#665 How does Ransomware work?

How does Ransomware work?
Photo by Pixabay: https://www.pexels.com/photo/blur-bright-business-codes-207580/

How does Ransomware work? By infecting the computer, encrypting all the files, and then trying to sell the victim the decryption key.

The first ever ransomware was created in 1989, by an evolutionary biologist at Harvard called Dr. Joseph Popp. To this day, nobody knows why he made it. The Internet wasn’t as extensive then as it is now, so the creator made the ransomware on floppy disks and physically mailed them to a mailing list. He posted 20,000 floppy disks. When the floppy disk was inserted, the ransomware only encrypted the file names, leaving the data intact. The ransomware wasn’t very successful because the decryption key could be found inside the script. However, since then, ransomware has evolved. There is no way of knowing an exact figure, but it is thought that ransomware earns cybercriminals over $1 billion a year and costs over $40 billion in damage and loss. There is thought to be a ransomware attack every 11 seconds. The damage and having to reinstall the whole system after a ransomware attack costs organizations far more than the ransom demand, which is why so many organizations pay up. However, as with any crime, the more money the criminals make, the more ransomware attacks there will be.

So, how does ransomware work? There are methods where the criminals gain access to the computer networks, but I want to look at the type that install themselves automatically. The first step for any attack is to get the code onto the victim’s computer. This is usually done through a message that the user is likely to click on. Criminals are getting better at these emails and a lot of them look like regular emails from companies such as Amazon or banks. The mail will ask the user to click on a link and then try to get them to download software, which is the ransomware. It is possible to get the ransomware to download automatically when someone visits a site, but this is less likely these days because browsers are far more secure than they used to be.

Once the ransomware is on the computer, it starts encrypting all of the files on the computer. Computers are designed to be able to encrypt files, so this is not very difficult for the ransomware to do. Some types of ransomware also encrypt or delete backups so the data cannot be restored. They are designed not to encrypt files that are necessary for the running of the computer. The software then posts a notice on the computer saying it has been attacked by ransomware and explaining how the victim should pay. It is usually done through Bitcoin because it is untraceable. If the victim pays, the cybercriminals send the decryption key so the data can be decrypted. If the victim doesn’t pay, the data is lost.

How does the encryption and the key work? When the ransomware code is written, the criminals generate a key pair. They put the public half of the key in the code and they keep the private half. The two halves of the key are really large prime numbers that are mathematically related to one another. A computer can work out that the two halves of the keys match in microseconds, but trying to work out what private key number matches the public key is almost impossible. It would take a computer trillions and trillions of years. Private keys are often 256 characters long and more secure ones are 512. For a regular computer to crack a 256 character code, it would have to go through every possible letter, number, and character. It could check 160,000,000,000,000,000,000 combinations a second, which sounds like a lot, but it still means the computer will need 12,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 years. Incidentally, a quantum computer could do that inside a day.

The software encrypts all of the data on the computer using a unique code. For example, A=2, B=3, but far more complicated. The software then saves this code on your computer in a text file and then locks it with the public half of the criminal’s key. The decoding key is saved on your own computer, but there is no way for you to open it because the private key is too hard for any computer to work out.

When you pay the ransom, you send the decoding key file that is saved on your computer. The criminals confirm that you have paid and they use their private key to unlock the file. Then they send the decryption key back to you. You can use this to decrypt all of the data on your computer. If you don’t pay, the decryption key is on your computer but you cannot open it and will never get your data back. And this is what I learned today.

Photo by Pixabay: https://www.pexels.com/photo/blur-bright-business-codes-207580/

Sources

https://en.wikipedia.org/wiki/Ransomware

https://www.checkpoint.com/cyber-hub/threat-prevention/ransomware/

https://www.digitalguardian.com/blog/history-ransomware-attacks-biggest-and-worst-ransomware-attacks-all-time

https://nsfocusglobal.com/a-look-into-source-code-of-paradise-ransomware-a-custom-built-virus-2/

https://www.techtarget.com/searchsecurity/definition/public-key

https://www.quora.com/About-how-long-would-it-take-my-algorithm-to-crack-guess-a-256-bit-encryption