CHAPTER 1: ABOUT RANSOMWARE
In general, there are three types of ransomware:
1. Scareware
2. Screen lockers
3. Encrypting ransomware
Before we go further, I should note that this book is primarily interested in 'encrypting ransomware'.
Scareware is typically little more than malicious advertising. The user might see a pop-up advising that malware has been detected and instructing them to visit a website or make a payment to have the malware removed. This can be served on a website (in which case it's likely you're not infected at all and it's just an obnoxious pop-up) or from a malware infection on your device. In most cases, this is all that the malware will do, so it could be little more than an annoyance – but if you have this sort of infection, it's likely there's more malware that you just don't know about.
Screen lockers, meanwhile, look an awful lot like encrypting ransomware. They freeze up your device and often present a message stating that the user must either pay a ransom or that they are under investigation by the FBI or some other authority. This is obviously a more significant threat than scareware, but in most cases your data is otherwise safe – the malware is simply preventing you from accessing the device and trying to scare you into making the payment.
Encrypting ransomware is a much greater issue, because it's not possible to recover your files without either a great deal of luck (if the ransomware is old enough that there is a known solution) or by paying the ransom – and there's no guarantee that the criminals will hold up their side of the deal.
There's a growing subset of this in which the criminals will also take copies of your data. This usually acts as an additional threat in the ransom: if you don't pay up, not only will you lose your data, we'll release it onto the Internet; if you do pay, we'll unlock your files and dispose of the copies. Again, however, you have no idea if the criminals will actually delete their copies. If you know much about criminals, you'll join me in being sceptical.
There is a strong argument to never pay the ransom. Regardless of any ethical considerations, there's a simple practicality: you have no way of knowing if the criminals will actually unlock your information, nor any guarantee that they then won't mark you as an easy target (see the end of this chapter for more on the ransomware 'business model'). By far the best solution, as you'll see, is to be prepared so that you can prevent as many infections as possible, contain any ransomware that does make it through, and recover your systems and information quickly and with minimal interruption.
How it works
The core functionality of ransomware is two-fold: to encrypt data and to deliver the ransom message. Depending on the complexity of the malware and its mechanism for gaining access, the encryption can be relatively basic or maddeningly complex, and it might affect only a single device or a whole network.
Encryption is a relatively common feature in modern computing, and most users encounter it without ever realising. Most of the time, encryption is a valuable tool: it protects data from being accessed or interfered with by unauthorised parties. Not all information needs to be encrypted, but most people would conclude that it's valuable and often a 'better safe than sorry' solution, even for relatively mundane information.
An ideal system encrypts data to be sent (or stored) and the receiving device decrypts the information, all without the users necessarily being aware of the fact. This relies on cryptographic keys, which determine how the information is encrypted and decrypted. In some cases, the same key can be used to encrypt and decrypt, while other systems use one key for each purpose. In any case, a key is necessary to access the information.
Ransomware's main problem is that the victim has no access to a key to decrypt the data. Depending on the strength of the encryption algorithm, this can mean that the data is essentially unrecoverable. While some older algorithms can be broken given enough time and are still occasionally used in business, either because the infrastructure is outdated or because there's a perceived benefit to simpler encryption, there's no need for a ransomware attacker to use these – they don't want the data to be readily accessible. For all practical purposes: if you're hit by ransomware, your data is lost unless you get the key or can recover it from somewhere that hasn't been affected.
Once the data has been locked up, the ransomware needs to notify the user, which is generally in the form of a pop-up or other notice on your screen, which will (possibly gloatingly) explain that your files have been encrypted and how to pay to get them unlocked. Depending on the scale of infection and the purpose of the ransomware, it might leave some systems accessible, even if in a limited capacity. For instance, the ransomware might lock down the device in its entirety, leaving only a message explaining how to pay the fee; alternatively, it might leave the user able to access the Internet so that the ransom can be paid.
One of these messages is usually the first sign anyone gets that they've been infected. So, how did it get there?
Mode of access
Ransomware, just like any other malware, needs a way in. This is generally called 'infiltration', and there are two primary methods:
1. Social engineering, such as phishing.
2. Technical vulnerabilities in the network perimeter.
Social engineering often relies on human error – clicking links in phishing emails, allowing an unknown application to execute, and so on. The aim for any malware developer is to reduce the number of times they need humans to make errors: if they rely on someone to click a link, then accept a download and actively execute the file, that's three points at which the target might wake up and realise they're making a mistake. If the target only needs to click a link, the criminal's doing much better. If they can find a way to get the malware directly onto the target's device without them realising, they have an absolute winner.
Among the most popular methods is phishing, which has long been proven an effective way of slipping past technical defences. In this scenario, the target opens an attached document (probably Word or a similar format, with the malware payload delivered by a macro) or clicks a link, and they're promptly infected.
Ransomware can be delivered a number of other ways – via a wider infection once it gets into a network, for instance, within an infected USB device, packaged with a more 'benign' download (such as bundled with an app or other software from a disreputable source), and so on. As you can see, in many cases, the initial infection is due to human error.
It is also possible to deliver ransomware without human intervention, however, by directly attacking the network via vulnerabilities in the perimeter. Criminals are constantly probing network boundaries looking for the tell-tale signs of a vulnerability that they can exploit to gain access.
Undirected attacks against networks look for common flaws that can be automatically exploited. The WannaCry attack was able to propagate, for instance, by taking advantage of an NSA backdoor that had been recently revealed. There was a patch available, but too few machines had been updated.
More complicated attacks – clearly targeted – will combine data from a number of sources in order to gain access. For instance, responses from a login portal (such as making it clear if a specific username is correct even if the password is wrong) could be combined with information gleaned from LinkedIn (a list of employees) and previous data breaches (connecting a user with passwords they've previously used), which could give criminals a set of likely user credentials to attempt.
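The login-portal weakness described above (a portal that answers differently for an unknown username than for a wrong password) is one of the cheaper ones to remove. The following is an added illustration, not code from the book, showing the leaky pattern next to a uniform one. The user store, names and passwords are constructed for the example, and the hashing parameters are assumptions rather than a recommendation for any particular product.

```python
import hashlib
import hmac
import os

# Constructed sample user store: username -> (salt, PBKDF2 hash). Not real accounts.
_ITERATIONS = 100_000  # assumed work factor for the example


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_user_store(credentials):
    """Build the constructed store from (username, password) pairs."""
    store = {}
    for username, password in credentials:
        salt = os.urandom(16)
        store[username] = (salt, _hash_password(password, salt))
    return store


# Fixed dummy salt/hash so an unknown username still costs a full PBKDF2 run,
# which keeps the response time the same in both failure cases.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = _hash_password("not-a-real-password", _DUMMY_SALT)

GENERIC_FAILURE = "Invalid username or password."


def login_leaky(store, username, password):
    """The pattern the text warns about: the reply reveals whether the username exists."""
    if username not in store:
        return (False, "Unknown username.")
    salt, expected = store[username]
    if hmac.compare_digest(_hash_password(password, salt), expected):
        return (True, "Welcome.")
    return (False, "Incorrect password.")


def login_uniform(store, username, password):
    """Hardened: one failure message, and the same amount of hashing work whether
    or not the username exists, so neither the text nor the timing of the reply
    tells an outsider which usernames are valid."""
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    # The membership check guards against a guess that happens to match the dummy hash.
    if ok and username in store:
        return (True, "Welcome.")
    return (False, GENERIC_FAILURE)


if __name__ == "__main__":
    users = make_user_store([("alice", "correct horse battery")])
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, fn(users, "bob", "x"), fn(users, "alice", "x"))
```

Uniform wording on its own is not enough: if the unknown-username branch returns immediately while the wrong-password branch runs a slow hash, the difference in response time leaks the same information, which is why the hardened version always performs the hash.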
Other criminal groups sell known backdoors or details of previously compromised networks that ransomware attackers can target without needing to do too much of their own work to gain access. This access will generally have been gained the same way as those methods described above.
All of this is a way in, but ransomware also needs to establish itself without being detected. As malware is often single-purpose, ransomware can have some difficulty gaining a foothold anywhere, which is why it is often paired with one or two other malicious programs. As mentioned in the introduction, Emotet is a popular Trojan that does most of the legwork for ransomware, but there are others that do much the same.
The infection
The actual speed of movement once the malware is within the network can vary considerably, depending on the attacker's ambitions, the attack method and any internal technical security measures.
An attacker who isn't concerned about the specific data they're locking up will simply attempt to lock up as much as possible as quickly as possible until it's stopped. Indiscriminate, untargeted ransomware attacks are more likely to follow this approach. In this case, the ransomware will simply start grabbing files and encrypting them, often starting with files that aren't system-critical in order to minimise the risk of being spotted. It should be noted that this is a pretty primitive method, and most modern ransomware will take a more intelligent approach to maximise its impact.
A more complex ransomware attack will put measures in place to cripple defensive measures or hide from them, which can slow the rate of encryption – at least initially. This might include disabling antivirus and intrusion detection systems, system logs, and so on. The aim in these cases will be to maximise the amount that can be encrypted.
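The two behaviours just described, a process rewriting many user files in quick succession with content that no longer looks like documents, and an attacker trying to stay below the threshold at which that is noticed, are what a file-activity detection rule has to balance. The following added example, which is not from the book, runs a simple burst-plus-entropy rule over a constructed set of file-write events. The process names, paths and file contents are made up, and the window, threshold and entropy floor are assumed tuning values.

```python
import math
from collections import defaultdict

# Constructed sample of file-write events: (time_seconds, process, path, first_bytes).
# Processes, paths and contents are invented for this example; a real feed would
# come from an EDR agent or a file-system audit log.
_TEXT = b"quarterly figures, meeting notes, nothing unusual here\n"
_RANDOM_LOOKING = bytes(range(256))  # every byte value once: maximal entropy (8 bits/byte)

SAMPLE_EVENTS = [
    (0.0, "winword.exe", r"C:\Users\ann\Documents\report.docx", _TEXT * 4),
    (2.0, "svchost.exe", r"C:\Windows\Temp\service.log", _TEXT * 2),
]
# A hypothetical encrypting process rewriting user files half a second apart.
SAMPLE_EVENTS += [
    (10.0 + 0.5 * i, "encryptor.exe", rf"C:\Users\ann\Documents\file{i}.xlsx.locked", _RANDOM_LOOKING)
    for i in range(6)
]
# A legitimate backup job: its archives also look random, but only two land in the window.
SAMPLE_EVENTS += [
    (20.0, "backup.exe", r"D:\backups\monday.zip", _RANDOM_LOOKING),
    (21.0, "backup.exe", r"D:\backups\tuesday.zip", _RANDOM_LOOKING),
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain text sits around 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def detect_bursts(events, window=10.0, threshold=5, entropy_floor=7.0):
    """Alert on any process that writes at least `threshold` high-entropy files
    within any `window`-second span. Returns one alert per offending process,
    reporting the densest span seen."""
    suspicious_times = defaultdict(list)
    for t, process, _path, content in events:
        if shannon_entropy(content) >= entropy_floor:
            suspicious_times[process].append(t)

    alerts = []
    for process, times in suspicious_times.items():
        times.sort()
        best, best_span, start = 0, None, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > best:
                best, best_span = end - start + 1, (times[start], times[end])
        if best >= threshold:
            alerts.append({"process": process, "count": best,
                           "start": best_span[0], "end": best_span[1]})
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_EVENTS):
        print(f"ALERT {a['process']}: {a['count']} high-entropy writes between t={a['start']} and t={a['end']}")
```

Entropy alone is a poor signal, since archives and already-encrypted files look exactly like ransomware output (the backup job above is the edge case), which is why the rule keys on the rate of such writes per process. When an attacker has disabled logging or the antivirus agent, as the paragraph above describes, the events simply stop arriving; a host that goes silent while others keep reporting is worth treating as a signal in its own right.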
More advanced attacks will also attempt to spread through a network, not encrypting anything until as many systems as possible are carrying the infection. As with the initial entry into the network, this will be facilitated by other malware desig...