A few weeks ago, a delivery guy walked into our office. As we signed for the package, he realized that we work in cyber security and asked the following question:
"My entire music collection from the past 11 years got encrypted by ransomware. Is there anything I can do about it?
They’re asking for $500 for the decryption key."
"Do you have a backup?"
He looked down and said a bitter "no."
This scenario is unfolding right now somewhere in the world. Maybe even in your city or neighborhood. In this very moment, someone is clicking a link in a spam email or activating macros in a malicious document. In a few seconds, all their data will be encrypted and they’ll have just a few days to pay hundreds of dollars to get it back. Unless they have a backup, which most people do not have.
Ransomware creators and other cyber criminals involved in the malware economy are remorseless. They’ve automated their attacks to the point of targeting anyone and everyone.
Take this story from the New York Times:
"My mother received the ransom note on the Tuesday before Thanksgiving. It popped up on her computer screen soon after she’d discovered that all of her files had been locked. “Your files are encrypted,” it announced. “To get the key to decrypt files you have to pay 500 USD.”
If my mother failed to pay within a week, the price would increase to $1,000. After that, her decryption key would be destroyed and any chance of accessing the 5,726 files on her PC - essentially all of her data - would be lost forever."
Prevention is absolutely the best security strategy in this case, and to help you understand what you’re up against, we’ve packed this guide with a host of information.
So What is Ransomware?
You shouldn’t feel helpless when thinking of the crushing effects of ransomware. There are many practical provisions you can take to block or limit the impact of cyber attacks on your data. And we’re about to show you just what to do.
Ransomware is a sophisticated piece of malware that blocks the victim’s access to his/her files.
There are two types of ransomware in circulation:
Encrypting ransomware, which incorporates advanced encryption algorithms. It's designed to block system files and demand payment to provide the victim with the key that can decrypt the blocked content. Examples include CryptoLocker, Locky, CryptoWall and more.
Locker ransomware, which locks the victim out of the operating system, making it impossible to access the desktop and any apps or files. The files are not encrypted in this case, but the attackers still ask for a ransom to unlock the infected computer. Examples include the police-themed ransomware or Winlocker.
Another version pertaining to this type is the Master Boot Record (MBR) ransomware. The MBR is the section of a PC’s hard drive which enables the operating system to boot up. When MBR ransomware strikes, the boot process can’t complete as usual, and prompts a ransom note to be displayed on the screen. Examples include Satana and Petya ransomware.
However, the most widespread type of ransomware is crypto-ransomware or encrypting ransomware, which we will focus on in this guide. The cyber security community agrees that this is the most prominent and worrisome cyber threat of the moment.
Ransomware has some key characteristics that set it apart from other malware:
The inventory of things that ransomware can do keeps growing every day, with each new security alert broadcast by our team or other malware researchers. As ransomware families and variants multiply, you need at least baseline protection to avoid data loss and other troubles.
The History of Ransomware
Encrypting ransomware is a complex and advanced cyber threat which uses all the tricks available because it makes cyber criminals a huge amount of money. We’re talking millions!
If you’re curious how it all started, it’s time to go over a quick history of ransomware. It may be difficult to imagine, but the first ransomware in history emerged in 1989 (that’s 27 years ago). It was called the AIDS Trojan, whose modus operandi seems crude nowadays. It spread via floppy disks and involved sending $189 to a post office box in Panama to pay the ransom.
How times have changed!
As cyber criminals moved from cyber vandalism to cyber crime as a business, ransomware emerged as the go-to malware to feed the money-making machine. The advent of Bitcoin and the evolution of encryption algorithms also made the context ripe for ransomware development. This graph shows just how many types of encrypting malware researchers have discovered in the past 10 years.
And keep in mind 3 things, so you can get a sense of how big the issue really is:
As you can see, things escalated quickly and the trend continues to grow.
Top Targets for Ransomware Creators & Distributors
Cyber criminals are not just malicious hackers who want public recognition, nor are they driven by a quest for cyber mischief. They are business-oriented and seek to profit from their efforts. After testing ransomware on home users and evaluating the impact, they moved on to bigger targets including police departments, city councils, schools and hospitals. Clearly ethics and morality have no weight in today's money-hungry cyber crime business. "There is honor among thieves" was tossed out the window a long time ago.
That leaves us to dig out the reasons why online criminals choose to target various types of Internet users. This may help you better understand why things happen as they do right now.
Why they target home users:
Why they target businesses:
Why they target public institutions:
No Platform is Immune
In terms of platforms and devices, ransomware doesn’t discriminate either. We have ransomware tailor-made for personal computers (too many types to count, but more on that in “The most notorious ransomware families” section), mobile devices (with Android as the main victim and a staggering growth) and servers. And when it comes to servers, the attack is downright vicious.
“Some groups do this by infiltrating the target server and patching the software so that the stored data is in an encrypted format where only the cyber criminals have the key to decrypt the data. The premise of this attack is to silently encrypt all data held on a critical server, along with all of the backups of the data. This process may take some time, depending on the organization, so it requires patience for the cyber criminals to carry it out successfully. Once a suitable number of backups are encrypted, the cybercriminals remove the decryption key and then make their ransom demands known, which could be in the order of tens of thousands of dollars."
Source: The evolution of ransomware by Symantec
This prompted the FBI and many other institutions and security vendors in the industry to urge users, companies and other decision-makers to prepare against this threat and set up strong cyber protection layers.
Attacks on critical infrastructure (electricity, water, etc.) could be next, and even the thought of that can make anyone shudder.
How do ransomware threats spread?
Ransomware and any other advanced piece of financial or data stealing malware spreads by any available means. Cyber criminals simply look for the easiest way to infect a system or network and use that backdoor to spread the malicious content.
Nevertheless, these are the most common methods used by cybercriminals to spread ransomware:
Crypto-ransomware attacks employ a subtle mix of technology and psychological manipulation (also known as social engineering).
These attacks get more refined by the day, as cyber criminals learn from their mistakes and tweak their malicious code to be stronger, more intrusive and better suited to evade cyber security solutions. That's why each new ransomware variant is a bit different from its forerunner. Malware creators incorporate new evasion tactics and pack their "product" with piercing exploit kits, pre-coded software vulnerabilities to target and more.
And here is how infections happen...
How Infections Happen
Initially, the victim receives an email which includes a malicious link or a malware-laden attachment. Alternatively, the infection can originate from a malicious website that delivers a security exploit to create a backdoor on the victim's PC by abusing vulnerable software on the system.
If the victim clicks on the link or downloads and opens the attachment, a downloader (payload) will be placed on the affected PC.
The downloader uses a list of domains or C&C servers controlled by cyber criminals to download the ransomware program onto the system.
The contacted C&C server responds by sending back the requested data, in our case, the ransomware.
The ransomware starts to encrypt the entire hard disk content, personal files and sensitive information. Everything, including data stored in cloud accounts (Google Drive, Dropbox) synced to the PC. It can also encrypt data on other computers connected to the local network.
A warning pops up on the screen with instructions on how to pay for the decryption key.
Everything happens in just a few seconds, so victims are completely dumbstruck as they stare at a ransom note in disbelief. Most of them feel betrayed, because they can’t seem to understand one thing:
"But I have antivirus! Why didn’t it protect me from this?”
Be that as it may, ransomware often goes undetected by antivirus and the longer a malware infection can persist on a compromised PC, the more data it can extract and the more damage it can do.
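Because signatures lag behind each new variant, defenders also watch for the behaviour the infection chain above ends with: many user files rewritten as high-entropy blobs, often under a new extension, alongside a dropped ransom note. The Python snapshot-comparison heuristic below is an added example, not code from the original article; its thresholds (7.5 bits per byte, half of the files) and every sample file are constructed assumptions.

```python
import math
from collections import Counter
# Added example (not from the article). Heuristic thresholds are assumptions.
HIGH_ENTROPY = 7.5        # bits/byte; documents and text sit far below this
SUSPECT_RATIO = 0.5       # share of original files that must look encrypted
NOTE_MARKERS = ("your files are encrypted", "decrypt", "bitcoin")

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; ciphertext approaches the maximum of 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_ransom_note(name: str, data: bytes) -> bool:
    """Text/HTML file mentioning at least two of the usual ransom phrases."""
    text = data.decode("utf-8", errors="ignore").lower()
    return (name.lower().endswith((".txt", ".html"))
            and sum(m in text for m in NOTE_MARKERS) >= 2)

def analyze(before: dict, after: dict) -> dict:
    """Compare two {filename: bytes} snapshots of one folder."""
    encrypted = 0
    for name, old in before.items():
        if shannon_entropy(old) >= HIGH_ENTROPY:
            continue                      # already opaque (zip, jpg): ignore
        if name in after:                 # rewritten in place
            new = after[name]
        else:                             # renamed, e.g. report.docx.locked
            derived = [k for k in after if k.startswith(name + ".")]
            new = after[derived[0]] if derived else b""
        if shannon_entropy(new) >= HIGH_ENTROPY:
            encrypted += 1
    note_found = any(looks_like_ransom_note(k, v)
                     for k, v in after.items() if k not in before)
    ratio = encrypted / len(before) if before else 0.0
    return {"encrypted": encrypted, "note_found": note_found,
            "verdict": ratio >= SUSPECT_RATIO or (encrypted > 0 and note_found)}

# Constructed sample data: low-entropy "documents" and simulated ciphertext
# (uniform byte distribution, entropy exactly 8.0; not real malware output).
PLAIN = b"Quarterly sales report. Revenue grew 4% in Q1; costs were flat.\n" * 30
CIPHER = bytes(range(256)) * 8
NOTE = b"YOUR FILES ARE ENCRYPTED. To decrypt them pay 500 USD in Bitcoin."
BEFORE = {"report.docx": PLAIN, "budget.xlsx": PLAIN,
          "diary.txt": PLAIN, "todo.txt": PLAIN}
AFTER_ATTACK = {"report.docx.locked": CIPHER, "budget.xlsx.locked": CIPHER,
                "diary.txt.locked": CIPHER, "todo.txt": PLAIN,
                "README_DECRYPT.txt": NOTE}
AFTER_NORMAL = {**BEFORE, "todo.txt": PLAIN + b"- buy milk\n",
                "backup.zip": CIPHER}     # one new archive is not an alarm

if __name__ == "__main__":
    print(analyze(BEFORE, AFTER_ATTACK))  # verdict True
    print(analyze(BEFORE, AFTER_NORMAL))  # verdict False
```

The second snapshot shows the guard against a common false positive: a single new archive or image is high-entropy too, so the verdict needs either a large share of previously readable files turning opaque or at least one such file plus a note.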
So here are just a few of the tactics that ransomware employs to remain covert and maintain the anonymity of its makers and distributors:
The Most Notorious Ransomware Families:
By now you know that there's plenty of ransomware out there. With names such as CryptXXX, Troldesh or Chimera, these strains sound like the stuff hacker movies are made of. So while newcomers may want to get a share of the cash, there are some ransomware families that have established their domination. If you find any similarities between this context and how the mafia conducts its business, well, it's because they resemble each other in some respects.
In 2012, the major ransomware strain known as Reveton started to spread. It was based on the Citadel trojan, which was, in turn, part of the Zeus family. This type of ransomware became known for displaying a warning from law enforcement agencies, which made people name it "police trojan" or "police virus". This was a type of locker ransomware, not an encrypting one. Once the warning appears, the victim is informed that the computer has been used for illegal activities, such as torrent downloads or watching porn. The graphic display enforced the idea that everything is real. Elements like the computer's IP address, the logo of the law enforcement organization in that specific country and the localized content all created the general illusion that everything is actually happening.
Brian Krebs published a larger analysis of Reveton, which indicated that security exploits have been used by cybercriminals and that:
"insecure and outdated installations of Java remain by far the most popular vehicle for exploiting PCs."
In June 2014, Deputy Attorney General James Cole, from the US Department of Justice, declared that a large joint operation between law agencies and security companies employed:
"traditional law enforcement techniques and cutting edge technical measures necessary to combat highly sophisticated cyber schemes targeting our citizens and businesses."
He was talking about Operation Tovar, one of the biggest take-downs in the history of cyber security, which Heimdal Security also participated in. Operation Tovar aimed to take down the Gameover ZeuS botnet, which authorities also suspected of spreading financial malware and CryptoLocker ransomware. As Brian Krebs mentioned in his take on this ransomware family:
"The trouble with CryptoLocker is not so much in removing the malware — that process appears to be surprisingly trivial in most cases. The real bummer is that all of your important files — pictures, documents, movies, MP3s — will remain scrambled with virtually unbreakable encryption…"
CryptoLocker infections peaked in October 2013, when it was infecting around 150,000 computers a month! Since then, there have been sightings of CryptoLocker in numerous campaigns spoofing postal or delivery services in northern Europe.
Though the CryptoLocker infrastructure may have been temporarily down, it doesn’t mean that cybercriminals didn’t find other methods and tools to spread similar ransomware variants. CryptoWall is such a variant and it has already reached its third version, CryptoWall 4.0. This number alone shows how fast this malware is being improved and used in online attacks!
In 2015, even the FBI agreed that ransomware is here to stay. This time, it wouldn't stop at home computers, but would spread to infect:
"Businesses, financial institutions, government agencies, academic institutions, and other organizations… resulting in the loss of sensitive or proprietary information."
Since then, this prediction has become reality and now we understand the severity and impact of the crypto-ransomware phenomenon. In a similar manner to CryptoLocker, CryptoWall spreads through various infection vectors, including browser exploit kits, drive-by downloads and malicious email attachments.
CTB Locker is one of the latest ransomware variants of CryptoLocker, but at a totally different level of sophistication.
Let’s take a quick look at its name: what do you think CTB stands for?
C comes from Curve, which refers to its persistent Elliptic Curve Cryptography that encodes the affected files with a unique RSA key;
T comes from TOR, because it uses the famous P2P network to hide the cybercriminals’ activity from law enforcement agencies;
B comes from Bitcoin, the payment method used by victims to pay the ransom, also designed to hide the attackers’ location.
What's also specific to CTB-Locker is that it includes multi-lingual capabilities, so attackers can use it to adapt their messaging to specific geographical areas. The more people who can understand what happened to their data, the bigger the payday.
CTB-Locker was one of the first ransomware strains to be sold as a service on underground forums. Since then, this has become almost the norm, but two years ago it was an emerging trend. Now, potential cyber criminals don't really need strong technical skills, as they can purchase ready-made malware which even includes a dashboard where they can track their successful infections and return on investment.
In 2014, malware analyst Kafeine managed to access one of these black markets and posted all the information advertised by online criminals. By taking a quick look at the malware creators’ ad, we can see that the following support services are included into the package:
This is a sample of the e-mail content:
From: Spoofed / falsified content
Subject: Fax from RAMP Industries Ltd
Incoming fax, NB-112420319-8448
New incoming fax message from +07829 062999
[Fax server] = +07955-168045
[Fax server]: [Random ID]
Content: No.: +07434 20 65 74
Date: 2015/01/18 14:56:54 CST
This file-encrypting ransomware emerged in early 2014 and its makers often tried to refer to it as CryptoLocker, in order to piggyback on its notoriety. Since then, TorrentLocker has relied almost entirely on spam emails for distribution. In order to increase effectiveness, both the emails and the ransom note were targeted geographically. Attackers noticed that attention to detail meant they could trick more users into opening emails and clicking on malicious links, so they took it a step further. They used good grammar in their texts, which made their traps seem authentic to unsuspecting victims.
TorrentLocker creators proved that they were attentively looking at what’s going on with their targeted “audience” when they corrected a flaw in their encryption mechanism. Until that point, a decryption tool created by a malware researcher had worked. But soon they released a new variant which featured stronger encryption and narrowed the chances for breaking it to zero. Its abilities to harvest email addresses from the infected PC are also noteworthy. Naturally, these emails were used in subsequent spam campaigns to further distribute the ransomware.
First spotted in February 2016, this ransomware strain made its entrance with a bang by extorting a hospital in Hollywood for about $17,000. Since then, Locky has seen rampant distribution across the world. Its descendant, Zepto, made its debut the same year.
We cannot guess what future ransomware names will be, but we can expect to see one trend among cyber criminals: more targeted attacks with more advanced preparation that need less infrastructure to deploy. So let's take a look at what you can do to safeguard yourself against these attacks.
Locally on a PC:
Anti-ransomware security tools:
Should You Ever Pay the Ransom? NO!
Paying the ransom gives you no guarantee that the online criminals at the other end of the Bitcoin transfer will give you the decryption key. And even if they do, you’d be further funding their greedy attacks and fueling the never-ending malicious cycle of cyber crime.
How to get your data back without paying the ransom:
There are hundreds of types of ransomware out there, but cyber security researchers are working around the clock to break the encryption that at least some of them use. Unfortunately, the most notorious families have proven to be unbreakable so far. In spite of this, there are many other cryptoware strains that are not that well coded and which specialists were able to crack. It is a never-ending battle though, which is why we urge you to focus on prevention and on keeping multiple backups of your data.
Ransomware brought extortion to a global scale, and it’s up to all of us, users, business-owners and decision-makers, to disrupt it.
We now know that:
We also know that we’re not powerless and there’s a handful of simple things we can do to avoid ransomware. Cyber criminals have as much impact over your data and your security as you give them.
Stay safe and don’t forget the best protection is always a backup!
Contact Scott Oleson, Senior VCIO/IT Director
firstname.lastname@example.org Tel: 303.390.3600