The purpose of ransomware is to devastate, and it becomes more popular with each successful attack.  Ransomware has evolved beyond random attacks on gullible victims and has grown into a full-fledged business of profiteering.  The modern cybercriminal who perpetrates ransomware attacks is smug, efficient and entrepreneurial.

Ransomware used to be straightforward: threaten or trick a victim into paying a fee and then disappear before the user realized that they weren’t getting their files back.  Recently, this has changed; cybercriminals have realized that it is more profitable to adopt traditional customer service and marketing techniques.  Many types of malware now come complete with detailed instructions on how to pay the ransom. Directions are often translated into multiple languages to maximize the pool of potential targets.  Cybercriminals have also changed their overall strategy, and many will now provide valid decryption keys to victims who pay their ransom.  The reason why?  It’s good business sense.  A victim who pays and recovers their files is likely to do so again, or better yet, tell others about the experience.

As ransomware attacks become more sophisticated you might wonder what an infected user will have to go through.  Below we have attached a case study of a user who decided to give into ransom demands.

The user discovered that many of their files had been encrypted and converted to an unreadable format.  The encrypted files included .docx, .xls, .ppt, .pdf, .eps, .ai, .indd, .mp3, .jpg and .log files.  The encrypted .log files meant that data could not be restored easily from a backup, and even registry entries had been corrupted.  To make matters worse, the infected system had lost its ability to connect with Group Policy Services, which meant all admin privileges had been revoked on the system.

With no easy fix in sight, the victimized user looked into the ransom demands.  Included with his locked data files was a simple text document shown below:

This text file was added to every directory that contained the user’s encrypted files.

The victim decided to play along and contact the hacker.  The hacker promptly replied with instructions on how to make a payment with a type of digital currency known as Bitcoin.  Bitcoin is the popular choice for ransomware payments because it is virtually impossible to trace and once a payment goes through, it can’t be reversed.

The hacker exchanged a number of emails to ensure that the victim knew how to secure the Bitcoin currency.

The actual process of securing the Bitcoin proved difficult.  Bitcoin is a purely digital currency and can only be acquired through specialized vendors.  Many Bitcoin vendors put blocks in place to prevent charge-backs, which makes it difficult to purchase with most credit cards.  While reputable online vendors do exist, such as PayPal, it is not uncommon for even them to put holds on accounts due to suspicious Bitcoin activity.

Eventually it was discovered that Bitcoin could be purchased from a local ATM-like machine called Coinbase.  The machine looked like any standard ATM but only accepted payment in USD and BTC.  An individual from the hacked company was chosen to make the exchange; these are his words:

I’ve heard of Bitcoin but knew nothing about it. I was assured by the tech people and some European friends that it wasn’t as shady as I thought it was. They said it’s used more widely in other countries. I set up an account online using a throw-away email address.

What struck me was that there existed bitcoin “ATMs” in our city where cash would be applied to an account and the hijacker would just withdraw the money as “Bitcoins.”

We checked out a site where one of the Bitcoin ATMs was located in midtown NYC. My apprehension heightened when I had to pass a group of loud, arm-flailing men outside of a bodega. Mind you, I’m carrying cash, and although I’ve walked around NYC carrying cash in my pocket countless times, this time I felt like everyone knew what I was doing. I kept my head down as I went into the bodega and saw a regular ATM right in front. The Bitcoin ATM was way in the back of the store. I nervously put the necessary information in and fed it my cash – printed a receipt, of course. I checked my Bitcoin account with my cellphone and saw the money was there. Then the info was sent to the hijacker, whereupon the encryption instructions were sent to me and our files were released.  I couldn’t help feeling that I was taking part in something criminal.

After the transaction was processed, the hacker delivered the decryption file required to unlock the computer.  The hacker also included his own advice on how to prevent infection in the future.  The closing email had an almost jovial tone to it, as if the whole ransomware attack was just business as usual.

Ransomware is just business as usual for the hacker.

When you pay the ransom, you give complete control of your business to a stranger who has little incentive to keep his word.  Instead, consider this: ransomware can be avoided with disciplined design, maintenance and monitoring.  Be diligent about security; one cut corner in the wrong place can make for an extended system outage or worse.  As long as you do not become complacent about security, you can protect your business from ransomware.
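The monitoring the closing paragraph calls for can key on the two artifacts the case study describes: a ransom note text file dropped into every directory holding encrypted files, and documents rewritten into unreadable ciphertext. The scanner below is an added example, not code from the original post or from the incident; the note filename, the entropy threshold and the sample directory tree are constructed assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed indicators: the note filename is a hypothetical placeholder, not
# the name used in the incident described above.
NOTE_NAME = "HOW_TO_DECRYPT.txt"
ENTROPY_THRESHOLD = 7.5  # bits per byte; ordinary documents sit well below this

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_tree(root: str, note_name: str = NOTE_NAME) -> dict:
    """Report directories showing both indicators: the ransom note is present and
    at least one sibling file has ciphertext-like entropy. Returns {dir: [files]}."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if note_name not in files:
            continue
        suspicious = []
        for name in files:
            if name == note_name:
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                head = fh.read(65536)  # a prefix is enough to judge entropy
            if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                suspicious.append(name)
        if suspicious:
            hits[os.path.basename(dirpath)] = sorted(suspicious)
    return hits

def build_sample_tree(root: str) -> None:
    """Constructed tree: one untouched folder and one folder hit by the 'attack'."""
    clean = Path(root, "clean"); clean.mkdir()
    (clean / "notes.txt").write_text("quarterly report draft " * 200)
    hit = Path(root, "finance"); hit.mkdir()
    (hit / NOTE_NAME).write_text("Your files are encrypted. Contact us to pay.")
    (hit / "budget.xls").write_bytes(os.urandom(4096))  # stand-in for ciphertext
    (hit / "readme.txt").write_text("plain text the malware skipped " * 100)

def run_demo() -> dict:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)
```

Run against a real share, only the note-plus-ciphertext combination is reported, so a folder that merely holds compressed archives or a stray text file does not trigger an alert on its own.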