Ransomware is a type of malicious software (malware) which, when installed on a device or system, prevents access to that device, or to that device’s content or applications. Once installed and operational, the malware prompts you to pay a ransom to restore full functionality to the device. Personal or sensitive data have been targeted with ransomware, or accessed when attackers were rifling through organizational computers or networks. In fact, ransomware has affected a range of devices, including those running Windows, OS X, and Android, and has affected healthcare providers, police services, public schools, universities, and various types of businesses, in addition to individual consumer users. It’s an increasingly prevalent issue, with Symantec estimating that Canadians were affected by over 1,600 ransomware attacks a day in 2015.
Flavours of Ransomware
Many security experts believe that attackers are increasingly turning to ransomware as a profitable way to collect money from businesses and individuals alike. Ransomware is typically spread using one or more of the following methods:
- ‘bots’ (computers that aren’t controlled by their owners but rather by criminals) to install malware on your device(s);
- phishing campaigns to trick you into downloading and installing the malware;
- exploitation of security vulnerabilities in servers or desktops to install the malware; or
- infection of file sharing services or other websites, resulting in you downloading the malware when fetching what you think is legitimate software or content.
After a computer or device is infected, you’ll typically be ordered to pay a ransom, which (currently) usually entails paying the criminal using a cryptocurrency, such as Bitcoin or Litecoin. Such currencies are preferred because attackers believe they are more challenging for law enforcement to track than money orders or wire transfers. After paying the ransom, the criminal will typically provide the decryption key or password to unlock the application, device, or data, although this is by no means guaranteed.
Ransomware can be subdivided into three main ‘types’: application ransomware, locker ransomware, and crypto ransomware.
Application Ransomware
Application ransomware is designed to prevent you from using particular applications on your device or computer after the malware has been installed. This mode of ransomware was more prevalent in the past and often focused on preventing you from accessing your web browser until you had paid a fee to the attacker. Sometimes you may be presented with phony warnings that the application lock was the result of a government agency detecting some use of the application (such as accessing pornographic websites) and that by paying the fee, the government agency would decline to pursue charges.
Locker Ransomware
Locker ransomware is meant to prevent you from accessing your system or device in its entirety. After this kind of malware is installed, you are required to pay a fee in order to remove the ‘lock’ on the system. However, this kind of ransomware can usually be removed, because it often doesn’t alter the underlying file system or the data and files the computer itself operates on. Like application ransomware, locker ransomware may present screens that falsely assert a government agency must be paid before the device or system will be unlocked.
Crypto Ransomware
Crypto ransomware is the most common kind of ransomware that’s currently used by attackers. Such malware may block access to all or just some of your files, instead of directly affecting the usability of a computer system or device. It operates by encrypting the data on the computer unbeknownst to you. You might still be able to use your word processing application, spreadsheet program, or photo editing application, but you’ll be unable to access saved documents, photos, spreadsheets, or other files that the ransomware has blocked access to. In some cases, the malware will not only encrypt data on the device it’s installed upon but will also encrypt data that’s on any backup or network drives it’s able to reach. You may sometimes be informed that you have a specific and limited period of time to pay the attacker and that delays will either increase the amount of the payment or that the data will simply be deleted or rendered permanently inaccessible after the allotted time has passed.
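A defender-side check for the behaviour just described, added here as an example and not code from the original article: it samples files under a directory (for instance a backup tree or a mounted network share) and flags those whose byte entropy approaches the 8 bits per byte that ciphertext exhibits, while skipping formats that are high-entropy by design. The sample directory contents, the entropy threshold and the extension list are constructed assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Bytes read per file; enough to characterise content without reading whole files
SAMPLE_BYTES = 64 * 1024
# Shannon entropy (bits per byte) above which content looks encrypted (assumed threshold)
ENTROPY_THRESHOLD = 7.5
# Formats whose legitimate content is already high entropy; skipped to limit false positives
COMPRESSED_SUFFIXES = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def scan_for_encrypted_files(root: str) -> list[str]:
    """Return sorted paths under `root` whose sampled content looks like ciphertext.
    Very small files are ignored because their entropy estimate is unreliable."""
    suspicious = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() in COMPRESSED_SUFFIXES:
            continue
        with open(path, "rb") as fh:
            sample = fh.read(SAMPLE_BYTES)
        if len(sample) >= 256 and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
            suspicious.append(str(path))
    return sorted(suspicious)


def build_sample_tree() -> str:
    """Constructed sample data: one plain-text document, one file overwritten with
    random bytes (standing in for ciphertext), and one image-named file that is
    high entropy by format and so must not be flagged."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    docs = Path(root) / "documents"
    docs.mkdir()
    (docs / "report.txt").write_text("Quarterly report: revenue was flat. " * 40)
    (docs / "budget.xlsx").write_bytes(os.urandom(4096))  # simulated encrypted file
    (docs / "photo.jpg").write_bytes(os.urandom(4096))    # skipped by suffix
    return root


if __name__ == "__main__":
    for hit in scan_for_encrypted_files(build_sample_tree()):
        print("looks encrypted:", hit)
```

Run against a backup location on a schedule, a sudden jump in the number of flagged files is a strong signal that the ransomware has reached the backups the article warns about.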
The Underground Market of Ransomware
The core ‘innovation’ of ransomware over other kinds of attacker malware is that instead of removing data from a device or system and subsequently searching for a buyer for the data (e.g., stealing credit card numbers and then selling them to fraudsters), victims pay the attacker directly in order to (re)access their own devices or data. Given that payment is contingent on expecting the files or devices to be released, criminals engaging in this kind of activity may be motivated to maintain a ‘good reputation’ for honoring the ‘terms’ of the ransom.
Security researchers have ongoing questions about who receives the ransom payments: criminals, rogue state actors, or terrorists? In at least one case, attackers have asserted that their locking of specific files was done at the behest of a rival corporation – the rival wanted to stop their competitor from taking a product to market by locking them out of their own files.
As with other kinds of malware, security researchers investigate the spread of the software and attempt to automatically identify (and prevent from executing) files or links that are associated with ransomware. Because ransomware is seen as a competitive ‘market’, attackers themselves sometimes try to extract the decryption keys from other malware and publicly release the keys. The intent of such activities is to hinder competitive attackers from collecting on their ransoms. There have also been situations where a piece of ransomware was decommissioned and the attackers using it posted the decryption key online for free instead of permanently locking the devices or files.
Finally, as the Internet of Things becomes more entrenched, there’s the possibility that ransomware—and in particular, locker ransomware—will be used to prevent people from accessing Internet-connected devices or tokens that enable access to the devices. Such devices might include digital locks for homes, thermostats, watches, fridges, or other appliances regarded as central to a person’s ability to operate in the world. And the tokens might be smartphones or other personal electronics which, in addition to enabling access to the aforementioned devices, also contain massive troves of personal information.
Leave my personal information alone!
While ransomware is routinely regarded as a security issue, the targeting of personal or sensitive data means that the malware also raises privacy issues. Specifically, it raises questions concerning whether appropriate safeguards for personal information have been put in place, and whether information collection and retention have been suitably limited. The ability of an attacker to gain control of personal devices, such as laptops or desktops, or of business servers means that the same party may also have the capability and opportunity to access or even remove personal information stored on these devices. The relationship between malware and data breaches was recently drawn in a whitepaper released by the United States Department of Health and Human Services. Failing to adequately protect devices, systems and information, and failing to reduce unnecessary data collection or retention, could let attackers access a broader swathe of data than they might otherwise be able to access.
While attackers may attempt to remove the targeted data – such as documents, photos, audio, or other files on the device – they might also use the ransomware incident as a way to distract the affected parties from other unauthorized activities affecting the integrity or security of systems in an individual’s or business’s network. Even if the ransomware is not used to prevent access to files containing sensitive personal information on the affected computer or network, such information might have been accessed while attackers were rifling through organizational computers or networks. In such cases, a more comprehensive analysis of attacker activity in the affected systems should be undertaken as part of a fuller investigation into the extent of the unauthorized access to individuals’ personal information.
Christopher Parsons is a Research Associate at the Citizen Lab in the Munk School of Global Affairs at the University of Toronto.
Suggested Reading
- Ransomware As A Service: Inside An Organized Russian Ransomware Campaign
- The Evolution Of Ransomware
- OK, Panic – Newly Evolved Ransomware Is Bad News For Everyone
- Ransomware Is So Hot Criminals Are Sabotaging Each Other’s Ransomware
- Ransomware Gang Claims Fortune 500 Company Hired Them To Hack The Competition
- Master Decryption Key Released For Teslacrypt Ransomware