Just imagine the scene.
You’re diligently fulfilling your duties at work, not paying attention to much else when the following email lands in your inbox:
To:(insert your own name here)
Subject: Mid-2016 salary increases
Attach: 2016-SI.doc
The body of the email reads:
“Look what I got ahold of! By the way, for your eyes, ONLY.”
You rub your eyes and stare for a second. Did someone really just send you a list of employees who will be getting mid-year increases??
You’re thinking “I gotta read this!” and your fingers are getting ready to open that attachment, but as you move your mouse closer to it, a tiny voice inside you screams “Wait!” (bah, humbug.)
Is this attachment what it seems, or is it possibly something really, really dangerous?
It’s a good thing you paused, for this little attachment contains malicious code that, once executed, would start to encrypt all the precious files on your computer and even on your network. No amount of IT know-how can undo the encryption, as the files can only be unlocked with the corresponding key, which only the bad guys have access to. But they are willing to part ways with the decryption key if you pay them somewhere in the ballpark of 20-40 bitcoins. How much is that in normal people money, you ask? Well, one bitcoin is equal to $418.97… So you do the math. But if you want to see your files ever again, you or your company is going to have to pay.
Welcome to Ransomware.
Ransomware is not only one of the nastiest forms of malware to arise in the last 10 years, it’s also one of the fastest growing malware-related phenomena. In fact, in just the second quarter of 2015, there were 4 million new cases of ransomware affecting devices. Contrast this with the numbers from 2013’s third quarter, when fewer than 1.5 million cases were recorded. And the experts only expect the uptick to continue.
A quick ransomware history lesson
Ransomware started out as little more than an obnoxious practical joke, created by the not-so-stable biology professor Dr. Joseph Popp in 1989, when he distributed diskettes that supposedly contained AIDS education software but in fact contained a virus that locked the computers of anyone who tried to use the software. For just $189, Popp would unlock the victim’s computer. In truth, the locking method he used, symmetric cryptography, was pretty easy to reverse – but this new concept, software that could be used for blackmail, was shocking.
Ransomware as a threat lay low until about 2006, when it resurfaced as GPCoder, using stronger encryption methods than its earlier counterpart. After that it was off and running, with new yet similar variants starting to appear with regular frequency. In 2012 Reveton ransomware, posing as an email from local police departments, locked computers and charged victims $200 to have them unlocked. People paid up, assuming that the notices were indeed legit. Then in 2013, a newer, fiercer kind of ransomware emerged in the form of Cryptolocker and its variant, Cryptowall. Using a very strong form of encryption, a 2046-bit RSA key pair, to lock victims’ computers, it displayed a lock-screen message letting them know that if they failed to pay the ransom within 3 days, the crooks would start deleting files – and the unlock fee would rise accordingly. Yikes.
There are lots of strains popping up every month or two, sometimes even weekly, but nowadays they all generally follow the Cryptowall/Cryptolocker methods; they just find new, more frustrating ways to tweak the recipe.
On to bigger and better pursuits
And ransomware is on the go. No longer satisfied with merely locking PCs, it’s moving on to other targets. Smartphones, wearables, and even Macs aren’t immune to the scourge, as was highlighted by last month’s KeRanger ransomware attack on a limited number of Macs. And now ransomware has found a new favorite target – hospital networks. Hospitals are especially vulnerable to ransomware attacks, as their information is generally of a more critical nature than that of most businesses (when it comes down to it, yes, your life truly is more important than your money), and most hospital employee training focuses on compliance with HIPAA regulations, never coming near the topic of cyber security.
The state of ransomware is so perilous that on March 31st, the US and Canada issued a joint cyber alert to warn citizens of the damage ransomware can cause. The alert urges people to use caution when opening links in emails and on websites because, as we saw above, malicious links are the number one tool used by ransomware creators in their quest to cause innocent people and their money to part ways.
Here are some other tips to keep ransomware from ruining your day (and your files, too)
Stick with us at ZoneAlarm to find out the latest ransomware-related news, and remember this axiom – Back up, get set up, but never, never pay up!