Understanding Ransomware and Strategies to Defeat it

WHITE PAPER

Table of Contents

Ransomware History
Timeline of Some Noteworthy Ransomware Families
CryptoLocker CopyCats
The World of Digital Currency Payments
Why Ransomware Has Such Strong Growth
Massive Ransomware Growth
Ransomware Authors Appeal to Affiliates
Telemetry Tracks Revenues
From a Few Come Many
Primer: How Ransomware Works
The Latest in Ransomware Tricks
Predictions from McAfee Labs
McAfee Malware Operations
Primer: Ransomware Remediation Strategies

Hollywood Presbyterian employees were forced to move back to paper and transmit information to doctors and others by fax machine while the IT team and outside consultants rushed to restore the network. Eventually, hospital officials decided that “the quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek explained. “In the best interest of restoring normal operations, we did this.”

No one wants to be part of a story like this. What exactly is ransomware? Where did it come from? Why is it so pervasive? How can we help secure our computing resources today?

Ransomware History

It may surprise you to know that ransomware has been around for quite a long time. The first asymmetric ransomware prototypes were developed in the mid-1990s. The idea of using public-key cryptography for computer attacks was introduced by Adam L. Young and Moti Yung in the 1996 Proceedings of the IEEE Symposium on Security and Privacy.
In the abstract, Young and Yung said their prototype was meant to show how cryptography could be “used to mount extortion-based attacks that cause loss of access to information, loss of confidentiality, and information leakage, tasks which cryptography typically prevents.” Young and Yung presented a proof-of-concept cryptovirus for the Apple Macintosh SE/30 using RSA and TEA asymmetric block ciphers.

McAfee® Labs

Held Hostage in Hollywood: In February 2016 the Hollywood Presbyterian Medical Center, in Los Angeles, paid a ransom of about US$17,000 to hackers who infiltrated and disabled its computer network with ransomware. The hospital paid the ransom of 40 Bitcoins (currently worth about $16,664) after a “network infiltration” began on February 5, when employees reported being unable to access the hospital’s network and electronic medical records system. “The malware locked access to certain computer systems and prevented us from sharing communications electronically,” said hospital CEO Allen Stefanek.

“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; If you do not know your enemies but do know yourself, you will win one and lose one; If you do not know your enemies nor yourself, you will be imperiled in every single battle.” —Sun Tzu, The Art of War

What does “asymmetric” mean and why does that matter? The defining characteristic of public-key cryptography is the use of an encryption key by one party to perform either encryption or decryption and the use of another key in the counterpart operation. In symmetric-key algorithms, a single key is used and shared between receiver and sender; the key is “symmetric” because it is the same for both.
The use of multiple keys in asymmetric public-key cryptography allows ransomware to encrypt items on a system with a public key while never exposing the private key, thus keeping it secret. For ransomware, this is essential for “mangling” data files without exposing anything that someone could use to figure out how to undo the encryption.
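The symmetric/asymmetric distinction above, seen from the responder's side, as an added example that is not code from the white paper: a toy model of whether key material that had to be present on a host can undo the encryption. The XOR cipher, the tiny textbook-RSA primes, the sample data and all function names are assumptions constructed for illustration.

```python
"""Toy model: is key material left on a host enough to undo encryption?"""

# Constructed toy values; real RSA moduli are 2048 bits or more.
P, Q, E = 61, 53, 17
SAMPLE = b"patient-record"  # constructed sample data


def rsa_keypair(p, q, e):
    """Return (public, private) textbook-RSA keys as (modulus, exponent)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # d is the inverse of e mod phi


def rsa_apply(key, blocks):
    """Apply one key to a list of integers smaller than the modulus."""
    n, exp = key
    return [pow(b, exp, n) for b in blocks]


def xor_apply(key, data):
    """Toy symmetric cipher: one key, one operation, both directions."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recoverable_from_host(scheme):
    """True if the key that was on the host at encryption time reverses it."""
    if scheme == "symmetric":
        key = b"\x5a\xc3\x19"                    # had to be on the host to encrypt
        locked = xor_apply(key, SAMPLE)
        return xor_apply(key, locked) == SAMPLE  # the same key undoes it
    public, private = rsa_keypair(P, Q, E)       # private key stays with its owner
    blocks = list(SAMPLE)                        # each byte is below n = 3233
    locked = rsa_apply(public, blocks)
    assert rsa_apply(private, locked) == blocks  # only the private key undoes it
    return rsa_apply(public, locked) == blocks   # the host only ever held `public`


if __name__ == "__main__":
    for scheme in ("symmetric", "asymmetric"):
        print(scheme, "recoverable from host key material:",
              recoverable_from_host(scheme))
```

With primes this small the modulus can be factored by hand, which is why the toy is only a model; at real key sizes the public key found on a host gives an analyst nothing to decrypt with.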