Ransomware Viruses Are Not Going Away

Encryption viruses appeared back in 2005, together with the first ransomware. Today's crypto viruses have better code, a more elaborate and complex modus operandi and are, in general, more dangerous than before. Once inside a system, they encrypt all or part of the user's files and demand a ransom in exchange for a decryption key or a dedicated decryptor program. Many ransomware operators demand payment in Bitcoin or Monero to evade tracking and detection. In 2016, a huge spike in the activity of such infections was observed, and security professionals from VPNBrains named ransomware the main topic in information security. The success of a few hacker gangs has led smaller cybercriminal groups to adopt ransomware as well, and various Ransomware-as-a-Service offerings are widely available for sale on dark web sites. Advanced persistent threat (APT) groups have also added ransomware techniques and methods to their toolbox.


Classification of ransomware viruses

Because encryptors are malicious software, they can be classified on the same grounds as any other malicious code sample. For example, they can be grouped by distribution method: phishing or spam mailings, downloads of infected files, file-sharing services, and so on. After encrypting the user's files, the ransomware usually leaves instructions, either as a desktop background image, as a text document on the desktop, or as a text document dropped into every folder that contains encrypted files.

The victim is expected to receive, after paying the ransom, detailed instructions for decrypting the files or a dedicated utility that reverses the encryption. Today, ransom demands range from $300 to several million dollars. Not all ransomware actually recovers files after payment: some samples have bugs in their crypto routines that make decryption impossible, and others do not contain a decryption function at all. Most ransomware is written for Windows and Android, although variants for macOS and Linux exist.


Targets of encryption viruses

Typically, ransomware targets small organizations, but large companies have also been attacked. Financial and healthcare organizations are the most frequently hit industries. Ransomware development is therefore a very profitable business: the creators of CryptoLocker earned about $27 million in just two months.

However, the personal computers of ordinary users can also be affected. In this regard, it is helpful to remember that ransomware infection is easier to prevent than cure. Here are several essential tips:

1. Back up important files. It is advisable to keep the copies in cloud storage or on an external drive that normally stays disconnected from the computer and the Internet.

2. Do not open suspicious file attachments or links in emails.

3. Download programs only from the developer’s site or from trusted resources.

4. Install a good antivirus on your computer. Some antivirus solutions offer proactive ransomware protection, for example the ability to protect folders with important data from any changes at the file system level. This function is also available in Windows Defender antivirus.

5. Update and patch all software. A reliable patch management system is recommended.

6. Monitor remote services and file sharing.

7. Use strong passwords.

8. Customize browsers’ privacy and security settings.

9. Block executable files.

10. Introduce cyber awareness training.
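Tip 4 mentions Windows Defender's folder protection, which Microsoft calls Controlled folder access. The following PowerShell session is an added example (not from the article) of rolling it out the way a defender would: audit first, allow-list legitimate writers, then enforce. The folder and application paths are placeholders, and it must be run from an elevated prompt.

```powershell
# Added example, not part of the original article.
# Assumes: elevated PowerShell on a Windows host with Microsoft Defender;
# 'D:\Finance', 'D:\Projects' and the backup agent path are placeholders.

# 1. Start in audit mode: nothing is blocked yet, but every write that
#    *would* have been blocked is logged, so legitimate applications can be
#    allow-listed before enforcement breaks them.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect the folders that hold the data ransomware goes after.
#    User profile folders are covered by default; add business data here.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance', 'D:\Projects'

# 3. Allow trusted tools (e.g. the backup agent) to write into them.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\BackupTool\agent.exe'

# 4. Review what audit mode recorded in the Defender operational log
#    (filtering on the message text), then switch to enforcement.
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' |
    Where-Object { $_.Message -like '*Controlled folder access*' } |
    Select-Object TimeCreated, Message -First 20

Set-MpPreference -EnableControlledFolderAccess Enabled

# 5. Verify the effective configuration.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications
```

Repeat step 4 after enforcement is enabled: blocked writes show up in the same log and are an early signal that something is tampering with protected data.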

If you are infected despite these measures, only one thing can help you: a decryptor, i.e., a dedicated decryption tool. In some cases one can be found (and downloaded for free) on the websites of antivirus vendors.


Threat source

Ransomware spreads just like any other virus. The methods used to deliver it to the victim are gradually becoming more sophisticated: attackers disguise it as an official banking application or as a new version of well-known software. There have been many cases in which ransomware was installed under the guise of updates from Adobe or Oracle. Spam, however, remains the most popular way to distribute ransomware.


Risk analysis

In 2016, there was a surge in ransomware activity whose echoes are still noticeable. Current technology makes it trivial to encrypt files with highly resistant algorithms whose estimated brute-force cracking time exceeds the lifetime of the Universe. In some cases, antivirus vendors manage to find flaws in the malware that allow a decryptor to be built, but sometimes data recovery turns out to be impossible altogether. The risk of losing important and valuable information in a ransomware attack is therefore very high.

As already mentioned, the main targets of crypto viruses are enterprises and organizations, because they are more solvent than home users. In the event of a large-scale virus attack, business leaders should therefore inform employees about it and explain the role each of them plays in protecting the company's digital assets. The security awareness of all employees is extremely important. First of all, tell employees that they should never open files or follow links unless they know the source, and that if in doubt they should contact the IT or information security department.

In turn, IT professionals can deploy software packages that run the email client in a virtualized (sandboxed) environment, which protects the host against infection through links or attachments in messages. Deploying such a program company-wide ensures that all the necessary security settings are applied consistently. Antivirus, DLP (Data Loss Prevention), application whitelisting and other security solutions used in conjunction with a virtualized email client create strong barriers to infection and keep many attackers at bay.

Mobile devices are a prime target for malware too. Containerization technology helps prevent attacks on mobile devices by centralizing the management, protection and control of corporate applications and data without affecting the user's personal information. Mobile virtualization systems can also block employees' devices that do not meet corporate requirements, verify that a device has not been jailbroken, and detect pirated or unverified applications and hidden spyware.

It is important and necessary to back up all valuable information using synchronization and file-sharing services. Even if you pay the attacker a ransom, you have no guarantee that the data will be restored. Such services keep several versions of the same file, so client companies can regain access to the information they need without agreeing to the attackers' terms.