Ransomware: a threat to the present and the future

Ransomware has become an increasingly prominent threat to cyberspace security globally and the recent statistical data collected would seem to confirm this trend also for the years to come.

 

What is ransomware and how it works

The term “ransomware” refers to a type of malware that limits access to the device it infects, requiring a ransom to be paid to remove the limitation. Some forms of ransomware, for example, block the system and order the user to pay to unlock it, whereas others encrypt the user’s files instead, asking the user to pay a sum to make the files readable again. There are of course many variations of ransomware, but the basic mechanisms are almost always the same.

The driving force behind ransomware attacks is, in fact, almost always monetary and, unlike other types of cyber-attacks, the victim is usually notified that an intrusion has occurred and instructions are provided on how to obtain the recovery of infected systems. Payment is very often requested in a virtual currency, such as bitcoin, so that the identity of the cybercriminal is not as easily identifiable.

As for the transmission of the infection, there is a wide range of channels that can be exploited to spread this type of malware. Phishing is certainly the most widespread, but carriers that exploit browsing on compromised sites and browser vulnerabilities are also suitable for transmission to convey malware through “drive by download” or the use of bridgeheads such as advanced Emotet framework.

The malware then performs a payload, which can encrypt the files on the hard disk (normally through an asymmetric encryption system, with a public and a private key), or simply limit interaction with the system, acting on the Windows shell and making it inoperative and controlled by the malware itself, or even modifying the master boot record and / or the partition table preventing the operating system from starting.

 

The spread of ransomware

The first ransomware in history was the AIDS trojan, also known as “PC Cyborg”, written in 1989 by biologist Joseph Popp. Since then, ransomware has spread more and more, with some cases rising to the headlines for their effectiveness and for the economic damage caused. Among the best known there is certainly “CryptoLocker“, a ransomware released in 2013, which was extremely difficult to eliminate and estimated to have extorted at least 3 million dollars before its removal. The 2017 WannaCry attack is considered to be the largest ransomware attack ever, with over 230,000 computers infected in 150 different countries.

These are remarkable numbers, which explains why this type of attack is spreading more and more. In fact, the Clusit 2020 report showed that in the last year there has been an increase of + 23% in cases of ransomware, with a percentage frequency equal to almost half (46%) of all types of malware analyzed. Furthermore, according to the latest reports, Italy in 2019 is the second most affected country in Europe, after Germany, with 12.68% of cases across the continent.

 

The future scenario and possible countermeasures

The spread of IoT devices, cloud services and the increase in digitalization caused by the Covid emergency further increased the dangerous potential of these malwares, leading them not only to undermine the safety of commonly used devices, but also to compromise services and entire corporate networks, as in the recent case of the Italian company Geox, whose communication systems have been blocked for some time by a ransomware.

So if you are sure that ransomware will continue to be one of the main cyber threats of the future, you need to start preparing effective security systems and protocols. In particular, considering that these attacks are more likely to succeed if they manage to pass the first reconnaissance phase, it is absolutely necessary to develop and use systems that are able to promptly detect the indicators of an ongoing attack, allowing one to intervene before the given malware can compromise your systems.

The simplest and most effective defense strategy remains, however, to keep a safe copy of the files, adequately guarding the files through regular backups made preferably with offline or cloud solutions. As always in the world of cybersecurity, it is almost impossible to guarantee absolute protection, but it is clearly possible to develop a system that can greatly mitigate exposure to risk.