What is Ransomware in Cyber Security

Let’s explore a very dangerous threat to our digital world: ransomware, and discuss exactly what ransomware is in cyber security.

Introduction

Hi friend! I, Abhijit Ranjan, welcome you to this blog article on ransomware, which has become a major cyber threat in our world these days.
Today’s world depends on technology. Whether it is business, entertainment, education, or any other walk of life, the Internet dominates everywhere.
Today, we do not need to go to the bank to withdraw money. The Internet is available on your phone or computer at your fingertips, and you can transact using net banking or mobile banking. UPI has gone one step further, and you can also make your money transactions with it. All over the world, every business, small or big, is based on technology, and its precious data resides on its servers or in data centers that are connected to the Internet. Along with this, the risk of data theft and cyber threats has also increased. Hackers can install viruses, malware, or ransomware on your computers or mobile phones, which can take over your device and corrupt all of your data.
The history of ransomware is about 35 years old. In 1989, the AIDS Trojan (PC Cyborg Virus) was one of the first ransomware attacks ever recorded. It was distributed via floppy disk. Even though it was a straightforward virus that made use of symmetric cryptography, victims had to send $189 to a P.O. box in Panama in order to regain access to their systems. Since the rise of the Internet and smartphones, ransomware has been spreading rapidly.

So, what is ransomware in cybersecurity?

Let’s find out what ransomware is. Ransomware is a type of malware, or malicious software, designed by hackers to extort money. Ransomware either completely locks your computer or Android phone or encrypts the data and files on the computer or phone. It prevents you from accessing this data or these files until the extorted money is paid to the attacker or hacker. Most of the time, attackers compel the victim to pay in cryptocurrency, i.e., bitcoin, etc., because it is very hard to trace. If you do not pay the attackers, your data will be compromised, and it may be published on the dark web by the attackers. Still, it is not certain that even after paying the ransom, everything will be fine as before.
Paying the ransom to get out of this situation is not considered a good solution, for the following reasons:
  • Firstly, there’s no assurance that paying the ransom will unlock your files; in certain situations, the hackers might just pocket your cash and disappear.
  • Second, hackers can still access and infect your computer even after the ransom is paid.
  • Third, since the hackers know there is a chance to make money, they can choose to target more victims if the ransom is paid.
  • Fourth, by paying the ransom, you can unintentionally support additional unlawful activity that the hackers may be engaging in.
  • Finally, if you pay the ransom, you can endanger not just yourself but also others, because the hackers might exploit your personal data for identity theft or other nefarious activities.

Types of ransomware:

The most common types of ransomware are as follows:

  • Crypto Ransomware: It encrypts your data and files and demands extortion money for decryption.
  • Locker Ransomware: Lockers prevent you from accessing any of your data or applications and lock you out of the system entirely. The ransom demand is shown on a lock screen, perhaps accompanied by a countdown clock to make victims feel compelled to respond.
  • Scareware: Intimidates victims with false threats to extort money. It is fraudulent software that asks for payment after claiming to have found a virus or other problem on your computer. While some scareware programs really damage files, others just overload the screen with pop-up notifications.
  • Doxware or leakware: Threatens to release sensitive information if the ransom isn’t paid.
  • Double Extortion: The term “double extortion” refers to a kind of cyberattack in which the attacker encrypts the victim’s data and then threatens to make it public unless the ransom is paid. This kind of attack is especially successful because it places the victim in a tough situation: pay the ransom and still run the risk of having the data released, or refuse to pay and lose access to the data entirely. Double extortion attacks have become more common in recent years because they give attackers a comparatively simple means of profiting. Businesses and organizations are frequently the targets, since they are more likely to have the financial means to pay the ransom, though individuals can also be targeted.
  • Ransomware-as-a-service (RaaS): Cybercriminals can conduct ransomware attacks using a type of malware known as ransomware-as-a-service, or RaaS, without having to create or install the software themselves. RaaS vendors usually list their services on dark web forums or marketplaces and receive a cut of the money that victims pay in ransom. RaaS has grown in popularity recently, making it possible for even inexperienced thieves to carry out complex ransomware assaults.
  • Mobile Ransomware: It can infect your tablet or Android/iOS mobile phones and encrypt your personal data.

What are the commonly known ransomware strains?

  • Akira
  • WannaCry
  • TeslaCrypt
  • NotPetya
  • Sodinokibi
  • SamSam
  • Android/Filecoder.C
  • Android OS/MailLocker.B
  • Koler.a
  • SimpLocker, etc.

How Does Ransomware Enter Your System or Phone?

Ransomware often infiltrates computers or Android/iOS mobile phones in the following ways:
  • Phishing emails
  • Downloading software from unknown or untrusted sources
  • Clicking on unknown links
  • Third-party websites
  • Infected USB drive
  • SMS scams, etc.

What Data Can Ransomware Infect?

As soon as the ransomware activates, it searches both local and network drives for files to encrypt. It targets files that it judges to be crucial to people or to your company. This includes backup files, so that the data cannot simply be recovered from them. For example, the following kinds of files are most often infected by ransomware:
  • Microsoft Office: .xlsx, .docx, and .pptx files, as well as earlier formats
  • Images with extensions such as .png, .jpeg, .gif
  • Images for business purposes:
  • Data: .ai and .sql
  • Video: .mp4, .avi, .m4a, etc.
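The passage above describes ransomware rewriting document and image files in place, which is something a defender can look for. The following is an added example, not code from the original article: a small Python heuristic that walks a directory and flags files whose header no longer matches the type their extension claims and whose content is near-random (high Shannon entropy), the two cheap signs of in-place encryption. The sample files are constructed in a temporary directory, and the magic-byte table and the 7.5-bit threshold are assumptions chosen for illustration.

```python
"""
Added example (not from the original article): a heuristic that looks for files
that ransomware may have encrypted in place. Two cheap signs are checked: a file
header that no longer matches the type its extension claims, and near-random
content (high Shannon entropy). Sample files are constructed in a temp directory;
the magic-byte table and the 7.5-bit threshold are illustrative assumptions.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Expected leading bytes for some of the extensions the article lists.
# .docx/.xlsx/.pptx are ZIP containers, so they share the ZIP signature.
MAGIC = {
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpeg": b"\xff\xd8\xff",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text is roughly 4-5, compressed or encrypted data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_file(path: Path, entropy_threshold: float = 7.5) -> dict:
    """Indicators for one file: header mismatch and high-entropy content."""
    data = path.read_bytes()
    expected = MAGIC.get(path.suffix.lower())
    header_mismatch = expected is not None and not data.startswith(expected)
    entropy = shannon_entropy(data[:4096])  # a leading sample is enough for triage
    return {
        "file": path.name,
        "header_mismatch": header_mismatch,
        "entropy": round(entropy, 2),
        # Either sign alone gives false positives (a PNG is legitimately high-entropy),
        # so only the combination is flagged.
        "suspicious": header_mismatch and entropy >= entropy_threshold,
    }


def scan_directory(root: Path) -> list[dict]:
    """Walk a directory tree and return the assessments of flagged files only."""
    flagged = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            result = assess_file(path)
            if result["suspicious"]:
                flagged.append(result)
    return flagged


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: an intact document, an intact image, and one
    'encrypted' spreadsheet whose name and extension were left unchanged."""
    (root / "report.docx").write_bytes(b"PK\x03\x04" + b"quarterly figures " * 200)
    # Real image data is already high-entropy; the header still matches, so it is not flagged.
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 4)
    # os.urandom stands in for ciphertext; nothing is actually encrypted here.
    (root / "budget.xlsx").write_bytes(os.urandom(4096))


def demo() -> list[str]:
    """Build the sample tree and return the names of the files the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return [r["file"] for r in scan_directory(root)]


if __name__ == "__main__":
    print(demo())  # ['budget.xlsx']
```

Run as a script, it reports only `budget.xlsx`: the PNG is high-entropy but its header is intact, and the .docx has a valid header and low entropy. On a real share you would point `scan_directory()` at the drive and treat a sudden burst of flagged files as an alert, not a verdict, since compressed archives saved under the wrong extension produce the same signal.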

Image credits: sectigostore.com

How Ransomware Infects Your Android Phones:

Microsoft’s 365 Defender Research Team reports that, in the past, Android malware made use of the operating system’s SYSTEM_ALERT_WINDOW feature. On Android phones, this feature displays notifications that users cannot ignore and must respond to right away, and hackers exploited it to display ransom notes.
To tackle this, Google added a “kill switch” that lets users disable the alert window in Android OS versions 8.0 and later. Previously, users often granted apps’ requests for SYSTEM_ALERT_WINDOW access without a second thought, because it took only one click. Now, however, users have to pass through numerous panels in order to authorize such use.

According to Microsoft’s 365 Defender Research Team, the most recent development of Android ransomware goes through the following steps:

  • Creating notifications: After infecting a device, the Android ransomware builds a notification that carries the ransom note. The setCategory("call") function is used to signal that the notification is critical and requires extra permissions.
  • Taking over the screen: The notification is kept in the GUI, and the setFullScreenIntent() function of the API pushes the ransomware window to the foreground when the user taps on it or when some other pre-determined trigger fires.
  • Preventing users from accessing anything else: As soon as the ransom screen appears, it stops the device’s onUserLeaveHint() function from doing its job. This means that users cannot close the screen even by pressing the back button. The ransom note stays on top, and the main screen shows no other phone functionality.
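The three API uses listed above (a "call"-category notification, setFullScreenIntent(), and a neutralized onUserLeaveHint()) are exactly what an analyst would look for when triaging a suspicious APK. As an added example, not code from the article or from Microsoft, here is a Python static check that scans decompiled source text for those indicators plus the older SYSTEM_ALERT_WINDOW permission, and only raises its verdict when the full combination is present, because a legitimate dialer also uses call notifications with full-screen intents. The source fragments are constructed indicator snippets, not a working app; the regexes and verdict labels are the author's assumptions.

```python
"""
Added example (not from the original article or from Microsoft): a static triage
heuristic over decompiled Android source text. It looks for the API uses the
article attributes to recent Android ransomware and for the legacy overlay
permission, and escalates only on the full lock-screen combination. Sample
fragments are constructed; regexes and verdict labels are assumptions.
"""
import re

INDICATORS = {
    # Notification.CATEGORY_CALL is the constant "call"; decompiled code shows either form.
    "call_category": re.compile(r'setCategory\s*\(\s*(?:"call"|Notification\.CATEGORY_CALL)\s*\)'),
    "full_screen_intent": re.compile(r"\bsetFullScreenIntent\s*\("),
    "user_leave_hint_override": re.compile(r"\bvoid\s+onUserLeaveHint\s*\("),
    # Overlay permission the article says older Android ransomware abused.
    "overlay_permission": re.compile(r"android\.permission\.SYSTEM_ALERT_WINDOW"),
}

# The combination described in the article; any one of these alone is common in benign apps.
LOCKER_COMBO = {"call_category", "full_screen_intent", "user_leave_hint_override"}


def find_indicators(source: str) -> set[str]:
    """Names of every indicator pattern that occurs anywhere in the text."""
    return {name for name, pattern in INDICATORS.items() if pattern.search(source)}


def triage(source: str) -> dict:
    """Return the indicators found and a coarse verdict for an analyst's queue."""
    hits = find_indicators(source)
    if LOCKER_COMBO <= hits:
        verdict = "review"   # full lock-screen pattern: needs human analysis
    elif hits:
        verdict = "note"     # e.g. a dialer legitimately uses call notifications
    else:
        verdict = "clean"
    return {"indicators": sorted(hits), "verdict": verdict}


# Constructed fragments standing in for decompiled sources of three different apps.
DIALER_SAMPLE = """
Notification.Builder b = new Notification.Builder(ctx, channel);
b.setCategory(Notification.CATEGORY_CALL);
b.setFullScreenIntent(incomingCallIntent, true);
"""

LOCKER_SAMPLE = """
b.setCategory("call");
b.setFullScreenIntent(pendingIntent, true);
@Override
protected void onUserLeaveHint() { }
"""

NOTES_SAMPLE = """
Notification.Builder b = new Notification.Builder(ctx, channel);
b.setContentText("Reminder saved");
"""

if __name__ == "__main__":
    for name, sample in [("dialer", DIALER_SAMPLE), ("locker", LOCKER_SAMPLE), ("notes", NOTES_SAMPLE)]:
        print(name, triage(sample))
```

The dialer fragment scores "note" and the locker fragment "review"; in practice you would run `triage()` over every `.java` or `.smali` file that a decompiler produces and rank packages by verdict before opening them in a disassembler.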
Apple products like iPads, iPhones, Macs, and MacBooks can also be infected by ransomware, despite their amazing security features.

Image credits: sectigostore.com

The Effects of Ransomware:

Cyberattacks using ransomware are disastrous. They may result in the loss of data, monetary harm, or even reputational damage to a business. The difficult choice of whether to pay the ransom or try to retrieve their data through alternative means is often placed before victims.

How to Deal With Ransomware or Malware

As I said earlier, experts do not suggest paying the ransom to get out of this situation. Let’s discuss how to deal with ransomware if it infects your computer system or your Android or iOS phone.
Disconnect the infected device from the network: You should disconnect the infected system or phone from all networks and Wi-Fi immediately. Attackers spread ransomware or malware with the help of the network or Wi-Fi. If your phone is infected, also remove its SIM. This will prevent other devices from getting infected. Do not copy a backup of the infected device onto another one.
Try to use online decryption tools: You should first try to identify the type of ransomware with the help of the various tools available, such as ID Ransomware, Crypto Sheriff, BitDefender, etc. After obtaining this information, try to use an online decryption tool available on the market to decrypt the data. Some of them are:
  • Avast
  • QuickHeal
  • Kaspersky, etc.
In the case of mobile phones, if your phone has been infected, remove the SIM card; you can also use a factory reset and re-install the OS in addition to the above steps.
Report this to the concerned cyber crime prevention department:
You should report this cybercrime to the concerned department. It is very necessary to keep our society safe from this type of crime.

How do I prevent ransomware attacks?

Here are some essential steps to safeguard your digital life against ransomware or malware:
  • Take regular backups: Take regular backups so that you can recover your data without paying a ransom.
  • Use strong antivirus or anti-malware software: Always install good antivirus and anti-malware software on your system to avoid this type of issue. Some good antivirus programs are AVG, McAfee, BitDefender, Norton, etc.
  • Don’t open unknown emails: Avoid clicking on suspicious or unknown email attachments or links. You should always verify the sender’s authenticity first.
  • Software updates: Keep your operating system and software updated to patch vulnerabilities.
  • Avoid using infected USB or pen drives: You should always avoid using other people’s pen drives or USB drives, as these may be infected.
  • Download software from a trusted source: Always download your software from a trusted and renowned source. The use of modified software or apps should also be avoided.

Latest Android Ransomware Threats:

Some examples of the latest Android ransomware threats are as follows:
  • Sodinokibi (REvil): This ransomware variant targeted Android devices, encrypting files and demanding a hefty ransom for decryption. It spread through malicious apps and attachments.
  • DoubleLocker: A mobile ransomware that not only encrypted data but also changed the device’s PIN, rendering it nearly unusable.
  • Cerberus: While initially a banking Trojan, Cerberus evolved into ransomware, locking Android devices and demanding a ransom for unlocking.
  • This strain of ransomware displayed a full-screen ransom message on Android devices, making it impossible to use the phone.
  • WannaCry, Mimikatz, and Trojan: These ransomware or malware infected five servers of AIIMS (All India Institute of Medical Science) in the year 2022.

Image credits: microsoft.com

FAQs:

1. What is ransomware?
Ransomware is malware that infects your files and data and demands a ransom in exchange for the decryption key. Once your files are encrypted, you will not be able to access them until you pay the ransom.
2. How do I get infected with ransomware?
Ransomware can be spread in a variety of ways, including through phishing emails, malicious attachments, and infected websites. It can also be spread through USB drives and other external storage devices.
3. What are the different types of ransomware?
There are many different types of ransomware, but the most common type is crypto-ransomware. Crypto-ransomware encrypts your files using cryptography, making them inaccessible without the decryption key.
4. What can I do to protect myself from ransomware?
You should do the following:
  • Keep your software up to date.
  • Use a strong antivirus and anti-malware program.
  • Be careful about what emails you open and what attachments you download.
  • Avoid suspicious websites.
  • Back up your data regularly.
5. What should I do if I get infected with ransomware?
If you get infected with ransomware, the first thing you should do is disconnect your computer from the internet. This will prevent it from spreading to other devices. You should also try to identify the type of ransomware that you have been infected with. This will help you decide what appropriate action to take.
6. Should I pay the ransom?
Paying the ransom is not recommended. There is no guarantee that the attackers will decrypt your files, even if you pay them. Additionally, paying the ransom encourages the attackers to continue developing and spreading ransomware.
7. Can I decrypt my files without paying the ransom?
In some cases, it is possible to decrypt your files without paying the ransom. There are a number of free and paid decryption tools available online. However, please note that some ransomware cannot be decrypted.
8. What should I do after my files have been decrypted?
Once your files have been decrypted, you should change all of your passwords and enable two-factor authentication on all of your accounts. You should also scan your computer for any other malware that may be present.
9. What can businesses do to protect themselves from ransomware?
Businesses can take a number of steps to protect themselves from ransomware, including:
  • Build security awareness among employees.
  • Segment their networks.
  • Use multi-factor authentication.
  • Regularly back up their data.
10. What should I do if my business is infected with ransomware?
If your business is infected with ransomware, you should contact a cybersecurity expert immediately. They will be able to help you assess the damage and develop a plan to recover from the attack.

Additional tips:

  • Be careful about what links you click on and what attachments you download, even if they come from people you know.
  • Always use strong passwords.
  • Keep all the software, including the OS, web browser, and antivirus software, updated.
  • Take backups of your data regularly and store it offline.
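Both the prevention list earlier on the page and the tips above come back to regular backups kept offline, and the article also notes that ransomware goes after backup files. A backup is only useful if you can prove it has not been altered, so here is an added example, not code from the original article: a Python hash manifest for a backup set. `build_manifest()` records a SHA-256 per file once, the manifest is kept with the offline copy, and `verify_backup()` later reports files that were modified, removed or added. The paths and file contents are constructed sample data.

```python
"""
Added example (not from the original article): a SHA-256 manifest for a backup
set. The manifest is written once and kept with the offline copy; verify_backup()
later reports modified, missing and unexpected files. All sample paths and file
contents are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex digest of a file, read in chunks so large backups do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative, POSIX style) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the backup on disk with a trusted manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a clean backup, then the same share after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "docs").mkdir(parents=True)
        (backup / "docs" / "contract.docx").write_bytes(b"PK\x03\x04 contract text")
        (backup / "photo.jpeg").write_bytes(b"\xff\xd8\xff photo bytes")

        manifest = build_manifest(backup)  # in practice: store this with the offline copy
        clean = verify_backup(backup, manifest)
        assert clean == {"modified": [], "missing": [], "unexpected": []}

        # Simulate what a compromised backup share looks like afterwards:
        # one file overwritten, one deleted, one unknown file added.
        (backup / "docs" / "contract.docx").write_bytes(b"\x00\xff" * 16)
        (backup / "photo.jpeg").unlink()
        (backup / "stray.bin").write_bytes(b"constructed unknown file")
        return verify_backup(backup, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest must live somewhere the backup share cannot overwrite (the same offline medium, or a separate read-only location), otherwise an attacker who can rewrite the backup can rewrite the manifest to match. Running `verify_backup()` on a schedule, and before any restore, turns "we have backups" into "we have backups we can trust".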

Conclusion

At this stage, we can say that ransomware is a significant threat to individuals and organizations as well. However, with knowledge, preparedness, and a proactive approach to cyber security, you can protect yourself from these malicious attacks. Prevention remains the most effective strategy.
That’s all for now, my friends! I am waiting for your valuable feedback and suggestions. You can contact me through the following emails:
Yours
Abhijit Ranjan
