2016 was the year of blackmailing ransomware. This consists of malicious programmes being smuggled into an infected system and encrypting the data on it, turning it useless. Only after paying “ransom” money is the data decrypted, thus making it accessible again.
First, some ransomware history
This kind of blackmail is not new. Back in 1989, the Trojan “AIDS.exe” was able to hide away files and make them unusable. However, the programme changed only the file names but the contents themselves remained unchanged. This process was modified in 2008, when malicious programmes began to encrypt the file contents. Without the correct key the data could not be “rescued”. The problem was – as with “real” abductions – the delivery of the ransom. This also was changed in 2013. By using Bitcoin as a means of payment, the flow of money was no longer traceable and the spread of the malicious software could no longer be stopped.
The malware spread with the help of contaminated advertising banners and websites. E-mail attachments were also used as well as the classic method of the “lost” USB-stick in the parking lot or the toilet, which contained a malicious programme that infected the computer once it was inserted.
In the meantime, the programmes have become more sophisticated as has the selection of victims. Whereas in the past there was a tendency for high quantities – many victims with low ransoms added up to a significant sum, nowadays middle and upper management are being targeted. With the help of Spear-Phishing, CEOs are spied on and directly targeted. The e-mails are written in such a way that the addressee assumes that they come from a well-known and high-ranking person, usually within the same company. Once the attachment is opened, the victim is requested to click on a link that starts a larger action in the background. The malware is then loaded and activated.
Ransom attacks: evolution
After the installation, the programme contacts one or more so-called Command and Control (C & C) servers. From there, the most modern hacker tools are loaded onto the infected computer, which nests inside the system and ensures that even in the case of an immediate disconnection from the network (which could still inhibit the encryption of the data in case of older malicious software), the programme will continue to work after the computer is restarted.
A part of the malware nests inside the auto start folder, while another part “takes care” of the registry. Sub programmes try to get inside the company network, which could increase the chances of success since the victims here tend to have higher access rights than “normal” employees. What it means, if such a programme is able to spread over the company network, is easily imaginable.
Modern blackmail software is particularly designed to attack backup media. These are now the first targets because with the help of up-to-date backups most problems caused by a ransomware attack can be bypassed. Therefore, malware software nowadays tries to ensure that even the files on a backup are no longer usable.
What lies beneath
All this happens in the background. Before the completion of the infiltration process no one even suspects the lurking danger.
Once all the preparations have been made, the data is encrypted and the ransom demand is displayed on the screen of the infected computer. The requested sum is calculated from accounting information of the company’s sales and is often in the five or six-digit range.
The success rate is alarmingly high. A survey conducted by Osterman Research in the US, Canada, the UK and Germany shows that of the 540 companies interviewed, who had an average of 5,400 employees each, almost 40% had experienced problems with ransomware. More than a third of these had lost sales, while 20% were ruined by the data loss!
Anyone interested in a more detailed description of the process of an attack with the latest and most dangerous blackmail programme – CryptoWall 3.0 (CW3) – can find an ecourse on sentinelone.com. The article however is highly technical and written for technically savvy readers.
Picture copyright: Markus Spiske raumrot.com/www.pexels.com/ CC0 license