2016 was the year of blackmail ransomware. Malicious programs are smuggled into a system and encrypt its data, making the data useless. Only after payment of a “ransom” is the data usable again.
This kind of blackmail is not new. Back in 1989, the Trojan “AIDS.exe” was able to hide files and in this way make them unusable. However, the program changed only the file names while the contents remained unchanged. This changed in 2008, when malicious programs began to encrypt the file contents. Without the correct key the data could not be rescued. The problem then was, as with “real” abductions, the handover of the ransom. This in turn changed in 2013. With Bitcoin as a means of payment the flow of money was no longer traceable and the success of the malicious software could no longer be stopped.
The malware was spread with the help of contaminated advertising banners and websites. Email attachments were used in addition to the classic method of the “lost” USB stick left in the parking lot or restroom, which contained a malicious program and infected the computer when inserted.
In the meantime, the programs have greatly improved and the selection of victims has changed. In the past there was a tendency to go for a large number of victims with low ransom demands, which added up to a nice sum. Now, middle and upper management is targeted. With the help of spear phishing, CEOs are singled out and spied on. The emails are written in such a way that the addressee has to assume that they come from a well-known and high-ranking person, typically from the same company. When the attachment is opened, the victim is asked to click on a link that starts a larger action in the background. The malware is then loaded and started.
After installation, the program contacts one or more so-called Command and Control (C&C) servers. From there, the most modern hacker tools are loaded onto the infected computer. They nest inside the system and ensure that the malicious program will work again after a restart of the computer, even if the device is immediately disconnected from the network (which could still inhibit the encryption of the data in the case of older malicious programs).
A part of the malware quietly nests inside the autostart folder, while another part takes “care” of the registry. Subprograms try to get into the company network, which promises more success since here the victims could have higher access rights than “normal” employees. What it means if such a program is able to spread over the company network is easy to imagine.
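The two persistence locations named above, the autostart folder and the registry, can be inventoried on a Windows machine and compared against a known-good baseline. The following PowerShell script is an added example, not part of the original article; the list of Run/RunOnce keys and the rule that flags commands pointing into user-writable directories are assumptions of the example.

```powershell
# Added example: inventory the autostart folders and the registry autorun keys.
# The four Run/RunOnce keys and the "user-writable directory" flag are this
# example's assumptions; the article names no specific keys or rules.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user
    [Environment]::GetFolderPath('CommonStartup')   # all users
) | Where-Object { $_ -and (Test-Path $_) }
# Directories a standard user can write to without elevation.
$writableDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC) |
    Where-Object { $_ }

function Test-UserWritablePath([string]$Command) {
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    foreach ($dir in $writableDirs) {
        if ($expanded.IndexOf($dir, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $cmd = [string]$regKey.GetValue($name)
        [pscustomobject]@{ Source = $key; Name = $name; Command = $cmd
                           Review = Test-UserWritablePath $cmd }
    }
})
$shell = New-Object -ComObject WScript.Shell
$entries += @(foreach ($dir in $startupDirs) {
    foreach ($file in Get-ChildItem -Path $dir -File) {
        # Resolve shortcuts to their target; other file types run as they are.
        $cmd = if ($file.Extension -eq '.lnk') {
            $shell.CreateShortcut($file.FullName).TargetPath
        } else { $file.FullName }
        [pscustomobject]@{ Source = $dir; Name = $file.Name; Command = $cmd
                           Review = Test-UserWritablePath $cmd }
    }
})
# Entries to review first are listed at the top.
$entries | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap
```

A flagged entry is a starting point for review, not a verdict: legitimate software also starts from per-user directories, so the output is most useful when diffed against an inventory taken from a clean system.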
Modern blackmail software is designed in particular to attack backup media. These are the first targets because, with the help of a timely backup, most problems caused by data being taken hostage can be bypassed. Therefore, the malware ensures that even the files of a backup are no longer usable.
All this happens in the dark. Before the end of the infiltration process, no one should ever suspect that there is a danger coming. When all preparations are made, the data is encrypted and the ransom demand is displayed on the screen of the infected computer. The required sum is calculated as far as possible from accounting information on the company’s sales; it is often in the five- or six-digit range.
The success rate is alarmingly high. A survey conducted by Osterman Research in the U.S., Canada, U.K., and Germany shows that of the 540 companies interviewed, almost 40% had problems with ransomware. More than a third of these had lost sales, while 20% were ruined by data loss!
If you would like an accurate and detailed picture of what an attack by CryptoWall 3.0 (CW3), one of the latest and most dangerous blackmail programs, looks like, SentinelOne has a very good article describing the process.
Picture copyright: Markus Spiske raumrot.com/www.pexels.com/ CC0 license