Ransomware is a type of malware that prevents or limits users from accessing their systems. It forces victims to pay a ransom through online payment methods such as Bitcoin in order to regain access to their systems, and perhaps to prevent their data from being published. Some ransomware encrypts files (e.g. CryptoLocker), some uses Tor to hide its command-and-control (C&C) communications (e.g. CTB Locker), and some stops certain applications, such as the web browser, from running.
Payment demands vary: 1 Bitcoin is common for single users, while published demands against businesses have reached 40 Bitcoins and more, e.g. an LA hospital extorted for 40 Bitcoin ($17K). A Bitdefender study reveals that US internet users are willing to pay $350 to recover their personal data. This attack vector is yielding results for the malware creators (the FBI estimates $150 million a year and rising), and because of that monetary value the threat is expected to escalate severely. Ransomware has been called ‘scareware’ by some because of the fear or intimidation victims can experience: will access to the data be regained, or will it be dumped online for all to browse through? The possible damage to business is obvious, and if you are a business leader, don’t waste any time in consulting your security professionals to ensure ransomware mitigation is in place. I am equally concerned for home users, as young family members can easily be targeted by phishing scams that may infect their host and spread throughout the network. It’s a hard choice: pay a ransom to unlock your home computers and keep your family’s privacy, or not.
Ransomware – A History
- 2005-2006: Russia – (TROJ_CRYZIP – Windows) zipped certain files on the operating system and created a note to inform users how to retrieve their files in exchange for $300.
- 2011: SMS – (TROJ_RANSOM.QOWA) users with infected systems were shown a graphic with a premium SMS number on their device until they paid.
- 2012: Europe/US/Canada – (TROJ_RANSOM.BOV) undisclosed number of ransomware infections, commonly materialising as display notifications from the local police agency (Reveton – Police Ransomware or Police Trojan) instead of an anonymous ransom note. Reveton developed from displaying the local police authority and payment methods to the victim, to audio instructions in the victim’s native language and fake digital certifications. In such cases the malware had rewritten the Master Boot Record, thus preventing the operating system from booting. ‘Watering hole’ attacks also became popular, e.g. French websites that had been infected with ransomware went on to infect visiting users.
- 2013: CryptoLocker – emerged to not only lock the system but also encrypt valued directories, files and data residing on infected systems, using AES + RSA encryption (industry standard) to encrypt user files and a hard-stop payment deadline for users. The malware, delivered via a spam campaign, uses an AES key to encrypt the files – the AES key used for decryption is written in the files encrypted by the malware. The key, however, is encrypted with an RSA public key embedded in the malware, which means that a private key is needed to decrypt it – sadly this is only available upon payment. The spammed messages containing malicious attachments belong to TROJ_UPATRE, a malware family noted for its small file size and simple downloading function – it grabs a ZBOT variant which then downloads the CryptoLocker malware. This original version mutated to a ‘worm’ variant by the end of 2013, spreading via removable drives (e.g. USB flash drives) and pretending to be an active agent in peer-to-peer (P2P) file sharing sites. Another variant (TROJ_CRYPTRBIT.H) also landed, encrypting databases, web, Office, video, images, scripts, text and other non-binary files – it also deleted backup files to prevent restoration of encrypted files.
- TrendMicro have classified 45 different encryption ransom-malware variants targeting various systems and users, from mobile, home and enterprise systems…(TrendMicro-Additional-Info).
- Crowti (Cryptowall) and FakeBsod are currently the two most prevalent ransomware families – detected on more than 850,000 Microsoft Systems between June & November 2015.
- 2016: RaaS – Ransomware as a Service – Ransom32. It uses AES encryption with a 128-bit key to lock files and extort Bitcoins from unsuspecting users. The malware gives victims four days to pay for the unlocking key, after which the demand increases over time. This malware only affects Windows systems; the escalation is that the product can be purchased whole from the sellers, priced as a percentage of the spoils plus a small initial purchasing fee. This makes the problem of ransomware even more important, because more instances can be created and used by inexperienced hackers.
Ransomware Protection
- Use reputable anti-virus software and a firewall: A firewall may sound like a business architecture solution, but home routers provide this function too, so what type are you currently using? It’s the home’s first line of defence (ShieldsUP free software – test your firewall’s configuration: GRC ShieldsUP!). An outdated home router could open the network to a multitude of threat vectors, from botnets and Shellshock to simple malware injections, whereas investing in a modern router will also better manage your home bandwidth to stream your media smoothly to the many devices that connect your family to the social networks. Additionally, with the wave of IoT devices coming online, it is best to connect such devices to a guest or isolated network, so that they can reach the world wide web but not interact with devices on the main network. Some anti-virus solutions have reported positive results in sandboxing certain ransomware attacks, but it goes without saying that it is better to have an AV than not.
- Back up Often: The golden rule for backups is 3:2:1: at least three total copies of your data, two of which can be local but on different mediums, and at least one copy off site – an example would be a cloud solution like ‘box’, a local network drive and a different partition on the system. If your solution works then, at any given time, a user could wipe their computer, re-install and recover. It’s good practice to wipe and re-install anyway – annually, or on a system before buying a new one; one can be pleasantly surprised by the new life injected by a fresh system install.
- Enable popup blockers: Popups are a prime tactic used by the bad guys and girls, so it is best to avoid accidentally clicking on an infected popup. If one does appear, click the X in the right-hand corner and not within the frame, as the frame is generally the activation area.
- Disable E-mails with Executable Attachments: Many ransomware emails use attachments with executables. Simply disabling e-mails with executables will prevent users from automatically downloading the executable files – some providers enable this by default, e.g. Gmail. Also look for emails with ‘double file extensions’. Another trick is to attach data in a zip file, which may contain the malware or redirect the user to a site that does.
- Be Vigilant: Don’t click on links within emails and avoid suspicious websites – use the force! My bad; follow your instincts: if it is too good to be true, then don’t. Phishing scams have proven to be most productive for malware infections, and it’s hard to be 100% focused all of the time, for example when checking for an important email in the wee hours. Our curious nature is generally awake before our cautious nature.
- Apply software patches as soon as they become available. Exploit kits rely on vulnerabilities on the host/client to execute the malware. This usually involves vulnerabilities in Java, Shockwave, Flash, and Adobe Reader. With Windows Update, many systems are now automatically configured to get updates – Flash has only been recently added to auto-update; having these up-to-date will prevent exploit kits from being successful. 0-day exploits are relatively rare with ransomware exploits. (Browser checker – Qualys)
- Bookmark trusted websites and access these websites via bookmarks, e.g. when an email indicates an interesting post from LinkedIn, use the trusted LinkedIn URL saved in your browser rather than the email link.
- Disconnect from the network / internet: If you do receive a ransomware note, disconnect the device from the network – unplug the network cable, disable the local WiFi or change the WiFi password. Our goal is to stop the malware from connecting to its command and control network, whether to start the encryption process or to upload the unlocking key or valued data. It will be easier to revert to a backup knowing they have no data to leverage over you. Some ransomware infections have waited a number of days before encrypting data; they use this time to establish communications and scan the infected systems for anti-virus that may inhibit their objective. Never bring your infected device (BYOD) to work. Your intentions may be honourable, but it is best to disconnect and shut down, then reach out for help.
- Generally, large-scale ransomware relies on either exploit kits or spam engines. In both cases, for the malware to execute it usually resides in various temporary directories in Windows (%AppData%). It is possible to disable the ability to execute binaries in these directories via Group Policy or Security Policy, which means that when a user double-clicks on name.exe, the malware will not run. This is accomplished with Software Restriction Policies and an example can be followed here.
- Disable Remote Desktop Protocol: Most ransomware, including the CryptoLocker malware, tries to gain access to victim machines via Remote Desktop Protocol (RDP), a Windows utility that permits access to your desktop remotely – so if it’s not in use, disable it (it is disabled by default on most Windows OS).
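The attachment checks from the e-mail item above (executable attachments, ‘double file extensions’ and executables inside zip files) can be applied as a mail-filter step. This is an added example, not code from the original post; the extension lists, function names and sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed, non-exhaustive lists chosen for this example.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

def name_findings(name):
    """Return the reasons a file name looks like a disguised executable."""
    parts = name.strip().lower().rsplit(".", 2)
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return []
    reasons = ["executable extension"]
    if len(parts) == 3 and parts[1] in DECOY_EXTS:
        reasons.append("double file extension")
    return reasons

def scan_message(raw):
    """Return [(attachment name, [reasons])] for a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = name_findings(name)
        data = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    reasons += [f"{member}: {r}" for r in name_findings(member)]
        if reasons:
            findings.append((name, reasons))
    return findings

def build_sample():
    """Constructed test message: a PDF, a decoy-named file and a zip."""
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream", filename="invoice.pdf.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan_001.jpg.scr", b"MZ")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="photos.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

Archives nested inside other archives are not opened here; a filter that quarantines on any finding would treat those as a separate case.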
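Before enforcing a Software Restriction Policy on the AppData directories as described above, it helps to see which programs currently launch from there, since the rule also stops legitimate software installed in those paths. This added example (not from the original post) audits constructed process-launch records; the log format, extension list, function names and the choice to cover the whole per-user AppData tree are assumptions.

```python
from collections import Counter
from pathlib import PureWindowsPath

BLOCKED_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd"}  # assumed rule scope

# Constructed process-launch records: "<timestamp> <user> <image path>".
SAMPLE_LOG = r"""
2016-04-07T09:12:01 alice C:\Users\alice\AppData\Roaming\name.exe
2016-04-07T09:12:05 alice C:\Program Files\Office\winword.exe
2016-04-07T09:13:40 bob c:\users\bob\appdata\local\temp\7z001\Invoice.PDF.EXE
2016-04-07T09:20:11 bob C:\Users\bob\AppData\Local\Updater\update.exe
2016-04-07T09:25:11 bob C:\Users\bob\AppData\Local\Updater\update.exe
2016-04-07T09:30:00 alice C:\Users\alice\Documents\notes.txt
"""

def in_appdata(image):
    """True if image is an executable anywhere under a profile's AppData tree."""
    path = PureWindowsPath(image)
    parts = [p.lower() for p in path.parts]
    return (len(parts) >= 5 and parts[1] == "users" and parts[3] == "appdata"
            and path.suffix.lower() in BLOCKED_EXTS)

def audit(log_text):
    """Count launches per image that a deny rule on AppData would stop."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.strip().split(None, 2)  # the path may contain spaces
        if len(fields) == 3 and in_appdata(fields[2]):
            hits[fields[2].lower()] += 1
    return hits

if __name__ == "__main__":
    for image, count in audit(SAMPLE_LOG).most_common():
        print(count, image)
```

Images that appear repeatedly, such as the updater in the sample, are candidates for an explicit allow rule before the deny rule is switched on.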
Interesting Developments –
- All ransomware families need a mechanism to ensure the victim’s machine is not encrypted with multiple keys. Ransomware campaigns provide support for victims, with guides to getting Bitcoins and to unlocking after payment has been verified, because they need victims to believe they will regain full access once the contract has been fulfilled. For that reason they have incorporated a safety feature to prevent key complexity issues: typically the public keys used are stored in the Registry or other artifacts, so subsequent infections or executions of the malware will only use the original keys. There have been attempts to create vaccines that abuse this need of the attackers in order to inoculate victim machines – developments in this area are ongoing.
- The deadline in ransomware infections can be extended by setting the BIOS clock back to a time before the deadline window is up – some users have used this to haggle for a cheaper price!!
Ransomware prevention & removal tools
- HitmanPro.Alert – free Ransomware Protection & Browser Intrusion Detection Tool.
- CryptoPrevent
- BitDefender
- AntiRansomware
- CryptoLocker Tripwire
- Anvi Rescue Disk – for Windows, will help assist in ransomware removal.
- HitmanPro.Kickstart – will help remove ransomware.
- Trend Micro AntiRansomware Tool will help remove Ransomware.
- CryptoMonitor – another free ransomware protection and prevention tool.
Additional Information :
SANS ISC – Tips for Stopping Ransomware
TrendMicro Ransomware – Biggest threats in 2016
Microsoft Malware Protection Center
Overall in 2015, Trojan-Ransom was detected on 753,684 computers – Ransomware is thus becoming more and more of a problem.
April 7th 2016
By David Lynch IBM, ethical hacker