Thursday, 18 May 2017

What is ransomware and how to protect your system from a ransomware attack

What is Ransomware?

Ransomware is malicious code used by cybercriminals to launch data-kidnapping and lockscreen attacks. The motive for ransomware attacks is monetary and, unlike other types of attack, the victim is usually notified that an exploit has occurred and is given instructions for how to recover from the attack. Payment is often demanded in virtual currency to protect the criminals' identity.


Ransomware can be spread through malicious email attachments, infected software applications, infected external storage devices and compromised websites. In a lockscreen attack, the malware may change the victim's login credentials for a computing device. In a data-kidnapping attack, the malware may encrypt files on the infected device as well as on other connected network devices.

Ransomware kits on the deep web have allowed cybercriminals with little or no technical background to purchase inexpensive Ransomware-as-a-Service programs and launch attacks that extort digital currency from their victims.

Examples:
  • The victim may receive a pop-up message or email warning that if the ransom is not paid by a certain date, the private key required to unlock the device or decrypt the files will be destroyed.
  • The victim may be duped into believing he is the subject of an official inquiry. After being informed that unlicensed software or illegal web content has been found on his computer, the victim is given instructions for how to pay an electronic fine.
  • The attacker encrypts files on infected computing devices and makes money by selling a product that promises to help the victim unlock the files and prevent future malware attacks.

Types of Ransomware in circulation:

  • Encryptors, which incorporate advanced encryption algorithms. They are designed to block access to files and demand payment in exchange for the key that can decrypt the blocked content.
  • Lockers, which lock the victim out of the operating system, making it impossible to access the desktop and any apps or files. The files are not encrypted in this case, but the attackers still ask for a ransom to unlock the infected computer.

Characteristics of Ransomware:

  • It features unbreakable encryption, which means that you cannot decrypt the files on your own.
  • It has the ability to encrypt all kinds of files, from documents to pictures, videos, audio files and other things you may have on your PC.
  • It can scramble your file names, so you can't know which data was affected. This is one of the social engineering tricks used to confuse and coerce victims into paying the ransom.
  • It adds a different extension to your files, which sometimes signals a specific ransomware strain.
  • It will display an image or a message that lets you know your data has been encrypted and that you have to pay a specific sum of money to get it back.
  • It requests payment in Bitcoin because this cryptocurrency cannot be attacked by cyber security researchers or law enforcement agencies.
  • Usually, the Ransom payments have a time limit, to add another level of psychological constraint to this extortion scheme. Going over the deadline typically means that the Ransom will increase, but it can also mean that the data will be destroyed and lost forever.
  • It uses a complex set of evasion techniques to go undetected by traditional antivirus.
  • It can spread to other PCs connected to a local network, creating further damage.
  • It frequently features data exfiltration capabilities, which means that it can also extract data from the affected computer and send it to a server controlled by cybercriminals; encrypting files isn't always the endgame.
  • It sometimes includes geographical targeting, meaning the ransom note is translated into the victim's language to increase the chances of the ransom being paid.

Top Targets for Ransomware creators and Distributors

Cybercriminals soon realized that companies and organizations were far more profitable than home users, so they went after bigger targets such as schools, hospitals, city councils and police departments.


Ransomware creators target home users:

  • Because home users don't have data backups.
  • Because they have little or no cyber security education, which means they will click on almost anything.
  • Because they lack baseline cyber protection.
  • Because they don't keep their software up to date.
  • Because most home users still rely exclusively on antivirus to protect them from all threats, which is frequently ineffective in spotting and stopping ransomware.

Ransomware creators target businesses:

  • Because attackers know that a successful infection can cause major business disruption, which increases their chances of getting paid.
  • Because computer systems in companies are often complex and prone to vulnerabilities that can be exploited through technical means.
  • Because ransomware can affect not only computers but also servers and cloud-based file sharing systems, going deep into a business's core.
  • Because cybercriminals know that businesses would rather not report an infection for fear of legal consequences and brand damage.
  • Because small businesses are often unprepared to deal with advanced cyber attacks and have a relaxed BYOD (Bring Your Own Device) policy.



Ransomware creators target public institutions:

  • Because budget cuts and mismanagement frequently impact the cyber security departments.
  • Because a successful infection has a big impact on conducting usual activities, causing huge disruptions.
  • Because public institutions often use outdated software and equipment, which means that their computer systems are packed with security holes just begging to be exploited.

What kind of files are being targeted?

  • Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi)
  • Less common office formats (.sxw, .odt, .hwp)
  • Archive and media files (.zip, .rar, .tar, .bz2, .mp4, .mkv)
  • Emails, email databases and database files
  • Developers' source code and project files (.php, .java, .cpp, .pas, .asm)
  • Files used by graphic designers, artists and photographers, and virtual machine files

How to protect your system from a ransomware attack

  • Apply the patches to Windows systems recommended by Microsoft Security Bulletin MS17-010.
  • Maintain updated antivirus software.
  • Keep and regularly update an offline backup of important files. Ideally, backups should be kept on separate devices.
  • Organizations should block the SMB ports on the edge or perimeter network devices that connect them to the Internet, or disable SMB on those devices.
  • Users and administrators of older Windows systems such as Windows XP, Vista, Server 2003 and Server 2008 should upgrade to a newer version.
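The following script is an added example, not code from the original post, showing how an administrator can apply the protection steps above on a single Windows 8.1 / Server 2012 R2 or later host: it checks whether one of the MS17-010 updates is installed, disables the SMBv1 server protocol, blocks inbound SMB on the host firewall for untrusted network profiles (a host-level complement to the perimeter blocking recommended above), and writes a dated backup of the targeted file types to a separate drive. The KB list is a subset of the bulletin's and should be confirmed for your exact OS build; the source and backup paths are assumptions to adapt to your environment.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): ransomware hardening for one Windows host.
# Assumptions: Windows 8.1 / Server 2012 R2 or later, an external drive mounted as E:,
# and a user profile at C:\Users\alice. Adapt the paths before running.

# --- 1. Patch check: is one of the MS17-010 updates installed? ---
# Subset of the KB numbers listed in MS17-010; confirm the correct one for your OS build.
$Ms17010Kbs = 'KB4012212','KB4012215','KB4012213','KB4012216',
              'KB4012214','KB4012217','KB4012598','KB4013429'
$found = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($found) { "MS17-010 update present: $($found.HotFixID -join ', ')" }
else        { Write-Warning 'No MS17-010 KB found; install the update for this OS build first.' }

# --- 2. Disable the SMBv1 server protocol that MS17-010 covers ---
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    Write-Warning 'SMBv1 server is enabled; disabling it.'
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# --- 3. Host firewall: block inbound SMB on untrusted network profiles ---
# The Domain profile is left alone so file sharing inside the corporate network keeps working.
foreach ($port in 445, 139) {
    $name = "Block inbound SMB TCP $port"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Block -Profile Public,Private | Out-Null
    }
}

# --- 4. Backup of the file types ransomware targets, to a separate device ---
# Each run writes a new dated folder instead of mirroring an existing one: a mirror-style
# backup would overwrite good copies with encrypted ones once an infection has happened.
$Source     = 'C:\Users\alice\Documents'   # assumed path
$Target     = 'E:\Backups'                 # assumed external drive; unplug it after the run
$Extensions = '*.doc','*.docx','*.ppt','*.xlsx','*.odt','*.zip','*.rar',
              '*.mp4','*.mkv','*.php','*.java','*.cpp'
$Dest = Join-Path $Target (Get-Date -Format 'yyyy-MM-dd_HHmm')
robocopy $Source $Dest $Extensions /S /R:1 /W:1 /NP /LOG+:"$Target\backup.log" | Out-Null
# robocopy exit codes below 8 indicate success (0 = nothing to copy, 1 = files copied)
if ($LASTEXITCODE -ge 8) { Write-Warning "Backup reported errors; see $Target\backup.log" }
else                     { "Backup written to $Dest" }

# --- 5. Summary of the resulting state ---
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol
Get-NetFirewallRule -DisplayName 'Block inbound SMB*' |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
```

Run it from an elevated PowerShell prompt. The firewall rules are created only once (the script checks for an existing rule by display name), so it is safe to schedule the script to run repeatedly; the backup step then produces a fresh dated folder each time, which is what makes recovery possible after files have already been encrypted.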
