What is ransomware?
This specific kind of malicious software is used for extortion. When a device is successfully attacked, malware blocks the screen or encrypts data stored on the disk and a ransom demand with payment details is displayed to the victim.
How to recognize ransomware?
If you have been attacked, ransomware will in most cases inform you by displaying a ransom message on your screen, or by adding a text file (message) to the affected folders. Many ransomware families also change the file extension of the encrypted files.
How does ransomware work?
There are multiple techniques used by the ransomware operators:
- Diskcoder ransomware encrypts the whole disk and prevents the user from accessing the operating system.
- Screen locker blocks the access to the device’s screen.
- Crypto-ransomware encrypts data stored on victim’s disk.
- PIN locker targets Android devices and change their access codes to lock out their users.
All the above-mentioned kinds of ransomware demand payment, most often requesting it to be made in bitcoin or some other hard-to-trace cryptocurrency. In return, its operators promise to decrypt the data or restore access to the affected device.
We need to stress that there is no guarantee that cybercriminals will deliver on their side of the bargain (and sometimes are unable to do so, either intentionally or because of incompetent coding). Therefore ESET recommends not paying the sum demanded - at least not before contacting ESET technical support to see what possibilities exist for decryption.
How to stay protected?
Basic rules you should follow to avoid your data being lost:
- Back up your data on a regular basis – and keep at least one full backup off-line
- Keep all your software – including operating systems – patched and up to date
However to help users/organizations recognize, prevent and remove ransomware a reliable and multi-layered security solution is the most efficient option.
Advanced rules mainly for businesses:
- Reduce the attack surface by disabling or uninstalling any unnecessary services and software
- Scan networks for risky accounts using weak passwords
- Limit or ban use of Remote Desktop Protocol (RDP) from outside of the network, or enable Network Level Authentication
- Use a Virtual Private Network (VPN)
- Review firewall settings
- Review policies for traffic between internal and outside network (internet)
- Set up a password in the configuration of your security solution(s) to protect it/them from being turned off by the attacker
- Secure your backups with two- or multifactor authentication
- Regularly train your staff to recognize and deal with phishing attacks
The first documented case of ransomware was in 1989. Called the AIDS Trojan, it was physically distributed through the post via thousands of floppy disks that claimed to contain an interactive database on AIDS and risk factors associated with the disease. When triggered, the malware effectively disabled the user's access to much of the content on the disk.
AIDS Trojan demanded ransom (or as the ransom note named it, “license payment”) of US $189 to be sent to a post office box in Panama allowing the user to execute the program 365 times. Dr. Joseph Popp was identified as the author; authorities, however, declared him mentally unfit to stand trial.
In May 2017, a ransomware worm detected by ESET as WannaCryptor aka WannaCry spread rapidly, using the exploit EternalBlue leaked from NSA, which exploited a vulnerability in the most popular versions of Windows operating systems. Despite the fact that Microsoft had issued patches for many of the vulnerable OSes more than two months prior to the attack, files and systems of thousands of organizations around the globe fell victim to the malware. Damage it caused was estimated as being billions of dollars.
In June 2017, malware detected by ESET as Diskcoder.C aka Petya started making rounds in Ukraine, but soon burrowed its way out of the country. As it later turned out, it was a well-orchestrated supply-chain attack that misused popular accounting software so as to attack and harm Ukrainian organizations.
However, it got out of hand and by infecting many global companies including Maersk, Merck, Rosneft and FedEx; it caused hundreds of millions of dollars in damages.