Extortion in the Virtual World: Ransomware
By Romit Raj, law student at Hidayatullah National Law University, Raipur, Chhattisgarh
Ransomware is malware that encrypts a user's files and withholds the decryption key until the victim pays a ransom, usually in bitcoin. It is responsible for tens of millions of dollars in extortion annually, and the number of attacks has grown rapidly in the past few years. With the advent of the Internet of Things (IoT), a ransomware attack could cause massive loss to any organisation.
India is not immune: it is the third most-attacked country in Asia. India is on a path of digitalisation through programmes such as Digital India, Make in India and the start-up initiatives, which will offer many information services holding large amounts of data; in that situation, vulnerability to ransomware poses a significant risk. This paper investigates what ransomware is, what kind of data it affects and how one can guard against it, and sets out the security steps an individual or an organisation should take to stay safe from this menace.
Ransomware is a type of malware that restricts access to the infected computer system, by locking the screen or the files, and demands that the user pay a ransom to the malware operators to remove the restriction. Some forms systematically encrypt files on the system's hard drive, which then become difficult or impossible to decrypt without paying for the decryption key. Ransomware typically propagates as a trojan, disguising itself as a seemingly legitimate file.
The origin of ransomware dates back to the late 1980s: Dr. Joseph Popp, a biologist with a PhD from Harvard, created the first ransomware, the AIDS Information Trojan (also called the PC Cyborg Trojan), in 1989. It was distributed manually on 5.25-inch floppy disks. Once installed, the Trojan counted the number of times the system was booted, and when the count reached 90 it hid the directories and scrambled the file names on the victim's C: drive, rendering the system unusable. A ransom of USD 189 was demanded to restore functionality.
There are two types of ransomware used to target systems:
- Crypto ransomware, which encrypts the data and files stored on the system.
- Locker ransomware, which locks the targeted computer and so renders it unusable.
The CryptoLock paper (Scaife et al.) further divides crypto ransomware by how it writes the encrypted data. Class A ransomware overwrites the contents of the original file in place: it opens the file, reads its contents, writes the encrypted contents back, then closes the file. It may optionally rename the file. Class B extends Class A: the malware first moves the file out of the user's documents directory (for example into a temporary directory), reads its contents, writes the encrypted contents, then moves the file back to the user's directory, possibly under a different name. Since the file name may not match the original at any step, a detector must track the file's state across each move. Class C ransomware reads the original file, creates a new, independent file containing the encrypted contents, and then deletes or overwrites (via a move) the original.
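The following is an added example, not code from the paper or from the CryptoLock authors, that simulates the three write patterns on constructed files in a temporary directory and runs a toy detector over them: it classifies the pattern from the recorded file operations and flags the entropy jump that a CryptoLock-style monitor looks for. The stand-in cipher (a SHA-256 keystream XOR), the event names, the 7.0 bits-per-byte threshold and the sample text are all assumptions made for the illustration.

```python
"""Added illustration: Classes A, B and C simulated in a temp directory, with a
detector that classifies the op pattern and checks the entropy jump. The
SHA-256 keystream XOR is an assumed stand-in cipher, not a real one; it only
has to turn low-entropy input into high-entropy output."""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # bits/byte; English text is ~4-5, ciphertext approaches 8

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def toy_keystream_xor(data: bytes, key: bytes) -> bytes:
    """SHA-256 in counter mode, XORed over the data (assumed stand-in cipher)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)

def class_a(path, key, log):
    """Class A: open, read, overwrite in place, close (same inode)."""
    with open(path, "r+b") as f:
        log.append(("open_rw", path))
        data = f.read()
        f.seek(0)
        f.write(toy_keystream_xor(data, key))
        f.truncate()
    log.append(("close", path))
    return path

def class_b(path, key, log, scratch):
    """Class B: move out of the documents directory, encrypt there, move back renamed."""
    tmp = os.path.join(scratch, os.path.basename(path))
    shutil.move(path, tmp)
    log.append(("move", path, tmp))
    class_a(tmp, key, log)
    final = path + ".locked"
    shutil.move(tmp, final)
    log.append(("move", tmp, final))
    return final

def class_c(path, key, log):
    """Class C: read original, write a new independent file, delete the original."""
    with open(path, "rb") as f:
        log.append(("open_r", path))
        data = f.read()
    final = path + ".enc"
    with open(final, "wb") as f:
        f.write(toy_keystream_xor(data, key))
    log.append(("create", final))
    os.remove(path)
    log.append(("delete", path))
    return final

def classify_pattern(log, original):
    """Detector side: map the ops seen on `original` to a class. Moves are checked
    first because Class B does its encryption under a different name."""
    if any(op == "move" and src == original for op, src, *_ in log):
        return "B"
    ops_on_original = {e[0] for e in log if original in e[1:]}
    if "delete" in ops_on_original and any(e[0] == "create" for e in log):
        return "C"
    if "open_rw" in ops_on_original:
        return "A"
    return "benign"

def entropy_alert(before: float, after: float) -> bool:
    """Alert when a file became near-random and the jump is large."""
    return after >= ENTROPY_THRESHOLD and after - before > 2.0

def run_demo():
    sample = b"Quarterly report: revenue up 4%, costs flat. Action items follow.\n" * 64
    key = b"toy-demo-key"   # constructed; a real family would use a per-victim key
    results = {}
    with tempfile.TemporaryDirectory() as docs, tempfile.TemporaryDirectory() as scratch:
        for cls, writer in (("A", class_a), ("B", class_b), ("C", class_c)):
            path = os.path.join(docs, "report_%s.txt" % cls)
            with open(path, "wb") as f:
                f.write(sample)
            before = shannon_entropy(sample)
            log = []
            final = writer(path, key, log, scratch) if cls == "B" else writer(path, key, log)
            with open(final, "rb") as f:
                after = shannon_entropy(f.read())
            results[cls] = {"detected": classify_pattern(log, path),
                            "alert": entropy_alert(before, after),
                            "entropy_before": round(before, 2),
                            "entropy_after": round(after, 2)}
    return results

if __name__ == "__main__":
    for cls, r in run_demo().items():
        print(cls, r)
```

The point of the classifier is the one the text makes: a monitor that only watches in-place rewrites catches Class A and misses B and C, so the detector must follow moves, creates and deletes as well as writes. The entropy check is independent of the pattern and fires in all three cases, which is why CryptoLock combines several indicators rather than trusting any one.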
Mode of infection by ransomware:
In a ransomware attack, the attacker gets onto the victim's computer through an exposed vulnerability or a malicious attachment. A prior worm or trojan infection makes this easier, because it usually leaves the system weakly configured. After gaining access, the malware searches for valuable file types, such as .doc, .txt, .db, .zip, .rar, .pdf, .jpg and .rtf, and encrypts them, rendering them inaccessible to their owner. The attacker then tells the victim, through an email or a pop-up window, what ransom to pay to obtain the key that unlocks the files.
Once the files have been located, one of the following processing strategies is usually applied:
- The located data is compressed into a password-protected zip archive and the original files are removed, or
- Each file is encrypted and the original is deleted, or
- A hidden folder is created and all the data is moved into it, so that the victim believes it is gone.
When the attack succeeds, the ransomware controls all of the data, encrypted with a strong cipher. The attacker then notifies the victim by mail or a pop-up message carrying instructions for recovering the files; the instructions point to a payment portal where the victim must pay the ransom in bitcoin.
Evolution of ransomware:
a) In the guise of applications:
From around 2005, many computers were affected by ransomware posing as spyware-removal or performance-enhancement tools, such as SpySheriff, PerformanceOptimizer and RegistryCare. These tools exaggerated the issues found by their scans, for example unused registry entries and corrupt files, and claimed the issues would be resolved only once a licence costing between USD 30 and USD 90 was paid, although they fixed nothing. This wave was not confined to Windows; it also targeted Mac OS X.
b) In the form of fake anti-virus:
Between 2008 and 2009 the criminals switched from fake utilities to fake anti-virus programs. The tool mimicked legitimate security software, complete with an option to scan the computer. The scan would report a plethora of security issues and threats and then ask the user to pay between USD 40 and USD 100 to fix them, or to pay for a multi-year service subscription.
However, many users simply ignored the report, so this mode of attack gave the criminals a lower return on investment.
c) Locker ransomware:
After the fake anti-virus fiasco, the attackers took a big leap to a new form of extortion, locker ransomware, which disables access to and control of the computer. The ransom demanded by such attacks rose significantly and was payable through electronic cash vouchers. The first computer-locking malware was Trojan.Ransom.C in 2008. It spoofed a Windows Security Center message and asked the victim to call a premium-rate number to re-activate the licence; the computer stayed locked, so the user could not use it for anything else. With full control of the machine, the ransomware now caused real problems rather than merely reporting imaginary ones.
d) Crypto-ransomware:
The first crypto ransomware to hit was the Trojan.Gpcoder family, which used custom encryption. Because the same key served for both encryption and decryption, and that key had to be present on the victim's machine to do the encrypting, analysts could recover it, which made the scheme weak and easy to crack. The attackers kept upgrading the malware, and in 2006 Trojan.Cryzip was rampant; it too had a drawback, as the password needed to decrypt the files was embedded in the trojan itself and could be extracted by experts.
After Trojan.Cryzip came Trojan.Archiveus. Unlike other malware, after password-protecting the files it asked victims to buy medicines from a particular online pharmacy; once they had done so, they submitted their order ID to receive the password. In this way the attackers earned a commission without any payment being labelled a ransom.
Crypto ransomware has since evolved a great deal. Modern families generate a fresh key for each infection and wipe the session key from memory once it has been used. Most now use strong, well-known ciphers, typically encrypting files with a symmetric key that is itself encrypted with the attacker's public key, so the private key needed for decryption never exists on the victim's machine and the data cannot be recovered without paying the ransom in bitcoin. Victims are directed to payment sites hosted as Tor hidden services, which protect the operators' anonymity and make them very hard to trace.
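To make concrete why the key handling described above decides whether anything can be recovered, here is an added example, not part of the original article, contrasting the Trojan.Cryzip-style embedded key with the modern hybrid scheme (random per-infection session key, wrapped under the attacker's public key, then wiped). The RSA parameters (two published Mersenne primes, so this key pair is not secret), the SHA-256 keystream used in place of AES, the artefact names and the sample files are all constructed for the illustration.

```python
"""Added illustration of the key-handling models in the text: a key embedded in
the sample versus a session key wrapped under the attacker's RSA public key.
Toy RSA on two published Mersenne primes and a SHA-256 keystream stand in for
RSA-2048 and AES; nothing here is a real cipher implementation."""
import hashlib
import os

P = 2**127 - 1          # Mersenne prime M127 (public knowledge: toy key only)
Q = 2**89 - 1           # Mersenne prime M89
N = P * Q               # > 2**128, so a 16-byte session key fits in one block
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: stays with the attacker

def rsa_wrap(session_key: bytes) -> int:
    """Textbook RSA of the session key under the public key (N, E)."""
    return pow(int.from_bytes(session_key, "big"), E, N)

def rsa_unwrap(wrapped: int, d: int) -> bytes:
    return pow(wrapped, d, N).to_bytes(16, "big")

def keystream_xor(data: bytes, key: bytes) -> bytes:
    """SHA-256 counter-mode keystream XOR (assumed stand-in for AES-CTR)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def embedded_key_model(files: dict) -> tuple:
    """Trojan.Cryzip model: the secret is a constant inside the binary."""
    key = b"password-hardcoded-in-binary"
    enc = {name: keystream_xor(data, key) for name, data in files.items()}
    # What an analyst gets by pulling strings from a captured sample:
    return enc, {"key_from_sample": key}

def hybrid_model(files: dict) -> tuple:
    """Modern model: per-infection session key, wrapped, then wiped."""
    session = bytearray(os.urandom(16))
    enc = {name: keystream_xor(data, bytes(session)) for name, data in files.items()}
    wrapped = rsa_wrap(bytes(session))
    for i in range(len(session)):      # wipe the plaintext key from memory
        session[i] = 0
    # Only the RSA-wrapped blob (for the ransom note) and the zeroed buffer remain.
    return enc, {"wrapped_key": wrapped, "wiped_buffer": bytes(session)}

def recover_without_private_key(enc: dict, artefacts: dict):
    """Analyst view: decrypt using only what is left on the victim machine."""
    if "key_from_sample" in artefacts:
        key = artefacts["key_from_sample"]
        return {name: keystream_xor(c, key) for name, c in enc.items()}
    return None   # nothing usable: the session key exists only inside the RSA blob

def recover_with_private_key(enc: dict, artefacts: dict, d: int) -> dict:
    """Attacker view after payment: unwrap with d, then decrypt every file."""
    key = rsa_unwrap(artefacts["wrapped_key"], d)
    return {name: keystream_xor(c, key) for name, c in enc.items()}

SAMPLE_FILES = {"notes.txt": b"meeting at 10\n" * 40,   # constructed sample data
                "db.csv": b"id,amount\n1,42\n" * 30}

if __name__ == "__main__":
    enc, art = embedded_key_model(SAMPLE_FILES)
    print("embedded key, recovered without paying:",
          recover_without_private_key(enc, art) == SAMPLE_FILES)
    enc, art = hybrid_model(SAMPLE_FILES)
    print("hybrid, recovered without paying:",
          recover_without_private_key(enc, art) is not None)
    print("hybrid, recovered with attacker's d:",
          recover_with_private_key(enc, art, D) == SAMPLE_FILES)
```

Two caveats a practitioner would add. First, wiping the buffer here is only a gesture: the `bytes(session)` copies Python makes are immutable and cannot be zeroed, which is one reason real families do this step in native code and why a prompt memory dump of an infected host is still worth taking. Second, the RSA private exponent `D` is computed in this block only so the attacker's side can be shown; in a real campaign only `(N, E)` ever ships with the malware, and that asymmetry, not the strength of the file cipher, is what makes offline backups the only reliable recovery path.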
Ransomware attacks to date:
- Hollywood Presbyterian Medical Center:
Hollywood Presbyterian is a large hospital in southern California with almost 500 beds.
In February 2016 it was hit by a massive ransomware attack: the hospital's computer systems were infected by a malware program called Locky. Locky is typically sent to an unsuspecting user by email, and the recipient infects the system by opening a malicious Word document.
In the case of Hollywood Presbyterian it is not clear who opened the attachment, but it does not matter. Staff members were soon locked out of their computers, and the criminals demanded an unusually large ransom for the time: 40 bitcoin (about USD 17,000), which the hospital paid.
- The Ottawa Hospital:
The Ottawa Hospital in Canada is a large teaching hospital with over 1,000 beds and almost 10,000 computers.
The malware spread when employees clicked on infected email attachments, but the hospital's specialists contained it by wiping the hard drives of the infected systems, stopping the infection from reaching the remaining machines.
- Gigabit Geek:
This IT consultancy in Illinois suffered a major attack that began with one user reporting a missing file. In the blink of an eye, users in several locations reported the same. The company eventually realised that 90% of its files had been locked by the CryptoWall ransomware.
The company located the infected computer and wiped its hard drive, but the damage was done and it took more than a week to recover all the files manually.
Ransomware has become a global phenomenon, with a widespread attack every month or two. One of the most recent is the WannaCry attack, which had over 200,000 victims and infected more than 230,000 computers. It targeted systems that had not installed the latest security updates, including unsupported versions such as Windows XP and Windows Server 2003, for which Microsoft issued emergency patches only after the outbreak.
Much of the attention and comment around the event arose from the fact that the US National Security Agency (NSA) had discovered the underlying SMB vulnerability earlier and, rather than reporting it to Microsoft, had built the EternalBlue exploit for its own offensive work. Microsoft released the MS17-010 patch in March 2017, a month before the Shadow Brokers group published the exploit in April 2017; the systems hit in May were those that had not applied it.
The attack affected many National Health Service hospitals in England and Scotland, and up to 70,000 devices, including computers, MRI scanners, blood-storage refrigerators and theatre equipment, may have been affected. On 12 May 2017 some NHS services had to turn away non-critical emergencies and divert ambulances. The impact was global: Nissan Motor Manufacturing UK in Tyne and Wear, England, had to halt production after its systems were hit, and Renault stopped production at several sites as a precaution against the spread of the malware.
India was the third worst-hit nation, with almost 40,000 systems affected. About 60% of the WannaCry attack attempts were aimed at enterprises and the rest at individual users. The five cities most affected were Kolkata, Delhi, Bhubaneswar, Pune and Mumbai, and the five states with the most detections were West Bengal, Maharashtra, Gujarat, Delhi NCR and Odisha.
Preventive measures:
Some of the precautions to take are as follows:
- Keep systems updated with security patches and keep the firewall active at all times.
- Remove unnecessary open ports and services from the network.
- Install anti-spam software and filter mail through security products, so that the risk of exposure to ransomware through attachments is reduced; Symantec is one such vendor.
- Give the people in an organisation periodic cyber-awareness training so that they understand what to do if such a situation arises.
Ransomware attacks are now rampant. There were 1,966,324 registered reports of malware infections intended to steal money through online access to bank accounts. In 2015, ransomware programs were detected on 753,684 individual computers, of which 179,209 were targeted by encryption ransomware; about 20% of those attacked were in the corporate sector. The US security firm Symantec Corporation said in a 2016 report that India receives over 60,000 ransomware attacks a year, or about 170 a day. It is important to keep in mind that the real number of incidents is several times higher.
Given the IoT and the launch of the Digital India campaign, the threat that ransomware poses to many devices is high. Cyber policies for such programmes need to be framed, covering regular backups of data, end-to-end protection, keeping system patches up to date, mandatory use of anti-spam filtering and removal of unwanted programs. Such ransomware needs to be detected before it strikes, so threat-intelligence feeds must be monitored closely. In this way networks can be kept safe and the flow of bitcoin into the pockets of cyber criminals can be stopped.
References:
Are You Being Held for Ransom? All Covered, https://www.allcovered.com/content/content/231/ransomware_infographic-6-2016.pdf (accessed May 18, 2017).
CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data, https://www.cise.ufl.edu/~traynor/papers/scaife-icdcs16.pdf (accessed May 18, 2017).
Three High-Profile Ransomware Cases That Prove the Power.., https://fightransomware.com/ransomware-articles/three-high-profile-ransomware-ca (accessed May 20, 2017).
WannaCry Ransomware Attack, Wikipedia, https://en.wikipedia.org/wiki/WannaCry_ransomware_attack (accessed May 22, 2017).
India Third Worst-Hit Nation.., Economic Times, http://economictimes.indiatimes.com/tech/internet/india-third-worst-hit-nation-by-ransomware-wannacry-over-40000-computers-affected/articleshow/58707260.cms (accessed May 22, 2017).