Ransomware: malware that locks your device or your files and then demands a ransom

Ransomware is a type of malware (malicious software) that prevents or limits users from using their device, system or data. Some variants encrypt files so that you can no longer open important documents, while others use lock mechanisms that stop you from using the device at all.


Trend Micro, the security firm, further explains that the malware forces victims to pay to regain the right to use their system, hence the name: a ransom has to be paid. The amount is sometimes only a few dollars, sometimes several tens or even hundreds of dollars (in one case the demand was $600). Some hackers take payment in bitcoin so that they stay anonymous and avoid being caught. It should be emphasized, however, that even if you have already paid, there is no guarantee that the hackers will restore your access, and they may do something worse.


How does ransomware infect our computers, and what does it do once it is there?

Ransomware can reach a user's computer in many different ways. The common route is to trick users into visiting a fake website, or a legitimate website into which malicious code has been inserted. Some ransomware is "dropped" onto our machines by other malware, or arrives attached to emails.

Besides using email and websites to spread, ransomware also exploits operating system or software vulnerabilities to get in and run. Only in the middle of this year McAfee said it had discovered a ransomware family that exploited Adobe Flash bugs to invade computers.

Once running, ransomware usually does one of two things:

  1. Lock your device screen
  2. Encrypt some of your files and demand payment for the password (key) needed to open them

In the first scenario, the ransomware displays a picture or warning that occupies your entire screen, and you have no way to continue using the device, whether it is a PC, smartphone or tablet. The image or notice also instructs the victim on how to pay the ransom to the hackers. In the second scenario, the ransomware uses file encryption: it searches the computer for documents, spreadsheets and other important files and locks them.

According to Trend Micro and Norton, ransomware is also called "scareware" because it forces users to pay by threatening them. Hackers say things like: "If you don't pay me, your data will be gone in 7 days", or "Pay now or never use that phone again". Imagine that you have documents worth hundreds of millions of VND, or project files worth billions of VND; would you not be afraid when those files are locked? Or suppose you have only a single computer, full of precious photos and files, and now the device is locked like that; of course you would be worried.

It should be noted that ransomware does not only run on computers; it can also reach phones and mobile devices. In 2014 there was ransomware that displayed a fake message claiming to be from the FBI, telling users to pay if they wanted to keep using the device and avoid arrest.

The ransomware screen on Android, pretending to be the FBI

The history of ransomware

The first recorded cases of ransomware appeared in Russia in 2005-2006. At that time, a ransomware designated TROJ_CRYZIP.A compressed the user's important files into a zip archive and deleted the original files. A password was required to open this zip file. TROJ_CRYZIP.A also created a text file serving as an "extortion letter", which said that users who wanted the password to open the zip file had to pay $300.

At first, ransomware usually found and locked document files, such as .doc and .xls, or the library and executable files of software, such as .dll or .exe. By 2011, we started hearing about SMS ransomware. The ransomware designated TROJ_RANSOM.QOWA constantly displayed a notice demanding money, which annoyed users until they ended up paying the "ransom" by sending special premium-rate SMS messages.

More dangerous still, some ransomware also infiltrates the Master Boot Record (MBR) of a computer. In this way the ransomware prevents the operating system from booting, in other words paralyzing the system. To do that, the ransomware copies the original MBR and then overwrites it, many times over, with its own malicious code. When the system is forced to reboot, the malware begins its work: the operating system does not start, and instead a ransom demand in Russian appears.

Beyond Russia's borders

Initially ransomware raged only in Russia, but because this way of making money is fast, profitable and easy, many hackers began applying it in European countries. As of March 2012, Trend Micro said it had recorded the spread of ransomware in Europe as well as in the US and Canada. By this point the ransomware no longer displayed a simple money demand; instead it impersonated the local police agency, claiming that the user had done something illegal and demanding payment if he did not want to be arrested or investigated (in fact there is no investigation; the hackers are only profiteering).

In 2012, the ransomware TROJ_RANSOM.BOV was "embedded" in a French sales website, thereby infecting user computers in France and Japan (where the company has a large number of users). The malware also displayed a fake message from the French police to threaten people.

Also in 2012, some ransomware did not display a "money order" but played a voice recording in the local language. Others displayed fake security-certificate logos to win users' trust. Still others interfered with important system files and prevented the machine from functioning properly.

The rise of ransomware posing as the police

In a post on its blog, Symantec said that ransomware had become so smart that it could identify the country you were in (via your IP address) and display its message in the local language, together with the local police logo. Malware like this is also known by the name Reveton. More alarmingly, ransomware is spreading faster and faster: Norton detected some variants up to 500,000 times in just 18 days.

Another example of fake FBI ransomware, this time on a computer

Symantec's experts also gave a concrete example from a case they studied for one month. Of those infected, 2.9% paid, and although this number looks small, for cyber criminals it is big money because:

  1. In the one month of the study, 68,000 computers were infected, or about 5,700 computers a day
  2. The ransomware demanded about $60 to $200 to unlock a computer
  3. Every day, about 2.9% of users, equivalent to 168 people, paid the hackers, so they could earn $33,600 per day, or $394,000 per month. Now, do you still think that number is small?

But this is just one case; some Reveton variants ask for less money and others collect it in other ways, so the total cannot simply be multiplied up like that. Symantec estimates that about $5 million is "withdrawn" from ransomware victims every year.

Some Reveton variants do not demand a direct bank transfer; instead they force victims to pay through the UKash, PaySafeCard or MoneyPak systems. These are payment systems that guarantee anonymity and leave no financial trail, so the hackers can receive and withdraw the money smoothly without being investigated or arrested.


Video: how the TorrentLocker ransomware works

The evolution of CryptoLocker

Around the end of 2013, a new type of ransomware was recorded. These variants encrypt files instead of locking the computer as before, so they are called "CryptoLocker" (the root "crypto" means hidden or secret, and in the computer world it refers to encryption). In this way, hackers ensure that users still have to pay even if they use security tools to remove the malware.

In its ransom demands, CryptoLocker often claims to use "RSA-2048" encryption, but according to research by security companies such as Symantec, Trend Micro and McAfee, the malware combines AES encryption with RSA.

RSA is an encryption method that uses asymmetric keys, i.e. it uses two keys (a key here is simply a long string of characters, and the transformation applied to the file depends on those characters). One key is used to encrypt the data; the other is used when the file needs to be decrypted. One of the two keys is made widely available to outsiders and is called the public key; the other is kept only by its owner and is called the private key. AES, by contrast, uses a symmetric key, meaning that encryption and decryption use the same key.

An encryption/decryption key looks like this

Back to CryptoLocker: it uses AES to encrypt the files on your computer. In theory there is a key that decrypts each file, and that key is embedded in the affected file itself. The problem is that this key is itself encrypted with an RSA public key, so the matching RSA private key is needed to recover it. And of course, that private key is only in the hackers' hands. To be given this private key, you must pay the hacker.
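To make the two-key/one-key distinction and the key-wrapping step above concrete, here is an added Python model of the envelope-encryption pattern the article describes (the same pattern TLS, PGP and disk encryption use to combine a symmetric cipher with RSA). It is not CryptoLocker's code: it uses a toy 150-bit RSA modulus built from two known Mersenne primes and a SHA-256 counter-mode keystream standing in for AES, and its point is the recovery path: hybrid_decrypt succeeds only with the private exponent D, which is exactly why removing the malware does not restore the files and why offline backups matter.

```python
import hashlib
import os
from typing import Tuple

# Toy RSA modulus from two known Mersenne primes (2^61-1 and 2^89-1), about 150 bits.
# Real CryptoLocker notes claim RSA-2048; the tiny size only keeps this demo in stdlib Python.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                         # public key: anyone, including the malware, may hold it
D = pow(E, -1, (P - 1) * (Q - 1))           # private key: exists only on the attacker's side
KEY_LEN = 16                                # 128-bit per-file symmetric key

def rsa_apply(m: int, exponent: int, n: int = N) -> int:
    """Textbook RSA (no padding; acceptable for a demo, never for real use)."""
    return pow(m, exponent, n)

def wrap_key(file_key: bytes) -> int:
    """Encrypt the symmetric key under the RSA public exponent E."""
    return rsa_apply(int.from_bytes(file_key, "big"), E)

def unwrap_key(wrapped: int, exponent: int) -> bytes:
    """Try to recover the symmetric key with some RSA exponent; only D yields the true key."""
    size = (N.bit_length() + 7) // 8
    return rsa_apply(wrapped, exponent).to_bytes(size, "big")[-KEY_LEN:]

def symmetric_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES: SHA-256 in counter mode as a keystream. The same key encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)

def hybrid_encrypt(plaintext: bytes) -> Tuple[bytes, int]:
    """Envelope encryption as the article describes it: a fresh symmetric key per file,
    the body encrypted with it, and that key stored beside the body wrapped with the
    public key. This step never touches D, so nothing on the victim machine can undo it."""
    file_key = os.urandom(KEY_LEN)
    return symmetric_xor(file_key, plaintext), wrap_key(file_key)

def hybrid_decrypt(ciphertext: bytes, wrapped: int, exponent: int) -> bytes:
    """Recovery: unwrap the file key with `exponent`, then decrypt the body.
    With exponent == D this returns the plaintext; with anything else (for example
    the public exponent E, the only value a victim has) it returns garbage."""
    return symmetric_xor(unwrap_key(wrapped, exponent), ciphertext)
```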

Further research shows that, to distribute CryptoLocker, hackers used a spam mail campaign. These spam emails carry an attachment belonging to TROJ_UPATRE, a compact malware family with a simple download function. After running on the user's computer, TROJ_UPATRE downloads another piece of malware called ZBOT, and ZBOT in turn downloads CryptoLocker.


Around the end of 2013, a new variant of CryptoLocker appeared. Named WORM_CRILOCK.A, this variant can spread through removable USB or HDD drives, which increases its rate of spread compared to other variants. It also does not depend on a downloader malware; instead it masquerades as software hidden inside peer-to-peer (torrent) downloads.

Another equally dangerous variant is CryptoDefense (also known as Cryptorbit). It encrypts many kinds of data: browsing history, databases, images, movies, Office files and more. It is smart enough to find backup files and delete them, so that users can do nothing but pay to be given a decryption key.

Virtual currency

Recently, ransomware has evolved to demand ransom in virtual currency (e.g. Bitcoin, MultiBit, Electrum). This malware is called BitCrypt. The first variant adds the ".bitcrypt" extension to the encrypted files and uses only an English extortion note. The second variant adds the ".bitcrypt 2" extension to the files and can display its ransom notice in 10 different languages. These variants also use the AES and RSA methods to encrypt files.
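The two traces the article describes, files renamed with a ransomware extension and documents whose contents have been replaced by ciphertext, are what a defender can look for on disk. Here is an added Python scanner (not a vendor tool) that checks a file's name against the BitCrypt extensions above and, for common document types, checks whether the file still starts with its format signature or has turned into near-random bytes; the sample file list and the 50% mass-damage threshold are constructed for the example.

```python
import math
from collections import Counter

# Extensions the article names for the two BitCrypt variants.
RANSOM_EXTENSIONS = (".bitcrypt", ".bitcrypt 2")

# Magic bytes of common document formats. A document that no longer starts with its
# signature and whose content looks random has very likely been encrypted in place.
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
         ".pdf": b"%PDF", ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: natural-language text is roughly 4-5, encrypted data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(name: str, head: bytes) -> str:
    """Verdict for one file from its name and its leading bytes."""
    lower = name.lower()
    if lower.endswith(RANSOM_EXTENSIONS):
        return "renamed-by-ransomware"
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    magic = MAGIC.get(ext)
    if magic and not head.startswith(magic) and shannon_entropy(head) > 7.5:
        return "encrypted-in-place"
    return "ok"

def scan(entries):
    """entries: iterable of (filename, leading bytes). Returns the verdict counts and
    True when at least half of the files are damaged, the mass-encryption signal an
    endpoint monitor would alert on (the threshold is an assumption of this example)."""
    verdicts = Counter(classify(name, head) for name, head in entries)
    total = sum(verdicts.values())
    damaged = total - verdicts["ok"]
    return dict(verdicts), total > 0 and damaged / total >= 0.5

# Constructed sample: three intact files, one renamed by BitCrypt, one encrypted in place.
RANDOM_LOOKING = bytes(range(256)) * 2          # entropy of exactly 8.0 bits per byte
SAMPLE_FILES = [
    ("report.docx", b"PK\x03\x04" + b"\x00" * 28),
    ("invoice.pdf", b"%PDF-1.4\n%constructed sample\n"),
    ("notes.txt", b"Meeting notes: backups tested on Friday.\n"),
    ("holiday.jpg.bitcrypt", RANDOM_LOOKING),
    ("budget.xlsx", RANDOM_LOOKING),
]

if __name__ == "__main__":
    print(scan(SAMPLE_FILES))
```

Reading only the leading bytes keeps the scan cheap enough to run over a whole home directory; in practice the extension list would be extended with the names later families use.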

There are also types of ransomware that encrypt the important files of virtual-currency software. These files contain transaction lists, user preferences or account information. To continue using them, users have to pay the hackers.

The future of ransomware

In 2014 a type of malware called Critroni, also known as Curve-Tor-Bitcoin (CTB) Locker, appeared. It uses the Tor network to hide its communication with victims, and like others it demands bitcoin as ransom. By 2015, CTB Locker also offered to decrypt a few files for free, but victims still had to pay to recover the large remainder of their files.

Security firms all predict that in the coming period hackers will improve ransomware to operate more efficiently, encrypt more files, and spread in more dangerous and insidious ways. New ransomware will also get better at hiding from antivirus programs and from the operating system's security features.

In just a few years, ransomware has crossed Russia's borders to reach the rest of the world. With a lucrative "business" model built on anonymous payments, ransomware will be used more and more to extort our money. Therefore, everyone should know how to protect themselves against such hazards to avoid losing money.

Tips to avoid getting ransomware

These tips are compiled from McAfee, Trend Micro and Symantec:

  1. Back up your data regularly to a removable drive; if your files are encrypted, you can restore them from the backup and pay the hackers nothing.
  2. Apply security patches to your software and operating system as soon as they are released, because some ransomware exploits security vulnerabilities to invade the system.
  3. Bookmark the web pages you use frequently and only access them through those bookmarks.
  4. With unfamiliar links, read the domain name carefully to check whether it really matches the official page or whether characters have been added; if so, delete the message immediately and do not click the link.
  5. Only download email attachments from people you trust.
  6. For emails sent in bulk to many people, do not open the attachments, because the message may be an impersonation.
  7. Use antivirus software and scan your computer regularly (of course, this tip is the standard one, since security companies want to sell antivirus software).
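Tip 4 is easy to state and easy to get wrong by eye, so here is an added Python check (not from the vendors cited above) that applies it mechanically to a link. It assumes a constructed allowlist of two official domains and catches the usual tricks: the official name placed before an '@' so that a different host is actually visited, the official name used as a subdomain of an attacker's domain, punycode hosts, and one- or two-character lookalikes.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for the "official pages" the article says to bookmark.
OFFICIAL_DOMAINS = ("example-bank.com", "example-mail.com")

def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: ignores multi-part suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits away from an official name is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url: str) -> str:
    """Apply tip 4 to one link: is the domain really the official one, does it merely
    contain the official name, or does it differ by a few added or swapped characters?"""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "invalid: no hostname in link"
    if "@" in parts.netloc:
        # Everything before '@' is userinfo, not the site; the browser connects to `host`.
        return f"suspicious: text before '@' is a decoy, the real host is {host}"
    if any(label.startswith("xn--") for label in host.split(".")):
        return f"suspicious: internationalized (punycode) host {host} may imitate Latin letters"
    domain = registrable_domain(host)
    if domain in OFFICIAL_DOMAINS:
        return f"ok: {domain}"
    for official in OFFICIAL_DOMAINS:
        brand = official.split(".")[0]
        if brand in host:
            return f"suspicious: '{brand}' appears inside '{host}', but the real domain is {domain}"
        if edit_distance(domain, official) <= 2:
            return f"suspicious: '{domain}' is a lookalike of '{official}'"
    return f"unknown: {domain} is not an official domain; open the site from a bookmark instead"
```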