A hacker’s guide to Ransomware: How to successfully lose your data

To be clear, a ransomware developer’s goal is not to destroy your data. The main driver is money, and they care about lining their own wallets (usually bitcoin wallets but this does not make a big difference to you,) which means that destroying your data isn’t really the goal they are trying to achieve.

They usually try to make it impossible for you to use your own data, and at the same time they leave a chance to recover from the issue after you pay the ransom. The obvious question here is “why do I have to pay a bad guy instead of hiring a friendly computer expert to do the same job?”

The history of ransomware clearly shows that this approach made a lot of sense in the past. Unfortunately, all those bad guys quickly realized that their victims prefer to recover (even sometimes paying more for it) using any possible way which was not related to supporting cyber crime.

But as long as there is someone to pay, there will be someone to encrypt your data and politely ask for money. The amount of money people are prepared to pay is often breathtaking! According to a public service announcement from the FBI’s Internet Crime Complaint Center (IC3), in the past 12 months the estimated amount of ransom paid for the Cryptowall virus was circulating around $18 million between April 2014 and June 2015.

Nowadays, modern ransomware is not trying to be ‘clean-proof’. Any proficient computer user will quickly mitigate the malware using some webpages or online videos as a guide.

So why is ransomware so dangerous if the malware removal process is so straightforward?

The answer is very simple: it actually encrypts your data instead of destroying it. The encryption process itself has changed over the years to reach its final form of advanced well known and secure asymmetric encryption algorithms. Asymmetric means there is always a pair of keys: one for encrypting only, and the other for decrypting.

Nowadays, ransomware developers really care about the decrypting key. They will never send it to the infected computer during the attack and the only way you can get the key is to pay for it. Even if in the past, we could have somewhat badly (in technical terms) designed malware. Now, if your data is encrypted, the one and only way to decrypt it is to pay for the decryption key. This is not a thing you would actually like to do, right? So please, forget about any decryption based approach – it is virtually impossible without paying. You have to protect your data differently.

Let’s start from the very beginning. A Ransomware attack doesn’t happen by magic. In fact, there are two ways it can happen:

1. Your computer (OS and applications installed) is not up to date.

There are (and always will be) bugs in the software, some of those bugs can be used to take control over your computer and of course to infect it with ransomware as well. If any of those bugs can be used to infect your computer – at some point, someone will try to use it for malicious purposes.

If you do not patch your computer on a regular basis sooner or later it will be infected and that’s what you can be sure about! So if you want to avoid being a victim in this type of attack, a remedy is simple: patch your Operating System and applications. Do not ignore those update messages and annoying restarts. The general rule is simple: get newer versions of applications, update your system, update drivers etc.

2. You have launched a ransomware code (executable / script / macro) on your own.

Bad guys are extremely creative in trying to convince you to run their applications. They will post them on webpages as a video to download, send it to you as a fake invoice via email, drop it on a USB stick and leave it next to your company doors etc. So what can you do about this?

Actually, nothing! But you must be aware that this situation can and does happen. But your role here is quite simple: trust no one and know the context of what you do. Do not go to suspicious web pages, do not download cracks or key generators, do not trust emails even if you can clearly see that a business you recognize has sent you an unexpected invoice. If it doesn’t feel good, it probably isn’t good.

Neither of the above options sound that complicated, but you should be aware that even the smartest IT Security brains in the industry still think about the universal and cost effective solution.

The reality here is as follows: attacks happen and they will happen as long as there are humans on this planet. However they should not happen if you protect your computer properly and as I have mentioned above, trying to decrypt it on your own is usually a complete waste of time.

The deeper you go through dark corners of the Internet looking for the solution, the higher the risk of infecting your computer with another piece of malware. So what do you do?

The answer is extremely easy: perform backups and in case of an emergency restore the data from the backup. The problem is that people have no backup (apparently they have never played football!). Or at least the backup is not up to date or it is not stored on same computer.

If you take one thing away, choose this one: revise your backup strategy and choose one that corresponds to how much your data is worth, perform backups on a regular basis and store them on separate (not connected all the time!) media, well protected from being stolen, dropped, eaten by your dog, left with your laptop bag, out of reach of small children etc. You should definitely have a look at the cloud-based backup and review its terms. Then your data is immediately (and without engaging you) sent to some remote server room and stored safely, just in case you going to need it one day.

Still knowledge-hungry? On the enterprise level, from the technical perspective it is extremely important to prevent unknown code execution, so that whoever is tempted to pay this badly formatted invoice will be prevented to execute whatever is brought with it as a sweet encryption surprise. Of course security awareness should not be neglected, but all these things go together and when wrapped into one reasonable security focused prevention strategy the idyll can become a fact.

Stay CQURE!

Paula Januszkiewicz

Sources: http://www.ic3.gov/media/2015/150623.aspx