Ransomware: Developments and Impacts

3055 words (12 pages) Essay in Information Technology

18/05/20 Information Technology

This work has been submitted by a student.

1. Introduction

Ransomware is one of the most prominent current threats to the data, files and other digital information stored on our drives. Ransomware is a subset of malware that works by locking the desktop or preventing users from accessing their data: it encrypts their important files with a public key and demands a ransom to decrypt them with the matching private key. Ransomware causes heavy financial damage: CryptoWall 3 alone caused $320 million in damage in 2015 (CTA, 2015), while losses from WannaCry are estimated at $4 billion (Cyence, 2017). More than 70% of affected businesses lose access to their data forever, and more than 25% are unable to access their data for 5 days (Intermedia, 2017). In 2016 alone the FBI received about 2,673 complaints related to ransomware, totalling a loss of $2.4 million.

1.2 What is Ransomware

Ransomware is a malicious program that encrypts the data or files of a user, company or other organization and forces them to pay money, in the form of bitcoin or another medium, to decrypt those files. Ransomware uses different encryption methods to encrypt the files. Once the files are encrypted, an alarming message demanding the ransom appears on the screen.

1.3 Types of Ransomware

Encrypting Ransomware

This ransomware encrypts the victim's files on their devices and demands a ransom by displaying a message window. If the ransom is paid, the attackers send the key to decrypt the files. Common examples of this type are CryptoLocker, CryptoWall and WannaCry.

Non-Encrypting Ransomware

Non-encrypting ransomware prevents users from logging in by locking their machine and demands a ransom to unlock it. Examples of this type are WinLocker and Reveton.

Leakware

This type differs from other ransomware because it does not block access to or encrypt the user's files or data. Instead it collects the victim's sensitive files or data and blackmails them with the threat of publishing the data online if the ransom is not paid.

1.4 Ransomware Attack Vectors

Malvertisement and Drive by Download

  • Malicious advertisements are posted on legitimate websites.
  • Once the user clicks the advertisement link, infection of the user's PC takes place immediately.

Spam Email

Spam mail is an old tool for delivering ransomware to the victim's machine. It contains a malicious attachment or a link that leads to an exploit kit. Spam mail uses various psychological levers to trick the victim into downloading the ransomware.

Vulnerability

Ransomware exploits vulnerabilities to infect devices. EternalBlue is one of the best-known vulnerabilities found in Windows machines; ransomware exploiting it connects to remote machines via port 445, which allows the entire network and every device connected to it to be compromised. Through this vulnerability, ransomware infected more than 200,000 machines.

1.5 Ransomware Encryption (Hybrid Approach)

Symmetric Encryption

Pros: The encryption process is fast because it uses simple mathematical operations. It is the ideal choice for encrypting a large amount of data.

Cons: The same key that encrypts the data also decrypts it. If the victim finds the encryption key on their computer disk, they can use that same key for decryption.

Asymmetric Encryption

Pros: Two different keys, public and private, are used for encryption and decryption: the public key encrypts the data while the private key decrypts it. It is the ideal choice for encrypting small messages.

Cons: It is slower because of the complex mathematical operations performed on large numbers of bits.

The two main goals of ransomware are:

(1) encrypt a large amount of data as fast as possible;

(2) secure the key from the outside world by keeping it private.

Statements (1) and (2) can both be satisfied by using the pros of each scheme to cover the cons of the other:

(3) the symmetric pros replace the asymmetric cons (the bulk data is encrypted fast);

(4) the asymmetric pros replace the symmetric cons (the symmetric key is itself protected by a key that is not on the victim's disk).

Combining (3) and (4) gives the hybrid encryption approach.

Illustration of Hybrid Approach

  • The system is infected.
  • The ransomware generates an AES 256-bit key and encrypts the files with AES for fast encryption.
  • The ransomware contains an RSA 2048 key pair for the client (Cpriv, Cpub) and the RSA 2048 public key of the server (Spub).
  • Cpub encrypts the AES key.
  • Spub encrypts Cpriv.
  • Spriv, the server's private key held by the attacker, is the only key that can undo the Spub encryption.

Advantage of Hybrid Approach

  • Because encryption is fast, a huge amount of data is encrypted.
  • Once the device is affected, there is no need to communicate with the command and control server for a key exchange.
  • Multiple mechanisms protect the key from the victim and from the outside world.
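The key hierarchy of the hybrid approach written out as equations (an added illustration, not part of the original essay), where $K$ is the AES-256 key, $F_i$ are the victim's files, $C_i$ the encrypted files, and $W_K$, $W_C$ the wrapped keys:

$$
\begin{aligned}
C_i &= \mathrm{AES}_{K}(F_i) &&\text{for every target file } F_i \text{ (fast, bulk encryption: statement (1))}\\
W_K &= \mathrm{RSA}_{C_{\mathrm{pub}}}(K) &&\text{the AES key is wrapped; } K \text{ is not kept in the clear}\\
W_C &= \mathrm{RSA}_{S_{\mathrm{pub}}}(C_{\mathrm{priv}}) &&C_{\mathrm{priv}} \text{ is wrapped and then deleted from the system}
\end{aligned}
$$

Recovery runs the chain backwards and needs $S_{\mathrm{priv}}$, which only the attacker holds:

$$
C_{\mathrm{priv}} = \mathrm{RSA}^{-1}_{S_{\mathrm{priv}}}(W_C), \qquad
K = \mathrm{RSA}^{-1}_{C_{\mathrm{priv}}}(W_K), \qquad
F_i = \mathrm{AES}^{-1}_{K}(C_i).
$$

What remains on the infected disk is $\{C_i,\, W_K,\, W_C,\, C_{\mathrm{pub}},\, S_{\mathrm{pub}}\}$; none of $K$, $C_{\mathrm{priv}}$ or $S_{\mathrm{priv}}$ is present, which is why statement (2) holds even though the bulk encryption itself was symmetric.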

2. CRYPTOLOCKER

CryptoLocker is a ransomware that surfaced on the internet in September 2013; within 4 months it infected approximately 200,000 to 250,000 devices (Dell SecureWorks) and earned $27 million in its first 100 days (ZDNet). Almost 41% of affected British people paid the ransom (University of Kent). Because of this rapid success, copycat variants and more advanced ransomware have been released every year since.

  • Usually spread via malicious mail attachments.
  • Targets the Windows OS.
  • Searches for files by extension: doc, docx, jpeg, pdf, etc.
  • Encrypts files using the RSA 2048-bit algorithm.
  • Decrypts the files when the ransom is paid.

2.1 CryptoLocker Attack Vector

  • CryptoLocker can spread via mail that contains a malicious attachment (for Microsoft products, the malicious script is embedded in a macro).
  • It spreads through P2P file-sharing servers (malicious files are kept on the system; once a user downloads such a file they are immediately affected).
  • It spreads through downloads (fake AV software tricks users into believing their system is compromised and asks them to download the fake AV to remove the virus).

2.2 How CryptoLocker Work

Step 1

  • Install the ransomware on the PC.
  • Generate a unique code that identifies the particular PC.
  • Deactivate shadow copies and Windows recovery.
  • Copy itself to %AppData% or %LocalAppData%.
  • Create an autorun registry entry (CurrentVersion\Run\CryptoLocker:<random>.exe).
  • Create an additional registry key so that it runs even in safe mode, by putting an asterisk at the beginning (CurrentVersion\Run\*CryptoLocker:<random.exe>).
  • Get the IP address of the particular PC.

Step 2

  • Send a message to the command and control server that a particular device has been affected.
  • Send the private key to the command and control server.
  • Delete the private key from the infected system.

Step 3

  • Search for files by extension, such as .pdf, .mdf, .jpeg, .docx, etc.
  • Search for files on network-mapped drives.

Step 4

  • Copy the files and folder names, appending its own extension (.encrypted or .cryptolocker).
  • Apply the encryption algorithm to the files changed by CryptoLocker.
  • Delete the original files.

[Figure: Step 4 illustration with respect to I/O]

Step 6

  • Notify the victim with an alert message on the desktop screen and demand a ransom to decrypt the files.
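The copy-then-delete pattern of Step 4 is what a file-system audit trail exposes to a defender. The following is an added example (not from the essay) of detection logic run over a constructed audit trail: it pairs each newly created .encrypted/.cryptolocker copy with the deletion of its original and alerts when several such pairs fall inside a short window. The audit line format, the window and the threshold are assumptions.

```python
import re
from datetime import datetime

# Extensions that, per the essay, CryptoLocker appends to the encrypted copies it writes.
RANSOM_SUFFIXES = (".encrypted", ".cryptolocker")

# Constructed sample audit trail ("<ISO timestamp> <op> <path>"); the last two lines are noise.
SAMPLE_EVENTS = """\
2013-10-03T10:00:01 CREATE C:\\Users\\alice\\Documents\\budget.docx.encrypted
2013-10-03T10:00:01 DELETE C:\\Users\\alice\\Documents\\budget.docx
2013-10-03T10:00:02 CREATE C:\\Users\\alice\\Documents\\photo.jpeg.encrypted
2013-10-03T10:00:02 DELETE C:\\Users\\alice\\Documents\\photo.jpeg
2013-10-03T10:00:03 CREATE Z:\\shared\\db\\sales.mdf.cryptolocker
2013-10-03T10:00:03 DELETE Z:\\shared\\db\\sales.mdf
2013-10-03T10:05:00 CREATE C:\\Users\\alice\\Documents\\notes.txt
2013-10-03T10:30:00 CREATE C:\\Users\\alice\\Desktop\\old.pdf.encrypted
"""
EVENT_RE = re.compile(r"^(\S+) (CREATE|DELETE) (.+)$")

def parse_events(text):
    """Turn audit lines into (timestamp, op, path) tuples; malformed lines are skipped."""
    matches = (EVENT_RE.match(line.strip()) for line in text.splitlines())
    return [(datetime.fromisoformat(m[1]), m[2], m[3]) for m in matches if m]

def encrypt_delete_pairs(events):
    """Originals for which a ransom-suffixed copy was created AND the original was deleted."""
    deleted = {path for _, op, path in events if op == "DELETE"}
    pairs = []
    for ts, op, path in events:
        for suffix in RANSOM_SUFFIXES:
            original = path[: -len(suffix)]
            if op == "CREATE" and path.lower().endswith(suffix) and original in deleted:
                pairs.append((ts, original))
    return pairs

def peak_pairs_in_window(pairs, window_seconds=60):
    """Largest number of encrypt-and-delete pairs seen inside any sliding time window."""
    times = sorted(ts for ts, _ in pairs)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best

def analyse(text, window_seconds=60, threshold=3):
    """Affected originals, peak burst size, and whether the burst crosses the alert threshold."""
    pairs = encrypt_delete_pairs(parse_events(text))
    peak = peak_pairs_in_window(pairs, window_seconds)
    return {"originals": sorted(p for _, p in pairs), "peak": peak, "alert": peak >= threshold}
```

A copy whose original is never deleted (old.pdf above) does not count, so a single stray rename does not raise an alert; only the burst of replaced originals does.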

2.3 CryptoLocker Real World Incidents

Target: Computer system files such as .pdf, .doc, .docx, .mdf …

Distribution: Spread via email, P2P and drive-by download

Effect: Files remain encrypted until the ransom is paid

Timeframe: 2013 – 2014

Case Study 1

Location: Police Department, Tewksbury, Massachusetts

Security Measures: Outdated antivirus software

Backup: 18-month-old backup

Attack Vector: Malicious email

Measures Taken by Vendor/Company/Organization:
  • Isolated the PCs with encrypted files.
  • Ran virus protection on the remaining devices.
  • Bought a new domain server and firewall.
  • Paid the ransom to decrypt the files.

Impact:
  • Police systems were down for 5 days.
  • A financial loss of $6,878 for the new domain server and firewall and $19,604 for the professional services provided by Delphi.

Outcome: Recovered all the encrypted files

Aim of Security Breach: Availability, data integrity

Case Study 2

Location: Small office, Honolulu

Security Measures: Personal firewall, up-to-date AV and Windows OS.

Backup: Multiple backups were performed regularly on dedicated file servers.

Attack Vector: Malicious email

Measures Taken by Vendor/Company/Organization:
  • Paid the ransom.
  • Because of the asymmetric encryption the decryption process was very slow: only 5 GB/hour, recovering 30,000 files in 10 days.
  • Bought new servers to speed up the process, as 400,000 files had been encrypted.

Impact:
  • Spent a huge amount of money on high-end servers.
  • Lost a lot of time decrypting the files and data.

Outcome: Some of the files were not decrypted

Aim of Security Breach: Availability, data integrity

Case Study 3

Location: Small office, Honolulu

Security Measures: Personal firewall, up-to-date AV and Windows OS.

Backup: On USB drives, but none had been made in the past few months.

Attack Vector: Malicious email.

Impact:
  • Unable to recover the encrypted files.
  • Lost more than $300 on PC cleanup.
  • Lost over a month of data.

Measures Taken by Vendor/Company/Organization:
  • Used email, a home PC and coworkers to recover files.
  • Cleaned the PC via Windows restore and by deleting the CryptoLocker registry entries.

Outcome: Lost over a month of data.

Aim of Security Breach: Availability, data integrity

Conclusion

Ransomware is advancing and generating more revenue with every passing year. Organizations in the health, insurance, government and business sectors are the main targets, rather than home users. Antivirus and firewalls are not enough to combat ransomware. Other preventive measures are necessary: not only keeping the AV and OS updated, but also keeping regular offline backups, being cautious when opening email attachments or clicking on links, and following safe practices while browsing the internet.
