17 June 2020, SafeAeon Inc.
Ransomware is a combination of two words, 'ransom' and 'malware': a ransom is the payment demanded by kidnappers for the release of captives, and malware is malicious code used to damage or disrupt a victim's computer system. Ransomware is therefore a type of malware that hijacks a victim's network or data, after which a ransom is demanded to return access to the victim.
Historically, ransomware dates back to 1989, when the world's first ransomware, known as the 'AIDS Trojan', was created by Joseph Popp, who handed out 20,000 infected floppy disks to attendees of the World Health Organization's AIDS conference. The program's operation was straightforward: it counted how many times the system booted, and when the count reached 90 it hid all the directories and encrypted the names of all files on the C drive; a ransom of $189 was demanded from each victim to regain access. The 'AIDS Trojan' was simple to overcome because it used a symmetric key to encrypt the data, and that key was stored inside the distributed malware itself.
The concept of the first asymmetric-key ransomware was demonstrated by Moti Yung and Adam Young of Columbia University at the IEEE Security & Privacy conference in 1996, where it was called 'cryptoviral extortion'. In this scheme the attacker generates an asymmetric key pair and stores only the public key in the malware. When the malware infects a system, it creates a random symmetric key, encrypts all the data with it, and then encrypts the symmetric key with the public key, which produces a small ciphertext. The attacker's private key is never exposed, and the victim must send that small ciphertext along with the ransom to the attacker to obtain the decryption key.
From 2005, instead of writing their own encryption algorithms, attackers started using established cryptographic libraries: the data was encrypted with a randomly generated symmetric key, and RSA encryption was used to encrypt that key.
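The two key-management models described above, as an added illustration that is not part of the original post and not code from any real malware: the 1989 design ships one symmetric key inside the program, so an analyst holding the sample can decrypt without the attacker, whereas the 1996 cryptoviral-extortion design ships only a public key and wraps a fresh symmetric key per victim, so nothing in the sample allows recovery and the realistic path for a defender is restoring from offline backups. The symmetric cipher (a SHA-256 counter-mode keystream XORed over the data) and the textbook RSA with a 512-bit toy modulus are stand-ins chosen to keep the example dependency-free; all function names, the embedded key and the sample bytes are constructed for this example.

```python
import hashlib
import secrets

# --- Toy symmetric cipher -------------------------------------------------
# SHA-256 in counter mode XORed over the data. A stand-in for the block cipher
# a real scheme would use (assumption: illustrative only, not a vetted cipher).
def stream_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)

# --- Textbook RSA with toy parameters --------------------------------------
def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (enough for a demonstration key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def rsa_keygen(bits: int = 512):
    """Returns (public, private) as (e, n) and (d, n). Toy size, not for real use."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_wrap(public, key: bytes) -> int:
    """Encrypt a short key with the public key: the 'small cipher' the post mentions."""
    e, n = public
    m = int.from_bytes(key, "big")
    assert m < n, "key must be smaller than the modulus"
    return pow(m, e, n)

def rsa_unwrap(private, wrapped: int, key_len: int) -> bytes:
    d, n = private
    return pow(wrapped, d, n).to_bytes(key_len, "big")

# --- 1989 model: one fixed symmetric key shipped inside the program --------
EMBEDDED_KEY = b"constructed key hard-coded in the 1989 sample"  # constructed value

def encrypt_1989(plaintext: bytes) -> bytes:
    return stream_xor(EMBEDDED_KEY, plaintext)

def recover_1989(ciphertext: bytes) -> bytes:
    # An analyst who has the sample also has EMBEDDED_KEY, so recovery
    # needs nothing from the attacker.
    return stream_xor(EMBEDDED_KEY, ciphertext)

# --- 1996 model: per-victim symmetric key, wrapped with the public key -----
def encrypt_1996(public, plaintext: bytes):
    session_key = secrets.token_bytes(32)
    ciphertext = stream_xor(session_key, plaintext)
    wrapped = rsa_wrap(public, session_key)
    return ciphertext, wrapped  # only the wrapped copy of the key remains

def recover_1996(private, ciphertext: bytes, wrapped: int) -> bytes:
    # Only the holder of the private key can unwrap the session key; the
    # sample (public key + ciphertext + wrapped key) contains nothing that helps.
    return stream_xor(rsa_unwrap(private, wrapped, 32), ciphertext)

def demo(plaintext: bytes = b"constructed sample document contents"):
    """Runs both models and reports which recoveries succeed."""
    public, private = rsa_keygen(512)
    ct89 = encrypt_1989(plaintext)
    ct96, wrapped = encrypt_1996(public, plaintext)
    return {
        "recovered_1989_from_sample_alone": recover_1989(ct89) == plaintext,
        "recovered_1996_with_private_key": recover_1996(private, ct96, wrapped) == plaintext,
        "wrapped_key_bits": wrapped.bit_length(),
    }

if __name__ == "__main__":
    print(demo())
```

The lesson for defenders sits in recover_1996: the private key never leaves the attacker, so to anyone else the wrapped key is just a large number, and that is why key-recovery from the sample worked against the AIDS Trojan but not against its successors.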
For example, the 'Archiveus Trojan' of 2006 was one of the first ransomware families to use RSA. It encrypted all the data in the My Documents folder, and its authors used a unique way of extorting payment: they asked victims to buy their products from particular e-commerce websites.
In the late 2010s, 'Bitcoin', a digital or virtual currency based on the concepts of cryptocurrency and blockchain, was introduced to the world. Bitcoin's distinguishing feature is that tracing Bitcoin transactions has remained almost impossible to date. It therefore gave attackers a new and safer way to extort ransom from victims, and led to a new breed of ransomware that uses Bitcoin or other cryptocurrencies for payment. After this, ransomware attacks shot up to crisis levels, and the amount of money extorted increased exponentially year after year.
2013 Onwards: Terror of Ransomware
In 2013 the 'CryptoLocker' ransomware appeared. It was spread using 'spear phishing', in which targeted emails were sent; the emails generally mimicked shipment notifications from conventional courier service providers such as FedEx. CryptoLocker took ransomware attacks to new heights: according to various reports, its operators gained around 27 million US dollars.
In 2017 'WannaCry', a crypto-worm that spread over the network, exploited a vulnerability in Microsoft's implementation of the 'SMB' protocol; the attackers used the 'EternalBlue' exploit developed by the NSA and leaked by another hacker group. WannaCry was able to infect 200,000 systems in 150 countries in a single day. An attack on such a massive scale had never been seen before, and it led to a global response. The outbreak was brought under control within a few days after researchers found a kill switch hardcoded in the malware that stopped its propagation, and Microsoft issued an emergency security patch for older versions of Windows. Variants of WannaCry and other ransomware such as NotPetya went on to exploit the same vulnerability on unpatched systems.
New Approach: RaaS (Ransomware as a Service)
The world's elite hackers have started providing ransomware as a service: they design and build a ransomware toolkit that even a novice can use to launch an attack, and these toolkits are sold on the black market and the dark web. Sellers provide technical know-how and step-by-step instructions on how to launch a ransomware attack using their services and platforms. In this franchise-like business model, sellers take a fixed percentage of the ransom extorted in each successful attack by their buyers.
Ransomware Trends and Statistics
The "State of Malware Report" of 2019 from Malwarebytes shows that ransomware attacks against consumer or home users decreased by 12%, whereas in business environments they increased by 9% from the previous year.
The Kaspersky Labs report shows that there were 174 ransomware attacks against cities and towns in 2019, a 60% increase in ransomware attacks targeting municipal corporations compared with the previous year.
The Comparitech report shows that around 172 ransomware attacks targeting health organizations were reported. These attacks affected around 1,446 clinics and hospitals, and at least two healthcare providers had to shut down permanently.
Malwarebytes' "State of Malware Report" of 2020 shows that overall new ransomware activity against organizations remained higher than in the previous year. Families such as Ryuk, Phobos, and Sodinokibi are the dominant strains targeting cities, schools, and hospitals. Ryuk detections increased by 543 percent over Q4 2018, and since its introduction in May 2019, exposures of Sodinokibi have increased by 820 percent.
The Coveware report shows that ransomware payments doubled thanks to the spread of the Ryuk and Sodinokibi strains. The report also found that most companies that pay the ransom (98 percent) receive their decryption tool, and a surprisingly high 97 percent of those victims report that the decrypter works, which increases victims' confidence in paying the ransom.
Major Ransomware Attacks In the Past Few Years
A new variant of the WannaCry ransomware wreaked havoc at TSMC, a Taiwan-based company that is one of the world's largest semiconductor foundries. In August 2018 the manufacturer was forced to temporarily shut down most of its chip-fabrication plants after 10,000 machines in TSMC's most secure and advanced facilities were infected.
Nayana, a South Korean web hosting services provider, set the unwanted record of paying the world's highest known ransom, 1 million US dollars. In 2017, according to reports, the data of around 3,400 customer websites on more than 150 of Nayana's Linux servers was encrypted by the 'Erebus' ransomware.
Riviera Beach City, Florida, USA
The city paid one of the biggest ransoms of 2019. As reported, attackers infiltrated the city administration's network after one of its employees clicked on a link in a phishing email and downloaded malware. All of the city's online services went down, including phone and email services, which affected the city's water utility, 911 dispatchers, and even gas stations. The City Council paid 65 bitcoins, equivalent to nearly $600,000, as ransom to the attackers.