In computer virology, advanced encryption algorithms, on the bright side, can be utilized to effectively protect valuable information assets of enterprises. Yet, on the dark side, they can also be of use for malicious attackers to conduct pernicious activities. This article attempts to discover the surreptitious features of ransomware and to address it in information systems security research. It intends to elicit attention from enterprises with regard to ransomware—a newly emerged cyber hijacking threat using such encryption technology as RSA—and to help both academic researchers and IT practitioners understand the technological characteristics of ransomware, along with its severity analysis. As ransomware infections continue to rise, and attacks employing refined algorithms become increasingly sophisticated, data protection faces serious challenges. This chapter draws a ransomware extortion scheme, compares ransomware with other malware, and discusses future trends and research directions in an effort to cater to both practitioners and researchers.
Today’s enterprises confront not only keen peer competition in the business world, but also increasingly sophisticated information security threats in the cyberworld, as online presence and business transactions are considered a possible profit-driven avenue and a necessary means for global competence. In computer virology, as technologies continue to evolve, advanced encryption algorithms, on the bright side, can be utilized to effectively protect valuable information assets of enterprises. On the dark side, however, they can also be employed by malicious attackers to conduct pernicious activities in search of profits or benefits. Past information systems security research has investigated such malware programs as Trojan horses, worms, and spyware from a plethora of scientific perspectives (Warkentin, Luo, & Templeton, 2005), and relevant strategies and tactics have been proposed to alleviate and eradicate the cyber threats (Luo, 2006).
Young and Yung (2004) indicated that future attacks will result from combining strong cryptography with malware to attack information systems. Very recently, the emergence of a new form of malware in cyberspace, known as ransomware or cryptovirus, has started to draw attention among information systems security practitioners and researchers. Posing serious threats to information assets protection, ransomware victimizes Internet users by hijacking user files, encrypting them, and then demanding payment in exchange for the decryption key. Seeking system vulnerabilities, ransomware invariably tries to seize control over the victim’s files or computer until the victim agrees to the attacker’s demands, usually by transferring funds to designated online currency accounts such as eGold or Webmoney or by purchasing a certain amount of pharmaceutical drugs from the attacker’s designated online pharmacy stores.
This chapter attempts to discover the surreptitious features of ransomware, and to address it in information systems security research. In an effort to cater to both security practitioners and researchers, the rest of this chapter is organized in four parts. Part 1 will address ransomware’s underpinning structures (recent statistics and attack methodologies of ransomware infection are also offered); Part 2 will compare the technological differences between ransomware and Trojan horses, worms, and spyware (a sample attack scheme will be listed to address the attacking process); Part 3 will discuss the future trend of ransomware in terms of technological sophistication level; and Part 4 will propose the recommendations for antiransomware.
In-Depth Analysis: How Ransomware Works
In the cyber world, computer users have faced certain types of threats such as worms, spyware, phishing, viruses, and other malware. Ransomware is an extortion scheme whereby attackers hijack and encrypt the victim’s computer files, and then demand a ransom from the victim to restore these files to their original condition. Kaspersky, one of the leading global antivirus companies, warned that ransomware is a serious threat, because there is no way to recover the affected data.
We thereby define ransomware as a piece of pernicious software that exploits a user’s computer vulnerabilities to sneak into the victim’s computer and encrypt all his/her files; then the attacker keeps the files locked unless the victim agrees to pay a ransom. In a typical ransomware attack, the attacker reaches into a compromised computer by seeking the exposed system vulnerabilities. If this system was victimized earlier by a worm or Trojan, the attacker can easily enter the weakly configured system. He then searches for various types of important files with such extension names as .txt, .doc, .rft, .ppt, .chm, .cpp, .asm, .db, .db1, .dbx, .cgi, .dsw, .gzip, .zip, .jpg, .key, .mdb, .pgp, .pdf. Knowing these files are of possible crucial importance to the victims, he then encrypts these files, making them impossible for the victim or owner to access. Later, the attacker sends the victim a ransom e-mail or pop-up window demanding payment for the encryption key that unlocks the frozen files.
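The attack pattern described above, in which many files with the listed extensions are overwritten with ciphertext in a short span, is also what a defender can watch for. The following Python detection example is added here and is not part of the original chapter; the event tuple layout, the thresholds, and the sample events are assumptions constructed for illustration.

```python
import math
import os
from collections import Counter, defaultdict

# Extensions copied as listed in the text above.
TARGET_EXTS = {".txt", ".doc", ".rft", ".ppt", ".chm", ".cpp", ".asm", ".db",
               ".db1", ".dbx", ".cgi", ".dsw", ".gzip", ".zip", ".jpg", ".key",
               ".mdb", ".pgp", ".pdf"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for ciphertext, much lower for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(before: bytes, after: bytes, high=7.0, jump=1.5) -> bool:
    """True when a rewrite turned structured content into near-random bytes.
    Already-compressed formats (.zip, .jpg) start high and will not trip this."""
    h0, h1 = shannon_entropy(before), shannon_entropy(after)
    return h1 >= high and (h1 - h0) >= jump

def flag_processes(events, window=60.0, threshold=3):
    """events: iterable of (timestamp, pid, path, before_bytes, after_bytes).
    Returns pids with >= threshold distinct target-extension files rewritten
    as encrypted-looking content inside any `window` seconds."""
    hits = defaultdict(list)
    for ts, pid, path, before, after in sorted(events, key=lambda e: e[0]):
        ext = os.path.splitext(path)[1].lower()
        if ext in TARGET_EXTS and looks_encrypted(before, after):
            hits[pid].append((ts, path))
    flagged = set()
    for pid, rows in hits.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward
            if len({p for _, p in rows[start:end + 1]}) >= threshold:
                flagged.add(pid)
                break
    return flagged

# Constructed sample data (hypothetical pids and paths, not real telemetry).
TEXT = b"Quarterly report draft. " * 40
CIPHER_LIKE = bytes(range(256)) * 4  # stand-in for ciphertext, entropy 8.0
SAMPLE_EVENTS = (
    [(float(i), 4242, f"C:/docs/f{i}{e}", TEXT, CIPHER_LIKE)
     for i, e in enumerate([".doc", ".txt", ".cpp"])]           # rapid burst
    + [(3.0, 1010, "C:/docs/notes.txt", TEXT, TEXT + b" edited")]  # normal edit
    + [(t, 3030, f"C:/docs/s{int(t)}.doc", TEXT, CIPHER_LIKE)
       for t in (10.0, 500.0, 1000.0)]                          # too slow to flag
)
```

With the default 60-second window only the burst from pid 4242 is flagged; widening the window also catches the slower writer, at the cost of more false positives from legitimate encryption or compression tools.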