Ransomware acts as “scareware”: it threatens users into paying a ransom so that their encrypted files can be decrypted with a key the attacker promises to supply. The first ransomware attack was carried out in 1989 by Joseph Popp, an AIDS researcher with a Ph.D. He created malware that gathered files on the user’s system and encrypted them once the system had been powered on 90 times, after which the malware demanded payment to Joseph Popp before the files would be released back to the user. Currently, in 2018, numerous ransomware attacks have been broadcast and made known to people around the world. WannaCry, discovered in 2017, affected numerous targeted companies and industries such as healthcare. After the targeted companies and industries were attacked with the malware, their daily operations were disrupted because their confidential files had been encrypted by the attacker. The files were only released after the ransom was paid in cryptocurrency.
Description of Threat 1
Ransomware is classified as malware that either encrypts the user’s files or locks the system screen. It can be downloaded onto the user’s system through the user’s own actions, for example when the user visits malicious websites offering suspicious downloadable files. It prevents the user from accessing the files or the system unless a ransom is paid to the hacker. One kind, known as crypto-ransomware, locks the files on the infected system and pressures the user to pay the ransom through a particular online payment service or, more commonly, through a cryptocurrency such as Bitcoin. Otherwise, the files will be permanently deleted or the system will remain locked until the ransom has been paid. If the user pays, the hacker sends a decryption key that can be used to decrypt the encrypted files or unlock the locked system. However, even after the user has received the decryption key, the hacker can re-exploit the same or another vulnerability of the system to re-encrypt the files, lock the system again, and demand a further ransom.
Type of Ransomware 2
1. WannaCry: WannaCry spread across major countries and affected organizations such as the UK’s National Health Service (NHS), US hospitals, FedEx, and Nissan. The ransomware encrypted files on the system and demanded payment from the organization before the files were released back to it. It succeeded because the attacker found a vulnerability in the operating system. Such attacks caused major disruption to the organizations and left them struggling to perform their daily operations.
2. CryptoWall: CryptoWall behaves similarly to CryptoLocker and is distributed through spam and exploit kits. It has gone by numerous names such as CryptoDefense, CryptoWall 2.0/3.0 and CryptoBit.
3. TorrentLocker: TorrentLocker is similar to CryptoLocker; it uses the AES algorithm to encrypt existing files on the user’s computer and is disseminated through spam emails. It also harvests email addresses from the target’s address book in order to spread the malware to other users and repeat the process.
Nature of Threat 1
System users face these threats in a variety of ways. Most targets are businesses and individual users. Ransomware can infect a computer when a user downloads unknown or suspicious software. Known ways of spreading ransomware to users include spam emails carrying attachments, downloads from malicious websites reached through malvertisements, and exploit kits that infect vulnerable systems.
Once ransomware has executed on the system, it can lock the system or, in the case of crypto-ransomware, encrypt the files on the user’s system. When the system has been infected, a full-screen image is displayed that limits the user’s access to their files and to the internet. The image shows how the user can pay the ransom to regain control of the system. Ransomware can also prevent the user from accessing files such as documents and spreadsheets.
Ransomware is considered ‘scareware’ because it scares users into paying a ransom to the attacker to retrieve the files that were encrypted, or the system that was locked, after the ransomware infected the user’s computer. A related example is the fake anti-malware program known as FAKEAV. It shows mock-up scan results from a supposed anti-malware product to convince users to purchase fake anti-malware software to protect their system.
Various ransomware infections were discovered in Russia between 2005 and 2006. In 2006, a report published by the antivirus company Trend Micro described TROJ_CRYZIP, a ransomware variant that zips files of certain types, overwrites the originals on the user’s system, and replaces them with password-protected zip archives. A ransom note is also created to tell the user to pay a ransom in exchange for their locked files.
Mitigation of Threat 3
There are various ways in which ransomware can be mitigated, and together they are known to reduce a large number of ransomware attacks, including those capable of locking the user’s system and deleting files from it. Firstly, monitoring file system activity: by observing the file system logs and tuning the monitoring rules to raise an alert when ransomware-like behaviour is observed, the user will be able to detect encryption, deletion and creation of files on the system.
Secondly, users can create honeypots to reduce the threat. Cybercriminals typically encrypt previously accessed files and avoid encrypting every file on the user’s system, so as not to raise the user’s suspicion. To determine whether the system is infected with ransomware, the user can create decoy duplicate files and folders and monitor activity on them, which will reveal whether files are being encrypted on the system.
Lastly, a least privilege model can also be used to reduce the threat of ransomware to the user’s system. The purpose of the model is to reduce exposure of the system’s information by removing unneeded groups from access control lists. Files stored in system folders should be given only limited access for other users. An exposed folder is more likely to be targeted and attacked by malware, causing damage to the company such as data loss or data encryption.
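As an added illustration of the first two mitigations above (monitoring file system activity and planting honeypot files), and not code from the original report: a small Python detector that applies both rules to constructed audit-log lines. The log format, the decoy file path and the process ids are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed file-system audit events (not output of any real tool): pid 4120
# replaces three documents with ".locked" copies and touches the decoy file;
# pid 2231 is an ordinary editor saving one file.
SAMPLE_LOG = """\
10:00:01 pid=4120 action=create path=C:/Users/alice/Documents/report.docx.locked
10:00:01 pid=4120 action=delete path=C:/Users/alice/Documents/report.docx
10:00:02 pid=4120 action=create path=C:/Users/alice/Documents/budget.xlsx.locked
10:00:02 pid=4120 action=delete path=C:/Users/alice/Documents/budget.xlsx
10:00:02 pid=4120 action=modify path=C:/Users/alice/Documents/~canary_do_not_open.txt
10:00:03 pid=4120 action=create path=C:/Users/alice/Documents/notes.txt.locked
10:00:03 pid=4120 action=delete path=C:/Users/alice/Documents/notes.txt
10:00:05 pid=2231 action=modify path=C:/Users/alice/Documents/todo.txt
"""

# Hypothetical decoy (honeypot) files planted by the defender; no legitimate program touches them.
CANARY_FILES = {"C:/Users/alice/Documents/~canary_do_not_open.txt"}
LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) action=(?P<action>\w+) path=(?P<path>.+)$")

def parse_events(text):
    """Parse log lines into dicts with ts/pid/action/path; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def detect_ransomware(events, canaries=CANARY_FILES, burst_threshold=3):
    """Return {pid: [reasons]}. Rule 1: the pid touched a canary file.
    Rule 2: the pid deleted >= burst_threshold originals after creating a copy
    named <original>.<new extension>, the rewrite pattern of crypto-ransomware."""
    created = defaultdict(set)   # pid -> paths it created
    rewrites = defaultdict(int)  # pid -> originals replaced by a renamed copy
    alerts = defaultdict(list)
    for ev in events:
        pid, action, path = ev["pid"], ev["action"], ev["path"]
        if path in canaries:
            alerts[pid].append(f"canary touched: {path}")
        if action == "create":
            created[pid].add(path)
        elif action == "delete" and any(c.startswith(path + ".") for c in created[pid]):
            rewrites[pid] += 1
    for pid, n in rewrites.items():
        if n >= burst_threshold:
            alerts[pid].append(f"{n} files replaced with a new extension")
    return dict(alerts)

if __name__ == "__main__":
    print(detect_ransomware(parse_events(SAMPLE_LOG)))
```

On the constructed log only pid 4120 is reported, once for touching the decoy and once for the burst of rewritten files; the editor process is not flagged.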