This article has been written by Barnali Ghosh pursuing a Remote freelancing and profile building program from Skill Arbitrage.
This article has been edited and published by Shashwat Kaushik.
Introduction
The term “ransom” is not unknown even to the layman. What do you understand by the word “ransom”? In general, it means an amount of money paid to a kidnapper or captor for the release of a captive. This gives a brief idea of what ransomware means in the world of computers. Put simply, ransomware is malware designed by an individual or organisation to gain access to files or documents that are important to their owner. The captor breaks into these files and holds them captive, then demands money (a ransom) in return for releasing them. Paying is, in fact, the easiest and cheapest way to regain access to these files.
Ransomware has grown very quickly at a time when data theft and other malpractices are prevalent. It is an easy route to fast money for perpetrators. Its impact is huge, considering that it can cause pronounced and conspicuous damage to organisations and public service sectors when they are attacked.
Characteristics of ransomware
There are some characteristic features of ransomware that immediately mark it out from the other malware prevalent today. If these features are known, it becomes easier to prevent ransomware attacks, which cause tremendous upheaval in an organisation. Here are some features to look out for.
- Unbreakable encryption- Once a file or document has been attacked by ransomware, you will quickly find that even an expert cannot decrypt it. Once you notice this has happened to your files, you know you have landed in a mess that may involve real damage in terms of lost data and hence lost money.
- Encryption of all types of files- Ransomware does not check which file it attacks. It has the ability to attack all kinds of files, be they documents, videos, pictures, audio or any other type of file on the PC.
- Scramble every file name- If all the file names are scrambled, it is not easy to know which file has been infected. This method is used to mislead the owner of the data and to pressure the victim into paying even more forcefully: the victim does not want every file on the PC to be corrupted or stolen and is thus forced to pay.
- Added extensions to files- The attacker adds different strains of ransomware to each file. This makes rescuing the files from the victim’s end difficult and almost impossible.
- Prior intimation- The malware lets you know that your system has been compromised and your files are held for ransom. This is done with images or messages displayed on the screen.
- Ransom payment in Bitcoins- There is a reason why ransom money is demanded in Bitcoins. Bitcoin transactions are anonymous, which means the identity of the captor is not disclosed. However, it is wise to remember that if the government wants, it can track the corrupt person or organisation, because it has all the information, even with Bitcoins and their transactions. So the captor should not be fooled into thinking their tracks can be totally erased. If matters are escalated to the right level and in the right direction, there is a chance that they get sorted out and the perpetrators apprehended.
- Time-limited ransom payment- The time limit acts as a damper on the victim. Victims are put under tremendous pressure to cough up the money within the deadline, failing which the ransom amount keeps increasing and the data is destroyed and lost forever.
- Complex evasion techniques- Attackers use evasion techniques that are novel and non-traditional, so that victims are totally unaware of the intrusion methods and are therefore unprepared for the event.
- The virus is allowed to spread to other PCs- To create pressure on the victim, the virus is allowed to spread to other PCs across the entire system.
- Data is extracted- The data from the affected computers can easily be extracted by the criminals and sent to another server that is under the total control of the captor. All the important information is extracted and taken away.
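Several of the characteristics above (many files renamed with a new extension in a short burst, plus a ransom note dropped next to them) are observable in file-system audit logs. The following detector is an added example written for this article, not code from the original post; the log format, the constructed sample events, the `.locked` extension and the thresholds are all assumptions to be mapped onto your own EDR or audit data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of file-system audit events (not from any real incident):
# "<ISO timestamp> <event> <path> [-> <new path>]"
SAMPLE_LOG = """\
2024-03-01T08:55:10 RENAME /share/hr/report.docx -> /share/hr/report_final.docx
2024-03-01T09:00:01 RENAME /share/finance/q1.xlsx -> /share/finance/q1.xlsx.locked
2024-03-01T09:00:01 RENAME /share/finance/q2.xlsx -> /share/finance/q2.xlsx.locked
2024-03-01T09:00:02 RENAME /share/finance/budget.pdf -> /share/finance/budget.pdf.locked
2024-03-01T09:00:02 RENAME /share/hr/payroll.csv -> /share/hr/payroll.csv.locked
2024-03-01T09:00:03 RENAME /share/legal/nda.docx -> /share/legal/nda.docx.locked
2024-03-01T09:00:04 CREATE /share/finance/HOW_TO_DECRYPT_FILES.txt
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z]+) (?P<path>\S+)(?: -> (?P<new>\S+))?$")
# Ransom-note-like names: instructions to "decrypt"/"restore" in a text or HTML file.
NOTE_RE = re.compile(r"(readme|how_to|decrypt|restore|recover).*\.(txt|html|hta)$", re.I)
BURST_WINDOW_S = 10   # seconds; tune to the host's normal rename rate (assumed value)
BURST_THRESHOLD = 5   # renames to one new extension inside the window (assumed value)

def parse_events(log_text):
    """Parse log lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def extension(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def detect(log_text):
    """Alert on (a) bursts of renames that change the extension, (b) ransom-note creation."""
    alerts, reported = [], set()
    recent = defaultdict(deque)   # new extension -> timestamps of recent renames
    for ev in parse_events(log_text):
        if ev["event"] == "RENAME" and ev["new"]:
            new_ext = extension(ev["new"])
            if new_ext and new_ext != extension(ev["path"]):   # extension added or changed
                window = recent[new_ext]
                window.append(ev["ts"])
                while (ev["ts"] - window[0]).total_seconds() > BURST_WINDOW_S:
                    window.popleft()   # drop renames older than the sliding window
                if len(window) >= BURST_THRESHOLD and new_ext not in reported:
                    reported.add(new_ext)   # one alert per suspicious extension
                    alerts.append({"kind": "mass_rename", "extension": new_ext,
                                   "count": len(window), "ts": ev["ts"]})
        elif ev["event"] == "CREATE" and NOTE_RE.search(ev["path"].rsplit("/", 1)[-1]):
            alerts.append({"kind": "ransom_note", "path": ev["path"], "ts": ev["ts"]})
    return alerts

def is_ransomware_like(log_text):
    """Both signals together are a much stronger indicator than either alone."""
    kinds = {a["kind"] for a in detect(log_text)}
    return {"mass_rename", "ransom_note"} <= kinds
```

The benign rename in the sample (`report.docx` to `report_final.docx`) keeps its extension and is ignored, so only the `.locked` burst and the note trigger alerts.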
Ransomware intentions and reasons behind them
There are many types of malware, as you already know. Their sole intention is to destroy the files and documents of users. The intention of ransomware, however, is unlike that of other malware: its end objective is the extortion of money from the victim. But why do they do this? We will now walk through some of their motives for extorting money.
- Steal data- The victim should clearly understand that paying the ransom does not make the data safe and secure. The attackers may also steal some of your important data before emptying your pocket and use it however they see fit.
- Sell data- Attackers are not going to keep that data safely in their storage systems. They may also sell some of it for a good sum to the victim’s competitors, thereby earning money both ways. The real gain is the hacker’s.
- Desecration of data- Another evil intention of ransomware is to corrupt the data by altering essential information, thereby causing colossal damage to the victim. This has mostly been the case so far with ransomware.
Other than the above-mentioned factors, there are many other reasons why attackers like to use ransomware. Think of gaining access to the financial details of a business house, getting personal financial details about the victim, extracting personal data that is sensitive by nature, retrieving customer or staff details and hacking into customer bases.
Apart from these, there are some other purposes to which ransomware can be put. It is also used to obtain client details and lists, gain insight into the IT structure and services of the company, get hold of intellectual property, make a social or political agenda known, spy on a competitor’s data and make malicious changes that might have a severe impact on the company.
Methods of delivery
The delivery of ransomware is as sophisticated as it gets today; attackers use the most modern delivery methods. Let us now try to get to the bottom of these methods.
Remote desktop protocol (RDP)
RDP, or remote desktop protocol, is a communication method that allows IT administrators access to a system. Some ports remain exposed, and hackers attack those uncovered ports. They do this by scouring the web, generally by sending requests to port 3389. Once the exposed ports are found, the attackers’ job becomes easy: they log in as administrators with the necessary credentials and get their job done.
Email phishing
Alarm bells start to ring when you learn that approximately 97.25% of phishing emails contain some form of ransomware. It is therefore wise to remember that this is one of the most widely used ways of delivering ransomware. Hackers send emails that look normal, so the receiver suspects nothing and naturally opens ZIP files, Excel, Word or even PDF attachments. No sooner are they opened than the ransomware takes hold, encrypting important files and documents. Sometimes links are sent instead, which redirect the user to malicious URLs that start the attack.
Pirated software
There is a lot of software that users should be careful of. Some of it is infected with adware that has ransomware hidden inside. Certain websites that offer pirated software are poorly secured and carry the risk of drive-by downloads and malvertising. Note also that pirated software does not receive official updates from the original developers, which makes it easy for attackers to go about their job of destroying files and attacking with ransomware.
Removable media
This is another way of pushing malware into a system, by means of removable media such as flash drives and memory sticks. The malware begins its work once the user connects the device to the system. An entire organisation can be infected if the victim is using the organisation’s network. However, if the system has an advanced, modern antivirus, the malware is detected and removed immediately.
Drive-by downloads
This is an extremely effective means of delivering ransomware. The attacker plants the malware on a legitimate website at a point of weakness or vulnerability; once the weak point is identified, the ransomware is hidden within it. It is then activated by directing visitors to that page, through whom the attackers do their malicious work. This can be prevented by doing away with unnecessary browser plugins and blocking advertisements with ad-blockers.
These comprise the most common methods of ransomware delivery by cybercriminals today.
Prevention and mitigation of ransomware
As a user, you know that ransomware always poses a large threat to your system’s security; you should also be aware that there are ways to limit and mitigate it. What are the means by which you can mitigate ransomware attacks? Here, we walk through those mechanisms briefly.
- Backup maintenance- Backup is one of the most important aspects of recovering from a ransomware attack. You will have to adequately protect the backup files and store them offline. This is done so that attackers are out of reach of these coveted files. Cloud service usage is another good way to cushion and dampen the efforts of cybercriminals.
- Port settings- If possible, RDP port 3389 and SMB port 445 should not be left open. If they must be left open, access should be restricted to trusted parties only. All unused RDP ports should be secured and checked from time to time.
- Update systems- The organisation’s entire operating system estate should be updated systematically from time to time. This allows the experts concerned to watch for malware and ransomware, so that no security lapse remains.
- Implement plans and policies- There should be suitable plans and policies that should look after preventive measures and measures to tackle situations in case of ransomware attacks. Notify partners and clients to look out for suspicious emails and notifications. Train employees and all people attached to your company to avoid such untoward instances that can jeopardise the smooth functioning of a company.
- Toughen up security- Security should be beefed up and systems systematically configured. Make sure the configuration settings are hardened and resistant to cyberattacks.
- IDS system- Deploy an intrusion detection system (IDS) that can instantly detect malware. It has the capability to raise alarms when it sees malicious activity in the company’s systems.
With such preventive measures, a company or system can surely mitigate the risk of being attacked by ransomware.
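The port-settings item above (RDP 3389 and SMB 445 reachable only from trusted parties, and checked from time to time) can be turned into a repeatable audit of inbound firewall or security-group rules. The script below is an added example for this article, not code from the original post; the rule records, the trusted networks and the rule names are constructed assumptions, and you would feed it your own exported rules.

```python
import ipaddress

# Ports the article singles out as high-risk when exposed.
RISKY_PORTS = {3389: "RDP", 445: "SMB"}

# Constructed inbound allow-rules (not from any real environment):
# each rule permits TCP to one port from one source CIDR.
SAMPLE_RULES = [
    {"name": "rdp-from-anywhere", "port": 3389, "source": "0.0.0.0/0"},
    {"name": "rdp-from-vpn",      "port": 3389, "source": "10.8.0.0/24"},
    {"name": "rdp-supernet",      "port": 3389, "source": "10.0.0.0/7"},
    {"name": "smb-from-office",   "port": 445,  "source": "192.168.10.0/24"},
    {"name": "smb-from-internet", "port": 445,  "source": "203.0.113.0/24"},
    {"name": "https-public",      "port": 443,  "source": "0.0.0.0/0"},
]

# Networks the organisation trusts to reach RDP/SMB (assumed values).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

def is_trusted(source_cidr, trusted=None):
    """True only if the whole source range lies inside one trusted network.
    A range that merely overlaps a trusted network (e.g. a supernet of it)
    still reaches the port from untrusted addresses, so it is not trusted."""
    trusted = TRUSTED_NETS if trusted is None else trusted
    net = ipaddress.ip_network(source_cidr, strict=False)
    return any(net.subnet_of(t) for t in trusted if t.version == net.version)

def audit_rules(rules, trusted=None):
    """Return the rules that expose RDP or SMB to any source outside the trusted networks."""
    findings = []
    for rule in rules:
        service = RISKY_PORTS.get(rule["port"])
        if service and not is_trusted(rule["source"], trusted):
            findings.append({"rule": rule["name"], "service": service,
                             "port": rule["port"], "source": rule["source"]})
    return findings

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"EXPOSED {f['service']}/{f['port']} from {f['source']} via rule {f['rule']}")
```

Run on a schedule against exported rules, this gives the periodic check the article asks for; HTTPS on 443 is deliberately not flagged because the article's concern is RDP and SMB.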
Legal implications of ransomware attacks
Paying a ransom to the perpetrators of a ransomware attack is not illegal in the US. However, cyber security experts advise against it. Since it is legal under the laws of the land, if you feel your company or valuable data is under severe threat of damage, you can pay without facing legal implications later. It must be remembered, though, that the victim stands a high chance of being held to ransom again. So it is better to take precautionary measures first, which keep attackers at bay in the first place.
Again, as per the advisory of the US Department of the Treasury, a company may face future hassles for giving in to the ransom demands of cybercriminals, so each case must be analysed carefully. Even the FBI recommends not paying. Law enforcement agencies also stand against ransoms; instead, they advise seeking help if such a situation arises.
Legislations to protect against ransomware attacks in India
The Indian government has implemented several laws to protect against ransomware attacks, ensuring the safety and security of individuals and organisations. These laws provide a comprehensive framework to combat ransomware threats effectively. Let’s delve into the details of each legislation:
Information Technology Act, 2000 (IT Act)
The IT Act serves as the primary legislation governing cybercrimes in India. Section 66F of the IT Act specifically addresses the offence of “computer-related extortion,” which includes ransomware attacks. It defines ransomware as malicious software that encrypts data or locks the system of a victim and demands a ransom for its release. The punishment for ransomware attacks under the IT Act ranges from imprisonment for a term of three years to seven years and a fine of up to Rs. 1 crore.
The Indian Penal Code (IPC)
The Indian Penal Code (IPC), a comprehensive legal framework governing criminal offences in India, also encompasses provisions related to ransomware attacks. Here’s how the IPC addresses ransomware:
Section 384 (Extortion)
- Section 384 of the IPC defines extortion as the act of intentionally putting a person in fear of injury in order to induce them to part with property or to do or omit an act.
- In the context of ransomware attacks, where cybercriminals encrypt a victim’s data and demand payment in exchange for the decryption key, the act of extortion is evident.
- Ransomware attackers threaten victims with the loss of access to their critical data unless the ransom is paid, thereby creating a sense of fear and compulsion.
Applicability of Section 384
- The IPC’s Section 384 can be applied in cases where ransomware attackers demand money or other valuable considerations in exchange for unlocking or decrypting the victim’s encrypted data.
- The section encompasses both offline and online forms of extortion, including ransomware attacks carried out through digital means.
Punishment for extortion
- Under Section 384 of the IPC, the punishment for extortion can extend to imprisonment for a term of up to seven years and a fine.
- The severity of the punishment reflects the seriousness of the offence and the potential harm caused to victims of ransomware attacks.
National Policy on Cyber Security, 2013 (NPCS)
The NPCS provides a comprehensive framework for cybersecurity in India, including measures to combat ransomware attacks. It emphasises the importance of preventive measures, such as regular software updates, strong passwords, and network security measures, to minimise the risk of ransomware infections.
Cybersecurity Framework for the Indian Banking Sector, 2018
This framework, issued by the Reserve Bank of India (RBI), provides specific guidelines for banks and financial institutions to protect against cyber threats, including ransomware attacks. It mandates banks to implement robust cybersecurity measures, such as multi-factor authentication, encryption, and regular security audits, to safeguard customer data and financial transactions.
Personal Data Protection Bill, 2019 (PDP Bill)
The PDP Bill, which is currently under consideration by the Indian Parliament, includes provisions related to the protection of personal data from cybercrimes, including ransomware attacks. It requires organisations to implement appropriate security measures to protect personal data from unauthorised access, disclosure, or misuse, including measures to prevent ransomware infections.
Ransomware Task Force (RTF)
The Government of India has established the RTF, which is a specialised unit within the National Cyber Security Coordinator (NCSC) organisation. The RTF serves as a central point of contact for victims of ransomware attacks and provides assistance with investigation, recovery, and prevention efforts.
These laws, along with other cybersecurity initiatives and regulations, provide a comprehensive approach to protecting against ransomware attacks in India. By implementing these measures, individuals, organisations, and government agencies can significantly reduce the risk of ransomware infections and mitigate their impact.
Challenges in implementing the legislations
While these legislations provide a comprehensive framework for protection against ransomware attacks, there are several challenges associated with their implementation. These challenges include:
- Lack of awareness: Many organisations, especially small and medium-sized enterprises (SMEs), lack awareness about the risks of ransomware attacks and the importance of implementing cybersecurity measures. Raising awareness and educating organisations about these issues is crucial for effective implementation of the legislation.
- Resource constraints: SMEs and startups often face resource constraints that make it challenging for them to implement robust cybersecurity measures. Providing financial assistance or access to affordable cybersecurity solutions can help address this issue.
- Evolving nature of ransomware: Ransomware attacks are constantly evolving, with attackers developing new and sophisticated techniques. Keeping up with these evolving threats requires continuous monitoring, threat intelligence sharing, and regular updates to cybersecurity measures.
A few notable ransomware attacks
2021 saw a rise of 144% in ransomware demands. This amounted to more than USD 6 million for victims. You can understand how large this problem is and the urgent need to take precautions against it. Now we will walk through some of the biggest such attacks in history. If you look at the list below, you will see things clearly for yourself:
- WannaCry has net losses of $4 billion.
- TeslaCrypt has net losses that are yet unknown.
- NotPetya has a net loss of $10 billion.
- Sodinokibi had a net loss of $6 million until 2018.
- Colonial Pipeline ransomware attack with a net loss of $4.4 billion.
- Kronos has a net loss that is yet unknown.
- Impressa has a net loss of 50 terabytes of data.
- Costa Rican government with a net loss of $30 million/day.
- Swissport has net losses that are yet unknown.
Conclusion
This list is enough to give you a clear picture of the scenario and of what should be done to prevent such attacks. Having read this far, you are now much more aware of ransomware attacks. The article helps you avoid ransomware by explaining its characteristics, which in turn helps you detect it immediately. Once you know the ill intentions of cybercriminals and their methods of delivery, you will also know how to mitigate them. Anyone who is fully aware of ransomware attacks will by now also know what the legal implications are and what they might lead to.