Ransomware: What is it, and how do you defend yourself against it? (Part 2)


This entry is part 2 of 6 in the series Computer Security Made Simple

In yesterday’s post, I discussed the terms used to explain ransomware and also a simple explanation of what it is. Today I’m going to dig a little deeper into the actual tech behind the attack.

First, a short history of ransomware.

In the 1980s there was a computer virus known as the AIDS Virus. It was the earliest form of ransomware. The thing you need to know is that it spread by infected floppy disks (the Internet didn't exist then in the form we know today). You had to print out an invoice and send it, along with your money, to get your data unlocked. Until the Internet made it more convenient, the printed invoice was the main form of payment for ransomware.

Now, who can be impacted by ransomware?

Ransomware can be targeted at specific businesses, countries, or individuals, but typically it impacts major corporations, small businesses, and home users alike. Depending on the variant, it can affect virtually any device, although some, like an iPhone or Linux-based devices, are harder to infect. Even so, Linux-based devices can still serve infected files to Windows-based (or other) devices that can be infected. This is why it's recommended that you have antivirus protection on all of your devices, regardless of how "secure" they claim to be.

What are the impacts?

The most obvious impact is that your data is encrypted and you're presented with the ransom note. But there are more subtle impacts that aren't often thought about. For example, hospitals have to stop treating patients (or have to resort to treating them without computerized data). That means the other hospitals in the area have to take on the additional caseload. Or, if there aren't other hospitals in the area, patients have to be transported a greater distance for care, creating a situation where they may die in transit or another patient may die waiting for transportation.

Business processes that are impacted have to be shut down. This puts a strain on the company specifically and, to an extent, on the economy as a whole. The monetary damage is not only in the lost data and time, but also in your public image and other factors. If you're not able to restore from a backup (or not able to pay the ransom), you risk major downtime, which can effectively kill a business. There can also be legal ramifications, both civil and criminal, from being a victim.

Part of the reason legal ramifications are a possibility is that your data could be copied and sold while the ransomware is encrypting it. Other malware can be installed as well, turning your computer into a bot or stealing more information after the ransomware is removed. Depending on the nature of your business, what data is stored on the infected machines, and whether that data was encrypted as legal requirements demand, you can be held liable for the losses.

How fast is ransomware spreading?

The scale of attacks is more than 4,000 infections per hour (or 100,000 per day). It affects all sorts of people and organizations. If you want to see a visual representation of the current state of malware (especially ransomware), you can check out https://intel.malwaretech.com/pewpew.html. This is a live map showing infections as they are spotted. To give you an idea, when WannaCrypt first appeared, this map was almost a solid mass of circles. Note that this map shows botnets, but doesn't show things like the NotPetya worm or other ransomware attacks that may be happening right now.

How does ransomware attack?

While the most common attack vector (method) for ransomware is infected email and email attachments, it has a variety of ways to infect devices. It can be loaded as part of a "drive-by download" when a user visits a website that's hosting it. It can be installed using an infected Java, ActiveX, or even Flash file (this is typically how drive-by downloads work). You can be offered an infected "update" to one of your plugins (such as a Flash update). In some cases, it acts like a worm, actively searching for vulnerabilities on devices and using them to infect the device. The NotPetya attack this past week used a combination of vectors. Once it infected a computer, it used certain administrative procedures to infect other computers on the local network. I'll break down the main attack vectors a little more below.

Main attack vectors:

  1. Drive-by downloads: You visit a site, and an embedded script downloads the malware and executes it without your knowledge. Typically it uses a vulnerable plugin like Flash, ActiveX, Silverlight, or Java.
    –The script can be embedded on the site itself, or even in the ads that the site uses to generate revenue.
    –Ad blockers help mitigate this, but because it hurts sites' revenue, some sites are forcing people to disable their ad blockers to view the material, which brings us back to the original problem. In most cases, the site owner doesn't even know that by forcing people to disable the ad blocker, they are infecting them with malware, because the malware is hosted and "served up" from a different site (the advertiser network).
  2. Email: either through code embedded in the email itself or through malicious files attached to the email.
    –Some email clients are good about blocking the code and files, but in some cases, people blindly open them.
  3. Worms: These are programs that actively search out computers with vulnerabilities and infect them. You don't have to do anything (visit sites, open emails). You simply have to turn your computer on and go online (which, in the days of high-speed Internet, is automatic).
    –The main mitigation is keeping your computer updated. But at the same time, you are relying on someone else (Microsoft, Apple, Sun, etc.) to push out the updates as soon as they are aware of the problems.
    –In some cases, unless there is malware actively using the vulnerability, the companies don't rush to patch the problem.
    –In other cases, even if there is malware using it, if the number of potential targets is low enough, the companies will still take their time.
    –And if the malware creators find the vulnerability and figure out how to exploit it before security researchers do, they can use it without any problems. These are called "0-day attacks" or "zero-day attacks" because the maker of the software isn't even aware of the vulnerability. This is how WannaCry and NotPetya are spreading right now. The NSA had found vulnerabilities and held them instead of telling Microsoft about them. They were hacked, and the vulnerabilities were sold off and released publicly.

In tomorrow’s post, I will discuss what actually happens when you’re infected, and what happens if you pay the ransom.
