Ransomware is malware that makes its way, usually covertly, onto a user’s computer and then restricts access to files. Its first appearance was in 1989 with the AIDS Trojan, a virus that used a boot count to hide directories and encrypt files. The last couple of years have seen a dramatic increase in ransomware, as attackers constantly find new ways to victimize computer users, especially in India — the third most targeted nation in Asia.
No one knows exactly how many forms of ransomware exist. In 2013 security software vendor McAfee announced that they had collected more than 250,000 variants. Regardless of how many ransomware variants exist, they all share a common goal — to extort victims into paying money to unlock their digital assets.
Most of the time, victims have no clue that their machine has been infected by ransomware until the moment they receive an on-screen alert asking for money in order to regain access to their important files. Most ransoms average between $200 and $300 U.S., and payment is usually via online virtual money like Bitcoin. Once the ransom is paid, the crooks send a key to decrypt the files. Sadly, most victims pay the ransom.
During its first decade, ransomware consisted of fairly simple programs. It has since become more common and much more aggressive, not only encrypting data, but also destroying it. Failure to pay can have widespread and lasting negative impacts on an organization up to and including the loss of their most important data and files.
One ransomware variant getting the limelight lately is CryptoWall, one of the most pervasive malware families on the internet. Its latest variant, CryptoWall 3, is particularly nasty as it encrypts victims’ personal e-mail, spreadsheets and files, leaving the victim little choice but to pay the ransom. According to a study by the Cyber Threat Alliance, CryptoWall 3 was responsible for more than 406,000 attempted infections and $325 million in damages during a 10-month period in 2015.
Strangely, the cyber criminals are fairly professional and straightforward in their demands and, ironically, dependable when it comes to sending you the decryption key. It makes sense that they would do so — after all, as enterprising types they recognize the need to please their “customers.” If they didn’t follow through with the key, word would spread quickly and no one would pay future ransoms. In a way, Adam Smith might be proud of how market forces hold up — even in the criminal underworld.
The ransom demand is easy to follow. There is typically an infuriatingly straightforward notice telling you that your files have been encrypted, along with instructions on how to pay the ransom. These notices also usually have a countdown clock showing how much time you have to pay before your files are gone forever. Classy kidnappers even offer a discount for prompt payment. Below is an actual example of a ransom demand.
Make no mistake, ransomware is truly damaging. In 2012, when the new CryptoLocker came on the scene, I was on my lab computer working with an IPS detection system. The lab was set up in such a way that the firewall was temporarily switched off. I was working with one email which I thought legitimate as it was from DHL and I was coincidentally expecting a delivery.
Without a second thought, I opened the mail and clicked on the link — it made my browser crash. The next thing I knew, I was unable to open the browser so I attempted to use a different browser.
I was still not aware of what was going on under the hood since it was my lab computer. It wasn’t until the following day that I found myself completely locked out from most of my files and documents. Fortunately, I was able to safe-boot the machine and restore it to the point before infection. Eventually I got rid of the ransomware by doing a fresh install of my PC.
Over time, CryptoLocker has evolved to spread through email attachments, ads, and exploit kits. Exploiting browser components like Java and Flash players is the most prolific method. The process is amazingly simple: when a PC is infected, CryptoLocker loads into memory and unpacks its code into a process like explorer.exe that has been started in a suspended state. It then injects its code into that process’s address space and performs a series of steps like:
- Deleting all system shadow volume copies so that the user cannot recover files after the encryption.
- Copying the original binary to a different location on the system, including a startup entry, so that it loads each time the system boots.
- Opening new processes under svchost.exe that run with the user’s privileges.
- Communicating with the attacker’s proxy server to identify itself and to fetch the public keys. As soon as it receives the keys unique to the infected machine, it displays a popup alert to the user, usually opened in a browser.
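As an added example (not code from the original article), the following Python detection logic checks constructed process-creation records for the steps listed above: shadow-copy deletion, Run-key persistence, svchost.exe spawned by an unexpected parent, and executables launched from %APPDATA% or %TEMP% (the path rule from the prevention tips further down). The record layout, the sample paths and file names are assumptions made for the example.

```python
import re

# Constructed sample process-creation records (not real telemetry):
# each tuple is (parent_image, image, command_line).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
     "svchost.exe -k netsvcs"),                                   # benign
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin.exe Delete Shadows /All /Quiet"),                  # step 1
    (r"C:\Users\alice\AppData\Roaming\qwe.exe", r"C:\Windows\System32\svchost.exe",
     "svchost.exe"),                                              # step 3
    (r"C:\Windows\explorer.exe", r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "invoice.exe"),                                              # %TEMP% launch
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\reg.exe",
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd "
     r"/d C:\Users\alice\AppData\Roaming\qwe.exe"),               # step 2
    (r"C:\Windows\explorer.exe", r"C:\Program Files\Notepad++\notepad++.exe",
     "notepad++.exe report.txt"),                                 # benign
]

# Command lines that wipe Volume Shadow Copies (vssadmin or wmic form).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
# Writes to the per-user or machine Run / RunOnce autostart keys.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.I)
# Executables living in user-writable %APPDATA% / %TEMP% locations.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.I)
# On a healthy Windows host svchost.exe is started by services.exe.
SVCHOST_PARENTS = {r"c:\windows\system32\services.exe"}


def classify(parent, image, cmdline):
    """Return the names of every rule this event trips (empty list if clean)."""
    hits = []
    if SHADOW_DELETE.search(cmdline):
        hits.append("shadow_copy_deletion")
    if RUN_KEY.search(cmdline):
        hits.append("run_key_persistence")
    if image.lower().endswith(r"\svchost.exe") and parent.lower() not in SVCHOST_PARENTS:
        hits.append("svchost_unexpected_parent")
    if USER_WRITABLE.search(image):
        hits.append("exec_from_appdata_or_temp")
    return hits


def scan(events):
    """Map the index of each suspicious event to its rule hits; clean events are dropped."""
    findings = {}
    for i, (parent, image, cmdline) in enumerate(events):
        hits = classify(parent, image, cmdline)
        if hits:
            findings[i] = hits
    return findings
```

Running `scan(SAMPLE_EVENTS)` flags four of the six constructed records; in practice the same rules would be fed from Sysmon or EDR process-creation events.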
Ransomware is a threat to schools, home computers, financial institutions, and government agencies. It targets database files, CAD files, and as many as 70 other file extensions including: doc, img, cad, tex, swf, sql, rtf, RAW, ppt, and src. To date, CryptoWall alone is reported to have encrypted almost 5.25 billion files.
Rescuing your files without paying the ransom is virtually impossible. You cannot decrypt your locked files yourself: the actual encryption is AES, the key material is tied to a public key held on the attacker’s server, and without access to the matching private key you are out of luck.
The best way to stay safe is prevention. Here are some tips to help keep ransomware at bay:
- Use a reputable antivirus and firewall to protect your computer from any unwanted ransomware and avoid downloading any security solutions or patches from untrusted websites.
- At least once a week, back up your data. I suggest you back up data to a remote location, since ransomware deletes the Windows shadow copies that could otherwise be used to restore the encrypted files.
- Keep your system and all the software with it up-to-date via the latest patches from the original vendor.
- Run your system in “least privilege mode” and don’t allow users other than the administrator to make changes to the system. This limits ransomware’s ability to run under system privileges.
- Use strong email filters and never open any attachments or links directly from the email itself. Try sandboxing any suspicious files before opening them.
- Stay up-to-date on attacks so that you will recognize any spam emails that might be enticing for employees to click on.
- Avoid running macros and disable ActiveX within Microsoft Office applications. This limits the ability of ransomware to function further in the system.
- Block any binaries from running within the %APPDATA% and %TEMP% paths.
Ransomware is extremely difficult to deal with, not only for a normal user, but also for anti-malware giants. Paying the ransom isn’t a guarantee that the original attacker, or a new one, won’t strike again. Educating ourselves on recognizing the way ransomware proliferates and taking measures to nullify attacks is the only way to defend against having your files kidnapped.
Certifications like CEH, GIAC, and CREA are there for the taking if you want to become an expert in this subject matter. As a certified individual you can protect your own system and those of government agencies, hospitals, banks and others who are on the bullseye for ransomware.