February 9, 2018
Ransomware: The Digital Captor
The word "ransomware" is made up of two words: ransom and ware. Literally, a ransom is money demanded for the release of a captive, and "-ware" denotes a specific type of software. Here the captive is not a real person but digital files and media. In short, ransomware is malware that infects a system, encrypts its files and restricts access to the system; the attackers then demand money to decrypt the files and restore access. There was a time when ransomware was aimed at individual systems, but businesses are now well within its reach.
The very first known ransomware in digital history was PC Cyborg. This attack was initiated in 1989 by Joseph Popp, an AIDS researcher, who circulated some thousands of floppy disks around the world, claiming they contained AIDS research information and results. The malicious program would not run immediately but sat dormant until the system had been turned on 90 times. Once that threshold was reached, the malware activated on the individual systems and displayed a message demanding payment. For this reason it also became known as the AIDS Trojan. Ransomware attacks largely went quiet after this first one, only to return in the mid-2000s with a much more powerful effect. Early on, the encryption code was usually written by the malware developers themselves. Eventually, attackers started using specialised cryptographic libraries, as these offer a significant level of complexity and are much harder to break. With these capabilities the world witnessed the birth of a new type of ransomware: CryptoLocker and CryptoWall. They became favourite tools of cyber attackers for extorting money. In 2013, CryptoLocker alone infected more than 2 lakh systems worldwide and harvested around $3 million for its creators, Gameover ZeuS. But soon its encryption scheme was studied and the private keys the ransomware used were recovered, ultimately killing it off. This was accomplished under a white-hat campaign, Operation Tovar. By this time, however, CryptoLocker had already become the basis for other ransomware, and many variants soon arose, one of them being TeslaCrypt, which in a very short period accounted for 48% of ransomware attacks.
The Recent Scare: WannaCry
In May 2017, one of the most unprecedented ransomware attacks rocked the globe. It literally shut down hospitals and other institutions in Europe and, within 4 days, spread across 116 countries. This was the WannaCry ransomware.
How did it infect PCs?
WannaCry exploited a vulnerability in the Server Message Block (SMB) protocol implementation (CVE-2017-0144) in the Windows operating system. The SMB protocol is used for communication between nodes on a network. This vulnerability allowed remote code execution when an attacker sent a specially crafted request to the SMB server.
The ransomware then propagated to other unpatched systems on the LAN, delivering its malicious payload to each of them over the same SMB channel.
Once on a system, WannaCry would not immediately start encrypting files. Instead, it would first try to connect to a hard-coded, random-looking URL; if the connection succeeded, it shut itself down. Many researchers believe the main reason for this behaviour was to hinder analysis: the sandboxes analysts use often answer every outbound request, so a sample that sees a successful connection would simply exit before revealing anything.
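The two behaviours just described, worm-like fan-out over SMB (TCP port 445) and a lookup of a hard-coded domain before encryption starts, are both visible to a defender in network logs. The following is an added example (not code from the original article, and not derived from any real WannaCry analysis): it parses a few constructed firewall and DNS log lines in an assumed format, flags any host that reaches an unusual number of distinct SMB peers within a short window, and reports lookups of domains on a defender-maintained sinkhole watchlist. The watchlist entry `killswitch-placeholder.invalid` is a placeholder, since the article does not name the real domain; the log format, thresholds and window are assumptions made for this example.

```python
"""Added example: detect SMB fan-out and sinkhole-domain lookups in logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Assumed format:
#   <ISO timestamp> <CONN|DNS> <src_ip> -> <dst_ip> <tcp/port | queried domain>
SAMPLE_LOGS = """\
2017-05-12T09:00:01 CONN 10.0.0.15 -> 10.0.0.20 tcp/445
2017-05-12T09:00:02 CONN 10.0.0.15 -> 10.0.0.21 tcp/445
2017-05-12T09:00:02 CONN 10.0.0.15 -> 10.0.0.22 tcp/445
2017-05-12T09:00:03 DNS  10.0.0.15 -> 10.0.0.2 killswitch-placeholder.invalid
2017-05-12T09:00:03 CONN 10.0.0.15 -> 10.0.0.23 tcp/445
2017-05-12T09:00:04 CONN 10.0.0.15 -> 10.0.0.24 tcp/445
2017-05-12T09:00:05 CONN 10.0.0.15 -> 10.0.0.25 tcp/445
2017-05-12T09:00:09 CONN 10.0.0.30 -> 10.0.0.5 tcp/445
2017-05-12T09:00:10 CONN 10.0.0.30 -> 10.0.0.5 tcp/445
2017-05-12T09:01:00 DNS  10.0.0.31 -> 10.0.0.2 intranet.example
"""

# Placeholder watchlist of sinkholed domains (the real kill-switch domain is
# not named in the article, so a labelled placeholder stands in for it).
KILLSWITCH_WATCHLIST = {"killswitch-placeholder.invalid"}

# Assumed tuning: a normal workstation rarely opens SMB sessions to this many
# distinct peers in one minute; a propagating worm does so within seconds.
FANOUT_THRESHOLD = 5
FANOUT_WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Split one log line in the assumed format into a dict of fields."""
    ts, kind, src, _arrow, dst, detail = line.split()
    return {"ts": datetime.fromisoformat(ts), "kind": kind,
            "src": src, "dst": dst, "detail": detail}


def smb_fanout_sources(events):
    """Return {src_ip: peak distinct TCP/445 peers} for hosts over threshold."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "CONN" and e["detail"] == "tcp/445":
            by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a window starting at each connection; count distinct peers.
        for start in evs:
            end = start["ts"] + FANOUT_WINDOW
            peers = {e["dst"] for e in evs if start["ts"] <= e["ts"] <= end}
            if len(peers) >= FANOUT_THRESHOLD:
                flagged[src] = max(flagged.get(src, 0), len(peers))
    return flagged


def killswitch_lookups(events):
    """Return (src_ip, domain) pairs for DNS queries hitting the watchlist."""
    return [(e["src"], e["detail"]) for e in events
            if e["kind"] == "DNS" and e["detail"].lower() in KILLSWITCH_WATCHLIST]


def analyse(log_text):
    """Run both detections over raw log text and return their findings."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {"smb_fanout": smb_fanout_sources(events),
            "killswitch_dns": killswitch_lookups(events)}


if __name__ == "__main__":
    findings = analyse(SAMPLE_LOGS)
    for src, peers in findings["smb_fanout"].items():
        print(f"SMB fan-out: {src} reached {peers} distinct peers on tcp/445")
    for src, domain in findings["killswitch_dns"]:
        print(f"Sinkhole lookup: {src} queried {domain}")
```

On the constructed input, 10.0.0.15 is flagged for reaching six distinct SMB peers inside the window and for the watchlist lookup, while 10.0.0.30 (two sessions to a single file server) is not. The DNS signal is worth keeping even though a successful sinkhole response stops the sample: the query itself shows that a copy executed on that host, and hosts that cannot resolve the domain (isolated segments, proxies that drop direct requests) receive no such reprieve and go on to encrypt.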
The WannaCry attack was followed by Petya, the second most threatening ransomware attack after WannaCry.
Why we may never catch the perpetrators
Earlier encryption malware would ask victims to make a payment through a middleman or third party (banks etc.) for the decryption of files, which also led to the hackers being caught. But with the growing popularity of cryptocurrency, due to the anonymity it offers its users along with other advantages, the possibility of finding the perpetrator has become very bleak. The cryptocurrency Bitcoin has become the new favourite of ransomware attackers for demanding ransom. A cryptocurrency is a decentralised digital currency: it is purely a phenomenon of protocols (block-chains) and procedures in which value is exchanged without a third party such as a bank. Transactions take place directly from one user to another. However, there is no guarantee that, even after making the payment, the victim will receive the key to decrypt the files.
In January 2016, 1 Bitcoin was valued at USD$431. Since then, its value has risen dramatically to USD$7401 as of January 2018.