What Is Ransomware?
Ransomware is malicious software that gives an attacker access to an individual's or company's computer, encrypts the data stored on it and then demands some form of payment to decrypt it. This lets attackers hold your data hostage, hence the term "ransom". Victims can regain access to their files only by paying the ransom, or by restoring from a backup that was hopefully not on a network reachable from the compromised computer.
Kaspersky notes in its reports that crypto-malware attacks are impacting individuals and businesses around the world, and that one of the major ransomware families, CryptoLocker, has already affected 234,000 computers worldwide.
How Does An Attacker Deploy Ransomware?
Ransomware requires the deployment and execution of a number of different stages to be able to make a considerable profit:
(1) The attacker uses software that encrypts files with a unique encryption key and then displays a notice telling the owner of the computer to send money (mostly in bitcoin) to obtain the key that will decrypt the files.
So the attacker needs systems to distribute the malware, keep track of the compromised systems, monitor the payments involved, and a process to return the files to their original state. And all of this has to be done without being tracked down by law enforcement or angry victims.
(2) The attacker needs to decide how they will get control of your machine so they can run the above code on it. They do this by choosing a vulnerability to exploit; known Microsoft Word, Adobe Reader or Flash vulnerabilities have all been used. They build a file that exploits the target vulnerability and then apply some serious social engineering: to get someone to open the exploit file, they put it in an email (or on a web site) written to make opening the file seem attractive or urgent to the reader. The exploit files often pose as e-tickets, invoices, 401K notices or FBI notices. This can be the weak link in the crime — often the language, spelling and grammar are wrong and not appropriate to business correspondence. But the writing is getting better as the attackers become more sophisticated.
(3) The attacker then sends out many emails with either the malicious file attached or a link to a site where the file can be downloaded as a drive-by download.
If you are a recipient of such an email, you read it and then decide whether or not you are going to open the attachment or visit the link. This is where you have control of the next phases.
(4) If you open the attachment, and your system is vulnerable to the exploit, you are "owned". However, your system may not be vulnerable: maybe the exploit is designed for Windows and you are running a Mac, so the exploit and file encryption code are not compatible. In some cases, the exploit may ask the reader to make the application less secure so it can take advantage of it. For example, the exploit may use a Word file that asks the reader to enable macros in Word so they can see the full message. If this is done, the exploit code runs with the privileges of the Word application.
(5) If your system is vulnerable, the exploit will create a unique key for your system (it will probably call out to its command and control system, identifying your machine, to obtain the key) and start to encrypt all files on your system. If it can reach shared drives and has write access to them, it may do the same to those files. It will then display a message stating that the files are encrypted and explaining how you can pay the ransom.
You have a few options at this point:
- Pay the ransom
- Determine if you have a backup of the files and if you can restore from the backup
If you have a restorable backup, you then have to remove the malware from your system. This will involve booting into Safe mode and using an anti-virus tool to remove the ransomware (you can find a list of tools here). In either case, it is a pain — but in the second case you have the pride of knowing you were able to defeat the evil empire.
If you decide to pay the ransom, you will learn a lot about bitcoin and receive the key to decrypt the files. In almost all cases, the criminal will provide the key once you have paid, because they don't want to be badly rated for customer support.
So how do you avoid the scenario described here? The current wisdom is to:
- Keep your systems patched up to the latest versions
- Keep an anti-virus program up to date
- Do regular backups to systems that are reachable from your computer only with admin privileges and passwords
- Test your backup restore process a few times a year to confirm that you can do it successfully and that the data is current
But there is still a risk that you will get tricked, because the criminals are building new versions of the malware faster than anti-virus vendors can identify them and add detection. The next article will describe a simple process to help with the decision of whether or not to pay a ransom.
Update: Two Attacks for The Price Of One: Weaponized Document Delivers Ransomware and Potential DDoS Attack
“We recently found a ransomware variant that not only holds the victim’s machine and data hostage until a ransom is paid, but also exploits the compromised machine as part of a potential DDOS attack. This means that while the victim is unable to access their endpoint, that same endpoint is being used to deny service to another victim. Two attacks for the price of one.”
https://www.invincea.com/2016/05/two-attacks-for-the-price-of-one-weaponized-document-delivers-ransomware-and-potential-ddos-attack/
A new removal tool for TeslaCrypt ransomware variants (v3 or v4):
http://support.eset.com/kb6051/
Here is the latest advisory by the FBI on ransomware:
https://www.fbi.gov/news/stories/2016/april/incidents-of-ransomware-on-the-rise
Their advice is not to pay ransoms:
“Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
This is definitely an altruistic recommendation but does not solve an individual’s problem if they have lost important information.
The FBI tips are addressed to organizations but apply to individuals too.
The article linked below is a good example of how a ransomware exploit got in and was able to spread in a security-aware casino. If the first victim had tried the Google Drive trick, it may have been avoided.
https://threatpost.com/diary-of-a-ransomware-victim/117877/
This is an important issue. I have the following info that I use to help with ransomware and may be of help to others but I would like to hear from others that have good resources:
Updated ransomware database by Enigma Software for finding a description of a specific ransomware variant (disclaimer: it also promotes a scanning product): https://esupport.trendmicro.com/en-us/home/pages/technical-support/1105975.aspx
Free cleanup and sometimes decrypt tools for various types of ransomware:
• Alpha: http://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-accepts-itunes-gift-cards-as-payment/
• Android. Dogspectus: https://www.bluecoat.com/security-blog/2016-04-25/android-exploit-delivers-dogspectus-ransomware
• Android.SimpleLocker: https://play.google.com/store/apps/details?id=com.avast.android.malwareremoval
• CoinVault & Bitcryptor: https://noransom.kaspersky.com
• Tesla: https://github.com/vrtadmin/TeslaDecrypt/tree/master/Windows
• General tool: https://esupport.trendmicro.com/en-us/home/pages/technical-support/1105975.aspx
• Rakhni: http://support.kaspersky.com/us/viruses/disinfection/10556
• DecryptorMax or CryptInfinite: http://www.bleepingcomputer.com/forums/t/596691/decryptormaxcryptinfinite-crinf-ransomware-support-and-help-topic/
• Radamant: http://news.softpedia.com/news/radamant-ransomware-decrypted-files-can-be-retrieved-for-free-498070.shtml
• Torlocker: http://support.kaspersky.com/viruses/disinfection/11718
Another removal tool: Microsoft has a generic malware removal tool that is updated frequently: https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx