Mariia Mazokha, Polina Fitsak, IE, group 110i, KNEU
Cybercrime of the future today: Ransomware Attacks
It is an undeniable fact that cybercrime and, in particular, ransomware attacks are a real threat to network users. The main danger is that not only ordinary users are harmed, but also large companies whose activities are impossible without modern technology, computers and data storage on the Internet. This interested us as researchers, so in the course of writing, based on an analysis of the available materials, we identified the main types of this malware, investigated the measures that should be taken if you become the victim of an attack, and examined the measures taken by the government to protect citizens from cyber-fraud.
The purpose of this work is to research this type of malware, the areas it affects, the largest cases of its use, and methods of protection against similar threats.
The relevance of the topic stems from the constant expansion of modern technology into all spheres of human life and the new requirements that society places on computers and technical safety as this area develops.
In the course of the research, the following tasks were performed: analysis of sources on the subject; identification of the types of ransomware attacks on the basis of that analysis; development of protection algorithms against this threat using various methods and programs; and a search for the rules that regulate this activity in the legal sphere.
1.1. The concept of ransomware and how it works.
Ransomware is a type of malware that belongs to cryptovirology, the discipline that studies how cryptography can be used in malware development and in cryptanalysis; it originated when it was discovered that public key encryption could be used to create malware.
The ransomware (or extortionist virus) itself threatens to publish the victim’s data or permanently block access to it unless a ransom is paid. While some simple ransomware locks the system in a way that an experienced person can easily reverse, more advanced malware uses a technique called cryptovirus extortion, in which it encrypts the victim’s files, making them inaccessible, and demands a ransom to decrypt them.
There are several ways for ransomware to reach a computer. One of the most common delivery methods is phishing spam: an attachment arrives in an e-mail disguised as a file the victim is expected to trust. Once downloaded and opened, it can take over the victim’s computer, especially if it contains social engineering tricks that persuade the user to grant administrative access. Other, more aggressive forms, such as NotPetya (discussed in more detail below), exploit security holes to infect computers without deceiving the user at all.
In a well-organized cryptovirus extortion attack, recovering the files without the decryption key is an intractable problem, and digital currencies such as Ukash or Bitcoin are used for the ransom, making it difficult to trace and prosecute the criminals.
1.2. The concept of encrypting ransomware files
The concept of encrypting extortion files was invented in 1996 by Adam Young and Mordechai (Moti) Yung at Columbia University, who presented it at the IEEE Security & Privacy conference. It is called cryptovirus extortion, and it was inspired by a fictional killer in the film Alien. Cryptovirus extortion is the following three-round protocol:
– [Attacker → victim] The attacker generates a key pair and places the corresponding public key in the malware.
– [victim → Attacker] To carry out a cryptovirus ransomware attack, the malware generates a random symmetric key and encrypts the victim’s data with it. It then uses the public key embedded in the malware to encrypt the symmetric key, and erases both the symmetric key and the original data so that they cannot be recovered. It shows the user a message containing the asymmetric ciphertext and instructions on how to pay the ransom. The victim sends the asymmetric ciphertext and e-money to the attacker.
– [Attacker → victim] The attacker receives the payment, decrypts the asymmetric ciphertext with the attacker’s private key, and sends the symmetric key to the victim. The victim decrypts the encrypted data with that symmetric key, thus completing the cryptovirus attack.
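As an added illustration (not from the paper, nor Young and Yung’s code), the three rounds above simulated in Python over an in-memory byte string: a toy RSA key pair built from two fixed Mersenne primes stands in for the attacker’s key pair, and a SHA-256 counter keystream stands in for the symmetric cipher; those choices are assumptions made for readability, not secure parameters. The defender’s takeaway is what the victim holds after round 2: ciphertext plus a key wrapped under a public key whose private half never left the attacker, which is why an offline backup is the only independent recovery path.

```python
import hashlib
import secrets

# Toy RSA modulus from two fixed Mersenne primes (assumed for illustration; far too small for real use).
P = 2**127 - 1
Q = 2**89 - 1


def attacker_keygen():
    """Round 1: the attacker generates a key pair; only the public half (n, e) travels in the malware."""
    n, e = P * Q, 65537
    d = pow(e, -1, (P - 1) * (Q - 1))
    return (n, e), (n, d)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: SHA-256 counter keystream XORed with the data (toy, self-inverse)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def round2_on_victim(pub, plaintext: bytes):
    """Round 2: fresh random symmetric key, data encrypted under it, key wrapped under the public key.
    Only the ciphertext and the wrapped key are returned; the symmetric key and plaintext are not kept."""
    n, e = pub
    sym_key = secrets.token_bytes(16)
    ciphertext = keystream_xor(sym_key, plaintext)
    wrapped_key = pow(int.from_bytes(sym_key, "big"), e, n)
    return ciphertext, wrapped_key


def round3_on_attacker(priv, wrapped_key: int) -> bytes:
    """Round 3: only the holder of d can unwrap the symmetric key."""
    n, d = priv
    return pow(wrapped_key, d, n).to_bytes(16, "big")


def victim_recover(ciphertext: bytes, sym_key: bytes) -> bytes:
    return keystream_xor(sym_key, ciphertext)


def simulate(plaintext: bytes = b"constructed sample: quarterly ledger") -> dict:
    """Run the three rounds and show the asymmetry the victim faces after round 2."""
    pub, priv = attacker_keygen()
    ct, wrapped = round2_on_victim(pub, plaintext)
    # Without round 3 the victim holds ct and an RSA-wrapped 128-bit key: guessing the key is
    # infeasible (a zero key is tried here as a stand-in), so only a pre-infection backup helps.
    guess = victim_recover(ct, bytes(16))
    with_key = victim_recover(ct, round3_on_attacker(priv, wrapped))
    return {"without_private_key": guess == plaintext, "after_round3": with_key == plaintext}
```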
The biggest ransomware attacks
Over the years, extortionist hackers have created new viruses and carried out their attacks with growing success. This activity peaked in 2017 and then declined as cryptocurrency miners grew in popularity. Ransomware attacks of various kinds have made the news throughout this long period. These are some of the most notable:
- Hollywood Presbyterian Medical Center. The hospital’s computer system was hit by an extortion virus called Locky. The president and CEO said the attack was accidental, while Symantec said that Locky is usually spread through a malicious Microsoft Word document disguised as an invoice. It was not disclosed who sent the message or who opened it. An internal emergency was declared immediately and the computer system was shut down. Some departments were ordered not to turn on their computers at all, and some patients were redirected to nearby hospitals.
- San Francisco MTA. Hackers managed to infect and take over more than 2,000 computers used by the San Francisco public transport system, forcing the Municipal Transportation Agency to open the fare gates and let passengers ride for free. The San Francisco MTA representative declined to comment. Other MTA machines were also affected, disrupting e-mail and payment services but not core operations, which allowed the trains to keep running without fare collection.
- WannaCry. The mass spread of WannaCry began in May 2017 – some of the first computers were attacked in Spain and then in other countries. Russia, Ukraine and India led in the number of infections. In a short time, a total of 500,000 computers belonging to individuals, businesses and government agencies in more than 200 countries were affected by the worm. Its spread halted the work of hospitals, airports, banks, factories, etc. Early versions of the program included a self-destruction mechanism (a kill switch): the program checked whether two specific Internet domains were reachable and, if they were, removed itself from the computer entirely. This was first discovered by Marcus Hutchins on May 12, 2017, and he registered one of the domains in his name, which temporarily and partially blocked the spread of that modification of the malware. The second domain was later blocked as well.
- NotPetya/GoldenEye. The program encrypts files on the victim computer’s drive and overwrites and encrypts the MBR, the data needed to boot the operating system, making the files inaccessible. The first version of the virus did not encrypt the files themselves but the MFT table, a database with information about all files stored on the disk. Paying the ransom is useless, since the 2017 version of Petya provides no way to decrypt the information on the hard drive and instead destroys it irrevocably.
- Bad Rabbit. A file-encrypting virus for Windows operating systems, detected on October 24, 2017. According to analysts, some of its fragments resemble the NotPetya virus. For the initial installation, the virus must be downloaded and run manually by the user, and it requests elevation through Windows UAC. After installation, the application registers a job in the standard task scheduler and begins to spread across the local network over remote SMB and WMIC connections, intercepting tokens and passwords with the Mimikatz utility and trying NTLM passwords for several common usernames on remote Windows hosts.
What to do?
In an era when public authorities, banking institutions, private companies and individuals depend de facto on computer technology, the topic of ransomware attacks is becoming increasingly important. The situation peaked in 2017, when the Petya.A virus became a real shock and disaster for many Ukrainian companies and ordinary citizens. That is why representatives of the SBU and the team of the State Service for Special Communications and Information Protection of Ukraine published their recommendations on protection against possible cyber attacks. Unfortunately, the danger cannot be eliminated completely, but following these recommendations can significantly reduce the risks.
1. Make sure that all the latest updates are installed on the system.
Every operating system receives periodic updates, many of which are security-related. It is therefore advisable to always run a system that has received the latest updates. This can significantly reduce the risk of a ransomware attack.
2. Think about choosing an operating system
As much as Microsoft supporters may object, Windows is much more vulnerable to hacking and viruses than Mac OS or the various Linux distributions. The point is not so much that *nix systems have a more advanced architecture (although many are sure they do), but that Windows is more common and therefore a more attractive target for attackers. Thus, it is safe to say that by buying a MacBook or installing Linux on your computer, you reduce the risk of file corruption.
3. Use good antiviruses.
This information mostly concerns Windows machines, although the days when no antivirus was needed at all on Mac OS and Linux are long gone. Companies that develop commercial antiviruses care about their reputation and try to respond quickly to threats by updating their products.
4. Make backups.
All important data must be backed up. Moreover, CERT-UA specialists recommend storing particularly valuable data in storage that is not connected to the Internet. This reduces the chances of intruders reaching it without physical access to the storage.
5. Users must be careful
The recommendation not to open attachments in letters from unknown addresses has existed almost since the advent of e-mail. And yet this is still one of the most popular ways to spread viruses. It is also necessary to be cautious when clicking on links from unknown senders; sometimes that too has consequences.
6. Sysadmin’s vigilance
The role of enterprise system administrators is very great. At the first signs of a cyberattack, sysadmins must make sure the network is disconnected from the Internet and that storage holding important data is taken offline. Sometimes a physical shutdown is the best way to keep the data safe. For such tasks, companies run “red team” exercises and engage “white-hat” (or “ethical”) hackers. The red team identifies weaknesses through simulated internal attacks, exploiting the weaknesses of the second group, the “blue team”, which tests security and protects client data, R&D reports, control codes and technical specifications. “Ethical” hackers, on the other hand, look for security gaps in large companies and government agencies. Intel pays such hackers a fee for identifying vulnerabilities in the company’s products, which helps the company disclose and address real risks. The Coinbase cryptocurrency exchange works with a vulnerability reward platform and attracts the most effective “ethical” hackers.
The multi-level security system allows for the timely detection of various suspicious activity in the infrastructure, provides additional protection for user accounts from theft, and protects employee computers from launching malware.
Identify and repel cyberattacks in advance, investigate their causes, and minimize the possible consequences!
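As an added example supporting recommendations 4 and 6 (not from the paper or from CERT-UA), a Python integrity check for an offline backup: a SHA-256 manifest is built while the data is known-good and kept with the backup, and the live copy is later compared against it. Files whose hash changed are also scored with Shannon entropy, since encrypted content sits near 8 bits per byte while documents sit far lower. The file names, the 7.5 threshold and the temporary directory are constructed for the demo.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4 to 5, encrypted or compressed data close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Record a hash for every file under root; store this manifest with the offline backup."""
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def check_against_manifest(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Report missing, changed and unexpected files; flag changed files that look encrypted."""
    findings = {}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.exists():
            findings[rel] = "missing"
        elif sha256_of(p) != expected:
            looks_encrypted = shannon_entropy(p.read_bytes()) >= entropy_threshold
            findings[rel] = "changed, encrypted-looking" if looks_encrypted else "changed"
    for p in root.rglob("*"):
        rel = str(p.relative_to(root))
        if p.is_file() and rel not in manifest:
            findings[rel] = "unexpected new file"
    return findings


def demo() -> dict:
    """Constructed scenario: manifest taken first, then one file overwritten with random bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ledger.txt").write_text("invoice 0042: 1200.00 UAH\n" * 50)
        (root / "notes.txt").write_text("meeting notes, nothing sensitive\n" * 20)
        manifest = build_manifest(root)
        (root / "ledger.txt").write_bytes(os.urandom(4096))  # stands in for an encrypted overwrite
        return check_against_manifest(root, manifest)
```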
Ukraine’s legal steps towards cybersecurity
Cybersecurity experts in most of the world’s leading countries have noted a steady rise in the number and variety of cyber attacks aimed at violating the confidentiality, integrity and availability of state information resources, including those at critical information infrastructure facilities. To counter such threats, in 2017 the Ukrainian parliament adopted a law on the foundations of cybersecurity. The law creates a national system of protection, defining it as “a set of political, social, economic and information relations along with organizational, administrative, technical and technological measures through an integrated approach in close cooperation between the public and private sectors and civil society”.
The document names as objects of cybersecurity constitutional rights, society, the development of the information society, the state, national interests and critical infrastructure. Communication systems and critical infrastructure objects are listed as objects of cyberdefense, and the procedure for forming the list of critical infrastructure objects is to be approved by the Cabinet of Ministers.
This very important document defines the concept of public-private collaboration in the field of cybersecurity, which is carried out, inter alia, through the establishment of a system for the timely detection and neutralization of ransomware attacks; the digital literacy of citizens; the exchange of information between public authorities and the private sector; partnerships and coordination of cyberattack response teams; the attraction of expertise; and the introduction of a mechanism for public scrutiny of the effectiveness of cybersecurity measures.
The law introduces the concept of responsibility not only for cybercrimes, but also for poor protection of information by its owners. This will mainly apply to government agencies, and it is hoped that they will pay more attention to cyber defense. It will also apply to the private sector where a company handles users’ personal data or government information.
The law also provides for Ukraine’s participation in international and European cybersecurity systems, which will improve communication with leading specialists worldwide and raise the level of knowledge of Ukrainian specialists.
The law mentions education not only for specialists but also for average citizens, to raise the general education of the population in cyber protection, so that ordinary users also become more secure.
Cybersecurity is quite expensive, and although the law provides for funding from the state budget, the amount and regularity of that funding are unknown.
What can be said for certain is that this law is quite general and will not lead to any direct action by itself. But the laws and regulations that will be created and implemented on its basis should be much more specific.
In general, the law can be considered the first step in Ukraine’s overall policy towards cybersecurity. Its further development depends entirely on the painstaking work of the specialists who implement systems on the ground.
The world’s first computer took up a whole room. Since its creation, a generation of people and thousands of models have come and gone. Today, a personal computer is a familiar and practically indispensable thing, storing terabytes of personal information and other work data. And hackers have learned how to extract value from such data using cryptographic software.
The topic of our study is quite extensive, but, based on our objectives, we were able to address some aspects of the problem.
A review of the literature on the topic showed that ransomware attacks pose a very high threat because of the attackers’ serious training and profit orientation. Such attacks have clear goals and a specific plan of action, and the attackers use the most modern and effective tools to carry them out. Through a sophisticated attack, attackers gain global administrator rights and full control over the organization’s IT infrastructure. For an organization, this can result in business stoppages, financial losses and reputational risks.
Currently, most ransomware attacks are aimed at stealing or compromising user credentials, which hackers use to spread to other PCs and servers in the organization while collecting further credentials and escalating their privileges.
Back in 1989, with the advent of the first ransomware virus, network security became a rather shaky concept. Over the years, extortionist hackers created new viruses and more and more attacks succeeded. Extortion attacks of all kinds have become a real threat over this long period.
Therefore, in order to create an algorithm of actions and methods that allow you to secure your activities on the network, we investigated this issue and presented that list of actions in the third chapter. Thus, after the work carried out, we can say that today the very concept of cybersecurity has become much broader. Our country is taking steps towards the legal definition of the cyber threat and the legal regulation of this sphere. We cannot overlook hacker attacks of this type, because ransomware attacks are a real threat to the modern world. However, we must realize that by following a simple algorithm, it is certainly possible to protect ourselves from such attacks.