Beware of Ransomware – part 2
By Andra Zaharia and Aurelian Neagu
Ransomware is one of the greatest cyber threats in 2017. As such you need to know why it goes undetected by your antivirus software and how you can protect yourself against it. Unlike having an annoying email sent out to all your contacts, ransomware will destroy all your data unless you pay hundreds of dollars.
Ransomware uses evasion tactics to go about undetected. This collection of technical methods ensures that crypto-ransomware infections can stay below the radar. It also makes sure that it doesn't get picked up by antivirus products, doesn't get discovered by cyber security researchers, and doesn't get observed by law enforcement agencies and their own malware researchers.
The rationale is simple: the longer a malware infection can persist on a compromised PC, the more data it can extract and the more damage it can do. So here are just a few of the tactics that ransomware employs to remain covert and maintain the anonymity of its makers and distributors.
Communication with Command and Control servers is encrypted and difficult to detect in network traffic.
It features built-in traffic anonymizers, like TOR and Bitcoin, to avoid tracking by law enforcement agencies and to receive ransom payments.
It uses anti-sandboxing mechanisms so that antivirus won't pick it up.
It employs domain shadowing to conceal exploits and hide the communication between the downloader (payload) and the servers controlled by cyber criminals (where the ransomware is stored).
It features Fast Flux, another technique used to keep the source of the infection anonymous.
It deploys encrypted payloads which can make it more difficult for antivirus to see that they include malware, so the infection has more time to unfold.
It has polymorphic behaviour that endows the ransomware with the ability to mutate enough to create a new variant, but not so much as to alter the malware's function.
It has the ability to remain dormant – the ransomware can remain inactive on the system until the computer is at its most vulnerable moment and take advantage of that to strike fast and effectively.
The ransomware mafia
By now you know that there's plenty of ransomware out there. With names such as CryptXXX, Troldesh or Chimera, these strains sound like the stuff hacker movies are made of. So while newcomers may want to get a share of the cash, there are some ransomware families that have established their domination. If you find any similarities between this context and how the mafia conducts its business, well, it's because they resemble in some aspects. Given below is a summery on some of the well-known ransomware families.
Reveton – began in 2012. It displays a warning from law enforcement agencies of the victim's country. It is a locker type ransomware and it informs the victim that his/her computer has been used for illegal activities. Attacks a user's insecure and outdated installations of Java.
CryptoLocker – Peaked in infections in 2013. Spoofs postal or delivery service campaigns mainly in Northern Europe. Removing the malware is easy but a victim's data will remain scrambled with virtually unbreakable encryption.
CryptoWall – A variant of CryptoLocker. It is rapidly improved and has already reached its third version, CryptoWall 4.0. Crypto wall has helped the crypto-ransomware phenomenon shift from home computers to that of businesses, financial institutions, government agencies, academic institutions, and other organizations. Similar to CryptoLocker, CryptoWall spreads through various infection vectors including browser exploit kits, drive-by downloads and malicious email attachments.
CTB Locker – It's one of the latest ransomware variants of CryptoLocker, but at a totally different level of sophistication. CTB stands for Curve (which refers to its persistent Elliptic Curve Cryptography that encodes the affected files with a unique RSA key) TOR (because it uses the famous P2P network to hide the cybercriminals' activity from law enforcement agencies) Bitcoin (the payment method used by victims to pay the ransom, also designed to hide the attackers' location). It includes multi-lingual capabilities that adapt the attacker's message to suit the victim's national language. One of the first ransomware strains sold as a service in the underground forums.
TorrentLocker – Emerged in early 2014. Its makers often tried to refer to it as CryptoLocker. It relies on spam emails for distribution. Both the emails and the ransom note were targeted geographically. They made sure to use good grammar to trick users into opening emails and clicking on malicious links. Its creators pay close attention to strengthen its malware so that no decryption methods work for too long. Harvests email addresses from infected computers and spreads the spam emails to those emails as well.
TeslaCrypt – initially focused on a segment of gamers who play some games including Call of Duty, World of Warcraft, Minecraft and World of Tanks. Exploited Adobe Flash vulnarabilities and moved on to infect big targets such as European companies.
TeslaCrypt 4.0 came out in in March 2016, but two months later, the ransomware shut down. Surprisingly the cyber criminals even apologized. A decryptor exists in case anyone gets infected with TeslaCrypt ransomware.
Locky – One of the newest and most daring ransomware families. First spotted in February 2016 by extorting a hospital in Hollywood for $17,000. One infected computer connected to a server can shut down the entire server. Locky's descendant, Zepto, debuted in July 2016.
How to be safe
This is a promise that I want you to make to yourself: that you will take the threat of ransomware seriously and do something about it before it hits your data. I've seen too many cries for help and too many people confused and panicking about a ransomware attack.
How I wish I could say that ransomware is not a life and death kind of situation! But if you work in a hospital and you trigger a crypto-ransomware infection, it could actually endanger lives. Learning how to prevent ransomware attacks is a need-to-have set of knowledge and you can do it both at home and at work.
On the PC
Don't store important data only on the PC. Have TWO backups of data: on an external hard drive and in the cloud storage system. Makesure your cloud storage application is not turned on by default in the computer. Only open them once a day to sync your data, and close them once this is done.
Make sure your operating system and the software you use is up to date, including the latest security updates. For additional security, don't use an administrator account on your computer, instead use a guest account with limited privileges. Turn off macros in the Microsoft Office suite – Word, Excel, PowerPoint and so on.
In the browser
Remove the following plugins from your browsers: Adobe Flash, Adobe Reader, Java and Silverlight. If you absolutely have to use them, set the browser to ask you if you want to activate these plugins when needed. Adjust your browsers' security and privacy settings for increased protection.
Remove out-dated plugins and add-ons from your browsers. Only keep the ones you use on a daily basis and keep them updated to the latest version. Use an ad blocker to avoid the threat of potentially malicious ads.
Never open spam emails or emails from unknown senders. Never download attachments from spam emails or suspicious emails. Never click links in spam emails or suspicious emails.
Anti-ransomware security tools
Use a reliable, paid antivirus product that includes an automatic update module and a real-time scanner. Understand the importance of having a traffic-filtering solution that can provide proactive anti-ransomware protection.
I want you to be prepared, so you'll never have to deal with the dreaded question of: "should I pay the ransom or not?" My answer will always be a big, fat NO.
Paying the ransom gives you no guarantee that the online criminals at the other end of the Bitcoin transfer will give you the decryption key. And even if they do, you'd be further funding their greedy attacks and fuelling the never-ending malicious cycle of cybercrime.
Don't fund criminals
There are hundreds of types of ransomware out there, but cyber security researchers are working around the clock to break the encryption that at least some of them use. Unfortunately, the most notorious families have proven to be unbreakable so far. In spite of this, there are many other cryptoware strains that are not that well coded and which specialists were able to crack.
To help you find a solution to recover your data without further funding ransomware creators, we put together a sizeable list of ransomware decryption tools which you can use. We recommend you read about how these tools works beforehand, so that you're sure that this is the best solution for your case.
Do keep in mind that decryptors could become obsolete because of constant updates and new, enhanced versions released by cyber criminals. It's a never-ending battle, which is why we urge you to focus on prevention and having multiple backups for your data. Ransomware brought extortion to a global scale, and it's up to all of us, users, business-owners and decision-makers, to disrupt it.
We now know that creating malware or ransomware threats is now a business and it should be treated as such. The "lonely hacker in the basement" stereotype died long time ago. The present threat landscape is dominated by well-defined and well-funded groups that employ advanced technical tools and social engineering skills to access computer systems and networks.
Even more, cyber-criminal groups are hired by large states to target not only financial objectives, but political and strategic interests.
We also know that we're not powerless and there are a handful of simple things we can do to avoid ransomware. Cyber criminals have as much impact over your data and your security as you give them. Stay safe and don't forget the best protection is always a backup! Software updates are a key anti-ransomware security layer!
- China to provide 90 water bowsers worth Rs 1b 2098
- Wag the Dog 2124
- A brief look at FARC’s origins in Colombia 2065
- ‘Panama Papers’ bags Pulitzer 2076
- SAITM will cooperate with Govt 2088
- dead man was near fashion mall 2120
- Japanese MPs back Lanka’s development 2088
- CB Bond earnings whitewashed – JVP 2099
- Talks to extend Lanka’s Continental Shelf 2088
- Ex-DIG and son re-remanded 2100
- Government can be sent home 2633
- GMOA flogging SAITM for Mahinda– Rajitha 2098
- Ranil invites Japan to invest in S. Asia 2084
- Somali Pirates’ Captives Back Home 2087
- Customs in Rs 8 M bust 2090
- Redefining Rape 2124
- The march of folly Our mad Cabinet system 1723
- First adventures in Europe 1808
- Inspiration for writers 1805
- Sri Lanka’s sustainable development dream 1865
- Sinhala and Tamil New Year with Easter 1944
- Filipino Oconer wins overall title 1726
- Unsporty conduct by Joes 1760
- Bertie Wijesinghe, pre-Test era Sri Lankan cricketer, dies aged 96 1744
- CEAT revs up for 2017 1728
- Palace shock Arsenal 1724
- Argentina fire coach Bauza 1734
- BCCI postpones SGM to 18 April 1725
- Murray returns from injury 1721
- New mum Azarenka to return to WTA 1713
- Galle win by 188 runs 1710
- Keeping Cool 1732
- Do the right thing and do it now! 1732
- Ravi Jayewardene Pious son of a political giant 2303
- In the heart of the old country 2149
- Sarath Weerasekera’s Geneva adventure 1944
- No moral right to play with public funds 1886
- No need for fine if route permits are issued in fair, just manner 1763
- UDA incurs Rs 330M Loss 1716
- DOUSING A MEGA SHIP FIRE 1549
- Health authorities in denial? 2012
- Minorities’ frustration a powder keg – VIDURA 2070
- Administrative powers a must for the Plantation Tamils –Radhakrishnan 1324
- Rajapaksa sought advice from McGuinness– Indika Perera 2419
- I will lead SLFP to victory in future elections – President 1839
- Hang the ‘traitors’– RTD. REAR ADMIRAL WEERASEKARA 2137
- We oppose Nationalism and Federalism – Samarasinghe 2939
- SilkAir launches direct flights to Colombo 1760
- Rupee falls on thin volumes 1725
- SriLankan, Japan Airlines add new routes 1747
- Colombo Port box volume up 5.6-pct in Jan 1727
- Private sector to transform into main domestic growth engine 1747
- Oil eases from 5-week top, rising US production weighs 1718
- Tight fiscal and monetary policies constrain SL’s growth 1734
- Shell admits dealing with money launderer 1734
- Toshiba may sell chip business to Foxconn for $27bn 1722
- Asian shares pressured by geopolitical risks; Nikkei down 0.25% 1725
- SLIM launches Certificate in Digital Marketing 1730
- Microsoft Hosts Second ‘Device Day’ in Sri Lanka 1725
- Emirates named Best Airline in the World 1724
- Turkish Airlines and social media assist Somalia 1725
- Brain cell therapy ‘promising’ for Parkinson’s disease 1727
- Trump pushed into bombing Syria 1771
- Thailand discovers Power of Women Travellers 1735
- Economics of gambling 1598
- Trans National Aural Identity 3298
- Queen Anula The Shadow of Cleopatra 3320
- Poetry and its possibilities Part 2 3345
- The Enigma of Labyrinths 3447
- From Couture to Kutir 3317
- Hybrid Sources 4721
- Offering Riddles & Enigmas 4797
- Poetry and its possibilities 4805
- With a festive bang! 948
- Easter Fun 946
- Arrogance and crowing is the way of the doomed 965
- Avurudu on the streets 980
- Tick control 948
- Sunny Sunday on the beach 959
- It’s time to save the world 1027
- From viewer to YouTuber! 1019
- Expert skincare and makeup 1035
- Avurudu at Induruwa 1002
- Exo 1025
- Remembering our fallen heroes 2107