Ransomware – A Quick Overview

Ransomware Ransom Request

Ransomware is a type of malicious software (known as malware) that restricts, using encryption, access to data on your computer. Once the restriction takes place, a ransom is requested to unblock your data and if paid the restriction is removed, in theory. In principle, ransomware is a simple threat, yet one that has caused a lot of pain and expense in recent months due to its increasing popularity. The purpose of this article is to give a quick overview of ransomware, keeping it as simple as possible.

While ransomware is certainly not something new, it made a comeback in 2013 after many years of quiescence, many users still find themselves victims of this threat often without knowing how their device got infected. The file that infects your computer with ransomware may have several sources: dubious downloads, malicious or compromised websites, malvertising etc. That said, cyber criminals are becoming a lot more creative with their approaches, often including the threat in files that are very hard to detect by the casual user as they both look and function as files that are used on a day to day basis.

But that’s not all. Ransomware has been evolving at a very fast pace. The key to a successful ransomware attack is avoiding early detection.

In the third quarter of 2014, ransomware that encrypts your data accounted for more than a third of all ransomware types found in infected systems, and it’s still increasing in popularity at alarming rates.

How does Ransomware work?
Ransomware works by having the criminals create a code specifically designed to take control of a computer and hijack or restrict in some form, several key files. The files are encrypted so the victim loses access to them, yet leaving the system accessible to post the payment. Once executed, which may or may not happen immediately after launching a specific file, the ransomware can either block the computer screen or encrypt a specific set of files. Backup copies, external harddrives and network folders connected to the infected computer are encrypted as well.

CTB-Locker Ransomware showing the list of encrypted files
CTB-Locker Ransomware showing the list of encrypted files

In the case were a screen is blocked or frozen, the infected system will show a full-screen image or simple notification that prevents you from using your system unless the ransom is paid. This is sometimes supplemented with instructions on how to do this, as well as to gain access back. In the case were specific files are blocked or restricted, like documents, spreadsheets and other important files, than a similar notification and process is applied to the end user. Most recent ransomware operate through TOR in order to hide and protect the server that controls the encryption keys used during the encryption process.

What is the cost of a ransomware attack?
Costs associated with ransomware is difficult to measure. Firstly, the cost of an attack can vary drastically from a few dollars to tens of thousands. Since ransomware evolves faster than signature based antiviruses are able to produce safety nets, the amount is becoming less important as it is a 100% profit. The real cost, or risk, is either loss of data or time. Having an accurate measure of it is hard though confidently it is much greater than the ransom itself. An important risk to take into account is the fact that paying a ransomware doesn’t necessarily equate to having data back.

CTB-Locker Ransomware requesting Bitcoin payment
CTB-Locker Ransomware requesting Bitcoin payment

There are several factors to consider, the most important being that control servers are relatively short-lived and might not be active when the ransom is received in order to restore the data. The second important fact is that there’s no assurance that the ransomware is totally removed after paying, another instance might indeed popup at a later stage and the ransomware itself can potentially be used as a vector for other type of threats like RATs (Remote Access Tools) or Trojans.

How do you prevent a ransomware attack?
There have been countless articles on how to protect against ransomware threats, and a lot of misinformation. First of all, once infected, ransomware can infect an increasing number of files until a payment is made. Secondly, as just explained, ransomware will attack back up files and network folders.

Antivirus and other software tools that offer cyber protection have been ineffective at protecting against malware because they are often too late in reacting, or can be bypassed. Behavioural based cyber protection systems are a more effective since they can monitor constantly what the applications are doing, what kind of data they’re accessing and can spot any out of the ordinary activity before any damage is done to the system.

Join our newsletter to get the world’s latest security events and our technical analyses delivered directly to your inbox!

ReaQta