Beware of Ransomware – part 2

  👤  2362 readers have read this article !
By 2017-02-12

By Andra Zaharia and Aurelian Neagu

Ransomware is one of the greatest cyber threats in 2017. As such you need to know why it goes undetected by your antivirus software and how you can protect yourself against it. Unlike having an annoying email sent out to all your contacts, ransomware will destroy all your data unless you pay hundreds of dollars.

Easily undetected

Ransomware uses evasion tactics to go about undetected. This collection of technical methods ensures that crypto-ransomware infections can stay below the radar. It also makes sure that it doesn't get picked up by antivirus products, doesn't get discovered by cyber security researchers, and doesn't get observed by law enforcement agencies and their own malware researchers.

The rationale is simple: the longer a malware infection can persist on a compromised PC, the more data it can extract and the more damage it can do. So here are just a few of the tactics that ransomware employs to remain covert and maintain the anonymity of its makers and distributors.

Communication with Command and Control servers is encrypted and difficult to detect in network traffic.

It features built-in traffic anonymizers, like TOR and Bitcoin, to avoid tracking by law enforcement agencies and to receive ransom payments.

It uses anti-sandboxing mechanisms so that antivirus won't pick it up.

It employs domain shadowing to conceal exploits and hide the communication between the downloader (payload) and the servers controlled by cyber criminals (where the ransomware is stored).

It features Fast Flux, another technique used to keep the source of the infection anonymous.

It deploys encrypted payloads which can make it more difficult for antivirus to see that they include malware, so the infection has more time to unfold.

It has polymorphic behaviour that endows the ransomware with the ability to mutate enough to create a new variant, but not so much as to alter the malware's function.

It has the ability to remain dormant – the ransomware can remain inactive on the system until the computer is at its most vulnerable moment and take advantage of that to strike fast and effectively.

The ransomware mafia

By now you know that there's plenty of ransomware out there. With names such as CryptXXX, Troldesh or Chimera, these strains sound like the stuff hacker movies are made of. So while newcomers may want to get a share of the cash, there are some ransomware families that have established their domination. If you find any similarities between this context and how the mafia conducts its business, well, it's because they resemble in some aspects. Given below is a summery on some of the well-known ransomware families.

Reveton – began in 2012. It displays a warning from law enforcement agencies of the victim's country. It is a locker type ransomware and it informs the victim that his/her computer has been used for illegal activities. Attacks a user's insecure and outdated installations of Java.

CryptoLocker – Peaked in infections in 2013. Spoofs postal or delivery service campaigns mainly in Northern Europe. Removing the malware is easy but a victim's data will remain scrambled with virtually unbreakable encryption.

CryptoWall – A variant of CryptoLocker. It is rapidly improved and has already reached its third version, CryptoWall 4.0. Crypto wall has helped the crypto-ransomware phenomenon shift from home computers to that of businesses, financial institutions, government agencies, academic institutions, and other organizations. Similar to CryptoLocker, CryptoWall spreads through various infection vectors including browser exploit kits, drive-by downloads and malicious email attachments.

CTB Locker – It's one of the latest ransomware variants of CryptoLocker, but at a totally different level of sophistication. CTB stands for Curve (which refers to its persistent Elliptic Curve Cryptography that encodes the affected files with a unique RSA key) TOR (because it uses the famous P2P network to hide the cybercriminals' activity from law enforcement agencies) Bitcoin (the payment method used by victims to pay the ransom, also designed to hide the attackers' location). It includes multi-lingual capabilities that adapt the attacker's message to suit the victim's national language. One of the first ransomware strains sold as a service in the underground forums.

TorrentLocker – Emerged in early 2014. Its makers often tried to refer to it as CryptoLocker. It relies on spam emails for distribution. Both the emails and the ransom note were targeted geographically. They made sure to use good grammar to trick users into opening emails and clicking on malicious links. Its creators pay close attention to strengthen its malware so that no decryption methods work for too long. Harvests email addresses from infected computers and spreads the spam emails to those emails as well.

TeslaCrypt – initially focused on a segment of gamers who play some games including Call of Duty, World of Warcraft, Minecraft and World of Tanks. Exploited Adobe Flash vulnarabilities and moved on to infect big targets such as European companies.

TeslaCrypt 4.0 came out in in March 2016, but two months later, the ransomware shut down. Surprisingly the cyber criminals even apologized. A decryptor exists in case anyone gets infected with TeslaCrypt ransomware.

Locky – One of the newest and most daring ransomware families. First spotted in February 2016 by extorting a hospital in Hollywood for $17,000. One infected computer connected to a server can shut down the entire server. Locky's descendant, Zepto, debuted in July 2016.

How to be safe

This is a promise that I want you to make to yourself: that you will take the threat of ransomware seriously and do something about it before it hits your data. I've seen too many cries for help and too many people confused and panicking about a ransomware attack.

How I wish I could say that ransomware is not a life and death kind of situation! But if you work in a hospital and you trigger a crypto-ransomware infection, it could actually endanger lives. Learning how to prevent ransomware attacks is a need-to-have set of knowledge and you can do it both at home and at work.

On the PC

Don't store important data only on the PC. Have TWO backups of data: on an external hard drive and in the cloud storage system. Makesure your cloud storage application is not turned on by default in the computer. Only open them once a day to sync your data, and close them once this is done.

Make sure your operating system and the software you use is up to date, including the latest security updates. For additional security, don't use an administrator account on your computer, instead use a guest account with limited privileges. Turn off macros in the Microsoft Office suite – Word, Excel, PowerPoint and so on.

In the browser

Remove the following plugins from your browsers: Adobe Flash, Adobe Reader, Java and Silverlight. If you absolutely have to use them, set the browser to ask you if you want to activate these plugins when needed. Adjust your browsers' security and privacy settings for increased protection.

Remove out-dated plugins and add-ons from your browsers. Only keep the ones you use on a daily basis and keep them updated to the latest version. Use an ad blocker to avoid the threat of potentially malicious ads.

Online behaviour

Never open spam emails or emails from unknown senders. Never download attachments from spam emails or suspicious emails. Never click links in spam emails or suspicious emails.

Anti-ransomware security tools

Use a reliable, paid antivirus product that includes an automatic update module and a real-time scanner. Understand the importance of having a traffic-filtering solution that can provide proactive anti-ransomware protection.

I want you to be prepared, so you'll never have to deal with the dreaded question of: "should I pay the ransom or not?" My answer will always be a big, fat NO.

Paying the ransom gives you no guarantee that the online criminals at the other end of the Bitcoin transfer will give you the decryption key. And even if they do, you'd be further funding their greedy attacks and fuelling the never-ending malicious cycle of cybercrime.

Don't fund criminals

There are hundreds of types of ransomware out there, but cyber security researchers are working around the clock to break the encryption that at least some of them use. Unfortunately, the most notorious families have proven to be unbreakable so far. In spite of this, there are many other cryptoware strains that are not that well coded and which specialists were able to crack.

To help you find a solution to recover your data without further funding ransomware creators, we put together a sizeable list of ransomware decryption tools which you can use. We recommend you read about how these tools works beforehand, so that you're sure that this is the best solution for your case.

Do keep in mind that decryptors could become obsolete because of constant updates and new, enhanced versions released by cyber criminals. It's a never-ending battle, which is why we urge you to focus on prevention and having multiple backups for your data. Ransomware brought extortion to a global scale, and it's up to all of us, users, business-owners and decision-makers, to disrupt it.

We now know that creating malware or ransomware threats is now a business and it should be treated as such. The "lonely hacker in the basement" stereotype died long time ago. The present threat landscape is dominated by well-defined and well-funded groups that employ advanced technical tools and social engineering skills to access computer systems and networks.

Even more, cyber-criminal groups are hired by large states to target not only financial objectives, but political and strategic interests.

We also know that we're not powerless and there are a handful of simple things we can do to avoid ransomware. Cyber criminals have as much impact over your data and your security as you give them. Stay safe and don't forget the best protection is always a backup! Software updates are a key anti-ransomware security layer!





Read More


Read More


Read More


Read More


Read More



Read More


Read More


Read More