Beware of Ransomware – part 2
By Andra Zaharia and Aurelian Neagu
Ransomware is one of the greatest cyber threats in 2017. As such you need to know why it goes undetected by your antivirus software and how you can protect yourself against it. Unlike having an annoying email sent out to all your contacts, ransomware will destroy all your data unless you pay hundreds of dollars.
Ransomware uses evasion tactics to go about undetected. This collection of technical methods ensures that crypto-ransomware infections can stay below the radar. It also makes sure that it doesn't get picked up by antivirus products, doesn't get discovered by cyber security researchers, and doesn't get observed by law enforcement agencies and their own malware researchers.
The rationale is simple: the longer a malware infection can persist on a compromised PC, the more data it can extract and the more damage it can do. So here are just a few of the tactics that ransomware employs to remain covert and maintain the anonymity of its makers and distributors.
Communication with Command and Control servers is encrypted and difficult to detect in network traffic.
It features built-in traffic anonymizers, like TOR and Bitcoin, to avoid tracking by law enforcement agencies and to receive ransom payments.
It uses anti-sandboxing mechanisms so that antivirus won't pick it up.
It employs domain shadowing to conceal exploits and hide the communication between the downloader (payload) and the servers controlled by cyber criminals (where the ransomware is stored).
It features Fast Flux, another technique used to keep the source of the infection anonymous.
It deploys encrypted payloads which can make it more difficult for antivirus to see that they include malware, so the infection has more time to unfold.
It has polymorphic behaviour that endows the ransomware with the ability to mutate enough to create a new variant, but not so much as to alter the malware's function.
It has the ability to remain dormant – the ransomware can remain inactive on the system until the computer is at its most vulnerable moment and take advantage of that to strike fast and effectively.
The ransomware mafia
By now you know that there's plenty of ransomware out there. With names such as CryptXXX, Troldesh or Chimera, these strains sound like the stuff hacker movies are made of. So while newcomers may want to get a share of the cash, there are some ransomware families that have established their domination. If you find any similarities between this context and how the mafia conducts its business, well, it's because they resemble in some aspects. Given below is a summery on some of the well-known ransomware families.
Reveton – began in 2012. It displays a warning from law enforcement agencies of the victim's country. It is a locker type ransomware and it informs the victim that his/her computer has been used for illegal activities. Attacks a user's insecure and outdated installations of Java.
CryptoLocker – Peaked in infections in 2013. Spoofs postal or delivery service campaigns mainly in Northern Europe. Removing the malware is easy but a victim's data will remain scrambled with virtually unbreakable encryption.
CryptoWall – A variant of CryptoLocker. It is rapidly improved and has already reached its third version, CryptoWall 4.0. Crypto wall has helped the crypto-ransomware phenomenon shift from home computers to that of businesses, financial institutions, government agencies, academic institutions, and other organizations. Similar to CryptoLocker, CryptoWall spreads through various infection vectors including browser exploit kits, drive-by downloads and malicious email attachments.
CTB Locker – It's one of the latest ransomware variants of CryptoLocker, but at a totally different level of sophistication. CTB stands for Curve (which refers to its persistent Elliptic Curve Cryptography that encodes the affected files with a unique RSA key) TOR (because it uses the famous P2P network to hide the cybercriminals' activity from law enforcement agencies) Bitcoin (the payment method used by victims to pay the ransom, also designed to hide the attackers' location). It includes multi-lingual capabilities that adapt the attacker's message to suit the victim's national language. One of the first ransomware strains sold as a service in the underground forums.
TorrentLocker – Emerged in early 2014. Its makers often tried to refer to it as CryptoLocker. It relies on spam emails for distribution. Both the emails and the ransom note were targeted geographically. They made sure to use good grammar to trick users into opening emails and clicking on malicious links. Its creators pay close attention to strengthen its malware so that no decryption methods work for too long. Harvests email addresses from infected computers and spreads the spam emails to those emails as well.
TeslaCrypt – initially focused on a segment of gamers who play some games including Call of Duty, World of Warcraft, Minecraft and World of Tanks. Exploited Adobe Flash vulnarabilities and moved on to infect big targets such as European companies.
TeslaCrypt 4.0 came out in in March 2016, but two months later, the ransomware shut down. Surprisingly the cyber criminals even apologized. A decryptor exists in case anyone gets infected with TeslaCrypt ransomware.
Locky – One of the newest and most daring ransomware families. First spotted in February 2016 by extorting a hospital in Hollywood for $17,000. One infected computer connected to a server can shut down the entire server. Locky's descendant, Zepto, debuted in July 2016.
How to be safe
This is a promise that I want you to make to yourself: that you will take the threat of ransomware seriously and do something about it before it hits your data. I've seen too many cries for help and too many people confused and panicking about a ransomware attack.
How I wish I could say that ransomware is not a life and death kind of situation! But if you work in a hospital and you trigger a crypto-ransomware infection, it could actually endanger lives. Learning how to prevent ransomware attacks is a need-to-have set of knowledge and you can do it both at home and at work.
On the PC
Don't store important data only on the PC. Have TWO backups of data: on an external hard drive and in the cloud storage system. Makesure your cloud storage application is not turned on by default in the computer. Only open them once a day to sync your data, and close them once this is done.
Make sure your operating system and the software you use is up to date, including the latest security updates. For additional security, don't use an administrator account on your computer, instead use a guest account with limited privileges. Turn off macros in the Microsoft Office suite – Word, Excel, PowerPoint and so on.
In the browser
Remove the following plugins from your browsers: Adobe Flash, Adobe Reader, Java and Silverlight. If you absolutely have to use them, set the browser to ask you if you want to activate these plugins when needed. Adjust your browsers' security and privacy settings for increased protection.
Remove out-dated plugins and add-ons from your browsers. Only keep the ones you use on a daily basis and keep them updated to the latest version. Use an ad blocker to avoid the threat of potentially malicious ads.
Never open spam emails or emails from unknown senders. Never download attachments from spam emails or suspicious emails. Never click links in spam emails or suspicious emails.
Anti-ransomware security tools
Use a reliable, paid antivirus product that includes an automatic update module and a real-time scanner. Understand the importance of having a traffic-filtering solution that can provide proactive anti-ransomware protection.
I want you to be prepared, so you'll never have to deal with the dreaded question of: "should I pay the ransom or not?" My answer will always be a big, fat NO.
Paying the ransom gives you no guarantee that the online criminals at the other end of the Bitcoin transfer will give you the decryption key. And even if they do, you'd be further funding their greedy attacks and fuelling the never-ending malicious cycle of cybercrime.
Don't fund criminals
There are hundreds of types of ransomware out there, but cyber security researchers are working around the clock to break the encryption that at least some of them use. Unfortunately, the most notorious families have proven to be unbreakable so far. In spite of this, there are many other cryptoware strains that are not that well coded and which specialists were able to crack.
To help you find a solution to recover your data without further funding ransomware creators, we put together a sizeable list of ransomware decryption tools which you can use. We recommend you read about how these tools works beforehand, so that you're sure that this is the best solution for your case.
Do keep in mind that decryptors could become obsolete because of constant updates and new, enhanced versions released by cyber criminals. It's a never-ending battle, which is why we urge you to focus on prevention and having multiple backups for your data. Ransomware brought extortion to a global scale, and it's up to all of us, users, business-owners and decision-makers, to disrupt it.
We now know that creating malware or ransomware threats is now a business and it should be treated as such. The "lonely hacker in the basement" stereotype died long time ago. The present threat landscape is dominated by well-defined and well-funded groups that employ advanced technical tools and social engineering skills to access computer systems and networks.
Even more, cyber-criminal groups are hired by large states to target not only financial objectives, but political and strategic interests.
We also know that we're not powerless and there are a handful of simple things we can do to avoid ransomware. Cyber criminals have as much impact over your data and your security as you give them. Stay safe and don't forget the best protection is always a backup! Software updates are a key anti-ransomware security layer!
- China to provide 90 water bowsers worth Rs 1b 2498
- Wag the Dog 2448
- A brief look at FARC’s origins in Colombia 2397
- ‘Panama Papers’ bags Pulitzer 2429
- SAITM will cooperate with Govt 2458
- dead man was near fashion mall 2464
- Japanese MPs back Lanka’s development 2452
- CB Bond earnings whitewashed – JVP 2445
- Talks to extend Lanka’s Continental Shelf 2453
- Ex-DIG and son re-remanded 2461
- Government can be sent home 3015
- GMOA flogging SAITM for Mahinda– Rajitha 2468
- Ranil invites Japan to invest in S. Asia 2412
- Somali Pirates’ Captives Back Home 2431
- Customs in Rs 8 M bust 2440
- Redefining Rape 2890
- The march of folly Our mad Cabinet system 2061
- First adventures in Europe 2159
- Inspiration for writers 2148
- Sri Lanka’s sustainable development dream 2952
- Sinhala and Tamil New Year with Easter 2333
- Filipino Oconer wins overall title 2082
- Unsporty conduct by Joes 2131
- Bertie Wijesinghe, pre-Test era Sri Lankan cricketer, dies aged 96 2081
- CEAT revs up for 2017 2113
- Palace shock Arsenal 2063
- Argentina fire coach Bauza 2068
- BCCI postpones SGM to 18 April 2039
- Murray returns from injury 2052
- New mum Azarenka to return to WTA 2018
- Galle win by 188 runs 2022
- Keeping Cool 2070
- Do the right thing and do it now! 2078
- Ravi Jayewardene Pious son of a political giant 2678
- In the heart of the old country 2490
- Sarath Weerasekera’s Geneva adventure 2330
- No moral right to play with public funds 2276
- No need for fine if route permits are issued in fair, just manner 3196
- UDA incurs Rs 330M Loss 2120
- DOUSING A MEGA SHIP FIRE 1938
- Health authorities in denial? 2448
- Minorities’ frustration a powder keg – VIDURA 2423
- Administrative powers a must for the Plantation Tamils –Radhakrishnan 1692
- Rajapaksa sought advice from McGuinness– Indika Perera 2847
- I will lead SLFP to victory in future elections – President 2223
- Hang the ‘traitors’– RTD. REAR ADMIRAL WEERASEKARA 2682
- We oppose Nationalism and Federalism – Samarasinghe 3267
- SilkAir launches direct flights to Colombo 2156
- Rupee falls on thin volumes 2094
- SriLankan, Japan Airlines add new routes 2073
- Colombo Port box volume up 5.6-pct in Jan 2100
- Private sector to transform into main domestic growth engine 2094
- Oil eases from 5-week top, rising US production weighs 2061
- Tight fiscal and monetary policies constrain SL’s growth 2091
- Shell admits dealing with money launderer 2068
- Toshiba may sell chip business to Foxconn for $27bn 2078
- Asian shares pressured by geopolitical risks; Nikkei down 0.25% 2055
- SLIM launches Certificate in Digital Marketing 2065
- Microsoft Hosts Second ‘Device Day’ in Sri Lanka 2064
- Emirates named Best Airline in the World 2031
- Turkish Airlines and social media assist Somalia 2066
- Brain cell therapy ‘promising’ for Parkinson’s disease 2062
- Trump pushed into bombing Syria 2125
- Thailand discovers Power of Women Travellers 2105
- Economics of gambling 2044
- Trans National Aural Identity 3656
- Queen Anula The Shadow of Cleopatra 3750
- Poetry and its possibilities Part 2 3729
- The Enigma of Labyrinths 3808
- From Couture to Kutir 3725
- Hybrid Sources 5099
- Offering Riddles & Enigmas 5137
- Poetry and its possibilities 5282
- With a festive bang! 1316
- Easter Fun 1312
- Arrogance and crowing is the way of the doomed 1347
- Avurudu on the streets 1363
- Tick control 1445
- Sunny Sunday on the beach 1318
- It’s time to save the world 1353
- From viewer to YouTuber! 1406
- Expert skincare and makeup 1398
- Avurudu at Induruwa 1384
- Exo 1420
- Remembering our fallen heroes 2506