PSA: Ransomware and Cryptolocker – What is it? How it works and steps we can take to avoid being hacked/scammed.

What is Ransomware:

Ransomware is a type of malware that severely restricts access to a computer, device, or file(s) until a ransom is paid by the user. Unfortunately, many recent Ransomware extortionists have been requesting Bitcoin rather than cash, given its ability to be transferred easily internationally without sharing personal details. Ransomware is a criminal money making scheme which may be installed through deceptive links in an email message, instant messages or website. It has the ability to lock a computer screen or encrypt important  files with a password. Cryptolocker uses a public and private key system where the public key is used to encrypt and the private key is used to decrypt.

Cryptolocker is a well-known ransomware which has been very effective at extracting bitcoin from people/businesses around the world, over 50% of people who are exposed to the malware pay the bitcoin ransom for their files – primarily because either they do not have a working backup of those files or the cost of replacing the data far outweighs the ransom.

 

It is worth noting that the method of payment used by Cryptolocker and other ransomware is bitcoin (due to its efficiency and other reasons) – Bitcoin is NOT ransomware technology. Bitt has experienced angry and confused  callers muttering the word “Bitcoin”, while not understanding that they are infected with malware and the payment requested is IN bitcoin.


History of Ransomware:

The first ransomware cases were reported in Russia in 2005. Since then, the scams have spread throughout the world, with new types still successfully targeting victims. In September 2013, CryptoLocker surfaced and targeted versions of Windows. It has successfully infected hundreds of thousands of personal computers and business systems. Victims unknowingly opened emails impersonating customer support services from FedEx, UPS, DHS and other companies. Once activated, the malware’s onscreen timer demanded an average payment of $300 – $1,000 in within 72 hours. Some versions affected local files and removable media.

How Ransomware Spreads:

The method of infection varies for most viruses, but ransomware is typically packaged with installation files masquerading as official software updates. They are advertised as updates for Adobe Acrobat, Java, and Flash Player. If you’ve opened underground websites such as torrent sites, you’ve probably come across some of the ads used to distribute malware. Typically, a popup opens telling you that you need to update Adobe Acrobat.

Here are some other delivery methods used by this malware:

  • Social Engineering
  • Email attachments
  • Shortened malicious URLs
  • Malvertising attacks
  • Exploit kits
  • Drive by downloads
  • Other more technical vectors

The modus operandi of ransomware has evolved beyond this basic attack profile of targeting larger organizations or attacking PCs one at a time. Criminals have developed new ransomware
families that can spread within an organization to encrypt multiple PCs. This can even happen by hosting ransomware on a compromised application server rather than by sending attachments.

As defenses have evolved, more advanced ransomware is increasingly engineered to operate in a standalone or stealth capacity, for example hiding its activity by not contacting a C2 (command and control) or even working entirely from memory without the need to save files to disk.

Crypto malware encrypts any data file that the victim has access to since it generally runs in the context of the user that invokes the executable and does not need administrative rights. It can lock and control virtually any file on your computer. It will typically scan and encrypt whatever data files it finds on computers connected in the same network with a drive letter including removable drives, network shares, and even DropBox mappings… If there is a drive letter on your computer it will scan for data files and encrypt them. Some crypto malware will scan all of the drive letters that match certain file extensions and when it finds a match, it encrypts them. Other crypto malware utilizes a white list and will encrypt all files unless it has certain excluded extensions or is located at a certain area on the system.

Whether you can recover (decrypt) your files or not depends on what ransomware infection you are dealing with. All crypto malware ransomware use some form of encryption algorithms, most of them are secure, but others are not. The possibility of decryption depends on how thorough the malware creator, what algorithm the creator utilized for encryption and discovery of any flaws. It was possible to decrypt files encrypted with early versions of ransomware but newer variants e.g. Cryptolocker use a public and private key system where the public key is used to encrypt and the private key is used to decrypt. The private key is stored on a central server maintained by the cyber-criminals and not available unless the victim pays the ransom.

Some of the more popular crypto malware ransomware use RSA encryption, AES Encryption or a combination such as ECC (Elliptic Curve Cryptography) to encrypt data.

 

How you can take steps to protect yourself:

  • When reading your emails, never click on an embedded link in the message unless you know the destination (you can usually find this out by hovering your mouse over the link). E-mail has become a common way which hackers/cyber criminals use to infiltrate your system , other simple methods to watch are scams and phishing activities which attempt to obtain information or compromise your computer.   This applies to messages from people you know, most web-based email accounts (Yahoo, Gmail, etc.) can be compromised.

 

 

 

  • Disable Java (not JavaScript) in your internet browser. Exploits through Java occur frequently, even though Java itself it rarely needed while using the internet.

 

 

 

bitt-ransomware-04

 

 

  • While Internet Explorer is relatively popular, it lacks a feature included in Mozilla Firefox that makes Firefox a safer browser to use, particularly if you are susceptible to JavaScript threats.  Firefox has a NoScript add-on which blocks all JavaScript programs from sites that you have not pre-approved.

 

bitt-ransomware-05

 

 

  • Back up important data on your computer to an external drive (preferable) orstoragelocation (an online “cloud” or flash drive) regularly to prevent total loss in the event your computer is stricken with a virus or other harmful malware.

 

 

 

 

 

  • Never open or run executable files directly from the internet.  Download them to your computer’s hard drive or an external storage device and perform a virus scan first.

 

 

 

 

 

 

 

 

  • Establish more than one e-mail address for multiple purposes.  For example, you could have one e-mail address known only to close friends and family members, another for online banking and financial transactions, and another for online gaming purposes.  This reduces the amount of potential malware threats and phishing risks you are exposed to.

 

 

 

 

 

  • If you have a supplemental firewall program such as Comodo and ZoneAlarm which ask for permission when an unknown program is attempting to download a file, connect to your computer, or execute a program. Never allow the action unless you know what the program or file is first and are sure it is from a trusted source.

 

 

 

 

 

  • Social engineering can be your worst enemy when it comes to malware, On the day StarCraft II was released, security firms reported a huge number of warez downloads for
    the game that were really wrappers for viruses. On the day Michael Jackson died, sites sprang up claiming video exclusives of the
    singer’s last moments. Again, these were links to malware. Employing the lure of a hot topic as a means of walking us towards malware is a common hacker tactic. When you’re tempted to click a link, follow the old mantra: if something sounds too good to be true, it probably is.

 

  • The best tool to avoid spyware and stay safe on the Internet is your own brain. Free software with no potential upgrades or strings attached, websites that are covered in flashy ads, and free Wi-Fi in an unexpected place are all signs that something may be wrong, and ignoring that intuition can get you in trouble. By staying aware of what you are doing, and thinking about your security while you live your online life, you stand a better chance of avoiding potentially dangerous situations.

 

With the constant innovation which technology brings, bad actors will always find ways to bend useful technology to their will. It is up to us to remain vigilant and take the time to educate ourselves on some useful best practices for our digital lives. The best security measure you have is yourself, take your time and be aware. After some practice, you will start to spot the potential threats and not fall victim to them!