Codepath

Ransomware

Ransomware is malware that restricts access to a computer or its data and demands money to remove the restriction. It is distributed via email attachments, phishing links, or drive-by downloads.

Early examples of ransomware would lock up an operating system and display a message demanding money to regain use of the computer. They were a nuisance but not particularly effective.

"Your computer contains illegal software and pornography. Authorities will be contacted unless you pay a fine."

Recent versions of ransomware are more potent. They use strong encryption algorithms to encrypt files of particular types (documents, images, and other user data) wherever the infected machine can write: local drives, shared and networked drives, and cloud-synced folders such as Dropbox, whose sync client faithfully uploads the encrypted copies. The malware then demands that the user pay to receive the key needed to decrypt them.

"All files on your computer have been encrypted. You must pay a ransom within 72 hours to regain access to your data."

Payments are typically around $200-400, payable in bitcoin, cash vouchers, or gift cards, which are difficult to trace. Paying may or may not yield a working key, and even when the key is delivered, the malware and any backdoors it installed may remain on the computer.

Ransomware is growing rapidly. From 2013 to 2015 the share of new malware samples that were new ransomware variants grew each year (2013: 20%, 2014: 40%, 2015: 60%), and 2016 has been dubbed "the year of ransomware". According to one analysis, 93% of phishing emails now carry ransomware, while phishing volume itself has increased 789%.

A single ransomware strain can hit 5,000 computers a day and generate an estimated $5 million a year in payments. Attackers have shifted toward targeting businesses, which are more willing and able to pay than individuals: the lost files and downtime are worth far more to a company than a few hundred dollars.


Biggest Names in Ransomware

  • CryptoWall
  • CryptoLocker
  • TorrentLocker
  • Chimera
  • CTB Locker
  • TeslaCrypt
  • Ransom32
  • Locky
  • MSIL/Samas

Ransomware Preventions

The best prevention is to back up files regularly and to keep the backups on offline media, disconnected from the computer and its network shares; anything the infected machine can write to, the malware can encrypt or delete. (MSIL/Samas, for example, deletes any backup files it finds.) Keep more than one generation so that a snapshot taken before the infection survives, and test a restore occasionally. This will not prevent an infection, but it greatly limits the damage.
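The difference between a backup that merely mirrors the live folder and one that keeps versioned snapshots is easiest to see by running both against a simulated infection. The script below is an added example written for this page (it is not Codepath's code); the "ransomware" is a stand-in that XORs file contents and appends ".locked", the sample documents are constructed inline, and everything happens in a throwaway temp directory.

```python
"""Versioned snapshots vs. a mirroring sync folder, simulated on disk.

Added example for this page (not Codepath's code). The encryptor below is a
harmless stand-in: it XORs file contents and renames them to *.locked, which
is enough to show why a backup that mirrors the live folder offers no
protection while an untouched earlier snapshot does.
"""
import shutil
import tempfile
from pathlib import Path


def snapshot_backup(src: Path, backup_root: Path, label: str) -> Path:
    """Copy src into a new directory backup_root/label and never overwrite it.

    Each run creates a fresh snapshot and leaves earlier ones alone, which is
    what lets you roll back to a pre-infection copy. In real use backup_root
    would be removable media or a host the workstation cannot write to once
    the job finishes (assumed deployment detail, not shown here).
    """
    dest = backup_root / label
    if dest.exists():
        raise FileExistsError(f"snapshot {label} already exists; refusing to overwrite")
    shutil.copytree(src, dest)
    return dest


def mirror_sync(src: Path, mirror: Path) -> None:
    """Naive one-way sync: the mirror always equals src, like a cloud sync folder.

    Whatever the malware rewrites in src is pushed straight to the mirror, so
    the 'backup' ends up exactly as encrypted as the original.
    """
    if mirror.exists():
        shutil.rmtree(mirror)
    shutil.copytree(src, mirror)


def fake_ransomware(victim_dir: Path, key: int = 0x5A) -> int:
    """Simulated encryptor: XOR every .txt file, rename it to .txt.locked, return the count."""
    count = 0
    for path in list(victim_dir.rglob("*.txt")):   # list() so renames don't disturb iteration
        data = path.read_bytes()
        path.with_name(path.name + ".locked").write_bytes(bytes(b ^ key for b in data))
        path.unlink()
        count += 1
    return count


def restore_snapshot(snapshot: Path, target: Path) -> None:
    """Replace target with the contents of an earlier snapshot."""
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(snapshot, target)


def run_scenario() -> dict:
    """Back up, get 'infected', sync the damage, then recover from the clean snapshot."""
    work = Path(tempfile.mkdtemp(prefix="ransom-demo-"))
    docs = work / "documents"
    docs.mkdir()
    (docs / "invoice.txt").write_text("Invoice 1234: pay $400")   # constructed sample data
    (docs / "notes.txt").write_text("quarterly planning notes")
    backups = work / "backups"
    backups.mkdir()
    mirror = work / "cloud-mirror"

    snapshot_backup(docs, backups, "2016-03-01")   # taken before the infection
    mirror_sync(docs, mirror)

    encrypted = fake_ransomware(docs)
    mirror_sync(docs, mirror)                      # the sync client pushes the damage
    snapshot_backup(docs, backups, "2016-03-02")   # post-infection snapshot: useless but harmless

    restore_snapshot(backups / "2016-03-01", docs)
    result = {
        "files_encrypted": encrypted,
        "mirror_has_clean_copy": (mirror / "invoice.txt").exists(),
        "restored_invoice": (docs / "invoice.txt").read_text(),
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(run_scenario())
```

After the run the mirror holds only the .locked copies, while the first snapshot restores the original text intact; a snapshot taken after the infection is just as useless as the mirror, which is why several generations matter.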

Ransomware is primarily delivered via drive-by downloads and phishing emails, so the standard precautions against those are good prevention against ransomware. Email spam filtering can stop phishing emails from arriving, and users should ignore or block attachments from suspicious sources. Disable Office macros, or at least block macros in documents that arrived by email or from the internet: many ransomware attachments are documents which, when opened, ask the user to click "Enable Editing" and then "Enable Content", which runs the embedded macro that downloads the ransomware.
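A mail gateway can refuse macro-bearing attachments outright instead of relying on the user to decline the "Enable Content" prompt. The filter below is an added example for this page, not Codepath's code or any mail product's API. It relies on one documented fact about the modern Office formats: a .docx/.docm/.xlsm/.pptm file is a ZIP package, and if the document has a VBA project it is stored as a part named vbaProject.bin (word/, xl/ or ppt/ prefix). The sample "documents" are constructed in memory and are not real Office files.

```python
"""Reject Office attachments that carry VBA macros before they reach a user.

Added example for this page (not Codepath's code). Modern Office files are ZIP
packages; a macro project, if present, is a part named vbaProject.bin. Legacy
binary formats (.doc/.xls/.ppt) are OLE2 compound files that this filter does
not parse, so it quarantines them for inspection rather than passing them.
"""
import io
import os
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # header of .doc/.xls/.ppt compound files
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
CONTENT_TYPES = "[Content_Types].xml"              # present in every OOXML package


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'macro', 'inspect' or 'clean' for one attachment.

    'macro'   : OOXML package containing a vbaProject.bin part, whatever the
                extension says (the extension is the sender's to choose).
    'inspect' : legacy OLE2 binary, or a macro-capable extension whose body
                could not be parsed; quarantine and check with a dedicated tool.
    'clean'   : everything else.
    """
    if data.startswith(OLE2_MAGIC):
        return "inspect"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        ext = os.path.splitext(filename)[1].lower()
        return "inspect" if ext in MACRO_EXTENSIONS else "clean"
    if CONTENT_TYPES not in names:
        return "clean"            # a ZIP, but not an Office package
    for name in names:
        if name.lower().endswith("vbaproject.bin"):
            return "macro"
    return "clean"


def filter_attachments(attachments):
    """Map a list of (filename, bytes) to (filename, verdict) pairs."""
    return [(fn, classify_attachment(fn, blob)) for fn, blob in attachments]


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal Word-like package for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CONTENT_TYPES, "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inbound mail: one clean report, one "invoice" with a macro
    # project hiding behind a .docx name, one legacy .doc we cannot inspect.
    mail = [
        ("report.docx", build_ooxml(False)),
        ("invoice.docx", build_ooxml(True)),
        ("old_contract.doc", OLE2_MAGIC + b"\x00" * 16),
    ]
    for name, verdict in filter_attachments(mail):
        print(f"{name}: {verdict}")
```

Checking the package contents rather than the extension is the point: renaming invoice.docm to invoice.docx does not remove the vbaProject.bin part, so the filter still flags it.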

Application whitelisting, which is becoming increasingly popular, is a good way to block malware: the only software that can run is software that has been granted explicit permission to run, so an unknown ransomware executable dropped by a macro or an exploit kit is denied by default.

Another prevention is to block Tor traffic where possible. Ransomware frequently uses Tor to communicate between the infected computer and its command-and-control server, so blocking it at the network perimeter denies the malware that channel.
