Understanding Ransomware

In this issue of the newsletter we will explore ransomware. I will provide an introduction to the topic. By the end of this article you will understand the following:

  1. What is it?
  2. How does it work?
  3. What is Ransomware as a service (RaaS)?
  4. How to defend against ransomware?

What is ransomware?

Malware is the broad term for any malicious software that enables unauthorized access to a user's systems. Ransomware is a subset of malware that demands payment to unlock and decrypt the data, enabling the victim to regain access.

Let us understand it with this scenario. Every computer runs an operating system such as Windows or Linux. An operating system has vulnerabilities, and once a vulnerability is discovered it can be exploited by a malicious user over the internet. The malicious user can enter your computer via the internet and execute code that encrypts all your data, including documents, videos and pictures. Suddenly you cannot access your personal data. To recover the data, the malicious user asks for a ransom, usually in a cryptocurrency such as Bitcoin. If you are unable to pay the ransom, they threaten to upload your data to the dark net or to delete it. The dark net is a part of the internet where criminals operate and illegal activity takes place.

How does it work?

The following steps give an overview of how it works:

  1. Infection phase: In this stage the ransomware gets into the system in one of various ways. Common methods are phishing emails, malicious advertisements on websites and exploitation of existing vulnerabilities in network services.
  2. Encryption phase: Once it finds a way onto your computer, the ransomware program is executed and starts encrypting files. The typical targets are the files that matter most to the user, such as documents, pictures and databases. It uses asymmetric encryption, an encryption method that uses a pair of keys to encrypt and decrypt a file. The public-private key pair is generated by the attacker uniquely for each victim. The private key is only made available to the victim once the ransom is paid, and even then it is not guaranteed.
  3. Ransom demand phase: After the files are encrypted, the ransomware displays a message to the user, commonly in a readme text file, demanding a ransom payment. Payment is usually requested in a hard-to-trace digital currency such as Bitcoin. The message often includes instructions on how to pay the ransom and may include threats of what will happen if it is not paid (e.g., the files will be permanently deleted).
  4. Decryption phase: If the victim pays the ransom, the attacker may provide a decryption key that can be used to decrypt the files. However, there is no guarantee that the attacker will provide a working decryption key even if the ransom is paid. Paying the ransom is not recommended, as it encourages the attackers and there is no guarantee you will get your files back.
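As an added example that is not part of the original article: a small Python heuristic a defender might run over a file share to spot the encryption and ransom-demand phases just described. It measures the Shannon entropy of each file (encrypted data looks random, so its entropy approaches 8 bits per byte) and looks for readme-style ransom notes next to the encrypted files. The note-name hints, the entropy threshold and the sample data are constructed assumptions, not values from any real ransomware family.

```python
import math
import os
import tempfile
from collections import Counter
from random import Random

# Constructed name fragments typical of the "readme" notes the article mentions (assumption).
NOTE_HINTS = ("readme", "decrypt", "restore", "recover")
SAMPLE_BYTES = 4096  # only the head of each file is read, which keeps the scan cheap

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, encrypted or compressed data approaches 8."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def looks_like_ransom_note(name: str) -> bool:
    lower = name.lower()
    return lower.endswith(".txt") and any(hint in lower for hint in NOTE_HINTS)

def scan_tree(root: str, threshold: float = 7.5) -> dict:
    """Count high-entropy files and note candidates under root; flag when most user files
    look encrypted, or when a note sits next to at least one encrypted file."""
    high, notes, total = 0, [], 0
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if looks_like_ransom_note(fname):
                notes.append(path)
                continue
            total += 1
            with open(path, "rb") as fh:
                if shannon_entropy(fh.read(SAMPLE_BYTES)) >= threshold:
                    high += 1
    ratio = high / total if total else 0.0
    suspicious = ratio >= 0.8 or (bool(notes) and high > 0)
    return {"files": total, "high_entropy": high, "notes": notes, "ratio": ratio, "suspicious": suspicious}

def simulate(encrypted: bool) -> dict:
    """Constructed fixture: five plain-text 'documents', or pseudo-random bytes standing in
    for encrypted files plus a ransom note. No real encryption is performed."""
    rng = Random(1)
    with tempfile.TemporaryDirectory() as tmp:
        for i in range(5):
            body = bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES)) if encrypted else (f"Quarterly report {i}. " * 200).encode()
            name = f"report{i}.docx" + (".locked" if encrypted else "")
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(body)
        if encrypted:
            with open(os.path.join(tmp, "README_DECRYPT.txt"), "w") as fh:
                fh.write("Your files are encrypted.")  # constructed note text
        return scan_tree(tmp)
```

Calling `simulate(False)` and `simulate(True)` shows a clean share versus one that trips the heuristic; in production the same scan would be scheduled against real shares and its verdict fed to alerting.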

What is Ransomware as a service (RaaS)?

RaaS is a cybercrime model that allows malware developers to earn money from their work without having to distribute the malware themselves. It lets non-technical criminals buy the malware and launch infections, paying the developers a share of each ransom. The developers run comparatively few risks, as their customers do most of the work. For example, some RaaS operations sell subscriptions, and the criminal clients must register to gain access to the ransomware.

How to defend against ransomware?

Follow these tips to protect yourself against it.

  1. Back up your data regularly.
  2. Secure your backup files. Some ways to do this are storing them on a separate system, encrypting them, and using third-party key management.
  3. Use security software and keep it up to date. Examples of security software are Microsoft Defender, Avast, Bitdefender and Norton.
  4. Practice safe surfing: be very careful what you click. Don't respond to emails from unknown senders, and download apps only from trusted sources.
  5. Use secure networks and avoid public networks, which are vulnerable to attack. If you must use a public network, use a VPN, which provides a secured connection to the network.

Ajit Kumar Dutta

Central Coalfields Limited at Coal India Limited

8 months

Thank you Megha. You have elaborated on Ransomware correctly. I had faced this problem during 2016. We didn't pay a single penny to them. We were saved because we backed up the files on a daily basis. Although the main softwares were protected by our own passwords. Thanks again for nicely explaining the subject, Ransomware.
