
Ransomware

Ransomware is malware which restricts access to a computer and demands money to remove the restriction. It can be distributed via email, phishing links, or drive-by download.

Early examples of ransomware would lock up an operating system and display a message demanding money to regain use of the computer. They were a nuisance but not particularly effective.

“Your computer contains illegal software and pornography. Authorities will be contacted unless you pay a fine.”

Recent versions of ransomware are more potent. They use strong encryption algorithms to encrypt certain file types. The files may include local, shared, and networked drives, including files on cloud servers like Dropbox. Then the malware demands that the user pay to receive the password necessary to decrypt them.

“All files on your computer have been encrypted. You must pay a ransom within 72 hours to regain access to your data.”

Payments are frequently around $200-400, payable in bitcoin, cash vouchers, or gift cards which are difficult to trace. Paying the ransom money may or may not decrypt the files, and even if the password is delivered, the malware and backdoors into the computer may remain.

Ransomware grew rapidly in the mid-2010s. From 2013-2015 the share of new malware that consisted of new ransomware variants grew significantly each year (2013: 20%, 2014: 40%, 2015: 60%), and 2016 was dubbed “the year of ransomware”. According to one analysis, in early 2016 93% of phishing emails were pushing ransomware, while at the same time phishing had increased 789%. Ransomware has remained one of the most disruptive categories of cybercrime in the years since, with high-impact incidents like WannaCry (2017), NotPetya (2017), the Colonial Pipeline attack (2021), Kaseya/REvil (2021), and ongoing campaigns by LockBit, BlackCat/ALPHV, and Cl0p.

A single ransomware strain can hit 5,000 computers/day and generates estimated payments of $5 million/year. Attackers have shifted toward targeting businesses, which are more willing and able to pay than individuals, because the file loss and inconvenience are worth more to a company than a few hundred dollars.


Biggest Names in Ransomware

  • CryptoWall
  • CryptoLocker
  • TorrentLocker
  • Chimera
  • CTB Locker
  • TeslaCrypt
  • Ransom32
  • Locky
  • MSIL/Samas

Ransomware Preventions

The best prevention is to back up computer files regularly and to keep the backups on offline media. (The MSIL/Samas ransomware deletes any backup files it finds.) This will not prevent a ransomware infection, but it will greatly limit the damage.
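An offline backup only limits the damage if it is still intact when you need it, and the MSIL/Samas note above shows why that cannot be assumed. The following is an added example, not code from the original page: it records a SHA-256 manifest when a backup is taken (the manifest is kept apart from the backup tree, ideally on the offline media and in a second location) and later reports files that are missing, modified, or unexpected. The demo() scenario, the file names, and the tampering it simulates are all constructed for illustration.

```python
import hashlib
import json
import os
import tempfile


def file_sha256(path):
    """SHA-256 of a file, read in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_sha256(full)
    return manifest


def verify_backup(root, manifest):
    """Compare a backup tree against the manifest written when the backup was taken.

    Returns sorted lists of files that are missing (deleted), modified (content
    differs from the recorded hash), and unexpected (present but never recorded,
    e.g. a dropped ransom note)."""
    current = build_manifest(root)
    missing = sorted(p for p in manifest if p not in current)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    unexpected = sorted(p for p in current if p not in manifest)
    return {"missing": missing, "modified": modified, "unexpected": unexpected}


def demo():
    """Constructed scenario: take a backup, serialize the manifest, then simulate
    tampering of the kind described on the page (one file deleted, one
    overwritten, one foreign file added) and show that verification catches it."""
    with tempfile.TemporaryDirectory() as backup:
        os.makedirs(os.path.join(backup, "docs"))
        with open(os.path.join(backup, "docs", "report.txt"), "w") as f:
            f.write("quarterly report\n")
        with open(os.path.join(backup, "notes.txt"), "w") as f:
            f.write("meeting notes\n")

        # The manifest lives outside the tree it describes; JSON keeps it portable.
        stored = json.dumps(build_manifest(backup))

        # Tampering with the backup volume (constructed, confined to the temp dir).
        os.remove(os.path.join(backup, "notes.txt"))
        with open(os.path.join(backup, "docs", "report.txt"), "wb") as f:
            f.write(os.urandom(32))
        with open(os.path.join(backup, "README_DECRYPT.txt"), "w") as f:
            f.write("your files are encrypted\n")

        return verify_backup(backup, json.loads(stored))


if __name__ == "__main__":
    print(demo())
```

Run the verification from a clean, trusted host against the mounted backup media, never from the machine being restored; if the manifest and the backup are both reachable from an infected host, both can be altered together.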

Ransomware is primarily delivered via drive-by downloads and phishing emails, so the standard precautions against those are good prevention against ransomware. Email spam filtering can stop phishing emails from arriving, and users should ignore or block email attachments from suspicious sources. Disable macros in email attachments: some phishing attachments are documents that, when opened, ask the user to click “Enable Editing”, which is the lure used to get the embedded macro running.
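Disabling macros on the endpoint is the control; a mail gateway can additionally quarantine macro-carrying attachments before a user ever sees the “Enable Editing” prompt. The following is an added example, not code from the original page. It relies on a property of the Office Open XML format: a document that carries VBA stores it as word/vbaProject.bin, xl/vbaProject.bin or ppt/vbaProject.bin inside the zip package, so the check looks inside the package rather than trusting the file extension, and a macro document renamed to .docx is still caught. The sample attachments are constructed in memory by make_package(); they are minimal zip packages shaped like Office files, not real documents.

```python
import io
import zipfile

# Package parts where Word, Excel and PowerPoint store VBA code.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

# Extensions Office reserves for macro-enabled documents and templates.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")


def attachment_verdict(filename, data):
    """Classify one attachment by content.

    'macro'      - OOXML package containing a VBA project, or declared macro-enabled
    'clean'      - OOXML package without VBA
    'not-office' - not a zip-based Office package (handled by other controls)
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
    # Every OOXML package carries a content-types part at its root.
    if "[Content_Types].xml" not in names:
        return "not-office"
    if any(part in names for part in VBA_PARTS):
        return "macro"
    # Extension says macro-enabled even if no VBA part is present: treat conservatively.
    if filename.lower().endswith(MACRO_EXTENSIONS):
        return "macro"
    return "clean"


def make_package(parts):
    """Build a minimal OOXML-shaped zip in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        for name, payload in parts.items():
            z.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a plain document, a macro document renamed to look
# harmless, a genuinely macro-enabled workbook, and a non-Office file.
SAMPLES = {
    "invoice.docx": make_package({"word/document.xml": "<w:document/>"}),
    "invoice_urgent.docx": make_package({
        "word/document.xml": "<w:document/>",
        "word/vbaProject.bin": b"\x00" * 16,
    }),
    "sheet.xlsm": make_package({
        "xl/workbook.xml": "<workbook/>",
        "xl/vbaProject.bin": b"\x00" * 16,
    }),
    "readme.txt": b"plain text, nothing to unpack",
}


def triage(samples):
    """Verdict for every attachment in a message; 'macro' ones go to quarantine."""
    return {name: attachment_verdict(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:22s} {verdict}")
```

This covers only the zip-based OOXML formats; legacy binary .doc/.xls files are OLE2 compound documents and need a separate parser, and attachments inside archives or password-protected zips must be unpacked first or blocked outright.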

Application whitelisting, which is becoming increasingly popular, is a good way to block malware: the only software that can run is software that has been granted explicit permission to run.

Another prevention is to block Tor traffic where possible. Ransomware frequently uses Tor to communicate between the infected computer and its command and control server.
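Blocking Tor at the perimeter and spotting the hosts that tried to reach it are the same lookup: a destination matched against a list of known relays. The following is an added example, not code from the original page. It parses constructed firewall log lines (the format, the internal hosts and the TOR_RELAYS set are all made up for illustration; addresses use the reserved documentation ranges) and raises an alert when an internal host connects to a listed relay, or as a weaker signal to Tor's default relay ports 9001 and 9030. In production the relay set would be loaded from a published source such as the Tor Project's exit list at https://check.torproject.org/torbulkexitlist and refreshed on a schedule.

```python
import ipaddress
import re

# Constructed relay set standing in for a regularly refreshed published list.
TOR_RELAYS = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

# Tor's default ORPort and DirPort: a weak indicator alone, stronger with a relay hit.
TOR_DEFAULT_PORTS = {9001, 9030}

# Internal ranges whose destinations are never Tor relays (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log format: "<timestamp> <src>:<sport> -> <dst>:<dport> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$"
)


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_tor_connections(lines, relays=TOR_RELAYS):
    """Return one alert per log line whose destination looks like Tor.

    Each alert lists the reasons that fired so an analyst can weigh a relay
    match (high confidence) against a port-only match (needs corroboration)."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip, or count it in a real pipeline
        dst, dport = m.group("dst"), int(m.group("dport"))
        if is_internal(dst):
            continue
        reasons = []
        if dst in relays:
            reasons.append("known-tor-relay")
        if dport in TOR_DEFAULT_PORTS:
            reasons.append("tor-default-port")
        if reasons:
            alerts.append({
                "time": m.group("ts"),
                "src": m.group("src"),
                "dst": f"{dst}:{dport}",
                "reasons": reasons,
            })
    return alerts


def hosts_to_isolate(alerts):
    """Internal hosts with a confirmed relay hit: first candidates for isolation and triage."""
    return sorted({a["src"] for a in alerts if "known-tor-relay" in a["reasons"]})


# Constructed sample log: relay on 443, benign web traffic, relay on 9001,
# unknown host on 9030, and an internal service on 9001 (must not alert).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5:51000 -> 203.0.113.10:443 ALLOW",
    "2024-05-01T10:00:02Z 10.0.0.5:51001 -> 192.0.2.99:443 ALLOW",
    "2024-05-01T10:00:03Z 10.0.0.9:51002 -> 198.51.100.7:9001 ALLOW",
    "2024-05-01T10:00:04Z 10.0.0.12:51003 -> 192.0.2.44:9030 ALLOW",
    "2024-05-01T10:00:05Z 10.0.0.5:51004 -> 10.0.0.1:9001 ALLOW",
]


if __name__ == "__main__":
    found = find_tor_connections(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("isolate:", hosts_to_isolate(found))
```

The relay list is deliberately the only high-confidence signal: Tor bridges and pluggable transports are not in the public lists, so a clean result does not prove the absence of Tor, and a host that is matched should be checked for the other ransomware indicators above rather than treated as the whole story.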