What is ransomware?
Ransomware is a type of malicious software that threatens to publish data or block access to it, or to a whole computer system, usually by encrypting it, until the victim pays the attacker a ransom. In many cases, the ransom demand comes with a time limit: if the victim does not pay on time, the data is lost for good or the ransom increases. Ransomware is malware, sometimes wrongly called a “virus” (rightly so only if it duplicates and spreads by itself), whose final goal is to extract money from its victim. The infection occurs by downloading malicious software, sometimes hidden in the attachment of a booby-trapped email or behind a link. It can also be spread through compromised web pages that try to exploit vulnerabilities in computer systems or software.
How it works
Vectors of infection and distribution
Ransomware, like all malware, can enter an organization’s systems in a variety of ways, but ransomware operators tend to favor a few specific infection vectors. Phishing emails: a malicious email may contain a link to a website hosting a malicious download, or an attachment that includes download functionality. If the recipient of the email falls for the trap, the ransomware is downloaded and executed on their computer. Another common infection vector exploits exposed remote-access services such as Remote Desktop Protocol (RDP). With RDP, an attacker who has stolen or guessed an employee’s login information can use it to authenticate and gain remote access to a computer on the company network. With this access, the attacker can directly download malware and run it on the machine they now control.
Data encryption
Once the ransomware has gained access to a system, it can start encrypting files. Since encryption functionality is built into modern operating systems, it is simply a matter of reading the files, encrypting them with a key controlled by the attacker, and replacing the originals with the encrypted versions. Most ransomware variants carefully select which files to encrypt so that the system stays stable enough to display the ransom demand. Some variants also take steps to delete backups and shadow copies of files, making recovery without the decryption key more difficult.
Ransom demand
Once the file encryption is complete, the ransomware is ready to demand a ransom. Different variants implement this demand in different ways, but it is not uncommon for the wallpaper to be replaced with a ransom note or for text files containing the ransom demand to be placed in each encrypted directory. Usually, these notes demand a fixed amount of cryptocurrency in exchange for access to the victim’s files. If the ransom is paid, the ransomware operator provides either a copy of the private key used to protect the symmetric encryption key or a copy of the symmetric encryption key itself. This information can be entered into a decryption program (also provided by the cybercriminal) that uses it to undo the encryption and restore access to the user’s files.
Although these three essential steps exist in all ransomware variants, each family may implement them differently or add steps of its own. For example, variants like Maze perform file scanning, registry information collection, and data theft before encrypting data, and the WannaCry ransomware looks for other vulnerable devices to infect and encrypt.
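The two artefacts described in the encryption and ransom-demand steps above (files that have become ciphertext, and a note dropped in each affected directory) are what a defender can look for on disk. The following is an added example, not code from the original article: a small scanner that estimates the byte entropy of each file and flags directories that contain both a ransom-note-like text file and at least one high-entropy file. The keyword list, the entropy threshold and the sample folder layout are assumptions constructed for the demonstration.

```python
"""Added example (not from the original article): host-side check for encrypted
files sitting next to a ransom note. The sample tree below is constructed data."""
import math
import os
import random
import shutil
import tempfile
from collections import Counter

# Assumed values: words often seen in ransom notes, and an entropy cut-off.
# Plain text sits near 4-5 bits/byte, ciphertext and random data near 8.
NOTE_KEYWORDS = ("decrypt", "bitcoin", "ransom", "pay", "your files")
ENTROPY_THRESHOLD = 7.0
MIN_SIZE = 256  # entropy of very small files is not meaningful


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: str) -> bool:
    """A small text file mentioning at least two of the note keywords."""
    try:
        if os.path.getsize(path) > 64 * 1024:
            return False
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read().lower()
    except OSError:
        return False
    return sum(1 for kw in NOTE_KEYWORDS if kw in text) >= 2


def looks_encrypted(path: str) -> bool:
    """High-entropy content; the first 64 KiB is enough for an estimate."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(64 * 1024)
    except OSError:
        return False
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD


def scan_tree(root: str) -> dict:
    """Return {relative dir: {"notes": [...], "encrypted": [...]}} for every
    directory holding both a note-like file and a high-entropy file."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        notes, encrypted = [], []
        for name in filenames:
            full = os.path.join(dirpath, name)
            if looks_like_ransom_note(full):
                notes.append(name)
            elif looks_encrypted(full):
                encrypted.append(name)
        if notes and encrypted:
            findings[os.path.relpath(dirpath, root)] = {
                "notes": sorted(notes), "encrypted": sorted(encrypted)}
    return findings


def build_sample_tree(base: str) -> None:
    """Constructed sample: one healthy folder and one folder after an attack."""
    rng = random.Random(2024)  # deterministic stand-in for ciphertext
    healthy = os.path.join(base, "reports")
    hit = os.path.join(base, "photos")
    os.makedirs(healthy)
    os.makedirs(hit)
    with open(os.path.join(healthy, "q1.txt"), "w", encoding="utf-8") as fh:
        fh.write("Quarterly revenue summary and notes for the board.\n" * 40)
    for name in ("IMG_0001.jpg.locked", "IMG_0002.jpg.locked"):
        with open(os.path.join(hit, name), "wb") as fh:
            fh.write(bytes(rng.getrandbits(8) for _ in range(4096)))
    with open(os.path.join(hit, "README_TO_RESTORE.txt"), "w", encoding="utf-8") as fh:
        fh.write("Your files have been encrypted. To decrypt them, pay 0.5 Bitcoin.\n")


def run_demo() -> dict:
    """Build the sample tree in a temporary directory, scan it, clean up."""
    base = tempfile.mkdtemp(prefix="ransom-scan-")
    try:
        build_sample_tree(base)
        return scan_tree(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(run_demo())
```

Entropy alone is a weak signal, because compressed formats such as JPEG and ZIP archives are also close to 8 bits per byte; that is why the scanner only reports a directory when a note-like file appears alongside the high-entropy files. On a real host this check would be run against user data directories and fed into the same alerting as other endpoint telemetry.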
How to prevent ransomware
Back up your files
This advice is valid against ransomware but also for computers in general. Hard disks and other storage media are not infallible, so it is advisable to always keep your important data (photos, documents, etc.) duplicated in two different places. Ideally, the backup should be made on a regular basis to a medium that is connected to the device being backed up only while the files are copied (USB key, external hard drive, online backup, etc.). Indeed, ransomware can also spread to storage media connected to the infected device.
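A backup is only useful if it can be shown to be intact, and a drive that stayed connected can be encrypted along with the originals. The following added example, which is not part of the original article, copies a folder to a backup location, records a SHA-256 manifest of what was copied, and later re-hashes the copy against that manifest so that a damaged or overwritten file is reported. The manifest file name, the sample files and the damage scenario are assumptions constructed for the demonstration.

```python
"""Added example (not from the original article): file backup with a SHA-256
manifest and a verification pass. Sample files and paths are constructed."""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST_NAME = "backup-manifest.json"  # assumed name for this example


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: str, dst: str) -> dict:
    """Copy every file under src into dst and return {relative path: sha256}.
    The manifest is also written into dst so the copy can be checked later."""
    manifest = {}
    for dirpath, _, filenames in os.walk(src):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, src)
            target = os.path.join(dst, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(full, target)  # keeps timestamps as well as content
            manifest[rel] = sha256_of(full)
    with open(os.path.join(dst, MANIFEST_NAME), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return manifest


def verify_backup(dst: str) -> list:
    """Re-hash the copy against its manifest and return the relative paths that
    are missing or changed; an empty list means the backup is intact."""
    with open(os.path.join(dst, MANIFEST_NAME), encoding="utf-8") as fh:
        manifest = json.load(fh)
    problems = []
    for rel, digest in manifest.items():
        target = os.path.join(dst, rel)
        if not os.path.isfile(target) or sha256_of(target) != digest:
            problems.append(rel)
    return sorted(problems)


def run_demo() -> dict:
    """Constructed scenario: back up two files, verify, then simulate one copied
    file being overwritten (a backup drive that stayed plugged in during an
    infection) and verify again."""
    work = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        src = os.path.join(work, "documents")
        dst = os.path.join(work, "external-drive")
        os.makedirs(os.path.join(src, "photos"))
        with open(os.path.join(src, "thesis.txt"), "w", encoding="utf-8") as fh:
            fh.write("chapter one\n" * 100)
        with open(os.path.join(src, "photos", "cat.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff" + bytes(range(256)) * 4)
        manifest = make_backup(src, dst)
        before = verify_backup(dst)  # expected: []
        with open(os.path.join(dst, "thesis.txt"), "wb") as fh:
            fh.write(b"\x00" * 32)   # overwrite one copied file
        after = verify_backup(dst)   # expected: ["thesis.txt"]
        return {"files": sorted(manifest), "before": before, "after": after}
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(run_demo())
```

Because the manifest lives on the same medium as the copy, anything that can rewrite the backup can rewrite the manifest too; keeping a second copy of the manifest elsewhere (or simply the list of hashes) lets you verify a backup even when the medium itself is suspect. The same verification should be run each time the medium is reconnected, before anything new is written to it.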
Update your system and software
Ransomware, or more generally malware, spreads by using software or system vulnerabilities as a gateway. This is what allowed hackers to conduct the WannaCrypt cyberattack. Keep your Windows, Linux, Mac, Android, iOS, or other systems up to date and regularly check that you are running the latest version of your usual software, especially browsers. Finally, some operating systems and software are no longer supported and no longer receive security updates, so any vulnerability found in them remains open for as long as they stay in use.
More details will follow in the next article.