WHAT RANSOMWARE ARE, HOW THEY WORK AND HOW TO PROTECT YOURSELF
Over the past few years, ransomware has proved to be one of the most profitable types of cyberattack: easy to use and spread online, and difficult to avoid or remove once it has reached devices such as computers and smartphones. The data collected between 2018 and 2021 speak for themselves: immediately after the introduction of the first ransomware, it represented 23% of all malware, while in 2019 it made up 46% and in 2020 67%.
According to Unit42's Ransomware Threat Report 2021, in the first quarter of 2021 experts identified as many as 113 different families of ransomware, of which 15 accounted for 52.3% of global attacks.
In other words, cybercriminals are increasingly relying on this type of attack, spreading ransomware in a variety of ways and targeting both ordinary citizens and large organizations, hospitals and even the public administration. What exactly is ransomware? How does it work? And, above all, how can it be avoided?
Definition and operation
Let us answer the first question right away: ransomware is a term formed by combining "ransom" and "malware", where the first word refers to the ransom demanded and the second derives from the terms "malicious" and "software", that is, "malicious software".
Ransomware is a type of malicious software that prevents users from accessing their system or personal files, which are usually returned only against payment of a ransom.
The history of ransomware is actually quite long, and the first attacks were recorded in the late 1990s. The first ransomware created and spread is called PC Cyborg or AIDS: it encrypted all files in the C: directory of the computer after 90 startups, then asked the victim to pay a ransom by mail to regain access to their personal data.
Fortunately, PC Cyborg's encryption was not as complex as that used by recent ransomware, so more experienced users could easily undo it.
Nonetheless, it was the first step towards the creation of numerous variants that are increasingly annoying and difficult to avoid, such as WinLock, a malicious program that in 2007 locked users out of the PC desktop and showed pornographic images in full screen, demanding payment of a ransom by SMS to remove them and regain access to the data.
The evolution that took place over the following 6 years then led to the birth of the first modern ransomware, including the infamous CryptoLocker, the first to use military-grade encryption and to hide the decryption key on a remote server pending payment of the ransom, making it nearly impossible to regain access to the personal data on the computer. From 2013 onwards, this type of cyberattack has become increasingly popular, until reaching its current spread in various forms of attack, which we will discuss later.
The way ransomware works is quite particular: to enter the network of a single citizen or an organization, it relies on social engineering.
By exploiting certain social levers, the attacker manages to gain the victim's trust, leading them to download programs or documents that actually contain malicious software. All this takes place using rather simple technical and psychological expedients, such as a trivial click on an advertisement that immediately activates the ransomware (the so-called malvertising, or "malicious advertising"), or the download of a file attached to an email received from an apparently reliable address.
In short, experts will have understood by now that the most widespread vector, used by over 75% of ransomware, is phishing, but there are cases of ransomware that exploit vulnerabilities of the system itself, or that infiltrate the PC through illegal downloads of paid software. Another method is to compromise sites that use Java or the now abandoned Adobe Flash Player.
Regardless of the method, however, once such malicious content has been downloaded, the ransomware seizes the files through encryption, rendering them unusable.
Depending on the type of malicious software, it can make the nature of the attack immediately clear, or disguise itself as an action taken by cybersecurity organizations or competent authorities in an attempt to gain the victim's trust and convince them to pay the ransom.
The payment in turn takes place mainly through the cryptocurrency market, in Bitcoin, Ethereum or other currencies, and can vary from a few thousand dollars to several million dollars, depending on the currency used (due to the increase in value of cryptocurrencies) but also on the type of target.
Together with the payment request, a screen is usually also displayed with detailed instructions for accessing the TOR network, and therefore the Dark Web, to make the payment to an electronic wallet.
Some ransomware also makes use of timers that increase the ransom over time and threaten the permanent loss of files, simply to rush the victim. Other more advanced systems even contain a real-time chat to receive support in paying the ransom, which also leaves some room for negotiation to reduce the price of the decryption password.
Popular types and variants of ransomware attacks
As explained at the outset, there are several families of ransomware, which may differ in the attack but not in the ransom demand. The four main categories are as follows:
• Crypto Ransomware: the most popular of all, it encrypts the data contained on the device, preventing the user from accessing it until the ransom is paid, in exchange for which the attackers provide the decryption key.
• Screen Locker: another rather popular variant which, instead of encrypting all the data, directly prevents access to the PC until the attackers' demands are met.
• Scareware: it cannot properly be defined as ransomware, as it neither encrypts any data nor blocks access to the system, but induces target users to download or purchase infected software which, once installed, shows notifications reporting suspected viruses on the PC or warnings that appear to come from law enforcement.
• Leakware: another extortion method that cannot properly be defined as ransomware, but which still consists in obtaining the sensitive data of a citizen or a company and threatening to publish it on the Dark Web if the desired ransom is not obtained.
Figure: crypto ransomware example
Figure: scareware example
As for the variants spread online, with the COVID-19 pandemic between 2020 and 2021 and the transition to remote working, ransomware attacks have doubled on a global scale, with the greatest spread, in order, in the United Kingdom, France, Germany and Italy, and with offensives aimed not only at giants such as Luxottica, Campari and recently Gigabyte, but also at small and medium-sized enterprises, the Municipality of Brescia and a university clinic in Dusseldorf, where unfortunately the first death attributed to ransomware was also recorded.
Palo Alto Networks experts have provided the public with an in-depth list of the major ransomware families. Currently, this is the ranking of the top three:
1. Ryuk, 31.7% of attacks: a ransomware able to penetrate the system through multi-stage attacks and, weeks or months after the initial infection, reveal its presence with a file called RyukReadMe containing all the details for payment of the ransom.
2. Sodinokibi, 20% of attacks: although this name may mean little to the average user, its "synonym" is REvil, the name used by one of the most famous ransomware operators in the world. Originating in Russia and recently disappeared from the scene, in recent months it has succeeded in attacking the US subsidiary of the largest meat-packing company in the world, obtaining a payment of 11 million dollars, as well as carrying out hundreds of attacks on companies using Kaseya IT software.
3. Maze, 15% of attacks: initially also called "ChaCha", it originated in 2019 and until 2021 was one of the ransomware most used by hackers, given the simplicity of its spread via email with infected Word or Excel attachments, but also via Flash Player vulnerabilities. Its operation is more complex, as it manages to obtain high privileges in the system and starts encrypting all the files it contains, but only after having extracted any sensitive data useful for blackmailing the victim a second time by threatening the public exposure of the most sensitive information.
The list then continues with names such as Mespinoza, Babuk, Egregor, NetWalker and many others, but among the historical ransomware the following should be mentioned:
• CryptoLocker: ransomware widespread between September 2013 and May 2014, it is remembered by cybersecurity experts as probably the first ransomware spread on the Internet via email attachments, thus setting a new standard in the industry. Following the attack, the malware displayed a pop-up message that has become almost iconic, requiring payment through Bitcoin or prepaid card to obtain the decryption key by a given deadline.
In case of non-payment by the established deadline, the malware offered a new online payment method, but at a much higher price. In both cases, receipt of the decryption key was not certain. The ransomware was isolated in May 2014 with Operation Tovar, which led to the closure of the CryptoLocker distribution network.