Today we’re going to touch a very sensitive and important subject for your company: ransomware. So let’s start by answering one question:
What do you fear most in today’s security landscape?
Do you fear malware that disrupts normal computer operation, data stealing attacks that retrieve email credentials or ransomware threats that encrypt your computer content and take your money?
Since they have become more visible, ransomware threats have become the most feared, especially by business owners, because they are difficult to detect, remove or block before they encrypt sensitive content. At the same time, ransomware is so dreadful because it leaves the victim with a sense of helplessness: apart from restoring from a clean backup, the only option on offer is to follow the cyber criminals’ instructions.
But let’s start with the basics.
Ransomware (also called crypto-ransomware or cryptoware) is a sophisticated piece of malicious software that uses strong encryption algorithms to lock the victim’s files and demands payment in return for the key that can decrypt them. Like advanced financial and data-stealing malware, ransomware is able to evade detection by conventional antivirus products. But this is where the similarity ends.
As soon as the ransomware gets into the system, it encrypts the files it can reach (including files on network shares and mapped drives that the infected machine has write access to) and tells the victim that money has to be paid within a certain timeframe. If the ransom is not paid in time, the attackers claim the decryption key will be deleted and the encrypted content lost for good.
For this reason, ransomware victims are squeezed between two fears: losing their data if they do not pay, and not being sure that paying will actually get their data unlocked (we are talking about cyber criminals, after all).
A closer look at ransomware yields a few troubling conclusions:
- there are more than 6 large ransomware families;
- crypto-ransomware uses every possible attack vector to infect a machine;
- ransomware samples use obfuscation techniques to evade detection by traditional antivirus products;
- communication with Command & Control (C&C) servers is also encrypted and difficult to detect in network traffic;
- all recent ransomware demands payment in Bitcoin, because the pseudonymous payment trail is much harder for law enforcement agencies to follow than a bank transfer;
- creators of ransomware host their payment sites and Command & Control infrastructure behind traffic anonymizers such as Tor, so that law enforcement agencies cannot easily locate the servers or their operators.
Ransomware and other advanced financial or data-stealing malware spread by any available means. They simply look for the easiest way into a system or network and use that entry point to deliver the malicious content. Here are the most common methods used by cyber criminals to spread ransomware:
- spam email campaigns that contain malicious links or attachments
- malicious websites
- legitimate websites that have malicious code injected in their web pages
- drive-by downloads
- exploits for vulnerable, unpatched software
How does the infection stage take place?
Although the infection process is slightly different for each ransomware version, they still have similarities in their approach:
- Initially, the victim receives an email that contains a malicious link or an infected attachment. Alternatively, the infection may originate from a malicious website that delivers an exploit for a vulnerable piece of software already installed on the system.
- When the link is clicked or the attachment is downloaded and opened, a small downloader is placed on the system.
- The downloader contacts a list of domains or Command & Control (C&C) servers belonging to the cyber criminals to fetch the ransomware itself.
- The contacted C&C server responds by sending back the requested data, in this case the ransomware.
- The ransomware starts encrypting the victim’s files: documents, pictures, databases, archives and any other data that matches its target list. It deliberately leaves the operating system bootable, so that the ransom note can still be displayed. Any network shares or mapped drives the infected machine can write to are encrypted as well, which is how a single infected laptop can take down a whole office’s shared data.
- A warning is displayed on the screen with instructions on how to pay the ransom in order to get the decryption key.
1. REVETON
In 2012, the major ransomware known as Reveton started to spread. It was based on the Citadel Trojan, which was itself part of the Zeus family.
This type of ransomware became known for displaying a fake warning from law enforcement agencies, which led people to call it the “police Trojan” or “police virus”.
Once the warning appears, the victim is informed that the computer has been used for illegal activities, such as torrent downloads or watching porn.
The graphic display reinforced the idea that everything was real. Elements such as the computer’s IP address, the logo of the law enforcement organization in that specific country and localized content all created the illusion that the warning was genuine.
Thus, victims were confused and pressured into paying the “fine” in order to regain access to their computers.
2. CRYPTOLOCKER
This ransomware strain encrypts your data and displays a message announcing that your private information has been encrypted and can only be decrypted if a certain sum of money is paid, within a limited period of time, via the process described in the message. Though CryptoLocker itself can be removed by various security solutions, the encrypted files cannot be recovered without the private key held by the attackers.
CryptoLocker is one of the nastiest pieces of ransomware ever created. It is not just that it takes money from you: once it has encrypted your information, there is no way for you to decrypt those files yourself. The affected users lose access to their private data and, unless they have a clean backup, lose the files without any chance of recovering them.
CryptoLocker is a ransomware Trojan that can infect your system in different ways, but usually this happens via an apparently legitimate e-mail attachment, purportedly from a well-known company or institution. Because it spreads through e-mail attachments, this ransomware is known to target companies and institutions through phishing attacks.
In June 2014, Deputy Attorney General James Cole of the US Department of Justice declared that the large joint operation between law enforcement agencies and security companies employed:
“Traditional law enforcement techniques and cutting edge technical measures necessary to combat highly sophisticated cyber schemes targeting our citizens and businesses.”
Though the GameOver Zeus Trojan was one of the biggest threats to users’ cyber security in recent years, CryptoLocker has evolved into a formidable threat because of how difficult it is to undo its effects and recover personal files.
As Brian Krebs mentioned in his take on CryptoLocker:
“The trouble with CryptoLocker is not so much in removing the malware — that process appears to be surprisingly trivial in most cases. The real bummer is that all of your important files — pictures, documents, movies, MP3s — will remain scrambled with virtually unbreakable encryption…”
CryptoLocker peaked in October 2013, when it showed an infection rate of around 150,000 computers a month!
Evgeniy Bogachev, considered the mastermind behind the large infrastructure that deployed GameOver Zeus and CryptoLocker, continues to be the number one most wanted cyber criminal on the FBI Cyber Most Wanted list.
3. CRYPTOWALL
Though the CryptoLocker infrastructure was shut down in that takedown, it doesn’t mean that cyber criminals didn’t find other methods and tools to spread similar ransomware variants.
CryptoWall is such a variant. It has gone through several versions in quick succession (CryptoWall 3.0 and, more recently, CryptoWall 4.0), which shows how fast-paced the evolution of ransomware really is, and that is worrisome.
At the beginning of 2015, the FBI warned that ransomware is here to stay and that this time it won’t stop at home computers, but will spread to infect:
“Businesses, financial institutions, government agencies, academic institutions, and other organizations… resulting in the loss of sensitive or proprietary information.”
In a similar way to CryptoLocker, CryptoWall has spread through various infection vectors since it first appeared, including browser exploit kits, drive-by downloads, and malicious email attachments.
The phishing and spam campaigns that targeted Europeans in recent years usually invited users to click malicious links or open email attachments. They did this in such a persuasive manner that thousands of users and businesses experienced major service interruptions because they could no longer access their data. Those who had not backed up their information suffered the most, because their data was locked forever, rendering it useless.
What’s new in the latest CryptoWall 4.0 variant?
In short, these are the main differences and improvements in this version of the ransomware:
- communication with the malicious C&C servers has been reworked: a modified protocol helps it evade detection, even by next-generation enterprise firewalls, which lowers detection rates significantly compared to the already successful CryptoWall 3.0 campaigns;
- CryptoWall 4.0 now encrypts not only the contents of your files but their names as well, so victims can no longer even tell which file is which. This confuses them further and increases the pressure to get their data back as fast as possible, which in turn raises the ratio of victims who pay to victims who merely see the ransom message. A clear business enhancement by the cyber criminals;
- CryptoWall 4.0 continues to use Tor to direct victims to the payment instructions, just like CryptoWall 3.0. Victims pay for a decryption key through a hidden service, which preserves the attackers’ anonymity.
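To make the symptoms in the infection chain above (files encrypted in place, ransom note dropped) and in the CryptoWall 4.0 list (file names encrypted too) concrete, here is an added example written for this page; it is not code from the original article or from any vendor or malware family it mentions. It is a small Python monitor that takes a baseline inventory of a folder and later reports files whose contents have turned into high-entropy data, files that vanished and reappeared under unfamiliar names, and dropped ransom-note files. The entropy threshold, the ransom-note name pattern, the sample documents and the random bytes that stand in for ciphertext are all constructed assumptions for the demo; no real malware is involved.

```python
import math
import os
import random
import re
import shutil
import tempfile
from collections import Counter

# Assumed threshold for this demo: encrypted (or compressed) data has close to
# 8 bits of entropy per byte, ordinary office documents far less.
ENTROPY_THRESHOLD = 7.5
# Ransom notes are usually dropped as text/HTML files with telling names such as
# HELP_DECRYPT.TXT; this pattern is a demo assumption, not a detection signature.
RANSOM_NOTE_RE = re.compile(r"(decrypt|recover|restore|help).*\.(txt|html?)$", re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inventory(root: str) -> dict:
    """Map each regular file under root (by relative path) to its entropy."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                result[os.path.relpath(path, root)] = shannon_entropy(fh.read())
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Diff two inventories and report the symptoms described in the text."""
    encrypted_in_place = sorted(
        p for p, e in current.items()
        if p in baseline and baseline[p] < ENTROPY_THRESHOLD <= e
    )
    missing = sorted(p for p in baseline if p not in current)
    unknown = sorted(p for p in current if p not in baseline)
    ransom_notes = [p for p in unknown if RANSOM_NOTE_RE.search(os.path.basename(p))]
    renamed_or_new = [p for p in unknown if p not in ransom_notes]
    return {
        "encrypted_in_place": encrypted_in_place,  # same name, contents now random
        "missing": missing,                        # originals gone (renamed or deleted)
        "renamed_or_new": renamed_or_new,          # unfamiliar names, CryptoWall 4.0 style
        "ransom_notes": ransom_notes,
    }


def looks_like_ransomware(report: dict, min_hits: int = 3) -> bool:
    """A ransom note, or several files scrambled or vanished, is the trigger."""
    hits = len(report["encrypted_in_place"]) + len(report["missing"])
    return bool(report["ransom_notes"]) or hits >= min_hits


def build_demo() -> dict:
    """Constructed scenario: four documents, then a simulated encryption run."""
    rng = random.Random(2015)
    root = tempfile.mkdtemp()
    try:
        text = b"Quarterly report. Revenue grew modestly; costs were flat.\n" * 40
        for name in ("report.docx", "budget.xlsx", "minutes.txt", "readme.txt"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(text)
        baseline = inventory(root)

        # Simulated attack: random bytes stand in for ciphertext.
        def scramble(name):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(bytes(rng.getrandbits(8) for _ in range(8192)))

        scramble("report.docx")
        scramble("budget.xlsx")
        os.remove(os.path.join(root, "minutes.txt"))  # name encrypted as well ...
        scramble("27p9k67d.h6d")                      # ... and written back under a random name
        with open(os.path.join(root, "HELP_DECRYPT.TXT"), "w") as fh:
            fh.write("Your files are encrypted. Pay within 72 hours.\n")

        return compare(baseline, inventory(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    report = build_demo()
    for key, value in report.items():
        print(f"{key}: {value}")
    print("ransomware activity:", looks_like_ransomware(report))
```

Run against a real folder, the same two calls (inventory before, compare after) turn a handful of canary documents on a file share into an early warning: a few low-entropy files that nobody in the business edits, re-checked every few minutes, will flip to high entropy or disappear within seconds of an infection starting on the share, long before a user notices the ransom note.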
4. CTB LOCKER
CTB Locker is one of the newer ransomware families to follow in CryptoLocker’s footsteps, but with a completely different level of sophistication.
Let’s take a quick look at its name: what does CTB stand for?
- C comes from Curve, because it uses elliptic-curve cryptography (an ECDH key agreement) instead of RSA to derive the keys that encrypt the affected files, so that each victim’s files can only be unlocked with a key the attackers hold;
- T comes from Tor, because the malicious server is hosted at a .onion address, which hides the cyber criminals’ activities from law enforcement agencies;
- B comes from Bitcoin, the payment method victims use to ransom their data, which again obscures the cyber criminals’ location.
Although it is not something new, we have noticed a growing tendency for cyber criminals to design ransomware in order to sell it as a kit on underground forums and hidden networks such as Tor. The interesting aspect is that future cyber criminals won’t need a strong technical background, since the final product is easy to obtain and use.
Malware analyst Kafeine has managed to access such a dark web location and post all the information advertised by attackers.
A quick look at the malicious actors’ ad shows that the support services include:
- instructions on how to set up Bitcoin payment handling on the server;
- how to adjust the ransomware settings in order to target the selected victims;
- details such as the requested price and the language the ransom note should be localized into;
- recommendations on the price to set for the decryption key.
If you follow some life-saving rules for your personal computer and the computers used for your business operations, you can stay safe from ransomware threats. However, keep in mind that cyber criminals never cease to improve their methods and tactics, both to evade detection by traditional antivirus solutions and to find new and more effective ways to trick victims into clicking on malicious links or downloading malicious content. Here is what you need to do to keep your business and personal information safe from ransomware threats:
1. Do not keep important data only on the local device; always keep a backup in a location that is not permanently connected to the local system, such as a cloud account or an external drive that you unplug after each backup (a backup drive that stays mapped is just another target for the ransomware). Keep a regular backup schedule so you don’t lose valuable progress, and test now and then that you can actually restore from it.
2. Do not download or open .zip or other attachments received in emails from unknown senders. This is the main method of distribution for ransomware threats. Only open attachments from known email addresses, and scan any suspicious-looking attachment with a trusted and reputable antivirus product.
3. Do not click links in emails from unknown senders. They could send you to malicious websites that host ransomware. If you can see the actual link (hover your mouse over it to reveal the real destination), you can check it on VirusTotal.com to see if it is dangerous or not (type it by hand, do not click on it).
4. Keep your operating system and your software up to date with the latest security updates. Another important method of spreading ransomware is through exploits for vulnerable applications. To make things easier and save time and energy, use a tool that applies these updates automatically, without disturbing your work.
5. Use a reliable antivirus product that includes an automatic update module and a real-time scanner that detects suspicious behavior. Even better, contact its Technical Support and ask directly whether the product detects the latest ransomware threats and what additional protection it can offer.
6. Since most antivirus products do not detect the latest ransomware variants, or, more precisely, the downloaders that fetch the malicious payload onto the system, we recommend using a specialized tool against financial malware and ransomware that can block the infected locations before they deliver the encryption module to your computers and encrypt the data.
7. Increase your online protection level by adjusting your web browser security settings.
8. Never use an administrator account for everyday work on any of the computers you use to run your business. Instead, use standard user accounts that have access only to the data and systems each person needs. Ransomware runs with the rights of the user who opened it, so a limited account confines what it can reach, and it also makes privilege escalation and other types of infiltration harder.
9. Limit what the business computers can reach over the local network. As you saw, ransomware encrypts not only the data on the laptop where the infection succeeded but also everything on the network shares and mapped drives that the infected user can write to. Give each user write access only to the shares they need, segment the network, and keep backups off shares that are permanently mounted; that way a single infection does not take the whole business down with it.
10. Teach your employees and anyone who has access to your computer(s) these safety rules and make it a requirement that they learn the basics of cyber security. This is an important investment in safeguarding your company’s data and ensuring business continuity.
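Tips 2 and 3 can be partly automated before a human ever opens the message. The following is an added example written for this page (not code from the original article or from any product it mentions): a Python script that parses an e-mail, flags attachments with an executable or double extension, looks inside .zip attachments without extracting anything to disk, and compares the text of each link with the host it really points to, which is exactly the mismatch you would spot by hovering over the link. The extension lists and the sample phishing message with its inert fake invoice are constructed assumptions for the demo.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumed lists for this demo: extensions Windows executes on double-click, and
# document-like extensions attackers put in front of them (Invoice.pdf.exe).
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                  "vbs", "vbe", "wsf", "hta", "jar", "ps1", "lnk"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
                "jpg", "jpeg", "png", "gif"}


def suspicious_filename(name: str) -> Optional[str]:
    """Explain why an attachment name is dangerous, or return None."""
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXT:
        return None
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXT:
        return f"double extension disguising an executable: {name}"
    return f"executable attachment: {name}"


def inspect_zip(data: bytes) -> List[str]:
    """List dangerous member names of a .zip without extracting it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            verdict = suspicious_filename(info.filename)
            if verdict:
                findings.append("inside archive, " + verdict)
    return findings


def mismatched_links(html: str) -> List[Tuple[str, str]]:
    """Return (displayed text, real href) pairs whose hosts do not agree."""
    out = []
    for href, inner in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        real_host = (urlparse(href).hostname or "").lower()
        m = re.search(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)", shown.lower())
        if not m:
            continue  # link text is a plain word such as "help page"; nothing to compare
        shown_host = m.group(1)
        if shown_host != real_host and not real_host.endswith("." + shown_host):
            out.append((shown, href))
    return out


def triage(raw: bytes) -> dict:
    """Apply the attachment and link checks to a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments, links = [], []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            verdict = suspicious_filename(filename)
            if verdict:
                attachments.append(verdict)
            if filename.lower().endswith(".zip"):
                attachments.extend(inspect_zip(part.get_payload(decode=True)))
        elif part.get_content_type() == "text/html":
            links.extend(mismatched_links(part.get_content()))
    return {
        "attachments": attachments,
        "mismatched_links": links,
        # real destinations to paste into VirusTotal by hand; never fetched here
        "urls_to_check": [href for _, href in links],
    }


def build_sample() -> bytes:
    """Constructed phishing e-mail: a fake courier notice with a zipped
    'invoice' that is really an executable, and a link whose text lies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2015.pdf.exe", b"MZ" + b"\x00" * 64)  # inert stub, not a program
    msg = EmailMessage()
    msg["From"] = "billing@example-courier.test"
    msg["To"] = "accounts@victim.test"
    msg["Subject"] = "Your parcel could not be delivered"
    msg.set_content("Please see the attached invoice and track your parcel.")
    msg.add_alternative(
        "<p>Please see the attached invoice.</p>\n"
        '<p>Track your parcel at <a href="http://198.51.100.7/track/x.php">'
        "http://www.example-courier.test/track</a> or read our "
        '<a href="https://www.example-courier.test/help">help page</a>.</p>\n',
        subtype="html",
    )
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_2015.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

The script only returns the real URLs so that they can be submitted to VirusTotal by hand, in line with tip 3; it deliberately never fetches them. A corrupt archive makes `inspect_zip` raise `zipfile.BadZipFile`, which for triage purposes is itself a reason to hold the message rather than deliver it.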
Though ransomware is not a new threat for the IT industry, people did not treat it as something serious until recently, when the damage caused by crypto-malware started to reach tens of millions.
That is why, in May 2014, private security companies joined law enforcement agencies, the FBI and Europol among them, in a massive takedown operation that dismantled the GameOver Zeus botnet and the large infrastructure that spread the CryptoLocker ransomware.
This large, joint operation was a wake-up call for everybody, and a few important lessons have stuck ever since:
- creating malware or ransomware threats is now a business and it should be treated as such;
- the “lonely hacker in the basement” stereotype died a long time ago; current cyber criminals employ teams to keep their business profitable and buy malware strains that they then optimize for their own malicious purposes;
- the present threat landscape is dominated by well-defined and funded groups that employ advanced technical tools and social engineering skills to access computer systems and networks;
- even more, cyber criminal groups are hired by nation states to target not only financial objectives but political and strategic interests as well.
Stay safe, and don’t forget: the best protection is always a backup!