Ransomware is malware that installs covertly on a victim’s device (a computer, a smartphone, or even a smart wearable) and either holds the victim’s data hostage by encrypting it or threatens to publish it until a ransom is paid. In short, ransomware stops you from using your PC or files until you pay the “ransom”.
It usually targets PC users, whether on a home computer, on key nodes in an enterprise network, or in a datacenter. The ransomware may also encrypt the Master File Table (MFT) or the entire hard drive! Because access, not just data, is taken away, it is also called a denial-of-access attack. A ransomware infection will typically:
- Prevent you from accessing the machine
- Encrypt files so you can’t use them
- Stop certain apps or processes from running
What is the Deal then?
Initially popular in Russia, the use of ransomware scams has grown internationally. In June 2013, security software vendor McAfee released data showing that it had collected over 250,000 unique samples of ransomware in the first quarter of 2013.
Wide-ranging attacks involving encryption-based ransomware began to increase through Trojans such as CryptoLocker, which had procured an estimated US$3 million before it was taken down by authorities, and CryptoWall, which was estimated by the US Federal Bureau of Investigation (FBI) to have accrued over $18m by June 2015.
How does it Work?
The attacker generates a key pair and places the corresponding public key in the malware. The malware is released.
To carry out the cryptoviral extortion attack, the malware generates a random symmetric key and encrypts the victim’s data with it. It uses the public key in the malware to encrypt the symmetric key. This is known as hybrid encryption and it results in a small asymmetric ciphertext as well as the symmetric ciphertext of the victim’s data. It zeroizes the symmetric key and the original plaintext data to prevent recovery. It puts up a message to the user that includes the asymmetric ciphertext and how to pay the ransom. The victim sends the asymmetric ciphertext and e-money to the attacker.
The attacker receives the payment, deciphers the asymmetric ciphertext with the private key, and sends the symmetric key to the victim. The victim deciphers the encrypted data with that symmetric key, thereby completing the cryptovirology attack.
The symmetric key is randomly generated and will not assist other victims. At no point is the attacker’s private key exposed to victims and the victim need only send a very small ciphertext to the attacker (the asymmetric ciphertext).
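The three steps above can be modelled in a few dozen lines, which makes the defender-relevant properties concrete: the "asymmetric ciphertext" the victim is asked to send is a single RSA block (256 bytes for a 2048-bit key), every victim gets an independent symmetric key so one recovered key helps nobody else, and nothing on the victim's machine can unwrap that key without the private half that never leaves the attacker. This is why offline decryptor tools work only when a private key has leaked or the malware author botched the key handling. The Go program below is an added example written for this page, not code from the original article; it uses only the Go standard library (RSA-OAEP to wrap an AES-256-GCM key), operates on a constructed in-memory byte string rather than files, and the names `GenerateKeyPair`, `HybridEncrypt`, `UnwrapKey`, `SymmetricDecrypt` and `sampleData` are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample "victim data" standing in for a file; no real files are touched.
var sampleData = []byte("constructed sample: contents of one victim file")

// HybridCiphertext holds the two artifacts the text describes: the small
// asymmetric ciphertext (the symmetric key wrapped under the attacker's public
// key) and the symmetric ciphertext of the data.
type HybridCiphertext struct {
	WrappedKey []byte // RSA-OAEP(pub, symmetricKey): the only thing the victim must send back
	Nonce      []byte // AES-GCM nonce, stored alongside the data ciphertext
	Data       []byte // AES-GCM(symmetricKey, plaintext)
}

// GenerateKeyPair models step one: the key pair whose public half is embedded
// in the malware and whose private half never leaves the attacker.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// HybridEncrypt models step two for one victim: a fresh random symmetric key,
// the data encrypted under it, and the key wrapped under the public key. The
// local copy of the key is then zeroized, so recovery needs the private key.
func HybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (*HybridCiphertext, error) {
	key := make([]byte, 32) // AES-256 key, random per victim
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	data := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key { // zeroize: from here on only the private key can unwrap it
		key[i] = 0
	}
	return &HybridCiphertext{WrappedKey: wrapped, Nonce: nonce, Data: data}, nil
}

// UnwrapKey models the attacker-side step after payment: only the holder of
// the private key can turn the small asymmetric ciphertext back into the key.
func UnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}

// SymmetricDecrypt models the victim-side recovery once the key is returned.
// A key from a different victim fails GCM authentication instead of yielding junk.
func SymmetricDecrypt(key []byte, ct *HybridCiphertext) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, ct.Nonce, ct.Data, nil)
	if err != nil {
		return nil, errors.New("decryption failed: wrong key or tampered data")
	}
	return pt, nil
}

// newGCM builds the AES-GCM AEAD for a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, _ := GenerateKeyPair()
	ct, _ := HybridEncrypt(&priv.PublicKey, sampleData)
	fmt.Printf("wrapped key: %d bytes, data ciphertext: %d bytes\n", len(ct.WrappedKey), len(ct.Data))
	key, _ := UnwrapKey(priv, ct.WrappedKey)
	pt, _ := SymmetricDecrypt(key, ct)
	fmt.Printf("recovered with private key: %q\n", pt)
}
```

Run it with `go run .`; the two `Printf` lines show the 256-byte wrapped key next to the data ciphertext and the successful round trip. The interesting checks are the negative ones: unwrapping with an unrelated private key returns an error from `rsa.DecryptOAEP`, and feeding another victim's symmetric key into `SymmetricDecrypt` fails the GCM tag check, which is exactly why a key recovered from one infection cannot be reused across victims.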
There are a number of tools intended specifically to decrypt files locked by ransomware, although successful recovery may not be possible.