Crypto-ransomware is a type of harmful program that encrypts
files stored on a computer or mobile device in order to extort money. Encryption
'scrambles' the contents of a file, so that it is unreadable. To restore it for
normal use, a decryption key is needed to 'unscramble' the file. Crypto-ransomware
essentially takes the files hostage, demanding a ransom in exchange for the
decryption key needed to restore the files.
The first crypto-ransomware was probably the infamous AIDS
Trojan in 1990. It was distributed on a floppy disk handed out
to attendees at an international conference about the AIDS disease, and the
software encrypted file names (not the files themselves), and then displayed a
demand for payment to a location in Panama. The perpetrator's motivation might
have been rooted more in a desire for revenge on the conference organizers than
in financial gain, but in any case, the attack was ineffective. The exact reason
for this wasn't published, but a program for restoring the file names was
quickly distributed.
Cryptography
isn't an absolute necessity for ransomware, but it's the only way to get close
to an unbreakable denial-of-service extortion attack.
Nonetheless, social
engineering and a well-chosen price point can make even non-cryptographic
ransomware ("locker ransomware" or "lockerware") an effective tool. Lockerware
will divert the computer from its normal operation by getting control of a
critical resource, perhaps by encrypting and replacing that resource, and then
displaying a seemingly unremovable view of a demand for payment. The demand
might appear to come from a law enforcement agency. Some lockerware uses a
simple JavaScript technique to take control of a browser, again with a ransom demand.
If the ransom is paid, the user should receive instructions on how to regain
control of his computer or browser.
A particularly insidious
way of installing lockerware is to offer a fake antivirus scanning program via
a website. The website will pop up a window on the visitor's screen claiming to have discovered a virus
on the computer and will offer a free detection program. The
installed software is really malware that will lock up the computer and display
an extortion demand. There are many other clever ways of getting users to
install software from untrusted sources, but the fake AV trick is the one I
think is truest to the ancient story of the Trojan Horse.
Using shock and fear tactics
Unlike other threats,
crypto-ransomware is neither subtle nor hidden. Instead, it prominently displays
lurid messages to call attention to itself, and explicitly uses shock and fear
to pressure you into paying the ransom.
A few so-called
crypto-ransomware do not perform the encryption at all, and just use the threat
of doing so to extort money. In most cases however, the threat is actually
carried out.
Encountering crypto-ransomware
There are two common ways you can encounter crypto-ransomware:
Via files or links delivered through emails, instant messages or other networks
Downloaded onto your device by other threats, such as trojan-downloaders or exploit kits
Delivered as files
Users most commonly come into contact with crypto-ransomware via files or links that are distributed in
email messages:
The email messages contain links to 'documents' saved online. In
fact, the documents are executable programs (the crypto-ransomware itself)
The emails have attached files that download crypto-ransomware
onto the device. Common file formats used to deliver crypto-ransomware include:
Microsoft Word document (file name ends with .doc or .docx)
Microsoft Excel document (.xls or .xlsx)
XML document (.xml or .xslx)
Zipped folder containing a JavaScript file (.zip file containing a .js file)
Multiple file extensions (e.g., <INVOICE#132435>.PDF.js)
Tricking the recipients
Receiving the email
itself does not trigger an infection; the attached or linked file would still
need to be downloaded or opened.
Attackers often craft
the email messages using social engineering tricks
to lure the recipients into opening the links or attached files. For example,
they use the name and branding of legitimate companies, or intriguing or
legal-sounding texts.
Opening the attachments
If the opened file is
JavaScript, it will try to download and install the crypto-ransomware itself
from a remote website or server.
If the attached file is
a Microsoft Word or Excel document, harmful code is embedded in the file as a
macro. Even if the user does open this file, the macro can only run if one of
the following conditions is present:
Macros are already enabled in Word or Excel
The user is tricked into enabling macros
Macros are disabled by
default in Microsoft Office. If they happen to be enabled when the file is opened,
the macro code runs immediately.
If macros are not
enabled, the file will display a notification prompt asking the user to enable
them. If the user clicks 'Enable Content', macros are enabled and the embedded
code will run immediately.
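The attachment patterns listed under "Delivered as files" and the macro behaviour described above can be checked on the receiving side before a user ever sees the "Enable Content" prompt. The following is an added example, not code from the original article: it flags multiple extensions, .js files inside zip attachments, and OOXML Word or Excel files that embed a VBA project (which OOXML stores as a vbaProject.bin member). The sample attachments are constructed in memory and the function names are assumptions.

```python
import io
import zipfile

OFFICE_EXT = {".doc", ".docx", ".xls", ".xlsx", ".xml"}  # Office/XML carriers listed above
SCRIPT_EXT = {".js"}

def _zip_names(data):
    # Member names if data is a zip archive, else None (legacy binary .doc/.xls are not zips).
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None

def triage_attachment(filename, data):
    """Reasons this attachment matches the delivery patterns described above ([] if none)."""
    reasons = []
    exts = ["." + p for p in filename.lower().split(".")[1:]]
    last = exts[-1] if exts else ""
    names = _zip_names(data)
    if last in SCRIPT_EXT:
        # Multiple extensions such as INVOICE.PDF.js: a visible "document" type hides a script.
        reasons.append("document-looking name hides a script" if len(exts) >= 2
                       else "script file attached directly")
    if last == ".zip" and names is not None:
        js = [n for n in names if n.lower().endswith(".js")]
        if js:
            reasons.append("zip contains JavaScript: " + ", ".join(js))
    if last in OFFICE_EXT and names is not None:
        # OOXML documents are zips; an embedded VBA macro project is stored as vbaProject.bin.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            reasons.append("Office document carries a VBA macro project")
    return reasons

def _make_zip(members):
    """In-memory zip from {name: bytes}; constructed sample data, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    """Constructed samples, one per pattern; returns {filename: reasons}."""
    samples = {
        "INVOICE#132435.PDF.js": b"// constructed placeholder, not a real script",
        "scan.zip": _make_zip({"scan_0042.js": b"// placeholder"}),
        "report.docx": _make_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00"}),
        "notes.docx": _make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"}),
    }
    return {name: triage_attachment(name, data) for name, data in samples.items()}
```

A mail gateway would quarantine anything with a non-empty reason list; a legacy binary .doc or .xls cannot be inspected this way and should be treated as macro-capable.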
Delivered by exploit kits
Crypto-ransomware can
also be delivered by exploit kits, which are
toolkits that are planted by attackers on websites. There are numerous exploit
kits currently delivering ransomware in the wild, such as Angler, Neutrino and
Nuclear.
These kits probe each
website visitor's device for flaws or vulnerabilities that they can exploit. If a
vulnerability is found and exploited, the exploit kit can immediately download
and run crypto-ransomware on the device.
Encrypting files and demanding ransom
When the
crypto-ransomware is downloaded and run on a device, it hunts for and encrypts
targeted files.
Some crypto-ransomware,
such as older variants of TeslaCrypt, will only encrypt
specific types of files. Others are less discriminating and will encrypt many
types of files (for example, Cryptolocker). There is also
one known family, Petya, that encrypts the Master Boot Record (MBR), a special
section of a computer's hard drive that runs first and starts (boots) its
operating system, allowing all other programs to run.
After the encryption is
complete, the crypto-ransomware will display a message containing the ransom
demand. The amount will vary depending on the specific ransomware, and the
payment is often only in Bitcoins, or a similar digital cryptocurrency.
Specific instructions are also provided.
In some cases, the
attackers put extra pressure on victims to pay the ransom by allowing only
a limited time period to meet the demand. After the stipulated time, the
decryption key may be deleted, or the ransom demand may be increased.
Respond & recover
If the worst happens
and crypto-ransomware does infect your device, there are a couple of steps you
can take to contain the damage:
IMMEDIATELY disconnect
the affected device or devices from the local network and/or the Internet. Doing so prevents the infection from spreading to other
connected devices.
Scan all connected
devices and/or cloud storage for similar flaws and additional threats. Not only should other connected devices and storage media
be checked for infection by the same threat, but also for any other threats
that may have been installed on the side.
If possible, identify
the specific ransomware responsible. Knowing the
specific family involved makes it easier to search online for information about
remedial options. The ID-Ransomware project
site may be able to help you identify the ransomware involved.
Once you are certain
the infection is contained, you can then try to remove the infection and recover
the device and the data saved on it.
Recovering files that
have been encrypted by crypto-ransomware is technically extremely difficult; in
most cases, it is simpler to wipe the device clean and reinstall the operating
system, then recover the affected data from a clean backup.
You can take the
following steps for recovery:
If possible, format
and reinstall the device. Usually, this is
the most expedient way to remove a ransomware infection. In a small handful of
cases, there are removal tools available for specific ransomware families
(see Family-specific removal tools below) which you may
consider as an alternative.
Restore data from
clean backups. If available and
clean, the encrypted data can be recovered by restoring from backup files. In
cases where no decryption is possible, this is the method recommended by law
enforcement authorities and security experts to avoid paying the operators
responsible for crypto-ransomware.
Reevaluate the
security of any software installed. To
prevent a recurrence, ensure any software installed (including the operating
system) is up-to-date with the latest security patches.
Report the incident to
the appropriate local law enforcement authority. Each country handles incidents of electronic crime
differently, but in general most national law enforcement agencies urge
affected individuals or companies to report incidents and avoid paying any
ransom demanded.