Beware of Ransomware – part 2
By Andra Zaharia and Aurelian Neagu
Ransomware is one of the greatest cyber threats in 2017. As such you need to know why it goes undetected by your antivirus software and how you can protect yourself against it. Unlike having an annoying email sent out to all your contacts, ransomware will destroy all your data unless you pay hundreds of dollars.
Ransomware uses evasion tactics to go about undetected. This collection of technical methods ensures that crypto-ransomware infections can stay below the radar. It also makes sure that it doesn't get picked up by antivirus products, doesn't get discovered by cyber security researchers, and doesn't get observed by law enforcement agencies and their own malware researchers.
The rationale is simple: the longer a malware infection can persist on a compromised PC, the more data it can extract and the more damage it can do. So here are just a few of the tactics that ransomware employs to remain covert and maintain the anonymity of its makers and distributors.
Communication with Command and Control servers is encrypted and difficult to detect in network traffic.
It features built-in traffic anonymizers, like TOR and Bitcoin, to avoid tracking by law enforcement agencies and to receive ransom payments.
It uses anti-sandboxing mechanisms so that antivirus won't pick it up.
It employs domain shadowing to conceal exploits and hide the communication between the downloader (payload) and the servers controlled by cyber criminals (where the ransomware is stored).
It features Fast Flux, another technique used to keep the source of the infection anonymous.
It deploys encrypted payloads which can make it more difficult for antivirus to see that they include malware, so the infection has more time to unfold.
It has polymorphic behaviour that endows the ransomware with the ability to mutate enough to create a new variant, but not so much as to alter the malware's function.
It has the ability to remain dormant – the ransomware can remain inactive on the system until the computer is at its most vulnerable moment and take advantage of that to strike fast and effectively.
The ransomware mafia
By now you know that there's plenty of ransomware out there. With names such as CryptXXX, Troldesh or Chimera, these strains sound like the stuff hacker movies are made of. So while newcomers may want to get a share of the cash, there are some ransomware families that have established their domination. If you find any similarities between this context and how the mafia conducts its business, well, it's because they resemble in some aspects. Given below is a summery on some of the well-known ransomware families.
Reveton – began in 2012. It displays a warning from law enforcement agencies of the victim's country. It is a locker type ransomware and it informs the victim that his/her computer has been used for illegal activities. Attacks a user's insecure and outdated installations of Java.
CryptoLocker – Peaked in infections in 2013. Spoofs postal or delivery service campaigns mainly in Northern Europe. Removing the malware is easy but a victim's data will remain scrambled with virtually unbreakable encryption.
CryptoWall – A variant of CryptoLocker. It is rapidly improved and has already reached its third version, CryptoWall 4.0. Crypto wall has helped the crypto-ransomware phenomenon shift from home computers to that of businesses, financial institutions, government agencies, academic institutions, and other organizations. Similar to CryptoLocker, CryptoWall spreads through various infection vectors including browser exploit kits, drive-by downloads and malicious email attachments.
CTB Locker – It's one of the latest ransomware variants of CryptoLocker, but at a totally different level of sophistication. CTB stands for Curve (which refers to its persistent Elliptic Curve Cryptography that encodes the affected files with a unique RSA key) TOR (because it uses the famous P2P network to hide the cybercriminals' activity from law enforcement agencies) Bitcoin (the payment method used by victims to pay the ransom, also designed to hide the attackers' location). It includes multi-lingual capabilities that adapt the attacker's message to suit the victim's national language. One of the first ransomware strains sold as a service in the underground forums.
TorrentLocker – Emerged in early 2014. Its makers often tried to refer to it as CryptoLocker. It relies on spam emails for distribution. Both the emails and the ransom note were targeted geographically. They made sure to use good grammar to trick users into opening emails and clicking on malicious links. Its creators pay close attention to strengthen its malware so that no decryption methods work for too long. Harvests email addresses from infected computers and spreads the spam emails to those emails as well.
TeslaCrypt – initially focused on a segment of gamers who play some games including Call of Duty, World of Warcraft, Minecraft and World of Tanks. Exploited Adobe Flash vulnarabilities and moved on to infect big targets such as European companies.
TeslaCrypt 4.0 came out in in March 2016, but two months later, the ransomware shut down. Surprisingly the cyber criminals even apologized. A decryptor exists in case anyone gets infected with TeslaCrypt ransomware.
Locky – One of the newest and most daring ransomware families. First spotted in February 2016 by extorting a hospital in Hollywood for $17,000. One infected computer connected to a server can shut down the entire server. Locky's descendant, Zepto, debuted in July 2016.
How to be safe
This is a promise that I want you to make to yourself: that you will take the threat of ransomware seriously and do something about it before it hits your data. I've seen too many cries for help and too many people confused and panicking about a ransomware attack.
How I wish I could say that ransomware is not a life and death kind of situation! But if you work in a hospital and you trigger a crypto-ransomware infection, it could actually endanger lives. Learning how to prevent ransomware attacks is a need-to-have set of knowledge and you can do it both at home and at work.
On the PC
Don't store important data only on the PC. Have TWO backups of data: on an external hard drive and in the cloud storage system. Makesure your cloud storage application is not turned on by default in the computer. Only open them once a day to sync your data, and close them once this is done.
Make sure your operating system and the software you use is up to date, including the latest security updates. For additional security, don't use an administrator account on your computer, instead use a guest account with limited privileges. Turn off macros in the Microsoft Office suite – Word, Excel, PowerPoint and so on.
In the browser
Remove the following plugins from your browsers: Adobe Flash, Adobe Reader, Java and Silverlight. If you absolutely have to use them, set the browser to ask you if you want to activate these plugins when needed. Adjust your browsers' security and privacy settings for increased protection.
Remove out-dated plugins and add-ons from your browsers. Only keep the ones you use on a daily basis and keep them updated to the latest version. Use an ad blocker to avoid the threat of potentially malicious ads.
Never open spam emails or emails from unknown senders. Never download attachments from spam emails or suspicious emails. Never click links in spam emails or suspicious emails.
Anti-ransomware security tools
Use a reliable, paid antivirus product that includes an automatic update module and a real-time scanner. Understand the importance of having a traffic-filtering solution that can provide proactive anti-ransomware protection.
I want you to be prepared, so you'll never have to deal with the dreaded question of: "should I pay the ransom or not?" My answer will always be a big, fat NO.
Paying the ransom gives you no guarantee that the online criminals at the other end of the Bitcoin transfer will give you the decryption key. And even if they do, you'd be further funding their greedy attacks and fuelling the never-ending malicious cycle of cybercrime.
Don't fund criminals
There are hundreds of types of ransomware out there, but cyber security researchers are working around the clock to break the encryption that at least some of them use. Unfortunately, the most notorious families have proven to be unbreakable so far. In spite of this, there are many other cryptoware strains that are not that well coded and which specialists were able to crack.
To help you find a solution to recover your data without further funding ransomware creators, we put together a sizeable list of ransomware decryption tools which you can use. We recommend you read about how these tools works beforehand, so that you're sure that this is the best solution for your case.
Do keep in mind that decryptors could become obsolete because of constant updates and new, enhanced versions released by cyber criminals. It's a never-ending battle, which is why we urge you to focus on prevention and having multiple backups for your data. Ransomware brought extortion to a global scale, and it's up to all of us, users, business-owners and decision-makers, to disrupt it.
We now know that creating malware or ransomware threats is now a business and it should be treated as such. The "lonely hacker in the basement" stereotype died long time ago. The present threat landscape is dominated by well-defined and well-funded groups that employ advanced technical tools and social engineering skills to access computer systems and networks.
Even more, cyber-criminal groups are hired by large states to target not only financial objectives, but political and strategic interests.
We also know that we're not powerless and there are a handful of simple things we can do to avoid ransomware. Cyber criminals have as much impact over your data and your security as you give them. Stay safe and don't forget the best protection is always a backup! Software updates are a key anti-ransomware security layer!
- Army Major, 2 soldiers remanded 2250
- Foreign investors withdrew Rs 100B 2560
- Govt. extends deadline for more competition – Kabir 2618
- China mulls maritime regulation 2248
- Vasu challenges Govt 3311
- New laws to punish offenders 3378
- Wimal seeks permission 3330
- JO women plan protest 3287
- COPE to grill five more 3290
- Prez orders Rs 10,000 per family 3265
- Delimitation report still problematic – JVP 3308
- JO to meet at MR’s residence 3303
- JO vows to block ratification 3275
- Prez to lead SLFP polls campaign 3282
- Contaminated milk dumped into reservoir 3270
- FR case against PM dismissed 3490
- Gota grilled over gold statue 3300
- Rs 25,000 fine for dumping dogs 3276
- Prez will intervene in SAITM issue – Dilan 3265
- Lankan fishing boat found abandoned in Indian waters 3262
- Workshops and Balkans again 3390
- Protests in ‘Chaos’ Signs of life 3401
- Whither higher education in Sri Lanka? 3394
- Let children collect funds for school development 3374
- The ‘Uncle’ syndrome 3384
- How Prabhakaran killed his opponents 4285
- Soldiers fight Sailors for semi-spot 1272
- Malinga charts course to Champions Trophy 1273
- Sumanasinghe passes 1,000 runs mark 1270
- Sri Lanka and Pakistan set to qualify for WC 1273
- Havies march on to semis 1269
- Trinity awards cricket and rugby players 1272
- Rice at a price 1313
- Step in the right direction 1237
- Decriminalize homosexuality 1236
- Ruffling judicial feathers 1230
- SAITM still tossed on a stormy sea 1423
- Where are we headed? 1229
- I believe in cooperative politics – Karuna 1821
- I like to talk to diehard Sinhala chauvinists – Wigneswaran 1897
- Justices should be subject to judicial audits 3702
- Traders have imported rice under local branding– Duminda Dissanayake 3591
- CTSU to protest SAITM ruling-on the streets 3823
- ‘Unity Government’ A golden opportunity... 3386
- GoSL’s interest cost comes down by Rs 1.3B 58
- The Club HNB opens its doors to their esteemed Clients 1264
- LOLC Group clinches NBE Award 2016 1259
- LankaClear bags Silver at NBE Awards 1262
- A brief description of the National Business Excellency awards 1262
- Pan Asia Bank shines at National Business Excellence Awards with two coveted awards 1261
- Digital Transformation: A Conversation with Alberto Granados 1263
- A MUCH-MALIGNED WORD AMONG BANKRUPT POLITICIANS 1276
- Crysbro provides drinking water to war heroes 1262
- Abans innovative LG Dual Cool Air Conditioners 1261
- GSP+ To sustain economy or to Mutate society? 2986
- Fully fledged Media Commission by June – DGI 3028
- Way for True Conciliation! 4194
- Malayalam film - “Orazhcha” (A week) 2328
- Sri Lanka’s Finest Talent – but Who Cares? 2330
- The mesmerizing mystery of Mozart’s music – Mass in C major KV317 (Coronation) 2330
- A Showstopping Performance 2387
- House for Rent 2326
- Footpaths Towards Deconstruction - part 9 2315
- Junsu 1123
- The fate of our woods 1124
- Celebrate ‘A month of love’ 1124
- Five new branch openings 1124
- THINC Sri Lanka Networking Conference 2017 1134
- ‘Our Shop’ for staff welfare 1124
- A musical kaleidoscope 891
- Challenging the hospitality industry 890
- Sci-fi action from start to finish 893
- Helping children in need 891
- An action soaked 886
- Health is wealth 890