At the end of March 2018, the city government of Atlanta in the United States (US) was hit by ransomware, and many of its administrative systems were paralyzed. For about five days (120 hours), civil complaints and other city services had to be handled with paper and pen. This was not an isolated event: fear of ransomware is spreading throughout the world. Some readers, Kingos among them, may themselves have lost personal study materials to ransomware. Ransomware, which caused a great deal of controversy last year, is threatening people again this year, and it is expected to keep changing its characteristics as time goes by. In this article, the Sungkyun Times (SKT) looks at what ransomware is, how serious it is, how it is changing, and how it can be dealt with.
What Is Ransomware?
Appearance of Ransomware
Ransomware is a compound of “ransom” and “malware”. Once installed on a computer without the user’s consent, it encrypts the user’s files and holds them hostage for money. Infected files typically receive a new file extension and can no longer be opened. The first ransomware, the AIDS Trojan, appeared in 1989. It used encryption to lock users out of their systems and demanded money for recovery: after distributing the program at random, its author asked $189 in exchange for the recovery tools. In those early days, however, it was hard to profit from ransomware because the payments were easy to trace. Ransoms were collected through channels such as premium-rate text messages or bank transfers, so investigators could identify the attacker simply by following the money. Ransomware such as GPCoder, Vundo, and Reveton followed the AIDS Trojan, but the situation did not change much. As tracing techniques improved, more attackers were arrested, and the profitability of ransomware fell accordingly, so ransomware gradually faded from about 2005.
Hash Functions and the Revival of Ransomware
Ransomware began to thrive again from 2009, when Bitcoin appeared. What Bitcoin gave attackers was a payment channel that is pseudonymous and hard to trace back to a person, which removed the weakness that had made early ransomware unprofitable. Bitcoin secures its transaction ledger with hash functions. A hash function takes input data of any size and produces a result (the hash value) of a fixed length. There is no simple relationship between the input and its hash value, and even a tiny change in the input changes the hash value completely. For instance, hashing “His wish is to win the competition” and “Her wish is to win the competition” gives two values that look totally unrelated, even though the inputs differ in only two letters (two made-up values such as “FDCE34912A2D” and “932E2ACEC1B” give the idea; a real SHA-256 hash is always 64 hexadecimal characters). Because of this property, it is practically impossible to recover the input from its hash value. Note that a hash function is not itself encryption: the victim’s files are locked with an encryption cipher whose key is held only by the attacker, so the victim cannot decrypt them without paying. Using this hard-to-trace payment system, ransomware began targeting the data itself rather than the machine, unlike earlier viruses. The CryptoLocker ransomware, for example, which appeared in 2013, caused more than $3 million of damage. In the past, document, picture and music files (JPGs, MP3s) were mainly encrypted. Recently, however, the range has extended to more complex files such as AVI video, Computer Aided Design (CAD) drawings, and compressed archives.
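To make the two properties above concrete (fixed-length output and the avalanche effect), and to show when a hash value can in fact be reversed, here is a short added example in Python that is not part of the original article. It uses the standard hashlib module with the two sentences from the paragraph as input; the candidate list used for the brute-force part is a constructed assumption, standing in for a password list or any other small set of guessable inputs.

```python
import hashlib
from typing import Iterable, Optional

# The two inputs from the article, differing in only two letters.
SENTENCE_A = "His wish is to win the competition"
SENTENCE_B = "Her wish is to win the competition"


def sha256_hex(text: str) -> str:
    """SHA-256 of the UTF-8 encoding of text; always 64 hex characters."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche_demo(a: str, b: str) -> dict:
    """Hash two inputs and measure how much of the output changed.

    For a good hash function roughly half of the 256 bits flip even when
    the inputs are nearly identical.
    """
    digest_a, digest_b = sha256_hex(a), sha256_hex(b)
    return {
        "digest_a": digest_a,
        "digest_b": digest_b,
        "digest_len": len(digest_a),          # fixed: 64 hex chars = 256 bits
        "bits_changed": bit_difference(digest_a, digest_b),
        "bits_total": 256,
    }


def recover_preimage(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Try to reverse a hash by brute force over a candidate set.

    A hash is 'one-way' only for inputs the attacker cannot enumerate.
    If the original input comes from a small or predictable set (a short
    password, a known phrase), hashing every candidate finds it quickly.
    The candidate list here is a constructed assumption for the demo.
    """
    for candidate in candidates:
        if sha256_hex(candidate) == target_hex:
            return candidate
    return None


if __name__ == "__main__":
    result = avalanche_demo(SENTENCE_A, SENTENCE_B)
    print(result["digest_a"])
    print(result["digest_b"])
    print(f"{result['bits_changed']} of {result['bits_total']} bits changed")
    guessable = [SENTENCE_A, SENTENCE_B]
    print("recovered:", recover_preimage(sha256_hex(SENTENCE_B), guessable))
    print("recovered:", recover_preimage(sha256_hex("k7#Qz9!vLp2@wX"), guessable))
```

The second brute-force call fails because the random-looking input is not in the candidate list; that, not any secrecy of the hash function itself, is what makes the hash irreversible in practice.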
Dangers of Ransomware
According to the Ransomware Computer Emergency Response Team Coordination Center (RanCERT), the number of ransomware victims in Korea is expected to grow from 53,000 to 400,000 a year over the next three years, with annual damage rising from ₩109 billion to ₩1.5 trillion. Worldwide, ransomware damage was expected to exceed $5 billion in 2017. New varieties of ransomware are still being created, and the number of known families has reached the hundreds. The most destructive so far was WannaCry, which appeared in May 2017. According to the White House, 300,000 computers in 150 countries were infected with WannaCry within just four days. It hit not only individuals but also corporations and government-related organizations, including Deutsche Bahn AG, FedEx, and Telefónica. After this incident, countries recognized that ransomware not only harms individuals but can also serve as a weapon between states. In December 2017, the White House publicly attributed WannaCry to North Korea and condemned the attack. Ransomware, in other words, can cause serious damage to nations as well as to individuals’ computers. Even people who are fully aware of ransomware remain exposed to it. One victim, who lost all the files on his computer, said, “I am afraid to go online. It is frustrating, and I cannot say whether people should or should not be on the Internet in the future.”
Change in Ransomware
Refining Targets Through Victim Profiling
Whereas earlier ransomware attacked indiscriminately, newer ransomware profiles its targets before the attack. It not only selects targets but also examines their situation and how much money could be extracted from them. It then attacks critical systems and services, including backups where it can reach them, so that the victim cannot simply restore from backup and wait, and only then demands the ransom. Finally, by setting the ransom at a level the victim can rationally afford, it maximizes the chance of being paid. Using these methods, SamSam ransomware is reported to have extorted millions of dollars in 2018 from hospitals, city governments such as Atlanta, and other public institutions.
Lowered Entry Barrier for Initiating Attacks
Until recently, the person who wrote the ransomware was also the one who deployed it. With the appearance of ransomware as a Service (RaaS), however, the producer and the attacker can be different people. Attackers who want to use ransomware for financial gain but lack the skills to build it can use RaaS: the producers sell or license their ransomware to the attackers as a service and take a share of the profits the attackers earn. As a result, anyone with enough money can obtain ransomware, and as access became easier the number of attacks increased. The most representative example is Cerber. Attackers bought and spread it on condition of sharing 40% of their revenue with the producers; as a result, Cerber accounted for 52% of the domestic ransomware damage cases counted by the Korea Internet & Security Agency (KISA) in the second half of last year. There is even a RaaS that requires no money at all: Satan. Its creator provided the code to attackers free of charge, the only condition being a 30% share of their revenue. Now that ransomware is available without either technical skill or capital, it is impossible to estimate how many attacks we will see in the future.
|Satan Ransomware/ etnews.com|
Targets Beyond Computers
|Smartphone Ransomware/ it-story.tistory.com|
It is not only computers and laptops but other electronic devices too that have come within range of ransomware. The first was the smartphone. In October 2017, the security company ESET discovered a ransomware called DoubleLocker installed on smartphones, confirming that ransomware had already extended to mobile devices. The second was the Internet of Things (IoT). Many IoT devices are connected over Bluetooth, and since Bluetooth is relatively insecure, ransomware can plausibly enter through it. According to ESET, it is possible with current technology to infect a smart refrigerator with ransomware, raise its temperature, and demand a ransom. British security researchers have actually shown that this can happen: they infected a room thermostat with ransomware, set the temperature to the maximum, and demanded a ransom for returning control of the device. Until the payment was made, the device would not respond at all. It was a one-time demonstration, but it was enough to prove that IoT ransomware can appear at any time, anywhere. Lastly, ransomware can be applied to robots, too. Lucas Apa, a researcher at the security company IOActive, proved that robots can also be targets of ransomware. He developed ransomware and loaded it onto a humanoid robot, maliciously changing its behaviour. As a result, the robot’s display showed pornographic content, and the robot used curse words and even acted violently. The precondition for the attack was simple: connecting a computer to the same Wi-Fi network as the robot. If the technology develops and ransomware is inserted into an autonomous vehicle, it may lead to situations where human life is put in danger.
|IoT Infected with Ransomware/ zdnet.co.kr|
Response Against Ransomware
Threat Hunting as a New Security Paradigm
Conventional security systems evolved by adding each newly discovered threat to a list of known signatures. Without constant updates, therefore, a system is immediately exposed to the latest malware, and even an updated system cannot stop the first, previously unseen attack. This weakness limited how well conventional defenses could block ransomware, which continuously spawns new variants. Threat hunting emerged as one answer. Threat hunting is the practice of proactively searching networks, endpoints and log data for signs of intrusion that automated defenses have missed, so that an attacker who has already gained a foothold, or a weakness that ransomware could exploit, is found before the damage is done. Fixing what is found as quickly as possible is part of the process. Figuratively speaking, conventional security was a “treatment” applied after the problem occurred, whereas threat hunting is “prevention” that runs repeatedly before the problem occurs. Far more data is examined in threat hunting; the coverage of the previous approach is just the tip of the iceberg by comparison. Organizations practising threat hunting have reported reducing the time to detect and investigate threats by 50%.
|While previous systems dealt with the size of an iceberg above water, threat hunting deals with the size of the whole iceberg/ m.comworld.co.kr|
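As an added illustration, not taken from the original article or from any vendor’s product, the following Python script shows what a simple ransomware hunt over endpoint file-activity logs looks like. The log format, host and process names and the events themselves are constructed for the demo. The hunt flags any process that changes the extension of many files within a short window, which is the behaviour that distinguishes a file-encrypting process from a user editing documents, and any newly created file whose name looks like a ransom note. The threshold is deliberately low for the sample data and would be tuned against a real fleet’s baseline.

```python
import ntpath
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed endpoint file-activity events for this demo (not real telemetry).
# One benign document edit, one benign rename by explorer.exe, then a process
# in a Temp folder that re-extensions five documents in a few seconds and
# drops a ransom note.
SAMPLE_EVENTS = r"""
2018-03-22T05:00:01 host=ws17 pid=3012 image=C:\Program Files\Office\winword.exe op=WRITE path=C:\Users\bob\Docs\memo.docx
2018-03-22T05:00:40 host=ws17 pid=2200 image=C:\Windows\explorer.exe op=RENAME path=C:\Users\bob\Docs\draft.txt newpath=C:\Users\bob\Docs\final.txt
2018-03-22T05:01:03 host=ws17 pid=4120 image=C:\Users\bob\AppData\Local\Temp\svc.exe op=RENAME path=C:\Users\bob\Docs\report.docx newpath=C:\Users\bob\Docs\report.docx.locked
2018-03-22T05:01:04 host=ws17 pid=4120 image=C:\Users\bob\AppData\Local\Temp\svc.exe op=RENAME path=C:\Users\bob\Docs\budget.xlsx newpath=C:\Users\bob\Docs\budget.xlsx.locked
2018-03-22T05:01:04 host=ws17 pid=4120 image=C:\Users\bob\AppData\Local\Temp\svc.exe op=RENAME path=C:\Users\bob\Docs\thesis.pdf newpath=C:\Users\bob\Docs\thesis.pdf.locked
2018-03-22T05:01:05 host=ws17 pid=4120 image=C:\Users\bob\AppData\Local\Temp\svc.exe op=RENAME path=C:\Users\bob\Pictures\photo.jpg newpath=C:\Users\bob\Pictures\photo.jpg.locked
2018-03-22T05:01:06 host=ws17 pid=4120 image=C:\Users\bob\AppData\Local\Temp\svc.exe op=RENAME path=C:\Users\bob\Docs\notes.txt newpath=C:\Users\bob\Docs\notes.txt.locked
2018-03-22T05:01:07 host=ws17 pid=4120 image=C:\Users\bob\AppData\Local\Temp\svc.exe op=CREATE path=C:\Users\bob\Docs\HOW_TO_DECRYPT_FILES.txt
""".strip().splitlines()

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) "
    r"op=(?P<op>\w+) path=(?P<path>.+?)(?: newpath=(?P<newpath>.+))?$"
)
# File names ransomware families commonly use for the note they leave behind.
RANSOM_NOTE_RE = re.compile(r"(readme|how_to|decrypt|restore|recover).*\.(txt|html?)$",
                            re.IGNORECASE)

WINDOW = timedelta(seconds=60)
RENAME_THRESHOLD = 5   # deliberately low for the sample; baseline this per fleet


def parse_events(lines: List[str]) -> List[Dict]:
    """Parse the constructed log format into dicts; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def extension(path: str) -> str:
    # ntpath handles Windows-style paths regardless of the analyst's own OS.
    return ntpath.splitext(path)[1].lower()


def hunt(events: List[Dict], threshold: int = RENAME_THRESHOLD,
         window: timedelta = WINDOW) -> List[Dict]:
    """Return findings for mass extension changes and ransom-note creation."""
    findings = []
    recent = defaultdict(deque)   # (host, pid) -> timestamps of extension-changing renames
    already_flagged = set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["host"], e["pid"])
        if e["op"] == "RENAME" and e["newpath"] and extension(e["newpath"]) != extension(e["path"]):
            q = recent[key]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and key not in already_flagged:
                already_flagged.add(key)
                findings.append({"kind": "mass_extension_change", "host": e["host"],
                                 "pid": e["pid"], "image": e["image"], "count": len(q)})
        elif e["op"] == "CREATE" and RANSOM_NOTE_RE.search(ntpath.basename(e["path"])):
            findings.append({"kind": "ransom_note", "host": e["host"], "pid": e["pid"],
                             "image": e["image"], "path": e["path"]})
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Run against the sample, the hunt produces two findings for the same process: a burst of five extension changes within the window, and the ransom note it dropped. Neither rule needs a signature for the specific ransomware family, which is the point of hunting on behaviour rather than on known samples; in a real deployment the same logic would be run as a scheduled query over the EDR or file-audit logs of the whole fleet.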
Close Cooperation Between Security Agencies
Each country has a cyber-security system with two or more responsible departments: five in the US, ten in the UK and six in Korea. For these departments, each with its different role, to work effectively, close cooperation is necessary. Baek Seung-won, a director at the KISA, supported this argument, saying, “For effective cyber security response, there is a need to have a system of cooperation between agencies performing practical functions”.
As the title says, ransomware is not over; it is still changing. No one can keep individuals totally safe from ransomware, so individuals must do their best to protect themselves. The SKT hopes this article serves as a warning about ransomware. Dear Kingos, prepare for ransomware with regular file backups kept disconnected from your computer, and with prompt Windows updates! Stay Alert!
<Copyright © THE SUNGKYUN TIMES, unauthorized reproduction and redistribution prohibited>