Posted on by TECCS Computer Repairs & IT Services

What is ransomware?

Ransomware is a sophisticated piece of malware that blocks the victim’s access to his/her files.

There are two types of ransomware in circulation:

  1. Encrypting ransomware, which incorporates advanced encryption algorithms. It’s designed to block system files and demand payment to provide the victim with the key that can decrypt the blocked content. Examples include CryptoLocker, Locky, CrytpoWall and more.
  2. Locker ransomware, which locks the victim out of the operating system, making it impossible to access the desktop and any apps or files. The files are not encrypted in this case, but the attackers still ask for a ransom to unlock the infected computer. Examples include the police-themed ransomware or Winlocker.
  3. Another version pertaining to this type is the Master Boot Record (MBR) ransomware. The MBR is the section of a PC’s hard drive which enables the operating system to boot up. When MBR ransomware strikes, the boot process can’t complete as usual, and prompts a ransom note to be displayed on the screen. Examples include Satana and Petya ransomware.

However, the most widespread type of ransomware is crypto-ransomware or encrypting ransomware, which in this guide. The cyber security community agrees that this is the most prominent and worrisome cyber threat of the moment.

Ransomware has some key characteristics that set it apart from other malware:

  • It features unbreakable encryption, which means that you can’t decrypt the files on your own (there are various decryption tools released by cyber security researchers – more on that later);
  • It has the ability to encrypt all kinds of files, from documents to pictures, videos, audio files and other things you may have on your PC;
  • It can scramble your file names, so you can’t know which data was affected. This is one of the social engineering tricks used to confuse and coerce victims into paying the ransom;
  • It will add a different extension to your files, to sometimes signal a specific type of ransomware strain;
  • It will display an image or a message that lets you know your data has been encrypted and that you have to pay a specific sum of money to get it back;
  • It requests payment in Bitcoins, because this crypto-currency cannot be tracked by cyber security researchers or law enforcements agencies;
  • Usually, the ransom payments has a time-limit, to add another level of psychological constraint to this extortion scheme. Going over the deadline typically means that the ransom will increase, but it can also mean that the data will be destroyed and lost forever.
  • It uses a complex set of evasion techniques to go undetected by traditional antivirus (more on this in the “Why ransomware often goes undetected by antivirus” section);
  • It often recruits the infected PCs into botnets, so cyber criminals can expand their infrastructure and fuel future attacks;
  • It can spread to other PCs connected in a local network, creating further damage;
  • It frequently features data exfiltration capabilities, which means that ransomware can extract data from the affected computer (usernames, passwords, email addresses, etc.) and send it to a server controlled by cyber criminals;
  • It sometimes includes geographical targeting, meaning the ransom note is translated into the victim’s language, to increase the chances for the ransom to be paid.

The inventory of things that ransomware can do keeps growing every day, with each new security alert broadcasted by our team or other malware researchers.

As ransomware families and variants multiply, you need to understand that you need at least baseline protection to avoid data loss and other troubles.

Encrypting ransomware is a complex and advanced cyber threat which uses all the tricks available because it makes cyber criminals a huge amount of money. We’re talking millions!

If you’re curious how it all started, it’s time to go over:

A quick history of ransomware

It may be difficult to imagine, but the first ransomware in history emerged in 1989 (that’s 27 years ago). It was called the AIDS Trojan, whose modus operandi seems crude nowadays. It spread via floppy disks and involved sending $189 to a post office box in Panama to pay the ransom.

How times have changed!

As cyber criminals moved from cyber vandalism to cyber crime as a business, ransomware emerged as the go-to malware to feed the money-making machine.

The advent of Bitcoin and evolution of encryption algorithms favored made the context ripe for ransomware development too.

 

Top targets for ransomware creators and distributors

That’s why, after testing ransomware on home users and evaluating the impact, they moved onto bigger targets: police departments, city councils and even schools and, worse, hospitals!

Clearly, ethics or morality have no weight in today’s money-hungry cyber crime business. “There is honor among thieves” was tossed out the window a long time ago.

That leaves us with to dig out the reasons why online criminals choose to target various types of Internet users. This may help you better understand why things happen as they do right now.

Why ransomware creators and distributors target home users:

  • Because they don’t have data backups;
  • Because they have little or no cyber security education, which means they’ll click on almost anything;
  • Because the same lack of online safety awareness makes them prone to manipulation by cyber attackers;
  • Because they lack even baseline cyber protection;
  • Because they don’t keep their software up to date (even if specialists always nag them to);
  • Because they fail to invest in need-to-have cyber security solutions;
  • Because they often rely on luck to keep them safe online (I can’t tell you how many times I’ve heard “it can’t happen to me”);
  • Because most home users still rely exclusively on antivirus to protect them from all threats, which is frequently ineffective in spotting and stopping ransomware;
  • Because of the sheer volume of Internet users that can become potential victims (more infected PCs = more money).

Why ransomware creators and distributors target businesses:

  • Because that’s where the money is;
  • Because attackers know that ransomware can cause major business disruptions, which will increase their chances of getting paid;
  • Because computer systems in companies are often complex and prone to vulnerabilities that can be exploited through technical means;
  • Because the human factor is still a huge liability which can also be exploited, but through social engineering tactics;
  • Because ransomware can affect not only computers, but also servers and cloud-based file-sharing systems, going deep into a business’s core;
  • Because cyber criminals know that business would rather not report ransomware attacks for fears of legal or reputation-related consequences;
  • Because small businesses are often unprepared to deal with advanced cyber attacks (which ransomware is) and have a lax BYOD (bring your own device) policy.

 

Why ransomware creators and distributors target public institutions:

  • Because public institutions, such as government agencies, manage huge databases of personal and confidential information that cyber criminals can sell;
  • Because these institutions ofttimes lack appropriate cyber defenses that can protect them against ransomware;
  • Because the staff is not trained to spot and avoid cyber attacks (ransomware often leverages the human factor weakness to trigger the infection);
  • Because public institutions often use outdated software and equipment, which means that their computer systems are packed with security holes just begging to be exploited;
  • Because ransomware has a big impact on conducting usual activities, causing huge disruptions;
  • Because successfully attacking public institutions feeds the cyber criminals’ egos (they may want money above all else, but they won’t hesitate to reinforce their position in the community about attacking a high-profile target)

 

How do ransomware threats spread?

Ransomware and any other advanced piece of financial or data stealing malware spreads by any available means.

Cyber criminals simply look for the easiest way to infect a system or network and use that backdoor to spread the malicious content.

Nevertheless, these are the most common methods used by cybercriminals to spread ransomware:

  • Spam email campaigns that contain malicious links or attachments (there are plenty of forms that malware can use for disguise on the web);
  • Security exploits in vulnerable software;
  • Internet traffic redirects to malicious websites;
  • Legitimate websites that have malicious code injected in their web pages;
  • Drive-by downloads;
  • Malvertising campaigns;
  • SMS messages (which apply to ransomware that targets mobile devices);
  • Botnets;
  • Self-propagation (spreading from one infected computer to another);
  • Affiliate schemes in ransomware-as-a-service (earning a share of the profits by helping further spread ransomware).

Crypto-ransomware attacks employ a subtle mix of technology and psychological manipulation (also known as social engineering).

These attacks get more refined by the day, as cyber criminals learn from their mistakes and tweak their malicious code to be stronger, more intrusive and better suited to avoid cyber security solutions.

That’s why each new ransomware variant is a bit different from its forerunner. Malware creators incorporate new evasion tactics and pack their “product” with piercing exploit kits, pre-coded software vulnerabilities to target and more.

 

Which gets us to the next important answer in our common quest to understand ransomware attacks.

How do ransomware infections happen?

Though the infection phase is slightly different for each ransomware version, the key stages are the following:

 

  1. Initially, the victim receives an email which includes a malicious link or a malware-laden attachment. Alternatively, the infection can originate from a malicious website that delivers a security exploit to create a backdoor on the victim’s PC by using a vulnerable software from the system.
  2. If the victim clicks on the link or downloads and opens the attachment, a downloader (payload) will be placed on the affected PC.
  3. The downloader uses a list of domains or C&C servers controlled by cyber criminals to download the ransomware program on the system.
  4. The contacted C&C server responds by sending back the requested data, in our case, the ransomware.
  5. The ransomware starts to encrypt the entire hard disk content, personal files and sensitive information. Everything, including data stored in cloud accounts (Google Drive, Dropbox) synced on the PC. It can also encrypt data on other computers connected in the local network.
  6. A warning pops up on the screen with instructions on how to pay for the decryption key.

 

Everything happens in just a few seconds, so victims are completely dumbstruck as they stare at the ransom note in disbelief.

Most of them feel betrayed, because they can’t seem to understand one thing.

 

Why ransomware often goes undetected by antivirus

I’ve mentioned the evasion tactics that ransomware uses more than once. This collection of technical methods ensures that crypto-ransomware infections can stay below the radar and:

  • Not get picked up by antivirus products
  • Not get discovered by cyber security researchers
  • Not get observed by law enforcement agencies and their own malware researchers.

The rationale is simple: the longer a malware infection can persist on a compromised PC, the more data it can extract and the more damage it can do.

So here are just a few of the tactics that ransomware employs to remain covert and maintain the anonymity of its makers and distributors:

  1. Communication with Command & Control servers is encrypted and difficult to detect in network traffic;
  2. It features built-in traffic anonymizers, like TOR and Bitcoin, to avoid tracking by law enforcement agencies and to receive ransom payments;
  3. It uses anti-sandboxing mechanisms so that antivirus won’t pick it up;
  4. It employs domain shadowing to conceal exploits and hide the communication between the downloader (payload) and the servers controlled by cyber criminals (where the ransomware is stored);
  5. It features Fast Flux, another technique used to keep the source of the infection anonymous;
  6. It deploys encrypted payloads which can make it more difficult for antivirus to see that they include malware, so the infection has more time to unfold;
  7. It has polymorphic behavior that endows the ransomware with the ability to mutate enough to create a new variant, but not so much as to alter the malware’s function;
  8. It has the ability to remain dormant – the ransomware can remain inactive on the system until the computer it at its most vulnerable moment and take advantage of that to strike fast and effectively.

 

The most notorious ransomware families

By now you know that there’s plenty of ransomware out there. With names such as CryptXXX, Troldesh or Chimera, these strains sound like the stuff hacker movies are made of.

So while newcomers may want to get a share of the cash, there are some ransomware families that have established their domination.

If you find any similarities between this context and how the mafia conducts its business, well, it’s because they resemble in some aspects.
We finally got to the best part, where you can learn what to do to stay protected against appalling ransomware attacks.

15 Items to Check if You Want To Keep Your System Safe From Ransomware

This is a promise that I want you to make to yourself: that you will take the threat of ransomware seriously and do something about it before it hits your data.

I’ve seen too many cries for help and too many people confused and panicking about a ransomware attack.

How I wish I could say that ransomware is not a life and death kind of situation! But if you work in a hospital and you trigger a crypto-ransomware infection, it could actually endanger lives. Learning how to prevent ransomware attacks is a need-to-have set of knowledge and you can do it both at home and at work.

So here’s what I want you to promise me:

Locally, on the PC

1. I don’t store important data only on my PC.

2. I have 2 backups of my data: on an external hard drive and in the cloud – Dropbox/Google Drive/etc.

3. The Dropbox/Google Drive/OneDrive/etc. application on my computer are not turned on by default. I only open them once a day, to sync my data, and close them once this is done.

4. My operating system and the software I use is up to date, including the latest security updates.

5. For daily use, I don’t use an administrator account on my computer. I use a guest account with limited privileges.

6. I have turned off macros in the Microsoft Office suite – Word, Excel, PowerPoint, etc.
In the browser

7. I have removed the following plugins from my browsers: Adobe Flash, Adobe Reader, Java and Silverlight. If I absolutely have to use them, I set the browser to ask me if I want to activate these plugins when needed.

8. I have adjusted my browsers’ security and privacy settings for increased protection.

9. I have removed outdated plugins and add-ons from my browsers. I only kept the ones I use on a daily basis and I keep them updated to the latest version.

10. I use an ad blocker to avoid the threat of potentially malicious ads.

Online behavior

11. I never open spam emails or emails from unknown senders.

12. I never download attachments from spam emails or suspicious emails.

13. I never click links in spam emails or suspicious emails.

Anti-ransomware security tools

14. I use a reliable, paid antivirus product that includes an automatic update module and a real-time scanner.

15. I understand the importance of having a traffic-filtering solution that can provide proactive anti-ransomware protection.

 

 I want you to be prepared, so you’ll never have to deal with the dreaded question of: “should I pay the ransom or not?”

My answer will always be a big, fat NO.

Paying the ransom gives you no guarantee that the online criminals at the other end of the Bitcoin transfer will give you the decryption key. And even if they do, you’d be further funding their greedy attacks and fueling the neverending malicious cycle of cyber crime.

 

Conclusion

Ransomware brought extortion to a global scale, and it’s up to all of us, users, business-owners and decision-makers, to disrupt it.

We now know that:

  • creating malware or ransomware threats is now a business and it should be treated as such;
  • the “lonely hacker in the basement” stereotype died long time ago;
  • the present threat landscape is dominated by well defined and well funded groups that employ advanced technical tools and social engineering skills to access computer systems and networks;
  • even more, cyber criminal groups are hired by large states to target not only financial objectives, but political and strategic interests.

We also know that we’re not powerless and there’s a handful of simple things we can do to avoid ransomware. Cyber criminals have as much impact over your data and your security as you give them.

Stay safe and don’t forget the best protection is always a backup!

 

 

This guide is written by https://heimdalsecurity.com/blog/what-is-ransomware-protection/ and has been adapted for use by TECCS Computer Repairs.