
Malware 101: Ransomware
If there's one type of malware most people have at least heard of, it's ransomware. It tends to pick up a lot of media coverage due to its ability to completely shut down the operations of its victims as well as having a very easily quantifiable monetary impact — the ransom. It's also much harder for some of the commonly targeted organizations to hide that an incident occurred, such as the public sector and healthcare, because they don't typically have the money on hand and must ask for it from a governing body or at least answer for spending such a large sum of money. Even larger private businesses would still likely have investors to answer to for paying a ransom. Despite this, it is believed that the majority of ransomware attacks are not disclosed, although this would include attacks that were able to be remediated without paying the ransom.
The first known ransomware attack happened in 1989, and ironically it targeted the healthcare industry, which remains a top target of ransomware even today. This first example, known as the AIDS Trojan (it was also a Trojan horse that posed as legitimate AIDS information software), encrypted filenames and demanded $189 be mailed to a P.O. box in Panama to remediate, claiming this was a license renewal fee for the software containing the malware.
Today's ransomware still uses encryption, although it typically encrypts entire files rather than just the names, which blocks access to the content of these files completely. Ransomware also still demands a (much larger) ransom, which is generally demanded in Bitcoin to avoid the authorities being able to easily trace the funds. If the group behind the ransomware stays true to their word (which isn't always the case) and their infrastructure hasn't been shut down, a decryption key is sent to the victim once the ransom is paid so the files can be recovered.
How ransomware encrypts data
The typical encryption process is not dissimilar to how TLS works: an asymmetric key pair is used to protect a symmetric key, and the symmetric key does the actual encryption. Specifically, the attacker embeds the public key in the malware and uses it to encrypt the symmetric key that the ransomware generates and uses to encrypt the files in place (which prevents any of the files' original data from remaining on disk and thus potentially being recoverable). The symmetric key is transmitted to the attacker and then erased, usually by zeroing the key file to prevent recovery.
Each distributed sample may use a different key pair, so that recovery of one private key does not let other victims recover their own symmetric keys and decrypt their data. Of course, implementing encryption correctly is daunting even for legitimate use, and there have been cases where security researchers were able to release decryption tools for certain ransomware variants because of mistakes made by the attackers.
The victim needs to be able to pay the ransom in order for the attacker to get paid, thus at least one message (often multiple) will be included stating that the victim has been attacked by ransomware and including the ransom amount and often even detailed instructions on how to pay it since acquiring and transferring cryptocurrency can be difficult. Typical ransom notes will include a file placed on the desktop or in the folders where the files were encrypted and/or an image file set as the desktop background.
The files themselves are often appended with a suffix to mark that they have been encrypted, and this suffix is often used to name the ransomware variant. For example, Ryuk appends .ryk or .ryk-encrypted to the files it encrypts. With the rise in ransomware-as-a-service (RaaS) — where ransomware authors rent their malware and infrastructure to other attackers that carry out the actual distribution of it — the names of the ransomware variants are actually provided by the authors themselves.
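Two observations above give defenders something concrete to look for: whole-file encryption leaves no plaintext on disk, so encrypted files have near-random byte distributions, and many variants append a telltale suffix such as Ryuk's .ryk or .ryk-encrypted. The following added example (not code from the original post or from Barracuda) scans a directory tree for both indicators plus a simple ransom-note filename heuristic. The suffix list contains only the two Ryuk suffixes named above; the note keywords, the 7.5 bits/byte entropy threshold and the sample files it builds in a temporary directory are constructed assumptions for illustration.

```python
import math
import os
import random
import tempfile
from collections import Counter

# Suffixes named in the post for Ryuk; extend from your own threat intel.
KNOWN_SUFFIXES = (".ryk", ".ryk-encrypted")

# Hypothetical ransom-note filename keywords (an assumption, not from the post).
NOTE_KEYWORDS = ("decrypt", "ransom", "readme")

# Bits of entropy per byte; ordinary documents usually sit well below this (assumed threshold).
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_file(path: str, sample_bytes: int = 65536) -> dict:
    """Return the indicators that apply to one file (empty list means nothing suspicious)."""
    name = os.path.basename(path).lower()
    with open(path, "rb") as fh:
        head = fh.read(sample_bytes)  # a prefix is enough to judge the byte distribution
    entropy = shannon_entropy(head)
    reasons = []
    if name.endswith(KNOWN_SUFFIXES):
        reasons.append("known ransomware suffix")
    if entropy >= ENTROPY_THRESHOLD:
        reasons.append(f"high entropy ({entropy:.2f} bits/byte)")
    if name.endswith(".txt") and any(k in name for k in NOTE_KEYWORDS):
        reasons.append("possible ransom note")
    return {"path": path, "entropy": entropy, "reasons": reasons}


def scan_tree(root: str) -> list:
    """Walk a directory tree and collect every file with at least one indicator."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            result = classify_file(os.path.join(dirpath, f))
            if result["reasons"]:
                findings.append(result)
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed sample data: a normal document, an 'encrypted' blob and a note."""
    docs = os.path.join(root, "docs")
    os.makedirs(docs, exist_ok=True)
    with open(os.path.join(docs, "quarterly_report.txt"), "w") as fh:
        fh.write("Quarterly figures and commentary for the finance team.\n" * 80)
    with open(os.path.join(docs, "quarterly_report.xlsx.ryk"), "wb") as fh:
        # Seeded random bytes stand in for ciphertext (constructed, deterministic).
        fh.write(random.Random(1234).randbytes(4096))
    with open(os.path.join(docs, "HOW_TO_DECRYPT.txt"), "w") as fh:
        fh.write("Your files have been encrypted. Contact us to decrypt.\n")


def demo() -> list:
    """Scan a constructed tree and return the flagged basenames, sorted."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_tree(root)
        for f in findings:
            print(f"{f['path']}: {', '.join(f['reasons'])}")
        return sorted(os.path.basename(f["path"]) for f in findings)


if __name__ == "__main__":
    demo()
```

In the constructed tree the plain report is left alone, the .ryk file is flagged twice (suffix and entropy), and the note is flagged by name. Entropy alone produces false positives on legitimately compressed or encrypted formats (archives, media, password-protected documents), so in production it is best used as a rate-of-change signal (many files crossing the threshold in a short window) rather than a per-file verdict.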
Impact and evolving tactics
While the ransom itself is the most easily quantifiable cost of ransomware, it is not the only cost, and most of the other costs are shared by other malware types. Downtime can have both financial costs and, especially in the case of healthcare, non-financial costs. When a hospital's computer systems are down it can even cost lives, which is part of what motivates attackers to target healthcare organizations with ransomware because this cost can drastically impact the willingness to pay the ransom. Time and labor to remediate any malware infection also has costs involved, as does implementing additional security measures to prevent or reduce the impact of ransomware and other types of malware.
Much of cybersecurity is a back-and-forth between attackers and defenders adapting tactics to respond to each other, and ransomware is no exception. As backing up data became more common to reduce the impact of ransomware, many malware authors started going after backups as well, especially simpler methods such as network file shares. When the number of ransoms being paid declined, some attackers started exfiltrating the data before encryption and threatening to leak it if the ransom was not paid. It's not uncommon for attackers to gain a foothold in a network and later implant ransomware at an opportune time when the damage and effectiveness are highest. The primary goal of ransomware is money, so when fewer ransoms are paid tactics change in an attempt to combat this.
You can read the rest of the Malware 101 series here.