What is Ransomware?
May 07, 2023
The short definition of ransomware is hidden in its name, just like in many other viruses. “Ransom software” is a program that injects into your computer, encrypts your files, and then asks you to pay the ransom to get your files back. Some examples of ransomware can threaten their victims that they will delete your files or publish some sensitive data if you do not pay the ransom. While the first hazard is a 100% lie, the second thesis can be real since ransomware is often spread with spyware or stealers.
Various ransomware examples use different encryption methods. AES-256 and RSA-1024 encryption principles are used in most cases, but you can sometimes meet the standards using RSA-2048. The number in the end primarily means the degree you need to bring two to get the number of possible keys. Even in the case of AES-256, the number of keys is a 78-digit number. Can you brute force it? Maybe, if you have spare 2 million years. Or a quantum PC with much better performance than any currently existing ones. ~ Gridinsoft Team
For every victim, ransomware generates a unique online key. That key is stored on the server maintained by cybercriminals. If the virus cannot connect to that server, it encrypts the files with the offline key, which is stored locally on the encrypted machine. The amount of offline keys is limited. Hence, you have a decryption key in common with several other victims.
Unfortunately, there is no 100% guarantee of getting your files back. If you are lucky enough and ransomware uses the offline key, you can decrypt your data much faster. Nonetheless, obtaining keys is quite long, and you may have to wait several weeks. The decryption app, which is supposed to be used for file decryption, will receive the update with the key that fits you as soon as analysts find it.
Online keys are much harder to solve. Since every such key is unique, you may wait for months. Ransomware distributors will likely be caught and forced to uncover all keys they have on the servers. Another case when all keys are released to the public is when ransomware creators decide to shut down their malicious activity. Such a situation was only once - in 2018 when GandCrab developers claimed that they earned 2 billion dollars and suspended their activity.
Ransomware attack stages
Most analysts define the six main stages of a ransomware attack. They may happen during a single day or within a month. However, the order, as well as the sense of these steps, always remains the same.Compromise. It is also sometimes called an initial injection. At that point, attackers inject the malware into the network (or the device if it is an attack against the individual user). Compromising is usually done through RDP breaches, email spamming, or unlicensed software usage.
Infection. At this stage, crooks use the initial presence in the network to inject the malicious payload. They rarely use direct downloads - it is straightforward to detect and prevent with security solutions. That’s why malware downloading usually exploits Windows and application software bugs. However, it may even prefer the direct download when it strikes an unprotected network or a sole user.
Escalation. All malware relies on running with administrator privileges. This property makes it possible to decrease the malware hazard by using the account with user privileges. However, even in that case, cybercriminals can find a way through. Most of the escalation stages in corporate networks are done through vulnerability exploitation - particularly ones that escalate privileges.
Scan. That step supposes scanning the infected machine(s) to detect all the files ransomware can cipher. Usually, ransomware takes the most sensitive data formats – ones that belong to MS Office files, pictures, and music. However, some act differently and cipher whatever they reach, despite the files that may harm the programs functionality.
Encrypt. Encryption may take minutes or hours, depending on the number of files on the attacked machines, used algorithm and the quality of ciphering software. The fastest ransomware known at the moment – Rorschach – can cipher 220,000 files in just 4.5 minutes. More massively used ransomware may need hours to accomplish the same task.
Pay Day. When the encryption is over, malware notifies the victim about the attack. It usually generates a ransom note file on the desktop and in each folder with ciphered files. Optionally, it can also change the desktop wallpaper to the ransom note. In the most extreme cases (like Petya ransomware), malware will infect the bootloader and show you the ransom note banner when you press the power button instead of the OS loading.
Types of ransomware
There are several types of ransomware existing currently. All users in the cybersecurity community are used to the kind of ransomware called crypto. That is precisely the virus you can read about above. Another type of ransomware was active much earlier, before 2014. It was called locker ransomware. As you can understand from its name, this virus was locking your system, asking for a ransom for desktop unlocking. Let me show you the critical difference between locker and crypto-ransomware:
Locker ransomware:
- Blocks your desktop;
- Covers the desktop with a ransom note banner;
- Modifies the registry keys that are responsible for Windows Explorer work;
- Suspends the explorer.exe process;
- Blocks the majority of system combinations (Ctrl+Alt+Del, Ctrl+Shift+Esc);
- Some versions can infect the BIOS, making it impossible to load the system;
- Sometimes, it can be easily removed after tricky manipulations with system functions;
- Ask you to pay a ransom as a mobile number top-up, as well as through the online payment system (PayPal, WebMoney, Qiwi, etc.);
Crypto ransomware:
- Encrypts the files of the most popular extensions (.docx, .png, .jpeg, .gif, .xslx), and adds to it its specific extension;
- Changes registry keys that are responsible for networking and startup programs launch;
- Adds a .txt file that has the ransom payment instructions to each folder where encrypted files are located;
- Can block access to some of the websites;
- Prevents the launching of the installation files of anti-malware software;
- Can change your wallpapers on a ransom note;
- Ransom payment is about to be done only with the use of cryptocurrencies, primarily - Bitcoin;
Latest ransomware attacks
- Phobos Ransomware Mimics VX-Underground Researchers
- Conti Members Are Back in Action as Part of Akira Ransomware
- 8Base Ransomware Group On The Rise, Lists a Number of Victims
- WannaCry 3.0 Ransomware Aims At Enlisted Russian-speaking Players
- Microsoft Researchers Link Clop Gang to MOVEit Transfer Attack
- FIN7 Hack Group Resumed Activity, Linked to Clop Ransomware
- Clop and LockBit Ransomware Exploit Fresh Vulnerabilities in PaperCut
- Rorschach's New Ransomware Is Named the Fastest to Date
List of ransomware families, actual for April, 2024:
- Avaddon ransomware showed up a short but pretty active life: its developers decided to shut down their activity in May 2021.
- STOP Djvu ransomware is one of the most widespread ransomware families. The first activity of that virus type was detected in 2018, and still, its activity is very high. Being targeted mainly at simple users, this ransomware can be a perfect example of a "classic" ransomware.
- Conti ransomware. This criminal group attacks organizations where IT outages can have life-threatening consequences: hospitals, 911 dispatch carriers, emergency medical services, and law enforcement agencies. Group dissolved in mid-2022, after a conflict between its members.
- Matrix ransomware is an old-timer of the ransomware sector, appearing in December 2016.
- MedusaLocker ransomware appeared in September 2019 and took a very rapid start with attacks on companies from all over the world.
- Snatch ransomware uses the trick with Windows Safe Mode and privileged service.
- VoidCrypt ransomware uses several features that are more typical for corporate-oriented viruses.
- Xorist ransomware uses crypto-constructor and can change itself so much that it is hard to recognize it.
- Dharma ransomware appeared around 2016, this ransomware family aims at a small business. Almost 77% of all Dharma cases are related to the exploitation of RDP vulnerabilities.
- Egregor ransomware has attacked large companies from all over the world.
- HiddenTear - Being initially created for educational purposes.
- LockBit an extremely fast ransomware.
- Magniber ransomware attempting to use a known PrintNightmare vulnerability to compromise victims.
- Makop doesn’t stay on a single encryption algorithm.
- Ryuk is an old-timer that is possibly related to North Korean hackers.
Is it a solution to pay the ransom?
The majority of income ransomware developers receive is used to fund various outlaw activities, such as terrorism, other malware distribution campaigns, drug dealership, and so on. Since all ransom payments are made in cryptocurrencies, there is no way to uncover the personality of crooks. However, email addresses can sometimes point out ransomware distributors in the Middle East.
As you can already conclude, paying the ransom equals participating in outlaw activities. Of course, no one will blame you for terrorism funding. But there is nothing pleasant to understand that money you get for fair work is spent on terrorism or drugs. Often even large corporations that are blackmailed with threats to publish some internal data are not paying a penny to those crooks.
How can I protect my computer from ransomware?
Usually, anti-malware programs update their detection databases every day. GridinSoft Anti-Malware can offer you hourly updates, which decreases the chance that a completely new ransomware sample will infiltrate your system. However, making use of anti-malware software is not a panacea. It would be best if you were careful in all risky places. Those are:
- Email messages. Most ransomware cases, regardless of the family, are related to malicious email messages. People used to trust all messages sent through email and don’t think something malicious may be inside the attached file. Meanwhile, cyber burglars use that weakness and bait people to enable macros in Microsoft Office files. Macros is a specific application that allows increasing the interaction with the document. You can construct anything on Visual Basic and add it to the document as macros. Crooks, without further thought, add ransomware code.
- Dubious utilities and untrustworthy programs. You may see various advice while browsing the Web. Online forums, social networks, and seeding networks - these places are known as sources for various specific tools. And there is nothing bad in such software - sometimes, people need the functions that are not demanded (or accepted) for corporate production. Such tools are so-called keygens for various apps, license key activators (KMS Activator is one of the most known), and utilities for system elements adjusting. Most anti-malware engines detect those applications as malicious, so you will likely disable the antivirus or add the app to the whitelist. Meanwhile, this utility may be clear or infected with trojans or ransomware.
A timeline of the biggest ransomware attacks:
- KAAA Ransomware (.kaaa File Extension)
- UAZQ Ransomware (.uazq File Extension)
- UAJS Ransomware (.uajs File Extension)
- LOOY Ransomware (.looy File Extension)
- VOOK Ransomware (.vook File Extension)
- KOOL Ransomware (.kool File Extension)
- NOOD Ransomware (.nood File Extension)