The Ransomware Threat in Australia
Updated: Jan 10, 2019
ISACA defines ransomware as: “Malware that restricts access to the compromised systems until a ransom demand is satisfied.”
Ransomware is vicious malware that locks users out of their devices or blocks access to files until a sum of money or ransom is paid.
There are different variants of ransomware, with some strains designed to attack Windows PCs while other families infect Macs and even mobile devices.
Ransomware is highly effective because the encryption or locking of the files is practically impossible to undo without the decryption key, which the attacker withholds until the ransom is paid. There are two basic types of ransomware in circulation: crypto and locker.
Locker ransomware is designed to deny access to computing resources. This typically takes the form of locking the computer’s or device’s user interface and then asking the user to pay a fee in order to restore access to it.
Locked computers will often be left with limited capabilities, such as only allowing the user to interact with the ransomware and pay the ransom.
This means access to the mouse might be disabled and the keyboard functionality might be limited to numeric keys, allowing the victim to only type numbers to indicate the payment code.
Crypto ransomware primarily identifies and encrypts valuable data stored on targeted computer systems, rendering the data useless unless the user obtains the decryption key. Generally, crypto ransomware targets files produced by Microsoft Office, CAD and other productivity tools. Image files may also be encrypted.
Developers and sellers on the Dark Web advertise fully customisable ransomware files for amounts as low as 50 dollars (BTC equivalent); some are even offered for free. Generally, low-priced malware comes with a commission-based model in which the developer receives ten percent of each successful ransomware attack. This model is now commonly referred to as Ransomware as a Service (RaaS).
How Does Ransomware Work?
Email based spam is the most common method for distributing ransomware. It is generally spread using some form of social engineering whereby victims are tricked into downloading an e-mail attachment or clicking a link. Fake email messages might appear to be a note from a friend or colleague asking a user to check out an attached file, for example.
A favoured method of getting victims to click on links involves fraudulent emails that purport to come from a trusted institution or brand (such as Australia Post or electricity and telecommunication companies) and ask would-be victims to perform a routine task.
Once the user takes action, the malware installs itself on the system and begins encrypting files. It can happen in the blink of an eye with a single click – the faster the device, the quicker the attack.
Another common method for spreading ransomware is a software package known as an exploit kit. These packages are designed to identify vulnerabilities and exploit them to install ransomware. In this type of attack, hackers install code on a legitimate website that redirects computer users to a malicious site.
Unlike the spam method, sometimes this approach requires no additional actions from the victim. This is referred to as a “drive-by download” attack. The most common exploit kit in use today is known as Angler.
Each ransomware variant can be engineered to operate differently. However, common traits include fairly complex obfuscation and covert install and launch processes meant to avoid early anti-virus or malware detection. The malware wants to stay hidden and so uses techniques to thwart detection and analysis, including obscure filenames, modified file attributes, or operating under the pretence of legitimate programs and services. As a result, most ransomware is very hard to detect.
Most ransomware also has additional layers of defence that leave the data unreadable, making reverse engineering extremely difficult.
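Because crypto ransomware rewrites many Office, CAD and image files in quick succession, its behaviour stands out even when its binary is obfuscated. The following is an added example, not code from the original article: a small behavioural detector run over a constructed file-event log. The event format, the process names (including the constructed look-alike "svch0st.exe") and the thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# File types the article names as typical crypto-ransomware targets
# (Office, CAD and image files).
TARGET_EXTS = {".docx", ".xlsx", ".pptx", ".dwg", ".jpg", ".png"}

# Constructed sample log: "<ISO timestamp> <process> <action> <path>".
# A legitimate editor touches two files over five minutes, while a
# look-alike process renames six image files within a few seconds.
SAMPLE_EVENTS = [
    "2019-01-10T09:00:01 WINWORD.EXE write C:\\Users\\alice\\report.docx",
    "2019-01-10T09:05:00 EXCEL.EXE write C:\\Users\\alice\\budget.xlsx",
    "2019-01-10T09:06:00 explorer.exe write C:\\Users\\alice\\notes.txt",
] + [
    f"2019-01-10T09:10:{i:02d} svch0st.exe rename C:\\Users\\alice\\photo{i}.jpg.locked"
    for i in range(6)
]


def parse_events(lines):
    """Parse log lines into (timestamp, process, action, path) tuples."""
    events = []
    for line in lines:
        ts, proc, action, path = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), proc, action, path))
    return events


def is_target(path):
    """True if the path is a targeted file type, even after a ransom
    extension such as '.locked' has been appended to the original name."""
    lower = path.lower()
    return any(lower.endswith(ext) or (ext + ".") in lower for ext in TARGET_EXTS)


def find_suspects(events, window_s=60, threshold=5):
    """Return {process: count} for processes that modified or renamed at
    least `threshold` distinct targeted files inside a `window_s` window."""
    per_proc = defaultdict(list)
    for ts, proc, action, path in events:
        if action in ("write", "rename") and is_target(path):
            per_proc[proc].append((ts, path))
    suspects = {}
    for proc, hits in per_proc.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):  # sliding window over sorted hits
            while hits[end][0] - hits[start][0] > timedelta(seconds=window_s):
                start += 1
            distinct = {p for _, p in hits[start:end + 1]}
            if len(distinct) >= threshold:
                suspects[proc] = max(suspects.get(proc, 0), len(distinct))
    return suspects
```

On the constructed log only svch0st.exe is flagged; in a real deployment the events would come from file-system auditing and the thresholds would be tuned per host.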
If affected, should you pay the ransom?
Law enforcement agencies recommend that ransoms are not paid as this encourages further attacks against not only the victim but also other users. There is also no guarantee that decryption keys will be provided upon payment.
In some cases, the ransom is increased or more sinister means of extortion are introduced, including physical threats against family members.
Ransomware payment is generally conducted using Bitcoin, as this digital currency is reliable, anonymous and appears quickly in criminals' accounts.
Internet users need to be aware of the risks and how to identify phishing emails and other forms of distribution.
The ransomware threat is showing no signs of abating.
There are security software tools available on the open market; however, these are only effective against known ransomware strains.
Staff training, vigilance, backing up of data, and effective response and recovery plans are critical.