A KILL SWITCH to neutralize Ransomware attacks

Recently the computer servers of many companies and organisations in Europe, the United States of America (USA), Ukraine and Russia were paralysed by a ransomware cyber-attack dubbed “Petya”, a mass-scale cyber attack.

All the affected computers displayed a ransom note in which the attackers demanded US$300 in bitcoin as a ransom. Most of the damage caused by the Petya ransomware was to Ukrainian systems, which has led Ukraine to blame the Russian security services for the attack. But there is evidence that Russia’s largest oil conglomerate, Rosneft, was also hit by Petya.

This attack came a month after two other major ransomware attacks. One was the “WannaCry” ransomware cyber-attack; the other was the “Erebus” ransomware attack, in which the web-hosting company Nayana paid $1.5 million (397.6 bitcoin) in ransom to retrieve its customers’ data.

Now the question arises: what is ransomware?

Ransomware is malware that prevents the user from accessing their system. It does so either by encrypting files (crypto-ransomware) or by locking the system’s screen and thus denying access to the device itself (locker-ransomware). Ransomware was first deployed as a cyber-attack tool in 1989, when the AIDS trojan was distributed through snail mail. Once an infected machine had booted 90 times, the malware would begin hiding directories and encrypting filenames on the “C:” drive. Once it had finished, the victim was asked to renew their licence by contacting a random corporation. Upon contacting it, they would be instructed to send the payment to a post office box in Panama. A disk labelled “AIDSOUT”, containing the tools for system restoration, would then be released. The attacker used symmetric cryptography, so the computer experts who analysed the malware were able to reverse it easily.

In 2005 a new ransomware called “Gpcode” appeared, but its weak cryptographic algorithm meant it too could be decrypted easily. From 2009 until early 2013, locker ransomware was the most commonly deployed tool for extorting money.

But these attacks became less successful as people grew aware of malware and security vendors strengthened systems with tools that could blunt the effects of locker ransomware.

This pushed cyber criminals towards developing more sophisticated malware, which eventually resulted in crypto ransomware. Unlike locker ransomware attackers, crypto ransomware attackers are generally upfront about their demands and intentions: an extortion message is displayed on the screen stating that the data will be given back upon payment of a ransom.

Mostly the target systems for crypto ransomware attacks have been Microsoft Windows and Linux. Although Microsoft issued an emergency patch to protect devices running the Windows operating system, the WannaCry attack was actually halted by the accidental discovery of a kill switch in the ransomware’s code; unlike on Windows, finding such a kill switch on a Linux system is difficult.

Petya used the same exploits as WannaCry, but the difference between the two is that Petya has no built-in kill switch.

However, a “vaccine” has been found for Petya: Windows users can create a read-only file called ‘perfc’ in the “Windows” folder on the “C:” drive, which stops Petya from infecting the computer at all.

Most attacks prior to Petya were carried out by criminals for financial gain, but some characteristics of the Petya malware have raised doubts about whether the culprits are criminals or state actors, since the attackers who deployed Petya asked for less than $10,000 in bitcoin (roughly 3.7 bitcoin). These sums are meagre for a ransomware attack carried out on such a large scale, given that last year alone ransomware attackers pocketed $100 billion.

Whoever was behind the attacks, their intentions become evident with time. Ransomware attacks have started targeting both governmental and non-governmental critical infrastructure such as banks, airports, power grids and telecom networks. This calls not just for more user awareness at the micro level but for collective cyber-security mechanisms at a global level.

We have to take the threat of ransomware seriously and act before it hits our data.

Some easy steps to protect your data from ransomware attacks:

  1. Don’t store important data only on your PC.
  2. Keep two backups of your data: on an external hard drive and in the cloud – Dropbox/Google Drive/etc.
  3. Keep the Dropbox/Google Drive/OneDrive/etc. application on your computer turned off by default. Only open it once a day to sync your data, and close it once this is done.
  4. Keep your operating system and the software you use up to date, including the latest security updates.
  5. For daily use, don’t use an administrator account on your computer but a guest account with limited privileges.
  6. Turn off macros in the Microsoft Office suite – Word, Excel, PowerPoint, etc.
    In the browser
  7. Remove the following plugins from your browsers: Adobe Flash, Adobe Reader, Java and Silverlight. If you absolutely have to use them, set the browser to ask you whether you want to activate these plugins when needed.
  8. Adjust your browser’s security and privacy settings for increased protection.
  9. Use an ad-blocker to avoid the threat of potentially malicious ads.
  10. Never open spam emails or emails from unknown senders.
  11. Never download attachments from spam emails or suspicious emails.
  12. Never click links in spam emails or suspicious emails.
  13. Use a reliable, paid antivirus product that includes an automatic update module and a real-time scanner.
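As an added example (not part of the original post), the PowerShell below applies the ‘perfc’ vaccine described earlier and reports on steps 5 and 6 of the checklist: whether your everyday account sits in the local Administrators group and whether Office macros are switched off. It assumes it is run once from an elevated PowerShell on Windows 10 (Get-LocalGroupMember needs that), and that the Office VBAWarnings registry value is what backs the macro setting.

```powershell
# Added defensive helper, not code from the original post.
# Assumes an elevated session (writing into the Windows folder needs it) and that
# Office stores its macro setting as VBAWarnings under HKCU (1 = enable all,
# 2 = disable with notification, 3 = disable except signed, 4 = disable all).

function Install-PerfcVaccine {
    # The post's vaccine: a read-only file named 'perfc' in C:\Windows
    $path = Join-Path $env:windir 'perfc'
    if (-not (Test-Path $path)) {
        New-Item -Path $path -ItemType File -Force | Out-Null
    }
    # Read-only so it cannot be casually overwritten or deleted
    (Get-Item $path).IsReadOnly = $true
    $item = Get-Item $path
    [pscustomobject]@{ Path = $item.FullName; ReadOnly = $item.IsReadOnly }
}

function Test-DailyAccountIsAdmin {
    # Step 5: is the logged-on user a member of the local Administrators group?
    # Member names come back as DOMAIN\user or COMPUTERNAME\user.
    $me = "$env:USERDOMAIN\$env:USERNAME"
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    [bool]($members | Where-Object { $_.Name -ieq $me })
}

function Get-OfficeMacroSetting {
    # Step 6: one row per Office version/app present for this user.
    # A missing value means the Office default, which still prompts the user.
    foreach ($ver in '14.0', '15.0', '16.0') {
        foreach ($app in 'Word', 'Excel', 'PowerPoint') {
            $key = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"
            if (Test-Path $key) {
                $v = (Get-ItemProperty -Path $key -Name VBAWarnings `
                        -ErrorAction SilentlyContinue).VBAWarnings
                [pscustomobject]@{
                    Version     = $ver
                    Application = $app
                    VBAWarnings = $v
                    MacrosOff   = ($v -eq 3 -or $v -eq 4)
                }
            }
        }
    }
}

Install-PerfcVaccine
"Everyday account is a local Administrator: $(Test-DailyAccountIsAdmin)"
Get-OfficeMacroSetting | Format-Table -AutoSize
```

Run it as the account you use day to day (elevated via UAC) so that the Administrators check and the HKCU macro lookup describe that account rather than a separate admin profile.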
