Decades ago, criminal coders invented a profitable new type of malware: ransomware. Since then its popularity among malware distributors has grown steadily since the tactic of encrypting files and charging for their decryption proved successful.

RANSOMWARE 101

How does it work? Simply put, ransomware is a program that gets into your computer, either by clicking on the wrong link or downloading the wrong file or program, and then it will lock down the files on your computer. The criminals often ask for a nominal payment, figuring you’ll be more likely to pay to avoid the hassle and heartache of dealing with the virus. They may ask for as little as $10 to be wired through Western Union, paid through a premium text message or sent through a form of online cash. But don’t be tempted to give in and pay the ransom. Paying them would be a mistake because they will further extort you and most likely not release your information.

How is it different from other malware? Unlike malware that hides and steals valuable information, ransomware doesn’t hide. As soon as ransomware has locked a user’s machine and/or encrypted files, it notifies the user of its presence to make the ransom demand.

THERE ARE TWO TYPES OF RANSOMWARE

  • Encryptors, which incorporates advanced encryption algorithms. It’s designed to block system files and demand payment to provide the victim with the key that can decrypt the blocked content. Examples include CryptoLockerLocky and CrytpoWall.
  • Lockers, which locks the victim out of the operating system, making it impossible to access the desktop and any apps or files. The files are not encrypted in this case, but the attackers still ask for a ransom to unlock the infected computer. Examples include the police-themed ransomware and Winlocker.

How can it start? Very innocently. For example, a user receives an email that appears to be from their colleague. It contains a URL to a SaaS application such as Salesforce, Workday or ZenDesk. The link opens a browser window and directs the user to a website that seems legitimate. It’s actually a landing page for an exploit kit hosted in a .co.cc top level domain.

What happens next? Upon loading the page, the Web server hosting the exploit kit begins communicating with the victim machine. The server sends requests about versions of software such as Java to find a vulnerable version for which the kit has an exploit. When a vulnerable version is confirmed, the kit attempts to exploit the vulnerability. Once successful, the exploit kit pushes down a malicious .EXE file. The malicious binary on the victim machine then attempts to execute.

When ransomware first hit the scene, computers predominantly got infected when users opened email attachments containing malware, or were lured to a compromised website by a deceptive e-mail or pop-up window. Newer variants of ransomware have been seen to spread through removable USB drives or Yahoo Messenger, with the payload disguised as an image.

SO, WHAT MAKES RANSOMWARE SO EFFECTIVE?

Fear. Just like any traditional extortion op, ransomware operations succeed because they capitalize on fear, which ultimately forces victims to do something irrational such as paying cybercriminals. Fear of losing your job because you lost important documents to ransomware can be crippling. Getting locked out of your system or never being able to open your files again is a scary thought. Possibly being indicted for potentially embarrassing browsing habits (such as watching adult or inappropriate videos) or unwanted public exposure can compel you to pay.

Want to know more? Check out our webinar featuring Chief Product Officer Adam Mashinchi on how to beat ransomware and better prepare yourself and/or organization.