Overview of Ransomware

June 15, 2016

A recent report by the Institute for Critical Infrastructure Technology (ICIT) describes ransomware as a tool criminals use to deny victims access to their own data until a fee is paid, in contrast to hackers who attempt to infiltrate or manipulate data where it is stored, processed, or in transit. Ransomware is therefore less about technological sophistication and more about exploitation of the human element. An analogy is the old Wild West, when there were miles and miles of dirt roads on which a criminal could hijack a coach and take what they wanted because no one was around to stop them. Ransomware is a digital spin on this centuries-old criminal tactic. ICIT says 2016 is the year ransomware will wreak havoc on America’s critical infrastructure community.


There are two basic types of ransomware. Crypto ransomware encrypts personal data and files so that the victim cannot access those particular resources unless they pay the ransom. Locker ransomware prevents the victim from using the system at all by locking some components or the entire system.

Ransomware’s success depends on the majority of users reacting out of ignorance, fear, or frustration. The most internet-dependent nations are targeted: the United States, Japan, the United Kingdom, Italy, Germany, and Russia. In 2015, the average ransom for either type of ransomware was around $300 (across individuals and businesses). Keep in mind that $300 is less than half the price of a new laptop or mobile device, and that pricing is central to the nature of the attack. Adversaries keep the ransom proportional to the value of the infected host and the victim’s ability to pay. Cybercriminals choose which type of ransomware to deploy based on their skill set, the specifications of the target system, and their prediction of how each type might affect the target victim. According to Symantec, about 36% of binary-based ransomware detected in 2014-2015 was locker ransomware.

How ransomware is typically spread

  • Social engineering – the art of manipulating people into giving up confidential information
  • Phishing campaigns – e-mail spoofing fraud attempts that target a specific organization, seeking unauthorized access to confidential data
  • Watering-hole sites – a computer attack strategy in which the victims are a particular group (an organization, industry, or region)

Computer lockers restrict user access to infected systems either by denying access to the user interface or by restricting certain capabilities, such as part of the keyboard’s functionality, the entire keyboard, and/or the mouse. This design is intended to increase user frustration. More sophisticated schemes incorporate social engineering into the scam to pressure the user into paying the fee. These tactics exploit the victim’s trust in law enforcement, the need to obey the law, and the fear of consequences by invoking imagery and wording reminiscent of law enforcement. For example, a display page might claim that the FBI has locked the computer on suspicion of downloading child pornography or pirating movies. The page then offers to unlock the system if a fee is paid. Hopefully, a rational user would realize that they were not engaging in the alleged illegal activity and would question why the FBI would remotely lock down a computer instead of simply showing up and arresting a suspect. Lastly, the FBI would not accept a “fee” to ignore due process.

Ransomware has proven a profitable attack vector, likely because of the victim demographics. Think of senior citizens who have flawlessly obeyed the law for their entire lives and would pay the ransom. Or think of teenagers who, even if they understand that the ransomware is malware, would use a parent’s credit card to pay the fine rather than explain that they infected the computer by visiting an adult web site. Personal computers are the current primary target of ransomware campaigns because they are numerous and easily compromised. Users tend to have poor cyber-hygiene, and many can be coerced into infecting their own systems through social engineering.

Recent Ransomware Attacks

  • Locky Ransomware – infected Hollywood Presbyterian Hospital Medical Center in February 2016. After ten days, the administration paid the attackers 40 Bitcoins ($17,000) to release the systems. Later that week, five computers belonging to the Los Angeles County health department were infected with a ransomware variant. The health department refuses to pay the ransom and will restore its systems from backups. Similarly, two hospitals in Germany were infected with ransomware at roughly the same time as Hollywood Presbyterian Medical Center. Both are restoring their systems from backups.
  • TeslaCrypt Ransomware – also in February 2016, spread through spam emails masquerading as Visa Total Rewards emails. A malicious attachment, claiming to be a white paper with more information about rewards and benefits, was used to deploy a JavaScript downloader that delivered the TeslaCrypt malware onto victim hosts. Victims were asked to pay 1.2 Bitcoins within 160 hours; if they did not pay within that time frame, the ransom doubled. The United Kingdom (40%) and the United States (36%) were the most targeted.

Need more information?

The Armstrong Company Insurance Consultants are here to help with all of your business and personal insurance needs, including Cyber Liability Insurance. Contact us today or Request a Quote!

The Armstrong Company Insurance Consultants (License #0440075)