Ransomware is malicious software that an attacker has tricked the victim into installing on their system. It then holds the files on the victim's system hostage, locked with strong and often unbreakable encryption, until the victim pays the amount demanded by the perpetrator. It has become a problem that strikes not only individuals but also companies.
The most rapidly growing category of malware is cryptographic ransomware, software that infects a computer through the same means as other malicious software, and then quietly scrambles users’ files, making them unreadable. By the time victims discover the problem, the malware explains to them they have to pay a fee for the encryption key that will make their files usable again.
Ransomware is no different from other infections that spread indiscriminately, hitting older operating systems, unpatched systems, and those running Flash and Java. What makes it stand out from other malware is its purpose: to extort money by making demands of the victim. Most other malware is designed to be stealthy, stealing information without the user knowing, or carrying out business unrelated to the user whose machine has been compromised.
Recently, two research teams have been working on new ways to detect ransomware before it can do real damage to its targeted victims. Most antivirus software makers are a bit behind on specific ransomware detection at present, but they are working to improve in this area.
While the perpetrators who design the malware have strong encryption readily available, the victims of ransomware most often do not get access to their files back unless they pay the fee demanded. The few lucky victims are those who frequently back up their files on another system or an external drive that has not been infected.
Ransomware relies on “honor among thieves,” and most of the time paying the fee does release the necessary encryption key. Preventing an infection or stopping it in its tracks is the only other way out.
According to a recent Symantec report in 2015, 38% of organizational infections in the business sector were ransomware, and the average ransom demand has more than doubled, to $679 per individual attack, up from $294 at the end of 2015.
A now popular ransomware trojan, Trojan.Cryptolocker.AF, was discovered in February 2016 by Symantec. It is a Trojan horse that encrypts files on the compromised computer and may also delete the system's Volume Shadow Copies. The Trojan then displays a ransom note as the computer's wallpaper until the demanded payment is made.
A case of ransomware made news back in February this year, when a Los Angeles hospital paid $17,000 in bitcoin to ransomware hackers. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom,” stated the hospital's chief executive.
Researchers are currently working out new ways to combat ransomware, and may have found solutions that help stop these attacks. However, malware developers are devising new ways of getting around security systems every day.
A team of researchers at Northeastern University created an offline scanning system named Unveil. It launches suspected malware in a protected virtual environment, monitors its behavior in a controlled way, and checks whether a ransom-style screen appears, then rapidly decides whether or not the sample is ransomware. The Unveil researchers tested a large sample of malware collected in the wild and estimated a nearly 97 percent accuracy rate in identifying a subset of about 14,000 ransomware variants; they even discovered a new family that anti-malware firms didn't know about.
Another group of researchers, from the University of Florida and Villanova University, created CryptoDrop, a real-time monitoring system that can rapidly detect and halt ransomware. CryptoDrop was tested against 492 known samples drawn from 14 major ransomware families and recognized 100 percent of them in real time, with a median loss of only 10 files before the activity was recognized and halted.
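As an added illustration (not CryptoDrop's own code, nor the Unveil system), the Python sketch below shows the kind of behavioural indicator a real-time file monitor can act on: a process that replaces several readable files with high-entropy content within a short window is blocked after only a handful of writes, so that few files are lost. The class, thresholds and sample data are constructed for this example and are not taken from either research project.

```python
import math
import random
from collections import deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class WriteMonitor:
    """Hypothetical detector: block a pid that rewrites `threshold` readable files as high-entropy data within `window` s."""
    def __init__(self, threshold=5, window=10.0, entropy_cutoff=7.0):
        self.threshold, self.window, self.cutoff = threshold, window, entropy_cutoff
        self.events = {}      # pid -> deque of (timestamp, path) for suspicious writes
        self.blocked = set()  # pids whose further writes are refused

    def observe(self, pid, ts, path, before, after) -> bool:
        # Returns True when the write must be blocked (process flagged as ransomware).
        if pid in self.blocked:
            return True
        # Indicator: a low-entropy (readable) file rewritten as near-random bytes.
        if shannon_entropy(before) < self.cutoff <= shannon_entropy(after):
            q = self.events.setdefault(pid, deque())
            q.append((ts, path))
            while q and ts - q[0][0] > self.window:   # forget events outside the window
                q.popleft()
            if len({p for _, p in q}) >= self.threshold:
                self.blocked.add(pid)
                return True
        return False

def simulate() -> dict:
    """Constructed scenario: a benign editor saves text, then a ransomware-like process overwrites documents."""
    rng = random.Random(7)
    plaintext = b"Quarterly report: revenue, costs, headcount.\n" * 90
    mon = WriteMonitor(threshold=5, window=10.0)
    editor_blocked = mon.observe(100, 0.0, "notes.txt", plaintext, plaintext + b"edit\n")
    lost = 0
    for i in range(20):
        junk = bytes(rng.getrandbits(8) for _ in range(4096))   # stands in for ciphertext
        if mon.observe(200, 1.0 + i * 0.1, f"doc{i}.docx", plaintext, junk):
            break
        lost += 1   # files already overwritten before the monitor reacted
    return {"editor_blocked": editor_blocked, "files_lost": lost, "ransomware_blocked": 200 in mon.blocked}
```

In the constructed run the editor is never flagged, while the encrypting process is stopped at its fifth file, so four files are lost; real systems combine several such indicators (file type changes, deletions, similarity) to keep false positives low.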
Security software developers say new approaches to blocking ransomware will increasingly be incorporated across the security software industry. Putting in stricter checks before an application can launch, such as consulting a central database to see whether the app has ever been run on any computer anywhere in the world, is among the strategies firms are willing to discuss.
Ways to protect your system:
- Keep the operating system updated to patch and fix vulnerabilities
- Keep anti-virus software updated with the latest virus definitions
- Keep the firewall active to block unknown connections
- Disable Autorun (CD/USB)
- Turn off remote access to the system
- Enable file sharing protection
- Back up personal data
- Do not open unknown links or attachments in emails and on websites
If you notice any strange or unusual activity, including a ransomware pop-up or screen change, disconnect from the Wi-Fi or unplug the network cable immediately to try to prevent further damage. You can then attempt to remove the virus with an anti-virus removal tool, or use System Restore.
A tip if you're a victim of ransomware: set the BIOS clock back.
Cryptolocker has a payment timer that is generally set to 72 hours; once it expires, the price of the decryption key needed to unlock your files increases significantly. You can “beat the clock” somewhat by setting the BIOS clock back to a time before the 72-hour window is up.
Sources:
- Symantec: Cryptolocker
- Symantec: ISTR 2016, Ransomware and Businesses, Report 2016
- Los Angeles hospital paid $17,000 in bitcoin to ransomware hackers
- Two Ways to Stop Ransomware in Its Tracks
- WeLiveSecurity
- CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data
- UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware