Ransomware is a type of malicious software that carries out the cryptoviral extortion attack from cryptovirology that blocks access to data until a ransom is paid and displays a message requesting payment to unlock it. Simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse. More advanced malware encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them.The ransomware may also encrypt the computer's Master File Table (MFT) or the entire hard drive.Thus, ransomware is a denial-of-access attack that prevents computer users from accessing files since it is intractable to decrypt the files without the decryption key. Ransomware attacks are typically carried out using a Trojan that has a payload disguised as a legitimate file.
The WanaCrypt0r 2.0 bug, for instance, wants $300 to be paid in Bitcoins to unlock the affected computers. However, paying the ransom is no guarantee for getting the files will be restored and might just open up new attacks.
'WannaCry' has disrupted networks in over 150 countries, including Russia and the UK and is being termed as one of the most widespread cyber attacks in the history.`WannaCry' is infecting computers running the older versions of Microsoft Windows operating systems, locking access to files on the computer. The cyber criminals have demanded a fee of about USD 300 in crypto-currencies like Bitcoin for unlocking the device.
Also Read: Ransomware: RBI asks banks to follow CERT-In instructions on WannaCry attack
Reports suggest that over two lakh systems globally could have been infected by the malicious software.
With global security reports counting India amongst the worst affected countries, public and private agencies have been working overtime to firewall their systems from any possible attack.
Impact of a ransomware attack
Any malware attack can have serious implications in the highly digitised worlds we live in. In the WannaCry attack it is reported that many surgeries had to be put off, x-rays cancelled and ambulances called back. For many years it has been feared than an attack of this nature can bring public utilities or transport systems to a halt. And that is why a lot of stress is being laid on security of these properties across the world. If a service like an urban metro rail is target, you can rest assured that the ransom will be way above $300.
Threat to India
Experts said India is vulnerable as a large number of computers in the country run the Microsoft's older operating systems like XP, and have not been updated yet.
Moreover, with rampant piracy in the country, higher usage of unlicensed software could make the situation worse, they warned.
How to respond to attack
As with other forms of malware, security software might not detect a ransomware payload, or, especially in the case of encrypting payloads, only after encryption is under way or complete, particularly if a new version unknown to the protective software is distributed. If an attack is suspected or detected in its early stages, it takes some time for encryption to take place; immediate removal of the malware (a relatively simple process) before it has completed would stop further damage to data, without salvaging any already lost.
Alternately, new categories of security software, specifically deception technology, can detect ransomware without using a signature-based approach. Deception technology utilizes fake SMB shares which surround real IT assets. These fake SMB data shares deceive ransomware, tie the ransomware up encrypting these false SMB data shares, alert and notify cyber security teams which can then shut down the attack and return the organization to normal operations. There are multiple vendors that support this capability with multiple announcements in 2016.
Security experts have suggested precautionary measures for dealing with ransomware. Using software or other security policies to block known payloads from launching will help to prevent infection, but will not protect against all attacks. Keeping "offline" backups of data stored in locations inaccessible to the infected computer, such as external storage drives, prevents them from being accessed by the ransomware, thus accelerating data restoration.
There are a number of tools intended specifically to decrypt files locked by ransomware, although successful recovery may not be possible. If the same encryption key is used for all files, decryption tools use files for which there are both uncorrupted backups and encrypted copies (a known-plaintext attack in the jargon of cryptanalysis); recovery of the key, if it is possible, may take several days.
