Ransomware, a growing threat within the crypto sphere, and how to prevent it
By Inkarias - 2019-11-24
In recent years, a particular category of cyberattack has been heavily used within the crypto sphere: the encryption of sensitive data by so-called ransomware. While this type of attack is not new and has existed since the 1990s, the increasing use of digital currencies as a means of paying ransoms is regularly reported by journalists. Previous attacks such as WannaCry or NotPetya are examples. The bullish trend around cryptocurrencies has led to many frauds and attacks on users. Even though attacks of this kind are arriving more and more often, it is still important to know how to prevent them. In this document, we will introduce the notion of ransomware and how it works, and then set out some rules to protect the portfolio holding your crypto assets.
What is a ransomware?
Ransomware is a program used in a cyberattack to take control of a device (or of a computer system as a whole) and demand the payment of a ransom so that the user can regain access. The blackmail is usually carried out by encrypting data of value to the victim or by blocking access to computer resources. The appearance of the first ransomware can be dated to 1989, when a biologist, Dr. Joseph Popp, created PC Cyborg, better known as AIDS. It was a Trojan, a malicious program running in the background that allows the hacker to gain access to the target machine. The means of infection was the floppy disk: it presented an informational program about the AIDS virus, distributed free of charge to patients and medical institutions.
The model was quite simple: once installed on the target machine, PC Cyborg hid the directories on the C: hard disk and encrypted the names of the files present. The victim then had to pay a ransom of $189 to a post office box in Panama to recover their data. The encryption method used was symmetric cryptography, and cybersecurity experts were soon able to reverse the process by analyzing the source code of the malware. Dr. Popp was eventually caught after his paranoid behavior at an airport alarmed the authorities, and he was arrested.
Today, the methods used have evolved, and attacks of this kind pose a threat to both businesses and individuals. With the value associated with cryptocurrencies in recent years, some crypto holders and supporters, and even projects, have been subject to these attacks.
How a ransomware works
Without going into all the technical details, it is important to understand how ransomware works in order to guard against it. Current ransomware is grouped under the generic term "cryptovirus": the encryption methods now use public-key (asymmetric) cryptography, and the program behaves like a worm, as the infected machine will automatically spread the program within its network. The advantage of public-key cryptography for the attacker is that it is theoretically impossible for the victim to decrypt their files without the associated private key: that key is the object of the ransom exchange. Researchers Adam Young and Moti Yung formalized the term cryptovirology in a 1996 paper and broke down the protocol used by cryptoviruses into three phases: installation, victim response, and attacker response. We can now break these stages down a little more finely:
- Distribution - the initial phase, in which the ransomware is installed on the target machine(s).
- Infection - once installed on the victim's computer, the ransomware initiates various processes: persistence and/or replication mechanisms for the malware, destruction of backup files, and execution of the tasks necessary to establish communication with the hacker's server.
- Communication - once communication is established, the server generates the encryption keys and transmits them.
- Search - the ransomware then launches search processes inside the host machine to identify the files to be encrypted.
- Encryption - the program encrypts the data to prevent the user from accessing it or even starting the machine properly.
- Ransom Request - the program exposes the situation to the user, usually with a threatening message, and directs them to pay the ransom as soon as possible.
The malware distribution phase brings together every conceivable infiltration technique against a target machine, with a preference for the following:
- Social engineering: gaining access to the target machine by exploiting the human weaknesses in the system. The classic case: an employee receives a message from one of their managers asking them to update a program or consult a file. It is not their superior but a hacker who has impersonated them: the unsuspecting employee then runs a program, usually hidden in an attachment, which allows the cryptovirus to be deployed.
- Phishing: hackers also impersonate large multinationals, for example by masquerading as a well-known application such as Adobe Acrobat and recommending the installation of an update, which is in fact a program that installs the malware on the targeted machine. Phishing techniques are typically used by hackers to steal information, but in the case of ransomware it is only a matter of prompting the target to take the action that deploys the malware.
- Through advertising: malicious code is hidden in an advertisement (banner or pop-up) and redirects the user to a page containing the code required to deploy the ransomware (an exploit landing page).
- The well-known botnets: these are "zombie machines" that are already infected and will try to spread the malware within their network.
Once installed, the ransomware is active on the target machine and communicates with a server from which it obtains the public key used to encrypt the data: nowadays, ransomware uses communication protocols and encryption methods that prevent the exchanges from being traced (including HTTPS and Tor). The data is encrypted after contact with the server and receipt of the public key. The program generally selects file formats that maximize the probability of encrypting sensitive data (XLS, DOC, PPT, JPG ...). Once the encryption is done, the victim is notified, and the perpetrator offers to hand over the private key needed to decrypt the data for a certain amount of money. That amount must not be too high, so as not to discourage the victim immediately, nor too low, so as to maximize the proceeds of the ransom in case the victim places a crucial value on their data.
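As an added example (not code from the original article), the following Python check takes the defender's view of the encryption phase: a document or image of the formats named above that has lost its expected leading bytes and now shows the near-uniform byte distribution of ciphertext is a strong sign that it has been encrypted in place. The signatures are standard file-format magic numbers; the 7.5-bit threshold and the sample data are assumptions.

```python
import hashlib
import math
from collections import Counter

# Standard file signatures ("magic numbers") for the formats the article names
# as typical targets: legacy Office files are OLE2 containers, modern ones ZIP.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP = b"PK\x03\x04"
MAGIC = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "doc": (OLE2,), "xls": (OLE2,), "ppt": (OLE2,),
    "docx": (ZIP,), "xlsx": (ZIP,), "pptx": (ZIP,),
}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means all byte values are equally common."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess_file(name: str, data: bytes, threshold: float = 7.5):
    """Classify a file from its name and leading bytes -> (verdict, reason).

    Ciphertext has no recognisable header and near-uniform byte frequencies,
    so a missing signature plus high entropy is the signal. The 7.5-bit
    threshold is an assumption, not a value from the article."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = MAGIC.get(ext)
    if expected is None:
        return "unknown", f"no signature known for .{ext}"
    if any(data.startswith(sig) for sig in expected):
        return "ok", f"header matches .{ext}"
    entropy = shannon_entropy(data[:4096])
    if entropy >= threshold:
        return "suspicious", f"header missing, entropy {entropy:.2f} bits/byte"
    return "corrupt", f"header missing, entropy {entropy:.2f} bits/byte"

def scan(files: dict) -> list:
    """Return names of files that look encrypted, given {name: bytes}."""
    return [n for n, d in files.items() if assess_file(n, d)[0] == "suspicious"]

# Constructed samples (not real captures): a minimal JPEG header and a
# stand-in for ciphertext built from SHA-256 digests (not real encryption).
SAMPLE_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 60
SAMPLE_CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

if __name__ == "__main__":
    demo = {"photo.jpg": SAMPLE_JPG, "report.doc": SAMPLE_CIPHERTEXT}
    print("likely encrypted:", scan(demo))
```

A compressed archive or an already-encrypted container will also score high, so this check is a triage signal to combine with the backup and monitoring practices below, not a verdict on its own.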
Why Bitcoin and crypto currencies?
Contrary to popular belief, the anonymity of transactions is not the main reason why cybercriminals use Bitcoin. On the one hand, Bitcoin is only pseudo-anonymous: since transactions made on the blockchain are public, a Bitcoin address can very quickly lose its anonymity if some of its associated transactions involve addresses that are linked to an identity. On the other hand, converting the ransom into fiat currency is complicated, as most cryptocurrency/fiat exchange platforms incorporate a KYC process. The attacker's public address will be quickly identified, and any transfer of funds closely monitored. The main reason cybercriminals use Bitcoin to collect ransoms is therefore practical: Bitcoin transactions are fast, easy to make, and irreversible, so the criminal can quickly verify that the victim has made the payment.
What about the ransom?
With this type of attack, if the data is encrypted correctly, it is almost impossible for the victim to access it again without paying the ransom. Even after paying, the malicious hacker can always settle for the payment and never communicate the private key (this was notably the case with NotPetya). However, it is in the cyber-offender's interest to keep their promise if they intend to repeat the operation. Paying only encourages criminals using this means of extortion to continue and to develop ever more efficient methods. Providers of computer security solutions have tools to assess the harm a given cryptovirus can do: in some cases it is already obsolete and there are ways to decrypt the data without paying the ransom. If the victim has been careful to back up their data properly, the attack will cost them only the time needed to reinstall the system and restore the backups. It is therefore recommended not to pay the ransom, or to do so only as a last resort: the victim must ensure that this is the only way to regain access to their data, or at least that the cost of the ransom is lower than the financial losses inflicted by the corruption of the data or the cost of an intervention to restore it.
How to protect yourself against malware?
- Regularly back up your data to a location that is not in contact with a vulnerable system (any system connected to the Internet is by definition vulnerable).
- Always use the latest version of your operating system and apply security updates regularly.
- Make sure to regularly update all the software tools used on the system (browsers, Adobe Flash Player, Java ...).
- Protect your computer system with a powerful, up-to-date antivirus.
- Protect your system with a firewall, anti-spam software, anti-malware and an adblocker, and check the security and privacy settings of all applications.
- On the Internet, never open a suspicious link (unknown source, unreadable, masked or questionable). Many hackers first send links through Discord or Telegram channels.
- Never open an e-mail with attachments from an unknown sender. Where the sender is known, always check that it is not an impersonation by comparing names and addresses letter by letter, by examining their certificate ...
- Do not open Google documents from unidentified sources.
- Never enable the execution of macros for documents received by e-mail (this option is disabled by default in most e-mail programs, but the cybercriminal will try to talk the victim into enabling it).
- Always enable the display of file extensions (this can help spot a "disguised" file such as photo.jpg.exe).
- Do not enable Bluetooth/infrared wireless connections, file sharing, automatic execution of CD-ROMs/USB keys, or remote access services (RDP) unless necessary.