Ransomware is a strain of computer contaminant that serves cybercriminals as a digital means of committing extortion via the Internet. This invasive breed of malware is programmed to limit or entirely block affected users' access to their files, to particular programs, or to the entire computer system. In the second stage of the blackmail scheme, victims are told in no uncertain terms that the only way to ever retrieve their encrypted data or regain control over their locked software or device is to pay a (usually monetary) ransom. Typically, to strengthen the effect of the threat and raise the level of intimidation, a strict deadline is also set. The first known instance of a ransomware infection, the AIDS Trojan, was recorded as early as December 1989. Evolving over a few pivotal phases, such as the first appearance of modern Crypto Ransomware in 2005 (PGPCoder, also known as GPCode and Trojan.Gpcoder), the pioneering launch of the first Locker Ransomware that made using the entire PC impossible in 2008 (Trojan.Randsom.C), and the massive shift to Crypto Ransomware in 2013, Ransomware is nowadays so widespread, and its growth so persistent, that the number of Ransomware applications rose by a whopping 58% in the second quarter of this year alone.
Main Types of Ransomware
Depending on whether it is aimed at blocking access to the computer itself or to specific data files, Ransomware is presently divided into two main categories:
Locker Ransomware (computer locker, also known as “Police Ransomware”)
Crypto Ransomware (data locker)
So-called Crypto Ransomware is designed to locate important data and render it inaccessible to the user by encrypting it. Since most people now store their most valuable information on their computers, cybercriminals use malware to search for files such as personal pictures, work presentations, banking-related documents and cryptocurrency wallets, and encrypt them using complex algorithms in order to pressure victims into paying a ransom fee. As most users do not regularly create backup copies of their systems, and contemporary encryption methods are as good as unbreakable, in many cases paying the ransom turns out to be the only way to restore “kidnapped” data. What is especially disquieting about crypto ransomware is that it works entirely stealthily: it reveals its presence via a ransom notification only after its work of encrypting files, deleting traces and sending the decryption keys to its C&C servers is done. To further increase the pressure and push victims towards the desired action (i.e. giving in to the ransom demand), cybercriminals impose payment deadlines. Although users are told that after the deadline expires their files will be irreversibly lost (for example by an alleged automatic deletion of the decryption key held on the attackers' remote servers), crypto ransomware actors usually only raise the ransom fee, giving victims “a last chance” to retrieve their data. Among the most prominent crypto ransomware families are notorious computer contaminants such as CryptoLocker, CryptoWall and CTB Locker.
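The paragraph above describes the two artefacts a victim eventually finds: files whose contents have become indistinguishable from random data (the hallmark of strong encryption) and a ransom note dropped beside them. The following script is an added defender-side example, not code from the original article. It measures the Shannon entropy of each file under a directory, flags files that look encrypted, and flags text files that read like a ransom note. The sample files are constructed inline so that it runs offline; the entropy threshold, the minimum file size and the note vocabulary are assumptions that a real deployment would tune.

```python
"""Entropy- and keyword-based sweep for signs of crypto ransomware (added example)."""
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumption: ordinary documents rarely exceed ~6
MIN_SIZE = 256            # assumption: entropy estimates are too noisy on tiny files
NOTE_KEYWORDS = ("decrypt", "bitcoin", "ransom", "your files")  # assumed note vocabulary


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated byte, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes) -> bool:
    """Ciphertext from a sound cipher is near 8 bits/byte; compressed media gets close, so this is a lead, not proof."""
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD


def looks_like_ransom_note(data: bytes) -> bool:
    """A note is plain text that uses at least two of the assumed keywords."""
    try:
        text = data.decode("utf-8").lower()
    except UnicodeDecodeError:
        return False
    return sum(keyword in text for keyword in NOTE_KEYWORDS) >= 2


def scan_directory(root: str) -> dict:
    """Walk root and return the number of files scanned plus the paths each heuristic flagged."""
    report = {"scanned": 0, "high_entropy": [], "ransom_notes": []}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            report["scanned"] += 1
            if looks_encrypted(data):
                report["high_entropy"].append(path)
            if looks_like_ransom_note(data):
                report["ransom_notes"].append(path)
    return report


def build_sample_tree(root: str) -> None:
    """Constructed sample data: three plain documents, two files standing in for encrypted photos, one note."""
    os.makedirs(root, exist_ok=True)
    for i in range(3):
        with open(os.path.join(root, f"report{i}.txt"), "w") as fh:
            fh.write((f"Quarterly figures and meeting minutes, paragraph {i}. ") * 40)
    for i in range(2):
        with open(os.path.join(root, f"photo{i}.jpg.locked"), "wb") as fh:
            fh.write(os.urandom(4096))   # random bytes stand in for ciphertext
    with open(os.path.join(root, "HOW_TO_DECRYPT.txt"), "w") as fh:
        fh.write("Your files have been encrypted. Send 1 Bitcoin to decrypt them.")


def run_demo() -> dict:
    """Build the constructed tree in a temporary directory, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    result = run_demo()
    print(f"scanned {result['scanned']} files")
    print("possibly encrypted:", *result["high_entropy"], sep="\n  ")
    print("ransom notes:", *result["ransom_notes"], sep="\n  ")
```

Two caveats for anyone turning this into a monitoring check: legitimately compressed or already-encrypted files (archives, JPEGs, password-protected documents) also score close to 8 bits per byte, so the entropy hit should be combined with a change in file extension or a sudden burst of modifications across many files; and, as the paragraph notes, by the time the note appears the encryption is already finished, so the check is for scoping an incident and verifying backups, not for prevention.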
In a direct and brazen response to the Internet becoming a crucially important part of contemporary commerce, hackers have targeted higher-value victims such as website operators and web service providers, thus stirring up a new wave of Ransomware. Unlike traditional Locker and Crypto Ransomware, which attack the end user in order to extort an amount ranging from $100 to $1000 on average, so-called RansomWeb encrypts vital website data directly on the hosting server, and is thus able to permanently destroy the affected web application. Since many online companies cannot afford to be offline even for a day, there is no strictly set upper limit to the ransom fees that RansomWeb operators can demand.
The brazenness of Ransomware actors evidently knows no bounds. Reportedly, cybercriminals not only launch extortion attacks on home users and businesses, but do not shy away from blackmailing law enforcement institutions and school districts either.
Ransomware Promotion and Propagation
Spam E-Mail Campaigns
Traffic Delivery Systems
A Traffic Delivery System (TDS) vendor is a company that buys clicks (on outgoing links) from website operators and sells them to third parties at a profit. Since a TDS guarantees an influx of traffic, Ransomware actors often pay for such services in order to redirect geo-targeted users to malicious websites that are used to conduct drive-by download attacks.
Malvertising, the practice of placing maliciously designed advertisements within trusted advertising networks, is broadly used by Ransomware creators as a means of reaching a wide range of potential victims. Resorting to different methods, from directly buying ad space to exploiting software vulnerabilities, cybercriminals successfully compromise reputable affiliate networks, thus sending countless unsuspecting users to malicious websites equipped with exploit kits.
A Downloader, or Trojan.Downloader, is a computer contaminant whose purpose is to download additional malware onto an already compromised computer. Since Downloader actors offer a paid distribution service (i.e. they help other cybercriminals smuggle their malicious programs onto target systems in exchange for money), hackers sometimes use them as an alternative way of launching Ransomware attacks.
Botnets also count among Ransomware's documented propagation vectors. For instance, the infamous Gameover ZeuS botnet has been used to distribute the notoriously malevolent CryptoLocker. Considering the huge financial success of this fraud, it is to be expected that other hackers will follow this example and also use botnets to install extortion malware completely undisturbed.
Worryingly, although it is not a typical Ransomware feature, there is a CryptoLocker variant that can self-propagate by copying itself onto removable drives. This can only mean that hackers are strongly motivated and determined to fully exploit old malware distribution methods while inventing and exploring new ones.
In addition to conventional propagation methods, and to security experts' great concern, Ransomware developers have discovered a new way to simultaneously monetize and spread their malware more quickly and more widely – RaaS (Ransomware-as-a-Service). This means that rookie Internet crooks can nowadays venture into the online extortion business without any technical background or money to invest, thanks to Dark Net platforms such as Tox and ORX-Lockers, which offer customizable ransomware construction kits with which anyone ill-intentioned enough can easily create their own data-locking malware.
Pricing and Payment
Based on media publications, it can be inferred that the average ransom demand in 2015 lies at around $500. Interestingly, some Ransomware actors have shown the economic acumen to adopt a dynamic, geographically based pricing approach, thus suiting the different purchasing powers of victims from unequally developed world regions. Regarding payment methods, Crypto Ransomware and Locker Ransomware operators seem to have strict preferences. Since anonymity is of the greatest importance to the former, they usually demand payment in Bitcoin, using the virtual undetectability that the Tor browser provides. The latter, however, taking into account that their victims' ability to interact with the locked devices is greatly limited, resort to prepaid online voucher services such as PaysafeCard (since these only require the user to input a scratch code).
Dangers of Ransomware
Apart from the two most obvious dangers that Ransomware poses, data loss and financial damage, this quickly evolving type of malware can expose users to an unpredictable variety of additional security threats. For example, VaultCrypt downloads another malicious program that is used to steal the login credentials for the websites that victims infected with the ransomware are signed up to. Furthermore, most crypto ransomware families host their C&C servers and ransom pages on the Dark Net. Accessing them to gain information or pay the ransom inevitably means exposing oneself to the countless hazards of the Deep Web (such as malware, phishing fraud, etc.), where even computer-savvy users may find themselves helpless.
There is no universal strategy that can protect users from Ransomware attacks regardless of the technical specifics and propagation methods of the different threats. Nevertheless, modeling one's computer use on a set of generally beneficial rules may greatly reduce the risk of becoming a victim of Internet extortion. For one, keeping up to date with current ransomware trends through self-education can help users adjust their online behavior accordingly. Another extremely vital safety measure is to always download and install the newest patches and free upgrades for all installed software, because malware usually exploits unfixed vulnerabilities in the code of popular applications such as MS Office, Adobe Flash and Oracle Java. It is also highly recommended to regularly make backup copies of the whole system (using removable drives), so that even if a successful ransomware attack takes place, data can still be retrieved without paying cybercriminals. Last but by far not least, acquiring and constantly running a trustworthy antivirus program can immensely increase your chances against digital blackmail and other computer-based security threats.
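The backup advice above carries a practitioner's caveat: a copy on a removable drive only helps if it is still intact when it is needed, and a drive that was left attached during an attack may have been encrypted along with everything else. The script below is an added example, not code from the original article, that writes a SHA-256 manifest beside each backup and later verifies the copy against it, classifying files as modified, missing or unexpected. The source tree, the manifest file name and the simulated damage are all constructed for the demonstration.

```python
"""Backup with a hash manifest, and a verification pass that notices damaged copies (added example)."""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST_NAME = "backup-manifest.json"  # assumed name for the manifest stored beside the copy


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (relative POSIX-style path) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name == MANIFEST_NAME:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def backup(source: str, dest: str) -> dict:
    """Copy the source tree to dest and record the manifest beside the copy."""
    shutil.copytree(source, dest, dirs_exist_ok=True)
    manifest = build_manifest(source)
    with open(os.path.join(dest, MANIFEST_NAME), "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return manifest


def verify_backup(dest: str) -> dict:
    """Compare the copy against its manifest and report discrepancies by class."""
    with open(os.path.join(dest, MANIFEST_NAME)) as fh:
        expected = json.load(fh)
    actual = build_manifest(dest)
    return {
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "unexpected": sorted(p for p in actual if p not in expected),
    }


def run_demo() -> tuple:
    """Back up a constructed tree, verify it, then damage the copy and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "source")
        dst = os.path.join(tmp, "removable_drive", "backup")
        os.makedirs(os.path.join(src, "docs"))
        os.makedirs(os.path.join(src, "photos"))
        with open(os.path.join(src, "docs", "thesis.txt"), "w") as fh:
            fh.write("Chapter 1\n" * 100)
        with open(os.path.join(src, "photos", "holiday.jpg"), "wb") as fh:
            fh.write(bytes(range(256)) * 8)
        with open(os.path.join(src, "wallet.dat"), "wb") as fh:
            fh.write(b"\x00" * 512)
        backup(src, dst)
        clean = verify_backup(dst)
        # Simulated damage to the copy (constructed): one file overwritten with
        # random bytes, one deleted, one note-like file added.
        with open(os.path.join(dst, "docs", "thesis.txt"), "wb") as fh:
            fh.write(os.urandom(1024))
        os.remove(os.path.join(dst, "photos", "holiday.jpg"))
        with open(os.path.join(dst, "HOW_TO_DECRYPT.txt"), "w") as fh:
            fh.write("your files are encrypted")
        damaged = verify_backup(dst)
    return clean, damaged


if __name__ == "__main__":
    before, after = run_demo()
    print("fresh backup:", before)
    print("after damage:", after)
```

The manifest lives on the same drive as the copy, which is convenient but means anything with write access to the drive could rewrite both; keeping a second copy of the manifest elsewhere (or printing its own hash) closes that gap. The verification step also only tells you a backup is bad; the protection itself comes from disconnecting the drive between backups, as the article's mention of removable media implies.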