Ransomware in plain English

Mike Bullock
Published in The Startup · 14 min read · Aug 6, 2019


In the good old days viruses were almost friendly: they very rarely did much harm, were easy to get rid of, and were typically written by bored geeks with no social lives. Today it’s a very different story. Viruses have become a multi-million dollar industry, and they are doing very real harm, not just to our computer systems but, as with the WannaCry virus, to human lives.

I’m a Kiwi, and in New Zealand we have a lot to be proud of: first to climb Mt Everest, first to split the atom, first to win the America’s Cup and defend it, first to give women the vote, and the first to fly (sorry USA, it wasn’t the Wright Brothers). Sadly, in a lesser known first, in 1987 New Zealand was also the home of the first computer virus to achieve mass infection.

Mind you, as with all things Kiwi, it was quite a friendly virus, kind of funny even, and completely harmless. This one just popped up a nice message to say “Your PC is now Stoned! Legalise Marijuana”. Some would say it was well ahead of its time.

Jump forward 30 years and in May 2017, the world was hit with the first real life-threatening virus. The healthcare system in the United Kingdom was brought to a standstill as the virus spread throughout hospitals. Emergency departments were closed, ambulances were not dispatched, and surgeries were cancelled. This was as serious as it gets, and within the space of 48 hours the rate of infection looked almost unstoppable. It would have made a great Hollywood sci-fi thriller, but unfortunately it was real.

So what happened? After 30 years of fighting viruses and almost every computer in the world having some form of virus protection, how did we get it so wrong? Why would someone want to create a virus that put thousands of lives at risk? Why was healthcare so badly impacted? Who were these sick people (excuse the pun) that targeted the healthcare industry and put lives at risk? How can we stop it happening again?

Well let’s take a look at what actually happened, take away some of the media hype, and try to explain all of this in Plain English.

When I started writing this article, after several people suggested ransomware would be a good topic to explain in plain English, I thought it was a waste of time: surely everyone knows what ransomware is, there’s no need to explain it, and it will be fully covered by Wikipedia. Then I looked up the most famous ransomware attack and read this:

WannaCry is the ransomware computer worm that targets computers running Microsoft Windows. Initially, the worm uses the EternalBlue exploit to enter a computer, taking advantage of a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. It installs DoublePulsar, a backdoor implant tool, which then transfers and runs the WannaCry ransomware package. [Wikipedia]

Okay, there’s no way my mum is going to understand that; in fact many IT professionals would struggle to grasp that explanation. So let’s step back a bit and start at the beginning.

Computer Viruses

Most people know what a computer virus is: a bit of software that spreads between computers, usually with malicious intent. Older viruses were typically written by bored hackers who just wanted fame; it was a challenge to create the most famous virus in the world. Sometimes the virus did nothing but spread, sometimes it was simply a nuisance, and sometimes it was malicious and did nasty things like deleting your files.

Viruses are just software, or as we call them today, apps. They can be complex apps, or simple scripts, but they are just software. They don’t create themselves, they can’t spread from a computer to a person, and they aren’t evil. The people that write the software may be evil, but virus software is just software.

Types of Virus

No doubt there’s an official categorization of viruses, but it will be based on the technical details of how they work and spread, which is important to the technicians whose job it is to stop them, but it doesn’t help explain what they do or why they exist. So here are my simple six types of viruses in plain English:

  • Ego Boosters
  • Vandals
  • Thieves
  • Extortionists
  • Leeches
  • Saboteurs

Ego Boosters — Mostly harmless

These are mostly harmless but prolific propagators; they have no purpose other than to make the author famous by spreading as far and wide as possible. Unfortunately, they can often cause unintentional harm as they inadvertently slow down computers, clog networks, and conflict with other applications.

Vandals — Mindless damage, annoying

These cause mindless damage without any real purpose other than simply to cause damage, just like a real-life vandal. They might delete files, corrupt systems, crash systems, or do anything else the author finds amusing at other people’s expense.

Thieves — Stealthy and dangerous

Like the name suggests, they steal files and data. It could be anything from your personal photos, corporate documents, credit card numbers, or passwords. Whatever the author thought might be valuable. In some cases, they can be specifically targeted at a corporation, country, or military. They tend to operate in stealth so they can steal as much as possible without you knowing.

Extortionists — Blackmail and sinister

Unlike the stealth thieves, these viruses make themselves clearly known. They do something that creates a point of leverage over you then ask for money (usually) to go away. Just like blackmail in the real world. They might steal your personal photos and threaten to release them publicly (assuming they have something more interesting in them than snapshots of your dog). The most common variety encrypts your files and data, and then demands money to decrypt it for you.

Leeches — Using your resources for themselves

Like thieves, these ones operate in stealth; they don’t want you to know they are there. They use your computer (or WiFi router, security camera, game console etc) to run an application that requires a huge amount of resources. By spreading to thousands or millions of devices they can use a vast amount of computing power for free. Typically, they run applications that attack a specific computer system (called a Distributed Denial of Service attack — I’ll explain that in a moment) or, more recently, they mine for cryptocurrencies (I’ll explain that too).

Saboteurs — Deliberate, Targeted damage

Cyber-terrorism is the new commercial and military front line. The perfect example of this is the NotPetya attack. This was a targeted attack by a foreign nation (according to the latest thinking) on another nation’s utilities, in particular its electricity grid. What at first appeared to be a profit-oriented ransomware attack was actually poorly disguised destructive sabotage. The authors of the attack had no interest in the ransom; the attack was aimed at disrupting the nation’s utilities. Unfortunately the virus spread beyond its intended victim and had wide-scale impact across the globe.

Ransomware — the Word

What does this have to do with ransomware? Well, firstly let’s clarify the word ransomware. Is it a noun, is it a verb, is it a plane? No, it’s a super-word. Think about Google: it’s a noun, it’s a proper noun, and it’s also a verb (“I googled it”, “Google the answer”, “Let’s google it”).

“Ransomware” has been used in the same way. Originally it was a noun that referred to the virus software used by extortionists. Then it became a noun that referred to the generic use of virus software to extort people, so the act of extortion by virus became known as a “ransomware attack”. Now it’s on the verge of being used as a verb, but not quite, because “I’ve been ransomwared” just sounds ridiculous (mind you, so did “I googled you” a few years ago).

Ransomware is a type of Extortion Virus

Life used to be simple: you got a virus, it did something annoying, you got your resident in-family geek to clean it up, and you were all good. Then the concept of ransomware occurred to someone: what if a virus could be used for financial gain? What if people that had an infected computer could pay the virus author to make the virus go away? That’s quite a viable business model. You could spend hundreds on anti-virus software that would often slow down your computer worse than a virus, and when you got infected anyway because you didn’t renew your anti-virus subscription you then had to pay a technician to fix your computer. Or you could just pay a few dollars to the virus author and have them make it go away. With that, ransomware was born.

In real life people get kidnapped, and to get them back the kidnappers demand a ransom. In the digital world files and data get kidnapped, and to get them back a ransom is demanded. Unlike the real world in which the kidnap victim is physically taken somewhere, in the digital world the files are left where they are, but they are encrypted so that they are useless. That’s much easier than moving a huge amount of data around the internet, just leave it where it is and encrypt it. Then demand a payment from the victim to decrypt the files.

This is what ransomware does, it’s a virus that encrypts files on your computer, and then demands money from you to decrypt the files so you can use them again.

Note — as with all things there are slight variations on this, some ransomware viruses do actually steal the files and move them elsewhere and then demand money to give them back, others copy your files and demand money not to release them publicly (which if they contain sensitive information or embarrassing content would be bad).

Who is behind it?

Ransomware attacks aren’t typically the work of a bored teenager in their mum’s basement. They are the work of organised crime on a large scale. I say typically because the ability to run a ransomware attack is now something that you can purchase from the Internet. Yes, you can buy a Ransomware-as-a-Service attack. So an individual could be the beneficiary of an attack, but they would have a whole team of people behind them providing the service. I’ll talk about Ransomware-as-a-Service more below.

How does Ransomware Work?

Although I’m passionate about focusing on “what does it do?” rather than “how does it work?” there is value in quickly explaining how ransomware works, as understanding it will help you avoid getting attacked.

Step One — Getting Infected

First and foremost, ransomware is a virus, so do everything you’ve been taught to avoid getting a virus (computer virus that is, wearing a woolly scarf and washing your hands won’t help much here). Don’t open strange looking email attachments, don’t stick USB sticks into your computer that you found on the street, don’t download “free” software, and don’t pirate movies and songs. Make sure you have an up to date virus protection application (on Windows 10 the one that comes with it is normally fine, it’s called Windows Defender, just make sure it’s turned on). Make sure you keep your computer software updated by installing patches and updates.

If you do all of that the chances of you getting ransomwared (still sounds silly doesn’t it) are limited.

Step 2 — Encryption

If for some reason your computer does get ransomwared, this is what happens. The virus infects your computer (let’s assume it was from that fake invoice you opened from an unknown person in your email). It then quietly goes about encrypting your files, you probably won’t notice this happening. Once it has encrypted enough files it will announce itself and demand a ransom.
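For readers who want to see the techy side of step 2, here is an added example (not code from the original article) of the kind of check an anti-virus or endpoint tool can run to notice the “quiet” encryption phase before the ransom note appears. It reads a stream of file-write events and raises an alert when several writes inside a short window look like encryption output: near-random bytes (high entropy) or a telltale new file extension. The event stream, the file paths, the extension list and the thresholds are all constructed for this demonstration and are not taken from any real ransomware family or product.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass

# Thresholds and suffixes are assumptions for this demo, not values from any real product.
HIGH_ENTROPY_BITS = 7.0       # bits per byte; ordinary documents sit well below this
BURST_THRESHOLD = 5           # suspicious writes needed inside one window to alert
WINDOW_SECONDS = 60.0
SUSPICIOUS_SUFFIXES = (".locked", ".encrypted", ".crypt")


@dataclass
class WriteEvent:
    ts: float       # seconds since monitoring started
    path: str       # file that was written
    data: bytes     # content that was written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(ev: WriteEvent) -> bool:
    """Heuristic: ciphertext has near-maximal entropy, and many families also rename files."""
    if ev.path.lower().endswith(SUSPICIOUS_SUFFIXES):
        return True
    return shannon_entropy(ev.data) >= HIGH_ENTROPY_BITS


def detect_bursts(events, threshold=BURST_THRESHOLD, window=WINDOW_SECONDS):
    """Return the timestamps at which a trailing window first reaches `threshold`
    suspicious writes. One odd write is normal; a burst is the ransomware signature."""
    suspicious = sorted(ev.ts for ev in events if looks_encrypted(ev))
    alerts = []
    start = 0
    for i, ts in enumerate(suspicious):
        while ts - suspicious[start] > window:   # slide the window forward
            start += 1
        if i - start + 1 == threshold:
            alerts.append(ts)
    return alerts


def _pseudo_random_bytes(seed: str, n: int) -> bytes:
    """Deterministic stand-in for ciphertext (a SHA-256 chain) so the demo is reproducible."""
    out, block = b"", seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample stream: three ordinary document saves, then a burst of rewrites
# that look like encryption output. Paths and timings are invented for the demo.
SAMPLE_TEXT = b"Dear customer, please find attached the invoice for services rendered. " * 60
SAMPLE_EVENTS = [
    WriteEvent(0.0, "C:/Users/mum/Documents/invoice.docx", SAMPLE_TEXT),
    WriteEvent(1.0, "C:/Users/mum/Documents/budget.xlsx", SAMPLE_TEXT),
    WriteEvent(2.0, "C:/Users/mum/Documents/notes.txt", SAMPLE_TEXT),
] + [
    WriteEvent(10.0 + i, f"C:/Users/mum/Documents/file{i}.docx.locked",
               _pseudo_random_bytes(f"file{i}", 4096))
    for i in range(6)
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.ts:5.1f}s  {shannon_entropy(ev.data):4.2f} bits/byte  {ev.path}")
    print("alerts at:", detect_bursts(SAMPLE_EVENTS))
```

Run as written, the three document saves score around 4 bits per byte and raise nothing, while the fifth rewrite in the burst (at 14 seconds) trips the alert. The caveat a practitioner would add: already-compressed files such as photos and zip archives also have high entropy, so entropy alone produces false positives; real products combine it with rename patterns like the suffix check above, decoy files that nothing legitimate should touch, and the reputation of the process doing the writing.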

Step 3 — The Ransom Note

Normally a very obvious message will appear telling you that you have been attacked, and that if you want your files back you must pay money to someone within a set timeframe; if you don’t, your files will be permanently lost. This is where truth becomes stranger than fiction.

Customer Service and Experience is Key

Here’s the strange part: the key to getting people to pay the ransom is to make it the easiest and quickest thing to do. That means getting the customer experience right. If you can just click a button, put in some details, pay a modest amount, and presto, your files are back, then wouldn’t that be much easier than trying to fix it yourself? Yes, but only if it’s obvious what you need to do, only if the process is clear, and only if the system works quickly and smoothly.

This is no different from any other online transaction: a poor customer experience will drive customers away from a shopping site just as quickly as it would drive victims away from paying the ransom.

Most ransomware comes with a service desk; yes, you can call the people that are extorting you and ask for help paying the ransom and unlocking your files. After all, they want to make sure that you give them a good reference. If you get ransomwared and have a good experience paying the ransom and getting your files back quickly and easily, then when someone you know gets ransomwared you’ll be more likely to tell them to just pay the ransom. It’s business, nasty business, but business.

Step 4 — Pay the Ransom

Smart ransomware doesn’t ask for a credit card or bank account. Those things are traceable; it would be like a kidnapper giving you their address so you could post them a cheque. That doesn’t happen: they always ask for unmarked bills in a brown paper bag to be left under a bridge at midnight. In much the same way, ransomware will ask for payment to be made by untraceable electronic currency, usually Bitcoin. You will most likely be given instructions on how to go and purchase some Bitcoin with your credit card, and if you get stuck you can always call the service desk and they’ll help you out. Then you click through the screens, pay the Bitcoin and, all going well, you’ll get the keys to unlock your files.

Step 5 — Unlocking your Files

Some ransomware will do this for you, once you’ve paid the money it will decrypt your files and delete itself. Some will send you another application to run which will decrypt the files, and some will take your money and run. Hopefully as the market matures it will be the first option that becomes the default. But never forget that you are dealing with criminals that are extorting money from you, so trust isn’t something you can count on.

Remember that while it’s doing all this, it’s also spreading. It is a virus, so it’s not going to just sit still while you think about paying the ransom. It is most likely actively spreading from your computer during this entire process.

What should you do if you get Ransomwared?

Sorry, that’s not something I’m going to provide advice on. Ransomware comes in too many shapes and sizes to safely say “if you get attacked do xxxx”. Some attacks may be simple to overcome so you could recover your files without paying the ransom, some could be incredibly complex and sophisticated, in which case you may choose to pay the ransom as the quickest way out. I can’t advise you on that.

The best plan is to not get attacked in the first place. Here are some tips:

  1. Don’t open strange email attachments.
  2. Don’t download pirated software or movies.
  3. Keep your software patched and up to date.
  4. Don’t use unknown USB sticks.
  5. Use protection: Windows Defender is a good start, or buy a dedicated anti-virus application.
  6. Back up your files and keep an off-line copy.
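An off-line backup only saves you if the copy you kept is still intact, and not itself a folder full of scrambled files. As an added example to go with tip 6 (not code from the original article), this Python script records a SHA-256 fingerprint of every file in a backup folder into a manifest, and later compares the folder against that manifest, reporting what changed, went missing or appeared. The folder layout, file names and the simulated damage in demo() are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (by relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, dest: Path) -> None:
    # Keep the manifest with the off-line copy, not on the machine being backed up;
    # otherwise a virus can scramble or delete it along with everything else.
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the folder with a saved manifest. A healthy backup returns three empty lists."""
    current = build_manifest(root)
    return {
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Build a tiny constructed backup, fingerprint it, simulate damage, and re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "photos").mkdir(parents=True)
        (root / "photos" / "dog.jpg").write_bytes(b"constructed stand-in for a photo")
        (root / "tax2019.docx").write_bytes(b"constructed stand-in for a document")
        (root / "notes.txt").write_text("constructed notes")

        manifest_path = Path(tmp) / "manifest.json"   # deliberately outside the backup tree
        save_manifest(build_manifest(root), manifest_path)

        # Simulated damage: one file silently rewritten, one deleted, one unexpected file added.
        (root / "tax2019.docx").write_bytes(b"\x8f\x1c\x00\x42 scrambled contents")
        (root / "notes.txt").unlink()
        (root / "unexpected.bin").write_bytes(b"\x00\x01\x02")

        return verify_backup(root, load_manifest(manifest_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it prints a report naming tax2019.docx as changed, notes.txt as missing and unexpected.bin as added. Checking a backup this way before you restore from it, and before you overwrite an older copy with a newer one, is what turns “I have a backup” into “I have a backup I can trust”.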

Some slightly more Techy Stuff

Hopefully by now you understand what ransomware is: it’s a virus, it’s used to extort money from you, and it usually works by encrypting your files until you pay to have them decrypted. That’s really all you need to know.

If you want to know more about some related topics, here is some other information that I touched upon above and promised to explain:

Ransomware as a Service

A successful ransomware attack requires numerous components, not just the ransomware virus itself. There’s the virus, the servers to host the encryption keys, the service desk for victims to call, the financial transactions to move the Bitcoin around, the self-service software to enable victims to decrypt files, and the team of security experts to hide the entire operation from the authorities. This puts a ransomware attack well beyond the capabilities of your average individual, or even a very talented hacker.

Enter the Ransomware-as-a-Service providers. These now provide a full range of services to people wanting to run a ransomware attack. If you run an organised crime syndicate and want to get into digital exploitation, then it’s just a matter of purchasing some or all of these ransomware capabilities as a service. You can outsource the entire thing and they’ll just send you a commission cheque, or you can just have them provide the virus software and take it from there. In a strange way you have to admire the entrepreneurial aspect of this, despite the fact it’s done for all the wrong reasons and is very much a bad thing.

Unfortunately it’s this level of accessibility that will make ransomware attacks more common, and as ransomware-as-a-service becomes a profitable business model we will see ever increasing sophistication of attacks.

All Devices are Vulnerable

When we think about computer viruses we tend to think about our normal computers, our Windows laptop, our Mac, our office PC etc. We’ve grown up knowing that these should have anti-virus software and we should have passwords set on them, and they shouldn’t be the default password. But viruses are now starting to target other devices that we don’t really expect to be infected. Think about what you might have in your house, a router, a WiFi access point, a game console, a smart TV, maybe even a security camera. All of these things are computers and all of them are targets for attack.

Because we don’t really think about these as being a risk we often leave the passwords as the default. That makes an easy target: a virus can scan the internet for broadband routers that still have the default password, access them, and use them as a platform to launch a DDoS attack or leech for a cryptocurrency.

DDoS (Distributed Denial of Service)

This has nothing to do with ransomware, but as I mentioned it earlier it’s worth explaining briefly. A DDoS attack is where a vast number of computers infected with a virus are used to overload a system. For example, if 10,000,000 infected computers all started trying to do a search on Amazon.com at the same time it could cause outages or performance problems, making it look like Amazon.com was broken. This can get more serious if used to target something that is time critical, such as taking down the tax department at the end of the tax year, or an online election system, or a share market trading platform.

Leeching for Cryptocurrencies

This isn’t something that can be explained in a quick paragraph, but let’s try anyway. Cryptocurrencies are digital money; the most well-known is called Bitcoin. They can be used to buy real things just like real money. To earn cryptocurrency people digitally “mine” for it, which means running complex calculations that consume huge amounts of computing resources. If you tried to do this on your home PC it might take you a whole year to mine one Bitcoin, and apart from the time that takes, the economics don’t work, as your electricity bill from running your PC for a year would cost more than the Bitcoin you earned.

This creates a market where people try to steal computing resources to mine for Bitcoin on other people’s computers. If you could put a virus on 100,000 computers that stole 10% of their computing power, you would have the equivalent of 10,000 computers mining for you, for free. That might produce as much as 10,000 Bitcoins in a year, an amount that is more than sufficient to motivate some nefarious virus writing activity.

Why did the WannaCry ransomware target the UK Healthcare system?

It didn’t. It targeted a bug in Windows software. This bug was fixed by Microsoft a few months prior to the attack, and if you had kept your computer up to date you wouldn’t have been attacked. Unfortunately, public healthcare doesn’t tend to be flush with cash to spend on keeping computer systems up to date; what cash they do have goes to keeping people alive. So it was just coincidence that WannaCry targeted a specific bug, and that the UK healthcare service hadn’t updated their computers to fix the bug. This made them vulnerable and hence they were hit hard.

Summary

To wrap it all up, ransomware is a type of computer virus. It is used to extort money from people. Usually this means the ransomware scrambles (encrypts) your files and asks you to pay money to get them descrambled. Depending on the sophistication of the virus there may be no way to get around this, so the best plan of action is to avoid getting infected, and to have good backups of your files in case you do get infected.
