Knowing the Enemy: A Closer Look at Ransomware Attacks
By Clinton Pownall
Ransomware can be traced clear back to 1989 and a misguided Harvard-educated biologist named Dr. Joseph Popp, who created what became known as the AIDS Trojan to extort funds from computer users to fund research into the AIDS virus. This type of malware gets its name from the fact that it inserts code into a computer to block its use until a ransom is paid. While Popp distributed his code on infected floppy discs, such malware code, acting as a Trojan horse, was soon being distributed by tricking e-mail users or internet visitors into clicking onto a link that downloads the code onto the user’s computer. (For more on the history, you can read ZDNet’s “30 Years of Ransomware.”
The invitations to open an infected attachment or to click on a link are often sent in e-mails (termed phishing) that are socially engineered to look interesting (“Wow! You won’t believe this photo!”). And then there is the more precisely targeted attacks (called spear phishing) in which some research is invested to specifically target a user’s interests — either socially or professionally. An aeronautics engineer might receive an invitation to speak at a meeting, or to apply for a relevant job elsewhere — with the link opening the door for the malware to download and then spread throughout an organization’s network. Unfortunately, some malware can be downloaded automatically just by unintentionally visiting an infected site, in a process referred to as a drive-by attack.
How Ransomware Works
While early versions of ransomware acted by blocking use of a computer using screen locking code that would sometimes include a huge message locked onto the screen declaring that the user had visited an illegal pornography site or had pirated software, and had to pay a fine to be unlocked.
The development of bitcoin, a cyber currency that is exceedingly hard to trace, led to bad actors inserting code that would encrypt the contents of a computer — or entire internal network — and demand ransom, paid in the form of bitcoin, for the key to unlock the encrypted files. The ability to move from one computer to others on the same network comes from the worm-like activity that was seen in WannaCry and similar versions of ransomware. Fortunately, WannaCry, which targeted computers running the Microsoft Windows operating system, was blocked after Microsoft released emergency software patches. However, the malware remained effective against computers that hadn’t been updated with the Microsoft patch. This underscores the need to keep all operating systems and other software products continually updated with security patches and other essential releases.
Another version of ransomware attack — sometimes called leakware — occurs when the bad actor uses malicious code to gain access to files and then threatens to publish them if a ransom isn’t paid. Healthcare organizations, financial services companies, law firms and just about any other company that has intellectual property or personally identifiable identity — could be targeted.
Beware of Drive-By Downloads
Computer users need to also be cautious of ‘drive-by’ downloads of malicious code that can occur when visiting an infected website. With drive-by downloads, a website can be set up intentionally — or hijacked without the site owner’s knowledge — to download ransomware and other code by taking advantage of outdated browser plug-ins, and other vulnerabilities that haven’t been patched or updated. In the worst cases, the download of malicious code can be accomplished just by landing on the site.
More commonly, social engineering is used: Often in the guise of a pop-up window. A window might pop up, for example, made to look like a Windows operating system message, or an alert from an anti-virus provider. Ironically, the window might warn that the computer has just been subject to a virus infection, and to click on the button to remove it — an action that actually downloads it. When such a window appears, even clicking on the ‘X’ to close the pop-up can be enough to start the download of malicious code — including ransomware. Rather than clicking anywhere near such a surprise pop-up window, the best response is to unplug from the internet, turn off your computer, and then run an anti-virus scan. (Later, if the computer offers to open the websites that were running at the time of the shut down, decline the offer.)
Be cautious whenever a website or an application offers to upgrade your drivers or perform any other updates. Some sites are set up to deliver actual drivers and such — but with an added payload of malicious code. So, if you see a message stating that a driver is out of date, and offering to update it, go to the actual vendor’s site to verify the need, and download from there.
While new versions of ransomware are regularly released, the entry points have largely remained the same: Using social engineering to trick users into clicking on links or opening attachments that act as Trojan horses that unleashes a malware payload that begins the infection process. As has been constantly noted by all involved in cyber security, a continual education/reminding process is required to keep computer users updated on the latest forms of attack and the need to be extremely cautious about clicking on e-mailed links or opening attachments.
Needed: Robust Backup Strategies
Because of the worm-like action of ransomware, and its ability to infect an entire network, it is essential to have a robust backup plan in place. Many organizations have learned the hard way that if backups are kept on the same network as an infected device, the backups might be encrypted as well.
Organizations should have a synchronized backup plan that includes multiple copies stored on multiple sites — including cloud-based and other offsite locations. A robust backup strategy includes backing up your applications as well as your data. If you need to begin anew to escape a ransom domain, your time offline will be greatly reduced if you are able to restore the complete — and up-to-date — operational environment, as well as the data.
