005 variants started to emerge including fake spyware removal tools, fraudulent performance optimisers and applications that demanded payment to remove “corrupted” files. The diagram below illustrates Symantec’s observation of the meteoric rise of ransomware over the past decade:

Source: https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf

Why has Ransomware been so successful?

Ransomware has enjoyed an exponential rise in popularity over the last two years in particular, due to the emergence of strong, accessible encryption technologies and the rise of cryptocurrencies.

Initially it was often possible for infected users to decrypt their data, because the ransomware used weak encryption or shared encryption keys. As technology and the attackers grew more sophisticated, however, ransomware increasingly used public/private key systems that locked users’ data with little hope of retrieval without the key. In recent years this has even enabled ‘Ransomware-as-a-service’, in which criminals with little to no technical skill distribute the software at their own risk while paying the creator a share of the profits — allowing programmers more time for innovation. Like any business that turns a remarkable profit with little overhead in a short time, reinvestment and mimicry soon followed as more criminals sought their share of the action.

All this profit had to be transferred anonymously and securely — and cryptocurrencies, digital currencies that use encryption to regulate the transfer of funds in the absence of a central bank, provided ransomware operators the ability to do just that. The rise of Bitcoin and the like has provided cybercriminals with an ability to avoid the attention of law enforcement and financial institutions while being publicly accessible enough to facilitate rapid payment from victims.

What can you do about Ransomware?

Education, system hardening and backing up critical data are the keys to defending your business from ransomware. One of the most common methods to distribute ransomware, like any other form of malware, is phishing as it allows cybercriminals to target a very large audience with little to no existing knowledge of the target. Ensuring personnel are educated on email, chat, and social media security is an effective first step towards protecting your organisation.

Cybercriminals can also use advertising networks to place ransomware on websites with a high volume of visitors; in some cases, even trusted websites have been used. Ensuring operating systems, browsers, and antivirus systems are up to date can provide protection against this form of ‘malvertising’. Most menacing, however, is the rise of ransomware driven by self-propagation, such as W32.Ransomlock.AO, W32.Cryptolocker.AQ and the infamous WannaCry.

Ensuring strong network security is in place (for example by disabling SMB v1.0 and restricting port 445, the main delivery mechanism for WannaCry) allows ransomware to be contained before the entire network is compromised. Application whitelisting provides one of the most effective forms of protection against malware in general, and ransomware is no exception. Actively managing the applications that can be installed on a given device and restricting software to pre-approved applications can eliminate the risk of compromise almost entirely.
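The SMB hardening described above, as an added example that is not part of the original article: a PowerShell script that reports whether SMBv1 is still enabled and whether inbound TCP 445 is blocked on a Windows host, and applies both changes when run with a hypothetical -Remediate switch. It assumes an elevated session on Windows 8.1/Server 2012 R2 or later, where the SmbShare, DISM and NetSecurity cmdlets used here are available.

```powershell
# Added example: audit and (optionally) remediate SMBv1 and inbound port 445 exposure.
# -Remediate is a hypothetical switch for this script; without it nothing is changed.
param(
    [switch]$Remediate
)

# 1. Is the SMB1 server protocol still enabled on this host?
$smb = Get-SmbServerConfiguration
Write-Host ("SMB1 server protocol enabled : {0}" -f $smb.EnableSMB1Protocol)

# 2. Is the SMB1Protocol optional feature (client and server binaries) still installed?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Write-Host ("SMB1Protocol feature state   : {0}" -f $feature.State)

# 3. Is there already an inbound firewall rule blocking TCP 445?
$ruleName = "Block inbound SMB (TCP 445)"
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
Write-Host ("Inbound 445 block rule present: {0}" -f [bool]$rule)

if (-not $Remediate) {
    Write-Host "Audit only. Re-run with -Remediate to apply changes."
    return
}

# Turn off the SMB1 server protocol so the host no longer answers SMBv1 requests.
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# Remove the SMB1 binaries entirely; a reboot is needed for this to take full effect.
if ($feature.State -eq "Enabled") {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# Block inbound TCP 445 on every firewall profile. On a host that must serve files,
# scope this rule with -RemoteAddress to the subnets that should not reach it instead.
if (-not $rule) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any | Out-Null
}

Write-Host "Remediation applied; reboot to complete removal of the SMB1Protocol feature."
```

Run the audit across a fleet before remediating, since a legacy device that still depends on SMBv1 (an old printer or NAS, for example) will lose access once the protocol is disabled.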

As ransomware is constantly evolving, it is also imperative to back up critical data to protect against next-generation malware. It is important to note that some attackers and ransomware families will actively seek out online backups, so maintaining an offline backup mechanism is highly recommended. Depending on the size of your business, both the time and resource cost of doing so can be high, so ensuring a thorough data value assessment and prioritisation process has been undertaken is essential to investing wisely. There is also the possibility that changes made to files between the last backup and the encryption will be lost, so the frequency of backups should be carefully considered. Finally, it is worth emphasising that in the event of compromise, Hivint strongly advises against paying the ransom, as it motivates and funds cybercriminals to develop new techniques and technologies.

Article by: Eric Pinkerton, Lumina Remick, and Elliot Dellys

To find more detailed advice on how to protect your business from ransomware, as well as access to expert advice and an ever-growing collection of security resources, visit Hivint’s Security Colony (http://portal.securitycolony.com).
