Of all the types of malware wreaking havoc these days, one clearly stands out - Ransomware. This troublesome malware appears to be gaining a lot of fans in the cybercrime community and has, in turn, caused considerable stretches of downtime on a large number of organisations.
A rapidly growing threat
Although already in existence since the late 1980’s (in the form of the AIDS Trojan), ransomware only started becoming notorious in the last couple of years. Its swift rise to infamy is closely associated with highly publicised attacks on hospitals, public transportation systems, telecommunications companies, and several other critical service providers and government agencies.
Because of those high-profile attacks - carried out by different variants such as CryptoLocker, Locky, CryptXXX, WannaCry and many others - the term “ransomware” has become an almost permanent fixture in the news.
Ransomware attacks are getting bigger too. The latest ransomware attack by WannaCry, which already crippled 40 NHS trusts in England and Scotland, claimed several other institutions in more than a hundred different countries around the world.
But why are cyber criminals becoming so fascinated with this particular type of malware?
Understanding the ransomware business model
To understand why, we must first understand the business aspect of ransomware campaigns. It’s basically very similar to the kidnap-for-ransom business model. The kidnappers hold someone captive and then demand ransom payment to the family members. In most cases, the relatives, fearing for the life of the captive, are compelled to pay.
The same thing happens in a ransomware attack. Instead of individuals, ransomware attackers hold valuable files, systems, or even entire networks captive, and then demand ransom payment from the owners.
If the recovery of those files, systems, or networks happen to be urgently needed (as was the case in the NHS ransomware attack, which threatened patient safety), the business administrators are usually compelled to pay. From a cyber criminal’s business perspective, that means it promises a good ROI.
Due to advancements in technology, the kidnap-for-ransom business model is easily applied and even greatly enhanced in ransomware attacks.
Holding captives through encryption
To hold systems (let’s just use this term to refer to files, hard drives, operating systems, or networks, moving forward) captive, most ransomware variants use encryption. Encryption makes “kidnapping” of a system convenient because it doesn’t require the target system to be physically removed.
Once a system is encrypted, it becomes inaccessible even if it stays where it is and can only become accessible again after it’s decrypted. The decryption key, which is needed in the decryption process, is held by the bad guys. That means, barring any successful workarounds by cyber security specialists, the bad guys will be the only ones capable of liberating the encrypted system.
This form of encryption, wherein the encryption key can be downloaded unto the target system and used in the encryption process but the decryption key can be kept separate, is known as public key cryptography or asymmetric cryptography. Older forms of encryption-based ransomware relied on symmetric cryptography, a form of encryption wherein the same key is used in both encryption and decryption.
Because a ransomware based on symmetric encryption had to use the same key for encryption and decryption, it was impossible to keep the decryption key in a separate place (i.e. in the hands of the perpetrators). The key, which was needed in the encryption process, had to stay in the target system, where it was easily found by cyber security professionals. The arrival of public key cryptography has therefore been a boon to ransomware technology.
Payment methods that support anonymity
Another technological advancement that has driven the popularity of ransomware is the arrival of bitcoin. In a typical kidnap-for-ransom operation, kidnappers usually prefer ransom payment methods that enable them to keep their identities hidden. This is now easily achieved through the use of bitcoin and other electronic payment systems that offer some degree of anonymity. This explains why ransomware gangs usually require victims to course ransom payment through these same payment platforms.
More ways of infecting systems
Ransomware operators have different motivations for launching a ransomware attack. There are those who have a specific target in mind (e.g. a specific hospital) and there are those who want to infect as many systems as possible. Fortunately (for the attackers, but not for us), there are now several attack vectors available to meet the requirements of both targeted and untargeted attacks.
Operators who wish to launch targeted attacks can now use spear phishing techniques. These techniques involve specially formatted, designed, and worded emails crafted for specific recipients, e.g. employees of a particular hospital. Because these techniques use email, they’re able to evade traditional firewall protection systems. Accompanying these emails are attachments, which, if clicked, may initiate the ransomware download.
On the other hand, operators who prefer untargeted attacks can employ attack vectors like spam emails, drive-by-downloads, malvertising and other techniques more suited for high-volume, spray-and-pray attacks.
In the WannaCry attack, the ransomware operators employed a very potent method for infecting a large number of systems. That particular ransomware exploited vulnerabilities in Microsoft’s implementation of the Server Message Block (SMB) protocol, allowing the malware to rapidly spread across different networks.
Negligence to patch
Most malware infections can actually be avoided by performing updates and patching. These tasks should be incorporated in virus and malware protection strategies. Unfortunately, several businesses take these seemingly mundane tasks for granted. That massive attack by WannaCry? That attack actually exploited a known vulnerability whose patch was already available for download way before WannaCry struck.
Right conditions for the rise of ransomware
All these factors - i.e. the presence of asymmetric encryption, anonymous payment methods, and various attack vectors, coupled with business’ negligence to patch and compulsion to pay ransom - combine to make ransomware attacks a very feasible and lucrative business.
Unless businesses take updates and patching seriously, employees are vigilant when downloading email attachments, and organizations stop paying ransom, ransomware will continue to be a favorite attack dog of cyber criminals.