By Satyendra Sharma and Prof. Triveni Singh
Ransomware has been a severe cyber security threat since its inception and has grown into one of the biggest problems of the information technology era. It is a type of malware that blocks a computer or encrypts its data and demands money, in the form of a virtual currency such as Bitcoin, for restoring its functionality.
Basically, two types of ransomware are found. The first is encrypting ransomware, which encrypts files using an advanced encryption algorithm; the other is locker ransomware, which locks the computer system itself.
Crypto ransomware normally uses a combination of symmetric and asymmetric encryption to encrypt the data. Ransomware threats are becoming more prevalent in enterprises, and their purpose is simple: to extort money from victims with the promise of restoring functionality or decrypting the data. There is no guarantee, however, that after paying the ransom you will get access to your computer system or your files back.
At present ransomware is the biggest concern in the digital world, and many countries have been affected by massive ransomware attacks. In some cases the name or logo of a law enforcement agency is displayed so that the user believes the police are involved.
According to US-CERT, ransomware is a type of malware that infects a computer and restricts the user’s access to it. This type of malware, which has now been observed for several years, attempts to extort money from victims by displaying an on-screen alert. These alerts often state that the computer has been locked or that all of its files have been encrypted, and demand that a ransom be paid to restore access.
Ransomware can prevent you from accessing your computer system.
It holds your computer or files for money (ransom).
It encrypts files so that the user cannot use them.
It prevents certain applications from running (such as the web browser).
It demands money (ransom) to give access back to your system or files.
Older versions of ransomware usually claim (falsely) that you have done something illegal with your computer system and that you have been fined by a law enforcement agency such as the police.
Newer versions encrypt the files on your computer system so that you cannot access them, and then demand a ransom to decrypt them.
Types of Ransomware
There are different types of ransomware. However, all of them prevent you from using your computer system and/or ask you to pay a ransom so that you can use your computer system or files again. They can target any computer user (personal computers, corporate networks, servers, etc.). Basically, two types of ransomware are found.
Encrypting ransomware (Data Locker): It incorporates advanced encryption algorithms. It encrypts your computer files and demands money (ransom) for the decryption key needed to turn the content back into readable form.
Examples: CryptoLocker, Locky, CryptoWall, Cerber, CTB Locker, CryptoDefense, Simplocker.
Locker ransomware (Computer Locker): It locks your computer system so that you are unable to access the desktop and other applications. In this case the data is not encrypted, but the attackers demand money (ransom) to give you access to your computer again.
It is also called lockscreen ransomware because it shows a full-screen message that prevents you from accessing your computer.
Mode of Payment of Ransom
Generally the ransom is paid in Bitcoin. Bitcoin is a virtual currency, known as a cryptocurrency, which is easily convertible into other currencies such as the dollar or the euro.
Cryptocurrencies have become a global phenomenon, as US Senator Thomas Carper said: “Virtual currencies, perhaps notably Bitcoin, have captured the imagination of some, struck fear among others and confused the heck out of the rest of us.”
Bitcoin is an innovative payment network and a new kind of money. It uses peer-to-peer technology to operate the payment network; no central regulatory authority or bank is involved in the payment process. The Bitcoin network manages transactions, including the issuing of new bitcoins. Bitcoin is open source and its design is public. Nobody owns or controls the Bitcoin payment network, but everyone can take part.
Sources of Ransomware
RDP (Remote Desktop Protocol) is a protocol developed by Microsoft for connecting to remote computers running the Windows operating system. Large numbers of Windows computers with the RDP port exposed to the internet make RDP a huge attack vector, and it is the most common attack vector used by cyber criminals to gain access to Windows systems for installing ransomware.
Visiting unsafe or suspicious websites.
Opening email attachments from unknown sources.
Opening spam email.
Clicking on malicious links on the web, in emails, on social networking sites, etc.
Using external drives.
Using outdated anti-virus software.
Not installing security patches.
File Encryption Techniques
Crypto ransomware normally uses a combination of both symmetric and asymmetric encryption.
Symmetric Key Encryption (Private Key Encryption):
In symmetric encryption a single key, called the private key (secret key), is used both to encrypt and to decrypt the data. Using symmetric encryption, ransomware can generate a key on the infected computer system and send it to the command and control server (the attacker’s system), or it can request the key from the command and control server before encrypting the files on the victim’s computer. With this technique the attacker has to ensure that the key is no longer available on the victim’s computer after the files have been encrypted; otherwise the victim might be able to decrypt the files without paying the ransom.
Symmetric encryption is faster than asymmetric encryption and typically uses a 256-bit AES key.
The main problem with symmetric key encryption is how to get the secret key from the sender to the receiver securely and then keep it secret. For this reason asymmetric key encryption is now often used; it is popularly known as public key cryptography and is the basis of the public key infrastructure (PKI).
Asymmetric Key Encryption (Public Key Encryption):
In asymmetric key encryption two keys are used: a public key, which encrypts the data, and a private key, which decrypts it. Anyone can encrypt data using the public key (which is made public and distributed widely and freely), but only the holder of the paired private key can decrypt it.
Using an asymmetric algorithm, crypto ransomware may encrypt the files on the victim’s computer system with the public key while the attacker keeps the private key. The attacker does not need to worry about protecting the public key, because the corresponding private key is what is required to decrypt the files.
Asymmetric encryption is slower than symmetric key encryption.
More advanced crypto ransomware typically uses a combination of symmetric and asymmetric encryption. Variants that use asymmetric encryption may also generate a specific public/private key pair for each infected computer.
Different Approaches of Crypto Ransomware for Data Encryption
Downloaded Public Key Approach: CryptoDefense ransomware (which encrypts files with the extension .cryptodefense) uses a combination of symmetric and asymmetric encryption. It uses AES (Advanced Encryption Standard), a symmetric encryption algorithm, to encrypt the victim’s data: a 256-bit AES key is generated on the victim’s computer system and used to encrypt the file. The AES key is then itself encrypted with a 2048-bit RSA asymmetric public key that is downloaded from the attacker’s command and control server, and the encrypted AES key (secret key) is stored in each encrypted file on the victim’s computer. The attacker controls the RSA private key on the command and control server, and this private key is required to decrypt the files on the victim’s computer.
The weakness of this approach is that if the command and control server cannot be reached to download the RSA public key, the encryption process will not succeed.
The advantage of this approach is that the attacker can use a different RSA key pair for each infection; exposure of a single RSA private key will not allow any other victim to unlock their files.
Embedded Public Key Approach:
CTB Locker ransomware (which encrypts files with the extension .CTBL or .CTB2, or other ransom extensions) also uses a combination of symmetric and asymmetric encryption, but with a different approach. A public key for the RSA asymmetric encryption step is embedded in the CTB Locker ransomware itself, and the command and control server (the attacker) keeps the corresponding private key. CTB Locker uses AES (Advanced Encryption Standard), a symmetric encryption algorithm, to encrypt the victim’s data: a 256-bit AES key is generated on the victim’s computer system and used to encrypt the file. The AES key is then itself encrypted with the 2048-bit RSA public key embedded in the ransomware, and the encrypted AES key (secret key) is stored in each encrypted file on the victim’s computer. The attacker controls the RSA private key on the command and control server, and this private key is required to decrypt the files on the victim’s computer.
The weakness of this approach is that if the attacker uses the same public key for every infection, then the first victim to obtain the RSA private key could share it with other victims so that they can decrypt their files.
The advantage of this approach is that the ransomware can start encrypting files without internet access.
Preventive Steps against Ransomware
Do not click on a link on a webpage or in an email or in a chat message unless you absolutely trust the page or sender.
Do not open email attachments from unknown sources.
Delete any suspected spam immediately.
Keep your spam filter on.
Do not click on links in unsolicited advertising and offers.
Your wireless network should be encrypted.
Do not visit unsafe or suspicious websites.
Check the URL in the browser address bar and look for any spelling mistakes or unexpected names.
Before giving any personal or financial details, check that you are on a secure connection (https).
Keep the firewall on.
Update anti-virus software regularly.
Update Windows with security patches and bug fixes on a regular basis.
Update your browser at regular intervals.
Install anti-spyware tools.
Block browser pop-ups.
Keep your passwords strong and secret.
Keep backups of important files on a separate disk/DVD.
Create restore points on your computer system.
Disclaimer: “All contents presented in this article are the personal views of the authors. These contents cannot be treated as official views of the authors.”
Writers: Satyendra Sharma is Senior Manager (IT), PNB, and Prof. Triveni Singh, IPS, is SP Cyber Crime, Lucknow.