What is Ransomware?
Ransomware is a type of malware that encrypts the victim’s files and holds them hostage, demanding a ransom for their decryption.
The Increasing Threat of Ransomware
Ransomware attacks have increased in scope and frequency over the past few years; one recent estimate puts the number of new ransomware samples in the beginning of 2017 alone at more than 150,000. Because of this rising threat, many security companies are releasing tools to help users decrypt their files without paying the ransom, but these tools have seen limited success, because users typically only care about recovering their own data. Many files encrypted with the same key can be reversed, and it is common for such encryption to be cracked within a few days or weeks.
Types of Ransomware
These shorter-lived ransomware samples account for only a small fraction of all ransomware attacks, however; most ransomware encrypts victims’ files using asymmetric (public-key) cryptography. This type of cryptography requires that the attacker demonstrate knowledge of the decryption key without revealing it to anyone who does not possess the corresponding private key. This type of encryption is much more secure than other types because it protects against things like antivirus software and file recovery utilities.
Ransomware authors often release “cracked” versions of their malware after a few months so they can cash in on users whose files were lost earlier, before the decryption key was known. This delayed decryption is often offered as an alternative revenue stream, but it can also encourage victims to pay the ransom, because they will only need to pay once (instead of for every file that needs decrypting).
Ransomware as a Problem
The most common form of ransomware uses bitcoin as its “currency” and operates through a command-and-control server; these servers make it easy for anyone with a computer and an internet connection to generate new ransomware samples and inject them into incoming network traffic. They can even create variants by changing existing binary files slightly or by uploading entirely different executables compiled from the same source code base. It is difficult for security researchers to purchase all the necessary tools on the black market, so many anti-ransomware tools have been developed so that they can be easily cloned and customized to target new variants.
Ransomware authors often combine their malware with information-stealing trojans, so users must defend against both threats at the same time while they are active on the computer. The combined risk from these two types of malware is enormous, because they can steal login credentials for online banking accounts, social network profiles, and other sensitive data, which could lead to significant financial loss or even identity theft. To add insult to injury, ransomware will continue encrypting files until its “job” has been completed (e.g., if a user’s administrator account is encrypted by CryptoLocker, any non-administrator file shares will be inaccessible after reboot).
Current Trends in Solving Ransomware Problems
Many security companies have developed new approaches to help protect users from ransomware, but these tools are often not worth the cost because they only work on a single version of one threat family. Most new protection tools also rely on behavior-blocking techniques that have proven unreliable in the past. Some tools offer dynamic analysis features that can detect unknown malware by placing it in a virtual machine and carefully monitoring its behavior, but this technique cannot reliably stop ransomware, because most samples take several minutes to encrypt files (and many will exit before then). Behavior-blocking methods like whitelisting (approving known good executables) and blacklisting (blocking known bad executables) can be effective for stopping ransomware; unfortunately, neither method is reliable enough to be used without expert oversight in mission-critical environments.
Ransomware authors often evade traditional antivirus software, but many security companies have developed powerful tools that can unpack the contents of packed malicious files. These tools are not effective against all ransomware variants, because some pack their executables using more advanced techniques (e.g., polymorphic code, self-modifying code). Some researchers have proposed novel defense strategies, such as creating “vaccine” files that contain harmless dummy data instead of personal documents so they will not be encrypted during an attack, but the key generation algorithms used by newer ransomware variants render this method ineffective after a few days or weeks.
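The two defensive ideas above, behavior monitoring and decoy (“vaccine”) files, can be combined into a host-side detector that does not depend on recognizing a particular ransomware family. The following is an added example written for this page; it is not code from the original post or from any vendor tool. It assumes a hypothetical file-system sensor that reports each write as a (timestamp, pid, process name, path, sampled bytes) record, a hypothetical set of decoy paths under `C:\Users\alice`, and constructed thresholds (five high-entropy writes within ten seconds). The sample events are constructed, not captured from real malware.

```python
"""Added example: behavior-based ransomware detection over constructed file-write events."""
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class FileEvent:
    ts: float      # seconds (constructed timestamps)
    pid: int
    proc: str      # process image name as the hypothetical sensor reports it
    path: str      # file that was written
    data: bytes    # first bytes written, as a file-system sensor might sample them


# Hypothetical decoy ("vaccine"/canary) files: no legitimate program should ever rewrite these.
DECOY_PATHS: Set[str] = {
    r"C:\Users\alice\Documents\_canary_do_not_open.docx",
    r"C:\Users\alice\Pictures\_canary_.jpg",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, around 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def detect(events: Iterable[FileEvent], decoys: Set[str] = DECOY_PATHS,
           window: float = 10.0, min_writes: int = 5,
           entropy_threshold: float = 7.0, min_high_fraction: float = 0.8
           ) -> List[Tuple[int, str, str]]:
    """Return (pid, process, reason) alerts.

    Rule 1: any write to a decoy file alerts immediately.
    Rule 2: a process whose writes in one sliding window are both numerous and
            mostly high-entropy alerts once (a backup job writes many files, but
            they keep their original entropy; an editor writes few files).
    """
    alerts: List[Tuple[int, str, str]] = []
    by_pid: Dict[int, List[FileEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.path in decoys:
            alerts.append((ev.pid, ev.proc, f"decoy file rewritten: {ev.path}"))
        by_pid[ev.pid].append(ev)
    for pid, evs in by_pid.items():
        high = [shannon_entropy(e.data) >= entropy_threshold for e in evs]
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= min_writes and sum(high[start:end + 1]) / count >= min_high_fraction:
                alerts.append((pid, evs[end].proc,
                               f"{count} high-entropy writes in {window:.0f}s"))
                break
    return alerts


# Constructed payloads: every byte value appears equally often (entropy exactly 8.0),
# standing in for ciphertext; the text block stands in for an ordinary document.
CIPHERTEXT_LIKE = bytes(range(256)) * 4
TEXT_LIKE = b"Quarterly figures for Q3: revenue up, costs flat. " * 20


def sample_events() -> List[FileEvent]:
    docs = r"C:\Users\alice\Documents"
    evs: List[FileEvent] = []
    # Constructed: an encryptor-like process rewrites six documents in under eight seconds,
    # one of which is the decoy.
    victims = ["budget.xlsx", "notes.txt", "_canary_do_not_open.docx",
               "cv.docx", "plan.pptx", "old.pdf"]
    for i, name in enumerate(victims):
        evs.append(FileEvent(100.0 + i * 1.5, 4242, "svchost_update.exe",
                             f"{docs}\\{name}", CIPHERTEXT_LIKE))
    # Constructed: a word processor saving two documents (few writes, low entropy).
    evs.append(FileEvent(100.2, 1001, "winword.exe", f"{docs}\\letter.docx", TEXT_LIKE))
    evs.append(FileEvent(104.0, 1001, "winword.exe", f"{docs}\\memo.docx", TEXT_LIKE))
    # Constructed: a backup job copying eight files quickly (many writes, but low entropy).
    for i in range(8):
        evs.append(FileEvent(100.0 + i * 0.5, 2002, "backup.exe",
                             rf"D:\backup\file{i}.txt", TEXT_LIKE))
    return evs


if __name__ == "__main__":
    for pid, proc, reason in detect(sample_events()):
        print(f"ALERT pid={pid} proc={proc}: {reason}")
```

Only the encryptor-like process trips either rule: the decoy rule fires on the first touch of the canary document, and the entropy-burst rule fires once five of its writes fall inside the window. The backup job writes more files in the same time but is ignored because its writes keep document-like entropy, which is why the two conditions are combined rather than used alone. Thresholds and decoy locations are placeholders to be tuned per environment.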
One recent entry into the ransomware arena is a new family of ransomware that leverages on-the-fly encryption to avoid detection and sandboxing techniques used by security companies. It also uses a different distribution channel than traditional ransomware because it can be directly downloaded from some websites as a Windows executable file instead of being installed by other malware first. Many computer users have been tricked into infecting themselves because they were told they needed to update Adobe Flash (which is not true in this case).
What You Should Do Next!
The good news is that most ransomware authors are lazy and will reuse existing source code when creating new ransomware families. That means security companies can focus their efforts on analyzing only the few hundred known ransomware families and adapt generic detection techniques developed for each one of them to new variants. Protect yourself from ransomware attacks and call Bayshore Interactive today for a free network assessment at 321.710.0920.