Anatomy of a Ransomware Attack CryptoLocker – Part 1: CryptoWall How to Stay Safe

rtgroups
March 16, 2017 | Views: 2275


ABSTRACT

Ransomware is malware that prevents you from using your files or your computer, and then extorts money from you in exchange for a promise to unlock them. This type of malware is responsible for tens of millions of dollars in extortion annually. Worse still, developing new variants is trivial, which lets them evade many antivirus and intrusion detection systems. Ransomware is everywhere. We had hoped that the notorious file-encrypting ransomware called CryptoLocker was defeated after law enforcement knocked out its infrastructure last year, but CryptoLocker and its close cousin CryptoWall have come back stronger than ever. We’d like to show you more about the newest kinds of ransomware, how they work, and what you as an organization or individual can do to stay safe.


1. INTRODUCTION

Encrypting ransomware (a.k.a. crypto ransomware) attempts to extort users by holding their files hostage. Such ransomware differs from other types of malware in that its effects are reversible only via the cryptographic keys held by a remote adversary. Users can only regain access to their files through the use of anonymous payment mechanisms (e.g., Bitcoin), further frustrating efforts to take down these campaigns. While this class of malware has existed for well over a decade, its increasingly widespread use now causes tens of millions of dollars in consumer losses annually [2]. Compounding this problem, an increasing number of law enforcement agencies have also been the victim of ransomware [4], [1], losing valuable case files and forcing these organizations to ignore their own advice and pay the attackers. As such, ransomware represents one of the most visible threats to all users.


Combating ransomware is difficult for a number of reasons. First, this malware is easy to obtain or create [48] and elicits immediate returns, creating lucrative opportunities for attackers. Second, the operations performed by such malware are often difficult to distinguish from those of benign software. Finally, ransomware often intentionally targets unsophisticated users who are unlikely to follow best practices such as regular data backups. Accordingly, a solution to automatically protect such users even in the face of previously unknown samples is critical.
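As an added illustration of the second point above (this is not code from the original article): a small Python heuristic that separates a burst of encrypting rewrites from ordinary saves using three per-write indicators (entropy jump, lost file signature, extension change), and shows why any one indicator alone is too weak. The file events, thresholds and the hash-derived stand-in for ciphertext are all constructed for the example.

```python
import hashlib
import math
from collections import Counter

ENTROPY_HIGH = 7.0   # bits/byte; ciphertext and compressed data sit near 8.0
ENTROPY_JUMP = 2.0   # minimum rise from "before" to "after" to count as an indicator
BURST_THRESHOLD = 3  # suspicious rewrites needed before raising an alert
KNOWN_MAGIC = (b"%PDF", b"PK\x03\x04", b"\xd0\xcf\x11\xe0")  # PDF, OOXML/zip, legacy Office

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def has_known_magic(data: bytes) -> bool:
    return any(data.startswith(m) for m in KNOWN_MAGIC)

def score_write(event: dict) -> int:
    """Count indicators that an existing file was replaced by ciphertext-like data."""
    ent_after = shannon_entropy(event["after"])
    score = 0
    if ent_after >= ENTROPY_HIGH and ent_after - shannon_entropy(event["before"]) >= ENTROPY_JUMP:
        score += 1  # content became uniformly random-looking
    if has_known_magic(event["before"]) and not has_known_magic(event["after"]):
        score += 1  # a recognisable document header disappeared
    if event["path"].rsplit(".", 1)[-1] != event["new_path"].rsplit(".", 1)[-1]:
        score += 1  # the file was renamed to a different extension
    return score

def detect_burst(events: list):
    suspicious = sum(1 for e in events if score_write(e) >= 2)  # one indicator is not enough
    return suspicious, suspicious >= BURST_THRESHOLD  # (count, alert flag)

def fake_ciphertext(seed: bytes, blocks: int = 128) -> bytes:
    # Deterministic high-entropy filler standing in for encrypted output (constructed).
    return b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(blocks))

SAMPLE_EVENTS = [  # constructed: an ordinary edit, a new high-entropy download, three encrypting rewrites
    {"path": "notes.txt", "new_path": "notes.txt",
     "before": b"Quarterly notes " * 64, "after": b"Quarterly notes, revised " * 64},
    {"path": "photo.jpg", "new_path": "photo.jpg", "before": b"", "after": fake_ciphertext(b"p")},
    {"path": "report.pdf", "new_path": "report.pdf.locked",
     "before": b"%PDF-1.4 " + b"lorem ipsum " * 300, "after": fake_ciphertext(b"a")},
    {"path": "budget.xlsx", "new_path": "budget.xlsx.locked",
     "before": b"PK\x03\x04" + b"sheet data " * 300, "after": fake_ciphertext(b"b")},
    {"path": "memo.doc", "new_path": "memo.doc.locked",
     "before": b"\xd0\xcf\x11\xe0" + b"memo text " * 300, "after": fake_ciphertext(b"c")},
]
```

Running `detect_burst(SAMPLE_EVENTS)` returns `(3, True)`: the downloaded photo trips only the entropy indicator and is ignored, while the three document rewrites each trip all three.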


1.1 A BRIEF HISTORY OF RANSOMWARE

Ransomware and fake antivirus have been around for many years, relying on social engineering to trick computer users into paying the cybercriminals: according to their phony warnings, to avoid police fines for supposed crimes, or to clean up “viruses” on their computers that don’t actually exist.


But CryptoLocker and CryptoWall – variations of the malware we sometimes call crypto-ransomware or Cryptoware – don’t bother with that sort of trickery. The attackers tell victims up-front that their files have been encrypted. Unless you pay for the key the attackers hold, they destroy the private key, making it impossible to recover your files.

In November 2014, the Dickson County Sheriff’s Office (USA) opted to pay a ransom of $572 to recover files. Later the Sheriff said, “I am thankful that is all they asked for.” In a similar case, the Durham, N.H. Police Department (USA) was infected in June 2015. They recovered the files from a backup, choosing not to pay the ransom. However, they paid $3000 to a contractor for a file clean-up afterward.

[1] B. Fraga. Swansea police pay $750 “ransom” after computer virus strikes. The Herald News, 2013.

[2] G. O’Gorman and G. McDonald. Ransomware: A growing menace. Technical report, Symantec Corporation, 2012.

[3] Anatomy of a Crypto Ransomware Attack. https://blogs.sophos.com/2015/03/03/anatomy-of-a-ransomware-attack-cryptolocker-cryptowall-and-how-to-stay-safe-infographic/

[4] E. Arnold. Tennessee sheriff pays ransom to cybercriminals, in bitcoin. http://www.bizjournals.com/memphis/blog/2014/11/tennessee-sheriff-pays-ransom-to-cybercriminals-in.html, 2014.

[5] Common types of Ransomware. http://securityjar.com/types-of-ransomware-attacks/

[6] N. Andronio, S. Zanero, and F. Maggi. HelDroid: Dissecting and detecting mobile ransomware. In Proceedings of the International Symposium on Research in Attacks, Intrusions and Defenses (RAID), 2015.

[7] A. Viswanathan, K. Tan, and C. Neuman. Deconstructing the assessment of anomaly-based intrusion detectors. In Proceedings of the International Symposium on Research in Attacks, Intrusions and Defenses (RAID), 2013.

[8] R. Perdisci, A. Lanzi, and W. Lee. Classification of packed executables for accurate computer virus detection. Pattern Recognition Letters, 29(14), 2008.

[9] V. Roussev. Data fingerprinting with similarity digests. In Advances in Digital Forensics VI, IFIP Advances in Information and Communication Technology. Springer Berlin Heidelberg, 2010.

[10] N. Scaife, H. Carter, and P. Traynor. OnionDNS: A seizure-resistant top-level domain. In IEEE Conference on Communications and Network Security (CNS), 2015.

[11] A. Tang, S. Sethumadhavan, and S. Stolfo. Unsupervised Anomaly-based Malware Detection using Hardware Features. In Proceedings of the International Symposium on Research in Attacks, Intrusions and Defenses (RAID).

1 Comment
  1. Where is the rest of the article? Usually there is a point 2 after point 1.
