Ransomware have become a worldwide phenomenon in the light of recent cyber attacks across the globe. Goldeneye (aka Petya aka NotPetya aka ExPetr) has been the latest such ransomware, which has been spreading across major corporate companies in India, US, UK, Germany, France, Italy, Spain and Poland, after it was first spotted in Ukraine just a few hours ago. The new malware has reportedly affected over 2,000 users until now.
What is Ransomware?
Unlike the common malware, ransomware doesn't just steal or delete your data without your knowledge. It acts like a hook to hijack your system security and take over your confidential data for a ransom. You will not have any access to the compromised data until you agree to pay the demanded money to the hackers.
In general, malware are generally targeted to corrupt sensitive data on a system without any motive of monetary benefit to the attacker. Ransomware, however, will make use of intelligent malware that perpetually demands money from you in exchange for your compromised data.
How did the ransomware evolve or originate?
Ransomware reportedly originated in Russia as it was initially found infecting several thousands of computers in the country.
Ransomware normally spreads through files of already infected systems or through email attachments or as hooks to existing malware on the compromised system. Once the ransomware has infected a computer, it locks up user access to files, folders, apps or system settings. The user will then see pop-up notifications or alerts that he needs to pay a fixed sum of money in order to access or open the blocked files and/or content.
Types of ransomware and how they work
There are basically two broad types of ransomware, encrypting and non-encrypting.
Encrypting ransomware uses a strong bashing algorithm to encrypt files or programs on the compromised system. When a user tries accessing the infected files, it will throw up a ransom message asking for money to disable the lock on affected data.
If you are thinking of decrypting the lock, it would take several thousands of years to accomplish the feat on a desktop computer.
So a more feasible way is to pay up ransom if you don't have a backup of those files. However, there is no guarantee that the hacker would not resort to extorting more money, once you have paid the ransom.
Like the old saying goes, "Prevention is always better than the cure." You will be better equipped to handle the situation if you know how to prevent the ransomware attack.
The second type of ransomware is the non-encrypting type, which simply blocks access to the infected files without actually encrypting them. Without an encryption in place, it is easier to backup the important files and then reinstall the operating system. As for the malware-induced pop-up messages, you can simply ignore them.
Different subsets of ransomware and how to identify them
Here is a lowdown on the different subsets or sub-types of ransomware that have been reported across the globe so far:
This type of ransomware normally affects cloud-based Office 365 users and usually adopts phishing attacks as the means of infecting systems. It has the potential of infecting millions of users in no time by disguising itself as a legitimate source. Beware of unsolicited emails and those that are often caught by the spam filter, and do not try to open any of them even if they sound too attractive to ignore (ones like giving you lucrative job offers or some lottery prize).
This is an encryption based ransomware that usually affects files stored on fixed, removable drives as well as network drives. It uses a strong encryption algorithm and hence it is very tedious to crack the code within a reasonable period of time.
CryptoLocker has been around for the past two decades. But it came into the spotlight only in 2013 and was then involved in a major cyber attack in May 2014 when the culprits behind it extorted nearly $3 million from victims.
As its name says, it is another popular encryption type ransomware that's difficult to get rid of from infected systems. It is advisable to avoid downloading content or files from illicit sources, while also exercising caution when surfing unknown websites.
CryptoWall entered the spotlight in early 2014 after the demise of CryptoLocker botnet in May 2014. Some of its key variants include Cryptobit, CryptoDefense, CryptoWall 2.0 and CryptoWall 3.0, among others. CryptoWall spreads through spam or exploit kits akin to CryptoLocker. You should avoid opening spam mails or suspicious email attachments to avoid such ransomware infection on your computer.
The perpetrators of CTB-Locker often outsource the infection process to a third-party hacker group in exchange for a cut of the profits. It is a very novel way of infecting large scale systems across countries and continents at a faster rate.
As its name goes, Jigsaw is a truly perplexing type of ransomware, which enables the attacker to encrypt the targeted data and then progressively delete its contents until the ransom is paid. There could be no better way to blackmail the victim or force him/her to pay up the ransom.
KeRanger was recently spotted on a popular BitTorrent client and it is mainly targeted at locking Mac OS X apps. It is usually known to spread through downloaded files or torrent files and hence it would be a good idea to avoid torrenting files from illicit sources.
It is named after the French noun "chiffrement" which means encryption. LeChiffre finds its reference to the main antagonist from James Bond's Casino Royale novel who kidnaps Bond's love interest to lure him into a trap and steal his money.
It can only be run manually on the compromised system and hence hackers will have to identify poorly secured remote desktops connected to the internet, before logging into them remotely and then manually running an instance of the virus.
It spreads through spam, usually in the form of a disguised invoice sent as an email. The victim is often lured into enabling macros or installing illicit extension files to read the document.
With macros enabled, Locky can encrypt a wide set of file types with AES encryption. Victims are pestered to pay up ransom in the form of Bitcoins in order to get their files decrypted.
TeslaCrypt also uses an AES encryption algorithm akin to the Locky to encrypt files. It usually spreads infection via the Angler exploit kit, which is exclusively targeted on Adobe vulnerabilities. After the vulnerability is exploited, the ransomware installs itself in the Windows temp folder.
It is typically disbursed through spam emails and phishing attacks. It usually targets specific geographic locations and regions. The ransomware encrypts compromised data using AES algorithm like the CryptoLocker malware. Besides encoding the files, it gathers and misuses the email addresses stored in victim's address book to propagate the infection to other connected systems on the victim's network.
It is the latest and the most widespread ransomware attack seen in the history of cyberattacks across the globe. With an estimated 125,000 corporate companies and organisations being affected in over 150 countries, WannaCry is one of the most dangerous malware known to mankind.
Other variants of WannaCry are known as WCry and WanaCrypt0r, which are currently affecting windows machines via a Microsoft exploit known as EternalBlue.
It is a self-transmitting malware strain, which shows worm-like behaviour. It can encrypt files and also infect flash drives and external drives, before affecting other computers where the infected device is connected.
How to protect your computer from ransomware or remove malware
The easiest way to protect your computer from ransomware and other malware is to ensure that your computer is running a fully-updated licensed version of antivirus and anti-malware software. Additionally, a network firewall is mandatory if you are often connected to an intranet or the internet to avoid unforeseen cyber attacks.
Encrypted ransomware can only be removed after you have successfully decrypted the files using specialised decryption tools or third-party decryption services. You can register with some security research companies who offer this type of service to decrypt the hard drive files without paying a ransom.
Users can upload the encrypted file or folder to their site and share their registered email address. The site will then email you the private key along with instructions to remove the offending ransomware from your computer.