Explain the concept of ransomware, and demonstrate how it works.
- [Voiceover] One of the early uses of ransomware was in the AIDS information introductory diskette, circulated to conference attendees in 1989 by Dr. Joseph Popp. After the diskette had been used a specified number of times, the malware would start executing and hide the directories, encrypt the files, and then demand payment of $189 to be sent to a P.O. Box in Panama. Popp was caught, but was declared mentally unfit and agreed to donate the proceeds of his crime to AIDS research.
There was little further development of ransomware until around 2005, but since then it has become a significant source of revenue for cybercriminals and is now the most prevalent exploitation vector in financial crime. It's easy to create a ransomware payload, and it's a popular way of monetizing a network of compromised computers. The basic concept used in ransomware is cryptography, the science of turning an intelligible message into something that isn't understandable but can, with special knowledge, be turned back into the original intelligible form.
The criminal uses a cyberattack to get access to a victim's files and encrypts them. The files are then useless unless the victim pays the attacker for the key to recover them, with figures of about $250 being common. This price point is one which is affordable, provides a reliable outcome, and is much more convenient than trying to get any results by calling in law enforcement. Crilock is an example of a malware payload, usually delivered by the Cutwail spambot using the UPATRE or ZeuS botnet.
This typically entered the system by means of a phishing attack. The original emergence of ransomware used symmetric cryptography to encrypt files and store the key somewhere hidden on the target disk. When the ransom was paid, the criminal could then provide software or a service to recover the key and decrypt the files. This approach made it relatively easy for the anti-virus companies to recover the key offline. This then led cybercriminals to evolve their methods. Advanced ransomware uses asymmetric cryptography. The payload activates, selects whatever files it can find on the local disk and any shared drive accessible from the target computer, and encrypts them.
While the file encryption still takes place using a symmetric algorithm and key, the malware calls to its command and control service for a public encryption key and will use this to encrypt the symmetric key before it's stored on disk. A ransom message is then sent to the victim. On paying the ransom, the victim is given a payment code which can be entered into the malware and verified before releasing the private asymmetric key to unlock the keys to the files. Ransomware continues to evolve.
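The two key-management generations described in the last two paragraphs, written out as an added Go example that is not part of the course or its transcript. It models why an anti-virus vendor could recover the key offline from the first generation (the raw symmetric key is on the disk image) but not from the hybrid generation (only the RSA-wrapped key is on disk, and unwrapping needs the private key the operator keeps). The `Disk` map, the `keyblob` entry name, the function names and the sample content are all constructed for the illustration; the operator key pair is generated locally to stand in for the key held on the command and control server, and nothing touches a real filesystem or network.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Disk stands in for what a responder can read off a compromised host after
// the fact: the encrypted file and whatever key material was left beside it.
type Disk map[string][]byte

// newGCM builds an AES-GCM AEAD; it fails for any key that is not 16/24/32 bytes.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAESGCM encrypts plaintext under key, prefixing the random nonce.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM reverses sealAESGCM; a wrong key or wrong key length is an error.
func openAESGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// freshKeySeal draws a random 256-bit file key and encrypts content under it.
func freshKeySeal(content []byte) (key, sealed []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	sealed, err = sealAESGCM(key, content)
	return key, sealed, err
}

// FirstGenerationLayout models the early scheme from the transcript: the
// symmetric key is stored, merely hidden, on the same disk as the file.
func FirstGenerationLayout(disk Disk, name string, content []byte) error {
	key, sealed, err := freshKeySeal(content)
	if err != nil {
		return err
	}
	disk[name+".enc"] = sealed
	disk["keyblob"] = key // the complete secret sits on the victim's disk
	return nil
}

// HybridLayout models the later scheme: the same symmetric encryption, but the
// file key is wrapped with the operator's public key before it is stored.
func HybridLayout(disk Disk, name string, content []byte, pub *rsa.PublicKey) error {
	key, sealed, err := freshKeySeal(content)
	if err != nil {
		return err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return err
	}
	disk[name+".enc"] = sealed
	disk["keyblob"] = wrapped // only the RSA-wrapped key reaches the disk
	return nil
}

// OfflineRecovery is the anti-virus vendor's move from the transcript: take the
// key material found on the disk image and try to decrypt with it directly.
// It succeeds against FirstGenerationLayout and fails against HybridLayout,
// because a 256-byte RSA ciphertext is not a usable AES key.
func OfflineRecovery(disk Disk, name string) ([]byte, error) {
	return openAESGCM(disk["keyblob"], disk[name+".enc"])
}

// RecoveryWithPrivateKey is what only the private-key holder can do:
// unwrap the file key, then decrypt the file.
func RecoveryWithPrivateKey(disk Disk, name string, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, disk["keyblob"], nil)
	if err != nil {
		return nil, err
	}
	return openAESGCM(key, disk[name+".enc"])
}

// NewOperatorKeyPair stands in for the key pair kept on the command and control server.
func NewOperatorKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}
```

The defender's takeaway is in the shape of `keyblob`: with the first layout a forensic image of the disk contains everything needed to decrypt, which is exactly why offline recovery tools worked; with the hybrid layout the image holds only ciphertext, so recovery depends on either the operator's private key or on backups that were never reachable from the infected host.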
Some ransomware takes particular measures to protect the criminals by using the Tor system to hide itself when communicating with the victim. Tor is a network of computers used to carry messages which don't allow traceback and enable its users to maintain anonymity in whatever they do. Some new ransomware uses elliptic curve cryptography, showing that attackers are keeping up with advances in the security field as much as the defenders are, if not better. There are many different ransomware programs active currently, including CryptoLocker, TorrentLocker, CryptoWall, Petya, and Cerber.
Ransomware is getting increasingly sophisticated and some can be downright creepy. Ransomware has proved to be lucrative to the cybercriminals and as a threat, it's here to stay.
Note: Our Ethical Hacking series will map to the 18 parts of the EC-Council's certification exam. This course maps to the 09 Denial of Service domain.
- What is denial of service?
- SYN flooding
- Smurf and URL flooding
- Deauthenticating a wireless host
- Flooding HTTP
- Using BlackEnergy
- Flooding SIP
- Detecting DoS with PeerShark
- Defeating DoS attacks