Ransomware: a Complete Guide
On March 18, 2021, the Russian cyber-crime group REvil made the highest ransom demand on record, against the Taiwanese company Acer. CNA, one of the biggest insurance carriers in the U.S., was also hit by a ransomware attack that caused nationwide network disruption. Bloomberg reported that CNA went ahead and paid a $40 million ransom to the attackers, though CNA has not confirmed the payment.
In the past few years, the modus operandi of the biggest ransomware attacks globally has fundamentally changed. Widespread, indiscriminate ransomware campaigns have been replaced by extraordinarily well-targeted, damaging attacks, more often aimed at large organizations. Furthermore, attackers now focus on exfiltrating data as well as encrypting it: they extort victims by stealing confidential information and threatening to publish it if the ransom is not paid. Attackers seem to prefer launching fewer attacks, each with a much larger reward, rather than amassing smaller amounts from more victims. To this day, ransomware is considered the most dangerous malware threat. In 2021, it is said that a ransomware attack occurs every eleven seconds.
Let’s take a close look at the growing threat of ransomware attacks, which have at times brought entire countries to a standstill. What makes ransomware so potent and dangerous? What can we do to protect ourselves against it? How can we keep our important data safe? What does the future look like for online security, in a world where everything seems to be going virtual?
The history of ransomware
Ransomware has existed for a long time. The first asymmetric ransomware prototypes were developed in the mid-1990s. Asymmetric ransomware uses asymmetric cryptography, also known as public-key cryptography, a process that uses a pair of related keys — one public key and one private key — to encrypt and decrypt a message and protect it from unwarranted access or use. An encryption key is a random arrangement of bits generated to scramble and unscramble data. Encryption keys are created by algorithms designed to make sure that each key is unique and impossible to predict. The longer the encryption key, the harder it is to break.
The idea of using public-key cryptography for attacks on computers was put forward in 1996 by Adam L. Young and Moti Yung in the Proceedings of the IEEE Symposium on Security and Privacy. In their abstract, Young and Yung proclaimed that their prototype was meant to demonstrate how cryptography could be “used to mount extortion-based attacks that cause loss of access to information, loss of confidentiality, and information leakage, tasks which cryptography typically prevents.” The two computer scientists introduced a proof-of-concept crypto-virus for the Apple Macintosh SE/30 that combined RSA with the TEA block cipher. We will return to the difference between asymmetric ciphers such as RSA and symmetric ciphers further down.
Young and Yung had created the virus. However, there was a logistical problem: in their model, the ransom could not be collected without exposing the attacker. Some tried asking for payments to be sent to a post office box, like the author of the “AIDS” Trojan ransomware, who was arrested soon afterwards by law enforcement officials who had tracked the funds. That is why, until 2005, little happened in the way of ransomware.
In 2005, GPCode, also known as PGPCoder, was launched. GPCode was a simple Trojan that encrypted common user files whose extensions matched a list hard-coded in its body (these extensions included .doc, .html, .jpg, .xls, .zip, and .rar). A Trojan is a piece of malicious code or software that is delivered to your computer looking legitimate, but that can control your computer once installed. The Trojan dropped a text file demanding payment in every directory that contained affected files. The payment was usually between $100 and $200, via e-gold or a Liberty Reserve account.
This Trojan-type ransomware sparked an array of responses from the security industry, such as virus detection signatures and ways to fight off GPCode. It was considered only mildly successful: the authors of the malware were able to collect a bit of money, but flaws in its implementation allowed users to recover their data without ever paying the ransom demanded of them.
It took a few years after GPCode for ransomware to become truly successful at its attacks and gain an astounding amount of popularity. In 2011, around 60,000 new ransomware samples were observed, a number that more than doubled in 2012. Then, from 2014 to 2015, ransomware more than quadrupled. Here is a list of the most important and notorious ransomware variants that have appeared since, along with their modes of operation.
CryptoLocker – distributed by email.
Locker – fake software; the key supposedly costs $150, and users are prompted to send money to a Perfect Money or QIWI Visa Virtual Card number.
CryptorBit – corrupts the first 1024 bytes of any file it can find on the devices it succeeds in attacking.
CryptoWall – malicious advertisements on very popular websites that let the attackers into devices through a Java vulnerability.
Cryptoblocker – only encrypts large files.
OphionLocker – gives 3 days to pay the ransom, after which the attackers threaten to delete the private key, losing all data.
Pclock – 72-hour countdown timer to pay 1 bitcoin in ransom.
CryptoWall 2.0 – distributed by email.
VaultCrypt – pretends to be customer support.
How does ransomware work?
Ransomware can take different routes to access a computer. One of the most frequently employed delivery systems is phishing spam, in which attachments arrive on the victim’s computer via an email disguised as coming from a source that looks utterly credible. Almost one in four recipients of ransomware attack attempts open phishing messages. More than one in ten click on attachments that redirect them to phishing pages. Nearly half of all recipients of ransomware attempts click the links within 60 minutes of the email being sent out. Drive-by downloads are also still frequently used. A drive-by download is the unintentional download of malicious code onto a device, which exposes users to a diverse array of threats. Ransomware attackers are able to compromise credible sites in order to redirect visitors to their dangerous software or file.
The means of delivering the ransomware software or file is called the distribution phase. Then comes the infection. Once the victim has downloaded and opened the ransomware, the attackers are able to take over the victim’s computer completely. The file lands on the user’s computer and initiates the processes it needs to complete in order to fulfill its purpose. The infamous CryptoWall 3 ransomware will:
Step 1: Generate a unique computer identifier
Step 2: Ensure “reboot survival” by installing the program to run at start-up (through service entry, scheduled task, AutoRun key, etc.)
Step 3: Deactivate shadow copies, start-up repair, and Windows error recovery
Step 4: Stop Windows Security Center, Windows Defender, Windows Update Service, error reporting, and BITS
Step 5: Inject itself into explorer.exe and svchost.exe
Step 6: Retrieve the external IP address
Step 7: Then go back to Step 3.
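As an added illustration (not code from the original guide), the following Go program shows how a defender can recognise steps 2 to 4 of this chain in process-creation telemetry: it classifies constructed sample events against patterns for Run-key or scheduled-task persistence, shadow-copy and recovery tampering, and stopping security services, then counts how many distinct categories each host hit, since one category on its own is often routine administration. The event type, the rule set and the sample command lines are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// ProcEvent is a minimal process-creation record, the fields a Sysmon
// event ID 1 or Windows 4688 event would carry (hypothetical type).
type ProcEvent struct{ Host, CommandLine string }

// Finding ties an event to the CryptoWall step it resembles.
type Finding struct{ Step string; Event ProcEvent }

// rules map the behaviours in steps 2 to 4 above to command-line patterns.
// Hypothetical rule set; a real deployment would use vetted Sigma rules.
var rules = []struct{ step string; re *regexp.Regexp }{
	// Step 2: reboot survival through an AutoRun key or scheduled task
	{"persistence (Run key / scheduled task)", regexp.MustCompile(
		`(?i)(reg(\.exe)?\s+add\s+.*\\currentversion\\run\b|schtasks(\.exe)?\s+/create)`)},
	// Step 3: deactivating shadow copies and start-up repair
	{"shadow copy / recovery tampering", regexp.MustCompile(
		`(?i)(vssadmin(\.exe)?\s+delete\s+shadows|bcdedit(\.exe)?\s+.*recoveryenabled\s+no)`)},
	// Step 4: stopping Security Center, Defender, Windows Update, WER and BITS
	{"security service stop", regexp.MustCompile(
		`(?i)\b(sc|net)(\.exe)?\s+stop\s+(wscsvc|windefend|wuauserv|wersvc|bits)\b`)},
}

// classify returns one finding per event that matches a rule.
func classify(events []ProcEvent) []Finding {
	var out []Finding
	for _, ev := range events {
		for _, r := range rules {
			if r.re.MatchString(ev.CommandLine) {
				out = append(out, Finding{Step: r.step, Event: ev})
				break
			}
		}
	}
	return out
}

// hostScore counts distinct steps seen per host: one category alone is often
// an administrator at work, while several on one host is the chain above.
func hostScore(fs []Finding) map[string]int {
	seen := map[string]map[string]bool{}
	for _, f := range fs {
		if seen[f.Event.Host] == nil {
			seen[f.Event.Host] = map[string]bool{}
		}
		seen[f.Event.Host][f.Step] = true
	}
	score := map[string]int{}
	for host, steps := range seen {
		score[host] = len(steps)
	}
	return score
}

// sampleEvents are constructed for this example, not real telemetry.
var sampleEvents = []ProcEvent{
	{"ws01", `vssadmin.exe delete shadows`},
	{"ws01", `sc stop WinDefend`},
	{"ws01", `reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v updater /t REG_SZ /d C:\Users\bob\AppData\Roaming\svc.exe`},
	{"ws02", `sc stop Spooler`}, // not a security service: no finding
	{"ws02", `schtasks /create /tn NightlyBackup /tr C:\backup.bat /sc daily`}, // routine admin task
	{"ws03", `notepad.exe C:\Users\ann\todo.txt`},
}

func main() {
	findings := classify(sampleEvents)
	for _, f := range findings {
		fmt.Printf("%-5s %-40s %s\n", f.Event.Host, f.Step, f.Event.CommandLine)
	}
	fmt.Println("distinct categories per host:", hostScore(findings))
}
```

On the sample data ws01 hits all three categories while ws02 hits only the persistence rule through a legitimate backup task, which is why the per-host count, not the single match, is what an analyst should alert on.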
The files targeted by the malware for encryption, in most cases, include:
Microsoft Office files (.doc, .docx, .xls, .xlsx, .ppt, .pptx, .rtf)
Open Office files (.odt, .ods, .odp)
Adobe PDF files
Popular image files (.JPG, .PNG, raw camera files, etc.)
Text files (.txt, .RTF, etc.)
Database files (.sql, .dba, .mdb, .odb, .db3, .sqlite3, etc.)
Compressed files (.zip, .rar, .7z, etc.)
Mail files (.pst)
Key files (.pem, .crt, etc.)
More complex and aggressive forms of ransomware that have appeared recently don’t even need to trick users into accepting a download or clicking on a link to hack into computers.
Once ransomware has taken over the unsuspecting victim’s computer, it will start encrypting some or all of the user’s files. This process is called communications. When it has finished doing so, the user will not be able to decrypt their files without a mathematical key that only the attacker knows. That is where the ransom demand comes into play: the attacker promises to divulge the secret key in exchange for a hefty sum of money. In 2020, the average ransomware payment demand was around $200,000. Payments are often to be made in Bitcoin, because of its untraceable nature.
Some forms of malware involve an attacker pretending to be a law enforcement agency that has locked the victim’s computer because of the recent viewing of pornography or the illegal download of pirated software, and then demanding payment of a “fine”. With ransomware, however, attackers employ other tactics. Leakware or doxware are attacks in which the perpetrator intimidates the victim by threatening to make sensitive data public unless a ransom is paid promptly.
So, these are the six steps ransomware will take in order to achieve its goal:
Distribution
Infection
Communication
Ransom demand
Encryption
File search
Ransomware is costing countries millions
Over the past few years, ransomware has evolved from a mild inconvenience into a huge, headline-grabbing hazard. The attackers’ ability to orchestrate cyber-criminal masterpieces has greatly matured over time. What used to be straightforward data lockout threats have now become hauntingly sophisticated means to gain access to, and sometimes even leak, sensitive data.
Damage, too, is growing. In 2019, ransomware cost the US $11.5 billion, averaging $141,000 per incident. 113 state and municipal governments and agencies, 764 healthcare providers, 89 universities, colleges, and school districts, and 1,233 individual schools were affected by ransomware attacks. It is predicted that by the end of 2021, ransomware will have cost the United States up to $20 billion, nearly twice the amount it cost the country in 2019. The damage ransomware does has grown at an alarming rate.
Ransomware targets are growing increasingly large
On June 19, 2020, Crozer-Keystone Health System endured an attack by the NetWalker ransomware cyber-crime group. The organization’s systems were infected and the stolen data was sold through a website on the darknet. One year prior to that attack, the known count of U.S. healthcare providers that had been impacted by ransomware was 764.
Initially, ransomware attacks were largely opportunistic, targeting small businesses or individual users’ computers to extort money. Nowadays, cyber-criminals are focusing on much larger organizations that have the resources to pay bigger ransoms, such as healthcare, educational, municipal, and governmental organizations.
The larger organizations targeted by cyber-criminals are much more likely to see high ransom demands. The ransomware attackers coordinate careful calculations to estimate what the organization might be willing to pay.
There is a fundamental difference between targeted and non-targeted attacks, which also go by the name of mass distribution attacks. Though they appear to be similar, they have many technical differences. Mass distribution attacks are usually based on an automated and fast process. They usually take around 15 minutes from the initial infection to the ransom demand. Targeted attacks on the other hand are usually set up by a human instead of an automated system, thus taking longer to carry out. Between 2019 and 2020, the number of single users affected by targeted ransomware went from 985 to 8,538, which is a whopping 767% jump.
The tools used for targeted and non-targeted attacks differ too. Non-targeted attacks use more tailored tools, whereas targeted attacks utilize pre-made systems for the initial phases. Mass-distribution attacks are still an ominous threat, but the real worry is the unsettling number of intricate and complicated targeted attacks being carried out against government and even defense organizations.
Ransomware attacks on larger organizations often include:
Network compromise
Reconnaissance & persistence
Lateral movement
Data exfiltration
Data encryption
Extortion
Ransomware Attacks are accessible to the general public - Ransomware as a Service
Brian Coulson, the main threat research engineer at LogRhythm, said: “Ransomware itself has become commoditized; literally anyone can contact a Ransomware as a Service (RaaS) group to deploy ransomware. Detecting potential ransomware attacks is and will be an increasingly critical part of enterprises in the future, as well as the ability to respond quickly using automation (SOAR).”
With Ransomware-as-a-Service (RaaS), even non-technical users can employ ransomware to attack organizations anywhere in the world. Many malware authors have recently been using Malware-as-a-Service to become financially independent of their 9-to-5 jobs. Yes, some computer experts are offering their wares as a service by orchestrating malware operations on demand, just as a developer would provide an app or a website.
Giving access to software that has the potential to be damaging and exploitative to the general public is definitely not going to slow the advent of ransomware down. If anything, ransomware might not be the product of mysterious and anonymous cyber-criminal groups’ skilled mastery, but the simple will of anyone looking to digitally harm a friend, family member, or foe. This suggests great uncertainty as to whether any data is ever truly safe...
Data encryption for more protection
The basic concept of encryption is to translate data into a form that masks its original meaning. Only those who have the appropriate authorization can decipher the encrypted data. Data is scrambled thanks to mathematical functions using a number called a key. A key is also used to decrypt the information. If the same key is used for encryption and decryption, the process is symmetric. However, if different keys are used for encryption and decryption, it is called asymmetric.
AES encryption
AES, which stands for Advanced Encryption Standard, has become the encryption algorithm of choice for governments, financial institutions, and security-conscious enterprises globally. The AES algorithm applies a sequence of mathematical transformations to each 128-bit block of data. The computational requirements of this method of encryption are so low that AES can be used on readily available computing devices like laptops and smartphones. It therefore helps to rapidly encrypt huge amounts of data at a time.
AES is a symmetric algorithm that uses the same 128-, 192-, or 256-bit key for encryption and decryption; the security of an AES system increases exponentially with key length, so the longer the key, the more secure the system. Even with a 128-bit key, breaking AES by checking all of the 2^128 potential key values (a “brute force” attack) is so computationally intensive that even the most powerful supercomputer would need around 100 trillion years to do it.
RSA encryption
RSA is an asymmetric algorithm that uses a public key for encryption but a different key for decryption. This decryption key is held only by the intended recipient. This system is called public-key cryptography, or PKC. The public key is the product of two huge prime numbers. That product, which could be 1024, 2048, or 4096 bits in length, is the only thing made public, because RSA decryption requires knowledge of the two prime factors of that product. There is no known practical way of calculating the prime factors of such large numbers, so only the creator of the public key can generate the private key needed for decryption. RSA is much more computationally intensive than AES and therefore slower. It is habitually employed to encrypt only very small amounts of data.
How can we protect ourselves from ransomware?
A few factors can come into play when making you more vulnerable to ransomware. You should be particularly careful if you:
Have one or more older devices that you use. New computers and smartphones are supplied with state-of-the-art protection against ransomware, whereas older versions may not be as efficient in protecting users against potential threats.
Haven’t performed a software update in a while, for the same reasons as mentioned above.
Have browsers and/or operating systems that are no longer patched (yes, browsers actually need to be updated regularly to provide protection against any kind of malware).
Have devices that haven’t been properly backed up, or in other words, some data of yours only exists on your device and not on an external hard drive.
Traditional safety features are no longer a powerful enough barrier against ransomware. Some powerful forms of ransomware are resistant to:
Antivirus software
Email/spam filters
Ad/pop-up blockers
Endpoint detection and response platform
Let’s talk about some concrete actions you can take to protect yourself against ransomware.
Avoid phishing emails at all costs
Install strong email spam filters and avoid downloading attachments from any unknown sources at all times. Learn more about the strategies put in place by cybercriminals.
Regularly update software
Updating all your devices’ software on a regular basis lets you make sure you are maintaining your system’s security. Download and install the latest patches available for your device to fix your system’s potential vulnerabilities. This software is continually updated and worked on to cope more efficiently with the growing challenges ransomware has been forcing upon the world.
Change passwords often
You can set passwords to expire after whatever period of time you wish. Changing passwords regularly will add an extra layer of security, especially if your sensitive password-protected data has a locking mechanism that blocks access to the system after a set number of failed attempts to log in, usually around three.
Implement regular backups
You want to be able to walk away from a ransom demand if ever your data is compromised. In order to be in that position, you’re going to need to carry out frequent backups of your data onto external hard drives.
Never click on unknown links
Never click on a link you don’t recognize. When in doubt, run the link through a link checker. Though free versions of these link checkers are available online, such as https://www.ipqualityscore.com/threat-feeds/malicious-url-scanner, you may want to think about investing in a paid software that lets you thoroughly scan unknown URLs for malicious intentions or activity.
Keep your information to yourself
Avoid disclosing personal information as much as possible. Keep it to the bare minimum, especially when dealing with a source you don’t fully trust who is asking for your personal information. Never reply if you’re not completely sure. Some attackers collect personal information in order to deliver personalized phishing messages to you, to lure you into accepting their link or download.
Never use unknown USB sticks
Only insert a USB stick into your device if you know its source. This rule works for any storage media — always be sure of where it came from before connecting it. Cybercriminals have been known to plant malware-infected USB sticks in frequented public places, waiting for someone to pick the stick up and connect it to their computer, tickled by their curiosity.
Use VPN for public WiFi
Your computer is far more vulnerable to attacks when connected to a public WiFi network. You should avoid using public connections for anything involving personal data or any sort of transaction, and always use a VPN as a preventative measure. A VPN encrypts all of your traffic and hides your IP address by routing your network activity through an encrypted tunnel to a remote server.
Insurance and the fight against ransomware
Over the past few years, the market of cyber insurance has not ceased to expand. More businesses purchase cyber coverage now than ever before. Around fifty percent of respondents to Marsh and Microsoft’s 2019 Global Cyber Risk Perception Survey said they have cyber insurance, up from thirty-four percent in 2017.
This exponential growth points to the fact that cyber insurance has great value as a risk mitigation tool and a real capability to react to ransomware. The CEO of the Colonial Pipeline Joseph Blount recently testified before the House Homeland Security Committee that his company filed a claim with its cyber insurance carrier for the $4.4 million cryptocurrency ransom it was forced to pay.
How does it work?
Ransomware insurance works just like any other type of cyber insurance. Bhavani Thuraisingham, director of the University of Texas’s Cyber Security Research and Education Institute, noted that "Cyber insurance is about assessing the cyber risk, determining the potential losses due to attacks, and then obtaining coverage. [They aren't] just stealing your data but crippling your system by encrypting all of the data and files so that you can't have access unless you pay them a ransom. It’s like someone breaking into your house and stealing your jewelry, but also kidnapping your child and demanding a ransom.”
Ransomware insurance is usually sold as part of an overall cyber insurance policy. The policy varies according to the insured’s industry, though usually any organization that handles information about a third party is likely to subscribe to a cyber insurance policy. Cyber insurance is available in several different forms:
One type focuses on first-party responses and covers legal services to cope with the security breach, as well as any costs linked to regulatory compliance if a breach was to happen.
Insurance that addresses immediate customer needs, such as credit monitoring and communication with clients to inform them about the security breach. This includes crisis management and PR expenses, as well as any costs linked to business interruption and extra labor incurred as a consequence of the event that prompted the claim.
Coverage that undertakes issues related to third-party defense and liability
Sub-limits and deductibles
Most of the existing insurance policies regarding cyber-security and more precisely ransomware set sub-limits for covering ransomware.
Payment terms
Policies require written consent before the insured issues a payment, which can delay that payment. This is problematic when an organization must act quickly to pay a ransom and resume business that has been brought to a standstill. The ransom may not be reimbursed if it does not meet the payment terms stipulated in the policy.
Definition of extortion
Organizations may not always entirely comprehend and agree with their insurance company’s definition of extortion, though the definition sets the coverage trigger.
The developments occurring within the ransomware sphere are most likely going to propel the world into a new digital era: an epoch in which no organization, small or huge, and no person, anonymous or renowned, will be absolutely and positively immune to a ransomware attack. There has been a distinct transformation in the landscape of ransomware, with a proliferation of attackers extorting confidential information and demanding incredible amounts of money from a handful of targeted organizations. Techniques will only continue to grow more advanced and refined in order to infiltrate any network and encrypt any type of data.
This means that the world needs to change its outlook on cyber-security. Whether it’s taking a more comprehensive approach to online security by implementing regular patching, software updates, and other best practices; or subscribing to one of the growing numbers of insurance policies available to both private and public entities, we must keep up.