Ransomware is a type of malware used by cybercriminals to lock and encrypt victims' systems and data. The attackers then demand money from the victims, a ransom, in exchange for decrypting the systems. This is why the malware is called ransomware: the name comes from the English word "ransom".
Ransomware has been around since 1989, when the "AIDS trojan" was used to blackmail victims and demand money. In 1996, researchers at Columbia University presented another ransomware at a conference, demonstrating the progress, power and development of modern cryptographic tools.
Since then, cybercriminals have greatly evolved their methods and knowledge, creating ransomware that can do great harm to victims while allowing the criminals to make money and maintain their anonymity. This type of attack takes advantage of vulnerabilities in systems, networks and software, as well as of human error.
The target device can be a computer, printer, smartphone, wearable, POS terminal or another device, but the ransomware can spread throughout the network.
Ransomware attacks have become very common in recent years. Large companies in the United States and Europe have fallen victim to such attacks.
Cybercriminals can target individual users, but they usually choose companies and organizations, as the chances of receiving a ransom are higher.
Hackers usually set a deadline for paying the ransom. Until then, the data remains encrypted and inaccessible.
If the deadline expires and the victims have not paid, the criminals may permanently delete the data or, as is now common, publish data that was stolen before the systems were encrypted.
The ransom demanded by hackers can range from a few thousand to hundreds of thousands of dollars, and in most cases hackers demand it in the form of cryptocurrency.
Several security experts and government agencies, including the FBI, advise users not to pay the criminals.
How does ransomware work?
As mentioned earlier, ransomware is a type of malware designed to encrypt important data and blackmail victims.
What are the stages of a typical ransomware attack?
- Ransomware attacks on companies usually start with a phishing e-mail containing a malicious attachment or link. The unsuspecting user opens the attachment or clicks on the malicious URL. This installs the ransomware agent, which begins scanning the system for important files.
- The ransomware then begins encrypting the files on the victim's computer.
- In many cases, the malware steals data before encrypting it.
- After encryption, ransomware displays a message on the infected device. The message explains what has happened and gives other important information, such as the ransom amount, payment deadline and payment method.
- If the ransom is paid, the hackers will send a decryption key.
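The stages above describe the attacker's side. As an added example, not code from the original article, the following Python script shows one defensive counterpart: a simple detector aimed at the encryption stage. It consumes a constructed list of file-system events (timestamp, process, path, action, content) and raises an alert when a single process writes many high-entropy files within a short window, or when any process modifies a canary file that nothing legitimate should ever touch. The process names, paths, thresholds and sample contents are assumptions made for the demonstration.

```python
"""Heuristic detector for the encryption stage of a ransomware attack.

Added example, not from the original article. It consumes a constructed
event list of the form (timestamp_seconds, process, path, action, content)
and alerts when a process writes many high-entropy files in a short window
or modifies a canary file. Names, paths and thresholds are assumptions.
"""
import hashlib
import math
from collections import defaultdict, deque

# Canary (honeypot) files: nothing legitimate should ever write to them.
CANARY_FILES = {"C:\\Users\\a\\Documents\\_canary_do_not_touch.txt"}  # constructed path


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0..8); encrypted data sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def _pseudo_ciphertext(seed: str, size: int = 2048) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content (constructed)."""
    out = bytearray()
    i = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return bytes(out[:size])


def detect_ransomware_activity(events, window=30.0, min_files=5, entropy_threshold=7.0):
    """Return a list of alerts. Events may arrive in any order; they are sorted by time."""
    alerts = []
    recent = defaultdict(deque)  # process -> deque of (ts, path) high-entropy writes
    flagged = set()
    for ts, proc, path, action, content in sorted(events, key=lambda e: e[0]):
        if action != "write":
            continue
        if path in CANARY_FILES:
            alerts.append({"process": proc, "reason": "canary file modified", "files": [path]})
            continue
        if shannon_entropy(content) < entropy_threshold:
            continue  # plaintext-looking write, e.g. a user saving a document
        q = recent[proc]
        q.append((ts, path))
        while q and ts - q[0][0] > window:  # drop writes outside the sliding window
            q.popleft()
        if len(q) >= min_files and proc not in flagged:
            flagged.add(proc)  # report each process once
            alerts.append({
                "process": proc,
                "reason": f"{len(q)} high-entropy writes within {window:g}s",
                "files": [p for _, p in q],
            })
    return alerts


# Constructed sample events: normal document saves, one legitimate archive,
# then a burst of encrypted-looking writes and a canary hit by one process.
_DOC_TEXT = b"Quarterly revenue summary, prepared by the finance team. " * 40
SAMPLE_EVENTS = [
    (0.0, "winword.exe", "C:\\Users\\a\\report.docx", "write", _DOC_TEXT),
    (2.0, "excel.exe", "C:\\Users\\a\\budget.xlsx", "write", _DOC_TEXT),
    (5.0, "7z.exe", "C:\\Users\\a\\archive.7z", "write", _pseudo_ciphertext("7z")),
] + [
    (60.0 + 2 * i, "svchost.exe", f"C:\\Users\\a\\file{i}.docx.locked", "write",
     _pseudo_ciphertext(f"v{i}"))
    for i in range(6)
] + [
    (75.0, "svchost.exe", "C:\\Users\\a\\Documents\\_canary_do_not_touch.txt", "write",
     _pseudo_ciphertext("canary")),
]


def run_detection():
    """Run the detector over the constructed sample; returns the alert list."""
    return detect_ransomware_activity(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_detection():
        print(f"[ALERT] {alert['process']}: {alert['reason']} -> {alert['files'][:3]}")
```

Two caveats for anyone adapting this: real Office files are ZIP-compressed and therefore already high-entropy, so the sample's plaintext document contents are a simplification, and production detectors combine entropy with extension changes, rename rates, ransom-note drops and honeypot files before acting. The single legitimate archive write in the sample shows why a per-process count over a time window, rather than a single high-entropy write, is what triggers the alert.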
However, users should keep in mind that ransomware is not only installed through phishing emails and malicious attachments.
Users can also infect their systems by clicking on malicious links on social media such as Facebook and Twitter, clicking on malicious ads, downloading untrustworthy programs and applications, visiting unsafe sites, and so on.
Finally, ransomware gangs can exploit vulnerabilities in systems that have not been updated in order to deploy their malware.
Examples of ransomware
WannaCry is one of the best-known and most destructive ransomware families. In 2017, it spread to 150 countries, hitting 230,000 computers and causing losses of approximately $4 billion. The ransomware took advantage of a Windows vulnerability and had a mechanism that allowed it to spread on its own and infect other devices.
Cerber belongs to the category of ransomware-as-a-service (RaaS) and is available to various cybercriminals. Cerber encrypts files and tries to disable security and antivirus functions in order to prevent users from restoring their systems.
Locky can encrypt 160 file types. It was first released in 2016 and is distributed mainly through exploit kits or phishing. Hackers send an email with a malicious Word or Excel document or a ZIP file that installs the malware.
NotPetya and Petya
Petya ransomware infects a machine and encrypts the entire hard disk by targeting the Master File Table (MFT). This makes the whole disk inaccessible, even though the files themselves are not encrypted.
Petya first appeared in 2016 and only affects Windows computers.
The original Petya was not very successful, but a new variant, named NotPetya, proved to be far more dangerous. NotPetya can be deployed on systems without any human intervention. It initially spread through a backdoor and later used the EternalBlue and EternalRomance exploits against vulnerabilities in the Windows SMB protocol. It is reported that when it "encrypts" data it actually destroys it, so that it cannot be recovered: users who pay the ransom cannot get their data back.
Ryuk infects victims' devices through phishing emails or drive-by downloads. It uses a dropper, which places a trojan on the victim's machine. The attackers can then install additional tools such as keyloggers and other malware. In a Ryuk-based attack, the ransomware is the last stage, as the attackers have already damaged and stolen the files they need.
As for the targets of ransomware attacks, as mentioned above, they can be ordinary users as well as businesses.
Whom hackers target depends on many factors.
Some target organizations that they believe do not have many layers of protection.
Others target organizations that they believe are more likely to pay a ransom.
These include healthcare organizations and government services that hold critical information.
Security practices against ransomware
- Use reliable, modern antivirus software
- Create backups, especially of essential files
- Regularly update operating systems, applications and antivirus programs
- Train employees to recognize suspicious emails
- Use filters that automatically block suspicious emails
- Use a firewall and a VPN
- Segment the network
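Two of the practices above, filtering suspicious emails and training staff on attachments such as the Word, Excel and ZIP lures mentioned for Locky, can be partly automated at the mail gateway. The following Python attachment policy is an added example, not code from the original article: it classifies inbound attachments by their extension chain, flags macro-enabled Office documents, executables and scripts, double extensions, and ZIP archives that contain such files or password-protected entries, and returns a block or deliver verdict per message. The extension lists, the message structure and the sample messages are constructed assumptions.

```python
"""Inbound e-mail attachment policy (added example, not from the original article).

Flags attachment names and ZIP contents that match common ransomware lures:
executables and scripts, macro-enabled Office files, double extensions, and
archives that hide such files or use password protection. Extension lists,
the message structure and the sample messages are constructed assumptions.
"""
import io
import posixpath
import zipfile

BLOCKED_EXT = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta",
               ".ps1", ".bat", ".cmd", ".lnk", ".iso", ".img"}
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
ARCHIVE_EXT = {".zip"}


def _ext_chain(name: str) -> list:
    """All extensions, lower-cased: 'scan.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def _inspect_zip(data: bytes) -> list:
    """Look inside a ZIP without extracting anything to disk."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                inner = _ext_chain(posixpath.basename(info.filename))
                if inner and inner[-1] in BLOCKED_EXT | MACRO_EXT:
                    reasons.append(f"archive contains {info.filename}")
                if info.flag_bits & 0x1:  # bit 0 = entry is encrypted
                    reasons.append(f"archive entry {info.filename} is password-protected")
    except zipfile.BadZipFile:
        reasons.append("archive is malformed or not a ZIP")
    return reasons


def classify_attachment(name: str, data: bytes) -> list:
    """Return the policy reasons for this attachment; an empty list means clean."""
    reasons = []
    exts = _ext_chain(name)
    last = exts[-1] if exts else ""
    if last in BLOCKED_EXT:
        reasons.append(f"executable or script attachment ({last})")
    if last in MACRO_EXT:
        reasons.append(f"macro-enabled Office document ({last})")
    if len(exts) >= 2 and last in BLOCKED_EXT | MACRO_EXT:
        reasons.append("double extension disguises the real file type")
    if last in ARCHIVE_EXT:
        reasons.extend(_inspect_zip(data))
    return reasons


def filter_message(msg: dict) -> tuple:
    """Return (verdict, reasons) for a message dict whose 'attachments' is a list of (name, bytes)."""
    reasons = []
    for name, data in msg.get("attachments", []):
        reasons.extend(f"{name}: {r}" for r in classify_attachment(name, data))
    return ("block" if reasons else "deliver"), reasons


def _make_zip(entries: dict) -> bytes:
    """Build a small in-memory ZIP for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"subject": "Q3 report", "attachments": [("q3_report.pdf", b"%PDF-1.4 constructed")]},
    {"subject": "Invoice overdue",
     "attachments": [("invoice_2024.zip", _make_zip({"invoice_2024.js": "// constructed"}))]},
    {"subject": "Updated spreadsheet", "attachments": [("budget.xlsm", b"PK constructed")]},
    {"subject": "Scanned document", "attachments": [("scan.pdf.exe", b"MZ constructed")]},
]


def run_filter() -> list:
    """Apply the policy to every sample message; returns [(subject, verdict), ...]."""
    return [(m["subject"], filter_message(m)[0]) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        verdict, reasons = filter_message(m)
        print(f"{verdict:8} {m['subject']!r}")
        for r in reasons:
            print("         -", r)
```

A name-based policy is only a first layer: it catches the obvious lures but not a plain .doc or .xls whose macro payload the gateway cannot see without parsing the file, so in practice it sits in front of content inspection, sandbox detonation and user training rather than replacing them. The password-protected ZIP check matters because the password is the usual trick for getting an archive past scanners that do open ZIPs.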
The above security practices can to some extent protect users and businesses from various cyber attacks.
However, in the event of a ransomware attack there is one key rule: do not pay the ransom, and contact the competent authorities. The attackers are not people you can trust.
Even if the ransom is paid, there is no certainty that the criminals will give the victim the decryption key, or that they will not leak the stolen data.
Ransomware attacks are so popular because they bring criminals large sums of money. Only if victims stop paying ransoms can we hope to reduce these attacks!