Ransomware, the “gift” that keeps on giving. The more I research this phenomenon, the more I realize how little I actually know about it; I have barely scratched the surface. Unfortunately, there is not enough awareness of this topic in today's society. We hold fire drills on a regular basis to mitigate the risk of a fire breaking out in a company, but what about cyber threats?
We now know that this phenomenon poses a great danger to companies and individuals alike. Ransomware does much more than encrypt the data on one endpoint or another. Most ransomware types need to be activated: they add themselves to the Startup menu under a random name and try to communicate with a command and control server. If successful, the server sends a public key and a corresponding Bitcoin address. Using asymmetric encryption, the ransomware then begins encrypting more than 70 types of files that might be present on the infected endpoint.
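The encryption phase described above has a side effect a defender can watch for: one process touching many files of many different types in a very short time. The following detector is an added example, not code from the original post; its comma-separated event format, the process names and the `.locked` extension are constructed for the illustration, and the thresholds are assumptions to be tuned against a real file-activity feed (EDR, Sysmon, audit logs).

```python
"""Toy detector for the burst of file modifications an encrypting process produces.

Added example, not from the original post. The event format is constructed
for this example and does not correspond to any particular product's export:
  <epoch_seconds>,<process>,<action>,<path>,<new_path>
where new_path is empty unless the action is a rename.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 10          # look-back window per process (assumed tuning value)
MIN_FILES = 5                # distinct files touched inside the window
MIN_DISTINCT_EXTENSIONS = 4  # spread across at least this many file types

# Constructed sample: a word processor saving two files, a backup job, and a
# process that renames many different document types within two seconds.
SAMPLE_EVENTS = r"""
1000,winword.exe,write,C:\Users\a\Docs\q1.docx,
1003,winword.exe,write,C:\Users\a\Docs\q2.docx,
1100,svchosts.exe,rename,C:\Users\a\Docs\q1.docx,C:\Users\a\Docs\q1.docx.locked
1100,svchosts.exe,rename,C:\Users\a\Docs\budget.xlsx,C:\Users\a\Docs\budget.xlsx.locked
1101,svchosts.exe,rename,C:\Users\a\Pictures\cat.jpg,C:\Users\a\Pictures\cat.jpg.locked
1101,svchosts.exe,rename,C:\Users\a\Docs\notes.txt,C:\Users\a\Docs\notes.txt.locked
1102,svchosts.exe,rename,C:\Users\a\Docs\deck.pptx,C:\Users\a\Docs\deck.pptx.locked
1102,svchosts.exe,rename,C:\Users\a\Docs\scan.pdf,C:\Users\a\Docs\scan.pdf.locked
1300,backup.exe,write,C:\Backups\2017-02-01.zip,
"""


def extension(path):
    """File extension without the dot, independent of the host OS path rules."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse_events(text):
    """Parse the constructed event format into (ts, process, action, path, new_path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, action, path, new_path = line.split(",")
        events.append((int(ts), proc, action, path, new_path))
    return events


def detect_mass_modification(events, window=WINDOW_SECONDS,
                             min_files=MIN_FILES, min_exts=MIN_DISTINCT_EXTENSIONS):
    """Return one alert per process whose recent file activity looks like bulk encryption."""
    recent = defaultdict(deque)   # process -> (ts, path, new_path) still inside the window
    alerted = set()
    alerts = []
    for ts, proc, _action, path, new_path in sorted(events, key=lambda e: e[0]):
        window_events = recent[proc]
        window_events.append((ts, path, new_path))
        while ts - window_events[0][0] > window:   # drop events older than the window
            window_events.popleft()
        touched = {p for _, p, _ in window_events}
        source_exts = {extension(p) for p in touched}
        if proc in alerted or len(touched) < min_files or len(source_exts) < min_exts:
            continue
        alerted.add(proc)
        alerts.append({
            "process": proc,
            "at": ts,
            "files": len(touched),
            "source_extensions": sorted(source_exts),
            "target_extensions": sorted({extension(n) for _, _, n in window_events if n}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_modification(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The two legitimate processes never cross both thresholds (the word processor touches one file type; the backup job touches one file), while the renaming process is flagged on its fifth file, after two seconds, with the uniform new extension reported so an analyst can pivot on it. In production the same logic would be fed by the endpoint's file-event telemetry and would also whitelist known bulk-editing tools.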
Fileless malware is unusual and difficult for regular antivirus software to detect. Its malicious code is embedded in a native scripting language or written straight into the computer’s RAM, where it hides in isolated spots of memory. It is not written to disk, nor does the malicious code rely on the hard drive to run its commands, which makes software that prevents hard-drive encryption mostly ineffective. Non-malware, also known as fileless ransomware, does not (unlike traditional ransomware) use files to encrypt your data; instead it writes scripts or macros built on PowerShell to encrypt the files.
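Because the script never lands on disk, the most useful artifact a defender has is the process-creation record: what launched PowerShell and with which command line. The triage routine below is an added example, not code from the original post. It assumes a constructed pipe-separated event format (timestamp, user, parent image, image, command line), decodes any `-EncodedCommand` payload (which PowerShell accepts under any unique prefix of the flag and expects as base64 of UTF-16LE text) so the hidden script is scanned too, and treats an Office application as parent as one more trait, matching the macro path described above. The indicator list and the alert threshold are assumptions to tune locally.

```python
"""Triage of PowerShell process-creation events for fileless-malware traits.

Added example, not from the original post. The log format is constructed for
this example and matches no particular EDR or Windows event export:
  <timestamp>|<user>|<parent_image>|<image>|<command_line>
"""
import base64
import binascii
import re

# Every unique prefix of -EncodedCommand that powershell.exe accepts (-e, -ec, ... -encodedcommand).
ENCODED_FLAGS = {"-" + "encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)}

# Traits scanned in both the visible command line and any decoded payload.
INDICATORS = {
    "hidden-window": re.compile(r"-w[a-z]*\s+hidden", re.I),
    "no-profile": re.compile(r"-nop[a-z]*", re.I),
    "policy-bypass": re.compile(r"-e[a-z]*\s+(?:bypass|unrestricted)", re.I),
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "base64-decode": re.compile(r"frombase64string", re.I),
    "web-download": re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", re.I),
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ALERT_THRESHOLD = 2   # assumed: a single trait (e.g. -NoProfile) is common in admin scripts


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None if absent/undecodable."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENCODED_FLAGS:
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
            except (binascii.Error, ValueError):
                return None
            return raw.decode("utf-16le", errors="replace")
    return None


def analyze(parent_image, cmdline):
    """Score one PowerShell launch: distinct traits across command line, decoded payload and parent."""
    decoded = decode_encoded_command(cmdline)
    found = set()
    if decoded is not None:
        found.add("encoded-command")
    for text in (cmdline, decoded or ""):
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                found.add(name)
    if parent_image.lower() in OFFICE_PARENTS:
        found.add("office-parent")
    return {"score": len(found), "indicators": sorted(found), "decoded": decoded}


def triage(log_text, threshold=ALERT_THRESHOLD):
    """Return alert records for PowerShell launches at or above the threshold."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, parent, image, cmdline = line.split("|", 4)
        if image.lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        result = analyze(parent, cmdline)
        if result["score"] >= threshold:
            alerts.append({"time": ts, "user": user, "parent": parent, **result})
    return alerts


# Constructed sample: the encoded payload is built at runtime so the test can
# check the round trip; it is a harmless one-liner, not a real malware script.
ENCODED_PAYLOAD = base64.b64encode("Invoke-Expression $p".encode("utf-16le")).decode("ascii")
SAMPLE_LOG = (
    "2017-02-01T09:00:01|alice|explorer.exe|powershell.exe|"
    "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1\n"
    "2017-02-01T09:14:33|alice|winword.exe|powershell.exe|"
    f"powershell.exe -nop -w hidden -ep bypass -enc {ENCODED_PAYLOAD}\n"
    "2017-02-01T09:30:00|svc_backup|services.exe|cmd.exe|cmd.exe /c C:\\Backups\\nightly.bat\n"
)

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

The admin's `-NoProfile -File` launch scores one trait and stays below the threshold; the Word-spawned launch scores six (hidden window, no profile, policy bypass, encoded command, an `Invoke-Expression` found only after decoding, and the Office parent) and is reported together with the decoded script, which is what an analyst needs to see since nothing else of it exists on disk.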
Fileless ransomware leaves little trace behind, nor can it be detected with any antivirus software. This ransomware type gives cyber criminals access to all systems, meaning that they can infiltrate computers, steal your information and encrypt files without the IT staff even knowing.
This foothold can lead to more attacks. While the cyber criminals are writing scripts, they are also gathering as much data from the victim’s computer as possible. The moment a company discovers the breach is usually when the damage has already been done: when the cyber criminals decide they have enough leverage to ask for a ransom and to have that ransom paid in full. Do not be deceived; they have backup plans if plan A, getting the ransom, does not succeed.
Take this case from San Francisco, in the US, in November of last year. This institution has millions of dollars invested in IT security, yet hundreds of desktops were hit.
Government is not spared either: this county in Ohio lost its servers to ransomware.
https://techcrunch.com/2017/02/02/ransomware-completely-shuts-down-ohio-town-government/
Another government institution was hit in Indiana last year. Dave Bursten of the Indiana State Police stated that it has been like working in the 80s: "we're doing everything with pencil and paper."
Due to low investments in IT security, police departments are prime targets for ransomware:
http://www.cnbc.com/2016/04/26/ransomware-hackers-blackmail-us-police-departments.html
There is help out there. The FBI has published a lot of information for the general public about the dangers of ransomware. "There isn't one method or tool that will completely protect you or your organization from a ransomware attack," said FBI Cyber Division Assistant Director James Trainor.
https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise
Many times the encrypted information is also exfiltrated to the attackers, giving them leverage in case payment of the ransom is refused.
As long as companies, institutions and even individuals do not take cybersecurity seriously, ransomware will flourish, because there will be little to stop the criminals from reaching their purpose: getting money for the data they have encrypted.
About the author:
Ioan Hipp is not a mathematical genius, a world-renowned expert or a prominent figure in the cybersecurity industry. He is simply someone passionate about the new cyber world that our IoT is developing into, a storyteller and a contributor to a better society.