What is RANSOMWARE?
Ransomware is malware that infects computer systems and restricts users’ access to the infected systems. It has been observed for several years and typically tries to extort money from victims by displaying on-screen alerts. Often these alerts state that the user’s system has been locked or that the user’s files have been encrypted, and that access will not be restored unless a ransom is paid. The ransom demanded of individuals varies widely but is usually between $200 and $1,000, and it must be paid in a virtual currency such as Bitcoin.
Ransomware is typically spread through phishing emails that contain malicious attachments, or through drive-by downloads. A drive-by download occurs when a user unknowingly visits an infected website and malware is downloaded and installed without the user’s knowledge.
Crypto ransomware, a variant that encrypts files, is distributed in similar ways and has also been spread through social media, such as Web-based instant messaging applications. New methods of infection have also been observed; for example, a vulnerable Web server has been exploited as an entry point into an organization’s network.
In short, ransomware is malware that infects computers and restricts users’ access to them until a ransom is paid to unlock them.
Why is it so effective?
Ransomware authors instill fear and panic in victims, causing them to click on links or pay the ransom; in the process, users’ systems can become infected with additional malware. Ransomware displays intimidating messages similar to the following:
- “Your computer has been infected with a virus. Click here to resolve the issue.”
- “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
- “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”
Ransomware and Recent Variants
Proliferation of variants
In 2012, Symantec, using data from a command and control (C2) server serving 5,700 compromised computers in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant the malicious actors made about $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates show how profitable ransomware can be for its operators.
This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative variants were introduced, including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not only the files on the infected device but also the contents of shared or networked drives. These variants are considered destructive because they encrypt users’ and organizations’ files and render them useless until the criminals receive the ransom.
In early 2016, destructive ransomware variants such as Locky and Samas were observed infecting computers belonging to individuals and businesses, including healthcare facilities and hospitals worldwide.
Samas, another destructive ransomware variant, was used in 2016 to compromise the networks of healthcare facilities. Unlike Locky, Samas propagates through vulnerable Web servers. After a Web server is compromised, the uploaded Ransomware-Samas file is used to infect the organization’s network.
Ransomware is malware that cybercriminals use to hold a computer or its files hostage, demanding payment before returning them to their owner. It is becoming an increasingly popular way for malware authors to extort money from companies and consumers. There are various ransomware families that can get onto victims’ machines, but, as always, the techniques come down either to social engineering or to silent installation through software vulnerabilities.
Ransomware authors have also been linked to a variety of other cybercriminals, the now-familiar cast who knowingly trade in backdoor Trojans, downloaders, spammers, crypters, adware and so on; these operations deal with one another, willingly or reluctantly, for mutual financial gain.
Some ransomware families, such as CryptoLocker, can run standalone (usually arriving by email) or be installed as a secondary payload through a backdoor or downloader.
Since early September 2016, malware authors have sent spam to a range of target groups. Most targets are in the United States and the United Kingdom, but the campaigns are not geographically limited and many people outside those countries have been hit. Initially the emails targeted home users, then small and medium-sized businesses, and now they target enterprises as well.
Malware also propagates through RDP ports that are exposed to the Internet, as well as via email. Ransomware such as CryptoLocker also affects the user’s files on “mapped” drives, that is, drives that have been assigned a drive letter (for example, D:, E:, F:). These may be external hard drives, USB thumb drives, or network or cloud folders. If you have a Dropbox folder mapped locally, its files can be encrypted as well.
Tens of thousands of machines have been affected, though it is estimated that these criminals have sent millions of emails. Hopefully the remaining recipients simply deleted the messages without opening them, rather than leaving them sitting there, waiting to cause more pain.
Victims find that a large number of their files have been encrypted. These are mainly popular data formats: files you would open with programs such as Microsoft Office, Adobe products, iTunes or other music players, or photo viewers. The malware authors use two layers of encryption: each file is encrypted with 256-bit AES, and the AES key generated for that file is then encrypted with a 2048-bit RSA public key. The malware author keeps the matching RSA private key, without which the victim’s computer cannot recover the per-file keys and decrypt the files.
LINKS TO OTHER TYPES OF MALWARE
Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre also downloads CryptoLocker. Finally, CryptoLocker encrypts files on the infected system and demands that a ransom be paid.
The close ties between ransomware and other types of malware were demonstrated through the recent botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.
Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including
- temporary or permanent loss of sensitive or proprietary information,
- disruption to regular operations,
- financial losses incurred to restore systems and files, and
- potential harm to an organization’s reputation.
Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.
The decryption key cannot be brute-forced or recovered from the affected computer’s memory. On current evidence, the criminals are the only ones holding the private key.
What can you do about it?
On the one hand, ransomware can be very scary: encrypted files can essentially be considered damaged beyond repair. On the other hand, if you have prepared your system, it is really no more than a nuisance. Here are some tips to help you avoid having your day ruined by ransomware:
1. Back up your data
The single most important thing to beat ransomware is to keep up-to-date backups. Back up all your data and documents and have a recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to speed recovery. Note that backups on network-connected storage may also be affected by ransomware; critical backups should be isolated from the network for best protection.
If you are hit by ransomware you may lose the document you started that morning, but you can recover easily if you can roll the system back to an earlier snapshot, or wipe the machine and restore the rest of your documents from backup. Remember that ransomware such as CryptoLocker will also encrypt files on mapped drives, including any external drive such as a USB thumb drive and any network or cloud storage that has been assigned a drive letter. What you need, therefore, is a regular backup routine to an external drive or backup service that is not assigned a drive letter, or that is disconnected while a backup is not in progress.
Infection can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.
US-CERT recommends that users and administrators take the following precautions to protect computer networks from ransomware:
- Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies, as it allows only specified programs to run while blocking all others, including malware.
- Keep your operating system and software up to date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring they are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
- Maintain up-to-date anti-virus software, and scan all software downloaded from the Internet before executing it.
- Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of least privilege to all systems and services. Restricting these privileges may prevent malware from running or limit its ability to spread through the network.
- Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, the embedded code executes the malware on the machine. For enterprises or organizations, it is best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Identifying and Avoiding Email Scams.
- Follow safe practices when browsing the web. See Good Security Habits and Safeguarding Your Data for additional details.
- Do not follow unsolicited web links in emails.
The next few tips address CryptoLocker’s behaviour as it has been observed so far; that may not always hold, but these tips can improve your overall security in small ways and help defeat some common malware techniques.
Show hidden file extensions
One way CryptoLocker frequently arrives is as a file named something like “invoice.PDF.EXE”, relying on Windows’ default behaviour of hiding known file extensions. If you re-enable the ability to see the full file extension, spotting suspicious files becomes easier.
Filter EXE in email
If your gateway mail scanner can filter files by extension, you may want to deny messages carrying “.EXE” files, or to deny messages with attachments that have two file extensions where the last one is executable (“*.*.EXE” files, in filter-speak). If you genuinely need to exchange executables within your environment while rejecting “.EXE” attachments, you can do so with ZIP files (password-protected, of course) or through a cloud service.
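The two tips above (showing hidden extensions and filtering executables at the mail gateway) come down to one check: does the real, last extension of an attachment name belong to something Windows will run? The following is an added example, not code from the original article or from any mail-gateway product, of that check as a practitioner might implement it. It treats padding tricks (“Invoice.PDF              .exe”) and paths the same way, looks inside ZIP attachments, and reports password-protected ZIP members as uninspectable rather than silently passing them. The executable-extension list, the sample filenames and the in-memory ZIP are all constructed for the demo.

```python
"""Mail-gateway attachment screen for executable and double-extension names.

Added example, not code from the original article: it flags attachments that
are executables, that hide an executable behind a second extension such as
"invoice.pdf.exe", and executables nested inside a ZIP. The extension list,
the filenames and the in-memory ZIP are constructed for the demo.
"""
import io
import ntpath
import zipfile

# Extensions Windows runs when double-clicked. Assumption: a starting list,
# extend it for your environment.
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe", ".js",
    ".jse", ".wsf", ".wsh", ".hta", ".msi", ".cpl", ".ps1",
}


def extensions(name):
    """All lowercased extensions of a filename, directory parts removed:
    'C:\\x\\Invoice.PDF.exe' -> ['.pdf', '.exe']. A leading dot is not an
    extension, so '.bashrc' -> []."""
    base = ntpath.basename(name.replace("/", "\\")).lower()
    parts = base.split(".")
    if parts and parts[0] == "":
        parts = parts[1:]
    return ["." + p for p in parts[1:]]


def classify_name(name):
    """'executable' for a plain executable, 'double-extension' when an
    executable extension hides behind one or more others, else 'ok'.
    Splitting on every dot also catches padding tricks such as
    'Invoice.PDF            .exe', where spaces push the real extension
    out of view in a narrow column."""
    exts = extensions(name)
    if exts and exts[-1] in EXECUTABLE_EXTS:
        return "double-extension" if len(exts) > 1 else "executable"
    return "ok"


def classify_zip(data):
    """Inspect ZIP members and return (member, verdict) for any that fail.
    Encrypted members (general-purpose flag bit 0) cannot be inspected;
    they are reported as 'encrypted' so a human can decide."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                findings.append((info.filename, "encrypted"))
                continue
            verdict = classify_name(info.filename)
            if verdict != "ok":
                findings.append((info.filename, verdict))
    return findings


def screen_attachment(name, data=None):
    """Screen one attachment. Returns a list of (path, verdict); empty means
    it passed. ZIP contents are inspected when the bytes are supplied."""
    findings = []
    verdict = classify_name(name)
    if verdict != "ok":
        findings.append((name, verdict))
    if data is not None and zipfile.is_zipfile(io.BytesIO(data)):
        findings.extend(
            (f"{name}!{member}", v) for member, v in classify_zip(data)
        )
    return findings


# Constructed sample input: attachment names seen on a hypothetical gateway.
SAMPLE_NAMES = [
    "Q3_report.docx",
    "setup.exe",
    "invoice.pdf.exe",
    "Invoice.PDF              .ExE",
    "photo.jpg.scr",
    "archive.tar.gz",
]


def build_sample_zip():
    """Constructed ZIP: harmless files plus one double-extension executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here")
        zf.writestr("photos/holiday.jpg", b"\xff\xd8\xff")
        zf.writestr("Scan_001.PDF.exe", b"MZ")
    return buf.getvalue()


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n!r}: {screen_attachment(n) or 'ok'}")
    print("scans.zip:", screen_attachment("scans.zip", build_sample_zip()))
```

Only the last extension decides the verdict, so “archive.tar.gz” passes while “photo.jpg.scr” does not; a screen that keys on the first extension, as a user glancing at Explorer with hidden extensions effectively does, gets exactly these cases wrong. Password-protected ZIPs cannot be inspected by the gateway, which is the trade-off behind the article’s suggestion of using them for legitimate executable exchange.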
Disable files running from the AppData/LocalAppData folders
You can create rules within Windows or with intrusion prevention software to disallow a particular notable behaviour used by CryptoLocker, which is to run its executable from the App Data or Local App Data folders. If (for some reason) you have legitimate software that is set to run not from the usual Program Files area but from the App Data area, you will need to exclude it from this rule.
Use a ransomware prevention kit, such as the Cryptolocker Prevention Kit
The Cryptolocker Prevention Kit is a tool created by Third Tier that automates the creation of a Group Policy to disable files running from the App Data and Local App Data folders, as well as disabling executables run from the Temp directories of various archive-extraction utilities.
As CryptoLocker adopts new techniques, the tool is updated, so check back regularly to make sure you have the latest version. If you need to create exemptions to these rules, a document explaining the process is provided.
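To make the rule-and-exemption logic of the two sections above concrete, here is an added example, not the Prevention Kit’s own code, that models how Software Restriction Policy path rules of the kind the kit deploys decide whether an executable may run. The rule list, the hypothetical “ExampleUpdater” exemption, the user-profile paths and the simplified “most specific rule wins” resolution are assumptions made for the demo; real SRP evaluation has more cases, so verify against your own Group Policy before relying on it. The model treats `*` as matching within a single path component, which is why rules for both `%AppData%\*.exe` and `%AppData%\*\*.exe` appear.

```python
"""Evaluate a program path against AppData/LocalAppData/Temp path rules.

Added example, not the Prevention Kit's own code: it models how Software
Restriction Policy path rules of the kind the kit deploys decide whether an
executable may run, including an exemption for legitimate software that
lives under AppData. Assumptions, labelled as such: the rule list, the
exemption entry, the user profile paths, and the simplified "most specific
rule wins" resolution (real SRP evaluation has more cases).
"""
import ntpath
import re

# Constructed profile for one user; real rules use %AppData% etc. expanded
# per user by Windows.
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
}

# (security level, path pattern). '*' matches within a single path
# component, which is why both the "*.exe" and "*\*.exe" forms are needed.
# The Temp patterns cover folders that WinRAR, 7-Zip, WinZip and Explorer
# extract archives into (assumed set; check your own tools).
RULES = [
    ("Disallowed", r"%AppData%\*.exe"),
    ("Disallowed", r"%AppData%\*\*.exe"),
    ("Disallowed", r"%LocalAppData%\*.exe"),
    ("Disallowed", r"%LocalAppData%\*\*.exe"),
    ("Disallowed", r"%LocalAppData%\Temp\Rar*\*.exe"),
    ("Disallowed", r"%LocalAppData%\Temp\7z*\*.exe"),
    ("Disallowed", r"%LocalAppData%\Temp\wz*\*.exe"),
    ("Disallowed", r"%LocalAppData%\Temp\*.zip\*.exe"),
    # Hypothetical exemption: an updater that legitimately lives in AppData.
    ("Unrestricted", r"%LocalAppData%\ExampleUpdater\updater.exe"),
]


def expand(pattern):
    """Replace %VAR% with the user's profile paths (unknown vars are kept)."""
    return re.sub(r"%([^%]+)%",
                  lambda m: ENV.get(m.group(1).upper(), m.group(0)), pattern)


def normalize(path):
    """Collapse '..' and '.' and fold case, so 'Roaming\\..\\Roaming\\x.exe'
    cannot dodge a rule written for 'Roaming\\x.exe'."""
    return ntpath.normpath(path).lower()


def pattern_regex(pattern):
    """Turn a normalized wildcard pattern into a regex where '*' and '?'
    never cross a backslash."""
    escaped = re.escape(pattern)
    escaped = escaped.replace(r"\*", r"[^\\]*").replace(r"\?", r"[^\\]")
    return re.compile(escaped)


def specificity(pattern):
    """Literal characters in a pattern; a longer literal match is treated
    as more specific, so an exact-path exemption beats a wildcard block."""
    return len(re.sub(r"[*?]", "", pattern))


def evaluate(path, rules=RULES, default="Unrestricted"):
    """Return (level, matching pattern or None) for an executable path."""
    target = normalize(path)
    best = None
    for level, pattern in rules:
        pat = normalize(expand(pattern))
        if pattern_regex(pat).fullmatch(target):
            score = specificity(pat)
            if best is None or score > best[0]:
                best = (score, level, pattern)
    if best is None:
        return default, None
    return best[1], best[2]


# Constructed process launch paths to evaluate.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\svchost.exe",
    r"C:\Users\alice\AppData\Roaming\..\Roaming\ksdhf.exe",
    r"C:\Users\alice\AppData\Local\Temp\Rar$DIa0.123\invoice.exe",
    r"C:\Users\alice\AppData\Local\ExampleUpdater\updater.exe",
    r"C:\Users\alice\AppData\Roaming\Vendor\Sub\deep.exe",
    r"C:\Program Files\Example\app.exe",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        level, rule = evaluate(p)
        print(f"{level:12} {p}  <- {rule}")
```

The fifth sample path is the one to notice: an executable two folders deep under AppData matches neither `*.exe` nor `*\*.exe` and is allowed by default. That is the kind of gap the kit’s updates close, and the reason the section above says to check for the latest version rather than treating a one-time policy as finished.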
- Disable RDP
CryptoLocker/Filecoder malware often accesses target machines via Remote Desktop Protocol (RDP), a Windows feature that allows others to access your desktop remotely. If you do not need to use RDP, you can disable it to protect your machine from Filecoder and other RDP exploits. For instructions, see the appropriate Microsoft Knowledge Base article.
- Patch or update your software
The next two tips are more general malware advice that applies to CryptoLocker as much as to any other malware threat. Malware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to get silently onto your system. Regularly updating your software can significantly reduce the potential for ransomware pain. Some vendors release security updates on a regular basis (Microsoft and Adobe both use the second Tuesday of the month), but there are often “out-of-band” or unscheduled updates in case of emergency. Enable automatic updates if you can, or go directly to the software vendor’s website, because malware authors also like to disguise their creations as software update notifications.
- Use a reputable security suite
It is always a good idea to have both anti-malware software and a software firewall to help you identify threats or suspicious behaviour. Malware authors frequently send out new variants to try to avoid detection, which is why it is important to have both layers of protection. At this point, most malware relies on remote instructions to carry out its misdeeds. If you run into a ransomware variant so new that it gets past your anti-malware software, it may still be caught by the firewall when it attempts to connect to its command and control (C&C) server to receive instructions for encrypting your files.
If you find yourself in a position where you have already run a ransomware file without having taken any of the previous precautions, your options are quite a bit more limited. But all may not be lost. There are a few things you can do that might help mitigate the damage, particularly if the ransomware in question is CryptoLocker:
- Disconnect WiFi or unplug the network immediately
If you run a file that you suspect may be ransomware but have not yet seen the characteristic ransomware screen, you may be able to stop communication with the C&C server before it finishes encrypting your files, if you act very quickly. If you disconnect yourself from the network immediately (have I stressed that this must be done right away?), you might mitigate the damage. It takes some time to encrypt all your files, so you may be able to stop it before it has succeeded in garbling them all. This technique is definitely not foolproof, and you might not be lucky or fast enough to outrun the malware, but disconnecting from the network may be better than doing nothing.
- Use System Restore to revert to a known state
If System Restore is enabled on your Windows machine, you might be able to take your system back to a known-clean state. But, again, you have to outsmart the malware. Newer versions of CryptoLocker can delete “shadow” files from System Restore, which means those files will not be there when you try to replace your malware-damaged versions. CryptoLocker starts the deletion process whenever an executable file is run, so you will need to move quickly, since executables may run as part of the normal operation of your Windows system without your knowledge.
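Because shadow-copy deletion happens before the ransom screen appears, it is one of the earliest signals a defender can act on. The following is an added example, not code from the original article, of a small triage pass over process-creation events that flags the well-known Windows commands for deleting volume shadow copies or disabling recovery; the article names no command, so the command forms below (vssadmin, wmic, the Win32_ShadowCopy WMI class, wbadmin and bcdedit) are listed as an assumption. The log lines are constructed in the shape “time, user, parent image, command line” of a process-creation event, and the “backup-agent.exe” expected parent is hypothetical.

```python
"""Spot shadow-copy deletion and recovery tampering in process-creation logs.

Added example, not code from the original article: the article says newer
CryptoLocker builds delete System Restore "shadow" files whenever an
executable runs, but names no command. The command forms matched below are
the well-known ways of doing that on Windows (vssadmin, wmic, the
Win32_ShadowCopy WMI class, wbadmin and bcdedit), listed as an assumption;
the log lines are constructed in the shape "time<TAB>user<TAB>parent
image<TAB>command line" of a process-creation event.
"""
import re

# (technique label, regex on the lowercased command line). '.*' between
# tokens lets argument order, quoting and full image paths vary.
SIGNATURES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("Win32_ShadowCopy delete via WMI",
     re.compile(r"\bwin32_shadowcopy\b.*\b(?:delete|remove)")),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:\brecoveryenabled\b\s+no\b"
                r"|\bbootstatuspolicy\b\s+ignoreallfailures\b)")),
]

# Parents that routinely run these tools for legitimate reasons (assumed).
EXPECTED_PARENTS = {"backup-agent.exe"}


def match_signatures(command_line):
    """Technique labels whose signature matches the command line."""
    cmd = command_line.lower()
    return [label for label, rx in SIGNATURES if rx.search(cmd)]


def parse_event(line):
    """Split one TAB-separated event into a dict, or None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    time, user, parent, cmd = parts
    return {"time": time, "user": user, "parent": parent.lower(), "cmd": cmd}


def triage(lines):
    """Return (time, user, parent, technique, severity) for suspicious
    events. Severity is 'high' unless the parent is an expected tool."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for technique in match_signatures(ev["cmd"]):
            parent_name = ev["parent"].replace("/", "\\").rsplit("\\", 1)[-1]
            severity = "medium" if parent_name in EXPECTED_PARENTS else "high"
            findings.append((ev["time"], ev["user"], ev["parent"],
                             technique, severity))
    return findings


# Constructed sample log (not real telemetry).
SAMPLE_LOG = [
    "2016-03-09 10:02:11\tALICE\tC:\\Users\\alice\\AppData\\Roaming\\ksdhf.exe\t\"C:\\Windows\\System32\\vssadmin.exe\" Delete Shadows /All /Quiet",
    "2016-03-09 10:02:12\tALICE\tC:\\Users\\alice\\AppData\\Roaming\\ksdhf.exe\tvssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB",
    "2016-03-09 10:02:13\tALICE\tC:\\Windows\\System32\\cmd.exe\twmic shadowcopy delete",
    "2016-03-09 10:02:14\tALICE\tC:\\Windows\\System32\\cmd.exe\tbcdedit /set {default} recoveryenabled No",
    "2016-03-09 10:02:15\tSYSTEM\tC:\\Program Files\\Backup\\backup-agent.exe\twbadmin delete catalog -quiet",
    "2016-03-09 10:02:16\tALICE\tC:\\Windows\\System32\\cmd.exe\tvssadmin list shadows",
    "2016-03-09 10:02:17\tALICE\tC:\\Windows\\System32\\cmd.exe\twmic shadowcopy list brief",
    "2016-03-09 10:02:18\tALICE\tC:\\Windows\\explorer.exe\tpowershell -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\"",
    "malformed line without tabs",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

The read-only forms (“vssadmin list shadows”, “wmic shadowcopy list”) are deliberately not flagged, and a shadow-copy deletion whose parent is an unexpected process such as an executable in AppData is exactly the combination worth paging on. Treating the alert as the trigger to disconnect the machine from the network ties this back to the first tip in this section.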
- Set the BIOS clock to reduce the payment
Ransomware such as CryptoLocker has a payment timer, generally set to 72 hours, after which the price of the decryption key goes up significantly. (The price may vary, as the value of Bitcoin is volatile.) By setting the BIOS clock back to a time before the 72-hour window is up, you may be able to “beat the clock” to some extent. I give this advice reluctantly, as all it can do is keep you from having to pay the higher price, and we strongly advise that you do not pay the ransom. Paying the criminals may get your data back, but there have been plenty of cases where the decryption key never arrived or where it failed to decrypt the files properly. Plus, it encourages criminal behaviour! Ransoming anything is not a legitimate business practice, and the malware authors are under no obligation to do what they promise: they can take your money and provide nothing in return, because there is no backlash if the criminals fail to deliver.
- Report instances of fraud to the FBI at the Internet Crime Complaint Center.
Additional information to help you respond
If you are concerned about protecting against ransomware, or have been targeted by ransomware, seek the assistance of an expert. They will have up-to-date details on how to prevent and remediate ransomware attacks.
- For more information, see the US-CERT Security Tips on Avoiding Social Engineering and Phishing Attacks or the Security Publication on Ransomware.
- Individuals and organizations are discouraged from paying the ransom, as this does not guarantee that their data and documents will be released.
Finally, it is worth noting that the recent outbreak of ransomware has attracted a great deal of news coverage, mainly because it runs counter to the usual trend of malware, which tends to be stealthy and therefore does not result in obvious damage. Ransomware is a reminder of why it has always been best practice to protect yourself against data loss with regular backups. That way, no matter what happens, you can restart your digital life quickly from those backups. If anything good comes out of this ransomware trend, it will be the recognition of how important frequent, regular backups are for protecting our valuable data.
Several articles provide more information on this threat:
- Kaspersky Lab, Kaspersky Lab detects mobile Trojan Svpeng: Financial malware with ransomware capabilities now targeting U.S.
- Sophos / Naked Security, What’s next for ransomware? CryptoWall picks up where CryptoLocker left off
- Symantec, CryptoDefence, the CryptoLocker Imitator, Makes Over $34,000 in One Month
- Symantec, Cryptolocker: A Thriving Menace
- Symantec, Cryptolocker Q&A: Menace of the Year
- Symantec, International Takedown Wounds Gameover Zeus Cybercrime Network
- Sophos / Naked Security, “Locky” ransomware – what you need to know
- McAfee Labs Threat Advisory: Ransomware-Locky, March 9, 2016
- SamSam: The Doctor Will See You, After He Pays The Ransom