Ransomware

from Wikipedia, the free encyclopedia

Example of a ransom note displayed by ransomware:

Your personal files are encrypted!

Your important files encryption produced on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this.

Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.

This single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files ...

To obtain the private key for this computer, which will automatically decrypt files, you need to pay 300 USD / 300 EUR / similar amount in other currency.

Click Next to select the method of payment.

Any attempt to remove or damage this software will lead to immediate destruction of the private key by server.

Message from CryptoLocker

Ransomware (from the English ransom, a payment demanded for release), also called extortion trojans, extortion software, crypto trojans or encryption trojans, are malicious programs with whose help an intruder can prevent the owner of a computer from accessing data, from using it, or from using the entire computer system. Private data on the victim's computer is encrypted, or access to it is blocked, in order to demand a ransom for decryption or release.

The name combines ransom with the suffix -ware, following the naming scheme used for other kinds of computer programs (software, malware, etc.). According to Kindsight Security, around 123,000 new variants appeared in the second quarter of 2012.

History

The idea goes back to 1989, when the AIDS TROJAN DISK encrypted data via an infected floppy disk. The program claimed that a licence had expired and named a company from which a licence key could be purchased, so the scheme was not immediately recognisable as extortion. Its author, Joseph Popp, was convicted and sentenced to imprisonment, which he could not serve because of a mental illness. He announced that he would donate the extorted money to AIDS research. One of the first ransomware programs to spread over the Internet was the trojan TROJ_PGPCODER.A, which demanded several hundred dollars for decryption.

One case is cited as an example in the 2011 police crime statistics of the state of Saxony-Anhalt: a perpetrator infected 831 computers in that state with extortion software.

Paid and free modular toolkits, so-called crimeware kits, with which ransomware can be built have since appeared in underground forums.

In 2016, the Locky crypto trojan appeared, infecting tens of thousands of PCs, among them those of the Fraunhofer Institute in Bayreuth. In February 2016 the Tesla X3 cryptovirus attacked, among others, computers of the town hall in Rheine. According to the North Rhine-Westphalian State Criminal Police Office, 156 reports of ransomware attacks were filed between December 1, 2015 and February 29, 2016; the number of unreported cases is suspected to be far higher. 113 companies and institutions were affected, including several clinics and the Ministry of the Interior and Local Affairs of the State of North Rhine-Westphalia in Düsseldorf, which suffered an attack in December 2015.

KeRanger, a crypto trojan variant for OS X, was found in March 2016. At the beginning of June 2016, the Fraunhofer Institute for Secure Information Technology announced that smartphones can also be affected by ransomware, especially if they run security apps that themselves contain security gaps; the institute found such gaps in all seven applications it examined as examples and reported them to the respective manufacturers for correction.

In May 2017, WannaCry attacked several large global companies within a very short time; over 230,000 computers in 150 countries were infected. Because of these dimensions, the European Police Office described the outbreak as an unprecedented event. In addition to the usual distribution via e-mail attachments, WannaCry has worm properties and actively tries to infect other computers through security gaps in the operating system, without any user interaction. Systems with the current update status (Microsoft's April patches) were not affected. Certain file and printer sharing services must be exposed for it to spread, which is why WannaCry was able to propagate especially in internal company networks containing computer systems that had in some cases been vulnerable for a long time.

How the malware operates

Ransomware can reach a computer in the same ways as a computer virus, including specially crafted e-mail attachments, the exploitation of security gaps in web browsers, or data services such as Dropbox.

Screenshot of the German version of Locky's ransom note
Screenshot of Goldeneye Ransomware in December 2016

For example, e-mails are sent claiming that an attached ZIP file contains an invoice or a delivery note for ordered goods. It is also sometimes claimed that the Federal Criminal Police Office, the Federal Police, GEMA or Microsoft have detected illegal activity on the computer and have therefore blocked it.

A compromised computer can be blocked in different ways.

Blocking of the system

Simpler and less harmful extortion attempts consist only of a message window that appears at every system start and cannot be closed; the Task Manager is blocked as well. Inexperienced PC users do not know how to end this blockage, so paying the ransom appears to be the only way out, for example by buying a Paysafecard or Ukash voucher. The amount is credited to the extortionist by entering the voucher code of the payment system on the infected PC, from which it is transmitted electronically to the perpetrator. The cryptocurrency Bitcoin is used as another anonymous payment method.

Encryption of documents

Malicious variants of ransomware in particular have a greater potential for damage: they encrypt files on the computer, preferably files that are likely to be very important to the owner and possibly irreplaceable. On Windows systems, ransomware therefore usually starts in the My Documents folder and prefers documents created there with Office applications, as well as e-mails, databases, archives and photos. Without the decryption password, the user no longer has access to this content. In contrast to spyware, no large amounts of data are moved.

To be able to decrypt the data encrypted by the ransomware, the compromised user is asked by the intruder to pay a ransom, in return for which he is supposed to receive decryption software or the required password. Sometimes he is first asked to contact the ransomware operator separately, for example by e-mail to a specific address, by visiting a specific website, or via a form. The criminals often threaten to destroy all data if the police are contacted.

The infected computer can be further manipulated and monitored by the malware; it must therefore not be used for further work, in particular not for anything that requires a password. Transferring the ransom from the affected computer via online banking is to be regarded as gross negligence.

In some cases, the attacker is not even able to decrypt the encrypted files, so they are irrevocably lost unless a backup of the files exists.
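The symptom described above, documents replaced by content with no discernible structure, can be checked for from the defender's side. The following added example (not part of the original article) scans a folder for files whose byte entropy is close to that of ciphertext and for a honeypot "canary" file whose content has changed; the entropy threshold and the canary file name are assumptions, and the sample folder is constructed inline.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

HIGH_ENTROPY = 7.5            # bits per byte; assumed threshold, tune to your data
CANARY_NAME = "~canary.txt"   # hypothetical honeypot file placed in a watched folder
CANARY_TEXT = b"canary file - do not edit; a change indicates tampering\n"


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: roughly 4-5 for text, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_directory(root: str) -> dict:
    """Return files that look encrypted and canary files whose content changed."""
    report = {"high_entropy": [], "canary_tampered": []}
    expected = hashlib.sha256(CANARY_TEXT).hexdigest()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if name == CANARY_NAME:
                if hashlib.sha256(data).hexdigest() != expected:
                    report["canary_tampered"].append(path)
            elif shannon_entropy(data) >= HIGH_ENTROPY:
                report["high_entropy"].append(path)
    return report


def build_sample_dir() -> str:
    """Constructed sample: a plain document, an 'encrypted' copy, an overwritten canary."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    with open(os.path.join(root, "report.txt"), "wb") as fh:
        fh.write(b"Quarterly report: revenue up, costs stable.\n" * 200)
    # Every byte value equally often gives exactly 8.0 bits/byte, like ciphertext.
    with open(os.path.join(root, "report.txt.locked"), "wb") as fh:
        fh.write(bytes(range(256)) * 64)
    with open(os.path.join(root, CANARY_NAME), "wb") as fh:
        fh.write(bytes(range(256)) * 2)  # canary overwritten with junk
    return root


if __name__ == "__main__":
    print(scan_directory(build_sample_dir()))
```

Compressed archives and already-encrypted containers also score near 8.0, so in practice such a scan is a trigger for closer inspection, not proof of infection.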

Protective measures and countermeasures

MELANI, the Swiss Reporting and Analysis Centre for Information Assurance, has published recommendations for private users and companies on its website:

  • Make regular data backups on an external medium that is connected to the computer only during the backup process. If the backup drive remains connected, active ransomware can destroy the backup as well.
  • Keep the operating system up to date and install updates promptly.
  • Be careful with e-mails from unknown senders. Links can lead to websites carrying malware; attached files can contain malware.
  • Install virus protection and update it regularly.
  • Use a firewall.

The German Federal Office for Information Security has published a situation analysis with extensive recommendations on protective measures and countermeasures, as well as recommended behaviour once an incident has occurred. The analysis is aimed at professional users and IT managers in companies, public authorities and other institutions. The No More Ransom website is an initiative of the National High Tech Crime Unit of the Dutch police, Europol's European Cybercrime Centre and two cyber security companies; it aims to explain ransomware to users, to recommend countermeasures that effectively prevent infection, and to help ransomware victims with decryption.

A very effective remedy against encryption trojans would be a versioning file system, which by design only performs write operations on released areas and always keeps an older version of the files on the disk. Problem-free restoration of the previous data is a central feature of such file systems. One example is NILFS, which has been supported under Linux since 2005.

Advice for those affected

The first measure when an infection is detected on a computer is to switch it off immediately and hard (not "shut it down", but disconnect it from the power supply!), even if the ransomware window "forbids" this, so that as many files as possible remain unencrypted. The next steps can then be researched on another, unaffected computer.

Although around a quarter of victims would pay a ransom according to a 2010 survey, the Federal Office for Information Security (BSI) also advises against complying with the demands. Even after paying the ransom, it is not certain that the data will actually be decrypted. Since the victim would also be identified as willing to pay, further demands cannot be ruled out. When paying by credit card, the perpetrator would additionally gain access to further private information. Reporting the incident to the police is advisable.

The malware that was widespread between 2011 and February 2012 blocked access to the data but did not encrypt it. Commercial antivirus programs were able to remove some of these pests; free programs such as Malwarebytes Anti-Malware or Avira were sufficient for this. All cleaning, decryption and other measures are to be carried out from a "clean system", never "from the affected operating system itself".

In some cases, security researchers have managed to crack ransomware and provide decryption tools with which the encrypted data can be recovered. In February 2016, for example, the encryption of TeslaCrypt 2 up to version 2.2.0 was broken. In April 2016 the encryption of the extortion trojan Petya (versions up to December 2016) was cracked; the hack-petya software generated a key with which the data could be decrypted again.

Web links

Wiktionary: Ransomware - explanations of meaning, word origin, synonyms, translations
