Study of a ransomware: how does it work?

Hi all!
In this article we would like to explain what a ransomware is and how it infects systems.
We hope you will enjoy reading the post. If you have any questions or comments, feel free to write and we will try to reply as soon as possible!
Let's start by defining what a ransomware is.

Introduction

A ransomware as defined by Wikipedia is "a type of malicious software that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid."

A ransomware is technically a malware which encrypts the data; the malware can be delivered to the system in many different ways (for example through a Trojan).
If the malware is well written there is really little chance of decrypting the data without having the encryption key.
The ransom is usually paid through digital currencies such as Bitcoin. In this way it is almost impossible to trace who receives the transaction.

Infamous Ransomwares

To start with a bit of history, you may have read about CryptoLocker and CryptoWall. The first was a ransomware which appeared at the end of 2013 and made companies pay a total of about $3 million before it was stopped (May 2014).
CryptoWall is a Trojan ransomware which infected systems during 2014. In the same year the owners of infected systems paid an estimated amount of about $18m to get the decryption keys.

How it works

Like the TCP handshake, the ransomware operates in 3 steps:

  1. The attacker generates a key pair (asymmetric key) and places the public key in the malware. The malware is deployed using different "media" such as trojans, email spam, infected websites...
  2. On the victim's system, the malware generates a random symmetric key and encrypts the victim's data with it. The symmetric key is then encrypted using the public key. Only the private key generated in the key pair (step 1) is capable of decrypting the symmetric key!! At the end of step 2, the victim has the selected data encrypted with the random symmetric key, and the same symmetric key encrypted with the asymmetric key (step 1): this is called hybrid encryption. The symmetric key and the original "unencrypted" data are deleted (with "proper" processes). The victim is informed of the attack with a message of some form, which provides the ciphertext (the symmetric key encrypted with the public key of the key pair) and information about how to pay the ransom.
  3. The criminal receives the ransom (normally through digital currencies) and the ciphertext. The ciphertext is decrypted using the attacker's private key (of the original key pair). The decrypted ciphertext is the "symmetric key" created in step 2. The attacker sends the symmetric key to the victim, who can then decrypt the data.
It is interesting to know that in the literature you will find "3 steps of a ransomware attack", "5 phases of a cyber attack", "6 phases of a ransomware attack"... whatever the number, the above is a good short explanation of how the attack happens.

This is an example of a message which the malware will display to the victim (from the infamous WannaCry ransomware):

As you can see in the picture, the victim is intimidated into paying before the time runs out, otherwise the attacker will delete his private key!

The malware can be designed to target an OS or to be specific to a particular product or solution, such as the NAS produced by Synology (August 2014) or a ransomware built to target Linux-based web servers (January 2015).

Within Windows, most modern ransomware takes advantage of PowerShell for its attacks. Clearly this shows that PowerShell is somehow not a secure environment compared to Bash (one point for Linux!).

Apart from the malware itself, there are 2 major factors that help the ransomware threat to grow: the development of Bitcoin and of the DarkNet. The first allows the ransom to be delivered with an almost impossible to trace transaction. The DarkNet, through Tor services, allows ransomware to communicate with its command centre. With the two, it is almost impossible to trace the origin of the attack.

Reverse Engineering Malware

While the best protection from a ransomware attack is maintaining a backup of your valuable information (data), researchers are fighting a war to develop defences against the attack and to analyse the malware to find ways to stop it and eventually decrypt the victim's files.
We are not going to duplicate the effort of experts and write a tutorial about this difficult discipline, which involves several competences. If you are interested in how researchers reverse engineer a malware, I would suggest you follow this link. It is from Lenny Zeltser's website. He is a guru in cyber security!

Conclusion

We hope you enjoyed reading this post and we welcome your comments. Share the post if you liked it and follow us!