{"id":15038,"date":"2014-12-09T18:54:58","date_gmt":"2014-12-09T18:54:58","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=3400"},"modified":"2020-02-26T10:58:16","modified_gmt":"2020-02-26T15:58:16","slug":"ten-facts-about-ransomware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/ten-facts-about-ransomware\/15038\/","title":{"rendered":"Ten facts about ransomware"},"content":{"rendered":"<p><strong>1. Devised back in the 1980s<\/strong><\/p>\n<p>The earliest known ransomware was devised by Joseph Popp. Popp wrote the \u201cAIDS\u201d Trojan (aka PC Cyborg) in 1989. It claimed the user\u2019s license for a software program had expired, encrypted file names on the hard drive, and then required the user to pay US$189 to the \u201cPC Cyborg Corporation\u201d in order to unlock the system. It encrypted the file names using symmetric cryptography. Once experts had a chance to analyze the malware code and encrypted tables, it became simple to reverse the process (these days encrypting ransomware uses asymmetric cryptography) and track down the author.<\/p>\n<p><strong>2. It encrypts data or blocks entire systems; asks for ransom in both cases<\/strong><\/p>\n<p>Essentially, there are two types of ransomware \u2013 blockers and encryptors.<\/p>\n<p>Encryptors are Trojans that encrypt, without the user\u2019s knowledge, every kind of data that may be of value to them. This can include personal photos, archives, documents, databases, etc. Blockers are Trojans, too. 
Some of the more prominent blockers are based on other Trojans, such as <a href=\"https:\/\/threatpost.com\/fbi-warns-users-new-reveton-scareware-scam-053012\/76623\" target=\"_blank\" rel=\"noopener nofollow\">Reveton<\/a>, based on the <a href=\"https:\/\/securelist.com\/blog\/incidents\/29647\/zeus-lives\/\" target=\"_blank\" rel=\"noopener\">ZeuS<\/a> banking malware. This kind of malware simply blocks the infected system and demands payment.<\/p>\n<p><strong>3. Exists for multiple platforms<\/strong><\/p>\n<p>Ransomware became extremely popular in the second half of the 2000s. Initially, most of the victims were Windows-based PC users. In time, ransomware for other platforms emerged, including iOS, Mac OS X, and Android.<\/p>\n<p><strong>4. Paying may be in vain<\/strong><\/p>\n<p>As with real-world extortionists, there is absolutely no guarantee that they will adhere to their part of the \u201cdeal\u201d. Even if a victim chooses to pay, it doesn\u2019t mean they will get access to their files. The best course of action here is to do everything possible to prevent infection.<\/p>\n<p><strong>5. Distributed like other kinds of malware<\/strong><\/p>\n<p>There are many ways ransomware is distributed, but most often it is delivered via spam or spreads as a computer worm, enticing users to download or launch the malicious payload using generic social engineering techniques.<\/p>\n<p>The original <a href=\"https:\/\/securelist.com\/blog\/research\/57311\/cryptolocker-wants-your-money\/\" target=\"_blank\" rel=\"noopener\">Cryptolocker<\/a>, for instance, had been distributed via the Gameover ZeuS botnet, and was destroyed by law enforcement agencies during the famous <a href=\"https:\/\/business.kaspersky.com\/hunting-the-hydra-why-gameover-zeus-botnet-is-here-to-stay\/2265\" target=\"_blank\" rel=\"noopener nofollow\">Operation Tovar<\/a> targeting that botnet\u2019s infrastructure. 
Unsurprisingly, cybercriminals join forces for mutual benefit. During the operation, a database of private keys used by Cryptolocker was recovered, after which an online service was established to help victims recover their encrypted files using those keys. For free, of course.<\/p>\n<p style=\"text-align: center\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/12\/06020219\/Metropolitan_Police_ransomware_scam-1.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-3402\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/12\/06020219\/Metropolitan_Police_ransomware_scam-1.jpg\" alt=\"Metropolitan_Police_ransomware_scam\" width=\"800\" height=\"513\"><\/a><\/p>\n<p><strong>6. Displays fake messages purporting to be from law enforcement organizations<\/strong><\/p>\n<p>Ransomware commonly attempts to spook users by displaying fake messages purportedly from law enforcement agencies and accusing them of various violations. There is a case described on Wikipedia where a person turned himself in to police after receiving a fake FBI message accusing him of possessing child pornography, which he had. He was arrested and held without bond. In this instance, one evil unearthed another.<\/p>\n<p><strong>7. Sophistication grows<\/strong><\/p>\n<p>Encryptors have increasingly used sophisticated RSA encryption schemes, with ever-increasing key sizes. 
By mid-2006, the dreaded <a href=\"https:\/\/securelist.com\/blog\/research\/29633\/gpcode-like-ransomware-is-back\/\" target=\"_blank\" rel=\"noopener\">Gpcode<\/a>.AG used a 660-bit RSA public key. Two years later, a new variant already used a 1024-bit key, which was next to impossible to break without a concerted distributed effort. Cryptolocker used a 2048-bit RSA key pair.<\/p>\n<p><strong>8. Procures uncertain millions<\/strong><\/p>\n<p>Ransomware \u201cprocures\u201d millions for its operators, although exact data is scant at best. Estimates of both the amounts paid and the number of victims who chose to pay vary widely.<\/p>\n<p><a href=\"http:\/\/www.zdnet.com\/article\/cryptolockers-crimewave-a-trail-of-millions-in-laundered-bitcoin\/\" target=\"_blank\" rel=\"noopener nofollow\">ZDNet monitored four Bitcoin addresses associated with CryptoLocker owners<\/a>, and found the movement of almost 42 thousand BTC (equivalent to about US$27 million) over three months in late 2013. Surveys of CryptoLocker victims showed various results \u2013 0.4% to 41% reported paying a ransom. After the Gameover ZeuS takedown, it was reported that roughly 1.3% of its victims chose to pay. That\u2019s not very much, but still good enough for the criminals to keep trying. New and \u201cbetter\u201d ransomware comes in droves, and some \u2013 <a href=\"https:\/\/securelist.com\/analysis\/publications\/64608\/a-new-generation-of-ransomware\/\" target=\"_blank\" rel=\"noopener\">like the Onion Trojan<\/a> \u2013 is quite unique, original, and extremely dangerous.<\/p>\n<p><strong>9. Charges big<\/strong><\/p>\n<p>The extortionists demand a payment of 300+ USD or EUR via an anonymous prepaid cash voucher (MoneyPak, Ukash) or an equivalent amount in Bitcoin within a limited time frame. If the payment doesn\u2019t arrive in time, the public key gets deleted and encrypted file recovery becomes impossible. Companies receive much larger demands.<\/p>\n<p><strong>10. 
Back data up to beat it<\/strong><\/p>\n<p>Preventing ransomware from attacking systems requires basically the same approach as with any other malware \u2013 keep vulnerable software up to date, block or limit any kind of unauthorized access to the data, etc. But there\u2019s a twist: an offline backup is an insurance policy against this threat, provided that the encrypting malware hadn\u2019t already slipped in before the backup was taken. Even if it had, there is a window of opportunity to get rid of it after the data is retrieved from the backup.<\/p>\n<p>Encrypting files takes time and needs processing power. Offline backup storage has no processing power of its own, so encryption cannot occur there, which leaves the possibility of recovering the data or of identifying the malicious files and processes and removing them.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ransomware is a common and much-feared problem. Here are ten facts to help in dealing with it.<\/p>\n","protected":false},"author":209,"featured_media":15828,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[648,2249,420,131,698],"class_list":{"0":"post-15038","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-cryptolocker","10":"tag-facts-about-ransomware","11":"tag-ransomware","12":"tag-tips","13":"tag-zeus"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/ten-facts-about-ransomware\/15038\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/ten-facts-about-ransomware\/8070\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/ten-facts-about-ransomware\/15038\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/ten-facts-about-ransomware\/15038\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/
tag\/tips\/","name":"tips"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15038","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=15038"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15038\/revisions"}],"predecessor-version":[{"id":33408,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15038\/revisions\/33408"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15828"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=15038"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=15038"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=15038"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}