Ransomware Attack

Ransomware Attack

Subject – Security

Context – Tamil Nadu Public Department comes under malware attack

Concept –

• Ransomware is a type of malicious software (malware) that threatens to publish or blocks access to data or a computer system, usually by encrypting it, until the victim pays a ransom fee to the attacker.
• In many cases, the ransom demand comes with a deadline. If the victim doesn’t pay in time, the data is gone forever or the ransom increases.
• Ransomware attacks are all too common these days.
• Users are shown instructions for how to pay a fee to get the decryption key. The costs can range from a few hundred dollars to thousands, payable to cybercriminals in Bitcoin.

History of Ransomware Attacks

• Ransomware can be traced back to 1989 when the “AIDS virus” was used to extort funds from recipients of the ransomware. Payments for that attack were made by mail to Panama, at which point a decryption key was also mailed back to the user.
• In 1996, ransomware was known as “crypto viral extortion,” introduced by Moti Yung and Adam Young from Columbia University.
• Attackers have grown creative over the years by requiring payments that are nearly impossible to trace, which helps cybercriminals remain anonymous. For example, notorious mobile ransomware Fusob requires victims to pay using Apple iTunes gift cards instead of normal currencies, like dollars.
• Ransomware attacks began to soar in popularity with the growth of crypto currencies, such as Bitcoin.

Examples of Ransomware

• WannaCry – A powerful Microsoft exploit was leveraged to create a worldwide ransomware worm that infected over 250,000 systems before a kill switch was tripped to stop its spread.
• CryptoLocker – This was one of the first of the current generation of ransomware that required cryptocurrency for payment (Bitcoin) and encrypted a user’s hard drive and attached network drives. Cryptolocker was spread via an email with an attachment that claimed to be FedEx and UPS tracking notifications.
• NotPetya – Considered one of the most damaging ransomware attacks, NotPetya leveraged tactics from its namesake, Petya, such as infecting and encrypting the master boot record of a Microsoft Windows-based system. NotPetya leveraged the same vulnerability from WannaCry to spread rapidly, demanding payment in bitcoin to undo the changes.
• Bad Rabbit – Considered a cousin of NotPetya and using similar code and exploits to spread, Bad Rabbit was a visible ransomware that appeared to target Russia and Ukraine, mostly impacting media companies there. Unlike NotPetya, Bad Rabbit did allow for decryption if the ransom was paid.
• REvil – REvil is authored by a group of financially motivated attackers. It exfiltrates data before it encrypts it so that targeted victims can be blackmailed into paying if they choose not to send the ransom.
• Ryuk – Ryuk is a manually distributed ransomware application mainly used in spear-phishing.

How ransomware works

• There are a number of vectors ransomware can take to access a computer. One of the most common delivery systems is phishing spam — attachments that come to the victim in an email, masquerading as a file they should trust. Once they’re downloaded and opened, they can take over the victim’s computer, especially if they have built-in social engineering tools that trick users into allowing administrative access.
• Some other, more aggressive forms of ransomware, like NotPetya, exploit security holes to infect computers without needing to trick users.
• There are several things the malware might do once it’s taken over the victim’s computer, but by far the most common action is to encrypt some or all of the user’s files. If you want the technical details, the Infosec Institute has a great in-depth look at how several flavors of ransomware encrypt files. But the most important thing to know is that at the end of the process, the files cannot be decrypted without a mathematical key known only by the attacker.
• In some forms of malware, the attacker might claim to be a law enforcement agency shutting down the victim’s computer due to the presence of pornography or pirated software on it, and demanding the payment of a “fine,” perhaps to make victims less likely to report the attack to authorities. But most attacks don’t bother with this pretense.
• There is also a variation, called leakware or doxware, in which the attacker threatens to publicize sensitive data on the victim’s hard drive unless a ransom is paid. But because finding and extracting such information is a very tricky proposition for attackers, encryption ransomware is by far the most common type.

How to prevent ransomware

There are a number of defensive steps you can take to prevent ransomware infection. These steps are a of course good security practices in general, so following them improves your defenses from all sorts of attacks:

• Keep your operating system patched and up-to-date to ensure you have fewer vulnerabilities to exploit.
• Don’t install software or give it administrative privileges unless you know exactly what it is and what it does.
• Install antivirus software, which detects malicious programs like ransomware as they arrive, and whitelisting software, which prevents unauthorized applications from executing in the first place.
• And, of course, back up your files, frequently and automatically! That won’t stop a malware attack, but it can make the damage caused by one much less significant.