Ransomware Viruses: How They Work and How You Can Get Rid of Them

Recently, the Internet was shaken by headlines about the emergence of a new ransomware virus called GandCrab. This malicious software takes over the infected computer in a matter of seconds and displays a message from the hackers demanding a ransom for unlocking the encrypted files. There is no way to recover the data without the help of the hackers.

Such news does not surprise experts in the field of cybersecurity. There are thousands of ransomware viruses in the wild, and GandCrab is just one more example of such malware.

Extortion programs first became known in the late 1980s, when the AIDS virus appeared. The virus hid directories, encrypted files, and demanded $200 for a “license renewal.”

The biggest ransomware virus to date is CryptoLocker. It has infected more than a quarter of a million computers all over the world since 2013. In May 2017, another cryptovirus called WannaCry attacked 200K computers in 150 countries around the world. The damage was estimated at $1 billion. However, experts say that such cases have not taught anyone to make regular backup copies of their data.

Antivirus labs find thousands of different modifications of encryption viruses every day. According to Positive Technologies, last year the average share of ransomware infections rose to 12% of all computer viruses.

 

Cybercriminal evolution

Cyberextortion is actively developing around the world. This growing popularity is indirectly confirmed by researchers who study DarkNet trends. According to the latest studies, 12% of all ads that circulate on the DarkNet offer ransomware toolkits for sale. The average price of such a kit is only $270. Some advanced kits cost around $3K, and a few are even more expensive. In addition, DarkNet sellers offer stolen accounts for various servers, login details, passwords, and so on. Often, criminals buy these databases, work through the accounts one by one, encrypt everything they can reach, and then see who will pay.

The black market of “dark services” is constantly being refined, as criminals seek to increase their income. Recently, a special “affiliate program” run by ransomware developers began to spread on some DarkNet forums. In this scheme, the seller sends the buyer a personalized ransomware file and a link to a web portal. This portal displays statistics about infected machines and payments made. The buyer's only task is to spread the Trojan. When a victim pays the ransom, the seller transfers the payment to the distributor minus the seller's own share. This is how GandCrab, Princess, Tantalus, Aleta, Rapid, Lovecraft, Sphinx, Onyonlock and other ransomware infections get distributed. The GandCrab ransomware virus, which was widely distributed, brought its creators more than $700,000.

The standard infection scheme for a ransomware virus looks like this: users receive a spam email message, click on it, and open the attached files.

Experts note that ransomware has recently undergone a qualitative shift. Encryption viruses have begun to use asymmetric encryption, for example the RSA algorithm, which cannot be cracked.

Experts explain that with a symmetric encryption method, the secret key can be found in the malware's code. An asymmetric encryption algorithm involves the creation of two keys, a public one and a private one. The first is known to everyone, while only the hackers have the second, which is needed for decryption. And if it is impossible to decrypt the files, then the victims will have to pay, won't they?
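The contrast drawn in the two paragraphs above is easier to see in code. The following Python is an added example written for this article, not code from the original, and everything in it is constructed: a SHA-256 counter keystream stands in for the file cipher, and RSA uses textbook arithmetic on the primes 61 and 53, which are far too small for any real use. It models the analyst's side of the problem, building a free decryptor from a captured sample, which is what portals such as NoMoreRansom.org distribute: when a fixed key sits inside the sample, recovery works; when only a public key sits inside the sample, the analyst is reduced to searching the session-key space, which succeeds for the toy modulus and is infeasible at real key sizes.

```python
"""Toy model of two ransomware key-management designs (constructed example).

A SHA-256 counter keystream stands in for the file cipher, and RSA is the
textbook version on tiny primes. The point is the analyst's view: a key that
ships inside the sample can be pulled out and turned into a free decryptor;
a public key that ships inside the sample cannot, because decryption needs
the private exponent that never leaves the operator.
"""
import hashlib
import secrets


def _keystream(key: bytes, length: int) -> bytes:
    """Constructed stream cipher: SHA-256(key || counter) blocks, truncated."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def rsa_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA from two primes (toy sizes only). Returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; needs Python 3.8+
    return (n, e), (n, d)


def rsa_apply(key, m: int) -> int:
    """Raw RSA exponentiation: m ** exponent mod n."""
    n, exponent = key
    return pow(m, exponent, n)


# ---- Design 1: a fixed symmetric key is compiled into the sample ----------
EMBEDDED_KEY = b"static-key-in-binary"  # constructed value


def design1_seal(plaintext: bytes) -> bytes:
    """Symmetric design: every victim's data is sealed under the same key."""
    return xor_crypt(EMBEDDED_KEY, plaintext)


def analyst_recover_design1(ciphertext: bytes, key_from_sample: bytes) -> bytes:
    """Reverse engineering yields the key, so a free decryptor is possible."""
    return xor_crypt(key_from_sample, ciphertext)


# ---- Design 2: only the public key ships; a per-victim session key is wrapped --
def design2_seal(plaintext: bytes, public_key):
    """Asymmetric design: random session key, wrapped under the public key."""
    n, _ = public_key
    session_key = secrets.randbelow(n - 2) + 2  # 2 <= k < n, so RSA is invertible
    ciphertext = xor_crypt(session_key.to_bytes(2, "big"), plaintext)  # n < 2**16
    wrapped_key = rsa_apply(public_key, session_key)  # only d can unwrap this
    return ciphertext, wrapped_key


def holder_recover_design2(ciphertext: bytes, wrapped_key: int, private_key) -> bytes:
    """Only the private-key holder can unwrap the session key and decrypt."""
    session_key = rsa_apply(private_key, wrapped_key)
    return xor_crypt(session_key.to_bytes(2, "big"), ciphertext)


def analyst_recover_design2(ciphertext: bytes, wrapped_key: int, public_key, search_limit: int):
    """With only (n, e) the analyst can do no better than search the session-key
    space. That finishes for this toy modulus and never finishes at 2048-bit n,
    which is why the key size, not the algorithm's name, decides the outcome."""
    n, _ = public_key
    for candidate in range(2, min(n, search_limit)):
        if rsa_apply(public_key, candidate) == wrapped_key:
            return xor_crypt(candidate.to_bytes(2, "big"), ciphertext)
    return None  # session key not found within the search budget


def search_space_bits(public_key) -> int:
    """Work factor of the exhaustive search above in bits: 12 for this toy
    modulus, 2048 for a real one."""
    return public_key[0].bit_length()
```

The last two functions make the caveat explicit: what protects an asymmetric design is not the word "RSA" but a modulus large enough that the search in `analyst_recover_design2` can never complete, and the practical consequence for victims is the one the article draws, that the data cannot be recovered without the private key and the only reliable recovery path is a backup made before the infection.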

 

Ransom money: to pay or not to pay?

As a rule, the ransom is demanded in Bitcoin. For example, to decrypt files locked by the Petya virus that attacked the world in 2017, the attackers demanded 100 Bitcoins, which at that time amounted to $200K.

Security experts always say that ransomware authors should never be paid, as this means sponsoring their “creative” activities. Even if you do pay, there is no guarantee of getting your data back. Here are the most common scenarios:

  • Criminals can raise the ransom price.
  • Criminals may simply disappear and never get in touch with you after the payment.
  • Criminals may leave another hidden Trojan in the system, which allows them to repeat the extortion trick later.
  • It often happens that after the money is transferred, the hackers send a decryption program that does not work. This happens precisely because hackers do not invest in developing decryption tools; there is no profit in it.

According to IBM research, up to 70% of surveyed American companies paid the ransom to recover their data.

There are ways to avoid paying the ransom. If the infection has already happened, you should first try to find the necessary decryption tool on the free portal NoMoreRansom.org, which was created for this purpose by several governments and big security companies.

Victims will find many offers from different IT companies promising to decipher the data and remove the virus. But these are simply intermediaries who contact the cybercriminals and bargain with them for a large discount. As a result, the victim pays not 100% but 80% of the ransom amount.

Here are some recommendations on how to stay safe and prevent cyberextortion caused by ransomware viruses:

  • Download software only from trusted sources and always keep it up to date.
  • Do not open suspicious email attachments.
  • Do not click on dubious links, even if they are sent to you by friends.
  • Use reliable security software.
  • Use complex passwords for all accounts.
  • Make regular backup copies of important data.