It seems every week there’s a new ransomware strain holding headlines hostage across the world. This year, our researchers have analysed dozens of samples and, like some excruciating game of whack-a-mole, new variants keep popping up.
The concept behind ransomware is simple. Typically, a user opens a malicious file or clicks on a link which launches the ransomware. Once it is opened, the user’s files are encrypted (scrambled) and a ransom demand appears on the victim’s screen, outlining how and whom to pay to have their files restored.
It’s clear 2017 is the year ransomware reigned supreme. So far, we’ve seen Locky return from the wilderness and hit 20 million mailboxes, Spora target Russian businesses, Nuclear deliver a fusion of bitcoin and ransomware, Cyron demand payment via PaySafeCard, Crysis mix politics with payment, Vortex set its sights on the Poles, Nemucod and GlobeImposter share the same creator, DCry impersonate software updates, and… Jaff, which, well, let’s just say it got no points for creativity.
The above list is just a taste of the strains discovered this year, and it doesn’t even include the two most devastating ransomware campaigns we’ve seen to date – WannaCry and NotPetya.
WannaCry caused worldwide panic in May when it brought down IT systems across National Health Service hospitals in the UK. This was just the tip of the iceberg as the particularly virulent strain quickly affected more than 100,000 organisations across 150 countries.
WannaCry was so effective because it used a leaked NSA exploit that enabled the strain to spread across networks without victims having to click on anything. The exploit, EternalBlue, allowed the strain to jump between machines on the same Local Area Network via a flaw in the SMB protocol.
A month after WannaCry, NotPetya wreaked havoc, shutting down banks, telcos, utilities, and other businesses across the world. Initially, it targeted Ukrainian organisations, but it quickly spread across Europe, reaching Spain, France and Russia within hours. The same NSA exploit that made WannaCry so potent also propelled NotPetya.
So where did ransomware come from?
The idea of locking a victim’s computer and demanding a ransom goes back to 1989 with a piece of malware called ‘PC Cyborg’. Developed by Joseph Popp, this first iteration of ransomware wasn’t very effective. It only hid the files on the computer’s hard drive and encrypted the files’ names. In addition to these flaws, the decryption key could be derived from the malware’s code.
Six years after its lacklustre debut, two researchers named Adam Young and Moti Yung tweaked the primordial ransomware and fixed its fundamental flaws by removing the decryption key from the malware itself. The technique that makes this possible is known as public-key cryptography and it paved the way for the ransomware variants we deal with today.
Leaked NSA exploits aside, ransomware invariably spreads by tricking victims into infecting themselves. The most common ways this occurs are by hiding the malware in an email attachment or on the other end of a URL embedded into an email or instant message. The best things you can do to avoid having your files kidnapped are to exercise caution when dealing with emails and messages from unknown senders, keep all your software updated and frequently back up your important files.
Although attackers say they will restore your files after receiving their ransom, there’s no honour amongst thieves, so the best thing to do is not pay. By having recent backups of your files, you can easily restore them to a recent version.
After all, with the hackers behind WannaCry reportedly netting more than £100,000 (AUD$168,000), ransomware won’t be going anywhere anytime soon.
On 2017-10-08