Money or Data? The Ultimate Guide to Understanding Ransomware - Part I

Not long ago, a man committed suicide after an automatically generated notice from a computer virus threatened him with jail unless he paid a ransom thousands of dollars. The year was 2014. As incredible as the story seems, it marked the first known time a computer virus actually killed somebody. The next generations stole cash from users around the globe, and Cryptolocker raised the stakes – holding data of hundreds of thousands of users hostage. Despite successive short-lived take downs, the malware has made a comeback as CTB (Curve-Tor-Bitcoin) Locker.

This challenging breed of malware is continuously improving, reaching new levels of complexity as smartphones and tablets are increasingly used to store crucial personal and enterprise-level documents.

Bitdefender, the anti-malware solutions provider, zooms in on the subject to show how this type of virus works and to tell users how to prevent being locked out and extorted.

What is ransomware?

Ransomware is a type of malware that infects and locks a system until the user pays a fee to regain access to the data. Paired with server-side polymorphism and industry-grade delivery infrastructures, the malware can enter a system through a malicious downloaded file, a vulnerability in a network service or even a text message. Stay tuned to read an extensive article on how ransomware infects users` machines.

Why is it different from traditional malware?

• It doesn`t steal victim`s information, it encrypts it
• It demands a ransom, usually in Bitcoins.
• It`s relatively easy to produce”there are a number of well-documented crypto-libraries

Types of ransomware

Device lockers

This type of ransomware locks the device screen and displays a full screen image that blocks access to the device. The message demands payment, yet personal files are not encrypted.

File-encrypting ransomware

Some of the most notorious families of file-encryption ransomware include Cryptowall, Critroni and TorLocker.

File-encryptors like Cryptolocker encrypt personal files and folders such as documents, spreadsheets, pictures and videos. After infiltrating the machine, the malware contacts the command-and-control center to generate an encryption key to cypher each of the computer files using complex encryption algorithms. This will make the computer`s data unusable.

The malware then displays a message, often claiming to be from law enforcement agencies, to scare victims with threats of punishment and imprisonment unless they decrypt the data by paying (either through Bitcoin or a pre-paid cash voucher) before the stated deadline. Cyber criminals employ users’ computer IP information to show victims a localized version of the screen-blocking message. The same message sometimes threatens to delete the private key if the deadline is not met.

Some cyber-criminal groups are taking the business to a whole new level by anonymizing communication via TOR. TorLocker is a commercial ransomware toolkit sold on underground forums as an affiliate program. Renewable built-in keys allow TorLocker to encrypt files even if the victim`s PC is not online, while Tor-based communication makes it nearly impossible to shut down the operation.

“Things are getting worse, and we`re seeing more of these infections,” says Bogdan Botezatu, Senior E-threat Analyst at Bitdefender. “Once you fall victim to ransomware, there is absolutely no way to get your data back without paying. But, if you pay, you are only encouraging this business and funding their research and development. Sometimes, the criminals will take the payment and not release your data, leaving you without your money or your information.”