The health of ransomware
15/05/2017

Last week’s cyber attacks on the NHS, and across the world, were the latest in a long line of ransomware attacks, something that is fast becoming one of the most common cyber threats on the Internet. Ransomware is the name given to a class of cyber attacks that encrypt the files on a victim’s computer. The ransomware will then demand a payment from the victim in order to decrypt the files, essentially holding the victim’s data to ransom. Traditionally, these attacks have targeted documents, photos and videos on the victim’s machine and, while the malware doesn’t remove the files from the device entirely, the encryption is so strong that they are effectively inaccessible. However, if the ransom is paid, the victim is given a decryption key and, in turn, access to all of their files.
One of the most attractive things about ransomware is that it effectively bypasses a number of the problems faced by cybercriminals. For example, the black market for stolen credit cards has largely collapsed, so generating tangible real-world value from cyber attacks is becoming increasingly difficult. As our economy becomes more focused on information, and our own daily lives become more information-dependent, it is no surprise that we now place such a high price on our own information. What price would you put on your photos of your children growing up, or what price would an organisation place on its key documents? Of course, it would be possible for a cyber criminal to sell this information to a competitor, but that would involve a lot of complicated interactions and a risk to the anonymity of the criminal.
How do the cyber criminals extract money?
Ransomware only needs a connection between the victim and the distributor of the ransomware; there is no requirement for trusted go-betweens, hence the appeal of this malware for cyber criminals. One of the keys to enabling this form of crime is the ability for attackers to receive money but still remain ‘anonymous’; for most ransomware this is through Bitcoin. Bitcoin is an entirely digital currency that I’ve talked about before on this Cranfield blog. Whilst it is anonymous (in that accounts can’t be tied to individuals), it is public, in that it is possible to see every transaction. In fact, there are several wallets associated with particular variants of ransomware that contain over £5 million worth of Bitcoins.
The last year has seen ransomware authors become increasingly inventive. For example, they have begun to target a wide range of devices, including smartphones, tablets and internet-connected TVs. There have even been demonstrations of ransomware targeting the systems used to run machinery in factories and power plants. As holding personal photos and videos to ransom is a very emotive attack, it is also not surprising that this human element has been preyed upon. For example, the ‘PopcornTime’ malware will decrypt your files for free if you infect two other people with the ransomware and convince them to pay – a clearly well-thought-out game-theory tactic.
The piece of malware that has resulted in significant compromises within the NHS, amongst other large networks, is named WannaCry or WannaCrypt and has two main phases to the attack: an initial exploit (that ‘breaks into’ the computer) and the ‘payload’ that performs the encryption and manages the victim’s experience, which includes notifying the victim of the infection, payment and then decryption. Interestingly, the initial exploit is from a set of NSA (National Security Agency) tools that were leaked by the ‘Shadow Brokers’ group. This exploit has been copied from these tools, designed for national security applications, and repurposed for criminal activity.
Why can’t the authorities stop this?
Before laying the blame at the NSA’s door, it is also important to understand that when these hacking tools were leaked, Microsoft looked at the tools and created an update for Windows that effectively rendered this exploit ineffective. This update was published in March with a Critical status, indicating the severity and importance of applying it. In September last year, both Microsoft and US-CERT strongly recommended upgrading the version of the file-sharing protocol that this exploit targets; again, following this advice would mean that the attack was ineffective.
Victims of this cyber attack have potentially ignored the advice of US-CERT and Microsoft from over eight months ago, have not applied critical updates that were released two months ago, or are still using Windows XP, a version that reached the end of its support from Microsoft in April 2014.
It has become apparent that a kill switch has been found that stops the spread of this infection; this is essentially a way of turning off the malware. Before spreading itself, the ransomware checks whether a particular website exists; if it does, the malware does not run. A researcher found mention of this website within the code for the malware and purchased it – inadvertently stopping the spread of the ransomware. This is too late for those already infected, but it should buy some time to allow those who are not up to date to install the critical software patches from two months ago.
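The kill-switch behaviour described above also gives defenders a detection signal: any host that looks up the kill-switch domain has already run the malware, even if the domain resolved and the payload stopped. As an added example that is not part of the original post, the script below parses constructed BIND-style DNS query log lines and reports those hosts; the domain name is an assumed placeholder, since the real one is not named here.

```python
import re
from collections import defaultdict

# Assumed placeholder for the kill-switch domain found in the malware;
# the real domain is not given on this page.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed sample DNS query log lines (BIND-style), not real data.
SAMPLE_DNS_LOG = """\
15-May-2017 09:01:12.301 client 10.0.5.21#51234: query: killswitch-domain.example IN A + (10.0.0.53)
15-May-2017 09:01:13.002 client 10.0.5.21#51240: query: www.example.org IN A + (10.0.0.53)
15-May-2017 09:03:44.118 client 10.0.7.9#49152: query: KILLSWITCH-DOMAIN.EXAMPLE IN A + (10.0.0.53)
15-May-2017 09:04:01.550 client 10.0.5.21#51301: query: killswitch-domain.example IN A + (10.0.0.53)
15-May-2017 09:10:30.007 client 10.0.8.2#40001: query: mail.example.org IN MX + (10.0.0.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_dns_log(text):
    """Yield (timestamp, source IP, normalised query name) from BIND-style query log lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Normalise case and trailing dot so variants of the same name compare equal.
            yield m.group("ts"), m.group("src"), m.group("qname").rstrip(".").lower()


def find_kill_switch_lookups(text, domain=KILL_SWITCH_DOMAIN):
    """Return {source_ip: [timestamps]} for hosts that looked up the kill-switch domain.

    A lookup means the malware already executed on that host and reached its
    pre-spread check. If the domain resolved, the payload stopped, but the host
    is still infected and needs the critical patch and an investigation.
    """
    hits = defaultdict(list)
    for ts, src, qname in parse_dns_log(text):
        if qname == domain.lower():
            hits[src].append(ts)
    return dict(hits)


if __name__ == "__main__":
    for host, times in sorted(find_kill_switch_lookups(SAMPLE_DNS_LOG).items()):
        print(f"{host}: {len(times)} kill-switch lookup(s), first at {times[0]}")
```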
How to protect yourself from a cyber attack
Ransomware is not going to go away and most analysts believe it is only going to increase, so it is important to protect yourself. Luckily, most ransomware can be prevented by employing basic cyber hygiene: run anti-virus software, update your operating system and applications (yes, this includes Adobe PDF reader and Microsoft Office!), regularly back up your files and be careful with links sent in emails. This simple advice will help you deal with the majority of threats you are likely to face. If you are an organisation, consider the NCSC’s advice, with guidance such as the 10 Steps to Cyber Security or Cyber Essentials. Whilst these won’t protect you against all possible threats, if you followed this advice you would not be vulnerable to this WannaCry attack.
If you are a victim of ransomware, the standard advice is do not pay – this can be a difficult decision to make, particularly as the malware often involves a countdown timer designed to make the victim nervous and force a rushed decision. The NoMoreRansom initiative provides a number of decrypters for particular ransomware variants, so you may be able to decrypt your files without paying the criminal.
Dr Duncan Hodges and Dr Oliver Buckley, Information Operations Group, Centre for Electronic Warfare, Information and Cyber, Cranfield Defence and Security