
Ransomware 101

Posted June 15, 2015 (updated July 15th, 2016) in IT Support in Toronto


You’ve probably heard the headlines about company X or Y being infected with ransomware. For those infected, it’s a real problem. Work comes to a halt. Computers become basically useless. Productivity ceases. Few organizations today could still function without their computers and internet connections. There isn’t a room somewhere with a horde of filing cabinets housing paper with information the organization needs in order to do its daily tasks. That room has been converted to the server room, and really only the IT folks can get anything useful out of that room. Binders, letters, memos, and faxes have been replaced by emails and cloud-based file transfer services.

Imagine all of the documents on your computer are suddenly inaccessible to you. Maybe even gone forever. The PowerPoint presentation you just spent hours on, contracts, specifications, customer records, images, music, video, everything – gone! Time to panic?

For some, this scenario doesn’t require any imagination at all. It happened to them. And yes, it can happen to you. The good news is, you will live through it. The bad news is that it’s going to be a while before life gets back to normal.

You probably know what ransomware is already. Or at least you probably think you know. Let’s use the Wikipedia definition; it’s surprisingly un-commercial and it’s technically accurate:

Ransomware is a type of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed.

A few notes about the specific word choices, because the distinctions are important:

  • “malware” does not mean “virus”
  • “restricts access” does not mean “encrypts files”
  • “computer system” here can mean any single microprocessor-based device

Malware, Not Virus

I’ll explain. Ransomware is malware in that it is bad software if you are the recipient of it. [It’s actually not bad if you’re the distributor of it – perhaps it’s bonware from that perspective?] It’s usually not a virus though, in that it doesn’t replicate itself across multiple computers on a network. There are of course exceptions to the rule. For the most part, though, ransomware is a 1:1 affair between you and the file-napper. There’s plenty of work for the software to do on the infected computer without trying to find other computers and replicate the software on them.

Restricts Access, Not Encrypts

Not all malware encrypts the files on your PC and holds them hostage. Encryption is complex to code. Amateurs can’t just whip out their own encryption modules in an afternoon. And as I’ll discuss in a future post, at least a couple of ransomware authors have made some classic rookie mistakes in trying to do so. The other problem with encrypting all of your files is that it is labor intensive on the CPU and storage devices like hard drives. It’s hard to encrypt all those files and go unnoticed by the user. If your PC suddenly becomes very sluggish, you’re going to start poking around to see what’s up. And it takes a long time. Try using commercial software to encrypt your hard drive someday. It won’t be done until the next day. What if the PC goes to sleep, gets turned off, or rebooted? Accommodating those scenarios is more work in the coding, and more room for error.
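One way a defender can turn that observation into a detection signal, as an added example that is not part of the original post: it flags a burst of distinct files overwritten with near-random (ciphertext-like) bytes inside a short time window, which is exactly the churn that bulk encryption cannot avoid. The event record, the thresholds and the sample events are constructed for illustration, not taken from any real telemetry.

```python
import math
from collections import Counter
from dataclasses import dataclass
from random import Random

@dataclass
class FileEvent:
    ts: float     # seconds since start of the capture
    path: str
    data: bytes   # bytes written to the file

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text scores roughly 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def suspicious_burst(events, window=10.0, min_files=5, entropy_threshold=7.0):
    """True if some `window`-second span overwrites at least `min_files`
    distinct files with high-entropy content: the churn the post describes."""
    events = sorted(events, key=lambda e: e.ts)
    start = 0
    for end in range(len(events)):
        while events[end].ts - events[start].ts > window:
            start += 1
        hot = {e.path for e in events[start:end + 1]
               if shannon_entropy(e.data) >= entropy_threshold}
        if len(hot) >= min_files:
            return True
    return False

# Constructed sample data (not real telemetry), seeded so runs are repeatable.
_rng = Random(1)
def _random_blob(n=2048):
    return bytes(_rng.getrandbits(8) for _ in range(n))

# A user saving a few text documents over a minute: low entropy, slow pace.
NORMAL_EVENTS = [FileEvent(t * 15.0, f"docs/report{t}.txt",
                           (b"Quarterly report draft, revision %d.\n" % t) * 40)
                 for t in range(4)]
# Eight documents overwritten with ciphertext-like bytes within three seconds.
RANSOM_EVENTS = [FileEvent(0.3 * i, f"docs/report{i}.docx.locked", _random_blob())
                 for i in range(8)]

if __name__ == "__main__":
    print("normal:", suspicious_burst(NORMAL_EVENTS))   # False
    print("ransom:", suspicious_burst(RANSOM_EVENTS))   # True
```

Compressed archives and media files also score high on entropy, so in practice the rate and the file-count threshold carry as much weight as the entropy check.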

So not all ransomware encrypts your files. It only needs to prevent you from using your device, or otherwise “restrict access” to the device or a useful majority of your files. Some versions of ransomware use the now-old-fashioned technique of continually opening new browser windows faster than you can possibly close them. Some act more like screensavers which won’t turn off. Others simply give you a desktop which is empty except for the ransom instructions, while disabling other desktops and tools which would allow you to get to your files.

Many variants simply intimidate you into not using your computer. This group, called scareware or copware, purports to be a federal law enforcement agency in your country (auto-detecting location by IP, of course). It claims you have been involved in illegal activity online, typically involving copyright infringement or something which rhymes with ‘mild corn’. The threat continues that unless you pay a “fine,” you will be prosecuted. A newer variant looks through your browser history to see if there are any sites it can cite in the UI for you which will serve as proof, since you know you visited them. It then says all your activities are now being recorded and evidence on your machine is being preserved. Sometimes there’s even a webcam snap of you as the cherry on top of this intimidation-sundae. This type of “scareware” ransomware has gained popularity and is probably the most prominent type in use today. And it’s not all bad either. Jay Riley, a 21-year-old Virginia resident who was the target of this type of attack, felt such guilt he turned himself in to authorities and was subsequently charged with, well, mild corn.

Your Phone is a Computer System

The computer at your desk isn’t the only device subject to ransomware. Really, all you need to create a ransomware-friendly environment is a CPU, storage space, a method to install software, ideally some RAM, and a vulnerability to exploit. By this definition your thermostat, microwave, television, and car are potential targets for ransomware. Or hadn’t you thought of that? You do like using those things, don’t you? Enough to pay? The IoT brings tons of fun possibilities with it.

Ransomware has already shown up on Android and iOS devices. In the case of Android, the vulnerability to exploit isn’t in the operating system. It’s you, the user, who are the vulnerability. You have to configure your device to allow installation of software from outside the Google Play store. Then you have to manually approve the installation of the ransomware. And you might be surprised that it works.

Ransomware is simply a specialized type of malware. Each piece of malware is designed with a specific goal in mind. All of them are intended to gain something valuable from you or your computer, or a computer connected to yours. All of them have to exploit some vulnerability to gain entry. Sometimes the goal is to gain some IP you have, sometimes it’s just to make you part of a botnet for future tasks to be executed silently. In the case of ransomware the goal is overt and blatant: Money. Now.

All of them have to consider user experience. That experience could range from making sure you don’t notice it to taking over your screen with a message from the author.

The number of ransomware variants is on the rise. And it’s getting easier to launch ransomware attacks. It’s a topic you’ll want to brush up on, before the panic. In future posts I’ll talk about some of the victims of ransomware, how various types of ransomware work, and what to do to defend against it.
