This article is part of the TechXchange: Cybersecurity
What you’ll learn
- Similarities between COVID-19 and ransomware.
- Differences between COVID-19 and ransomware.
- Why common terms can be bad for the discussion.
Lately I’ve been talking with people about the COVID-19 epidemic and ransomware. This has usually been in separate conversations, but I noticed that lots of the terminology and misunderstandings were common, hence this discussion. In particular, the concept of computer viruses arises with the ransomware discussion. There’s also the discussion of bad outcomes from both and their ubiquitous nature these days.
One reason I bring this up is that even those with an interest or background in one of these areas often have misconceptions about the other. Likewise, the amount of misinformation is significant in both cases, which affects how people react to them. This includes their recommendations to others as well as what they do with respect to prevention.
Description
Let’s start by defining COVID-19 and ransomware, as well as discussing the description and differences of biological and computer viruses. Too many people assume that the difference between biological and computer viruses is a matter of the host, which isn’t the case, although there are many similarities.
First, COVID-19 is a biological virus. It’s spread by biological means. It infects via airborne particles and mutates on its own. The infection can be debilitating and it can kill. It’s not owned by anyone.
Ransomware is criminal extortion. The threat is due to a third party holding computer resources as hostage. Control of these resources is normally acquired via computer security attacks that include, but not exclusively, using computer viruses.
I should probably write a “What’s the Difference about Computer and Biological Viruses” article. However, enough versions of that exist on the internet to the point where it would probably be redundant. Still, many people equate these with the only difference being that computer viruses attack computers. So, let’s delve into some of the differences for our discussion here.
A biological virus multiplies and has the possibility of mutating each time. A virus will attack its host even if the host is isolated (this makes more sense when we talk about computer viruses next). A virus normally doesn’t take part in spreading the virus. A biological virus will continue to attack its host until the virus is controlled or eliminated or the host dies.
Ransomware has two main components. Software running on a compromised system(s) and software running on one or more machines controlled by captor/attacker. The attacker may or may not have contact with the software on the compromised systems. Oftentimes, a compromised system can be unlocked using a code provided by the attacker after a ransom is paid. The code is sent via an anonymous email or posted on a public site preventing someone from tracking down the attacker.
Purpose
The COVID-19 virus’ purpose is the same as any biological entity—to thrive even at the expense of its hosts. It doesn’t care about the strife it causes or the publicity it garners. It mutates randomly.
The purpose of ransomware is to cause havoc and to gain power or money. A ransomware attack can target random systems or specific systems depending on how a system is compromised. The attack vectors in a ransomware episode vary, but attackers continue to refine these systematically.
Acquisition
A virus requires a host that already has the virus. The COVID-19 virus is normally spread through airborne particles that contain the virus when people are within a meter of each other without any barriers such as masks. Poor ventilation and large groups of people can increase the spread. It’s possible to try to infect someone, though COVID-19 is more likely to be spread by accident rather than intentionally.
This is where ransomware differs significantly from a biological virus: There are many different attack vectors and attack methods of which a computer virus is only one method. And all of the attacks are engineered by humans. The idea of self-mutation is a science-fiction myth at this time. The term mutation with respect to a computer virus refers to a method of changing or mutating its appearance to prevent detection rather than changing the functionality or operation of the computer virus.
Essentially, a ransomware attack is designed to place some software in a computer system that will in turn cause problems. The attack can be via a computer virus that’s just a program running on a system. The computer virus typically has one or more ways of replicating itself and a payload. The payload is the part that tends to cause damage to a system.
A computer virus uses its connections to try to spread itself to other systems. This can be indirect, such as putting the virus into a word-processing document that’s then delivered to another machine by a USB key.
These days, the delivery mechanism is via the network or internet. It can be done passively, as with the USB key, where the virus is contained in another file. The virus doesn’t spread until the file is opened or executed, depending on the file. A virus also can actively spread usually by copying an infected file to another host. This could be accomplished via a file server, website, or email.
A Trojan Horse computer virus is a variant that tries to appear as another program or it may be an infected version of the actual program. In addition, attackers could use programs designed to find defects in a system or its network connections. Malware is a type of software that’s designed to perform this type of attack. The term zero-day vulnerability refers to a defect that hasn’t been fixed and is unknown to most people, meaning a vulnerability may exist in a program and be unknown to anyone until it “is discovered.”
An attack on a system can be via standalone virus programs or by applications that try to provide a connection from the attacker to a system. This “hole” allows the attacker to run applications and/or manipulate files on the system.
Creating this type of hole is another way to compromise a system. So far, we have talked about computer-to-computer communication, but there’s a human aspect to this type of attack. It’s called a “social engineering” attack, where a person is tricked into providing information to gain access to a system.
Such an attack is usually just a password, although it can more sophisticated. For example, a 2-factor authentication (2FA) scheme could be compromised, with an attacker calling a person and saying that they will receive 2FA token that they should give to the attacker to verify the person’s identity. In this case, the attacker initiated the 2FA transaction and just needs the code to complete it. This typically allows the attacker entry and the ability to lock the person out from their account.
As you can see, the way a biological virus will spread is significantly simpler than for a ransomware attack or even a simple computer virus.
Infection Impact
COVID-19 and ransomware infections can be deadly. However, ransomware is typically associated with money or a ransom.
COVID-19 infections can cause no symptoms, minimal symptoms, long-term symptoms, or even death. The latter is a small fraction of the total population of those infected. However, when the number of infections is large, then the number of deaths is significant. The potential number of people who are susceptible to the virus is essentially the population of the world, which is why we have an epidemic.
If you can image hundreds of different COVID-19 variants or, worse, different deadly viruses, in the wild, then you have the kind of environment we have with ransomware. Luckily, ransomware has a much smaller target. Nonetheless, different types of ransomware attacks take place, which is the problem with ransomware these days. Likewise, the number of targets is growing as we consider billions of IoT devices coming online.
The impact of an infection varies significantly when it comes to ransomware. Some attacks try to capture small amounts of money from a large number of people by taking control of a PC and demanding payment to return control of the system. In this type of attack, the ransomware software encrypts important data on the system and requires the user to obtain a key to unlock and decrypt the data. The key is obtained from the attacker using any number of different mechanisms.
Lately, ransomware attacks are going after bigger payoffs, like the $5 million dollar ransom for the Colonial Pipeline. This type of attack is a bit different, although the ways to gain control are essentially identical. The difference is that a large number of common systems are compromised, often after compromising a controlling system or account. The attacker then encrypts data or puts in place difficult-to-find software that can do things like shut down a pipeline. The number and type of systems may be more diverse compared to human anatomy that COVID-19 needs to attack.
The amount of people affected by a ransomware attack can be greater than a biological virus because of the relations between the various systems involved. An oil pipeline only moves oil for one company, but that eventually flows into many individuals’ cars or homes. A pipeline shutdown affects everyone who must deal with or needs the oil.
While ransomware typically involves money and prevents access to systems, it can have deadly consequences as well depending on what’s related to the ransomed systems. For example, it can have a deadly impact on hospitals. Transportation systems are another. All have many computers involved in their control.
Recovery
Your recovery will vary, assuming you don’t die from catching COVID-19. As noted, some have no symptoms while others do, and long-term recovery is a problem for many. Of course, I hope anyone who has survived an infection recovers fully. Unfortunately, many will continue to have problems related to the infection.
Also, getting a virus shot for COVID-19 is something that can be done after a period of recovery. Getting COVID-19 a second time is a possibility that a shot will help mitigate.
Recovering from a ransomware attack is another matter. Recovery of data or control of a system is usually what’s promised by the attacker. If data was the only thing ransomed, then copying it to a new system after making sure the data isn’t infected can be a good idea. Wiping the infected system may make it usable again if the wipe clears out the attacking software. However, this assumes that problem software can be found and is part of the wiped section. These days, computer virus infections can hide in hard-drive controller software, boot firmware, and other hard-to-clear memories.
Recovering a system when control alone is returned to a user is a more complex problem, since the software that performed the attack is still in place. Eliminating it can be a difficult matter. Wiping the systems will be as problematic as data recovery.
The challenge will be based on the complexity of the systems involved. It can be significant in the case of a hospital or oil pipeline and will depend on the number of subsystems in the mix. Likewise, determining what systems and software need to be replaced can be a major headache, so the cost of a ransomware attack isn’t just the cost of the ransom.
Prevention
A vaccine is the best way to prevent catching a biological virus. A number of COVID-19 vaccines are available. They reduce the possibility of catching the virus and all are effective at preventing serious illness if someone catches the virus. Those who aren’t vaccinated could risk serious illness or death, even though some will have only mild or no symptoms.
The antivirus shots are safe and effective even against the newer “delta variant” that’s proving to be even more contagious than the original virus. It’s also proving deadly in some cases for younger people, including children.
Masks also have proven very effective and masks plus antivirus shots are even more effective. Unfortunately too many are discounting both.
Preventing ransomware attacks is harder than preventing the spread of COVID-19. It’s harder because there are multiple ransomware attacks and they continue to grow. Likewise, the software from the operating system to cloud applications are prone to problems. An attacker only needs a single problem to gain access to a system, but the level of access is key. I used a DOS system in the past that had no security. Current computers have varying levels of hardware and software security. Unfortunately, some of the newest systems implement about as much security that was on the decades-old DOS system.
I always groan when I hear the commercials about how an internet service provider (ISP) is delivering “protection” against ransomware and viruses. It’s true that many of the preventive measures are helpful, but the number of zero-day vulnerabilities is so massive that such as claim is best a selling tool rather than a practical security solution.
The discussion of computer security, security-in-depth, and so on is lengthy and will continue as long as we have computers. Unlike the COVID-19 vaccines, there’s no single vaccine for computers. It takes many different tools and procedures because preventing ransomware attacks actually prevents all of the different possible attacks. This is why security-in-depth is so important, but that’s another story.
I suspect that our regular readers knew most of what I presented here. But if you picked up any new insights, then it was worth the effort.