One security issue that received a lot of attention in 2015 was ransomware. The term ‘ransomware’, which used to be known only to security experts, has become familiar to all of us. Today, let’s have a look at what ransomware is and how we should be prepared to deal with it.
The origin of the term ‘ransomware’ will help you understand its definition. ‘Ransomware’ is a compound word combining ‘ransom’ and ‘-ware’. Just like other malicious code with specific names such as ‘malware’, ‘adware’, and ‘spyware’, the term ‘ransomware’ was coined to refer to this new type of code.
Malware basically means malicious code. Adware is a type of malicious code that makes computers show advertisements regardless of the user’s wishes. Spyware monitors what users do with their computers and transmits the records to hackers, just like a spy.
Ransomware literally means software that demands a ransom. Although there isn’t any official definition for the term, according to Wikipedia it basically refers to “types of malware that restrict access to an infected computer system in some way, and demand the user pay a ransom to malware operators to remove the restriction.”
Now that we have covered the definition, let’s see how ransomware emerged and what threats it has posed.
Ransomware was created by crackers (or black hat hackers) to make money. The most common form of ransomware encrypts a user’s documents, photos, and video files saved on a PC and demands a ransom in exchange for the code to decrypt them. As you can see from the Google Trends data in [Image 1], ransomware first appeared in 2006, and searches for ransomware have been increasing continuously since 2010.
Searches for ransomware in Korea began last year, and [Image 1] suggests that searches for the term in Korean increased dramatically in 2015.
How does ransomware work, and how should we be prepared against it, then? We can get an idea by learning about the stages of a ransomware attack.
Ransomware causes damage to users through three stages: infection, restriction of the PC, and the ransom demand. Let’s take a look at each of them more specifically.
“Drive-by downloads”, unintended downloads through spam mail or malicious websites, are the best-known path by which a ransomware infection enters a computer. You cannot get infected with ransomware automatically; it is usually triggered by reading spam mail, opening an infected attachment, or downloading illegal videos, photos, or software.
Sometimes users find their computers infected even though they only visited websites they are familiar with. This is usually a form of drive-by download that takes advantage of vulnerable software, so that the computer is infected as soon as the user visits the website.
Quite often, ransomware is downloaded without the user’s knowledge and launches on the PC to encrypt important files. Although encrypting user files is the most common behaviour these days, not all ransomware works this way. Some lock the screen so the computer cannot be used at all, and some even display endless adult content. The purpose of ransomware is to restrict use of the PC, and there are many different ways to achieve that purpose.
There aren’t many ways to fight it once a computer has been infected and its files encrypted. What matters, therefore, is to be alert to possible infections and to back up important files in case your computer does get infected.
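The file-encryption stage described above is the one a defender can actually observe on the host: documents that used to be readable text or structured data are suddenly overwritten with bytes that look random. The following example is added here and is not code from the original article or from LG CNS. It shows one heuristic an endpoint or file-server monitor can apply: measure the Shannon entropy of newly written file contents and raise an alert only when many distinct files turn high-entropy within a short window. Everything in it is constructed: the `WriteEvent` records stand in for what a real file-system watcher would report, `pseudo_ciphertext` is a deterministic stand-in for encrypted output rather than a real cipher, and the thresholds (`ENTROPY_THRESHOLD`, `BURST_WINDOW_SEC`, `BURST_COUNT`) are assumptions to be tuned per environment.

```python
"""Heuristic detector for the 'encrypt user files' stage of a ransomware attack.

Ciphertext is statistically close to random bytes, so its Shannon entropy
approaches 8 bits per byte, while documents, spreadsheets and source code sit
well below that. A single high-entropy file is normal (zip, jpg, an archive that
was encrypted on purpose); many distinct files becoming high-entropy within a few
seconds is the signature of bulk encryption, and that is what this script alerts on.
"""
import math
import random
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

ENTROPY_THRESHOLD = 7.5   # bits/byte; assumed: typical documents score 4-6, ciphertext ~7.9+
BURST_WINDOW_SEC = 10.0   # assumed sliding window in which writes are correlated
BURST_COUNT = 5           # assumed number of distinct files that must turn high-entropy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when the buffer is statistically close to random, as ciphertext is."""
    return shannon_entropy(data) >= threshold


@dataclass
class WriteEvent:
    """A file write as a file-system monitor would report it (constructed shape)."""
    ts: float       # seconds since monitoring started
    path: str
    content: bytes


def detect_bursts(events, window: float = BURST_WINDOW_SEC,
                  count: int = BURST_COUNT) -> List[Tuple[float, List[str]]]:
    """Return (alert_time, paths) for each window in which `count` distinct files became high-entropy."""
    hits = sorted((e.ts, e.path) for e in events if looks_encrypted(e.content))
    alerts = []
    start = 0
    for end, (ts, _) in enumerate(hits):
        # slide the window start forward until it spans at most `window` seconds
        while ts - hits[start][0] > window:
            start += 1
        paths = sorted({p for _, p in hits[start:end + 1]})
        if len(paths) >= count:
            alerts.append((ts, paths))
            start = end + 1   # do not re-alert on the same writes
    return alerts


def pseudo_ciphertext(size: int, seed: int) -> bytes:
    """Deterministic stand-in for encrypted output (constructed; not a real cipher)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


# --- constructed sample timeline: a few normal edits, then a bulk-encryption burst ---
DOCUMENT = ("Quarterly report: revenue grew 3% on the back of stronger demand.\n" * 60).encode()
VICTIM_FILES = ["report.docx", "budget.xlsx", "photo01.jpg", "notes.txt", "thesis.pdf"]

SAMPLE_EVENTS = [
    WriteEvent(0.0, "report.docx", DOCUMENT),                     # ordinary save by the user
    WriteEvent(1.5, "notes.txt", b"todo: call Kim\n" * 40),
    WriteEvent(2.0, "archive.zip", pseudo_ciphertext(4096, 1)),   # one compressed file: normal
] + [
    # five different files overwritten with ciphertext within four seconds
    WriteEvent(100.0 + i, name + ".locked", pseudo_ciphertext(4096, 10 + i))
    for i, name in enumerate(VICTIM_FILES)
]


if __name__ == "__main__":
    for ts, paths in detect_bursts(SAMPLE_EVENTS):
        print(f"ALERT t={ts:.1f}s: {len(paths)} files became high-entropy: {paths}")
```

The single compressed archive at t=2.0 is high-entropy too, which is why the detector keys on the number of distinct files per window rather than on any one file; in a real deployment the thresholds need tuning against the host's normal workload, the entropy signal is usually combined with others (mass extension changes, writes to planted canary files), and an alert should trigger isolating the machine and checking that the separate backups are intact.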
A ransom is then demanded once the PC has been restricted. The ransom is usually paid by wiring money to a certain account or through a specific payment system such as PayPal. Making the user call a caller-paid service so that the charge appears on their phone bill was another method commonly used in the past.
There are cases where users got their files back or the restrictions were lifted after paying the ransom, but it usually isn’t that simple. It is natural for users to be tempted to just pay what is demanded to get their files back, yet this decision has to be made more carefully.
In short, the best way to deal with ransomware is to prevent infection, and to prepare for possible infections by backing up important files at a separate location.
Lately many corporate PCs have been getting infected. Why are large corporations, with enough resources for anti-virus (‘vaccine’) software and security solutions, falling victim to ransomware?
Many companies actually use outdated versions of Internet Explorer as their standard browser. These browsers are vulnerable to infection because they are not updated to the latest version, which is the first thing mentioned as a way to prevent infection.
Microsoft announced that it would support only the latest versions of its browsers starting in 2016. Companies need to manage their IT systems thoroughly so that the security software and patches on all staff PCs are up to date.
There are always new ways to hack, but nothing should be too much trouble as long as we follow the right measures to prevent it. I hope this article has helped you prepare against the threat of ransomware.
Written by Kyu-Bok Kwak, LG CNS Security Consulting Team