HistoryRansomware
Ransomware It is believed to have been discovered in 1989, in the form of AIDS Info Disk Trojan also called PC Cyborg Trojan (PCT) created by Dr. Joseph Popp, a biologist with a doctorate from Harvard University. PCT infects data stored on floppy disk (floppy disk) 5.25 inches. Each time the diskette is accessed, the PCT replaces its file autoexec.bat on the victim’s computer and it will monitor booting what the computer does. When booting has reached a count of 90 times since being infected with PCT, it will hide all directories and encrypt everything, as well as demanding a ransom of 189 dollars to be paid to PC Cyborg Corporation in Panama via post.
Figure 1: Ransom Demand from AIDS Info Disk Trojan or PCT
Since then there have been at least 23 cases of ransomware that have been sticking out to the public until now. Among the most famous are CryptoLocker, which appeared twice in 2013, and CryptoWall which appeared 4 times in 2014 and 2015 (three times). Countries most affected by the emergence of ransomware are the United States, Japan, the UK, Italy, Germany, and Russia. 2015 was the year of attacks ransomware most massive in historical records.
Types of ransomware
There are generally 2 types of ransomware:
- Locker ransomware, which is ransomware that locks user access to a system or device. So, locker ransomware performs a locking action on a file or computer device and then demands a ransom to open the lock. Sometimes what is locked is a file or software. However, sometimes what is locked are functions hardware, such as the inability to function of some or all buttons keyboard and mouse, or something similar. Ransomware of this type has a lower level of interference and is easier to handle due to its locking-only nature. When it can be cleaned up and dealt with, by deleting the script or other means, the problem is resolved, and so the threat level of ransomware of this type is low. The ransom money that came in was even less.
- Crypto ransomware, which is ransomware that prevents users from accessing files or data, either with encryption files or other methods. Ransomware This type is designed to search for valuable data on a computer, and then make that data inaccessible. Many people don’t have time to back up the data and are not aware of the threats that could occur to that data. This is the weakness targeted by crypto-ransomware. With the level of loss and disruption caused, ransomware of this type is a scourge. The more important and urgent the data a user has, the greater the risk of harm posed. Therefore, developers ransomware spreads more ransomware of this type. The higher the threat level, the greater the probability of the ransom being paid and the greater the profit.
Read Also: Tips for Securing your WordPress Website from Data Injection/Damage
Attack method ransomware
Asmalware generally, ransomware attack using a trojan that is disguised as a file or harmless application, then used to perform an action on it trojan that, in either formdownload (download) or open it. However, there are three methods most often used by spreaders ransomware:
- Exploit
Exploit is a tool used to search for vulnerability (system weakness) so that when a weakness has been discovered, spread ransomware can use these weaknesses to insert ransomware. Usually, malicious code embedded in a website (usually in the form of advertisements), when accessed, will perform a redirect to the page that led the user to download the exploit.
- Appendixemail
Spreaderransomware creates an email that seems trustworthy. Examples are job offers, newsletter IT information, and emails from deep social institutions and such email is attached files Whichexecutable such as .exe, .doc, .js, .msi, .ppt, or others, even though they contain ransomware. When the attachment is opened or downloaded, ransomware is secretly being infected into computers.
- Link(link) in email
Like the attachment method email, spreading ransomware with the method link makes the email seem trustworthy. However, emails contain links that are very interesting to click on, or even content emails instruct the user to click on the link. When clicked, the URL of the link downloadsfile which contains ransomware infects computers.
Apart from these three methods, they also use other methods that are generally used to spread malware like email spam, SMS spam, software downloader, affiliate business, social engineering, and also through penetration.
How to spread ransomware benefit?
Spreaderransomware profits from the ransom money (ransom). However, what about spreaders? ransomware can get their ransom safely and smoothly? If they display a bank account, it will certainly be easily reported and immediately blocked by the bank concerned. They are not at a loss, there are many ways to ensure the ransom money reaches them safely.
AIDS Info Trojan, ransomware First, use the method of sending a check to a mailbox in Panama. Ransomlock Trojan, ransomware was rampant in 2009 using payment methods wire transfer, whereas ransomware in later years generally used Paysafecard, MoneyPak, Ukash, CashU, and MoneXy. Even some ransomware Existing ones still use some of these payment methods.
The emergence of Bitcoin in 2009 changed the way people view digital payment tools. The reason is, Bitcoin is a decentralized payment tool. This means that it does not have a dependence on one party. Like the bank account you have, it is centralized at that bank. When the bank blocks your account, you can’t do anything. However, this is not the case with Bitcoin. Bitcoin uses distributed database nodes from the network peer-to-peer to the transaction journal. Bitcoin also uses cryptography to provide basic security functions, such as ensuring that only people can own it. So, Bitcoin is the perfect means of payment to demand ransom from ransomware!
Ransomware those that have developed recently almost all use Bitcoin to collect ransoms. The question is, how can victims send Bitcoin while their computers are affected by malware and inaccessible? Spreaderransomware has accommodated this. Ransomware intentionally does not turn off functions networking from the computer so that the victim can still send Bitcoin, even the spreader ransomware also provides “facilities” for victims to find out what Bitcoin is and watch Bitcoin tutorial videos. Extraordinary!
Picture 2: Ransom request with Bitcoin
Next question, let’s say they get a lot of Bitcoin, then how do they cash it out?
First, as already mentioned, Bitcoin is decentralized, uses a distributed database, uses encryption to verify ownership, etc. This all makes Bitcoin possible to own anonymously! Bitcoins can also be stored on a personal computer in a format file wallet or stored by a service wallet third party. Apart from all that, Bitcoins can be sent via the internet to anyone who has a Bitcoin address. Topology peer-to-peer Bitcoin and its lack of a single administration make it impossible for any authority, any government, to manipulate the value of Bitcoin or cause inflation by producing more Bitcoin.
Second, to penetrate ransomware usually do Bitcoin laundering, namely by transferring their bitcoins through some block transfer wallets, then adding some layer in the process to randomize the pattern and eliminate traces. Or, they can manipulate a job online from which they earn cash. Of course, this makes it difficult for people to separate and differentiate between real transactions and transactionsBitcoin-laundering.
Figure 3: Bitcoin transactions
How to prevent ransomware?
One effective way to deal with threats of ransomware is to suggest data on a regular basis. However, ransomware The latest rumor is that it doesn’t just encrypt files, but also encryptsWindows system restore points. Therefore, it’s best to backup data or restore points stored on a separate system that is not accessed by the network so that it can effectively restore data if attacked by ransomware.
Other ways to prevent ransomware attacks include the following steps:
- Educate employees about the basics of computer security, especially about malware, how it spreads, and how to prevent it
- Tightening restrictions (restriction) on the system. By limiting access to data and applications, determining role and password, code execution ransomware can be inhibited from spreading to the system.
- Reduce the number of users who have the role of administrator and restrict access. Partransomware is designed to attack account administrators in acting. Reducing the account administrator, will slow down the rate of spread and reduce the probability of the system being infected by ransomware.
- Maintenance and updating software periodically. Up-to-date software will have greater immunity and a better level of security in the face of interference with malware. Mainly software related to security such as antivirus, anti-malware, and firewall.
In addition to the above measures, we also need to take measures to prevent the spread of malware at the system level because of course it is impossible 100% for us to prevent people from opening websites and emails. This task needs to be done by the system administrator. Among the steps are:
- Using anti-malware which is reliable for detecting and blocking ransomware. Use anti-malware which always updates towards the latest.
- Usefirewallwho does whitelisting and blacklisting on data traffic is often a factor in the success of the system prevented from malware in general.
- Applyemail filtering a tight one that can filterpamandemail which could potentially bring malware.
- Blockattachment. This is a big policy, but it is worth considering for the sake of company security and stability. Ransomware often attacks through attachments from email through executable files, macros, or hidden scripts. Not only malware, potential virus attacks are also lurking. Data transmission can be replaced by using a safer information system or other media.
- Eliminatelocal administrator. Eliminating roles admin on individual computers can reduce the risk of spreading ransomware which generally requires access to change systems and directories as well as registry and storage. Eliminating local administrators can also prevent illegal access to change resource critical and files important.
- Provide limits touser for the capability to take action write to the system, limiting user directory, making whitelist for the applications used, and restricting access to the network or storage.
Read Also: Undiksha SSO: Getting to know, how to use, and overcoming failed logins
When hit by attack ransomware
If you feel you have been attacked by ransomware, the following actions should be taken:
- Take a snapshot (screen image) from your computer, either using a capture application snapshot if possible or use smartphone or camera. This will help for further analysis regarding the attack vector (attack method), knowing the type of ransomware that attacked, and of course, looking for a solution to the attack.
- Turn off the computer to prevent further spread and unwanted damage to the system.
- Try to identify the attack method, whether via a link email, exploit inserted on the web, attachment email, executed applications, or other methods.
- Block all access to networks, other computers, or servers that have not been infectedransomwareto prevent wider spread.
- Tell your boss to carry out further investigations or take concrete steps to address this problem.
Closing
Ransomware is a scourge in the digital world and has started to become more prevalent in recent years because of its nature which not only provides interference but also demands ransom from its victims. However, by knowing how it works and the methods used by attackers and implementing preventive measures, we can reduce or even eliminate the risk of being attacked. ransomware.
Source: http://kipmi.or.id