Ransomware: Hackers Infiltrating Secured Systems

Nilesh Jain, Trend Micro

First things first! Today, ransomware is a sophisticated threat affecting users across many countries worldwide, particularly those living in developed, high-tech economies. That is not to say developing economies are any less threat-prone. The ransomware world is like any real-life ecosystem.

Threats that can adapt and evolve to their surroundings can survive and even thrive, while those that can't or won't adapt may eventually disappear. The ransomware world is a good example of Darwinian-style evolution at work.

CIOs and security-software providers are in a constant chase with ransomware makers, who keep finding ways to penetrate even well-guarded systems. Here is an account of a real case: the employees of a highly security-conscious company received invoices in their mail inboxes suggesting they had racked up huge fees with a well-known car service. One employee opened the mail and clicked the link, "download this invoice." Though the company had adequate security protocols and technologies in place, this employee's curiosity led the firm to fall prey to a phishing-delivered ransomware attack.

The company had detected and blocked this ransomware long before, but since this was a new variant of the same ransomware, it started installing: the firewalls and other security systems did not recognize the oncoming threat. There were only two options: pay, or lose your files, data and information. Turning off the computer or unplugging it from the Internet does not help; the files on the PC continue to be encrypted very quickly.

The company caught a lucky break: although this TeslaCrypt ransomware was designed to immediately look for shared folders, connected servers and any data-backup systems the PC might connect to, in this case the infection stayed on a single PC. The machine was located and isolated from the network, and some files were restored, but most of what the user had saved locally was gone.

This is not always the case: some variants of ransomware encrypt the files and then send them to a remote server controlled by the hackers, to be used for potential blackmail. The hackers can decrypt the data and read the plain text for possible intelligence on future attacks. Hackers are targeting companies that hold sensitive documents: law firms, insurance companies and hospitals are increasingly targeted by actors who once focused mainly on quick, low-dollar blackmail of individuals or large-dollar extortion of financial institutions.

The number of Internet users in India is growing by the day. The ever-growing number of people accessing the Internet has given rise to hundreds of cybercrime incidents as well, such as data breaches, identity theft and fraud committed through invasive software such as viruses and other malware. In recent times, one such form of malware that is gaining notoriety and prominence is ransomware.

Ransomware has undergone several modifications over the last couple of years, with each new one even more malicious than its predecessor. Initially, the malware was developed along the lines of the Fake AV framework: malicious Trojan horse programs that deliberately manipulate the security system on a computer. Users of such computers were targeted by being approached to purchase software that could remove non-existent malware or security threats from the system. Once users clicked on infected links or mails, the ransomware changed its model to extract money by locking the PC screen. Aptly named 'Locker' ransomware, these programs force users to pay up in the hope of unlocking the computer screen, usually with a false promise of retrieving data that has already been jeopardized. Seldom do ransomware makers provide the key to unlock after receiving the money.

Another prominent form of ransomware is 'CryptoLocker', which freezes affected systems and conceals relevant data found on the system's hard drive. Dispersed as infected e-mail attachments, this particular malware mainly targets systems running Microsoft Windows.

Becoming a game changer among cyber threats, new and upgraded versions of ransomware extort money by encrypting the files on the computer or server, which are decrypted only after the cyber-criminal is paid a ransom. The constant threat that each version of ransomware poses, increasing its lethal quotient with every upgrade, has made it the most talked-about malware in the cyber security industry.

Another threat becoming apparent is ransomware's sudden invasion of businesses and organizations, moving along corporate networks toward their critical information assets. Staged attacks like these, following the cyber kill chain, are becoming prevalent and extremely destructive for many business ventures.

Well-established organizations are realizing this growing threat and are installing systems and tools that can detect irregular patterns in their business network data and quickly discern potential staged attacks. Many kinds of safety tools are now needed that cast a wider net rather than merely detecting malware signatures. In such cases, Indicators of Compromise (IOCs), elements used in computer forensics to detect any form of system or data intrusion, come into play.
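As an added illustration of the gap the story above points to (a recompiled variant's hash is on no block list, yet its behaviour on disk is the same) and of the behaviour-based detection this paragraph calls for, here is an example script that is not part of the original article and not Trend Micro code. It runs a hash-based IOC check beside a simple behavioural detector over a constructed file-event log. The log lines, process names, paths, the ".zzz" extension, the hash values and the thresholds are all invented for the example.

```python
import hashlib
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: file-system events as an endpoint agent might record
# them, one per line: ISO timestamp, process name, action, path. The process
# names, paths and the ".zzz" extension are invented for this example.
SAMPLE_EVENTS = """\
2016-03-01T09:00:01 OUTLOOK.EXE write C:\\Users\\alice\\Downloads\\invoice_4471.zip
2016-03-01T09:00:09 explorer.exe write C:\\Users\\alice\\Downloads\\invoice_4471.pdf.exe
2016-03-01T09:00:12 invoice_4471.pdf.exe write C:\\Users\\alice\\Documents\\q1.xlsx.zzz
2016-03-01T09:00:12 invoice_4471.pdf.exe delete C:\\Users\\alice\\Documents\\q1.xlsx
2016-03-01T09:00:13 invoice_4471.pdf.exe write C:\\Users\\alice\\Documents\\notes.docx.zzz
2016-03-01T09:00:13 invoice_4471.pdf.exe delete C:\\Users\\alice\\Documents\\notes.docx
2016-03-01T09:00:14 invoice_4471.pdf.exe write C:\\Users\\alice\\Pictures\\kids.jpg.zzz
2016-03-01T09:00:14 invoice_4471.pdf.exe delete C:\\Users\\alice\\Pictures\\kids.jpg
2016-03-01T09:00:15 invoice_4471.pdf.exe write C:\\Users\\alice\\Documents\\plan.pptx.zzz
2016-03-01T09:00:15 invoice_4471.pdf.exe delete C:\\Users\\alice\\Documents\\plan.pptx
2016-03-01T09:00:16 invoice_4471.pdf.exe write C:\\Users\\alice\\Documents\\HELP_RESTORE_FILES.txt
2016-03-01T09:00:30 WINWORD.EXE write C:\\Users\\alice\\Documents\\report.docx
2016-03-01T09:00:31 WINWORD.EXE write C:\\Users\\alice\\Documents\\~WRL0001.tmp
"""

# Extensions a normal workstation writes all day; anything else appended on top
# of one of these (report.docx -> report.docx.zzz) is treated as suspicious.
COMMON_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png",
                     ".txt", ".tmp", ".zip", ".exe"}
WINDOW_SECONDS = 10      # sliding window for counting suspicious writes
WRITE_THRESHOLD = 4      # suspicious writes inside the window that trigger an alert

# Constructed stand-in for a hash-based IOC list: only the "old" variant is on it.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"old-variant-bytes (constructed)").hexdigest()}


def matches_known_ioc(sample: bytes, ioc_hashes=KNOWN_BAD_SHA256) -> bool:
    """Signature-style check: True only if the sample's SHA-256 is already listed.
    A recompiled variant has a different hash, so this check alone misses it."""
    return hashlib.sha256(sample).hexdigest() in ioc_hashes


def parse_event(line: str):
    ts, proc, action, path = line.split(" ", 3)   # path may itself contain spaces
    return datetime.fromisoformat(ts), proc, action, path


def extension(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_encryption(log_text: str, window=WINDOW_SECONDS, threshold=WRITE_THRESHOLD):
    """Behavioural check: flag a process that, within `window` seconds, writes at
    least `threshold` files carrying an unknown extension stacked on a common one,
    and report how many of the matching originals it deleted (rewrite-then-delete
    is the pattern the story above describes). Returns {process: finding}."""
    recent = defaultdict(deque)            # proc -> timestamps of suspicious writes
    expected_originals = defaultdict(set)  # proc -> original paths seen rewritten
    total_writes = defaultdict(int)
    deleted_originals = defaultdict(int)
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proc, action, path = parse_event(line)
        if action == "delete":
            if path in expected_originals[proc]:
                deleted_originals[proc] += 1
            continue
        if action != "write":
            continue
        ext = extension(path)
        stem = path[:-len(ext)] if ext else path
        # Ordinary write, or no common extension hiding under the new one: ignore.
        if ext in COMMON_EXTENSIONS or extension(stem) not in COMMON_EXTENSIONS:
            continue
        expected_originals[proc].add(stem)
        total_writes[proc] += 1
        q = recent[proc]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and proc not in findings:
            findings[proc] = {"first_alert": ts.isoformat()}
    for proc in findings:
        findings[proc]["suspicious_writes"] = total_writes[proc]
        findings[proc]["originals_deleted"] = deleted_originals[proc]
    return findings


if __name__ == "__main__":
    print("old variant on IOC list:", matches_known_ioc(b"old-variant-bytes (constructed)"))
    print("new variant on IOC list:", matches_known_ioc(b"new-variant-bytes (constructed)"))
    print("behavioural findings:", detect_mass_encryption(SAMPLE_EVENTS))
```

The hash check answers "have we seen this exact file before", which is the question the story says failed for the new variant; the behavioural check answers "is this process doing what ransomware does", which does not depend on the binary at all. In practice the thresholds would be tuned against a baseline of normal activity, since backup agents and bulk-conversion tools can produce similar bursts, and an alert would feed the same isolate-and-restore response the article describes.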

Regularly updated antivirus software is extremely helpful in keeping computer systems safe. Yet we need multi-dimensional approaches to curb malware attacks. Raising general awareness about such threats is the need of the hour to avoid future data breaches.