Ransomware stops you from using your PC. It holds your PC or files for “ransom”. This page describes what ransomware is and what it does, and provides advice on how to prevent and recover from Ransomware infections. May 12th, 2017 saw the biggest ever cyber attack in Internet history (yes, bigger than the Dyn DDoS). A Ransomware named WannaCry stormed through the web, with the damage epicenter being in Europe. wanna cry leveraged a vulnerability in Windows OS, first discovered by the NSA, and then publicly revealed to the world by the Shadow Brokers. In the first few hours, 200,000 machines were infected. Big organizations such as Renault or the NHS were struck and crippled by the attack. Ransomware has been a growing trend for the past two years, and this is just a culmination, a grand reveal to the wider world of just how big of a threat it is. But we’ve been writing about this for a while now.
There are two types of Ransomware in circulation
- Encryptors, which incorporates advanced encryption algorithms. It’s designed to block system files and demand payment to provide the victim with the key that can decrypt the blocked content. Examples include CryptoLocker, Locky, CrytpoWall and more.
- Lockers, which locks the victim out of the operating system, making it impossible to access the desktop and any apps or files. The files are not encrypted in this case, but the attackers still ask for a ransom to unlock the infected computer. Examples include the police-themed ransomware or Winlocker.
- Some locker versions infect the Master Boot Record (MBR). The MBR is the section of a PC’s hard drive which enables the operating system to boot up. When MBR ransomware strikes, the boot process can’t complete as usual and prompts a ransom note to be displayed on the screen. Examples include Satana and Petya families.
Crypto- Ransomware, as encryptors are usually known, are the most widespread ones, and also the subject of this article. The cybersecurity community agrees that this is the most prominent and worrisome cyber threat of the moment.
What does Ransomware do?
There are different types of Ransomware. However, all of them will prevent you from using your PC normally, and they will all ask you to do something before you can use your PC. They can target any PC users, whether it’s a home computer, endpoints in an enterprise network, or servers used by a government agency or health care provider. Ransomware can:
- Prevent you from accessing Windows.
- Encrypt files so you can’t use them.
- Stop certain apps from running (like your web browser).
Ransomware will demand that you pay money (a “ransom”) to get access to your PC or files. We have also seen them make you complete surveys. There is no guarantee that paying the fine or doing what the ransomware tells you will give access to your PC or files again.
Ransomware has some key characteristics that set it apart from other malware:
- It features unbreakable encryption, which means that you can’t decrypt the files on your own (there are various decryption tools released by cybersecurity researchers – more on that later);
- It has the ability to encrypt all kinds of files, from documents to pictures, videos, audio files and other things you may have on your PC;
- It can scramble your file names, so you can’t know which data was affected. This is one of the social engineering tricks used to confuse and coerce victims into paying the ransom;
- It will add a different extension to your files, to sometimes signal a specific type of ransomware strain;
- It will display an image or a message that lets you know your data has been encrypted and that you have to pay a specific sum of money to get it back;
- It requests payment in Bitcoins because this crypto-currency cannot be tracked by cybersecurity researchers or law enforcement agencies;
- Usually, the ransom payments have a time-limit, to add another level of psychological constraint to this extortion scheme. Going over the deadline typically means that the ransom will increase, but it can also mean that the data will be destroyed and lost forever.
- It uses a complex set of evasion techniques to go undetected by traditional anti-virus (more on this in the “Why ransomware often goes undetected by antivirus” section);
- It often recruits the infected PCs into botnets, so cybercriminals can expand their infrastructure and fuel future attacks;
- It can spread to other PCs connected to a local network, creating further damage;
- It frequently features data exfiltration capabilities, which means that it can also extract data from the affected computer (usernames, passwords, email addresses, etc.) and send it to a server controlled by cybercriminals; encrypting files isn’t always the endgame.
- It sometimes includes geographical targeting, meaning the ransom note is translated into the victim’s language, to increase the chances for the ransom to be paid.
Their feature list keeps growing every day, with each new security alert broadcasted by our team or other malware researchers. As families and variants multiply, you need to understand that you need at least baseline protection to avoid data loss and other troubles. Encrypting Ransomware is a complex and advanced cyber threat which uses all the tricks available because it makes cybercriminals a huge amount of money. We’re talking millions! If you’re curious how it all started, it’s time to go over:
As you can see for yourself, things escalated quickly and the trend continues to grow. Cybercriminals are not just malicious hackers who want public recognition and are driven by their quest for cyber mischief. They’re business-oriented and seek to cash out on their efforts. Ransomware is here to stay. The current conditions are a perfect storm which makes it the easiest and viable source of money for any malicious hacker out there:
- Ransomware-as-a-service, where malware creators sell its services in exchange for a cut in the profits.
- Anonymous payment methods, such as Bitcoin, that allow cybercriminals to obtain ransom money knowing their identity can’t be easily revealed.
- It’s impossible to make a completely secure software program. Each and every program has its weaknesses, and these can be exploited to deliver ransomware, as was the case with WannaCry.
- The number of infections would drastically shrink if all users were vigilant. But most people aren’t, and they end up clicking infected links and other malicious sources.
Top targets for Ransomware creators and distributors
Cybercriminals soon realized that companies and organizations were far more profitable than users, so they went after the bigger targets: police departments, city councils and even schools and, worse, hospitals! To give you some perspective, nearly 70% of infected businesses opted to pay the ransom and recover their files. More than half of these businesses had to pay a ransom worth $10,000 to $40,000 dollars in order to recover their data. But for now, let’s find out how online criminals target various types of Internet users. This may help you better understand why things happen as they do right now.
Why ransomware creators and distributors target home users:
- Because they don’t have data backups;
- Because they have little or no cybersecurity education, which means they’ll click on almost anything;
- Because the same lack of online safety awareness makes them prone to manipulation by cyber attackers;
- Because they lack even baseline cyber protection;
- Because they don’t keep their software up to date (even if specialists always nag them to);
- Because they fail to invest in need-to-have cyber security solutions;
- Because they often rely on luck to keep them safe online (I can’t tell you how many times I’ve heard “it can’t happen to me”);
- Because most home users still rely exclusively on antivirus to protect them from all threats, which is frequently ineffective in spotting and stopping ransomware;
- Because of the sheer volume of Internet users that can become potential victims (more infected PCs = more money).
Why ransomware creators and distributors target businesses:
- Because that’s where the money is;
- Because attackers know that a successful infection can cause major business disruptions, which will increase their chances of getting paid;
- Because computer systems in companies are often complex and prone to vulnerabilities that can be exploited through technical means;
- Because the human factor is still a huge liability which can also be exploited, but through social engineering tactics;
- Because ransomware can affect not only computers but also servers and cloud-based file-sharing systems, going deep into a business’s core;
- Because cybercriminals know that business would rather not report an infection for fear or legal consequences and brand damage.
- Because small businesses are often unprepared to deal with advanced cyber attacks and have a relaxed BYOD (bring your own device) policy.
Why ransomware creators and distributors target public institutions:
- Because public institutions, such as government agencies, manage huge databases of personal and confidential information that cybercriminals can sell;
- Because budget cuts and mismanagement frequently impact the cybersecurity departments.
- Because the staff is not trained to spot and avoid cyber attacks (malware frequently uses social engineering tactics to exploit human naivety and psychological weaknesses);
- Because public institutions often use outdated software and equipment, which means that their computer systems are packed with security holes just begging to be exploited;
- Because a successful infection has a big impact on conducting usual activities, causing huge disruptions;
- Because successfully attacking public institutions feeds the cybercriminals’ egos (they may want money above all else, but they won’t hesitate to reinforce their position in the community about attacking a high-profile target).
How do ransomware infections happen?
- Initially, the victim receives an email which includes a malicious link or a malware-laden attachment. Alternatively, the infection can originate from a malicious website that delivers a security exploit to create a backdoor on the victim’s PC by using a vulnerable software from the system.
- If the victim clicks on the link or downloads and opens the attachment, a downloader (payload) will be placed on the affected PC.
- The downloader uses a list of domains or C&C servers controlled by cybercriminals to download the ransomware program on the system.
- The contacted C&C server responds by sending back the requested data.
- The malware then encrypts the entire hard disk content, personal files, and sensitive information. Everything, including data stored in cloud accounts (Google Drive, Dropbox) synced on the PC. It can also encrypt data on other computers connected to the local network.
- A warning pops up on the screen with instructions on how to pay for the decryption key.
Why ransomware often goes undetected by antivirus
Ransomware uses several evasion tactics that keep it hidden and allow it to:
- Not get picked up by antivirus products
- Not get discovered by cybersecurity researchers
- Not get observed by law enforcement agencies and their own malware researchers.
The rationale is simple: the longer a malware infection can persist on a compromised PC, the more data it can extract and the more damage it can do.
So here are just a few of the tactics that encryption malware employs to remain covert and maintain the anonymity of its makers and distributors:
- Communication with Command & Control servers is encrypted and difficult to detect in network traffic;
- It features built-in traffic anonymizers, like TOR and Bitcoin, to avoid tracking by law enforcement agencies and to receive ransom payments;
- It uses anti-sandboxing mechanisms so that antivirus won’t pick it up;
- It employs domain shadowing to conceal exploits and hide the communication between the downloader (payload) and the servers controlled by cybercriminals.
- It features Fast Flux, another technique used to keep the source of the infection anonymous;
- It deploys encrypted payloads which can make it more difficult for antivirus to see that they include malware, so the infection has more time to unfold;
- It has polymorphic behavior which gives it the ability to mutate enough to create a new variant, but not so much as to alter the malware’s function;
- It has the ability to remain dormant – the ransomware can remain inactive on the system until the computer is at its most vulnerable moment and take advantage of that to strike fast and effectively.
15 Items to take your ransomware protection to the next level
Locally, on the PC
- I don’t store important data only on my PC.
- backups your data: on an external hard drive and in the cloud – Dropbox/Google Drive/etc.
- The Dropbox/Google Drive/OneDrive/etc. application on my computer is not turned on by default. I only open them once a day, to sync my data, and close them once this is done.
- My operating system and the software I use is up to date, including the latest security updates.
- For daily use, I don’t use an administrator account on my computer. I use a guest account with limited privileges.
- I have turned off macros in the Microsoft Office suite – Word, Excel, PowerPoint, etc. In the browser
- I have removed the following plugins from my browsers: Adobe Flash, Adobe Reader, Java, and Silverlight. If I absolutely have to use them, I set the browser to ask me if I want to activate these plugins when needed.
- I have adjusted my browsers’ security and privacy settings for increased protection.
- I have removed outdated plugins and add-ons from my browsers. I only kept the ones I use on a daily basis and I keep them updated to the latest version.
- I use an ad-blocker to avoid the threat of potentially malicious ads.
- I never open spam emails or emails from unknown senders.
- I never download attachments from spam emails or suspicious emails.
- I never click links in spam emails or suspicious emails.
Anti-ransomware security tools
- I use a reliable, paid antivirus product that includes an automatic update module and a real-time scanner.
- I understand the importance of having a traffic-filtering solution that can provide proactive anti-ransomware protection.