Three years ago, I got a call from a friend who was working as an IT administrator abroad. He told me about something very interesting he came across and I was curious. Out of nowhere, the files in his organization's systems got encrypted leaving a message in their place asking for a ransom for the decryption keys, he explained.
Because he has employed an efficient local backup system, they were able to restore the data and completely ignore the demand by the attackers. Before finishing our conversation, he told me: this is how extortion looks like in the digital world, we will only see more of this.
Unfortunately, his warnings have become a reality as we are witnessing more and more ransomware attacks across the globe. On Saturday, September 2, Indian Computer Emergency Response Team (CERT-In) issued a warning reporting a new wave of spam emails, circulating with common subject lines to spread variants of the Locky ransomware.
According to CERT-In, "over 23 million messages have been sent in this campaign". This is not the first ransomware attack we have seen this year, in fact, this comes after the devastating WannaCry and Petya ransomware attacks that occurred earlier.
The concept of modern ransomware was invented by Adam L. Young and Moti Yung at Columbia University way back in 1995. According to Young and Yung, the idea of cryptoviral extortion or ransomware as it’s more commonly known was "a natural by-product of an unnatural union: a former hacker placed in a room with a cryptographer, both given ample time with which to contemplate the dystopia of tomorrow".
When analyzing where the future malicious software attacks might evolve to, their thoughts were defined by the early 90s AIDS Trojan and the 'facehugger' creature from the movie Alien. They concluded that the most effective malware attacks of the future will be like the facehugger, which is almost impossible to remove and any attempt made in that direction will cause more damage.
In their quest for a "digital analogue of the facehugger, a forced symbiotic relationship between a computer virus and its host were removing the virus is more damaging than leaving it in place, they discovered the first secure data kidnapping attack". "We called it cryptoviral extortion", writes Adam L. Young and Moti Yung.
However, encrypting ransomware only came to prominence in late 2013 with the propagation of CryptoLocker, the first ransomware that used Bitcoin to collect ransom money. In December 2013, according to ZDNet's estimates based on Bitcoin transaction information, the operators of CryptoLocker had procured about US$27 million from infected users.
In India, the term ransomware gained attention early this year, after the WannaCry and Petya ransomware attacks affected many government and private organizations globally, nearly bringing certain regions in the world to a stand still. Both WannaCry and Petya were built upon an exploit named EternalBlue, which was leaked from the notorious NSA.
Coming to Locky, it scrambles the contents of a computer or server and demands payment to unlock it, usually by bitcoins, says CERT-In website.
Locky spreads through innocent looking spam emails with common subjects like "please print", "documents", "photo", "Images", "scans" and "pictures". But, what the messages actually contain are "zip" attachments with Visual Basic Scripts (VBS) embedded in a secondary zip file. The VBS file contains a downloader which polls to domain "greatesthits[dot]mygoldmusic[dot]com" (please do not visit this malicious website) to download variants of Locky ransomware.
According to CERT-In, if the system is infected by Locky, then all files will be encrypted, and users are advised to exercise caution while opening emails and organizations are advised to deploy anti spam solutions and update spam block lists.
The biggest vulnerability, despite many precautions the IT admins take, is human error. All you need is one idiot to open a suspicious email and download the attachment to put the whole organization at risk, and this is why ransomware is turning into a popular money making tool for cyber criminals.
According to Tom Simonite, MIT Technology Review’s San Francisco bureau chief, in recent years a shift took place in the world of online crime, with the establishment of sophisticated malicious software known as ransomware as a popular and reliable business model for criminals. "The money that can be made with ransomware has encouraged technical innovations. The latest ransomware requests payment via the hard-to-trace cryptocurrency Bitcoin and uses the anonymizing Tor network," writes Simonite.
"If well designed, it provides easier profits than stealing credit card details or banking information and then selling that data on the black market. The crooks “get anonymity, faster profit, and don’t have to spend time and money finding middlemen,” Uttang Dawda, a malware researcher, told MIT Technology Review.
Cyber criminals are now exploring new shores with ransomware, as two years ago the first ransomware that can encrypt files on an Android smartphone, called Simplocker, was discovered by researchers at the company ESET. Sadly, we will soon witness criminals holding us for ransom by taking control of our automobiles and IOT devices, to even pacemakers.