RANSOMWARE


Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the user’s files, unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to get a decryption key.

Ransom Prices and Payment

Ransomware prices vary depending on the ransomware variant and the price or exchange rates of digital currencies. Thanks to the perceived anonymity offered by cryptocurrencies, ransomware operators commonly specify ransom payments in bitcoins. Recent ransomware variants have also listed alternative payment options such as iTunes and Amazon gift cards. It should be noted, however, that paying the ransom does not guarantee that users will get the decryption key or unlock tool required to regain access to the infected system or files.

Ransomware Infection and Behavior

To infect a PC with ransomware, the attackers need to get the malicious ransomware file onto the computer and execute it. This is typically done through a phishing email that contains a malicious download link or an attachment posing as a credit report, delivery notification, billing document, debt collection invoice, or other attention-grabbing lure. Ransomware can also infect the computer through an exploit kit, which is often spread via compromised websites, freeware and adware applications, or spam Facebook messages with attached images or videos. It can also arrive as a payload downloaded by other malware.

Once executed on the system, ransomware can either lock the computer screen or, in the case of crypto-ransomware, encrypt predetermined files. In the first scenario, a full-screen image or notification is displayed on the infected system’s screen, which prevents victims from using their system. The notification also shows instructions on how users can pay the ransom. The second type of ransomware blocks access to potentially critical or valuable files, such as documents and spreadsheets.

The History and Evolution of Ransomware

Early Years

The first cases of ransomware infection were seen in Russia between 2005 and 2006 (detected as TROJ_CRYZIP.A). The malware zipped certain file types (DOC, XLS, JPG, ZIP, PDF and other commonly used file extensions) before overwriting the original files. It created a text file that acted as the ransom note, informing users that the files could be retrieved in exchange for 300 dollars.

Ransomware Spreads Outside Russia

Ransomware infections were initially limited to Russia, but the profitable business model soon found its way to other countries across Europe. By March 2012, specialists observed a continuous spread of ransomware infections across Europe and North America.

Reveton and Police Ransomware

Reveton is a ransomware type that impersonates law enforcement agencies. Known as Police Ransomware or Police Trojans, this malware is notable for showing a notification page purportedly from the victim’s local law enforcement agency, informing them that they were caught doing an illegal or malicious activity online.

The Evolution to CryptoLocker and Crypto-ransomware

In late 2013, a new type of ransomware emerged that encrypted files in addition to locking the system. The encrypted files ensured that victims were still forced to pay the ransom even if the malware itself was deleted. Due to this new behavior, it was dubbed CryptoLocker. Like previous ransomware types, crypto-ransomware demands payment from affected users, this time for a decryption key to unlock the encrypted files.

Although the ransom note in CryptoLocker only specifies RSA-2048 as the encryption method used, analysis shows that the malware uses AES + RSA encryption.

RSA is asymmetric-key cryptography, which means it uses two keys. One key is used to encrypt the data and another is used to decrypt it (one key, called the public key, is made available to any outside party; the other is kept by the owner and is called the private key). AES is symmetric-key cryptography, which uses the same key to encrypt and decrypt information.

The malware encrypts files with an AES key and writes that key into each file it encrypts. However, the stored AES key is itself encrypted with an RSA public key embedded in the malware, which means the corresponding private key is needed to recover it and decrypt the files.

Another file-encrypting ransomware type soon came into the picture. The crypto-ransomware known as CryptoDefense or Cryptorbit encrypts database, web, Office, video, image, script, text, and other non-binary files, deletes backup files to prevent restoration of the encrypted files, and demands payment for a decryption key for the locked files.

Cryptocurrency Theft

Ransomware soon began to incorporate yet another element: cryptocurrency theft. Such variants can steal information from various cryptocurrency wallets (Bitcoin, Electrum, MultiBit). Wallet files contain important information such as transaction records, user preferences, and accounts.

The Angler Exploit Kit

The Angler exploit kit was one of the more popular exploit kits used to spread ransomware, and was notably used in a series of attacks through popular media such as news websites.

POSHCODER: PowerShell Abuse

A new variant of ransomware surfaced that leverages Windows PowerShell to encrypt files. Cybercriminals use this built-in feature to keep the threat from being detected on the system and network.

Ransomware infects critical files

Newer ransomware rides on patched malware to infect systems. Patched malware is any legitimate file that has been modified by adding or injecting malicious code.

These ransomware families are also notable for infecting user32.DLL, a known critical file. Infecting a critical file can be considered an evasion technique, as it can help prevent detection by behavioral monitoring tools that whitelist the file.

Files to encrypt

Earlier crypto-ransomware types targeted .DOC, .XML, .JPG, .ZIP, .PDF, and other commonly used file types for encryption. Cybercriminals have since added a number of other file types critical to businesses, like database files, website files, SQL files, tax-related files, CAD files, and virtual desktop files.

Modern Ransomware

After the shift to crypto-ransomware, the extortion malware has continued to evolve, adding features such as countdown timers, ransom amounts that increase over time, and infection routines that enable them to spread across networks and servers.

The Biggest Attack to Date

Though ransomware routines are not altogether new, they still work and so are still used by operators. The WannaCry/WCRY ransomware variant, which originally spread via malicious Dropbox URLs embedded in spam, took an unexpected turn: it began exploiting a recently patched vulnerability in the SMB Server, resulting in the biggest ransomware attack to date.

The future of ransomware

It would not be surprising if ransomware changes in a few years. In terms of potential, it can evolve into malware that disables entire infrastructure (critical not only to a business’s operations but also to a city’s or even a nation’s) until the ransom is paid. Cybercriminals may soon look into approaches like hitting industrial control systems (ICS) and other critical infrastructure to paralyze not just networks but whole ecosystems. A key area that could become a bigger target for cybercriminals is payment systems, as seen in the Bay Area Transit attack in 2016, where the service provider’s payment kiosks were targeted with ransomware.

We have seen ransomware operators hit hospitals and transportation service providers. What would stop attackers from hitting even bigger targets, like the industrial robots widely used in the manufacturing sector or the infrastructure that connects and runs today’s smart cities? Online extortion is bound to make its way from taking computers and servers hostage to any type of insufficiently protected connected device, including smart devices and critical infrastructure. The return on investment (ROI) and the ease with which cybercriminals can create, launch, and profit from this threat will ensure it continues in the future.

Ransomware Defense, Prevention, and Removal

There is no silver bullet when it comes to stopping ransomware, but a multi-layered approach that prevents it from reaching networks and systems is the best way to minimize the risk.

  • Back up important files using the 3-2-1 rule: create 3 backup copies on 2 different media, with 1 backup in a separate location.
  • Regularly update software, programs, and applications to protect against the latest vulnerabilities.
  • Have anti-virus, anti-spam, and web security solutions installed on systems.
  • Monitor user activity as well as system and network activity.
  • Avoid opening unverified emails or clicking links embedded in them.

Anti-ransomware Tools and Solutions

Trend Micro:

https://www.trendmicro.com/en_us/forHome/products/free-tools.html?cm_mmc=VURL:www.trendmicro.com-_-VURL-_-/tools/us.html-_-1:1

https://esupport.trendmicro.com/en-us/home/pages/technical-support/1105975.aspx?_ga=2.130767437.319345011.1507203808-15916345.1505901283

https://success.trendmicro.com/solution/1114221

No more ransom project:

https://www.nomoreransom.org/en/index.html

List of Known Ransomware Families

Family Name | Aliases | Description
--- | --- | ---
ACCDFISA | Anti Cyber Crime Department of Federal Internet Security Agency Ransom | First spotted in early 2012; encrypts files into a password-protected; the cybercriminals behind this ransomware ask for payment through MoneyPak, Paysafe, or Ukash to restore the files and unlock the screen; known as a multi-component malware packaged as a self-extracting (SFX) archive; may come bundled with third-party applications such as Sdelete and WinRAR
ANDROIDOS_LOCKER | | First mobile ransomware spotted; uses Tor, a legitimate service that allows anonymous server connections; users with mobile devices affected by this malware may find the files stored on the device rendered useless and held for ransom
CRIBIT | BitCrypt | Similar to CRILOCK in its use of RSA-AES encryption for target files; version 1 uses RSA-426; version 2 uses RSA-1024; appends the string bitcryp1 (version 1) or bitcrypt2 (version 2) to the extension of the files it encrypts
CRILOCK | CryptoLocker | Employs a Domain Generation Algorithm (DGA) for its C&C server connection; in October 2013, UPATRE was found to be part of the spam mail that downloads ZBOT, which in turn downloads CRILOCK
CRITOLOCK | Cryptographic Locker | Uses the Advanced Encryption Standard (AES-128) cryptosystem; the word Cryptolocker is written in the wallpaper it sets on an affected computer
CRYPAURA | PayCrypt | Encrypts files and appends the contact email address for file decryption; the PayCrypt version appends .id-{victim ID}-paycrypt@aol.com to the files it encrypts
CRYPCTB | Critroni, CTB Locker, Curve-Tor-Bitcoin Locker | Encrypts data files; prevents recovery of encrypted files by deleting their shadow copies; arrives via spam mail with an attachment that is actually a downloader of this ransomware; uses social engineering to lure users into opening the attachment; uses Tor to mask its C&C communications
CRYPDEF | CryptoDefense | To decrypt files, asks users to pay the ransom in bitcoin
CRYPTCOIN | CoinVault | Encrypts files and demands that users pay in bitcoin to decrypt them; offers a one-time free test decryption of one file
CRYPTFILE | | Uses a uniquely generated RSA-2048 public key for file encryption and asks users to pay 1 bitcoin to obtain the private key for decrypting the files
CRYPWALL | CryptoWall, CryptWall, CryptoWall 3.0, CryptoWall 4.0 | Reported to be the updated version of CRYPTODEFENSE; uses bitcoin as the mode of payment; uses the Tor network for anonymity; arrives via spam mail following the UPATRE-ZBOT-RANSOM infection chain; CryptoWall 3.0 comes bundled with FAREIT spyware; CryptoWall 4.0 also encrypts the names of the files it encrypts and uses an updated ransom note; it arrives via spam as a JavaScript attachment and may be downloaded by TROJ_KASIDET variants
CRYPTROLF | | Shows a troll face image after file encryption
CRYPTTOR | | Changes the wallpaper to a picture of walls and asks users to pay the ransom
CRYPTOR | Batch file ransomware | Arrives through DOWNCRYPT; a batch file ransomware capable of encrypting user files using the GNU Privacy Guard application
DOWNCRYPT | Batch file ransomware | Arrives via spam email; downloads BAT_CRYPTOR and its components, such as a decoy document
VIRLOCK | VirLock, VirRansom | Infects document files, archives, and media files such as images
PGPCODER | | Discovered in 2005; the first ransomware seen
KOLLAH | | One of the first ransomware families to encrypt files with certain extension names; target files include Microsoft Office documents, PDF files, and other files deemed information-rich and relevant to most users; adds the string GLAMOUR to the files it encrypts
KOVTER | | Payload of the attack related to YouTube ads that led to the Sweet Orange exploit kit
MATSNU | | Backdoor with screen-locking capabilities; asks for ransom
RANSOM | | Generic detection for applications that restrict users from fully accessing the system or encrypt some files and demand a ransom to decrypt or unlock the infected machine
REVETON | Police Ransom | Locks the screen using a bogus display that warns the user that they have violated federal law; the message further declares that the user’s IP address has been identified by the Federal Bureau of Investigation (FBI) as visiting websites that feature illegal content
VBUZKY | | 64-bit ransomware; attempts to use Shell_TrayWnd injection; enables the TESTSIGNING option of Windows 7
CRYPTOP | Ransomware archiver | Downloads GULCRYPT and its components
GULCRYPT | Ransomware archiver | Archives files with specific extensions; leaves a ransom text file containing instructions on whom to contact and how to unpack the archives containing the user’s files
CRYPWEB | PHP ransomware | Encrypts the databases on the web server, making the website unavailable; uses HTTPS to communicate with the C&C server; the decryption key is only available on the C&C server
CRYPDIRT | Dirty Decrypt | First seen in 2013, before the emergence of CryptoLocker
CRYPTORBIT | | Detection for image, text, and HTML files that contain ransom notes, which are indicators of compromise (IOC)
CRYPTLOCK | TorrentLocker | Poses as CryptoLocker; newer variants display crypt0l0cker on the affected computer; uses a list of file extensions to avoid encrypting, instead of the usual list of extensions to encrypt; this lets CRYPTLOCK encrypt more files while making sure the affected computer still runs, so that users know their files are encrypted and still have Internet access to pay the ransom
CRYPFORT | CryptoFortress | Mimics the TorrentLocker/CRYPTLOCK user interface; uses wildcards to search for file extensions; encrypts files in shared folders
CRYPTESLA | TeslaCrypt | User interface similar to CryptoLocker; encrypts game-related files; versions 2.1 and 2.2 append .vvv and .ccc to encrypted files; version 3.0 has an improved encryption algorithm and appends .xxx, .ttt, and .mp3 to the files it encrypts
CRYPVAULT | VaultCrypt | Uses the GnuPG encryption tool; downloads a hacking tool to steal credentials stored in web browsers; runs sDelete 16 times to prevent or hinder recovery of files; has a customer support portal; is a batch-script crypto-ransomware
CRYPSHED | Troldesh | First seen in Russia; added an English translation to its ransom note to target other countries; besides appending .xtbl to the names of encrypted files, it also encodes the file name, so affected users lose track of which files are lost
SYNOLOCK | SynoLocker | Exploits the operating system of Synology NAS devices (DSM 4.3-3810 or earlier) to encrypt files stored on the device; has a customer support portal
KRYPTOVOR | Kriptovor | Part of a multi-component infection; besides its crypto-ransomware component, it has an information-stealing component that steals certain files and the process list and captures desktop screenshots; uses an open source Delphi library called LockBox 3 to encrypt files
CRYPFINI | CryptInfinite, DecryptorMax | Arrives via spam with a macro attachment; the spam mail usually pretends to be a job application linked to a Craigslist post; appends .crinf to encrypted files
CRYPFIRAGO | | Uses Bitmessage to communicate with its creators; appends .1999 or .bleep to the files it encrypts
CRYPRADAM | Radamant | May arrive via exploit kits; appends .rdm to the files it encrypts
CRYPTRITU | Ransom32 | Known as the JavaScript ransomware
CRYPBOSS | CrypBoss | Appends .crypt to the files it encrypts
CRYPZUQUIT | Zuquitache, Fakben | Known as the ransomware-as-a-service (RaaS) malware
CRYPDAP | PadCrypt | Has live chat support for affected users; arrives via spam
CRYPHYDRA | HydraCrypt | Based on the leaked source code of CrypBoss; arrives via spam
LOCKY | Locky | Renames encrypted files to hex values; appends .locky to the files it encrypts; arrives via spam with a macro-embedded .DOC attachment, similar to the arrival of the DRIDEX malware
CERBER | Cerber | Encrypts the file name and appends .cerber; drops a .VBS file that makes the computer speak to the victim
CRYPSAM | SAMSAM | Uses exploits against the JexBoss open source server application and other Java-based application platforms to install itself on targeted web application servers
PETYA | Petya | Causes a blue screen and displays its ransom note at system startup
WALTRIX | CRYPTXXX, WALTRIX, Exxroute | Arrives as a .DLL file; distributed by the Angler Exploit Kit; locks the screen and encrypts all files; appends the extension .crypt
CRYPSALAM | Salam | Encrypts files and drops a ransom note named {month}-{day}-{year}-INFECTION.TXT; asks users to contact the ransomware creator via email to decrypt the files
JIGSAW | Jigsaw | Deletes files and increases the ransom amount each hour; some variants have live chat support for victims; some use porn-related ransom messages
MIRCOP | Mircop | Arrives as spam with an attached macro-enabled document that abuses Windows PowerShell to execute; the ransom note displays a hooded figure wearing a Guy Fawkes mask
JSRAA | RAA | Written in JScript, which is designed for the Windows Script Host engine in Internet Explorer; does not run in the Microsoft Edge browser
GOOPIC | Goopic | Arrives via the Rig Exploit Kit; uses a professionally designed interface
APOCALYPSE | Apocalypse | Appends the .encrypted extension to encrypted files; requires the victim to email the attacker for ransom instructions
JOKOZY | KozyJozy | Appends to encrypted files a random extension selected from an array using the pattern .31392E30362E32303136_(0-20)_LSBJ1
CRYPMIC | | Has routines similar to WALTRIX
STAMPADO | Stampado | Ransom notes similar to JIGSAW’s; reportedly sold in underground markets with a lifetime license
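The monitoring advice in the defense section and the file-name markers quoted in the family table can be combined into a simple file-activity detector that flags the mass-rename pattern crypto-ransomware leaves behind. The following is an added example, not code from the original page or from Trend Micro; it assumes a constructed log format of `<timestamp> <host> <CREATE|RENAME> <path>`, a constructed sample log, and uses only the extensions and note names listed in the table above.

```python
import re
from collections import Counter

# Markers quoted in the family table on this page, keyed to the Trend Micro
# family name. Constructed for this example; real families use more markers.
APPENDED_EXTENSIONS = {
    ".locky": "LOCKY", ".cerber": "CERBER", ".crinf": "CRYPFINI",
    ".rdm": "CRYPRADAM", ".xtbl": "CRYPSHED", ".1999": "CRYPFIRAGO",
    ".bleep": "CRYPFIRAGO", ".crypt": "CRYPBOSS/WALTRIX", ".encrypted": "APOCALYPSE",
    ".vvv": "CRYPTESLA", ".ccc": "CRYPTESLA", ".xxx": "CRYPTESLA",
    ".ttt": "CRYPTESLA", ".mp3": "CRYPTESLA",
}
AMBIGUOUS = {".mp3"}  # also a normal media type: flag only behind another extension
NAME_PATTERNS = [  # whole-name markers from the table
    (re.compile(r"\.id-[\w-]+-paycrypt@aol\.com$", re.I), "CRYPAURA"),
    (re.compile(r"\.31392E30362E32303136_\d{1,2}_LSBJ1$"), "JOKOZY"),
    (re.compile(r"^\d{1,2}-\d{1,2}-\d{4}-INFECTION\.TXT$", re.I), "CRYPSALAM"),
]
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(CREATE|RENAME)\s+(.+)$")  # "<ts> <host> <op> <path>"

def classify(path):
    """Return the suspected family for one file path, or None if it looks benign."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    for pattern, family in NAME_PATTERNS:
        if pattern.search(name):
            return family
    parts = name.lower().rsplit(".", 2)  # e.g. ['invoice', 'pdf', 'locky']
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    family = APPENDED_EXTENSIONS.get(ext)
    if family is None or (ext in AMBIGUOUS and len(parts) < 3):
        return None
    return family

def scan_events(lines, threshold=5):
    """Return (hits, alerts): hits = [(host, path, family)] for each suspicious
    name; alerts = hosts with >= threshold hits, the mass-rename pattern."""
    hits, per_host = [], Counter()
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        family = classify(m.group(4))
        if family:
            hits.append((m.group(2), m.group(4), family))
            per_host[m.group(2)] += 1
    return hits, sorted(h for h, n in per_host.items() if n >= threshold)

SAMPLE_EVENTS = [  # constructed file-activity lines, not real telemetry
    "2017-10-05T10:02:11 ws-17 CREATE C:\\Users\\bob\\Documents\\invoice.pdf.locky",
    "2017-10-05T10:02:11 ws-17 CREATE C:\\Users\\bob\\Documents\\budget.xlsx.locky",
    "2017-10-05T10:02:12 ws-17 CREATE C:\\Users\\bob\\Pictures\\holiday.jpg.locky",
    "2017-10-05T10:02:12 ws-17 CREATE C:\\Users\\bob\\Music\\song.mp3",
    "2017-10-05T10:02:13 ws-17 CREATE C:\\Users\\bob\\Desktop\\10-05-2017-INFECTION.TXT",
    "2017-10-05T10:02:14 ws-17 CREATE C:\\Users\\bob\\notes.txt.id-1234567-paycrypt@aol.com",
    "2017-10-05T10:03:00 ws-22 CREATE C:\\Users\\amy\\report.docx.mp3",
    "2017-10-05T10:03:01 ws-22 CREATE C:\\Users\\amy\\thesis.doc.31392E30362E32303136_7_LSBJ1",
]
```

Calling `scan_events(SAMPLE_EVENTS)` on the constructed log returns seven hits and flags ws-17, which crosses the five-file threshold, while the plain song.mp3 on the same host is ignored.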
