David Maimon

Cyber Criminologist

August 1, 2016

Ransomware: What Is It and How to Reduce the Risk of Infection?

Although most computer users in the U.S. and around the world are familiar with the risks associated with malicious software (i.e. viruses, worms and Trojans), relatively few users are aware of the hazards of ransomware and its potential consequences for an attacked computer system and its users. Since several scholars believe that a new campaign of ransomware is just around the corner, it is important that clients of Internet Service Providers be familiar with this type of cyber attack, and apply extra caution when opening unfamiliar emails, browsing suspicious websites, and downloading software, music and movies from peer-to-peer websites.

What is Ransomware?

Ransomware is malicious software that is designed to hijack a computer user's files, encrypt them, and then demand a ransom payment in exchange for the decryption key (Luo and Liao 2007). The prevalence of ransomware campaigns has increased significantly during the last 5 years (Kharraz et al 2015). Initiators of ransomware campaigns plan the execution of their ransomware carefully, and use various techniques to get their malware onto a victim's computer. Specifically, malicious advertisements, spam emails, and botnets are commonly employed by ransomware initiators in an effort to propagate their attacks (Savage et al 2015). However, alongside the ransomware initiators' own efforts to employ these methods, ransomware affiliates provide services to those initiators who wish to carry out these attacks (Kharraz et al 2015). Importantly, the affiliates do not need the technical skills to create a ransomware or to maintain and run the operation; all they are required to do is to spread the ransomware as widely as they can. In return for their service, the affiliates are offered a cut of the profit from each infection they were responsible for. In some cases, ransomware initiators offer affiliates access to the ransomware control panel in exchange for an access fee (around US$300) (Savage et al 2015).

Once it has infected a target computer, the ransomware encrypts the files hosted on that computer, and then displays a message to the legitimate user demanding payment of the ransom if the victim wants to restore access to the encrypted files. Since ransomware scammers try to disguise their identity and avoid detection by law enforcement agencies, the ransomware asks victims to send the ransom money using money wire transfers, payment voucher systems or cryptocurrencies like Bitcoin (the majority of new ransomware threats require victims to use Bitcoin transactions as the method of payment). When payment is received on the offender's end, the server on which the decrypter is hosted sends the key to the victim and allows access to the encrypted files again.

From that point on, ransomware offenders try to launder the ransom money in order to avoid detection by law enforcement agencies. How the money is laundered depends on the victims' method of payment: if the offender chooses to receive ransom payments in the form of payment vouchers, he will use online betting and casino sites that accept voucher codes as payment to launder the money. Once laundered through these sites, the money can be cashed out onto prepaid debit cards and withdrawn from ATMs in different locations around the world. In contrast, if ransom payments are made in Bitcoin, Bitcoin laundering services (also known as Bitcoin mixers) are used to mix Bitcoins from legitimate and illegitimate sources. By the time the Bitcoins are cashed out on a Bitcoin exchange, it is difficult to differentiate between legitimate and illegitimate Bitcoin transactions.

How to Reduce the Risk of Infection?

In general, increased awareness among computer and Internet users can reduce the risk of ransomware infection on your private computer or your company network. The following tips should be useful in protecting your computer from ransomware:

a. Make sure you have anti-virus and anti-spyware software installed on your computer.

b. Do not download anything in response to a warning banner you receive from an Internet website you visit or from a program you did not install on your computer.

c. Always keep the software and applications on your computer up-to-date.

d. Make sure that the pop-up blocker in your Internet browser is always enabled.

e. Do not disable your firewall.

f. Don't open email from people you don't know, and be sure that you can verify the source before opening attachments or clicking links in any email, IM, or post on social networks.

g. Make sure that all computer users in your organization are familiar with these security awareness practices.

While there are no guarantees that applying these tactics will completely prevent your computers from getting infected by ransomware, awareness of this type of attack and an understanding of some of the ways to prevent it reduce your risk of falling victim to this type of cyber crime.

References

Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., & Kirda, E. (2015). Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 3-24). Springer International Publishing.

Luo, X., & Liao, Q. (2007). Awareness Education as the Key to Ransomware Prevention. Information Systems Security, 16(4), 195-202.

Savage, K., Cogan, P., & Lau, H. (2015). The Evolution of Ransomware. Symantec. Available at: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf

July 1, 2016

Sharing is Caring

David Maimon and Eric Chapman

In October of 2010, the Securities and Exchange Commission issued detailed guidance for publicly traded companies regarding their obligation to disclose information related to their cybercrime victimization incidents. The stated goal of the guidance is to give investors the opportunity to consider the risks associated with investing their money in the relevant company. Unfortunately, though, it is often reported that major U.S. companies choose to ignore the guidance and do not report their digital security breaches to the public. Related to this, numerous public and private companies are uncomfortable with sharing their cybercrime victimization experiences with cyber security professionals and scholars. The rationale behind concealing this information is embedded in companies' fear that admitting to digital breaches will scare away potential investors and current customers.

By keeping this valuable information to themselves, companies and governmental agencies exacerbate the magnitude of cybercrime and expose themselves to future attacks on their systems. Moreover, by preventing scientific analysis of this valuable information, public and private companies sabotage experts' efforts to generate a comprehensive understanding of cybercrime. Indeed, a few public companies do make cybercrime attack data available to the public, allowing analysis of a small portion of their cybercrime victimization incidents. However, even when allowing access to their records, companies insist that these data be analyzed and observed out of context. Specifically, the information provided by these companies is given without any mention of the timing and patterns of the attacks, or of the type of activities network users were involved in at the time of the attacks. This approach makes the task of studying cybercrime and security breaches extremely difficult and inefficient, since while it may promote the development of technical knowledge, it prevents the accumulation of scientific understanding of the social predictors of this phenomenon.

This is probably the place to remind readers that despite its heavy reliance on technical tools, cybercrime is still a human phenomenon! Indeed, computers and electronic systems (for instance botnets) are employed for hacking, spamming and web defacement (among other things). However, in all cases, human players (including hackers, innocent network users and information-technology managers) bear some responsibility for the success of this crime. Thus, in parallel to the work of criminologists who analyze crime incidents and data in specific social contexts (schools, neighborhoods), any investigation and analysis of cybercrime data should take place within the context of the victims' social environment and e. The fact that we still do not know much about cyber criminals and victims is directly tied to the resistance of companies (both publicly and privately owned) and governmental agencies to reporting digital security breaches and allowing access to their records (as they would in any other crime incident against them or their employees).

We encourage public and private companies as well as governmental agencies to support cybercrime prevention efforts by reporting data breaches and allowing cyber-security experts access to this valuable information. We believe that nowadays everyone, including investors, customers and boards of trustees, understands the importance of studying cybercrime and the risks associated with failing to do so (much as policy makers and social scientists 100 years ago understood that it was crucial to compile data on the demographic and social characteristics of neighborhoods in order to allow a comprehensive understanding of the underlying causes of crime).

In order to generate a better understanding of this problem, something needs to change. Sharing is caring!