Threat Intelligence Blog

Posted October 22, 2015


By Marc Larson and Val Vask

Ransomware has been around since at least 1989, but there has been an exponential rise in cases within the last three years, and in the past year ransomware has cost businesses around $18 million.

Ransomware is malicious software (malware) that renders a victim’s computer or network data temporarily or permanently inaccessible unless a “ransom” is paid within a specified period of time. The very nature of the word “ransomware” suggests financial gain is the primary motivating factor for cybercriminals to distribute such malware. This type of Trojan typically targets Windows-based systems, but has evolved to include other systems and devices. To further complicate matters, criminals often ask victims to pay the ransom in bitcoin or with payment vouchers.

The recent rise in ransomware scams can be attributed to several things:

  • The advent of Bitcoin (in 2009) and other digital/virtual currency has allowed ransomware authors to extort money from users anonymously.
  • The proliferation of peer-to-peer (P2P) networks and P2P file sharing protocols like BitTorrent has given ransomware authors a new mechanism to transfer large files and malware over the Internet. Ransomware developers even named one of their Trojans “TorrentLocker” after the BitTorrent application itself.
  • Better online anonymization software and privacy tools, like the Tor Network, allow ransomware authors to obfuscate their command and control (C2) structure, making it more difficult for authorities to identify the cybercriminals behind a ransomware campaign. In fact, CTB Locker (Curve-Tor-Bitcoin) owes its name, in part, to Tor, which refers to the ransomware’s C2 infrastructure.
  • Ransomware authors are more sophisticated today than they were before 2009. One reason is better encryption methods. In the past, ransomware developers used symmetric encryption, which stored the keys needed to decrypt files in either the compromised system’s registry or within the malware itself. Now, cybercriminals use asymmetric encryption, where they store a “private” key at an unnamed location that won’t be revealed unless the victim pays the ransom.
  • The growth of the Internet means more Internet users are dependent on the Internet for personal and professional use. With this growth also comes an increase in cybercrime and the digital underground economy that supports it, making ransomware an obvious byproduct of its growth.
  • The prevalence of mobile devices has also spurred renewed interest in ransomware development since cybercriminals can now focus on developing malware targeting smart phones.

There are two types of ransomware: non-encrypting and encrypting. Non-encrypting ransomware is also known as “blockers,” “computer lockers,” or “ransomlocks,” while encrypting ransomware is also known as “encryptors,” “data lockers,” or “CryptoLockers.” Non-encrypting ransomware takes control of a device’s screen, which prevents users from accessing data hidden behind a window or message prompt. On the other hand, encrypting ransomware restricts access to the actual files stored in the computer’s hard drive or external storage device by encrypting those files. In other words, non-encrypting ransomware prevents victims from accessing their desktop, while encrypting ransomware prevents victims from accessing their files and personal information because it has been encrypted.

CryptoLocker is arguably the most famous example of an encrypting ransomware Trojan due to its global reach and scope. Like most cryptoviruses, CryptoLocker propagated via emails containing malicious attachments delivered by botnets specific to that ransomware (in this case, the Gameover Zeus botnet). A botnet is an army of compromised hosts (also known as bots or zombies) that typically receives instructions from a single entity through a C2 server. The C2 server acts as a centralized controller that communicates remotely with bots in the network.

The notoriety of CryptoLocker captured the attention of an international task force, which resulted in the takedown of the Gameover Zeus botnet—effectively neutralizing CryptoLocker’s delivery mechanism. Although international efforts were successful in diminishing CryptoLocker’s momentum, other ransomware variants followed in its wake, including Cryptowall, CTB Locker, CryptoLocker 2.0 (which is completely different than the original CryptoLocker), TeslaCrypt, and TorrentLocker, to name a few.

Cryptowall (also known as Crowti) and TeslaCrypt (also known as Tescrypt) are currently the most popular versions of ransomware, with Cryptowall accounting for over 56 percent of distributed ransomware and TeslaCrypt accounting for almost 11 percent.

Who and What are Targets?

Ransomware is a continuing threat to any business storing sensitive data on its networks because it can target anything connected to the Internet that stores data. This includes computers, mobile phones, smart TVs, network-attached storage (NAS), and other “smart” devices now considered part of the Internet of Things (IoT).

Historically, cybercriminals primarily targeted individuals, but they are now starting to focus on specific groups and small and medium-sized businesses (SMBs). Ransomware that targets specific groups is known to sometimes leverage region-specific notifications from postal services, telecommunications, utilities, and government bodies. These notifications are normally delivered by emails meant to impersonate the targeted area’s local or national law enforcement bureaus, or delivery companies such as UPS and FedEx. For example, Canadians and Europeans have received emails that appear to be from police departments, and Scandinavian countries have been targeted with ransomware that appears to come from their local postal service.

Small and medium-sized businesses are targeted because they typically lack the robust IT support, security framework, and budget needed to prevent ransomware. This includes off-site/off-network storage capabilities, the ability to diligently monitor networks or web applications for vulnerabilities, and the time to update or patch their network or website software.

How Is Ransomware Distributed?

Ransomware can infect a device in a number of ways. Below are a few of the most common.

  • Spam or Spear Phishing Emails: Frequently contain “archive” files—compressed file formats like .cab or .zip—that, when accessed, install a downloader program that connects to a malicious domain containing ransomware.
  • Botnets: Spread malware via spam and spear phishing emails.
  • Exploit Kits/Packs: Malicious toolkits that spread malware by exploiting security vulnerabilities in software.
  • Malvertisements: Malicious or compromised ads that can download malware onto your computer with or without clicking on them.
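
As an added example (not part of the original post), here is a mail-gateway style check for the archive attachments described in the first bullet. It identifies .zip and .cab attachments by content rather than file name and flags zip members with executable extensions. The extension list, function names and sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that should not arrive inside a mailed archive (assumed policy list).
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".pif", ".com"}

def triage_attachments(raw_email: bytes) -> list[tuple[str, str]]:
    """Return (attachment name, finding) pairs for archive attachments worth blocking."""
    findings = []
    msg = message_from_bytes(raw_email, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if data[:4] == b"MSCF":  # Microsoft Cabinet magic; the stdlib cannot unpack it
            findings.append((name, "cab archive: quarantine for manual review"))
        elif data[:4] == b"PK\x03\x04":  # zip, identified by content, not by file name
            try:
                members = zipfile.ZipFile(io.BytesIO(data)).infolist()
            except zipfile.BadZipFile:
                findings.append((name, "malformed zip"))
                continue
            for m in members:
                if any(m.filename.lower().endswith(ext) for ext in RISKY_EXT):
                    findings.append((name, f"executable content: {m.filename}"))
    return findings

def build_sample() -> bytes:
    """Constructed test message: a renamed zip holding harmless bytes named like a program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice_1042.pdf.exe", b"not a real program")
        z.writestr("readme.txt", b"hello")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.test", "user@example.test", "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.dat")
    msg.add_attachment(b"MSCF" + b"\x00" * 32, maintype="application",
                       subtype="octet-stream", filename="parcel.cab")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, finding in triage_attachments(build_sample()):
        print(f"{name}: {finding}")
```

Checking the leading bytes instead of the file name catches the renamed `invoice.dat` attachment, which an extension-only filter would pass.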

While preventative measures are not always foolproof, the best way to protect your information is by starting with these recommendations:

  • Back up your files to an external storage device – not a NAS – on a regular basis (anywhere from daily to monthly) to ensure you can restore deleted or corrupted data
  • Use pop-up blockers
  • Disable plugins
  • Use antivirus software and keep it updated
  • Don’t open unsolicited email attachments, click on ads with dubious claims, or visit websites of questionable reputation

If you are hit with ransomware, keep in mind that there’s NO guarantee that 1) you’ll receive the decryption key if you pay the ransom, or 2) that the decryption key will actually work (cybercriminals use a “public” key to encrypt the data and a “private” key to decrypt it in a process called asymmetric encryption). However, sometimes a cost-benefit analysis may prove useful in determining what action to take.

Removal methods for ransomware differ slightly between each variant. Below are some suggestions for dealing with ransomware if your device is compromised:

  • Remove the infected or compromised system from the network to prevent the malware from spreading.
  • Attempt to identify the type of ransomware infecting the system (often possible by checking the ransom notice against known strains).
  • Consult with a reputable security expert to assist in removing the malware.
  • Use the proper tools to decrypt files, otherwise the files can become corrupted or overwritten, rendering them useless.
  • Revert to restore points and backups to return systems to a safe state after the threat is removed.
  • Although there are various sites that offer to recover files locked by CryptoLocker, there’s no guarantee they will work once your computer is infected. Be wary of any sites that offer to recover your files for a fee.

Though most ransomware strains do not steal data, only encrypt it, security and law enforcement recommend that users change all online account passwords and network passwords after removing the malware from the system. The best way to keep your information safe is by being proactive about your security measures.
