
What is Ransomware?

Ahn Hye-won, Senior Reporter
- 5 min read -

Recently, ransomware has become an increasingly serious problem. Suddenly one can no longer access the computer system, or cannot open stored photos, document files, and so on. It began to become widely known in 2005 and has been growing rapidly worldwide since 2013. So, what is this ransomware?

Ransomware is a compound of 'ransom' and 'ware': it takes computer users' documents hostage and demands money for them. In other words, it is a malicious program that infiltrates users' computers, prevents them from saving or retrieving documents, spreadsheets and graphic files, and requires them to send money for decryption. Even if the malicious code is removed by an antivirus (vaccine) program, the encrypted files are not restored to normal. For this reason it is called the 'worst malicious code.' Hackers demand money in exchange for unlocking the files, threatening to raise the amount and to leave the files unrecoverable once the deadline expires.

Infection routes include e-mails, messages, advertisements, and so on, and ransomware comes in many varieties. The reason ransomware attacks have spread so quickly is the Internet. Unlike conventional ransomware, "WannaCry" can infect a computer that is merely connected to the Internet, without the user opening any executable file. In other words, one infected computer automatically infects other computers over the network. WannaCry, which spread sharply between May 12 and 13, infected more than 120,000 computers worldwide. According to the European Union police agency Europol, 200,000 cases of damage were recorded in 150 countries. It is difficult to list all the damage by country; victims include 48 institutions of the National Health Service (NHS), the Spanish telecommunications company Telefonica, the American shipping company FedEx, Russia's Ministry of Internal Affairs, Nissan of Japan, a Renault factory in France, the German national rail company Deutsche Bahn, the China National Petroleum Corporation (CNPC), and hospitals in Indonesia and Japan. People in Korea have also suffered from the ransomware that spread around the world.

In Korea, fifty CGV multiplex theaters were attacked and could not run their normal advertisements, so emergency evacuation videos were not shown either. Also, on May 20, the TOEFL test was cancelled because WannaCry infected the test center PCs in real time. The Educational Testing Service (ETS) said, "The TOEFL test was cancelled due to the ransomware attack on the TOEFL," adding, "Please call the test certificate agency again next week." Although the damage in Korea is almost negligible compared with that abroad, companies often fail to report the problem because they worry about damage to their image. Government authorities and the security industry therefore expect the actual number of damage cases to be far larger than the number reported. Under Article 48, Clause 3 of the Information and Communication Services Act, telecommunication service providers and telecommunication information service operators must report the incident to the Communications Commission or to KISA (Korea Internet & Security Agency) immediately after it occurs, so companies should not hesitate to report a virus or hacking attack. Although the ransomware issue is gradually fading from view, it is still too early to dismiss it. The kill switch that stopped the spread of WannaCry has been found, but 280 kinds of variant ransomware have emerged so far. Soon afterwards, variants that bypass the kill switch also appeared; one of them keeps changing the domain that serves as the kill switch and avoids leaving traces. The global IT security testing agency AV-TEST said on May 15 that 452 WannaCry variants had been confirmed. Variant ransomware is likely to change its code, bypass detection by existing security solutions such as antivirus, and infect computers. Therefore, additional efforts are needed to further enhance security.

Which ransomware is causing us serious damage? First, there is WannaCry. WannaCry hacks the Microsoft Windows operating system and demands Bitcoin (virtual currency) worth $500 to $600 million, set according to how important the files are judged to be, in exchange for recovering them. Its characteristic is that it is difficult to recover data without paying the hackers, because it infects almost every file and picture. The background of WannaCry is still unknown. Early in the WannaCry outbreak, a hacker group called 'Shadow Brokers,' which claimed to have stolen hacking tools developed by the U.S. National Security Agency in 2016, was concluded to be the most likely source. However, from May 15, security companies also considered the possibility that North Korea was involved in the attack. Second is Cerber ransomware. Its name comes from Cerberus, the dog that guards the gate of hell. It started spreading in March 2016, and its distinguishing feature is that it notifies the user of the encryption in the form of speech. Recently it has been the most damaging ransomware; it is often distributed through websites and encrypts various data files. In most cases it demands Bitcoin, and it currently accounts for more than 70% of all ransomware in circulation. Third is Locky ransomware. It was named after Norse mythology and circulated from mid-March to January 2017. It is the most common ransomware spread as an e-mail attachment, and it lures users into opening the attached file. It has been inactive since January 2017; however, it is representative of ransomware that demands a large ransom. Lastly, there is Sage ransomware. It began spreading in December 2016, through both e-mails and websites.
Its features are that it changes the file extension to ".sage" and creates a file that tells users what is demanded. It is known as a variant of Crylocker ransomware. It showed a lot of instability in its early stages, but it has become more organized and automated. In particular, it is known to analyze files and ask for varying amounts of money.

It is hard to protect a computer perfectly from all ransomware, so prevention is essential. Let's look at ways to prevent infection. According to the cyber security agency of the National Police Agency, important materials and business files should be backed up regularly, or uploaded to a cloud server. Files attached to e-mails should not be opened hastily, even if they look like simple document files; in particular, an attachment you did not ask for should be checked before it is executed. Be careful not to carelessly tap links in messenger or text messages, or to run files downloaded through torrents. It is also important to install antivirus software and keep it up to date. If your PC is infected with ransomware, external hard drives and shared folders are encrypted as well, so you should disconnect the network cable and the Internet. It is recommended to report any ransomware promptly to the police, then remove the hard disk and ask a reliable professional security firm for treatment.
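As an added example (not code from the article or from any product it mentions), the following Python script turns the Sage indicator described above, the ".sage" extension, into a check you can run over a folder, an external drive or a shared folder, combined with an assumed byte-entropy heuristic for files that look encrypted; the 7.5-bit threshold, the 4096-byte sample and the sample files are assumptions.

```python
import math
import os
import tempfile
from collections import Counter

SAGE_EXTENSION = ".sage"  # suffix the article says Sage gives encrypted files

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits around 4-5, ciphertext approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_tree(root: str, threshold: float = 7.5, sample: int = 4096) -> dict:
    """Walk a folder and flag files that look encrypted: a .sage suffix, or a
    high-entropy header (assumed heuristic; archives and media also trip it)."""
    report = {"total": 0, "sage_ext": 0, "high_entropy": 0, "flagged": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            report["total"] += 1
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            ext_hit = name.lower().endswith(SAGE_EXTENSION)
            ent_hit = len(head) >= 256 and shannon_entropy(head) >= threshold
            report["sage_ext"] += int(ext_hit)
            report["high_entropy"] += int(ent_hit)
            if ext_hit or ent_hit:
                report["flagged"].append(os.path.relpath(path, root))
    return report

def likely_ransomware(report: dict, ratio: float = 0.5) -> bool:
    """Alert on any .sage rename, or when most scanned files look encrypted."""
    if report["total"] == 0:
        return False
    return report["sage_ext"] > 0 or report["high_entropy"] / report["total"] >= ratio

def demo() -> dict:
    """Scan a constructed sample tree: two plain memos plus one Sage-style file."""
    base = tempfile.mkdtemp()
    for name in ("report.txt", "memo.txt"):
        with open(os.path.join(base, name), "w") as fh:
            fh.write("Quarterly numbers, meeting notes, backup reminder.\n" * 20)
    with open(os.path.join(base, "report.docx.sage"), "wb") as fh:
        fh.write(os.urandom(2048))  # random bytes stand in for ciphertext
    return scan_tree(base)
```

Run it against a backup target before restoring from it: a backup that already contains ".sage" files or mostly high-entropy files is not a clean backup.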
