Wednesday, April 26, 2017

Ransomware 101

As a computer technician, I get asked about ransomware often and encounter it occasionally. It's probably one of the biggest threats to user data today, as it can affect all sorts of devices, including IoT devices and smartphones. Not only is it a nuisance, it's downright destructive to user data.

The ransomware trend started because of a big shift in the goals of cybercrime. When viruses and malware first appeared, they were written for recognition and for causing destruction. Nowadays malware producers and their products exist to make financial gains from their victims directly. This can be either by obtaining information to drain victims' bank accounts, or by locking them out of their computer and/or their files and waiting for them to pay the ransom (hence "ransomware").

Since ransomware is somewhat targeted, here are some attack vectors that ransomware typically uses:

  1. Email Attachments: This is by far the most popular. The majority of the time I see a ransomware victim, they've received an email that appears to carry a shipping label from a reputable shipping company, but it is a spoofed email. A trained eye can easily tell because shipping labels usually come in PDF format (with a ".pdf" at the end of the file name). The malware payload typically comes in ZIP, EXE, or JS format (".zip", ".exe", ".js" respectively).
  2. Social Media requests and files: This attack typically starts with someone sending a request to an employee within a target company and asking them to proofread a file. The file may have an alternate data stream and a macro to execute it.
  3. Advertising Networks: Some strains of ransomware have been spread on various advertising networks. Some advertising networks don't filter advertisers as well as they should, so advertising has become a big driver for all sorts of cybercrime lately.
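The "shipping label that is really a .zip/.exe/.js" pattern from item 1 is something mail gateways and help desks can check mechanically. Below is an added example (my own illustration, not code from the original post) that triages attachment filenames by their final extension, flags double extensions such as "Label.pdf.js", and looks inside a ZIP for executable members; the sample attachments are constructed in memory.

```python
import io
import os
import zipfile

# Extensions the post calls out as typical ransomware carriers vs. what a
# real shipping label is expected to be (assumed policy, adjust as needed).
EXECUTABLE_EXTS = {".exe", ".js"}
ARCHIVE_EXTS = {".zip"}
EXPECTED_DOC_EXTS = {".pdf"}


def split_exts(name):
    """All extensions of a filename, lowercased: 'Label.pdf.js' -> ['.pdf', '.js']."""
    parts = os.path.basename(name).lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify_name(name):
    """Verdict from the filename alone: allow / inspect / block / review."""
    exts = split_exts(name)
    if not exts:
        return "review"            # no extension at all: leave to a human
    final = exts[-1]               # the OS honours only the last extension
    if final in EXECUTABLE_EXTS:
        return "block"             # covers the 'Label.pdf.js' double-extension lure
    if final in ARCHIVE_EXTS:
        return "inspect"           # need to look at the members
    if final in EXPECTED_DOC_EXTS:
        return "allow"
    return "review"


def classify_attachment(name, data):
    """Return (verdict, suspicious_members) for an attachment's name and bytes."""
    verdict = classify_name(name)
    if verdict != "inspect":
        return verdict, []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return "block", []         # claims to be a ZIP but is not: treat as hostile
    # Executables or nested archives inside the ZIP are what ransomware droppers use.
    bad = [m for m in members if classify_name(m) in ("block", "inspect")]
    return ("block" if bad else "allow"), bad


def build_sample_zip(members):
    """Constructed test data: build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()
```

Content-type sniffing (magic bytes) and macro inspection would be the next layer; this only encodes the extension rule the post describes.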