Ransomware: its history, impacts, and remedies
Abstract
Ransomware is malicious code, deployed by attackers, that restricts or prevents users from accessing their systems or servers, either by locking the users' files on the system until a ransom is paid or by locking the system's screen. More recently, a category known as crypto-ransomware encrypts particular types of files on infected systems and forces users to pay the ransom through online payment methods to obtain the key that decrypts their files, which sometimes does not work. This paper reviews the history of ransomware, its impact on companies, and how those companies recovered from these attacks. It also argues that, with careful study of ransomware, an effective detection system can be produced that significantly reduces the number of victims of these attacks.
Keywords: ransomware, detection system, crypto-ransomware.
Introduction
Ransomware is a form of malware used to encrypt a victim's files. The attacker then demands a ransom from the victim, promising that access to the data will be restored upon payment. Ransomware is undoubtedly one of the most threatening types of cyber-attack facing organizations around the world today. Most attackers have changed their tactics: they no longer chase everyday consumers but are now chasing money and are focused on businesses that offer a higher return on investment. Ransomware is reported to have increased by 363% within the last year. According to a Trend security roundup report, 61 million ransomware attacks were identified in 2019 (O'Kane, 2018). The most heavily targeted industries include academic institutions, local governments, healthcare, manufacturing, the technology sector, and financial and media services. However, it is essential to note that every business is at risk of a cyber-attack and should take the necessary measures to deny attackers any opportunity. Unfortunately, most organizations do not give much attention to the threat. It is only when they are on the receiving end of an attack that they invest serious time and resources in improving their cybersecurity defenses, and by then it is too late because the damage has already been done. There are several vectors ransomware can take to reach a computer. For instance, phishing spam, which arrives as an attachment in an email, is one of the most common delivery mechanisms. It masquerades as a file that can be trusted. Once the attachment is downloaded and opened, it can take over the victim's computer with little effort. This happens more reliably when the malware has built-in social engineering tools used to trick users into granting administrative access. However, some more aggressive types of ransomware, such as NotPetya, infect computers by exploiting security holes without tricking users at all.
It is imperative to ensure that one's computer is protected. Once files have been encrypted, they cannot be decrypted without a mathematical key known only to the attacker. The user typically receives a message stating that their files are no longer accessible and that the only way to recover them is to make a payment to the attacker. The payment is usually an untraceable Bitcoin payment. Some attackers pretend to be a law enforcement agency that has shut down the victim's computer because it contains pirated software or pornographic content. They then demand a fine, and this move is mainly meant to discourage the victim from reporting the matter to the authorities. Other attackers threaten to expose sensitive information on the victim's hard disk if the ransom is not paid. Even though a computer infected with malware risks losing vital data, it is not advisable for the victim to pay the ransom, because doing so only encourages attackers to create more ransomware. Several steps should be taken in the event of a ransomware attack. For instance, an organization should inform its IT security team and change login credentials, among other notable measures. The most important thing, however, is to ensure that the organization's employees receive cybersecurity awareness training that educates them about cyberattacks and how to recognize the early stages of these kinds of attacks.
History of ransomware
Ransomware has its own specific history. It has been a present threat to organizations, SMBs, and individuals since the mid-2000s. In 2017, the FBI's Internet Crime Complaint Center (IC3) received 1,783 ransomware complaints that cost victims more than 2.3 billion US dollars. These figures, however, represent only the attacks reported to IC3; the actual number of ransomware attacks and the costs involved are higher. For instance, in 2019, the estimated number of ransomware attacks was around 184 million. Ransomware attacks were originally aimed primarily at individuals, who still make up the main targets today. The history of ransomware is said to have begun in 1989. According to Becker's Hospital Review, this attack targeted the healthcare industry, and twenty-eight years later the healthcare sector remains a major target for many of the attacks happening today. The attack was initiated by Joseph Popp, an AIDS researcher, who distributed 20,000 floppy disks to AIDS researchers spanning more than 90 countries (Slayton, 2018). He claimed that the disks contained a program that analyzed an individual's risk of contracting AIDS through questionnaires. The disk also carried a malware program that at first remained dormant on the computer. The program was activated after the computer had been started 90 times. When the 90-boot threshold was reached, the malware displayed a message demanding that 189 and 378 US dollars be paid for a software lease. This cyberattack was called PC Cyborg or the AIDS Trojan.
This first attack was rudimentary and is reported to have had its flaws. However, it began the evolution of ransomware into the cyberattacks that have been happening to date. Most attackers today depend on "off-the-shelf libraries that are greatly hard to crack" (Mohurle, 2017). They leverage more sophisticated delivery techniques, such as spear-phishing campaigns, instead of traditional phishing email blasts, which are more often filtered out by email spam filters today. Some of these sophisticated attackers have developed toolkits that others can download and deploy with less technical skill. These advanced attackers monetize ransomware by offering ransomware-as-a-service programs, which led to the prominence of the well-known ransomware families CryptoLocker, Locky, CryptoWall, and TeslaCrypt (Takeuchi, 2018). After the first documented ransom attack in 1989, this kind of cybercrime was uncommon until the mid-2000s, when attacks started to use more sophisticated and more demanding techniques that are hard to crack, especially encryption algorithms such as RSA (Humayun, 2020). Gpcode, Krotten, Archiveus, MayArchive, and Cryzip were popular during this time. In 2011, for example, a ransomware worm appeared that imitated the Windows Product Activation notice, making it hard for users to differentiate between genuine notifications and threats (Thomas, 2018). In 2015, multiple variants affecting multiple platforms wreaked havoc on users globally. According to Kaspersky's SecureList reports, from April 2014 to March 2015 the most prevalent ransomware threats were Scatter, CryptoWall, Mor, Cryakl, TorrentLocker, and CTB-Locker (Connolly, 2019). These threats attacked 101,568 users globally, accounting for 77.48% of all users attacked with crypto-ransomware during this period.
After 2012, ransomware began to spread worldwide, infecting systems and transforming into more sophisticated forms that made attack delivery easier as the years went on. The first version of CryptoLocker was seen in September 2013, while the first copycat, known as Locker, appeared in December of the same year. Statistics show that the use of ransomware is increasingly on the rise. Veeam asserts that businesses had to pay 11.7 US dollars on average in 2017 because of ransomware attacks.
Impact of ransomware
Ransomware attacks can have many effects on an organization. Because an attack prevents a company from accessing its data until it pays a ransom to the attacker, it is a worrying prospect. There is also a likelihood that systems will be infected with other forms of malware once a successful attack has happened. Some of the messages displayed on the computer claim that the computer is infected with a virus. Among the impacts associated with ransomware attacks on companies is damage to the company's reputation. An attack can also lead to temporary or permanent loss of the company's data. It leads to financial loss because revenue-generating operations have been shut down, and further financial loss is linked to remediation efforts.
A recent study by Arcserve found that 70% of an organization's customers do not trust the organization to keep their data safe after it has been affected by a ransomware attack. This happens to some organizations even when they have done nothing to deserve losing these consumers' trust. The same study indicated that 25% of customers left a particular product or service provided by an organization and switched to a competitor if the organization was involved in ransomware-related disruptions. This affects an organization adversely, because one of the objectives of every company is to retain its customers if it is to remain at the top. Research has therefore shown that ransomware protection is of great importance for building and retaining customer loyalty. The issue has led most customers to consider the trustworthiness of a company before purchasing its goods and services. If a company does not protect customer data from ransomware attacks, customers may switch to other companies that can protect them. Losing customers implies reduced profitability, because the company will no longer be able to sell its products and services to those customers.
Ransomware attacks can lead to the shutdown of a manufacturing control system. If this happens, it will have repercussions up and down the supply chain. It affects business operations in the organization itself, and not only financially; it also affects the other companies that rely on this organization for their products and services. For example, Nasdaq-listed Tower Semiconductor Ltd was hit by a ransomware attack that caused it to stop production of camera sensors and wireless chips in its manufacturing units. The attack caused the organization to lose millions of dollars. Ransomware attacks are known to affect productivity. For example, it is very hard for employees to work if they cannot access essential business applications and data. If employees are not working, the company cannot generate revenue: most products are not sold and services are not provided. This prevents the organization from growing and expanding, because without financial growth the organization will not succeed. It can also lead to the organization losing some of its most essential employees because it cannot pay their wages and salaries. Unpaid employees will move on in search of new jobs that let them earn, so the organization loses the employees who could help it grow productively. Overhead costs still accrue even when the organization is not operating after the attack, which means that a lot of money goes out while nothing comes back. This leads to significant losses that can take a long time to recover.
Remedies of ransomware
To help ensure that these attacks are controlled, effective remedies must be put in place to help prevent cyber threats. For instance, research has found that the best way to combat these attacks is to implement a cybersecurity and data protection solution that detects and prevents attacks and offers a strong defense against data loss. It is imperative for an organization that has experienced ransomware attacks to hire a security audit team to help it identify where the holes that allowed the attacks are and how to stop them. Suppose an organization thought it had an effective cybersecurity team that could fight these attacks but is still falling victim to them. In that case, it should stop the guesswork and hire experts on the issue. Hiring a third party to carry out a security audit is an investment worth making, because it will help the organization know how to deal with these situations when they arise and even counter them before they manifest.
The most important thing is to ensure that ransomware attacks are prevented, because many of them succeed only after they have been let in at the most basic level. For instance, most occur when someone has clicked on an unverified link. It is therefore imperative not to click on unverified links on unfamiliar websites or in spam emails. Downloads triggered by clicking on malicious files can lead to the computer being infected. Once ransomware is on a computer, it will encrypt data or shut down the operating system (Zhang-Kennedy, et al., 2018). Not clicking on these links therefore helps reduce the probability of an attack. One should also not open untrusted email attachments. Ransomware has been found to enter computer systems via email attachments. Users should only open emails from people they know. The organization should verify that the sender of the email is who it claims to be, and should evaluate whether a link is genuine before following it. If unsure, they should contact the individual who sent the email to confirm their identity. Employees should also not open attachments that require enabling macros in order to view them. If such an attachment is malicious, opening it gives the malware control over the system. The company may then have to pay a ransom if it does not want to lose its data, and even that is no guarantee.
Users of the organization's systems should download only from sites they know. This reduces the chance of downloading ransomware, which can cost a company financially. Users should go to verified and trusted websites if they want to download anything. They should also not give out personal data, especially to unknown sources, because there is a high likelihood that these sources are run by cyber criminals. Before planning a ransomware attack, most attackers try to obtain personal data first. They use this data in phishing emails to target organizations specifically (Zhao, et al., 2018). Their purpose is to lure users of the company's systems into opening an infected link or attachment. The most important thing to do is to ignore information requests from a malicious-looking source and to contact the company or source independently to assess whether they are genuine. Mail server content filtering and scanning is a sensible way to control ransomware attacks; this software reduces the number of spam emails containing malware-infected links that reach one's inbox (Aurangzeb, et al., 2017). It is also wise not to use unfamiliar USB devices, because they can be a vector for a ransomware attack. Cyber criminals may infect these devices and leave them in public places to entice users into using them.
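As an added example (not code from the original paper), the following Python sketch of a mail-gateway attachment check implements two of the points above: it quarantines Office documents that carry a VBA macro project (detected by looking inside the file for the vbaProject.bin part rather than trusting the extension) and blocks executables hiding behind a document name. The extension lists and the allow/quarantine/block policy are assumptions, and the sample attachments are constructed in memory.

```python
import io
import zipfile

# Policy lists are assumptions for this example; tune them to your own environment.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta"}
MACRO_CAPABLE_EXTENSIONS = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm", ".dotm"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container (.doc/.xls)
PE_MAGIC = b"MZ"                                 # Windows executable header
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx/.docm/...) files are ZIP archives

def _extension(filename):
    name = filename.lower()
    return name[name.rfind("."):] if "." in name else ""

def _ooxml_has_macros(data):
    """An OOXML document carries VBA only if the archive contains a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def classify_attachment(filename, data):
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'."""
    ext = _extension(filename)
    if ext in EXECUTABLE_EXTENSIONS:
        return "block", "executable attachment type " + ext
    if data.startswith(PE_MAGIC):
        # Content wins over the name: an .exe renamed to statement.pdf is still an .exe.
        return "block", "PE executable content regardless of file name"
    if data.startswith(ZIP_MAGIC) and _ooxml_has_macros(data):
        return "quarantine", "Office document with embedded VBA project"
    if data.startswith(OLE2_MAGIC) and ext in MACRO_CAPABLE_EXTENSIONS:
        # Proving a legacy binary document is macro-free needs a full OLE parse; hold it for review.
        return "quarantine", "legacy binary Office format may contain macros"
    return "allow", "no executable or macro indicators"

def _build_ooxml(with_macros):
    """Construct a minimal OOXML-like archive, optionally with a VBA part, for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00constructed")
    return buf.getvalue()

# Constructed sample attachments (not real malware): name -> bytes.
SAMPLE_ATTACHMENTS = {
    "quarterly_report.docx": _build_ooxml(with_macros=False),
    "invoice_enable_content.docm": _build_ooxml(with_macros=True),
    "statement.pdf": PE_MAGIC + b"\x90\x00" * 32,   # executable hiding behind a .pdf name
    "old_memo.doc": OLE2_MAGIC + b"\x00" * 64,
    "notes.txt": b"plain text, nothing to see",
    "update.scr": b"whatever",
}

def scan_attachments(attachments):
    """Map every attachment name to its verdict, as a mail gateway filter would."""
    return {name: classify_attachment(name, data)[0] for name, data in attachments.items()}

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(name, "->", verdict)
```

A real gateway would additionally parse legacy OLE files and inspect archives, but the ordering shown (content checks before extension checks) is what keeps a renamed executable or a .docm renamed to .docx from slipping through.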
Security awareness training is another way to control ransomware attacks. It reduces the threat of employee error leading to ransomware infection. Adequately trained employees know the early signs of a cyberattack, and once they recognize these signs it becomes much harder for an attack to succeed. Proper endpoint security hygiene is also imperative, as it prevents ransomware attacks: most attackers look for misconfigurations and vulnerabilities to exploit in order to gain access to the network. These recommendations help public sector organizations deal with the effects of malware, including ransomware. They provide guidelines that organizations can use to prevent malware infections, as well as the steps to take in case an organization has been infected. If the measures mentioned are followed effectively, they will reduce the likelihood of users' computers being infected, reduce the spread of malware across the whole organization, and decrease the impact even when an organization has already been affected. Therefore, because it may not be clear how to completely protect an organization from cyber-attacks, it is important to adopt a 'defense-in-depth' approach that minimizes the possibility of a ransomware attack happening.
Generally, cyber experts advise organizations not to pay ransoms. However, many firms pay because they do not want to lose data and want to recover quickly. For instance, the University of Utah paid 500,000 US dollars after a ransomware attack to prevent students' and faculty data from being exposed to the public. However, paying a ransom is no guarantee that the attackers will keep their end of the deal. Researchers also note that the computer will still be infected, meaning that payment is not a solution. Paying a ransom is also an attempt to negotiate with criminal groups, which is not right; it encourages them to continue these activities. The attacks may not stop after the company has paid, because the attackers may return later, knowing that the organization readily agreed to their terms. Therefore, it is essential to take proper measures to protect organizations from ransomware attacks rather than risking data loss. These measures should also help reduce the impact of data exfiltration. Many businesses are being targeted from every side by ransomware attacks, which can cause adverse direct and indirect repercussions for the company's bottom line and reputation. It is paramount that the organization start a business continuity and disaster recovery program that keeps business operations running, especially during a crisis, by restoring lost data as fast as possible with 0 percent loss. If these measures are implemented, they will help ensure that cyberattacks are controlled before they happen. A security team that is well trained and equipped to deal with these attacks will play an essential role in preventing ransomware attacks.
References
Aurangzeb, S., Aleem, M., Iqbal, M. A., & Islam, M. A. (2017). Ransomware: a survey and trends. Journal of Information Assurance & Security, 6(2), 48-58.
Connolly, L. Y., & Wall, D. S. (2019). The rise of crypto-ransomware in a changing cybercrime landscape: Taxonomising countermeasures. Computers & Security, 87, 101568.
Humayun, M., Jhanjhi, N. Z., Alsayat, A., & Ponnusamy, V. (2020). Internet of things and ransomware: evolution, mitigation and prevention. Egyptian Informatics Journal.
Mohurle, S., & Patil, M. (2017). A brief study of wannacry threat: Ransomware attack 2017. International Journal of Advanced Research in Computer Science, 8(5), 1938-1940.
O'Kane, P., Sezer, S., & Carlin, D. (2018). Evolution of ransomware. IET Networks, 7(5), 321-327.
Slayton, T. B. (2018). Ransomware: The virus attacking the healthcare industry. Journal of Legal Medicine, 38(2), 287-311.
Takeuchi, Y., Sakai, K., & Fukumoto, S. (2018, August). Detecting ransomware using support vector machines. In Proceedings of the 47th International Conference on Parallel Processing Companion (pp. 1-6).
Thomas, J., & Galligher, G. (2018). Improving backup system evaluations in information security risk assessments to combat ransomware. Computer and Information Science, 11(1).
Zhang-Kennedy, L., Assal, H., Rocheleau, J., Mohamed, R., Baig, K., & Chiasson, S. (2018). The aftermath of a crypto-ransomware attack at a large academic institution. In 27th USENIX Security Symposium (USENIX Security 18) (pp. 1061-1078).
Zhao, J. Y., Kessler, E. G., Yu, J., Jalal, K., Cooper, C. A., Brewer, J. J., ... & Guo, W. A. (2018). Impact of trauma hospital ransomware attack on surgical residency training. Journal of Surgical Research, 232, 389-397.