While working on the next version of the CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide (for the 401 exam), I dug into ransomware. Ransomware is a new topic added to the Security+ 401 exam.
Ransomware is a specific type of Trojan. Attackers take control of the user’s computer and then demand the user pay a ransom to get control back. A common way criminals deliver ransomware is via a drive-by download – a type of Trojan horse. Users visit a malicious website and the website downloads the malware to the user’s system. Some ransomware is embedded in other software similar to a typical Trojan horse. Two ransomware viruses that have attacked many people are the Police Virus and CryptoLocker, and they provide good examples of how ransomware works.
The Police Virus Ransomware
The Police Virus (also known as Trojan Reveton, Police Ukash, and the Moneypak virus) accuses users of being involved in illegal activities and demands that they pay a fine. It often displays a notification from a law enforcement agency such as the U.S. FBI, the Australian Federal Police, or the Metropolitan Police when the computer boots. In some cases, it takes control of the webcam and displays activity in the user’s room. The Police Virus typically demands that victims pay $100 or €100, depending on their location. In some cases, the Police Virus demands as much as $300 or €300 as a fine or penalty, and it promises that if the victim pays, it will remove the messages and return full control of the computer to the user.
One piece of good news is that the Police Virus doesn’t actually encrypt or destroy any data. That isn’t the case with CryptoLocker, another ransomware example.
CryptoLocker Ransomware
CryptoLocker doesn’t try to trick the user but instead uses basic kidnapping and ransom tactics. Compare this to the criminals who kidnapped famous singer Frank Sinatra’s son in 1963 and then demanded a $240,000 ransom. His son was released after the ransom was paid. These stories don’t always end so well, though. Two criminals kidnapped Bobby Greenlease, the son of a millionaire car dealer, and demanded $600,000 in ransom. After it was paid, the criminals killed the boy.
Similarly, CryptoLocker encrypts valuable user files, such as photos, videos, and text documents, and then demands the user pay a ransom of up to $300 or €300. It typically displays a message indicating that the criminals will destroy the decryption key in 72 hours if the user doesn’t pay, effectively locking the user’s data forever. In some cases, it shows a timer counting down to zero, adding a sense of urgency to the user.
Because CryptoLocker uses strong asymmetric encryption techniques to encrypt valuable user files, it is almost impossible to decrypt the data in any reasonable amount of time. In addition to encrypting data on the user’s computer, it also searches for any network drives and encrypts files on them too.
As another twist, the CryptoLocker criminals have recently been offering to restore data after the 72 hours expire, at a highly inflated price of as much as $2300. This indicates that the criminals have kept the decryption key but removed its association with the victim. If the victim gives them an encrypted file, they use it to find the matching key.
Just as many parents are willing to pay a ransom to save their children, the success of these types of ransomware indicates that many people are willing to pay a ransom to restore their data. PandaLabs reported in its 2013 annual report that ransomware has been on the rise and is one of the most common types of malware. It predicted that ransomware will be one of the most pervasive threats in 2014.
Ransomware is a type of malware that takes control of a user’s system or data. Criminals then attempt to extort payment from the victim. Ransomware often includes threats to damage the user’s system or data if the victim does not pay the ransom.
Protections
The best protection against this type of ransomware is to have good backups. If your system becomes infected and you can’t remove the malware, you can rebuild your operating system from scratch and restore your data. Admittedly, that will take some time and be a little painful, but not nearly as painful as losing all your data.
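Backups recover the data afterwards; a complementary defensive check is to notice when user files on a share start turning into ciphertext. The script below is an added example, not part of the original post: it flags a file as probably encrypted when its bytes are near-uniform (high Shannon entropy) and, for formats that are compressed anyway (JPEG, PDF, DOCX/ZIP), only when the format header has also been overwritten, which avoids false positives on healthy compressed files. The threshold, the header table, and the constructed sample files are my assumptions.

```python
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits/byte; assumed cutoff, tune for your environment
MIN_SIZE = 256           # tiny files give a noisy entropy estimate; skip them
# Leading bytes of formats that are high-entropy even when healthy. Ransomware
# that overwrites the whole file destroys this header; a healthy file keeps it.
MAGIC = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG", ".pdf": b"%PDF",
         ".docx": b"PK\x03\x04", ".zip": b"PK\x03\x04"}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for English text, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path: str) -> bool:
    """High entropy, and (for compressed formats) the expected header is gone."""
    with open(path, "rb") as f:
        data = f.read(65536)  # the first 64 KiB is enough to judge the distribution
    if len(data) < MIN_SIZE or shannon_entropy(data) < ENTROPY_THRESHOLD:
        return False
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    return magic is None or not data.startswith(magic)

def scan_share(root: str) -> list:
    """Return paths under root (e.g. a mounted network drive) that look encrypted."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if looks_encrypted(path):
                hits.append(path)
    return sorted(hits)

def build_sample_share() -> str:
    """Constructed sample data: two healthy files and one overwritten with ciphertext."""
    root = tempfile.mkdtemp(prefix="share_")
    uniform = bytes(range(256)) * 16  # deterministic stand-in for encrypted output
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("Quarterly notes for the board. " * 60)  # low entropy: healthy
    with open(os.path.join(root, "report.docx"), "wb") as f:
        f.write(b"PK\x03\x04" + uniform)  # high entropy but valid header: healthy
    with open(os.path.join(root, "photo.jpg"), "wb") as f:
        f.write(uniform)  # high entropy and no JPEG header: flagged
    return root
```

Running `scan_share(build_sample_share())` returns only the overwritten `photo.jpg`; on a real share, a sudden jump in the number of hits between two scans is the signal worth alerting on.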
Of course, it’s also useful to follow safe computing practices to avoid infections from this type of malware or any other. This includes:
- Don’t click on links within emails from unknown sources (no matter how curious you might be)
- Don’t open attachments from unknown sources (malware can be embedded into many different files such as PDFs, Word documents, Zip files, and more)
- Be wary of free downloads from the Internet (many entice you with something free but include malware)
- Limit information you post on social media sites (criminals use this to answer password reset questions)
- Keep the computer up-to-date with current patches (but beware of zero-day exploits)
- Keep antivirus software up-to-date (but don’t depend on it to catch everything)