The intent here is not to repeat what many already know about ransomware, but to join the dots: what it is, who the victims are, why it exists, and when and how we respond to an infection. Lastly, it sums everything up at a glance so that you can share the information and help family and loved ones avoid becoming the next victim.
"Ransomware" is made up of two words, "ransom" and "ware": it blackmails someone (demanding a ransom) using malicious software (the "ware"). In short, a victim who does not pay the ransom can no longer use his or her infected notebook or files. You can also catch the detailed FAQ on ransomware.
Cybercrime is rampant, and anyone using the web can be the next prey. Cyber criminals have been quite successful in their attempts, exploiting the many vulnerabilities in poorly patched user systems and manipulating user ignorance and guilt. Below is a "classic" ransom email. This first email does not (yet) carry any ransomware; its purpose is to stoke fear so the user succumbs to the threat. The follow-up then opens the gate to all the nasty malware that follows.
Cyber criminals also do their homework to hunt down their next prey and maximize the return on their effort. They work through an underground cyber dark market, a buy-and-sell arena that advertises stolen "loot" (fullz), outsourced crimeware services, DIY crime toolkits and so on. Ransomware is a hot favorite toolkit in this arsenal, bought by cyber criminals as crimeware. Below is a snapshot of the underground offering.
Know your enemy - Mode of Operation
Ransomware targets the user's desktop/notebook and mobile smartphone. Below is a typical ransomware modus operandi: once the prey is identified, all the resources of the target are locked, and any payment feeds the cyber criminal to repeat the whole cycle.
- Target infection: the ransomware is installed via an exploit kit or any other means that bypasses the security software
- Encrypt all your files, targeting specific file extensions both locally and on the network
- Start the extortion campaign, asking for payment of around $100–400 via Bitcoin or pre-paid cash vouchers in return for the decryption key
- Deactivate the victim's defenses, give short notice for payment, and manipulate the victim's fears into a hasty decision (warning against contacting law enforcement)
- Spin off copycats and underground-forum Ransomware-as-a-Service. The hype lifecycle goes on ...
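The second step above, mass encryption of files with specific extensions, is the one defenders can spot earliest on an endpoint: documents are rewritten as near-random bytes and commonly gain an extra extension. The following added example (written for this article, not part of the original text or of any product) applies that heuristic to a constructed list of file-write events; the paths, sample content and thresholds are all assumptions.

```python
import math
import os
from collections import Counter

# Shannon entropy in bits per byte: plain text sits around 4-5, ciphertext near 8.
def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

# Extensions a ransomware strain would typically target (assumed list).
DOCUMENT_EXTS = {"docx", "xlsx", "pptx", "pdf", "txt", "jpg", "png"}

def has_appended_extension(path: str) -> bool:
    """True for names like report.docx.encrypted: the original document
    extension is still present but a new suffix has been tacked on."""
    parts = os.path.basename(path).lower().split(".")
    return len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS

def suspicious_writes(events, entropy_threshold=7.5):
    """Return the paths of writes that are both high-entropy and renamed."""
    return [path for path, content in events
            if has_appended_extension(path)
            and shannon_entropy(content) >= entropy_threshold]

def mass_encryption_alert(events, entropy_threshold=7.5, min_files=3):
    """Alert only when several files in the batch match, to avoid firing
    on a single legitimately encrypted or compressed file."""
    return len(suspicious_writes(events, entropy_threshold)) >= min_files

# Constructed sample content: every byte value equally often gives exactly
# 8.0 bits/byte, standing in for ciphertext; repeated ASCII stands in for a document.
CIPHERTEXT_LIKE = bytes(range(256)) * 4
PLAINTEXT_LIKE = b"Quarterly budget notes: revenue up, costs flat.\n" * 20

# Constructed file-write events as a monitoring agent might record them.
SAMPLE_EVENTS = [
    ("C:/Users/alice/Documents/budget.xlsx.encrypted", CIPHERTEXT_LIKE),
    ("C:/Users/alice/Documents/thesis.docx.encrypted", CIPHERTEXT_LIKE),
    ("C:/Users/alice/Pictures/holiday.jpg.encrypted", CIPHERTEXT_LIKE),
    ("C:/Users/alice/Documents/notes.txt", PLAINTEXT_LIKE),
    # Compressed data is also high-entropy, but keeps its own extension: not flagged.
    ("C:/Users/alice/Downloads/archive.zip", CIPHERTEXT_LIKE),
]

if __name__ == "__main__":
    print(suspicious_writes(SAMPLE_EVENTS), mass_encryption_alert(SAMPLE_EVENTS))
```

A real agent would feed this from filesystem change notifications and pair the alert with isolating the host, since the list of encrypted files also tells you what to restore from backup.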
One of the most notable strains is CryptoLocker. Based on its infection cases reported in web news, it has already impacted over 500,000 users, of whom 1.3% paid the ransom, for an estimated total payout of $3 million. A copycat trend is also evolving in this lucrative underground "business": the dark community reuses ransomware code and even the backend command and control servers. They are doing more with less, staying efficient and effective in their attempts.
Know your enemy - Family Tree
Below is a snapshot I summarised in a mindmap, depicting the top three strains with the greatest success in spreading infection, past and present, as well as the variants targeting the various platforms.
Notice that CryptoLocker, mentioned in the previous section, stands out from the others with its many versions. Here is one write-up on CryptoLocker which I encourage you to read on to learn more of its journey. The various versions can adopt slightly different scam schemes. For example, CryptoLocker v2, also known as "crypt0l0cker", is delivered using the Post Office scam shown below. In another instance it locked a victim's emergency center via a typical phishing email; because of the need to keep a critical service available, the victim had no choice but to pay a $700 Bitcoin ransom immediately to get the system running again.
Note: for those who are really desperate and wish to pay off the ransom to get their data back (because of no backup or for whatever reason), you may want to try this service. But I do advise you to think twice, as such online decryption also leaves a copy of your sensitive information online.
October 28 update: ALL Coinvault and Bitcryptor keys (14k+) added to the database
April 29 update: 13 decryption keys added to the database
April 17 update: 711 decryption keys added to the database
Know your enemy - One glance into its DNA summary
Ransomware is a "Swiss Army knife", a sophisticated piece of cyber criminal weaponry. The figure below depicts its multi-faceted capabilities. As end users we need to stay well prepared; otherwise be ready to lose to their ransom demand everything stored in the locked machines and devices, assets and documents alike.
At this juncture, I hope this quick starter has given you a better knowledge of this malware family. Expect more of its descendants to emerge and take over from their predecessor, CryptoLocker. Start educating your loved ones and those close to you too.
A word of caution: avoid rushing into buying any cyber insurance package. Opportunistic insurance companies come knocking at your door at the very moment you are most vulnerable, right after going through the ransomware saga. Such a package may provide a sense of reassurance that you will not be a victim again, but this is a false sense of security. It plays down the good fundamentals and downplays the urgency of re-examining the existing security measures that safeguard your critical business information assets. Not only must we always stay vigilant in cyberspace; security is everyone's responsibility. Share your good and bad experiences. We learn from others too.
Final take away tip
The EE platform shares good, decent articles, and you can search for "Ransomware" as done below (note this is just a snapshot and not the latest). It lists out nicely all the possibly relevant related article topics. These articles provide the "nuts and bolts" that are handy for safeguarding yourself and staying prepared against these "pests". One instance is Ransomware by author Thomas, who has other good articles too, so do check them out.
A last thought: this infographic also sums up well the scary ransomware DNA. The whole gist is that you need to put your heart into staying safe!
The best way to keep your information safe is by being proactive about your security measures.