Ransomware Attack : An Increasing Threat

On Friday, 12th May 2017, a ransomware attack known as “WannaCry” spread like wildfire, infecting computers in more than 70 countries. Over the weekend it inflicted damage on the data of the National Health Service in the UK, transportation departments in Spain and Germany, immobilized government ministries in Russia, hit FedEx in the USA, and affected countless businesses in over 100 countries. It was a cyber attack of historic proportions and is still escalating across the globe.

What is a ransomware?

The first ransomware emerged in 1989 and was called the AIDS Trojan. The malware was crude and spread via floppy disks. Victims were shown a message instructing them to send US$ 189 to a post office in Panama to pay the ransom. Over time, many variants were created and released.

In simple terms, ransomware is a form of malicious software designed to block access to a computer system until the affected user pays a sum of money. There are basically two types of ransomware making the rounds in the cyber world:

→ The first, and the most common nowadays, is Encrypting ransomware. It incorporates advanced encryption algorithms. It is designed to block system files, encrypt the data files and demand payment for a decryption key that can decrypt the encrypted files.

→ The second is Locker ransomware, which locks the victim out of the operating system, making it impossible to access the desktop, any applications or files. The files are not encrypted in this case, but the attackers still demand a ransom to unlock the infected computer.

→ A related version is Master Boot Record (MBR) ransomware. The MBR is the section of a PC’s hard drive that enables the operating system to boot. When MBR ransomware strikes, the boot process cannot complete as usual and a ransom note is displayed on the screen instead.

The ransomware requires its victims to pay in Bitcoin in order to regain control or restore their data. However, there is no assurance that paying will get your data back.

WannaCry Ransomware

The ransomware “WannaCry”, which has created havoc across the world, is an advanced malware that supports 28 different languages and can encrypt more than 180 different file types. This ransomware uses a Server Message Block (SMB) vulnerability to infect and spread. Here are some key characteristics of WannaCry:

  • It uses strong encryption that prevents the victim from reversing the damage done. This means that once the files have been encrypted, there is no way you can decrypt the files without the key.
  • It can encrypt almost all types of files: documents, spreadsheets, pictures, videos, audio, etc. It scrambles the file names, so identifying which files were affected is nearly impossible.
  • Once it has encrypted the files on a victim’s computer, it displays a notice stating that the data has been encrypted and that the victim now has a specific time limit to pay for decryption. This payment has to be made by purchasing Bitcoin.
  • If the payment is not made within the stipulated time frame, the ransom increases. It is a kind of psychological game played by the attackers.
  • The ransomware uses a complex set of evasion techniques to go undetected by your anti-virus.
  • The ransomware can also employ data export capabilities, which means that it can extract data such as usernames, passwords and email addresses from the affected computer and send it to a predefined network device, such as a server belonging to the attacker.

How does ransomware spread?

Ransomware can spread using many different techniques on the Internet: spam email campaigns, security exploits in unpatched systems, traffic redirection from websites, malicious code injected into web pages, etc. The most common vehicle used to spread it is spam email.

The victim receives an email that looks like a genuine email from a bank, a client or a website. This email carries malware as an attachment. Once the victim clicks on the link or downloads and opens the attachment, a payload (a small piece of software) is placed on the affected computer. This payload then downloads the ransomware from one of the attacker’s servers. The ransomware starts encrypting the files on the entire hard disk and can then even spread to cloud drives that have been added to the computer as network drives. It can also spread to other computers on the network if the affected computer is connected to the local network. The file “tasksche.exe” checks for disk drives, including network shares and removable storage devices mapped to a letter, such as ‘C:’, ‘D:’, etc.

Once the encryption of data is done, the ransomware shows a message asking for the ransom similar to what you see here.

Everything happens so fast that even before you recognize that you are affected, the data is lost. This may raise a question in the victim’s mind: even though an anti-virus was installed on the PC, why did the ransomware go undetected? The answer is the advanced techniques employed to camouflage and deploy the ransomware. The communication between the payload and the server from which the ransomware is downloaded is encrypted, which makes it difficult to detect.
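WannaCry's spread over SMB shows up on the network as one internal host opening connections on TCP port 445 to many other internal hosts in a short time. The following is an added example (not part of the original article) of detection logic for that pattern, run over constructed firewall log lines; the log format, the field names and the sample addresses are all assumptions made for this example.

```python
# Added example (not from the original article): flag hosts that behave like
# an SMB-spreading worm, i.e. one internal source opening TCP/445 connections
# to many distinct internal destinations within a short sliding window.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (format is an assumption for this example):
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.15 -> 10.0.1.20:445 allow
2017-05-12T10:00:02 10.0.1.15 -> 10.0.1.21:445 allow
2017-05-12T10:00:02 10.0.1.15 -> 10.0.1.22:445 deny
2017-05-12T10:00:03 10.0.1.15 -> 10.0.1.23:445 allow
2017-05-12T10:00:03 10.0.1.15 -> 10.0.1.24:445 allow
2017-05-12T10:00:04 10.0.1.15 -> 10.0.1.25:445 allow
2017-05-12T10:00:05 10.0.1.15 -> 10.0.1.26:445 allow
2017-05-12T10:00:10 10.0.1.15 -> 10.0.1.27:445 allow
2017-05-12T10:00:10 10.0.1.15 -> 10.0.1.28:445 allow
2017-05-12T10:00:11 10.0.1.15 -> 10.0.1.29:445 allow
2017-05-12T10:00:12 10.0.1.15 -> 10.0.1.30:445 allow
2017-05-12T10:01:00 10.0.1.40 -> 10.0.1.5:445 allow
2017-05-12T10:02:00 10.0.1.40 -> 10.0.1.5:445 allow
2017-05-12T10:05:00 10.0.1.40 -> 10.0.1.6:445 allow
2017-05-12T10:00:30 10.0.1.50 -> 10.0.1.20:80 allow
"""

def parse_line(line):
    ts, src, _, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)

def smb_fanout_alerts(log_text, window=timedelta(seconds=60), threshold=10):
    """Return {src_ip: max distinct 445 targets seen in any `window`} for
    sources reaching `threshold` or more; denied attempts count too,
    because failed probes are exactly what a scanning worm leaves behind."""
    events = defaultdict(list)
    for line in filter(None, log_text.splitlines()):
        ts, src, dst_ip, port = parse_line(line)
        if port == 445:
            events[src].append((ts, dst_ip))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window start
                start += 1
            targets = {d for _, d in evs[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts
```

Normal file-server use (10.0.1.40 talking to a couple of shares over several minutes) stays below the threshold, while the host probing eleven neighbours in eleven seconds is flagged; tune `window` and `threshold` to the size of your network.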

How can I be safe?

  • Always make sure that you have up-to-date backups. Make this a habit and keep backups in at least two different locations.
  • Always ensure that the software you use is genuine and licensed. This allows your operating system to download the patches released to close the vulnerability.
  • Always use a reliable, paid antivirus product.
  • Install a good firewall in your business network that can perform deep packet inspection and filter network traffic.
  • Recheck the spam settings on your mail server or mailbox so that it blocks or removes suspicious attachments.
  • Educate yourself and others to be extra cautious and refrain from opening attachments that look suspicious. Many people receive emails these days that appear to come from a social site, an eCommerce store where you shop, a law enforcement agency or a bank. Be careful before you open them.
  • If a suspicious process is spotted on your computer, immediately turn off the Internet connection.
  • Do not use the administrator account for your daily work. Instead, create a normal user account with limited privileges.