What is Ransomware Anyways?
- caseyzangari
- Oct 19, 2020
- 9 min read
I know we are all on edge when it comes to viruses so you probably don't want to hear about another one right now. I get it, trust me. If you don't want to hear about "methods of infection" or "Who is responsible" I TOTALLY understand. With the plague of misinformation out there I just wanted to clear some things up before you inject your computer with bleach. So if you can take just a tiny bit more, I'd love to have a conversation with you about how ransomware works and how all these big companies get infected by it.
First off let's talk about what ransomware even is. As with everything there are lots of variations to this particular type of malicious software but in all forms the approach is more or less the same. The malicious code gains access to your computer, it gets permission to run, encrypts your files, then demands payment for the key to unlock them. Of course that's about as broad as you can get so let's dive down just a wee bit more here. We'll start from the beginning.
Why are we even talking about this ransomware? I know that seems like a silly question for a security website but it's worth talking about the why a bit. For starters it's causing quite a lot of problems for a lot of people right now. If you work in any enterprise company you have likely gotten some kind of training that discussed it. You almost certainly have seen a story about it in the news (CNN, BBC, NYT).
You may have even been unlucky enough to have fallen victim to it yourself. To put it simply, ransomware is a highly effective way to cause a lot of damage with the best odds of financial return for the attackers. In a normal hack or virus infection, you could get hit with malware that may trick you into purchasing some bogus software or service. Or perhaps a bunch of data gets stolen and the attacker sells the data on the black market. These methods can be extremely damaging and do yield results or else they wouldn't be used, but comparatively they don't pay out as much as ransomware can.
Ransomware, like its name suggests, is malware (malicious software) that encrypts any data that it gets its hands on, then demands payment before unlocking your data...Maybe. With the value of the data in mind, an attacker will undoubtedly go for data with a high sensitivity level to push the victims to pay purely due to the panic of not having that data any longer. In some cases the data is so sensitive or critical that the victim has no choice but to pay the ransom. Examples of this are healthcare records or financial records. If the victims aren't adequately prepared they'll find themselves backed into a corner where not having the data isn't an option, so they are left with no choice but to pay the ransom. On top of the loss of business while dealing with the infection, lost customer trust and the funds to pay the ransom, these entities will likely have to pay heavy fines to government agencies for not having adequate protections. Bad news bears all around right?
So how does one stop this from happening? Well before we get to those answers we need to dive into the anatomy of the attack first. I know your brain just told you to click away from the page but please hang tight with me here. I promise it's information worth understanding and as always, I'll be gentle.
Let's work our way through the attack by starting at the beginning. The infection.
There are lots of ways that hackers get into systems but as we have discussed before, the weakest link in a computer network is the users. Chances are the initial infection will come to you via an email using a carefully crafted phishing campaign. This email will likely have an attachment of some kind on it that probably looks and feels normal. Maybe it's an invite to a meeting from someone you don't know, or an invoice from a company you recognize. Whatever the case, this attachment isn't going to be what it says it is. Once you open the attachment, the code will run and start the initial infection.
"Wait but I thought we have technology that is designed to protect us against this kind of thing?"
You're right! We do! They are called firewalls, antivirus, and a whole big pile of tech that monitors, blocks, and filters. The problem here isn't that the technology isn't working, it's that the malicious code is really good at hiding itself. This is why you got an invoice, or a spreadsheet, or a calendar invite. The attacker used what we in the business call a "dropper" to hide the malicious code in something that looks normal to your computer (and all that fancy security tech). Your security staff can't block all Excel and PDF documents that come through email because that would prevent business from happening. The tech is getting really good at identifying the code behind the malicious attachments but the issue is that scanning attachments takes time and resources, which translates to money. To get around the time needed to scan these documents, the tech uses what's called signature-based detection. Essentially the tech scanning these attachments has a massive database of known malware and tries to match the code it's scanning with one of these signatures. If there is a match, the attachment is blocked. This would be fine if attackers weren't constantly finding new ways to hide their code to get around this protective tech. Hiding malware is almost an art these days and let me tell you, there are some master artists out there.
Of course there are other ways to hide malicious code from antivirus and firewalls, such as polymorphic code that changes itself so it can't be recognized. For the sake of simplicity, both our time, and sanity, we'll cover those a different time.
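To make the signature idea above concrete, here is a small added example (my own illustration, not code from the original post or from any real antivirus product). It models a mail gateway with two kinds of signature: an exact file hash, and a byte pattern that describes a family of bad attachments. The three "attachments" are constructed stand-in byte strings, not real malware; the names and signature labels are made up for the example. It shows why a hash signature stops matching the moment a single word in the file changes, which is exactly the "hiding" the post describes, and why a pattern signature survives that change but is still only as good as what someone has already seen.

```python
import hashlib
import re

# Constructed sample attachments (harmless byte strings standing in for
# what a mail gateway would scan). None of this is real malware.
KNOWN_BAD = b"%PDF-1.4\n/OpenAction << /JS (run_stage2();) >>\n%%EOF"
# The same file with one word changed: the kind of trivial edit that
# defeats an exact-hash signature.
KNOWN_BAD_VARIANT = KNOWN_BAD.replace(b"stage2", b"stage3")
CLEAN_INVOICE = b"%PDF-1.4\n/Title (Invoice 10042)\n%%EOF"


def sha256_hex(data: bytes) -> str:
    """Hash used as the exact-match signature for a known sample."""
    return hashlib.sha256(data).hexdigest()


# The "massive database of known malware", in miniature. Labels are invented.
HASH_SIGNATURES = {sha256_hex(KNOWN_BAD): "Dropper.PDF.A (hash)"}
PATTERN_SIGNATURES = [
    # A family signature: a PDF that runs JavaScript as soon as it is opened.
    (re.compile(rb"/OpenAction\s*<<.*?/JS"), "Dropper.PDF.Gen (pattern)"),
]


def scan(data: bytes) -> list:
    """Return the names of every signature the attachment matches.

    An empty list means nothing in the database recognised it, which is
    what an attacker with a freshly modified sample is counting on.
    """
    hits = []
    hash_hit = HASH_SIGNATURES.get(sha256_hex(data))
    if hash_hit:
        hits.append(hash_hit)
    for pattern, name in PATTERN_SIGNATURES:
        if pattern.search(data):
            hits.append(name)
    return hits


def gateway_decision(data: bytes) -> str:
    """Signature-based gateway rule: block on any match, otherwise allow."""
    return "BLOCK" if scan(data) else "ALLOW"


if __name__ == "__main__":
    for label, sample in [("known bad", KNOWN_BAD),
                          ("one-word variant", KNOWN_BAD_VARIANT),
                          ("clean invoice", CLEAN_INVOICE)]:
        print(f"{label:18} -> {gateway_decision(sample):5} {scan(sample)}")
```

Run it and the original sample trips both signatures, the one-word variant only trips the pattern signature (its hash is new), and the invoice passes. Drop the pattern signature and the variant sails straight through, which is the gap the post is describing: a signature database can only match what has already been catalogued, so each new disguise buys the attacker a window until someone writes the next signature.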
"So I've made a boo boo and opened the attachment, what happens now?"
I really hope that this is all theoretical otherwise some nasty things will start happening behind the scenes. This is where the bulk of the variation in code will come into play. There are lots of different things that the code could do based on how it was made or what it was designed to do. A good comparison to think about is a human virus. There are tons of different types of the common cold just like there are tons of different versions of computer viruses that essentially all do the same thing. In most cases though, the malware will need to gain more permission on the computer than it currently has. What it's about to attempt requires a bit more permission than your average user on the computer. Most of the time the account that opened the attachment won't have that permission by default, so the virus will attempt to gain those permissions in one of two ways. It will either ask you to elevate its permission, or it will use a known (or unknown) vulnerability in some installed software or the operating system. If we were comparing this to someone trying to break into a bank, one way would be asking to be let into the vault claiming they were a vault repair tech, and the other would be picking the broken lock on the back door. You may be asking yourself, who would be oblivious enough to just let someone into the bank vault just by asking?! I ask the same thing when I see people clicking "yes" on any popup that comes up on their computer just because it's mildly annoying to read. That may not seem like the most accurate comparison but they essentially function the same if you really think about it.
"Once it's taken control of my computer what does it do now?"
Gee golly you really are asking all the right questions here. What happens next is it starts to encrypt every file it can find. As with all other parts of this type of malware, it can vary on how it does this. At the end of the day though, your files are now encrypted and inaccessible without the key to decrypt them. At this point, the virus will likely give you a message that alerts you to its nefarious plans, stating that all your files are encrypted and payment will be needed in order to unlock them. With our ongoing theme, this message will vary depending on who made it, what it is, and how it works. In some cases it will claim to be the FBI or other government agency claiming you broke some law and your computer has been locked till you pay a fine. Most attackers don't bother with these antics though and just go straight to the "We got you, pay us or else."
If the ransomware virus is advanced enough or if an attacker was directly on the other end of the line controlling it, the virus can spread to other systems using the same credentials it used earlier. If an attacker was able to gain the credentials of a high enough user, say an administrator of the company, the infection could spread everywhere that user had access to. If the network wasn't set up with adequate security, this could mean the attack can spread to everything and lock the whole computer system. Big old yikes. This is especially bad if it finds its way to the company backups and locks those too.
"Why can't we just unlock it?"
Unfortunately in this case encryption is so strong these days that breaking the highest level of encryption by guessing the key would take years. For reference, AES-256 is thought of as the gold standard of encryption. According to this article here, in order to systematically guess the key to break the encryption on a file locked with that algorithm, it could take the world's fastest supercomputer upwards of 27,337,893,038,406,611,194,430,009,974,922,940,323,611,067,429,756,962,487 years. Since that's slightly longer than we have to get our data back, cracking the encryption using a brute force method just isn't going to fly.
"So we are just stuck paying?"
Yes and no. Like with everything, it depends. If you have offsite backups that weren't hit and you can accept the loss of data between when the backups last ran and the time of infection then you could theoretically restore the data. Unfortunately if you are someone like a hospital, you probably need that information so you may have to pay. This is also where the problem lies. If companies pay the ransom, it will encourage this attacker and others to attack more targets. It works so why not do it again right? The US government is actually stating they don't advocate paying either. It's also worth noting that if you pay the attackers, you still may not get your data back. It's totally possible that the attackers will just take your money and run without sending you the decryption key. This really isn't in the best interest of the attacker since they want people to pay and people will stop paying if they don't get their data back. Let's say you do pay the large price tag and you get the key from the attackers. This STILL won't guarantee you'll get your data back in one piece. Encryption is a risky business that when not done correctly can actually do a lot of damage, including making your files unrecoverable. It would be absolutely horrible to have paid the ransom and still lost all your data.
"So we can't pay, and just suffer the loss of data? That's hardly a solution. What are we even supposed to do then?!"
We be better.
Let me be direct here. Yes, in some cases malware and attackers can get in and take over your computer without your help. But since this type of attack method usually requires a known vulnerability (which is often quickly fixed) or a highly skilled team (which most aren't) it then falls on the next best route of attack, the user. Getting a user to click on an attachment is pretty easy and the reality of it is all it takes is one person to do so to bring down a whole company. You, me, everyone need to be more conscious of what we are clicking on otherwise this will keep happening. A healthy amount of suspicion goes a long way and could make the difference between life and death. I'm not exaggerating with that either.
There are tons of other things that we tech folk are working on and implementing to mitigate these kinds of attacks but I wanted to keep this simple to give you an idea of what ransomware is, how it works, and what you can do as a user to stop it. Claiming you don't know what you are doing just makes your IT team nervous and shows the company you work for that you are a vulnerability. Now more than ever before, security is a team effort and we all need to contribute. Kind of like how battling another virus requires everyone's participation. Something something, wear your damn mask.