Ransomware Attack - What I Learned As A Developer

Most of you have received messages on your phone or heard about the latest cyber-attack spreading across the internet under the name "Ransomware Attack" or "WannaCry". So why am I writing this blog and sharing this with you? The goal is to highlight what I learned from this attack and how it can be useful. So what is this ransomware, and how can you be affected by it?

Ransomware

It is a type of malware (malware: a piece of computer code written to do destructive things, such as damaging a PC or mobile device, or to gain unauthorized access to a system or to sensitive information) that encrypts the files on the victim's computer. The only way to decrypt them is to pay a ransom to the hackers and obtain the decryption key, hence the name ransomware.

There are two ways in which ransomware attacks the victim:

  • Encrypting Files
    In this scenario, the files on the victim's computer are encrypted, and the only way to decrypt and access them is to pay the hackers to obtain the key.

  • Locking the Machine
    In this scenario, the victim's operating system is locked, making it impossible to reach the desktop or any files on the system. This is more dangerous, because the malware hits the Master Boot Record (MBR), the section of a PC's hard drive that enables the operating system to boot.

Technical Implementation of Ransomware

Ransomware is built around the following algorithm/use cases:

  • It should be capable of encrypting any type of file.
  • Its encryption should be impossible to break.
  • It should scramble the affected file names so that the victim is confused about which files were hit.
  • It should change the file extension so that the original file can no longer be traced.
  • It should display a message for the ransom on the victim’s computer.
  • It should accept the ransom only in Bitcoin.
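The same traits (whole files overwritten with ciphertext, names scrambled, extensions changed in bulk) are exactly what a defender can watch for. As an added example that is not part of the original post, this Python sketch runs a simple heuristic over constructed file-activity events: a write counts as suspicious when it renames the file to a new extension and the bytes written have near-maximal Shannon entropy, and a burst of such events inside a short window is flagged. The event format, the paths and the `.locked` extension are all made up for the demo.

```python
import math
from collections import Counter, deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or compressed data, far lower for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def extension_changed(old_path: str, new_path: str) -> bool:
    """True when a rename swaps the file extension (case-insensitive)."""
    return old_path.rsplit(".", 1)[-1].lower() != new_path.rsplit(".", 1)[-1].lower()

def detect_ransomware_bursts(events, window_s=10.0, min_hits=5, entropy_min=7.0):
    """events: dicts {"t": seconds, "path": str, "new_path": str|None, "data": bytes|None}.
    Suspicious = renamed to a new extension AND wrote high-entropy bytes; a burst is
    min_hits suspicious events within window_s. Returns [(start, end, [paths]), ...]."""
    suspicious = []
    for ev in sorted(events, key=lambda e: e["t"]):
        new_path, data = ev.get("new_path"), ev.get("data") or b""
        if new_path and extension_changed(ev["path"], new_path) and shannon_entropy(data) >= entropy_min:
            suspicious.append((ev["t"], ev["path"]))
    bursts, window = [], deque()
    for t, path in suspicious:
        window.append((t, path))
        while t - window[0][0] > window_s:  # discard events older than the window
            window.popleft()
        if len(window) >= min_hits:
            bursts.append((window[0][0], t, [p for _, p in window]))
    return bursts

def build_sample_events():
    """Constructed events for the demo, not a capture from a real infection."""
    ciphertext = bytes(range(256)) * 16  # uniform bytes stand in for encrypted output (entropy 8.0)
    benign = [  # a normal in-place edit and a normal rename to .bak (plain-text content, so no hit)
        {"t": 0.0, "path": "C:/Users/doc/report.docx", "new_path": None, "data": b"Quarterly notes " * 64},
        {"t": 3.0, "path": "C:/Users/doc/old.txt", "new_path": "C:/Users/doc/old.bak", "data": b"plain text " * 50},
    ]
    burst = [  # six files rewritten as ciphertext and renamed to a made-up ".locked" extension in 3 s
        {"t": 100.0 + i * 0.5, "path": f"C:/Users/doc/file{i}.xlsx",
         "new_path": f"C:/Users/doc/file{i}.xlsx.locked", "data": ciphertext}
        for i in range(6)
    ]
    return benign, burst

if __name__ == "__main__":
    benign, burst = build_sample_events()
    for start, end, paths in detect_ransomware_bursts(benign + burst):
        print(f"ransomware-like burst {start:.1f}s-{end:.1f}s: {len(paths)} files, e.g. {paths[0]}")
```

The entropy gate is what keeps an ordinary rename to `.bak` from firing; the window and threshold would be tuned per host, since backup and archiving jobs also produce high-entropy writes.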

Why Ransomware is Successful

  1. As soon as the ransomware hits the victim's computer, a clock starts with a very short deadline to deposit the ransom and get the decryption key. This tick-tock puts psychological pressure on the victim and pushes them to pay.

  2. The ransom is collected only in the form of bitcoin. Bitcoin, in simple terms, is a virtual currency independent of any central or government bank. This makes the ransomware more effective and makes the payments difficult to trace back to their source.

  3. As encryption algorithms have evolved, ransomware is built on more advanced algorithms, which makes it almost impossible to crack.

  4. 70 percent of the victims end up paying the ransom money rather than registering a complaint about it.

What I Learned

The malware is just a piece of code written by someone (intentionally, for illegal purposes), but the effort behind writing this code is phenomenal. Some of the things they did before writing the code:

Research About the End User

They did thorough research on where to target this malware and which categories of users would be affected: what efforts those users would make to disable the malware, and what hurdles would come up during its launch. Moreover, they added a psychological element to the malware to terrify the user. As soon as a user is infected, a message is displayed on the machine about the ransomware attack, with a ticking clock to pay the ransom within 5 or 6 days or lose access to the files permanently.

Foolproof Return on Investment (ROI)

This is the more remarkable part. Why? Let's take an example of a victim. A doctor is hit by the malware and suddenly all the files on his system are locked. He cannot access anything. A ransom message is displayed asking him to pay the ransom to obtain the decryption key. The biggest challenge for the hackers here is how to collect the ransom. If they allowed wire transfers or cash, they would be caught soon, as banks and government departments would trace the money back to its source within a day or so. What the hackers did is allow the ransom only in the form of Bitcoin. Bitcoin is independent of any banking organization, and it is difficult to trace the source.

Code Quality

The malware needs to be updated regularly with the latest encryption algorithms, otherwise it is of no use. Within hours, decryption tools come onto the market and push the "kill switch" on the malware. The hackers need to stay ahead of everyone else in their code base and encryption strategies.

Flaws on Destination Machines

One of the major reasons for the effectiveness of this malware is that they found a flaw (Remote Code Execution) in the Windows OS which lets the hackers run this malware without the victim noticing. The only foolproof way to stay protected from this malware is to back up important documents and files and keep them on a hard disk or computer with no internet connectivity.

So, next time I'm developing an application or writing a piece of code, apart from the Unit Testing and Code Coverage scenarios, I'll look into the points above for a successful delivery. BTW, stay safe from this malware and don't open any suspicious attachments. Keep coding!
