How Does Ransomware Work?
Cybersecurity expert Sherri Davidoff walks you through the history of ransomware, how it works, and how to respond (including negotiating tips) when you are faced with the most common form of denial extortion.
This material is excerpted from Davidoff's book Data Breaches: Crisis and Opportunity, which offers practical guidance for reducing risk and mitigating consequences for cyberattacks that compromise company (and customer) data.
Ransomware is software designed to lock up user files or entire operating systems in exchange for a fee. Modern ransomware outbreaks commonly begin in one of two ways:
- Phishing: The attacker sends a phishing email or social media message to an employee. The employee clicks on the link, which infects a workstation with malware.
- Remote login: Attackers scan the Internet searching for remote login interfaces with default or weak account credentials. Once obtained, they can access the systems themselves or sell access to other criminals.
Once the attacker installs ransomware, typically:
- The ransomware encrypts files on the local computer, as well as writable network shares and accessible cloud storage repositories. Depending on what files the user has access to, this can prevent him or her from accessing a large volume of valuable data, potentially crippling operations.
- An electronic "ransom note" appears on the user's desktop or screen, notifying the user of the encryption and providing the user with an opportunity to purchase decryption keys. Often, a deadline is included, after which the price for the decryption keys increases substantially. Some strains of ransomware also permanently delete files periodically (e.g., every hour).
- If the victim pays the ransom, the criminal (theoretically) provides a decryption key, which will allow recovery of all or part of the volume of affected files.
Ransomware can wreak havoc, particularly if it spreads through an organization's network. In addition to denying access to the victim's data, attackers may steal or access sensitive information, which means that a ransomware infection may also constitute a data breach. Even if the operational impacts are short lived, the fallout from the data breach aspect may be long term and significant.
Encryption and Decryption
The first known ransomware, the AIDS Trojan, was released in 1989 by biologist Joseph Popp, who studied baboons in East Africa. He distributed the AIDS Trojan by mailing a floppy disk labeled "AIDS Information - Introductory Diskettes" to 20,000 AIDS researchers across 90 countries. After 90 reboots, the malware hid directories and encrypted filenames, and instructed victims to send $189 to a P.O. box in Panama in order to obtain a repair tool. The malware had a critical flaw, however: It used symmetric key cryptography, meaning the same key was used to encrypt and decrypt. Moreover, the key was the same for all victims, and defenders quickly developed decryption tools.1
In late 2004, modern ransomware emerged and began to spread via phishing and web-based attacks. This early ransomware was clunky and often had deficiencies that allowed savvy users to bypass the malicious software and regain access to their data without paying a fee. For example, Kaspersky2 Labs reported encountering a new malware strain called GPCode, which encrypted files and left behind a ransom note that instructed the victim to "buy our decryptor" by contacting the attacker at a Yahoo email address. The researchers found that GPCode was likely of Russian origin and used a custom-written encryption algorithm that was easy to break. The author quickly fine-tuned the malware and released new, stronger variants, eventually switching to the strong RSA encryption algorithm.
Over the next several years, ransomware authors experimented with different models of extorting money from victims, including fake antivirus scans, which locked the user's computer and posted a warning on the screen requiring the user to call to "activate" the antivirus license. This evolved into law-enforcement-themed locker ransomware, which locked the victim's computer and posted a notice from law enforcement that accused the user of downloading pirated data or viewing pornography. The victim was told to "pay a fine" in order to have the computer unlocked. "[I]n the early days, attackers tricked victims into downloading fake tools to fix computer issues," wrote Symantec researchers. "Eventually, it dropped any pretense of being a helpful tool to just displaying a blatant request for payment to restore access to the computer."3
In some cases, ransomware strains delete but do not overwrite the original files, enabling forensic analysts to use common file recovery software to restore the original content. Another recovery tactic is to attempt to reverse-engineer the decryption key. If an analyst has access to both encrypted files and a sample of the original, nonencrypted files, then in some cases it may be possible to use cryptographic techniques to determine the key. However, this takes time and computing power, if it is possible at all.
Over time, ransomware developers refined their software and processes. Ultimately, they found that asymmetric cryptography was an effective means of rendering victims' files inaccessible. Attackers encrypted the victim's files with one key and held the corresponding decryption key hostage until they received payment. When implemented carefully, it is virtually impossible for victims to recover their files without a backup.
CryptoLocker was one widespread ransomware variant that emerged in 2013 and leveraged strong encryption (researchers observed it using the popular RSA algorithm with up to 2048-bit keys). It also overwrote the original files, rendering them impossible to recover even for forensics experts.4 In 2014, a team of law enforcement agencies and security firms infiltrated the botnet used to spread CryptoLocker and captured a huge database of private keys, enabling many victims around the world to finally decrypt their data.
Today, many reputable security firms have released tools that can decrypt popular ransomware strains, either leveraging implementation issues or available private keys. Sites such as NoMoreRansom.org can help defenders determine their ransomware strain and quickly obtain decryption utilities. While there is no guarantee that these tools will be successful, it is often worth trying as a first step.
Before cryptocurrency existed, it was difficult for cybercriminals to extort payments over the Internet. Cybercriminals attempted to collect payment using wire transfers, payment voucher systems such as MoneyPak or paysafecard, or more creative methods such as text messages to premium phone numbers. All of these payment transfer systems were brokered by a third party and could potentially leave a trail that would help law enforcement track down the attacker. As a result, criminals typically used a money-laundering service in conjunction with a money transfer method.5
The rise of Bitcoin gave criminals a new, convenient option. When CryptoLocker erupted in 2013, it accepted payment using either Bitcoin or prepaid cash voucher. Victims in the United States were typically given 72 hours to pay the equivalent of $300. The ransom note warned that the victim's decryption key would be destroyed when the deadline passed, rendering the files permanently unrecoverable. However, victims reported that they could still purchase the key even after the deadline—at a much higher price.
Cryptocurrency dramatically reduced the risk of engaging in cyber extortion, which in turn caused the crime to proliferate. By 2014, a wide range of ransomware had sprung up that instructed bewildered victims to pay using cryptocurrency. Since most nontechie users were not familiar with Bitcoin, ransomers often left user-friendly, detailed instructions that walked the victim through the process of purchasing and transferring cryptocurrency.6
At first, the majority of cryptocurrency ransom demands were relatively small, on average about $300. Criminals soon realized, however, that when they locked up an organization (as opposed to an individual), they had leverage to extort far larger sums of money. For example, in 2015 the Swedesboro Woolwich School District in New Jersey was held hostage for 500 bitcoins (approximately $124,000 at the time).7 This trend became more widespread, particularly as more and more organizations purchased cyber insurance that covered large ransom payments.
In 2018, sophisticated ransomware evolved that encrypted individual file shares and devices with different keys ("key differentiation"). That meant criminals could charge victims money to recover each individual file share or storage device.8