Ransomware: beware of the dangers

The aim of ransomware is to encrypt the data on your devices and extort a ransom for its release.

The term ransomware denotes a type of malware that restricts or prevents access to data and systems; a ransom is then demanded for their release. Such malware either blocks access to the system as a whole or encrypts selected user data. Ransomware targeting Windows computers is particularly widespread, but in principle any system can be attacked by ransomware.

Ransomware group ‘REvil’ extorted hundreds of companies

In the recent ransomware attack on the American IT service provider ‘Kaseya’ (July 2021), cyber criminals hit hundreds of companies at the same time. The ‘REvil’ hackers exploited a vulnerability in Kaseya’s VSA remote-management software, which IT service providers use to administer their customers’ systems, to paralyze Kaseya’s customers with an encryption Trojan. They blocked access to systems in order to extort large sums of money. A kind of domino effect developed, because the customers of the IT service provider included numerous other IT companies all over the world, each with a large customer base of its own. Among other things, this had a major impact on the cash register systems of a Swedish supermarket chain, but German companies were also hit. Private users have not so far been affected by this extortion attack; further spread, however, cannot be ruled out.

This form of digital extortion is not new. The first ransomware variants appeared before the turn of the millennium, and since 2006 ransomware attacks on Windows systems have increased. One early example compressed all of the user’s data into a password-protected ZIP archive and demanded money for the password.

The notorious Reveton ransomware family followed four years later. With this malware, a warning appeared on the desktop claiming, for example, that the computer had been locked in the course of a police or customs investigation and would only be released once a “fine” had been paid. To disguise who was really behind the lockdown, the perpetrators used the logos and names of various government agencies. Colloquially, these variants were therefore known as the BKA, BSI or GVU Trojans, after the German agencies whose names they abused.

Under the name CryptoLocker, ransomware with an encryption function appeared on a large scale for the first time in 2013: the malware encrypted user files of certain types using cryptographic methods, not only on local hard drives but also on connected network drives.

In today’s ransomware attacks, the ransom is usually demanded in a virtual currency such as Bitcoin, although payment does not guarantee the release of the encrypted data or blocked systems. Instead, the BSI recommends that those affected report the incident to the police immediately. The general advice to back up regularly is also an effective defense against ransomware, because in the event of an attack the data can be restored without paying a ransom. The backup must, however, be kept offline or otherwise out of the malware’s reach: ransomware also encrypts connected network drives, and a backup it can reach is encrypted along with everything else.

WannaCry: Several hundred thousand Windows systems affected worldwide

One of the largest waves of ransomware observed to date hit the headlines in May 2017: within just three days, the WannaCry malware encrypted data on more than 200,000 Windows computers in over 150 countries. In total, the program probably infected several million computers. On many of them, however, it did no harm, because analysts quickly activated a kill switch built into the malware: before encrypting, WannaCry checked whether a particular internet domain was reachable, and once a security researcher registered that domain the malware stopped encrypting on newly infected machines.

Contrary to what the common term extortion Trojan suggests, WannaCry was a worm: it spread on its own from one Windows computer to the next over the network, without any user interaction. This blurred the boundary between ransomware and “classic” worms.

WannaCry’s infection mechanism exploited a vulnerability in the SMBv1 file-sharing service of the Windows operating system for which Microsoft had already released a security update (MS17-010) eight weeks before the outbreak began. In other words, timely installation of this security update could in many cases have prevented the WannaCry infection and all the damage it caused.
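The check a Windows administrator would want after reading the paragraph above is whether a host still exposes the ingredients WannaCry needed: an enabled SMBv1 server reachable on TCP/445 and no MS17-010 update installed. The script below is an added example and not code from the original article or from the BSI; it uses only built-in Windows PowerShell cmdlets (Windows 8.1 / Server 2012 R2 or newer, run elevated). The default KB numbers are an assumption to be replaced with the MS17-010 KB IDs for the OS build being audited.

```powershell
# Added example (not from the original article): audit one Windows host for the
# exposure WannaCry exploited. Run in an elevated PowerShell session.
param(
    # Assumption: these are the MS17-010 KB IDs for Windows 7 / Server 2008 R2
    # (security-only and monthly rollup). Replace them for other OS builds.
    [string[]]$RequiredKBs = @('KB4012212', 'KB4012215'),
    # Pass -Remediate to disable the SMBv1 server protocol when it is enabled.
    [switch]$Remediate
)

$findings = @()

# 1. Is the SMBv1 server protocol enabled?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is ENABLED'
}

# 2. Is the SMB1Protocol optional feature installed? (Windows 10 / Server 2016+;
#    the cmdlet may fail on older builds, so tolerate errors.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += 'SMB1Protocol Windows feature is installed'
}

# 3. Is the SMB service actually listening on TCP/445? The worm needs a
#    reachable SMB endpoint to spread.
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listening) {
    $findings += 'SMB (TCP/445) is listening'
}

# 4. Is one of the required hotfixes present? Caveat: on Windows 10 the fix
#    shipped in cumulative updates that later updates supersede, so Get-HotFix
#    may not list these IDs on a patched build. Treat a miss as "verify the OS
#    build level", not as proof that the host is vulnerable.
$installed = Get-HotFix | Where-Object { $RequiredKBs -contains $_.HotFixID }
if (-not $installed) {
    $findings += "None of the expected hotfixes ($($RequiredKBs -join ', ')) found via Get-HotFix"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: SMBv1 disabled and an expected update is present'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}

# Optional remediation: switching off SMBv1 removes the protocol the worm spoke.
# Check dependencies first, because devices that only speak SMBv1 (very old NAS
# boxes, printers) will lose access to this host.
if ($Remediate -and $smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Output 'SMBv1 server protocol disabled'
}
```

Save it as, for instance, Check-SmbExposure.ps1 and run it without parameters for a report, or with -Remediate to disable SMBv1 on the spot. Disabling SMBv1 is the durable fix: it closes the attack surface regardless of which KB the vulnerability was patched under on a given build.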