What is ransomware?
The idea behind ransomware is startlingly simple. Once a computer is infected by ransomware (usually after a user clicks on a malicious link in an email or opens a malicious file received as an email attachment), the ransomware silently encrypts the user’s data. Once the encryption is complete, the ransomware displays a message demanding a payment – usually in Bitcoins – for the key to decrypt the data. Often the ransom demand comes with a deadline, and if payment is not received by that deadline, the ransom demanded may increase. Some types of ransomware also search for other computers to infect on the same network, and others also infect their hosts with more malware, such as banking Trojans that steal users’ online banking login credentials.
Common types of ransomware
The first ransomware is thought to have been PC Cyborg, which appeared in 1998. It used simple symmetric encryption, and it was relatively easy to produce tools to decrypt files that PC Cyborg had encrypted. But it wasn’t until 2012, with the arrival of the Reveton worm, that attempts to hold users’ computers for ransom payments became commonplace. Reveton locked users out of their computers unless they paid a “fine” through a payment service such as Ukash. Two years later, CryptoLocker was released, encrypting user files and demanding a ransom for the key to decrypt them. This became the template for most of the ransomware that has appeared since.
There are two main types of ransomware: Locker ransomware, which locks the computer or device, and Crypto ransomware, which prevents access to files or data, usually through encryption.
Locker Ransomware
- Reveton: Reveton ransomware started appearing at the end of 2012, locking users’ computers by preventing them from logging in and displaying an official-looking message purporting to come from the FBI or a national police force (depending on the location of the infected computer). The message said that the user had been involved in illegal activity such as child pornography or software piracy, and that they could avoid further action and regain access to their computers by paying a “fine.” Later versions also included password-stealing software that remained active even if the user paid the ransom.
Crypto Ransomware
- CryptoLocker: The appearance of CryptoLocker in 2013 marked a change in tactics by criminals. It was the first example of ransomware that followed the now-familiar path of encrypting users’ data with a different, randomly generated symmetric key for each file. The symmetric key is then encrypted with a public asymmetric key and added to the file. Once all the files of about 70 common types have been encrypted, the ransomware displays a ransom message demanding payment in return for the private asymmetric key, which is needed to decrypt the symmetric keys for each encrypted file. It warns that if payment is not made by a deadline, then the symmetric key will be deleted, making data recovery impossible. It also warns that any attempt to remove the ransomware would result in the asymmetric key being deleted.
CryptoLocker was disabled in 2014 when the Gameover Zeus botnet upon which it relied for propagation was taken down by a U.S. Department of Justice operation.
- CryptoWall: CryptoWall first appeared in 2014, and since then it has appeared in slightly different versions, with names that include CryptoDefense, CryptorBit, CryptoWall 2.0, CryptoWall 3.0 and CryptoWall 4.0. One notable feature of this ransomware is that the authors offer a free single-use decryption service for one file only, apparently to prove to their victim that they do indeed hold the decryption key.
CryptoWall 4.0, released in late 2015, introduced a new “feature”: it encrypts the filenames of the files it encrypts to make it harder for the victim to know what has been encrypted. The ransomware is spread by a variety of methods, including attachments in emails purporting to come from financial institutions, exploit kits that exploit vulnerabilities in users’ software when they visit malicious web pages, and web pages that display malicious advertisements.
Some variations of CryptoWall’s ransom note are also unusual, containing text such as: “Congratulations!!! You have become a part of large community CryptoWall. Together we make the Internet a better and safer place.” The ransom demanded is a hefty $700, doubling after about a week to $1,400.
- CTB-Locker: CTB-Locker dates from about mid-2014, and its authors use an affiliate program to ensure that the ransomware is propagated widely. The authors run and manage the ransomware and its command and control systems, while affiliates pay a monthly fee to access the ransomware, taking on the responsibility for finding victims through their own spam email campaigns or by running malicious web sites linked to exploit kits. The name CTB-Locker comes from Curve-Tor-Bitcoin-Locker, alluding to the Elliptic Curve encryption that the ransomware employs, the use of the anonymous Tor network for communications, and the payment demanded in Bitcoins. CTB-Locker’s ransom note displays several flag icons in the top right corner so the victim can read the note in different European languages.
- TorrentLocker: TorrentLocker began appearing in 2014 and is spread principally through spam emails. In addition to the standard procedure of encrypting files of multiple types and demanding a ransom in Bitcoin, this ransomware also harvests email addresses found on the machine and uses these to send further spam emails to the victim’s contacts in an attempt to propagate further.
TorrentLocker attempts to delete Windows volume shadow copies (which can be used to restore older, pre-encrypted versions of files) to make it less likely that users can recover their files without paying the ransom. This is normally set at about $500 if paid within three days, payable in Bitcoin to an address which differs for each victim.
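Because TorrentLocker (and most of the crypto ransomware described on this page) removes volume shadow copies before or during encryption, the commands that do so are a useful early detection point. The following is an added example, not code from the original article: it runs a simple detector over constructed process-creation records in an assumed pipe-delimited format, and raises the severity when the parent process was launched from a user-writable directory, since administrators do legitimately run vssadmin from a console.

```python
import re

# Constructed process-creation records (not real telemetry), one per line:
# timestamp|host|parent_image|image|command_line
SAMPLE_EVENTS = """\
2014-09-02T10:14:03Z|WS-017|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe List Shadows
2014-09-02T10:15:44Z|WS-017|C:\\Users\\jane\\AppData\\Local\\Temp\\invoice.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2014-09-02T10:15:45Z|WS-017|C:\\Users\\jane\\AppData\\Local\\Temp\\invoice.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2014-09-02T11:02:10Z|WS-017|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=401MB
2014-09-02T11:30:00Z|WS-017|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe readme.txt
"""

# Command lines that delete or starve shadow copies. A plain "vssadmin list shadows" is not matched.
TAMPER_PATTERNS = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic shadowcopy delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("vssadmin resize shadowstorage", re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*\bmaxsize=", re.I)),
]

# A parent image in a user-writable location (a freshly dropped executable in %TEMP%) is far more
# suspicious than an administrator's console, so it raises the severity.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop)\\", re.I)


def parse_event(line):
    """Split one pipe-delimited record into a dict; return None for malformed lines."""
    fields = line.split("|", 4)
    if len(fields) != 5:
        return None
    keys = ("timestamp", "host", "parent_image", "image", "command_line")
    return dict(zip(keys, fields))


def detect_shadow_copy_tampering(event_text):
    """Return (timestamp, technique, severity, parent_image) for each shadow-copy tampering event."""
    alerts = []
    for raw in event_text.splitlines():
        event = parse_event(raw.strip())
        if event is None:
            continue
        for technique, pattern in TAMPER_PATTERNS:
            if pattern.search(event["command_line"]):
                severity = "high" if USER_WRITABLE.search(event["parent_image"]) else "medium"
                alerts.append((event["timestamp"], technique, severity, event["parent_image"]))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_copy_tampering(SAMPLE_EVENTS):
        print(alert)
```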
- Bitcryptor and CoinVault: These two ransomware variants infected thousands of machines before two alleged authors were arrested in the Netherlands in 2015. During the investigation, Russian security firm Kaspersky was able to get hold of all 14,000 decryption keys needed to decrypt victims’ files. Kaspersky subsequently released a free downloadable tool to undo the damage done by both Bitcryptor and CoinVault.
- TeslaCrypt: TeslaCrypt appeared in 2015, and initially targeted and encrypted saved data and other files generated by computer games such as Call of Duty and World of Warcraft, holding them for $500 ransom payable in Bitcoins. The first version used symmetric key encryption, and a decryption tool was made available by security researchers. Subsequent versions use more sophisticated encryption that cannot be decrypted by this tool.
In 2016, the criminals behind TeslaCrypt unexpectedly released the master decryption key for the ransomware and stopped propagating it. A free decryption tool using the master decryption key was developed and distributed by ESET, enabling victims of TeslaCrypt to recover encrypted data.
- Locky: Locky first appeared in 2016, and is a relatively sophisticated example of ransomware. It usually infects users via malicious Microsoft Office attachments to emails. When the Office file is clicked, the file may prompt the user to enable Office macros, ostensibly to ensure that the document displays correctly, but in fact it allows the malware to run. After encrypting users’ files, Locky displays a ransom note that is set as the user’s desktop wallpaper. This instructs users to download the Tor Browser and visit a link specified in the note to pay the ransom.
A later version of Locky infects users via a JavaScript attachment that is automatically run by the Windows Script Host on most Windows machines when clicked, without the need for Office macros to be enabled.
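Both Locky delivery routes described above (a macro-bearing Office attachment, and later a JavaScript file that the Windows Script Host runs when clicked) can be caught at the mail gateway before a user ever sees the lure. The following is an added example, not code from the original article or from any product: it triages an attachment by inspecting the OOXML container for a VBA project part and by flagging script extensions, including inside a zip one level deep. The extension lists and verdict names are assumptions standing in for a real gateway policy; the sample documents are constructed in memory.

```python
import io
import os
import zipfile

# Assumed gateway policy for this demo: extensions the Windows Script Host runs on double-click,
# and OOXML Office extensions whose container is inspected for a VBA project part.
SCRIPT_HOST_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
OFFICE_EXTENSIONS = {".docm", ".docx", ".dotm", ".xlsm", ".xlsx", ".pptm", ".pptx"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0"  # legacy binary .doc/.xls container header


def build_zip(members):
    """Construct an in-memory zip from {name: bytes}; used only to build sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, payload in members.items():
            z.writestr(name, payload)
    return buf.getvalue()


def has_vba_project(data):
    """True if an OOXML zip carries a VBA project part (word/, xl/ or ppt/ vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename, data, depth=0):
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'. Looks one level into zips."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in SCRIPT_HOST_EXTENSIONS:
        return "block", f"{ext} attachment runs under Windows Script Host when clicked"
    if ext in OFFICE_EXTENSIONS and has_vba_project(data):
        return "quarantine", "Office document contains a VBA project (macros)"
    if data.startswith(OLE2_MAGIC):
        return "quarantine", "legacy binary Office container; macro check not implemented here"
    if ext == ".zip" and depth == 0:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for member in z.namelist():
                    verdict, reason = triage_attachment(member, z.read(member), depth + 1)
                    if verdict != "allow":
                        return verdict, f"archive member {member}: {reason}"
        except zipfile.BadZipFile:
            return "quarantine", "malformed zip archive"
    return "allow", "no macro or script indicator found"
```

For a quick run, pass `build_zip({"word/document.xml": b"<w:document/>", "word/vbaProject.bin": b"placeholder"})` as the data for an `invoice.docm` and compare with the same archive without the `vbaProject.bin` member.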
- WannaCry: WannaCry infected more than 100,000 computers in May 2017 by taking advantage of an unpatched Microsoft Windows vulnerability (MS17-010).
Mac Ransomware
- KeRanger: KeRanger appeared in 2016 and is believed to be the first piece of ransomware to successfully infect Mac computers running OS X. (In 2014, a type of ransomware called FileCoder was discovered, but it was incomplete and did not function correctly.) KeRanger was injected into the installer of an open source bittorrent client called Transmission, so users who downloaded the infected installer were infected with the ransomware when they ran it.
Once infected, the ransomware waits three days and then encrypts about 300 different file types, downloading a text file containing a ransom demand of one Bitcoin and instructions on how to pay. The ransomware authors offer to decrypt one file for free to prove that they can decrypt the user’s files, and boast that they have a help desk ticketing system to answer victims’ questions.
Mitigating the risk of a ransomware attack
Ransomware has posed a major security threat to individuals and organizations of all sizes for the last four years, and the regular appearance of new and more sophisticated types shows no sign of abating. In fact, the reverse is true: ransomware attacks are increasing at a rate of more than 10% per month, according to some security sources, although Microsoft recently noticed a hopeful trend.
Given the stakes, mitigating the risk of a ransomware attack is becoming increasingly important.
The most effective way to protect against infection is to deploy endpoint protection software, and the most effective way to protect against data loss in the event of an infection is to ensure that all data is backed up.
There are a number of other steps that can be taken to reduce the risk of a ransomware attack and to recover data if it becomes encrypted as a result of such an attack. For options, see How to Stop Ransomware.