Malware classified today as ransomware (a blend of the words ransom and software) became a widely discussed topic a few years ago. In 2013 the best-known member of this category, CryptoLocker, let its creators "earn" as much as 27 million dollars during its first campaign. According to McAfee Labs' estimates, a single CryptoLocker distribution campaign can bring criminals as much as 325 million dollars. Even the FBI has not escaped an attack and a ransom demand.
So what is ransomware? The name already explains it well: it is a type of malware whose goal is to extort money from its victim. The attack consists in blocking access to files, documents, or even an entire computer or company server. Data blocked by this kind of malware is usually encrypted, and on screen the owner of the precious files sees instructions on what to do to get them back. The criminals demand a payment and in exchange promise to hand over the key and instructions for decrypting the data. More and more often the ransom is collected in Bitcoin, which lets the criminals bypass the regulated banking system. It is safer for them and often makes it much harder for the police to identify who was actually responsible for the attack.
Several types of ransomware are known today. The first is the so-called screen-locker. The malware blocks the screen so that the user cannot use the device. It is annoying, but because it does not encrypt the files underneath, a victim with enough technical knowledge, or an antivirus package, can usually remove it on their own.
Because this kind of ransomware proved insufficiently effective for extortion, criminals moved to crypto-ransomware. It encrypts selected file types, e.g. photos and Word documents, on the victim's local disk. Increasingly it also encrypts files in every other location it can reach, including shares on servers and synchronised cloud folders. A key for decrypting the data is then offered, to be handed over by the criminals once the appropriate payment is made. The ransom usually ranges from 150 to 900 dollars.
Unfortunately, crypto-ransomware uses the same kind of encryption as the software that protects bank transactions or military communications. Files are encrypted with AES-256, so without the key they are in practice impossible to recover (unless you were prepared for the attack with backups, which is discussed later; the only other way out is an implementation mistake by the malware author, and that cannot be counted on). It is estimated that crypto-ransomware extorts over a billion dollars a year. The third type is the so-called disk-encryptor. Unlike crypto-ransomware, it encrypts the victim's entire disk, or the structures needed to boot from it, and so blocks access to the whole computer: the operating system can no longer start.
Here the Spora virus deserves a mention. It appeared at the end of 2016 and works in an atypical way. Ransomware almost always relies on CnC (command-and-control) servers. The server generates a public/private key pair; the ransomware installed on the computer downloads the public key and uses it to encrypt data. The private key, needed for decryption, never leaves the CnC server, and the victim gets it only after paying the ransom. This design has a weakness from the criminals' point of view: a machine that cannot reach the server is not encrypted, and the server is a single point that defenders can block or take down.
Spora attacks without contacting any CnC server and encrypts files offline. It carries an RSA public key embedded in the binary, but it does not use that key to encrypt the files themselves; it uses it to encrypt a unique AES key generated locally on the victim's computer. To pay the ransom, the victim has to upload the encrypted AES key to a website designated by the criminals. They decrypt it with their RSA private key and send the AES key back to the victim, who can then decrypt their files. This is ordinary hybrid encryption: the public key alone gives the victim nothing, and there is no key-exchange traffic for a network defence to block.
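The offline key scheme described above, written out as an added example in Go (this is illustrative code for the article, not Spora's code or anything recovered from it): the victim side generates a random AES-256 key, encrypts data with AES-GCM, wraps the key under an RSA public key assumed to be embedded in the binary, and wipes the plaintext key; the operator side, which alone holds the private key, unwraps it. The key pair, the OAEP label and the sample input are all constructed here for the demonstration. The same two functions also model the CnC variant, the only difference being where the public key comes from.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel is an arbitrary OAEP label (an assumption of this example);
// wrap and unwrap must agree on it.
var oaepLabel = []byte("wrapped-file-key")

// Locked is all the victim is left with: the AES-GCM ciphertext, its nonce,
// and the AES key wrapped under the operator's RSA public key. The plaintext
// AES key is stored nowhere.
type Locked struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// lockOffline is the victim-side step, done with no network contact at all:
// generate a fresh AES-256 key locally, encrypt with AES-GCM, wrap the key
// with the embedded RSA public key, then wipe the key from memory.
func lockOffline(pub *rsa.PublicKey, plaintext []byte) (Locked, error) {
	aesKey := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(aesKey); err != nil {
		return Locked{}, err
	}
	defer zero(aesKey) // the only copy of the key is wiped once wrapped

	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return Locked{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Locked{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Locked{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)

	// RSA-OAEP over the 32-byte key: the public key encrypts the key, not the data.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, oaepLabel)
	if err != nil {
		return Locked{}, err
	}
	return Locked{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// unwrapKey is the operator-side step: only the holder of the matching RSA
// private key can turn the submitted blob back into the AES key.
func unwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
}

// unlock is the victim-side recovery step, possible only once the AES key comes back.
func unlock(aesKey []byte, l Locked) ([]byte, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, l.Nonce, l.Ciphertext, nil)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// roundTrip runs the whole exchange with a freshly generated operator key pair
// (standing in for the key embedded in the binary) and returns the recovered data.
func roundTrip(plaintext []byte) ([]byte, error) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	locked, err := lockOffline(&operator.PublicKey, plaintext)
	if err != nil {
		return nil, err
	}
	// The victim uploads locked.WrappedKey; after payment the operator returns the AES key.
	aesKey, err := unwrapKey(operator, locked.WrappedKey)
	if err != nil {
		return nil, err
	}
	return unlock(aesKey, locked)
}

// wrongKeyFails shows why the victim cannot do this alone: unwrapping with any
// private key other than the operator's yields an error, never the AES key.
func wrongKeyFails() error {
	operator, _ := rsa.GenerateKey(rand.Reader, 2048)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	locked, err := lockOffline(&operator.PublicKey, []byte("x"))
	if err != nil {
		return err
	}
	if _, err := unwrapKey(other, locked.WrappedKey); err == nil {
		return errors.New("unwrap with the wrong private key unexpectedly succeeded")
	}
	return nil
}

func main() {
	sample := []byte("constructed sample document contents") // constructed input
	out, err := roundTrip(sample)
	fmt.Printf("recovered=%q err=%v\n", out, err)
	fmt.Println("wrong-key check (nil means it failed as expected):", wrongKeyFails())
}
```

The point worth taking from the example is that nothing on the victim's machine ever holds the private key, and the AES key exists in plaintext only inside lockOffline until it is wrapped; a forensic image of the disk therefore contains only the RSA-wrapped blob, which is exactly what the victim is asked to upload.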
Danger lurks everywhere
In most cases a computer gets infected with ransomware after the user opens an e-mail attachment or clicks a link leading to a specially prepared website. The fraudsters know a range of psychological tricks to make us open the attachment or click the link: a notice about a courier delivery or tax arrears, a funny cat video, or a link to nude photos of a celebrity. In this way we are lured into opening an attachment that contains the malware, or into clicking a link that leads to its installer. According to Trend Micro, 60% of ransomware is hidden in ordinary multimedia files. Worse still, antivirus software does not always detect such an attack.
Ransomware is also delivered through malicious pop-up advertisements in web browsers, through websites, usually those with pornographic content or pirated software, and through removable media such as USB sticks. In that last case the attack is very often aimed at a particular victim, whether a person or a company. Ransomware authors also bundle their malware with pirated content that users are eager to download from torrents or from warez sites offering films, music and TV shows.
However, staying away from suspicious websites altogether is no guarantee of safety: ransomware has also been served through malicious advertising on very popular news websites. Sites that have already been used this way include msn.com, nytimes.com, bbc.com, theweathernetwork.com and newsweek.com.