What is Ransomware

Ransomware can be a difficult word to understand because it combines so many different elements of malware. Simply put, ransomware is a type of malware which blocks access to your computer and then demands a payment of money to regain access. The complexity lies in how ransomware infects your system, e.g. hidden in a Trojan horse, spam mail, adware, a virus, or a worm. To learn more about these types of malware, check out this article: What is Malware.

Ransomware explained

The basics, basically.

When ransomware infects your computer, usually through a downloaded attachment from a spam email, malvertising, or a spammy link with a download request, the program takes over your computer and gets to work doing what ransomware does: it displays a ransom notice and demands a payment in exchange for you being able to access your system again. Ransom amounts vary between types of ransomware, but can be anywhere from USD 20 to over USD 1,000, or the Bitcoin equivalent. In addition, the ransom notice also states a specific time frame, usually about 72 hours, in which the payment must occur, or the victim risks an increased ransom fee or permanent loss of the affected system or files. But before getting too deep into the topic, let’s briefly touch on the history of ransomware.

The first ever ransomware was labelled the AIDS Trojan, first reported in the US. This ransomware worked similarly to most early ransomware, encrypting the victim’s files and displaying a fake (although convincing for the time) expired software license notice asking for a payment of USD 189 to "PC Cyborg Corporation". After 2005, the creation and distribution of ransomware over the Internet took off, and was especially prominent in Russia. In 2013, the emergence of the famous ransomware "CryptoLocker" reinvigorated cyber criminals to be creative and innovative with ransomware and payment methods, as CryptoLocker required payment in the difficult-to-trace Bitcoin digital currency. This method proved to be successful, as an estimated USD 27 million was accrued by the criminals behind CryptoLocker. With CryptoLocker’s success, the opportunity for modern ransomware to become a common criminal activity skyrocketed.

How does ransomware work?

When ransomware infects your system using the common methods of malware distribution, there are usually two main methods used to disable your system. Firstly, the ransomware can simply lock your computer screen by displaying a large ransom image, making your desktop or laptop inaccessible unless the ransom demand is fulfilled. Once the sum of money is paid, the criminals are supposed to uphold their side of the agreement and remove the image locking your screen, giving you access to your system and deleting the ransomware from your hard drive or downloads.

Secondly, the ransomware can employ full-blown encryption of your files, processes, hard drive, or even applications on your computer like your iCloud. Once again, your computer becomes inaccessible without payment of the ransom. Furthermore, because the affected files are encrypted by the ransomware, it is usually almost impossible to tell what the original file names were, making it extremely difficult to understand what is lost, locked, or altered; the encrypted file names differ from the original, unencrypted ones. It is important to note that paying the ransom does not give a 100% guarantee of full restoration of your files and system.

Connecting the dots with encryption and ransomware

A closer look.

The second method of ransomware is more common these days due to increases in technology and cyber-criminal abilities, tools, and knowledge. If ransomware uses the encryption method of disabling your system instead of the lock-screen approach, either the RSA or the AES encryption standard will be employed, or, more commonly, both. Once encryption begins, all of your files will be renamed and made inaccessible. The difference between RSA and AES encryption is crucial to fully understanding the workings of ransomware. RSA is asymmetric, meaning that the encryption key (what locks the files) is different from the decryption key (what unlocks the files). So, if RSA is employed, paying the ransom will supposedly give you the decryption (private) key, which will then decrypt your computer and affected files, granting you access once again to your system.

However, with AES the key is one and the same, i.e. the same key is used to encrypt and decrypt your files, information, and data. Usually, AES encryption is what the ransomware uses on the files themselves. However, the AES key is in turn encrypted with one of the two RSA keys, the "public key". This means that the other RSA key (the private key, which only the criminals hold) is still needed to recover the AES key, which is then what grants access to your files once again. This extra layer of encryption makes the ransomware even more difficult to crack without paying the ransom, and it can sometimes be computationally impossible. Once again, we cannot in good conscience recommend paying the ransom, as that is admitting defeat to the cyber criminals of this world, so please be careful and seek professional help if you are a victim of a ransomware attack.
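To make the two-layer scheme above concrete, here is an added example in Go (not code from the article or from ZenMate) of the same construction, which is standard hybrid encryption and is used legitimately by backup and messaging software: a fresh AES key encrypts the data, and that AES key is wrapped with an RSA public key, so only the holder of the matching RSA private key can recover the data. Key sizes, the use of AES-GCM and RSA-OAEP, and the sample document are assumptions of this example; the point it demonstrates is that having the ciphertext, the nonce and the wrapped key on the victim's machine is not enough, and a different private key does not help.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Wrapped is what remains on the victim's machine after encryption: the
// AES-GCM ciphertext, its nonce, and the AES key sealed under the RSA public
// key. The RSA private key is never present on the machine.
type Wrapped struct {
	Ciphertext []byte
	Nonce      []byte
	WrappedKey []byte
}

// hybridEncrypt uses a fresh AES-256 key for the data (AES-GCM) and wraps that
// key with RSA-OAEP under pub. Only the matching private key can unwrap it.
func hybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (*Wrapped, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrappedKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Wrapped{
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		Nonce:      nonce,
		WrappedKey: wrappedKey,
	}, nil
}

// hybridDecrypt reverses the process. It fails unless priv matches the public
// key that wrapped the AES key: this is the "private key" the ransom buys.
func hybridDecrypt(priv *rsa.PrivateKey, w *Wrapped) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, w.Nonce, w.Ciphertext, nil)
}

// Demo encrypts a constructed sample document and reports three facts: the
// ciphertext differs from the plaintext, the matching private key recovers it,
// and an unrelated private key does not.
func Demo() (changed, rightKeyWorks, wrongKeyFails bool, err error) {
	holder, err := rsa.GenerateKey(rand.Reader, 2048) // key pair that wraps the AES key
	if err != nil {
		return
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // an unrelated key pair
	if err != nil {
		return
	}
	doc := []byte("Quarterly report (constructed sample document)")
	w, err := hybridEncrypt(&holder.PublicKey, doc)
	if err != nil {
		return
	}
	changed = !bytes.Equal(w.Ciphertext, doc)
	got, err := hybridDecrypt(holder, w)
	if err != nil {
		return
	}
	rightKeyWorks = bytes.Equal(got, doc)
	_, wrongErr := hybridDecrypt(other, w)
	wrongKeyFails = wrongErr != nil
	return
}

func main() {
	changed, ok, fails, err := Demo()
	fmt.Println("ciphertext differs:", changed, "| right key recovers:", ok, "| wrong key fails:", fails, "| err:", err)
}
```

Because AES-GCM authenticates the ciphertext, a wrong AES key (the result of unwrapping with the wrong RSA key, if OAEP did not already reject it) produces an error rather than garbage, which is why the example can check failure rather than inspecting output.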

What files are affected by ransomware?

Curious whether ransomware encrypts literally every single file on your computer? The answer is… it depends. Ransomware has a built-in, predetermined list of file extensions which it will attack and encrypt. For example, a ransomware sample could have a list which explicitly tells it to encrypt any file ending in ".docx", ".doc", ".txt", or ".exe". To find the files with those extensions, the ransomware is also programmed to walk different paths on your computer and search all relevant folders where such files could be stored or saved (e.g. \Windows\, \Program Files\, \Temp).
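The same extension list can be turned around and used from the defender's side. The following is an added example in Go, not code from the article or from ZenMate, of a simple check over a snapshot of files: for each file whose extension is on the watch list, it verifies that the file still starts with the header bytes a healthy file of that type has (a .docx is a ZIP container starting with "PK", a .exe starts with "MZ"), and for types without a fixed header it measures byte entropy, since encrypted content looks random while ordinary documents do not. The watch list, the header table, the entropy threshold, the paths and all file contents are constructed assumptions for this example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"math"
	"path/filepath"
	"strings"
)

// watchedExts mirrors the kind of extension list the article says ransomware
// carries, used here as the defender's watch list (constructed for this example).
var watchedExts = map[string]bool{".docx": true, ".doc": true, ".txt": true, ".exe": true}

// magic gives the header bytes a healthy file of each type starts with.
// Ciphertext will not start with them. .txt has no fixed header.
var magic = map[string][]byte{
	".docx": []byte("PK\x03\x04"),
	".doc":  {0xD0, 0xCF, 0x11, 0xE0},
	".exe":  []byte("MZ"),
}

// shannonEntropy returns bits of entropy per byte (0..8). English prose sits
// around 4 to 5; output of a modern cipher sits close to 8.
func shannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	n := float64(len(b))
	var h float64
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// suspicious returns a reason if the file looks encrypted, or "" if it looks
// healthy or is not on the watch list. The 7.5 threshold and the 1 KiB minimum
// size are assumptions chosen for this example.
func suspicious(path string, content []byte) string {
	ext := strings.ToLower(filepath.Ext(path))
	if !watchedExts[ext] {
		return ""
	}
	if m, ok := magic[ext]; ok && !bytes.HasPrefix(content, m) {
		return "header mismatch"
	}
	if len(content) >= 1024 && shannonEntropy(content) > 7.5 {
		return "high entropy"
	}
	return ""
}

// scanFiles runs suspicious over a snapshot of path -> content and returns
// only the flagged files together with the reason.
func scanFiles(files map[string][]byte) map[string]string {
	flagged := map[string]string{}
	for p, c := range files {
		if why := suspicious(p, c); why != "" {
			flagged[p] = why
		}
	}
	return flagged
}

// ciphertextLike deterministically builds n bytes that look like cipher output
// (SHA-256 chained over a counter) so the sample needs no real encryption.
func ciphertextLike(n int) []byte {
	out := make([]byte, 0, n+32)
	for i := 0; len(out) < n; i++ {
		sum := sha256.Sum256([]byte{byte(i), byte(i >> 8)})
		out = append(out, sum[:]...)
	}
	return out[:n]
}

// sampleFiles is a constructed snapshot: two healthy documents, two that have
// been overwritten with ciphertext-like bytes, and one file off the watch list.
func sampleFiles() map[string][]byte {
	docx := append([]byte("PK\x03\x04"), bytes.Repeat([]byte("word content "), 100)...)
	return map[string][]byte{
		"C:/Users/alice/Documents/report.docx": docx,
		"C:/Users/alice/Documents/notes.txt":   []byte(strings.Repeat("meeting notes: follow up with finance\n", 40)),
		"C:/Users/alice/Documents/budget.docx": ciphertextLike(4096),
		"C:/Users/alice/Documents/todo.txt":    ciphertextLike(4096),
		"C:/Users/alice/Pictures/cat.png":      ciphertextLike(4096),
	}
}

func main() {
	for p, why := range scanFiles(sampleFiles()) {
		fmt.Printf("%s: %s\n", p, why)
	}
}
```

On the constructed snapshot, budget.docx is flagged for its missing ZIP header and todo.txt for high entropy, while the healthy report.docx and notes.txt pass and cat.png is ignored because .png is not on the watch list. A real deployment would run this against a backup catalogue or a file-integrity baseline rather than an in-memory map, and a compressed or already-encrypted file type would need its own rule to avoid false positives.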

One of the biggest issues comes down to whether the encryption of files takes place on personal documents or on critical files (programs or applications which are essential to the PC functioning properly). Either way, the end result is the same in terms of having to pay the ransom or work out how to remove the ransomware. However, if only your personal files are encrypted, then once the timeframe for the ransom is up, only your personal files will be lost. If the ransomware attacks your critical files and encrypts them so your computer cannot access them itself, then once the deadline for payment has passed your system will become inoperable. The end result? All files are lost and you will most likely need to buy a new computer.

Famous Ransomware Examples

Some of the "biggest" names.

Now that we have given you a brief overview of ransomware, we figured it would be a good idea to "put a name to a face", or in other words, provide some famous examples. The following is a list of the technical names of ransomware followed by its "common" name among the Internet.

  • REVETON | Police Ransom | a.k.a. "FBI Virus"
  • CRILOCK | CryptoLocker | a.k.a. "Crypto Virus"
  • CRYPTLOCK | TorrentLocker
  • CRYPWALL | CryptoWall | a.k.a. "CryptoWall Virus"
  • KERANGER
  • CRYPTCOIN | CoinVault

For more detail regarding each ransomware family, its known fixes, and specific help for certain variants, take a look at Trend Micro’s extremely in-depth article regarding each ransomware here.

Vigilant advice to protect against ransomware

One last friendly reminder: we recommend never paying the ransom if you can avoid it. The best prevention comes in the form of regularly backing up your system, scanning your computer for viruses and malware regularly, and being fully aware of all attachments you open, files you download, and websites you visit. By ensuring you only open emails, download attachments, and use USB sticks from trusted sources, you take the first step towards legitimate prevention. However, we cannot say with a 100% guarantee that there is any single way to never be a victim of a ransomware attack. If you do happen to become a victim, be sure to act quickly because of the typical 72-hour ransom deadline. The usual outcome in today’s ransomware world is that the ransom increases at certain time intervals until the time limit is reached and your system or files are permanently locked or encrypted.

As always, ZenMate can provide a level of security from malicious adverts with our Web FireWall, or you can ensure that your privacy is protected online via our VPN Related Products. However, for ransomware-specific threats and protection, please heed the above tips and stay vigilant while surfing the Internet. Remember, knowledge is power, power is prevention, prevention is security.
