Ransomware: Evolution, Mitigation and Prevention

Overview of RansomwareRansomware is malware that locks your computer or prevents you from accessing your data using private key encryption until you pay a ransom. That ransom is usually paid in Bitcoin. Data based extortion has been around since about 2005 but the development of ransom encryption software and Bitcoins have greatly facilitated the scheme (Zetter, 2015).While ransomware attacks on personal computers are the stories that generally make the news, ransomware have also been developed to attack mobile phones by changing the PIN number of the device and then requiring a ransom to obtain the new PIN (Zetter, 2015). Ransomware is big business. The computer security firm Symantec conservatively estimates that ransomware extorts hundreds of millions from victims each year. Symantec also notes that paying the ransom is no guarantee that the decryption key will be provided and, in many cases, it is not (Zetter, 2015).Ransomware can be divided into two basic types. The most common is crypto ransomware, which encrypts files and data. The second type is locker ransomware. This version locks the computer or other device, preventing the victims from using it (Savage, Coogan, & Lau, 2015). Locker ransomware only locks the device; the data stored on the device is typically untouched. As a result, if the malware is removed, the data is untouched. Even if the malware cannot be easily removed, the data can often be recovered by moving the storage device, typically a hard drive, to another functioning computer. This makes locker ransomware much less effective in extorting ransom payments (Savage, Coogan, & Lau, 2015).Crypto ransomware, on the other hand, encrypts the data, so even if the malware is removed from the device or the storage media is moved to another device, the data is not accessible. Typically, crypto ransomware does not target critical system files, enabling the device to continue to function in spite of being infected-after all, the device could be needed to pay the ransom (Savage, Coogan, & Lau, 2015).In late 90's and up until 2005, online payment methods were not so readily available. Victims were instructed to pay ransoms via SMS text messages or by mailing pre-paid cards. Another common payment method was having the victim call a premium rate telephone number that earned money for the attacker (Zetter, 2015).All of these payment methods were risky, since a determined investigator could trace them back to the attacker. Ransomware really took off when in 2008 Bitcoin came into use. Bitcoin is electronic currency that is much harder to trace and thus helped anonymize the transactions. That made it difficult or even impossible to track the attacker by following the payment (Rosenberg, 2015). While Bitcoins have the advantage of being difficult to impossible to trace, they do have risks. The two major risks are massive exchange rate swings and hacking of major Bitcoin exchanges (Savage, 2015).In general, crypto ransomware prefers Bitcoin, while locker ransomware prefers payment voucher systems. That makes sense: the infected computer remains fully functional after a crypto ransomware infection, so the user is free to use the computer to purchase Bitcoins. With locker ransomware, the computer is locked and, therefore, unusable, making the purchase of Bitcoins more difficult. It is therefore easier for the victim to buy payment vouchers locally and enter a payment code (Savage, 2015).Ultimately, the criminals need to convert the ransomware they receive into cash they can spend. The methods used to laundry the ransom depend on the type of ransomware. Locking ransomware, which tend to use payment voucher systems, use online betting services in a variety of legal jurisdictions that accept the voucher codes as payment. The money is then transferred to prepaid debit cards and "money mules" are used to withdraw cash (Savage, Coogan, & Lau, 2015). Payments in Bitcoin can be used directly due to the privacy of cryptocurrency. …