The world around us is changing at an accelerated pace; technologies become obsolete within months of their creation. Threats evolve at the same rate, and it is a necessity for us to be aware of threats and attacks in this digital era. Ransomware is malicious software or code developed by black hat hackers to launch data-encrypting and lock-screen attacks for the sole purpose of ransom.

Once executed, these malwares usually deny users access and demand money through cryptocurrencies like bitcoin or through MoneyPak and GreenDot. The first malware extortion was created around 1989 as an experiment but was a big design failure. Researchers kept on working and identified the concept of "Ransomware" in the late 90's, but it was not a threat because there was no digital currency.

It wasn't until 2005, when digital currency was being used, that ransomware became prominent. The main impact of ransomware was observed from Fall '13 to Summer '14, when Cryptolocker struck the business world and extorted 3 million USD. Cryptolocker hit like a hurricane and was just the beginning of a new chapter in information security. Even though Cryptolocker was removed in a short duration, a lot of similarly named or similar-tactic ransomware has since been spawned and is striking the market to this day. In addition, affected files could not be recovered without the ransom payment, and at times the files were not recovered even after the ransom was paid.

Keeping in mind the level at which this ransomware has had an effect, a group or an organization is responsible for this exploit. The use of cryptocurrency has prevented even cyber law-enforcement agencies from finding these cybercriminals. Since almost 90% of the world population uses Windows at work or at home, the impact of Cryptolocker on Microsoft was huge. Quick resolutions had to be produced to control the effect, but the owners of the infected systems had to pay the ransom for their files.
Microsoft came up with a lot of mitigation plans and suggestions, which are discussed further in this paper.

1. Cryptolocker

Cryptolocker was one of the earliest ransomware to impact the cyber world, forcing professionals to take the information security aspect more seriously. According to experts, this attack occurred from 5th September 2013 to late May 2014, and it spread around the world via emails or the Gameover Zeus botnet. Unlike its predecessor, this botnet uses encrypted peer-to-peer communication, reducing its vulnerability to cyber police. The encryption used by Cryptolocker is RSA or AES 2048, which to this day is considered one of the most secure encryption schemes. Usually Cryptolocker arrives in the mailbox as a "*.pdf.exe" file, but since Windows by default does not show the full extension, it is overlooked as just another PDF file. When executed, Cryptolocker installs itself in the Documents and Settings folders under randomly generated names. It also adds itself to the registry so that it starts every time the system is switched on. Once installed, it tries to connect to random domains at different times and uploads a Cryptolocker ID file to the server it reaches. This command and control server then sends the public key back to the infected computer, and this key is used to encrypt files using standard encryption such as RSA or AES-2048.

Cryptolocker has a list of file extensions which it encrypts; this list is shown at the end in an image. Once the encryption of all the available files is complete, either the desktop background changes or a window pops up which is referred to as the "Payment Page". This page displays the message "Your personal files are encrypted" and has a timer of 72 hours, after which the private key would be destroyed along with the files. At the bottom right of the window there is a Next button which would typically take you to the payment options, which are usually BitCoin or MoneyPak, and a payment of USD 300 is demanded. There are other ways by which Cryptolocker could be spread, one of them being through a backdoor into a network.
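As an added example (not part of the paper), the following PowerShell script audits a Windows host for the three delivery and persistence traits described above: Explorer hiding known extensions (so "invoice.pdf.exe" displays as "invoice.pdf"), double-extension files sitting in a download folder, and autostart entries in the Run keys whose command points into a user profile folder. The registry locations are the standard Explorer and Run-key paths, and the scan folder is an assumption chosen for the example; none of these values come from the paper.

```powershell
# Added example, not from the paper: audit a Windows host for the
# Cryptolocker delivery and persistence traits described in the text.
# Assumptions (not from the paper): standard Explorer and Run-key registry
# locations; $ScanRoot is a folder of your choosing.
param(
    [string]$ScanRoot = "$env:USERPROFILE\Downloads"
)

# Extensions Windows executes directly. A name like invoice.pdf.exe is the lure
# described in the paper; with "hide known extensions" on, it shows as invoice.pdf.
$ExecutableExtensions = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.vbs')

function Test-HiddenExtensionsEnabled {
    # HideFileExt = 1 (or absent) means Explorer hides known extensions, the Windows default.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $value = (Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    return ($null -eq $value) -or ($value -eq 1)
}

function Find-DoubleExtensionFiles {
    param([string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $parts = $_.Name.Split('.')
            # Three or more name segments (e.g. report.pdf.exe) ending in an executable type.
            ($parts.Count -ge 3) -and ($ExecutableExtensions -contains $_.Extension.ToLower())
        } |
        Select-Object FullName, Length, LastWriteTime
}

function Get-SuspiciousRunEntries {
    # Autostart entries whose command lives under a user-writable profile folder,
    # which is where the paper says Cryptolocker drops its randomly named copy.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata members
            if ("$($p.Value)" -match 'AppData|Documents and Settings') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

if (Test-HiddenExtensionsEnabled) {
    Write-Warning 'Explorer is hiding known file extensions; a .pdf.exe attachment will display as .pdf'
}
Write-Host "Double-extension executables under $ScanRoot:"
Find-DoubleExtensionFiles -Path $ScanRoot | Format-Table -AutoSize
Write-Host 'Autostart entries pointing into profile folders:'
Get-SuspiciousRunEntries | Format-Table -AutoSize
```

Run it as the interactive user (the HKCU checks read that user's settings); any hit in the Run-key list deserves a closer look at the file it points to, since legitimate software rarely autostarts from a randomly named file under the profile.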
Windows is the most used operating system in the world. People use it at home, at the workplace and at any other place they see fit. It has a market share of almost 90%, followed by MAC with approximately 8-10%. Since Windows is everywhere, it is natural that black hats target Windows-based vulnerabilities more than any other operating system.

A probable solution to this problem would be to stop using Windows, so that the attacks would stop altogether because MAC and LINUX are better in terms of security. In such a case, however, it is highly unlikely that their security would remain that secure, and the switch would create chaos in the infrastructure of companies. So, it is better to improve the level of security and mitigate vulnerabilities through a combined effort by Microsoft and companies.

As a matter of fact, Microsoft as well as many companies have come up with mitigation plans for ransomware, which are discussed further ahead.

1.1. Solution, Prevention and Mitigation

First and foremost, when a user is infected by Cryptolocker, they should immediately disconnect the system from the internet. This breaks the connection between the machine and the command and control server, thereby stopping further files from being encrypted. Files once encrypted are very difficult to decrypt without the private key; the only chance of getting the private key is either by paying the attacker or if the cyber police release some of the recovered private keys. Keeping a backup is a good practice, and recovering from backup is the best solution for a ransomware attack.

Another solution to Cryptolocker was designed by a Dutch IT security firm, which was able to procure the private keys of Cryptolocker when the Gameover Zeus botnet was taken down by cyber police. Later came security devices and software that were able to prevent a Cryptolocker attack and, in case infected files enter the system, specialized tools that can deny connection to the command and control server. Some of them are the Kaspersky anti-ransomware tool, the Malwarebytes anti-ransomware tool and Watchguard's XTM tool. Nowadays, most antiviruses include such an anti-ransomware tool.
Preventing Cryptolocker has become difficult with time, as it is more aggressive than its previous versions. Only backing up the files won't prevent the problem in the current scenario; the user must also be aware of the system's behavior at all times. While browsing the internet, unknown or unsecured sites should be avoided, and the antivirus should provide secure email solutions such as showing hidden file extensions and filtering ".exe" file extensions. On top of that security, users should be careful while opening new emails from unknown or known senders, as they can be phishing emails. One more important preventive measure is disabling Remote Desktop Protocol (RDP) and blocking files running from the App Data and Local App Data folders.

The world is evolving every day, and new threats are generated every day with new technologies. We cannot prevent the risks of ransomware or other malware altogether; instead we should be prepared to mitigate the problem in case of risk occurrence.
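The preventive measures listed above (show hidden file extensions, disable RDP, stop executables running from the App Data and Local App Data folders) can be applied on a single machine with the PowerShell script below. It is an added example, not the paper's or Microsoft's own code. It assumes the standard Explorer and Terminal Server registry locations, the NetSecurity firewall cmdlets available on Windows 8 / Server 2012 and later, and the Software Restriction Policy (SRP) registry layout under the Safer key; the blocked path patterns and the designated file-type list are the example's own choices.

```powershell
# Added example, not from the paper: apply the preventive settings the paper
# lists, from an elevated PowerShell prompt on the local machine.
# Assumptions (not from the paper): standard Explorer, Terminal Server and
# SRP (Safer) registry locations; editions without local policy support
# ignore the SRP keys.
#Requires -RunAsAdministrator

# 1. Show file extensions so report.pdf.exe is no longer displayed as report.pdf.
$explorerAdvanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $explorerAdvanced -Name HideFileExt -Value 0 -Type DWord

# 2. Disable Remote Desktop and close its inbound firewall rule group.
$terminalServer = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $terminalServer -Name fDenyTSConnections -Value 1 -Type DWord
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# 3. Software Restriction Policy path rules that disallow executables launched
#    from the roaming and local application-data folders.
$safer      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $safer '0\Paths'      # security level 0 = Disallowed
New-Item -Path $disallowed -Force | Out-Null  # -Force also creates the parent keys

# Default level 0x40000 = Unrestricted: everything runs except the path rules below.
Set-ItemProperty -Path $safer -Name DefaultLevel       -Value 0x40000 -Type DWord
Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 1       -Type DWord
Set-ItemProperty -Path $safer -Name PolicyScope        -Value 0       -Type DWord   # all users
# Designated file types the policy applies to (the SRP default list).
$designatedTypes = @('ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
                     'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
                     'PIF','REG','SCR','SHS','URL','VB','WSC')
Set-ItemProperty -Path $safer -Name ExecutableTypes -Value $designatedTypes -Type MultiString

# Patterns chosen for this example: executables directly in, or one level below,
# the roaming and local application-data folders.
$blockedPatterns = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe'
)
foreach ($pattern in $blockedPatterns) {
    $ruleKey = Join-Path $disallowed ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData    -Value $pattern -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags  -Value 0        -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description -Value 'Block executables in application-data folders' -Type String
}

Write-Host 'Hardening applied. Sign out or run "gpupdate /force" so the SRP path rules take effect.'
```

Test the SRP rules on a pilot machine before rolling them out: some legitimate installers and auto-updaters run from the Local App Data folder and will be blocked by these patterns, so an allow rule for each such program may be needed. The RDP change also stops legitimate remote administration, which is the intended trade-off for a home or standalone system.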
The most effective and fundamental way of mitigating these attacks is by spreading awareness amongst individuals. Everyone from a child to an old person is using digital devices, and knowing about these malwares would eliminate the chances of easy attacks. Conversely, it would become difficult for black hats to execute a successful attack, because most attacks are successful only when people are unaware of these trojans, phishes and other malware.

If you use the system in an office setup, then the network is secured by updated policies, firewalls and software which will protect you from attacks, but at home users should be extra cautious because their network is not protected by added firewalls by default. Antivirus would not be able to detect all malware, so other added software should be installed for proper protection. They are:

1. Real Time Protection: Kaspersky Total Security
2. Malware Scanner: Malwarebytes
3. Content Blocker: Adblock
4. System Utilities: CCleaner
5. Data Backup: Rollback RX (Free)