Ransomware

Short bio

Ransom malware or ransomware is a threat that prevents users from accessing their system or personal files and demands ransom payment in order to regain access.

History

Origin

Early ransomware variants were first developed in the late 1980s. The first ransomware, known as PC Cyborg or AIDS, would encrypt all files in the C: directory after 90 reboots. PC Cyborg would then demand that the user renew their license by sending $189 via snail mail to PC Cyborg Corp. The encryption used was simple enough to reverse and therefore posed little threat to computer-savvy users and companies.

With very few variants popping up over the next 10 years, a true ransomware threat would not be seen until 2004 with GpCode, another ransom variant that utilized weak RSA encryption to hold personal files ransom.

Locker ransomware

In 2007, WinLock heralded the rise of a new type of ransomware that did not bother encrypting files but rather locked the user out of their desktop. This type of malware would take over the victim's screen and show pornographic images, demanding payment via a paid SMS.

The same tactics were used repeatedly for the next five years. Ransom variants locked the browser, overwrote the Master Boot Record (MBR) so the system could not boot correctly, or were incorporated into other types of malware such as rootkits and RATs as a final option for extracting money from the victim.

Ultimately harmless to an experienced computer user and easy to remove, ransomware would not receive worldwide attention until 2012 with the launch of Reveton.

Law enforcement ransomware

With the development of the ransom family Reveton, victims would be locked out of their desktop and shown an official-looking lock page that included credentials for law enforcement agencies such as the FBI and Interpol. These attacks utilized locking methods technically similar to those of previous ransomware types; however, they took the psychological attack to the next level.

The ransomware would claim that the user had committed a crime, such as computer hacking, allowing their computer to get infected, downloading illegal files, or even being involved with child pornography. Average users did not know what to make of this and believed they were truly under investigation by law enforcement. Most of these screens required that a fine be paid, usually with a pre-paid card such as UKash or PaySafeCard. Depending on the family utilizing this tactic, the ransom varied between $100 and $3000.

This social engineering tactic, now referred to as implied guilt, makes users question their own innocence: rather than being called out on an activity they aren't proud of, they will pay the ransom to make it all go away.

As the media began to notice Reveton and other copycat families using the same tactics, the creators began utilizing more technical methods of trying to extract money from users. This included providing personal information such as IP addresses and locations as well as turning on the user’s webcam and even playing a sound file that would read the charges to the user.

One of the final versions of this form of ransomware would actually show child pornography to the user on the ransom screen, an act that not only technically forced the user to break the law but also shamed them into paying the ransom regardless of whether they believed the threat was real or a scam. A user might not want to call a friend or take their computer to a repair shop if there is a big screen that claims they have been looking at child pornography and then points it out.

New families using the same scam didn't last very long, as most of the world knew about the malware and how to get rid of it. It would be another two years before one of the biggest threats to all users would appear, utilizing an old method in a new way.

Cryptolocker

The next big version of ransomware to arise was Cryptolocker, a type of ransomware that encrypted files and held them for ransom (similar to the variants of 10 years earlier). The biggest threat with Cryptolocker was that it used RSA-2045, military-grade encryption. It also stored the key required to decrypt the files on a remote server and demanded payment for access to it. This meant that unless the user was able to capture that key while the malware encrypted their files, it was virtually impossible to get their files back without paying the criminals.

Cryptolocker was spread through phishing emails and drive-by exploit attacks, becoming a serious problem for the computer security world, as the only true way to thwart its attack was to utilize proactive protection rather than reactive. This malware served as the primary reason for adopting a proactive, layered security approach and changed the face of the industry.

The malware demanded payment of at least $300, which varied depending on whether the victim was an average user or a business. Usually it accepted payments through cryptocurrency like BitCoin, though some variants would utilize the traditional pay card method.

Common infection method

Associated families

  • PC Cyborg
  • GpCode
  • Reveton
  • Cryptolocker
  • CryptoWall

Remediation

The number one rule is to never pay the ransom. All that does is encourage the cybercriminals to launch additional attacks at either you or someone else.

Legacy ransomware may only lock the browser or the desktop screen; downloading and installing an anti-malware product such as Malwarebytes Anti-Malware and running a scan in Safe Mode should remove the threat.

Most modern ransomware will attempt to encrypt personal files on the system. If you notice your system slowing down for seemingly no reason, shut it down and disconnect it from the Internet. If the malware is still active once you boot up again, it will not be able to send or receive instructions from the command and control server; therefore, without a key or a way to extract payment, the malware may stay idle. At that point, download and install Malwarebytes Anti-Malware and run a full scan.
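A slowdown is a weak signal that files are being encrypted. A more direct check, shown here as an added example that is not part of the original page and not a Malwarebytes tool, is to measure the Shannon entropy of files in a personal data folder: encrypted output is close to 8 bits per byte, while documents and source code sit much lower. The thresholds (7.5 bits/byte, 256-byte minimum size, 50% of files) and the list of compressed extensions to skip are assumptions chosen for this example; the sample folder it scans is constructed in a temporary directory.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext and random data approach 8.0 (assumed cut-off)
MIN_SIZE = 256            # entropy estimates on tiny files are too noisy to trust (assumed)
MASS_RATIO = 0.5          # flag the folder when half or more of the checked files look encrypted (assumed)
# Already-compressed formats are legitimately high-entropy, so they are skipped to avoid false positives.
COMPRESSED_EXTS = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".mp3", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, max_bytes: int = 1 << 20) -> bool:
    """True when the file is large enough to judge and its leading bytes are near-random."""
    if path.suffix.lower() in COMPRESSED_EXTS:
        return False
    with path.open("rb") as fh:
        head = fh.read(max_bytes)   # sample only the first MiB so large files stay cheap
    if len(head) < MIN_SIZE:
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan_tree(root) -> dict:
    """Walk `root` and report which files look encrypted and whether the folder as a whole does."""
    root = Path(root)
    checked, suspicious = 0, []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.suffix.lower() in COMPRESSED_EXTS:
            continue
        checked += 1
        if looks_encrypted(path):
            suspicious.append(str(path.relative_to(root)))
    ratio = len(suspicious) / checked if checked else 0.0
    return {
        "checked": checked,
        "suspicious": suspicious,
        "ratio": ratio,
        "mass_encryption_suspected": checked > 0 and ratio >= MASS_RATIO,
    }


def build_sample_dir() -> str:
    """Construct a sample folder: plain documents plus files overwritten with random bytes.

    The random-byte files stand in for ciphertext; they are constructed here, not real samples.
    """
    root = Path(tempfile.mkdtemp(prefix="entropy-scan-"))
    for i in range(3):
        (root / f"notes{i}.txt").write_text("Quarterly report draft, section %d. " % i * 40)
    for i in range(3):
        (root / f"photo{i}.doc.locked").write_bytes(os.urandom(4096))
    (root / "archive.zip").write_bytes(os.urandom(4096))   # high entropy but skipped by extension
    return str(root)


if __name__ == "__main__":
    report = scan_tree(build_sample_dir())
    print(f"checked={report['checked']} suspicious={report['suspicious']} "
          f"ratio={report['ratio']:.2f} mass_encryption_suspected={report['mass_encryption_suspected']}")
```

Run it periodically against a folder of documents (or a few seeded canary files that nothing legitimate should rewrite); a jump in the ratio is the point at which the shutdown-and-disconnect step above should be taken, well before the whole folder is gone.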

Aftermath

If you have already been attacked by ransomware and managed to remove it, update your operating system and all Internet-facing applications like Java, Flash, and your browser. Install multiple security layers, such as Microsoft Security Essentials in addition to Malwarebytes Anti-Malware and Malwarebytes Anti-Exploit. Finally, find a protected cloud backup provider that fits in your price range; by periodically backing up your important files, you will be able to restore them even if another incident happens.

Avoidance

Over the last half decade, ransomware has been primarily distributed through drive-by exploits and malicious emails. By keeping an antivirus and anti-malware solution installed and running real-time protection, most malware that manages to get through other defenses will be blocked.

In addition, utilizing Malwarebytes Anti-Exploit will detect and prevent malware from entering the system via drive-by exploit in the first place.

Finally, since most attacks take advantage of vulnerabilities in the system and in the user, updating all software as soon as possible is key to maintaining a safe system. Likewise, being prudent with security and always questioning a suspicious email can help you thwart a simple yet effective attack strategy.

Screenshots