In the last few years there has been a marked rise in ransomware attacks across the globe. Be it the CryptoLocker outbreak of 2013 or the more recent WannaCry incident of 2017, ransomware has become a staple of the discussion around cybersecurity and its prevention has become a priority. Government bodies and organisations around the globe are urging people to be more careful on the internet: employees are told not to open files that could compromise their systems and to keep antivirus software up to date to protect their computers from common threats.
Ransomware affects users by encrypting their files, or locking the system outright, and holding it hostage until a ransom is paid. Aside from coercing users into paying a large ransom, an infection is rarely an isolated event: the same phishing e-mail or unpatched service that let the ransomware in is just as open to worms, bots and other malware.
Two Types of Ransomware in circulation:
Encrypting ransomware: This type uses strong encryption algorithms to render the victim's files unreadable and demands payment for the key that can decrypt them. Because the decryption key is held by the attacker and never stored on the victim's machine, removing the malware does not bring the files back. Common examples are CryptoLocker and Locky.
Locker ransomware: This type locks the victim out of the operating system, making the desktop and the files on it inaccessible. The files themselves are not encrypted, so the data is intact underneath; the attackers nonetheless demand a ransom to unlock the infected system.
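The distinction above matters because of how encrypting ransomware handles its keys. The Go program below is an added illustration, not code from this page or from any of the families it discusses: it applies the hybrid scheme CryptoLocker popularised (a random symmetric key per file, wrapped with the attacker's RSA public key) to a constructed sample file and shows that only the matching private key, which stays on the attacker's server, recovers the content. The choice of AES-256-GCM, RSA-2048 with OAEP and the sample text are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// LockedFile is what an encrypting ransomware leaves in place of the original:
// the file body under a fresh per-file AES key, and that key wrapped with the
// attacker's RSA public key. Only the holder of the matching private key can
// unwrap it, so nothing left on the victim's disk is enough to recover the file.
type LockedFile struct {
	WrappedKey []byte // per-file AES key, RSA-OAEP encrypted to the attacker's public key
	Nonce      []byte // AES-GCM nonce for this file
	Ciphertext []byte // AES-GCM ciphertext with authentication tag
}

// Lock encrypts one file's content under a random 256-bit key and wraps that
// key for the attacker. The private key never exists on the victim's machine.
func Lock(attackerPub *rsa.PublicKey, plaintext []byte) (*LockedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &LockedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// Unlock is what the "decryptor" sold to a paying victim does: unwrap the file
// key with the attacker's private key, then decrypt the body. With any other
// key the OAEP unwrap (or the GCM tag check) fails and nothing is recovered.
func Unlock(priv *rsa.PrivateKey, lf *LockedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lf.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: not the attacker's private key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, lf.Nonce, lf.Ciphertext, nil)
}

// Demo locks a constructed sample file, recovers it with the attacker's key,
// and shows that a different RSA key (standing in for anything a victim or an
// antivirus tool could produce locally) recovers nothing. It returns true when
// both outcomes are as described.
func Demo() (bool, error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048) // lives only on the attacker's server
	if err != nil {
		return false, err
	}
	someoneElse, err := rsa.GenerateKey(rand.Reader, 2048) // any key the victim can make
	if err != nil {
		return false, err
	}
	original := []byte("constructed sample: Q3 invoices spreadsheet contents")

	lf, err := Lock(&attacker.PublicKey, original)
	if err != nil {
		return false, err
	}
	recovered, err := Unlock(attacker, lf)
	if err != nil || !bytes.Equal(recovered, original) {
		return false, errors.New("attacker's key should recover the file")
	}
	if _, err := Unlock(someoneElse, lf); err == nil {
		return false, errors.New("a key other than the attacker's must not recover the file")
	}
	return true, nil
}

func main() {
	ok, err := Demo()
	fmt.Println("recoverable only with the attacker's private key:", ok, err)
}
```

The point of the failure case is the practical one: once files are locked this way, cleaning the malware off the machine, or reverse engineering the sample, yields the public key and nothing more. That is why the "pay by the deadline or the key is destroyed" threat is credible, and why an offline backup is the only recovery path that does not depend on the attacker.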
Notable Types of Ransomware in the Cyber World
While there are many ransomware families out in the cyber world, let’s take a look at the most commonly known and encountered ones.
While ransomware had been around for a while, its prominence in the cyber world came in 2013 with CryptoLocker. This trojan targeted Windows systems and used e-mail attachments as its primary method of spread: it entered the system when the attachment was opened. Once running, it encrypted the user's files with a key held on the attackers' servers and displayed a message offering to decrypt the data if payment was made by a deadline. If the deadline wasn't met, the attackers threatened to destroy the key, leaving the files permanently unrecoverable.
The botnet that distributed CryptoLocker was taken down in 2014 by a joint law-enforcement operation, Operation Tovar, but the malware inspired many later ransomware families.
Fact check: there is no evidence that WannaCry reused CryptoLocker's code, but it follows the same hybrid design that CryptoLocker popularised: each file is encrypted with a fresh symmetric key, and that key is in turn encrypted with an RSA public key whose private half only the attackers hold.
WannaCry made first contact in May 2017, when some 200,000 computers across 150 countries were locked and users were asked to pay $300 in Bitcoin (rising to $600 after three days) to unlock them. Failure to pay came with the threat of permanent loss of data. Unlike CryptoLocker, WannaCry needed no attachment to be opened: it spread on its own between unpatched Windows machines through EternalBlue, a leaked NSA exploit for the SMBv1 file-sharing service. Microsoft had fixed the flaw in security bulletin MS17-010 two months earlier, so the machines that fell were those that had not applied it.
Total damage done by WannaCry has been estimated at anywhere from hundreds of millions to billions of dollars, while the ransom actually paid by victims amounted to roughly 130 thousand dollars.
Notable Organisations Affected: the UK's National Health Service, FedEx, Nissan, Hitachi and Renault were a few of the organisations affected by WannaCry. In India, the website of the Andhra Pradesh Police and the websites of the West Bengal, Maharashtra, Gujarat and Kerala state governments were affected, along with some of their subsidiary bodies.
The outbreak was contained within a few days of its release. A security researcher registered an unregistered domain that the malware contacted before doing anything else; when the domain answered, the malware exited, which made it an accidental kill switch that stopped new infections from encrypting or spreading. Microsoft also issued emergency patches for versions of Windows it no longer supported, such as Windows XP and Server 2003.
Petya was first discovered in 2016 and was dubbed “the next step in ransomware evolution". Instead of encrypting files one by one, it overwrites the disk's master boot record (MBR) with malicious code, and on the next reboot that code encrypts the master file table, which makes the whole disk unreadable and locks the user out of the system. The original Petya spread through phishing e-mails and websites. The variant that struck in June 2017, often called NotPetya, added EternalBlue, the same SMBv1 exploit used by WannaCry, along with credential theft and remote execution on already-compromised networks, as its means of propagation.
Petya entered public knowledge in June 2017 when the malware started attacking Ukrainian companies. The 2017 variant was seeded through a compromised update of M.E.Doc, an accounting package widely used in Ukraine, which is why Ukrainian organisations, including the National Bank of Ukraine, were hit first; from there it reached international companies operating within and outside the country. Its payment channel was shut down almost immediately, so victims who paid received nothing back. While the spread was contained within a few days of first contact, it did a lot of damage to both Ukrainian businesses and government.
Notable Organisations Affected: National Bank of Ukraine, Saint Gobain, A.P. Moller-Maersk, WPP and Deutsche Post.
Notable Organisations Affected: NASA
Not to be confused with the 2017 film of the same name, Jigsaw is an encrypting ransomware created in 2016. Initially called "BitcoinBlackmailer", it was renamed Jigsaw because the malware features an image of Billy the Puppet from the Saw film franchise.
Jigsaw encrypts the victim's files and then deletes them gradually until the ransom, usually demanded in Bitcoin, is paid. It spreads much as CryptoLocker did, through attachments in spam e-mail. Once it has encrypted a system, a pop-up featuring Billy the Puppet appears on screen with a ransom demand in the style of Saw's Jigsaw.
One version of the malware also included the franchise's line "I want to play a game". In exchange for Bitcoin, the malware would decrypt the files. It operated on a timer: if the ransom wasn't paid within an hour, a file was deleted, and the number deleted grew sharply with each further hour, from a few hundred to thousands of files, until the computer was wiped after 72 hours. Any attempt to reboot or terminate the process cost another 1,000 files. The countdown put pressure on victims, but free decryption tools for Jigsaw were released shortly after it appeared.
Locky is a ransomware delivered by e-mail with an attached Microsoft Word document containing malicious macros. When a user opens the document they see gibberish text and the phrase "Enable macro if data encoding is incorrect". If the user enables macros, the macro downloads and runs the Locky payload, which encrypts the files on the system and on any network share it can reach, and the user is coerced into paying a ransom to decrypt and release the files. Launched in early 2016, this ransomware affected corporations and individual users for a few months before its prevalence dropped.
Notable Organisations Affected: Hollywood Presbyterian Medical Center, Dartford Science & Technology College and a few undisclosed Indian companies, most of whom were SMEs.
TorrentLocker is an encrypting ransomware that emerged in early 2014. A trojan by description, it was inspired by CryptoLocker, a fact its makers tried to piggyback on by calling their ransomware CryptoLocker in its ransom notes. TorrentLocker works in the same way as CryptoLocker: when a user opens the e-mail attachment, TorrentLocker runs on the system, encrypts the files and locks the user out of them until a ransom is paid and the files are decrypted.
Because TorrentLocker borrows its techniques from known families, it presents few challenges defenders haven't dealt with before, and antivirus products detect it reliably. That is no help to a user who has already run it, though: once the files are encrypted, the harm cannot be undone without the attacker's key or a backup.
How to Prevent Ransomware Attacks
WannaCry and the 2017 Petya variant spread through a vulnerability in Microsoft's SMBv1 file-sharing service, which Microsoft fixed in security bulletin MS17-010 in March 2017. Both attacks therefore hit systems that had not installed that update; versions that no longer receive updates at all, such as Windows XP and Server 2003, were patched only after the outbreak. Keep to a supported version of Windows such as Windows 10, 8.1 or 7 with automatic updates turned on, confirm that MS17-010 is installed (if your system has not received it, download it from Microsoft's bulletin), and disable SMBv1 wherever nothing still depends on it, since it is a legacy protocol that modern Windows does not need.
You can protect yourself from most ransomware attacks by adopting these practices:
- Be wary of e-mail from senders you don’t know, especially messages with attachments. An attachment that looks like an invoice or a scanned document may be the dropper that installs the malware.
- Enable strong spam filters on e-mail to prevent phishing messages from reaching end users.
- Scan all incoming and outgoing e-mail to detect threats.
- Keep your antivirus software updated and scan your system with it regularly.
- Configure access controls, including file, directory and network share permissions, so that users (and any malware running as them) can write only where they need to. This limits how much an infection can encrypt.
- Disable macros in Microsoft Office files received via e-mail; Locky depended entirely on the user clicking "Enable Content".
- Turn off the "Hide extensions for known file types" option in Windows so that full file names are shown. An attachment named invoice.pdf.exe is displayed as invoice.pdf when extensions are hidden, and its real type only becomes visible when they are shown.
- Keep backups of your critical files, on a cloud service or an external disk, and keep at least one copy offline or otherwise not writable from your machine: ransomware encrypts any drive or share it can reach, including a permanently connected backup disk. Test that the backup actually restores. This limits the damage not just from malware infections but from hardware failure or any other incident as well.
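Three of the points above (attachments from unknown senders, Office macros, hidden file extensions) come down to recognising a dangerous attachment before it is opened. The Go program below is an added example, not code from this page or from any mail product: it applies those rules to attachment file names, flagging executables, scripts and macro-capable Office formats, showing what Windows would display for a double-extension name like invoice.pdf.exe with extensions hidden, and catching the right-to-left override trick. The extension lists are a representative selection and the sample names are constructed for the example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Verdict is the triage result for one attachment file name.
type Verdict struct {
	Filename  string
	Displayed string // what Explorer shows with "Hide extensions for known file types" on
	Risky     bool
	Reason    string
}

// Extensions Windows runs directly when double-clicked (assumption: a
// representative list, not an exhaustive one).
var executable = map[string]bool{
	".exe": true, ".scr": true, ".com": true, ".pif": true, ".bat": true, ".cmd": true,
	".js": true, ".jse": true, ".vbs": true, ".vbe": true, ".wsf": true, ".hta": true,
	".ps1": true, ".lnk": true,
}

// Office formats that can carry VBA macros: the macro-enabled OOXML types and
// the legacy binary formats that Locky's .doc lures used.
var macroCapable = map[string]bool{
	".docm": true, ".xlsm": true, ".pptm": true, ".dotm": true, ".xltm": true,
	".doc": true, ".xls": true, ".ppt": true,
}

// Extensions users read as harmless documents or pictures; an executable
// hiding behind one of these is the classic "invoice.pdf.exe".
var decoy = map[string]bool{
	".pdf": true, ".doc": true, ".docx": true, ".xls": true, ".xlsx": true,
	".jpg": true, ".png": true, ".txt": true, ".zip": true,
}

// Triage classifies one attachment by its file name alone, the way a mail
// gateway rule or a cautious user would before opening it.
func Triage(filename string) Verdict {
	v := Verdict{Filename: filename, Displayed: filename}
	// A Unicode right-to-left override reverses the tail of a name on screen,
	// so "photo\u202Egpj.exe" renders as "photoexe.jpg". No legitimate
	// attachment name needs it.
	if strings.ContainsRune(filename, '\u202E') {
		v.Risky, v.Reason = true, "right-to-left override character in file name"
		return v
	}
	rawExt := path.Ext(filename)
	ext := strings.ToLower(rawExt)
	stem := strings.TrimSuffix(filename, rawExt)
	v.Displayed = stem // approximation: Explorer hides the final known extension
	inner := strings.ToLower(path.Ext(stem))

	switch {
	case executable[ext] && decoy[inner]:
		v.Risky = true
		v.Reason = fmt.Sprintf("executable disguised as a %s file; shown as %q with extensions hidden", inner, v.Displayed)
	case executable[ext]:
		v.Risky = true
		v.Reason = "script or executable attachment"
	case macroCapable[ext]:
		v.Risky = true
		v.Reason = "Office file that can carry macros; open only with macros disabled"
	}
	return v
}

// RiskyAttachments runs Triage over a message's attachment names and returns
// only the ones to hold back.
func RiskyAttachments(names []string) []Verdict {
	var out []Verdict
	for _, n := range names {
		if v := Triage(n); v.Risky {
			out = append(out, v)
		}
	}
	return out
}

func main() {
	// Constructed attachment names, not taken from any real message.
	sample := []string{
		"invoice.pdf.exe", "Q3-report.docm", "scan_0042.doc",
		"holiday.jpg", "notes.txt", "photo\u202Egpj.exe",
	}
	for _, v := range RiskyAttachments(sample) {
		fmt.Printf("%-22s -> %s\n", v.Filename, v.Reason)
	}
}
```

File-name rules are a first filter, not a substitute for scanning the attachment's content: a macro-capable .doc is only dangerous if the macro runs, and a renamed executable inside a zip is missed here entirely. The Displayed field is the useful part for user training, since it shows exactly the name a victim would have seen.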
Against any kind of ransomware, constant vigilance is the best defence. Be careful while going through your e-mail, and never underestimate the value of good antivirus software, current patches and a tested backup. As the saying goes, ‘precaution is better than cure’.