An In-Depth Look at Ransomware

July 9, 2015 | Views: 3237

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

What is Ransomware?

Ransomware is a generic term for a family of malware, which, once active on your systems, searches for documents and pictures then encrypts them. Once encrypted the malware leaves a note with instructions on how to pay the attacker to receive a key allowing decryption of your files. These tools encrypt not only your local files, but can also attack any network mapped drives and sometimes connected cloud storage solutions.

Some notable examples of ransomware are:

  • Reveton – One of the first examples of ransomware to hit the scene, this malware didn’t encrypt files but rather blocked internet access with a fake law enforcement warning demanding payment to restore access.

  • CryptoLocker – One of the most recognizable versions of this type of attack, it was first was reported in late 2013 and was one of the first to employ the encryption/ransom technique. Originally, it also claimed to only allow 72 hours before the decryption key was permanently deleted.

  • Cryptowall – One of the most recent variants in this family, Cryptowall first appeared in 2014. Employed more sophisticated attack methods and techniques to hide itself from anti-malware engines. Cryptowall also attempts to delete volume shadow copies of files which is a common method of recovery.

To decrypt your files, most of these tools require payment using either cash cards or bitcoins. Many operate out of TOR websites in an effort to obfuscate their identities. Payments typically range from $200 to $500, though there are many variations that require different amounts of money. Once paid, a decryption key should be sent that can be used to recover your files.

Ransomware is a growing avenue for criminal enterprise. The FBI reported in January 2015 that over 1000 cases had been reported in the United States, with estimated losses nearing 18 million. There are certainly many more who didn’t report their infections and the overall losses are probably much higher.

How does Ransomware Work?

Ransomware packages are delivered just like many other types of malware. They can enter your system through email, malicious websites, malicious packaged software, etc. There’s also been a trend of droppers – a malicious program that doesn’t have any payload of its own, but rather infects a system and then downloads a payload via command and control servers. These infect a system and may lay dormant for some time before downloading and installing the ransomware payload.

Once the software has infected the system, it begins to systematically crawl the file system, typically looking for documents (word, excel, powerpoint) and images (jpeg, gif, png). When these files are found, it then encrypts them and deletes the originals. Once a directory is completed, the notice is dropped in the form of a text file with instructions on how to send payment to decrypt the files. Each folder that’s encrypted will receive one of these instruction files.

Depending on the variant of ransomware you are infected with, they can also do a variety of other malicious activates. These activities can include, but aren’t limited to: disabling of anti-malware software, altering firewall rules, deleting backups and volume shadow copies of files, browser hijacking and Bitcoin theft.

According to reports, most victims who pay the ransom do receive the keys they paid for, and many are able to pay past a deadline and still receive keys. There’s never any guarantee when dealing with a criminal element, but ultimately these thieves require a certain level of trust to continue making money. Many have even gone as far as to set up support portals and have online staff to assist victims in paying and recovery.

How can I Protect Myself?

As with any malware defense, there are a few basic techniques that will help prevent infection. There are also some specific steps you can take for Cryptowall/Cryptolocker that will help prevent infection. Some of these steps may impact other applications on your systems, so always be sure to fully test new policies before enterprise-wide enforcement.

  • Ensure current anti-malware/anti-virus software is installed on your computers and regularly updated

  • Enable E-mail filters to inspect and block suspicious messages

  • Don’t download and run programs from unknown sources. If possible in your environment, centrally manage software installation

  • Clean up known malware infections quickly even if they appear to be less important. Many times a dropper infection can be leveraged into a ransomware attack

  • Utilize Windows local security policy or Group Policy to restrict software execution. Bleeping Computer has an excellent guide on how to implement this approach on your assets. You can review this guide here: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#manual.

How can I Recover after a Successful Attack?

If you have a system that has been compromised by Ransomware, there are a few steps you can take to recover the encrypted data. Having quality backups is always the first/best prevention for this sort of attack. Here are a few other techniques for recovery outside of paying the ransom:

  • Restore from backup – If you have regular, quality backups one of the easiest solutions will be to restore your data from a current, non-encrypted, backup source.

  • Restore deleted files with file recovery software – Cryptowall encrypts files and then deletes them. Deleted files in Windows when deleted are technically still there, just not able to be seen by the file system. There are recovery tools that can find and restore these files sometimes. Worth noting, however, is that the longer the system was in use post-attack, the higher chance that those deleted files will not be recoverable.

  • Restore from Shadow Volume Copies – Depending on which variant employed, you may be able to restore from Shadow Volume Copies. This is a difficult process and not always the most reliable, but it’s an option. There is a guide on Bleeping Computer that gives a good rundown on how this restoration works: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#shadow

  • Restore from Cloud Storage – If you employ a cloud storage service, your files may be synced online and able to be restored from there. There’s a chance, however, that ransomware has encrypted those as well. In that case, typically, you can log into your cloud storage provider and restore previous versions of the files back from before they were encrypted. Contact your cloud storage support for instructions on how to accomplish this.

  • Decrypt files using online tools – Over the last year, a couple of command and control servers for ransomware have been taken down by law enforcement. When confiscated, these servers revealed the encryption and decryption keys in use by that variant of ransomware. These keys have been collected by Kaspersky and they’ve set up a site to allow you to search and see if your system has been encrypted with one of the keys. You can view this tool and check your files here: https://noransom.kaspersky.com/

Share with Friends
FacebookTwitterLinkedInEmail
Use Cybytes and
Tip the Author!
Join
Share with Friends
FacebookTwitterLinkedInEmail
Ready to share your knowledge and expertise?
3 Comments
  1. Network shares are critical for restoring and recovery operations. As far as working directories, it just depends on how fast you discover the ransomware and take action to contain it. Thanks!

  2. Great article. I’d also like to add that CryptoLocker works by searching for shared network files and propagating in this manner.

    To mitigate against this type of attack and lower risk, create private shares for users so if they do become infected the malware won’t spread to other network shares the account has access to.

    If users need to share files, create one location and share so that if a device does become infected you have only the one file share and the user drive to worry about.

    Cybryte

    • Good point! I did not cover the network implications. Excellent suggestions for mitigation. Network share backup is also critical for recovery when something like this happens, but I’ve seen cases where the directories encrypted haven’t been discovered for weeks so backups were already stale and contained the newly encrypted files.

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel