Ransomware is currently one of the fastest growing forms of malicious computer activity. In this post we will try to explain what ransomware is, the variants in circulation, and how you can defend yourself against them.

What is Ransomware?

Ransomware is a form of malware (malicious software) that infects computer systems and usually restricts users' access to the infected systems. Various forms of ransomware have been observed over the years, most of them attempting to obtain money from the victims by way of on-screen alerts.

A typical alert may state that the user has been locked out of their system or their files encrypted, and in order to restore their access, a ransom fee is demanded.

The amount can vary significantly: for a typical home user it is £150-£300, and for a corporate client it can be tens of thousands. In a lot of cases, the decryption key is only supplied once the ransom is received in the form of virtual currency such as Bitcoin, or in iTunes gift cards.

How effective is it?

Attacks are a mix of software and social engineering, and sometimes it is the computer operator who enables the malicious software to be installed. Authors of ransomware inject fear into their victims, which results in users paying a ransom or clicking on further links that can lead to additional malware infections.

On occasions, the user will receive a phone call from someone pretending to be an engineer who then asks the user to access a web page which subsequently installs the ransomware.

Once infected, the computer will present alerts similar to these:

  • “Your computer has been infected with a virus. Click here to resolve the issue.”
  • “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
  • “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

This technique has proven very effective, therefore the practice has become more popular and sophisticated.

Variants

The financial success of these malicious attacks has been a significant factor in the growth of ransomware variants and authors. In 2013, variants such as Cryptorbit and CryptoLocker appeared which not only encrypted the files on the infected device but also the contents of shared or networked drives. These variants are considered the most destructive as they can render users' and organisations' files useless until the ransom fee has been paid.

In 2016 the Locky variant was observed infecting devices belonging to healthcare facilities and hospitals. Locky is known to infect systems through spam emails and malicious email attachments such as Microsoft Office documents or compressed files such as .rar or .zip. These attachments contain JavaScript files or macros (macros can be embedded in Office documents) that download the Locky payload. Other high profile targets include control circuits in power stations and manufacturing plants.

Common variants of ransomware currently in circulation

CryptoLocker

CryptoLocker is usually distributed via spam or exploit kits. Once the malware is run, it installs itself in the Windows User Profiles folder and begins encrypting files across local drives and network shares. It targets files with specific extensions, such as Microsoft Office, OpenDocument, image and AutoCAD files. Once the encryption is complete, an alert is displayed to the user informing them that their files have been encrypted and that a ransom is required before they can be decrypted.

CryptoWall

CryptoWall has evolved over time, making use of public key encryption in ever more robust ways. As with a lot of ransomware variants, it removes the Windows shadow copies of your files to prevent you from restoring them easily. Once the malware is opened, the CryptoWall binary copies itself into the Microsoft temp folder and begins to encrypt files. As with all ransomware, once the encryption has been completed it displays an alert to the user notifying them of the situation.
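The shadow copy removal described above is one of the few ransomware behaviours that leaves an unambiguous trace in process-creation telemetry before any ransom note appears. The following detection logic is an added example (not code from the original post or from any vendor): it parses constructed, simplified Sysmon-style process-creation records (the pipe-separated format, the host names and the parent image paths are all assumptions) and flags shadow copy deletion, raising the severity when the parent process runs from a user's temp folder, the install location the post attributes to several variants.

```python
import re
from dataclasses import dataclass

# Constructed sample events in an assumed "timestamp|host|parent_image|image|command_line"
# layout (modelled loosely on Sysmon Event ID 1). Not real telemetry.
SAMPLE_EVENTS = """\
2016-07-29T09:12:01|WS01|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
2016-07-29T09:13:44|WS01|C:\\Users\\alice\\AppData\\Local\\Temp\\inv0ice.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2016-07-29T09:13:45|WS01|C:\\Users\\alice\\AppData\\Local\\Temp\\inv0ice.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2016-07-29T10:02:10|SRV02|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe List Shadows
"""

# Command lines that destroy Volume Shadow Copies; listing shadows is benign and is not matched.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
]
# Parent binaries launched from a user profile's AppData tree are the riskier case.
USER_APPDATA = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)

@dataclass
class Alert:
    timestamp: str
    host: str
    parent_image: str
    command_line: str
    severity: str

def parse_event(line):
    """Split one record into its fields; return None for malformed lines."""
    fields = line.split("|", 4)
    if len(fields) != 5:
        return None
    return dict(zip(("timestamp", "host", "parent_image", "image", "command_line"), fields))

def detect_shadow_copy_deletion(log_text):
    """Return an Alert for every process-creation record that deletes shadow copies."""
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_event(raw.strip())
        if ev is None:
            continue
        if not any(p.search(ev["command_line"]) for p in SHADOW_DELETE_PATTERNS):
            continue
        severity = "high" if USER_APPDATA.search(ev["parent_image"]) else "medium"
        alerts.append(Alert(ev["timestamp"], ev["host"], ev["parent_image"],
                            ev["command_line"], severity))
    return alerts
```

Backup software and administrators also delete shadow copies legitimately, so the parent-process context is what separates a medium-severity review item from a high-severity alert worth isolating the host over.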

Locky

Locky is a fairly new variant of ransomware, but its approach is similar to others. The malware is spread through spam emails, usually in the form of an email masked as an invoice. When the user opens the file, they notice that the invoice is scrambled and are asked to enable macros in order to display the contents. Once macros are enabled, Locky begins encrypting files using AES encryption. A Bitcoin ransom is demanded once the encryption process is complete.

TeslaCrypt

TeslaCrypt is another new variant of ransomware; once again this variant uses AES encryption to encrypt files. It is commonly distributed through the Angler exploit kit, specifically targeting Adobe vulnerabilities. Once a vulnerability has been exploited, TeslaCrypt installs itself in the Microsoft temp folder. Once TeslaCrypt has achieved its goal, it alerts the user and presents them with various methods to pay the ransom, including Bitcoin and PaySafeCard.

KeRanger

The KeRanger ransomware was only recently discovered, distributed via a popular BitTorrent client. At this point KeRanger is not widely distributed, but it is worth detailing as it is known as the first fully functioning ransomware specifically designed to target Mac OS X.

How is it spread?

There are many ways in which ransomware can find its way onto your device. The most popular is the phishing email, where the user is tricked into downloading an attachment or clicking on a link, which results in the malware/ransomware being planted on the victim's device. Another common method is software packages known as exploit kits. These packages are designed to identify vulnerabilities and exploit them to install ransomware. With this type of attack, hackers install code on legitimate websites that redirects users to a malicious site. Once on the malicious site, the user's browser is compromised with an exploit, dropping the ransomware onto their machine. This is commonly known as a drive-by attack, as it rarely needs any additional action from the end user before it begins infecting the system.

What impact can Ransomware have?

Both home users and businesses have fallen victim to infected systems as a result of ransomware; below are some of the impacts:

  • Disruption to day to day and business critical operations
  • Incurring financial losses in order to restore access to systems and files
  • Temporary or permanent loss of sensitive or personal data
  • Impact on your organisation's reputation

Paying the ransom fee cannot always guarantee you will have your access restored or files decrypted; what it can guarantee is that the individuals behind these malicious attacks will be paid and potentially now have your bank details. In some cases, once the ransom is received the infected files are decrypted, but this does not mean the ransomware itself has been removed from your system, leaving you open to another attack in the future.

If your system is infected with ransomware it is highly possible that you are also infected with some other variant of malware. CryptoLocker typically infects a user once they have clicked on a malicious attachment from an email. This attachment also contains Upatre, a downloader which infects the end user with GameOverZeus. GameOverZeus is a variant of the Zeus Trojan whose intent is to obtain banking information and other sensitive data. Once GameOverZeus has infected a user's system, Upatre then proceeds to download CryptoLocker. The final stage is CryptoLocker encrypting your files and requesting a ransom to decrypt them.

What is the solution to Ransomware?

As it is difficult to decrypt files without the private key used to encrypt them, the most effective solution to a ransomware attack is to recover the data from a backup. In some cases, the ransomware may be poorly constructed, allowing the more advanced user to break the encryption. Users and organisations need to ensure that they back up all of their data, and back it up regularly. As mentioned already, ransomware can find its way into your network shares and infect your files, so it is strongly advised that the backups are stored somewhere secure and off the network.

There are other ways that you can mitigate the risk of becoming a victim of ransomware; a few of these are detailed below:

  • User training - ensure that users are educated about the risks of ransomware and are cautious with any links and attachments they may receive through email communication.
  • Software patches - make sure you always keep your software up to date with the latest patches.
  • Up to date anti-virus - make sure that your anti-virus is always up to date with the latest version of its definitions.

We would not encourage any victims of ransomware to pay the ransom fee; as mentioned, you cannot always guarantee that your files will be decrypted and the malware removed from your device.

If you are infected by ransomware and your backups won't do the job, it is worth looking out for decryption tools to fix your files. Be careful here: there could be malicious software purporting to save the day, but many such tools are hosted by anti-virus companies such as AVG and should be trustworthy. Also note that as AVG and other security companies find ways to break the encryption used by some of these variants, the ransomware authors improve their software so that those tools no longer work. See here for an example.

The profitability of ransomware attacks is attracting more and more hackers into the business. The 2016 Symantec Internet Security Threat Report indicated a 35% growth in crypto-style attacks during the year 2015 and categorised it as an extremely profitable attack.

Ransomware - not the only security threat to demand a ransom

Malware is not the only means attackers use to extort money from their victims: Distributed Denial of Service (DDoS, an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources) attacks have been launched against organisations with ransoms demanded in order for the attacks to cease. Similar to ransomware, alerts are sent to the victim informing them of the attack, in some cases stating that the current attack is only a trial before the full force attack is launched.

Posted by Reece Godfray on 29/07/2016