Beware of Ransomware – part 2
By Andra Zaharia and Aurelian Neagu
Ransomware is one of the greatest cyber threats in 2017. As such, you need to know why it goes undetected by your antivirus software and how you can protect yourself against it. Unlike malware that merely sends an annoying email to all your contacts, ransomware will destroy all your data unless you pay hundreds of dollars.
Ransomware uses evasion tactics to go undetected. This collection of technical methods ensures that crypto-ransomware infections can stay below the radar. It also makes sure that it doesn't get picked up by antivirus products, doesn't get discovered by cyber security researchers, and doesn't get observed by law enforcement agencies and their own malware researchers.
The rationale is simple: the longer a malware infection can persist on a compromised PC, the more data it can extract and the more damage it can do. So here are just a few of the tactics that ransomware employs to remain covert and maintain the anonymity of its makers and distributors.
Communication with Command and Control servers is encrypted and difficult to detect in network traffic.
It features built-in anonymizers, like TOR for its traffic and Bitcoin for its payments, to avoid tracking by law enforcement agencies and to receive ransom payments.
It uses anti-sandboxing mechanisms so that antivirus won't pick it up.
It employs domain shadowing to conceal exploits and hide the communication between the downloader (payload) and the servers controlled by cyber criminals (where the ransomware is stored).
It features Fast Flux, another technique used to keep the source of the infection anonymous.
It deploys encrypted payloads which can make it more difficult for antivirus to see that they include malware, so the infection has more time to unfold.
It has polymorphic behaviour that endows the ransomware with the ability to mutate enough to create a new variant, but not so much as to alter the malware's function.
It has the ability to remain dormant – the ransomware can remain inactive on the system until the computer is at its most vulnerable moment and take advantage of that to strike fast and effectively.
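The Fast Flux point above has a defensive counterpart: rapid rotation of a domain through many short-lived addresses shows up in DNS logs. The heuristic below is an added example, not part of the original article; the log format, field order and sample records are constructed, and the thresholds are assumptions to tune against your own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed passive-DNS log lines: "<ISO timestamp> <qname> <resolved IP> <TTL seconds>".
# Made-up sample records for this example, not data from the article.
SAMPLE_DNS_LOG = """\
2017-03-20T10:00:01 update.example-cdn.test 203.0.113.10 60
2017-03-20T10:01:05 update.example-cdn.test 198.51.100.22 60
2017-03-20T10:02:10 update.example-cdn.test 192.0.2.77 30
2017-03-20T10:03:15 update.example-cdn.test 203.0.113.99 45
2017-03-20T10:04:20 update.example-cdn.test 198.51.100.5 60
2017-03-20T10:00:03 www.example.test 93.184.216.34 86400
2017-03-20T10:30:03 www.example.test 93.184.216.34 86400
"""

def parse_dns_log(text):
    """Parse log lines into (timestamp, qname, ip, ttl) tuples, skipping malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, qname, ip, ttl = parts
        try:
            records.append((datetime.fromisoformat(ts), qname.lower(), ip, int(ttl)))
        except ValueError:
            continue  # bad timestamp or TTL: ignore the line rather than crash
    return records

def fast_flux_candidates(records, window=timedelta(minutes=10), min_ips=4, max_ttl=300):
    """Return {qname: distinct_ip_count} for names that resolved to at least
    min_ips distinct addresses inside one sliding time window, all with TTLs
    of max_ttl seconds or less. Fast rotation plus low TTLs is the fast-flux
    pattern; large CDNs can look similar, so hits are leads to review, not verdicts."""
    by_name = defaultdict(list)
    for ts, qname, ip, ttl in records:
        if ttl <= max_ttl:              # long-TTL answers cannot rotate quickly
            by_name[qname].append((ts, ip))
    hits = {}
    for qname, obs in by_name.items():
        obs.sort()                      # chronological order for the sliding window
        for i, (start, _) in enumerate(obs):
            ips = {ip for ts, ip in obs[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                hits[qname] = max(hits.get(qname, 0), len(ips))
    return hits
```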
The ransomware mafia
By now you know that there's plenty of ransomware out there. With names such as CryptXXX, Troldesh or Chimera, these strains sound like the stuff hacker movies are made of. So while newcomers may want to get a share of the cash, there are some ransomware families that have established their domination. If you find any similarities between this context and how the mafia conducts its business, well, it's because they resemble each other in some respects. Below is a summary of some of the well-known ransomware families.
Reveton – Began in 2012. It displays a warning from law enforcement agencies of the victim's country. It is a locker type ransomware and it informs the victim that his/her computer has been used for illegal activities. It attacks a user's insecure and outdated installations of Java.
CryptoLocker – Peaked in infections in 2013. Spoofs postal or delivery service campaigns mainly in Northern Europe. Removing the malware is easy but a victim's data will remain scrambled with virtually unbreakable encryption.
CryptoWall – A variant of CryptoLocker. It is rapidly improved and has already reached its third version, CryptoWall 4.0. CryptoWall has helped the crypto-ransomware phenomenon shift from home computers to businesses, financial institutions, government agencies, academic institutions, and other organizations. Similar to CryptoLocker, CryptoWall spreads through various infection vectors including browser exploit kits, drive-by downloads and malicious email attachments.
CTB Locker – It's one of the latest ransomware variants of CryptoLocker, but at a totally different level of sophistication. CTB stands for Curve (which refers to its persistent Elliptic Curve Cryptography that encodes the affected files with a unique RSA key), TOR (because it uses the famous P2P network to hide the cybercriminals' activity from law enforcement agencies) and Bitcoin (the payment method used by victims to pay the ransom, also designed to hide the attackers' location). It includes multi-lingual capabilities that adapt the attacker's message to suit the victim's national language. It was one of the first ransomware strains sold as a service in the underground forums.
TorrentLocker – Emerged in early 2014. Its makers often tried to refer to it as CryptoLocker. It relies on spam emails for distribution. Both the emails and the ransom note were targeted geographically. They made sure to use good grammar to trick users into opening emails and clicking on malicious links. Its creators pay close attention to strengthening the malware so that no decryption method works for too long. It harvests email addresses from infected computers and sends its spam emails to those addresses as well.
TeslaCrypt – Initially focused on a segment of gamers who play games including Call of Duty, World of Warcraft, Minecraft and World of Tanks. It exploited Adobe Flash vulnerabilities and moved on to infect big targets such as European companies.
TeslaCrypt 4.0 came out in March 2016, but two months later, the ransomware shut down. Surprisingly, the cyber criminals even apologized. A decryptor exists in case anyone gets infected with TeslaCrypt ransomware.
Locky – One of the newest and most daring ransomware families. First spotted in February 2016 by extorting a hospital in Hollywood for $17,000. One infected computer connected to a server can shut down the entire server. Locky's descendant, Zepto, debuted in July 2016.
How to be safe
This is a promise that I want you to make to yourself: that you will take the threat of ransomware seriously and do something about it before it hits your data. I've seen too many cries for help and too many people confused and panicking about a ransomware attack.
How I wish I could say that ransomware is not a life and death kind of situation! But if you work in a hospital and you trigger a crypto-ransomware infection, it could actually endanger lives. Learning how to prevent ransomware attacks is essential knowledge, and you can apply it both at home and at work.
On the PC
Don't store important data only on the PC. Have TWO backups of your data: on an external hard drive and in a cloud storage system. Make sure your cloud storage application is not turned on by default on the computer. Only open it once a day to sync your data, and close it once this is done.
Make sure your operating system and the software you use are up to date, including the latest security updates. For additional security, don't use an administrator account on your computer; instead use a guest account with limited privileges. Turn off macros in the Microsoft Office suite – Word, Excel, PowerPoint and so on.
In the browser
Remove the following plugins from your browsers: Adobe Flash, Adobe Reader, Java and Silverlight. If you absolutely have to use them, set the browser to ask you if you want to activate these plugins when needed. Adjust your browsers' security and privacy settings for increased protection.
Remove out-dated plugins and add-ons from your browsers. Only keep the ones you use on a daily basis and keep them updated to the latest version. Use an ad blocker to avoid the threat of potentially malicious ads.
Never open spam emails or emails from unknown senders. Never download attachments from spam emails or suspicious emails. Never click links in spam emails or suspicious emails.
Anti-ransomware security tools
Use a reliable, paid antivirus product that includes an automatic update module and a real-time scanner. Understand the importance of having a traffic-filtering solution that can provide proactive anti-ransomware protection.
I want you to be prepared, so you'll never have to deal with the dreaded question of: "should I pay the ransom or not?" My answer will always be a big, fat NO.
Paying the ransom gives you no guarantee that the online criminals at the other end of the Bitcoin transfer will give you the decryption key. And even if they do, you'd be further funding their greedy attacks and fuelling the never-ending malicious cycle of cybercrime.
Don't fund criminals
There are hundreds of types of ransomware out there, but cyber security researchers are working around the clock to break the encryption that at least some of them use. Unfortunately, the most notorious families have proven to be unbreakable so far. In spite of this, there are many other cryptoware strains that are not that well coded and which specialists were able to crack.
To help you find a solution to recover your data without further funding ransomware creators, we put together a sizeable list of ransomware decryption tools which you can use. We recommend you read about how these tools work beforehand, so that you're sure that this is the best solution for your case.
Do keep in mind that decryptors could become obsolete because of constant updates and new, enhanced versions released by cyber criminals. It's a never-ending battle, which is why we urge you to focus on prevention and having multiple backups for your data. Ransomware brought extortion to a global scale, and it's up to all of us, users, business-owners and decision-makers, to disrupt it.
We now know that creating malware or ransomware threats is a business and it should be treated as such. The "lonely hacker in the basement" stereotype died a long time ago. The present threat landscape is dominated by well-defined and well-funded groups that employ advanced technical tools and social engineering skills to access computer systems and networks.
Even more, cyber-criminal groups are hired by large states to target not only financial objectives, but political and strategic interests.
We also know that we're not powerless and there are a handful of simple things we can do to avoid ransomware. Cyber criminals have as much impact over your data and your security as you give them. Stay safe and don't forget the best protection is always a backup! Software updates are a key anti-ransomware security layer!