What is Ransomware and 15 Easy Steps To Keep Your System Protected
Did you know what ransomware can do besides encrypting your data?
May 12th 2017 saw the biggest ever cyber attack in Internet history (yes, bigger than the Dyn DDoS). A ransomware named WannaCry stormed through the web, with the damage epicenter being in Europe.
WannaCry leveraged a vulnerability in Windows OS, first discovered by the NSA, and then publicly revealed to the world by the Shadow Brokers.
In the first few hours, 200,000 machines were infected. Big organizations such as Renault or the NHS were struck and crippled by the attack.
Ransomware has been a growing trend for the past two years, and this is just a culmination, a grand reveal to the wider world of just how big of a threat it is. But we’ve been writing about this for a while now.
Some time ago, a delivery guy walked into our office. While we signed for the package, he realized that we work in cyber security and asked:
My entire music collection from the past 11 years got encrypted by ransomware.
How do ransomware threats spread?
Cyber criminals simply look for the easiest way to infect a system or network and use that backdoor to spread the malicious content.
Nevertheless, these are the most common infection methods used by cybercriminals:
- Spam email campaigns that contain malicious links or attachments (there are plenty of forms that malware can use for disguise on the web);
- Security exploits in vulnerable software;
- Internet traffic redirects to malicious websites;
- Legitimate websites that have malicious code injected in their web pages;
- Drive-by downloads;
- Malvertising campaigns;
- SMS messages (when targeting mobile devices);
- Self-propagation (spreading from one infected computer to another); WannaCry, for instance, used an exploit kit that scanned a user’s PC, looking for a certain vulnerability, and then launched a ransomware attack that targeted it.
- Affiliate schemes in ransomware-as-a-service. Basically, the developer behind the ransomware earns a cut of the profits each time a user pays the ransom.
Crypto-ransomware attacks employ a subtle mix of technology and psychological manipulation (also known as social engineering).
These attacks get more refined by the day, as cyber criminals learn from their mistakes and tweak their malicious code to be stronger, more intrusive and better suited to avoid cyber security solutions. The WannaCry attack is a perfect example of this since it used a wide-spread Windows vulnerability to infect a computer with basically no user interaction.
That’s why each new variant is a bit different from its forerunner. Malware creators incorporate new evasion tactics and pack their “product” with aggressive exploit kits, a pre-selected list of software vulnerabilities to target, and more.
Which gets us to the next important answer in our common quest to understand how your files end up encrypted.
How do ransomware infections happen?
Though the infection phase is slightly different for each ransomware version, the key stages are the following:
- Initially, the victim receives an email which includes a malicious link or a malware-laden attachment. Alternatively, the infection can originate from a malicious website that delivers a security exploit to create a backdoor on the victim’s PC by using a vulnerable software from the system.
- If the victim clicks on the link or downloads and opens the attachment, a downloader (payload) will be placed on the affected PC.
- The downloader uses a list of domains or C&C servers controlled by cyber criminals to download the ransomware program on the system.
- The contacted C&C server responds by sending back the requested data.
- The malware then encrypts the entire hard disk content, personal files, and sensitive information. Everything, including data stored in cloud accounts (Google Drive, Dropbox) synced on the PC. It can also encrypt data on other computers connected to the local network.
- A warning pops up on the screen with instructions on how to pay for the decryption key.
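The stages above describe the attacker’s side. From the defender’s side, the last two stages leave behaviour a sensor can see: one process suddenly creating many files with an extension nobody uses, and file contents that look like random bytes. The script below is an added example, not code from the original article; it runs two such checks over a constructed list of file-system events (the event format, process names and the `.locked` extension are invented here for illustration, not taken from any real strain) and over sample file contents. The entropy threshold of 7.5 bits per byte is an assumption; compressed media such as MP3 or JPEG also score high, so a real deployment would pair it with the burst check rather than use it alone.

```python
"""Two behavioural checks for the encryption stage of a ransomware infection."""
import math
import os
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Extensions that are normal for this (constructed) user's documents folder.
KNOWN_EXT = {".docx", ".xlsx", ".jpg", ".pdf", ".txt", ".mp3", ".bak"}

# Constructed sample of file-system events: (timestamp, process, path, action).
# A word processor saves two documents, a backup tool writes two .bak files,
# and one process creates six ".locked" files within eight seconds.
EVENTS = [
    ("2017-05-12T11:00:01", "winword.exe", r"C:\Users\amy\Docs\report.docx", "create"),
    ("2017-05-12T11:00:03", "backup_tool.exe", r"D:\Backup\report.bak", "create"),
    ("2017-05-12T11:00:05", "invoice_scan.exe", r"C:\Users\amy\Docs\report.docx.locked", "create"),
    ("2017-05-12T11:00:06", "invoice_scan.exe", r"C:\Users\amy\Docs\budget.xlsx.locked", "create"),
    ("2017-05-12T11:00:07", "invoice_scan.exe", r"C:\Users\amy\Music\track01.mp3.locked", "create"),
    ("2017-05-12T11:00:09", "invoice_scan.exe", r"C:\Users\amy\Music\track02.mp3.locked", "create"),
    ("2017-05-12T11:00:11", "invoice_scan.exe", r"C:\Users\amy\Photos\trip.jpg.locked", "create"),
    ("2017-05-12T11:00:13", "invoice_scan.exe", r"C:\Users\amy\Docs\notes.txt.locked", "create"),
    ("2017-05-12T11:00:20", "winword.exe", r"C:\Users\amy\Docs\letter.docx", "create"),
    ("2017-05-12T11:00:25", "backup_tool.exe", r"D:\Backup\letter.bak", "create"),
]


def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data, threshold=7.5):
    """Heuristic: encrypted (or compressed) content is close to uniform."""
    return shannon_entropy(data) >= threshold


def suspicious_processes(events, window=timedelta(seconds=10), threshold=5):
    """Return {process: max_count} for processes that created at least
    `threshold` files with an unknown extension inside any `window`-long
    interval. This is the mass-rename pattern of the encryption stage."""
    per_proc = defaultdict(list)
    for ts, proc, path, action in events:
        if action != "create":
            continue
        if os.path.splitext(path)[1].lower() in KNOWN_EXT:
            continue
        per_proc[proc].append(datetime.fromisoformat(ts))

    flagged = {}
    for proc, times in per_proc.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):           # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[proc] = best
    return flagged


if __name__ == "__main__":
    plaintext = b"The quick brown fox jumps over the lazy dog. " * 50   # constructed
    ciphertext_like = bytes(range(256)) * 16                           # uniform bytes
    print("plaintext entropy:", round(shannon_entropy(plaintext), 2), looks_encrypted(plaintext))
    print("uniform entropy:  ", round(shannon_entropy(ciphertext_like), 2), looks_encrypted(ciphertext_like))
    print("burst creators:", suspicious_processes(EVENTS))
```

The burst check is what makes the difference in practice: a single high-entropy file is normal, but one process producing dozens of them in seconds, all under a new extension, is the moment to isolate the machine (as the reader in the Locky story below did by pulling the first infected PC off the network).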
Everything happens in just a few seconds, so victims are completely dumbstruck as they stare at the ransom note in disbelief.
Most of them feel betrayed because they can’t seem to understand one thing:
But I have antivirus! Why didn’t it protect me from this?
Why ransomware often goes undetected by antivirus
Ransomware uses several evasion tactics that keep it hidden and allow it to:
- Not get picked up by antivirus products
- Not get discovered by cyber security researchers
- Not get observed by law enforcement agencies and their own malware researchers.
The rationale is simple: the longer a malware infection can persist on a compromised PC, the more data it can extract and the more damage it can do.
So here are just a few of the tactics that encryption malware employs to remain covert and maintain the anonymity of its makers and distributors:
- Communication with Command & Control servers is encrypted and difficult to detect in network traffic;
- It relies on built-in anonymizers: TOR to hide its traffic from law enforcement agencies, and Bitcoin to receive ransom payments without revealing who collects them;
- It uses anti-sandboxing mechanisms so that antivirus won’t pick it up;
- It employs domain shadowing to conceal exploits and hide the communication between the downloader (payload) and the servers controlled by cyber criminals.
- It features Fast Flux, another technique used to keep the source of the infection anonymous;
- It deploys encrypted payloads which can make it more difficult for antivirus to see that they include malware, so the infection has more time to unfold;
- It has polymorphic behavior which gives it the ability to mutate enough to create a new variant, but not so much as to alter the malware’s function;
- It has the ability to remain dormant – the ransomware can remain inactive on the system until the computer is at its most vulnerable moment and take advantage of that to strike fast and effectively.
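Two of the tactics listed above, Fast Flux and domain shadowing, leave a signature in DNS logs that a defender can look for even when the C&C traffic itself is encrypted: a Fast Flux domain resolves to a constantly changing set of IP addresses with very short TTLs, and a shadowed domain suddenly sprouts subdomains that the organisation has never seen before. The script below is an added example, not code from the original article. The log format, the hostnames and the addresses (all from the reserved TEST-NET ranges) are constructed for illustration, and the thresholds are assumptions to be tuned against your own baseline. Splitting a registered domain off as the last two labels is a simplification; a real tool would consult the Public Suffix List.

```python
"""Flag Fast Flux and domain-shadowing candidates in resolver logs."""
import re
from collections import defaultdict

# Constructed resolver log: "<timestamp> <qname> A <answer> ttl=<seconds>".
DNS_LOG = """\
2017-05-12T11:00:00 update.example-cdn.net A 203.0.113.10 ttl=45
2017-05-12T11:01:00 update.example-cdn.net A 198.51.100.7 ttl=30
2017-05-12T11:02:00 update.example-cdn.net A 192.0.2.44 ttl=30
2017-05-12T11:03:00 update.example-cdn.net A 203.0.113.99 ttl=60
2017-05-12T11:04:00 update.example-cdn.net A 198.51.100.200 ttl=30
2017-05-12T11:00:10 www.example.org A 192.0.2.80 ttl=86400
2017-05-12T11:00:20 www.example.org A 192.0.2.80 ttl=86400
2017-05-12T11:05:00 kq83ja.example.org A 203.0.113.5 ttl=300
2017-05-12T11:05:10 zz19pa.example.org A 203.0.113.5 ttl=300
2017-05-12T11:05:20 b77qxm.example.org A 203.0.113.5 ttl=300
2017-05-12T11:05:30 mail.example.org A 192.0.2.25 ttl=86400
"""

# Hostnames the organisation already knows (constructed baseline).
BASELINE = {"www.example.org", "mail.example.org"}

LINE_RE = re.compile(r"^(\S+) (\S+) A (\S+) ttl=(\d+)$")


def parse_dns_log(text):
    """Turn log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, qname, answer, ttl = m.groups()
            records.append({"ts": ts, "qname": qname.lower(),
                            "answer": answer, "ttl": int(ttl)})
    return records


def registered_domain(name):
    """Simplification: treat the last two labels as the registered domain."""
    return ".".join(name.split(".")[-2:])


def fast_flux_candidates(records, min_ips=4, max_ttl=300):
    """Names that resolved to at least `min_ips` distinct addresses while every
    answer carried a TTL of at most `max_ttl` seconds. Returns {name: ip_count}."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for r in records:
        ips[r["qname"]].add(r["answer"])
        ttls[r["qname"]].append(r["ttl"])
    return {name: len(addrs) for name, addrs in ips.items()
            if len(addrs) >= min_ips and max(ttls[name]) <= max_ttl}


def shadowing_candidates(records, baseline, min_new=3):
    """Registered domains under which at least `min_new` hostnames outside the
    baseline appeared. Returns {registered_domain: sorted new hostnames}."""
    new_hosts = defaultdict(set)
    for r in records:
        if r["qname"] not in baseline:
            new_hosts[registered_domain(r["qname"])].add(r["qname"])
    return {dom: sorted(hosts) for dom, hosts in new_hosts.items()
            if len(hosts) >= min_new}


if __name__ == "__main__":
    recs = parse_dns_log(DNS_LOG)
    print("fast flux:", fast_flux_candidates(recs))
    print("shadowing:", shadowing_candidates(recs, BASELINE))
```

Large content-delivery networks also rotate addresses with short TTLs, so the Fast Flux check produces leads for an analyst rather than verdicts; the shadowing check is only as good as the baseline of hostnames you maintain for your own and your partners’ domains.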
If you’re keen on reading more about why your antivirus has trouble detecting advanced malware, we actually created a guide on that exact topic.
The most notorious ransomware families
By now you know that there are plenty of versions out there. With names such as CryptXXX, Troldesh or Chimera, these strains sound like the stuff hacker movies are made of.
So while newcomers may want to get a share of the cash, a handful of families have established their domination.
If you find any similarities between this context and how the mafia conducts its business, well, it’s because they do resemble each other in some respects.
On Friday, May 12, 2017, around 11 AM ET/3PM GMT, a ransomware attack of “unprecedented level” (Europol) started spreading WannaCry around the world. It used a vulnerability in Windows that allowed it to infect victims’ PCs without them taking any action.
By May 24, 2017, the infection had affected over 200,000 victims in 150 countries, and it is still spreading.
Read more in the dedicated security alert about the Wanna ransomware campaign.
As a more recent development, another type of encrypting malware is trying to replicate the impact that WannaCry had. It improves on it by not including a killswitch domain, while keeping the same self-replicating abilities.
Up-to-date details are in this security alert, which also anticipates additional waves of malicious encryption.
Cerber is a relatively old encrypting malware, and its usage has frequently gone up and down. However, recent updates and added features have brought it back firmly into center stage. In the first quarter of 2017, Cerber had a huge, 90% market share among all the ransomware families. For the time being, it is likely to stay on top of the food chain.
One of the newest and most daring ransomware families to date is definitely Locky.
First spotted in February 2016, this strain made its entrance with a bang by extorting a hospital in Hollywood for about $17,000.
But they weren’t the only victims. In fact, two days after we published the Locky alert, we received the following comment from one of our readers:
We were attacked Tuesday by this ransomware. 150 Emails spoofed to our mailserver. 149 Mails were blocked by the Barracuda spamfilter. One slipped through and was initialised by a coworker from the sales department. In half an hour our fileserver, applicationserver and shared maps on local PC’s were encrypted.
After locating the PC where it all started, we took that one from the network and started to restore everything from the backup. In one hour the file server and application server were back working.
Except for one local folder with lots of data in it that wasn’t on the fileserver, which was completely destroyed. We succeeded in fixing this as follows.
First we installed RECUVA on this PC and tried to recover the lost map. The fact that the user kept working on it had as result that most files weren’t recoverable because they were overwritten by cookies and temporary internet files. (So when noticing the LOCKY files … stop working).
Windows 7 has shadow files. Too bad those files are corrupt because of the LOCKY virus … but … we were able to recover those files with RECUVA, restore them and start SHADOWEXPLORER and go back 6 days to recover a shadow copy from the lost data folder. In the end we recovered about 99% of lost files!
But as someone said before …. nothing helps to prevent it so backup, backup and backup…
Since then, Locky has had a rampant distribution across the world. Here’s its geographical distribution by April 2016.
Source: Securelist analysis
As you’ve seen, things never stop changing in cyber crime, so Locky’s descendant, Zepto, made its debut in early July 2016.
This file-encrypting malware emerged in early 2014 and its makers often tried to refer to it as CryptoLocker, in order to piggyback on its awareness.
Since then, TorrentLocker relied almost entirely on spam emails for distribution. In order to increase effectiveness, both the emails and the ransom note were targeted geographically.
Attackers noticed that attention to detail meant that they could trick more users into opening emails and clicking on malicious links, so they took it a step further. They used good grammar in their texts, which made their traps seem authentic to the unsuspecting victims.
Source: Sophos analysis
TorrentLocker creators proved that they were attentively looking at what’s going on with their targeted “audience” when they corrected a flaw in their encryption mechanism. Until that point, a decryption tool created by a malware researcher had worked.
But soon they released a new variant which featured stronger encryption and narrowed the chances for breaking it to zero.
Its ability to harvest email addresses from the infected PC is also noteworthy. Naturally, these addresses were used in subsequent spam campaigns to further distribute TorrentLocker.
In June 2014, Deputy Attorney General James Cole, from the US Department of Justice, declared that a large joint operation between law agencies and security companies employed:
traditional law enforcement techniques and cutting edge technical measures necessary to combat highly sophisticated cyber schemes targeting our citizens and businesses.
He was talking about Operation Tovar, one of the biggest take-downs in the history of cyber security, which Heimdal Security also participated in.
Operation Tovar aimed to take down the Gameover ZeuS botnet, which authorities also suspected of spreading financial malware and CryptoLocker.
As Brian Krebs mentioned in his take on CryptoLocker:
The trouble with CryptoLocker is not so much in removing the malware — that process appears to be surprisingly trivial in most cases. The real bummer is that all of your important files — pictures, documents, movies, MP3s — will remain scrambled with virtually unbreakable encryption…
CryptoLocker infections peaked in October 2013, when it was infecting around 150,000 computers a month!
Since then, we’ve reported sightings of CryptoLocker in numerous campaigns spoofing postal or delivery services in Northern Europe.
Though the CryptoLocker infrastructure may have been temporarily down, it doesn’t mean that cybercriminals didn’t find other methods and tools to spread similar variants.
CryptoWall is such a variant and it has already reached its third version, CryptoWall 4.0.
This number alone shows how fast this malware is being improved and used in online attacks!
In 2015, even the FBI agreed ransomware is here to stay. This time, it wouldn’t stop at home computers but would spread to infect:
Businesses, financial institutions, government agencies, academic institutions, and other organizations… resulting in the loss of sensitive or proprietary information.
Since then, this prediction has become reality, and now we understand the severity and impact of the crypto-ransomware phenomenon.
In a similar manner to CryptoLocker, CryptoWall spreads through various infection vectors, including browser exploit kits, drive-by downloads and malicious email attachments.
CTB Locker is one of the latest variants of CryptoLocker, but at a totally different level of sophistication.
Let’s take a quick look at its name: what do you think CTB stands for?
- C comes from Curve, which refers to its persistent Elliptic Curve Cryptography that encrypts the affected files with a unique RSA key;
- T comes from TOR, because it uses the famous P2P network to hide the cybercriminals’ activity from law enforcement agencies;
- B comes from Bitcoin, the payment method used by victims to pay the ransom, also designed to hide the attackers’ location.
What’s also specific to CTB-Locker is that it includes multi-lingual capabilities, so attackers can use it to adapt their messaging to specific geographical areas.
If more people can understand what happened to their data, the bigger the payday.
CTB-Locker was one of the first ransomware strains to be sold as a service in the underground forums. Since then, this has become the norm, but two years ago it was an emerging trend.
Now, potential cyber criminals don’t really need strong technical skills, as they can purchase ready-made malware which even includes a dashboard where they can track their successful infections and return on investment.
In 2014, malware analyst Kafeine managed to access one of these black markets and posted all the information advertised by online criminals.
By taking a quick look at the malware creators’ ad, we can see that the following support services are included in the package:
- instructions on how to install the Bitcoin payment on the server;
- how to adjust the encryption settings in order to target the selected victims;
- details such as the requested price and the localized language that should be used;
- recommendations on the price that you can set for the decryption key.
Heimdal Security specialists noticed that CTB Locker spreads through spam campaigns, where the e-mail message appears as an urgent FAX message.
This is a sample of the e-mail content:
From: Spoofed / falsified content
Fax from RAMP Industries Ltd
Incoming fax, NB-112420319-8448
New incoming fax message from +07829 062999
[Fax server]= +07955-168045
[Fax server]: [Random ID] Content:
No.: +07434 20 65 74
Date: 2015/01/18 14:56:54 CST
For those who want to explore this strain further, I can recommend this extensive presentation.
In 2012, the major ransomware strand known as Reveton started to spread. It was based on the Citadel trojan, which was, in turn, part of the Zeus family.
Its signature feature was to display a warning from law enforcement agencies, which made people name it “police trojan” or “police virus”. Unlike the other families mentioned here, Reveton was a locker, meaning that it restricted access to the computer itself, not just the files.
Once the warning appears, the victim is informed that the computer has been used for illegal activities, such as torrent downloads or for watching porn.
The graphic display enforced the idea that everything is real. Elements like the computer IP address, logo from the law enforcement organization in that specific country or the localized content, all of these created the general illusion that everything is actually happening.
Brian Krebs published a larger analysis on Reveton, indicating that security exploits have been used by cybercriminals and that:
insecure and outdated installations of Java remain by far the most popular vehicle for exploiting PCs.
Four years later, Java is the same pain in the proverbial backend.
When it first emerged, TeslaCrypt focused on a specific audience: gamers. Not all of them, but actually a segment that played a series of specific games, including Call of Duty, World of Warcraft, Minecraft and World of Tanks.
By exploiting vulnerabilities mainly in Adobe Flash (a serial culprit for ransomware infections), TeslaCrypt moved on to bigger targets, such as European companies.
Cyber security experts managed to find flaws in TeslaCrypt’s encryption algorithm twice. They created decryption tools and did their best so that the malware creators wouldn’t find out.
But, as you can guess, TeslaCrypt makers corrected the flaws and released new versions that featured stronger encryption and enhanced data leakage capabilities.
We announced TeslaCrypt 4.0 in March 2016, but only two months later, it was shut down!
To everyone’s surprise, the cyber criminals even apologized.
ESET researchers managed to get the universal master decryption key from them and built a decryptor that you can use if you happen to be a victim of TeslaCrypt.
No one knows why the guys behind TeslaCrypt quit, but we can only hope to see more of that in the cyber crime scene.
What will come next?
Although we can’t guess future encryption attacks, there is one trend that cyber criminals seem to be pursuing: attacks that are more targeted, more carefully prepared and which require a smaller infrastructure to be deployed.
We finally got to the best part, where you can learn what to do to stay protected against ransomware attacks.
15 Items to take your ransomware protection to the next level
This is a promise that I want you to make to yourself: that you will take the threat of ransomware seriously and do something about it before it hits your data.
I’ve seen too many cries for help and too many people confused and panicking when their files get encrypted.
How I wish I could say that ransomware protection is not a life and death kind of situation! But if you work in a hospital and you trigger a crypto-ransomware infection, it could actually endanger lives. Learning how to prevent ransomware attacks is a need-to-have set of knowledge and you can do it both at home and at work.
So here’s what I want you to promise me:
Locally, on the PC
- I don’t store important data only on my PC.
- I have 2 backups of my data: on an external hard drive and in the cloud – Dropbox/Google Drive/etc.
- The Dropbox/Google Drive/OneDrive/etc. application on my computer is not turned on by default. I only open them once a day, to sync my data, and close them once this is done.
- My operating system and the software I use is up to date, including the latest security updates.
- For daily use, I don’t use an administrator account on my computer. I use a guest account with limited privileges.
- I have turned off macros in the Microsoft Office suite – Word, Excel, PowerPoint, etc.
In the browser
- I have removed the following plugins from my browsers: Adobe Flash, Adobe Reader, Java and Silverlight. If I absolutely have to use them, I set the browser to ask me if I want to activate these plugins when needed.
- I have adjusted my browsers’ security and privacy settings for increased protection.
- I have removed outdated plugins and add-ons from my browsers. I only kept the ones I use on a daily basis and I keep them updated to the latest version.
- I use an ad-blocker to avoid the threat of potentially malicious ads.
- I never open spam emails or emails from unknown senders.
- I never download attachments from spam emails or suspicious emails.
- I never click links in spam emails or suspicious emails.
Anti-ransomware security tools
- I use a reliable, paid antivirus product that includes an automatic update module and a real-time scanner.
- I understand the importance of having a traffic-filtering solution that can provide proactive anti-ransomware protection.
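The two backup items on the list only help if the copies are actually intact when you need them, which is also why the checklist keeps the cloud-sync client closed most of the time: a synced folder faithfully copies encrypted files too. The script below is an added example, not code from the original article; it hashes every file in a source tree and its backup copy and reports what is missing from the backup, what differs (a backup file that no longer matches its original is exactly what an encrypted backup looks like), and what exists only in the backup. `demo()` builds a small constructed source and backup in temporary directories, with one file never backed up and one backup file deliberately overwritten, so you can see both findings without touching real data; point `compare_trees` at your own folders to use it for real.

```python
"""Check that a backup copy still matches the data it was taken from."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large media files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_of(full)
    return digests


def compare_trees(source_root, backup_root):
    """Return (missing, changed, extra): source files absent from the backup,
    files whose backup copy differs from the source, and backup-only files."""
    src, bak = tree_digest(source_root), tree_digest(backup_root)
    missing = sorted(p for p in src if p not in bak)
    changed = sorted(p for p in src if p in bak and src[p] != bak[p])
    extra = sorted(p for p in bak if p not in src)
    return missing, changed, extra


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed source/backup pair: two files copied correctly, one photo
    that never reached the backup, and one backup file overwritten with junk
    to simulate a backup that was itself encrypted."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as bak:
        for rel, data in {"music/track01.mp3": b"id3-data", "docs/notes.txt": b"notes"}.items():
            _write(src, rel, data)
            _write(bak, rel, data)
        _write(src, "photos/trip.jpg", b"jpeg-data")          # never backed up
        _write(bak, "docs/notes.txt", b"\x8f\x12\x7a garbage")  # simulated encryption
        return compare_trees(src, bak)


if __name__ == "__main__":
    missing, changed, extra = demo()
    print("missing from backup:", missing)
    print("backup differs from source:", changed)
    print("only in backup:", extra)
```

Run it on a schedule against the external drive while it is connected, and keep the previous report: a sudden jump in the "changed" list across many files at once is a sign that the source (or the backup) has been encrypted, and a clean comparison is the evidence you want before you rely on that copy for a restore.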
I want you to be prepared, so you’ll never have to deal with the dreaded question of: “should I pay the ransom or not?”
My answer will always be a big, fat NO.
Paying the ransom gives you no guarantee that the online criminals at the other end of the Bitcoin transfer will give you the decryption key. And even if they do, you’d be further funding their greedy attacks and fueling the never-ending malicious cycle of cyber crime.
To put things into perspective, 1 out of every 4 users who paid the ransom didn’t get their data back. They lost both the information and their money.
How to get your data back without paying the ransom
There are hundreds of types of ransomware out there, but cyber security researchers are working around the clock to break the encryption that at least some of them use. Unfortunately, the most notorious families have proven to be unbreakable so far. In spite of this, there are many other cryptoware strains that are not that well coded and which specialists were able to crack.
To help you find a solution to recover your data without further funding ransomware creators, we put together a sizeable list of ransomware decryption tools which you can use.
We recommend you read about how these tools work beforehand so that you’re sure that this is the best solution for your case.