Ransomware

No More Ransom adds immense power to the global battle against ransomware

We are at the end of 2016, and hopefully everyone is aware of ransomware and its impact on business. One reason that ransomware is so effective is that the cybersecurity field is not entirely prepared for its resurgence.

Attacks are more successful when effective countermeasures are not in place.  Security firms are consistently developing and releasing anti-ransomware applications and decryption tools in response to the threat.

For variants of ransomware that rely on strong asymmetric encryption, which remains practically unbreakable without the decryption key, the victim's options are sharply limited: pay the ransom or lose the data.

Types of Ransomware

There are two main forms of ransomware in circulation today:

  • Locker Ransomware
  • Crypto Ransomware

Both forms of ransomware are designed to disrupt our digital lives. They deny us the things we need, then offer to return what is rightfully ours on payment of a ransom.

Locker Ransomware

Locker ransomware is typically spread through social engineering, phishing campaigns, and vulnerable sites. Locker ransomware simply restricts user access to infected systems, either by denying access to the user interface or by restricting the availability of computing resources.

Certain capabilities, such as numeric keyboard functionality, might remain unlocked while the rest of the keys and the mouse are locked. This design increases user frustration while restricting user action to following the attacker’s instructions.

Attackers abandoned locker ransomware in favor of its more robust counterpart, crypto ransomware. Locker variants are still developed, but they are less numerous than crypto ransomware families.


Crypto Ransomware

Instead of restricting user action by denying access to the user interface, crypto ransomware targets the data and filesystems on the device. Critical system files and functionality tend to remain unaffected.

People do not think rationally under time limits; as before, the cyber-criminals are compensating for a lack of technical sophistication by leveraging human behavior against the victim.

The victim is subject to the anxiety of the ticking clock, the fear of the consequences of making the wrong decision, and the fear of regret if the data is lost forever.

Crypto ransomware did not become widespread until 2013, because until then attackers failed to realize that successful crypto ransomware attacks rely on current strong encryption algorithms and proper management of the accompanying cryptographic key.

According to information security researchers at Symantec, the current crypto ransomware threat landscape is still fragmented into new entrants into the market and mature criminal groups.

Both types of attackers try to employ industry-standard encryption algorithms, such as RSA, Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES) with a suitably large key in their ransomware.

Crypto ransomware is often spread through Tor, botnets, or other malware. At its core, crypto ransomware is as simple as weaponizing strong encryption against victims to deny them access to their own files.

Examples of Crypto ransomware

Locky:

On February 5, 2016, medical systems belonging to Hollywood Presbyterian Medical Center were infected with the Locky ransomware. Healthcare data remained unaffected, but computers essential to laboratory work, CT scans, emergency room systems, and pharmacy operations were infected.

The hospital paid a ransom of 40 Bitcoins ($17,000) to unlock its machines. The hospital does not appear to have been specifically targeted; the infection apparently resulted from a random malicious email.

TeslaCrypt/ EccKrypt:

TeslaCrypt infects systems through the Angler exploit kit, which leverages vulnerabilities in Adobe Flash (such as CVE-2015-0311). Silverlight and Internet Explorer may be exploited in the absence of Adobe Flash.

The TeslaCrypt binary is compiled in Visual C++. The ransomware code is stored encoded within the binary. After the code is decrypted into memory, TeslaCrypt overwrites the MZ binary onto itself.

TeslaCrypt originally targeted 185 file types related to 40 computer games (Call of Duty, Skyrim, Minecraft, etc.) on Windows systems. Victims are prompted to pay a ransom of ~$500 (in Bitcoin, PaySafeCard, or Ukash).

Cryptolocker:

Cryptolocker is a crypto ransomware trojan that began infecting Windows systems in September 2013 through the Gameover ZeuS botnet; it encrypts the host's data with RSA public-key encryption.

This trojan encrypts document, picture, and CAD files on the local hard-drives and mapped network drives with the public key and logs each encrypted file as a registry key.

Cryptowall/ CryptoDefense/CryptorBit:

The Cryptowall family of ransomware first appeared in early 2014 and became popular after Operation Tovar dismantled the Cryptolocker network.

Cryptolocker is spread through various exploit kits, spam emails (with attached RAR files that contain CHM files), and malvertising pages.

Unlike Cryptolocker, the Cryptowall malware targets Windows systems globally, though the United States (13%), Great Britain (7%), the Netherlands (7%), and Germany (6%) were the most affected.

CTB-Locker:

The “Curve-Tor-Bitcoin-Locker” (CTB-Locker) is a PHP-based trojan that was publicly analyzed by security researcher Kafeine in mid-2014. CTB-Locker is essentially ransomware as a service (RaaS): the attackers outsource the spread of the malware to a number of script kiddies and botnet operators (often referred to as affiliates) in exchange for a share of the paid ransoms.

CTB-Locker is also available in English, French, German, Spanish, Latvian, Dutch, and Italian to accommodate affiliates and targets from most American and European countries.

In February 2016, attackers began to use the CTB-Locker to encrypt websites hosted by WordPress. This variant of CTB-Locker is referred to as Critroni.

The attackers compromise an insecure website and replace its index.php or index.html file with files that encrypt the site’s data with AES-256 encryption.

Hybrid Ransomware:

One of the prevalent malware mitigation strategies is layered defense (defense in depth). It stands to reason that, in accordance with the concept of mutual escalation, attackers will begin to “attack in layers.”

This behavior already occurs in APT campaigns and in some ransomware attacks, where for instance, the adversary launches a DDoS attack alongside a more concerning attack.

Delivery Channels

Ransomware follows the same distribution and infection vectors as traditional malware. The primary difference is that ransomware threat actors often lack the sophistication to breach modern networks.

Traffic distribution system (TDS):

Traffic distribution services redirect web traffic to a site hosting an exploit kit. Often, traffic is pulled from sites hosting adult content, video streaming services, or media piracy sites.

Some ransomware groups, especially criminals who purchase their malware instead of developing it themselves, may hire a TDS to spread their ransomware.

If the host is vulnerable to the exploit kit on the landing page, then the malware is downloaded onto the system as a drive-by download.

Malvertisement:

As with a TDS, a malicious advertisement can redirect users from an innocuous site to a malicious landing page. Malvertisements may appear legitimate and can even appear on trusted sites if the administrator is fooled into accepting the ad provider or if the site is compromised.

Phishing Emails:

As with most malware campaigns, phishing and spam emails are the primary delivery method for malicious content into a network, because users are culturally trained to open emails and to click on attachments and links.

Botnets are used to send spam emails or tailored phishing emails at random or to personnel within an organisation. These botnets and email services are a criminal enterprise unto themselves.

Downloaders:

Malware is delivered onto systems through stages of downloaders to minimize the likelihood of signature-based detection. Ransomware criminals pay other threat actors to install their ransomware onto already infected machines.

If the ransomware threat actor actually decrypts the system, then the ransomware infection could draw attention to the other compromise; however, it could just as easily mask the other malware by focusing the user’s attention on certain infected systems.

Malware groups who conduct widespread phishing campaigns and watering-hole attacks may be equally willing to sell access to the systems that they compromised by accident.

Social Engineering:

Popp’s AIDS trojan relied on social engineering, and human ignorance, to generate profit. The only systems infected belonged to users who ignored the plainly worded warning pamphlet.

These victims were either brash or curious. In 1989, a sizeable share of the 20,000 victims probably had no choice but to pay the ransom.

Self-Propagation:

Select ransomware variants contain the functionality to self-propagate through a network in a fashion similar to other malware. The majority of these samples are crypto ransomware because locker ransomware is not exceptionally popular at the moment; however, Android variants of crypto ransomware and locker ransomware have appeared in the wild.

One such variant targeting Windows is the Ransomlock (W32.Ransomlock.AO) screen locker.

Criminals will have to develop a mechanism to check whether or not a system has already been infected (such as a certificate) and a mechanism to decrypt all systems belonging to a victim who has paid the ransom; otherwise, the entire business model will be upended.

This could be accomplished by simultaneously removing or deactivating the ransomware on all of the victim’s systems.

Targets for Ransomware

Unlike APT campaigns, financially motivated cyber threats, like ransomware campaigns, do not care about the individual target. Instead, they target the subset of society believed to be most likely to pay the ransom demand.

Ransomware is often spread en masse in the hope that a portion of the users will pay. Ransomware, whether purchased or developed, is relatively cheap in comparison to APT malware. Delivery is virtually free.

Payment Medium

The payment method has evolved with ransomware since the AIDS trojan in 1989. Some variants, such as the 2009 Trojan.Ransomlock, ask for wire transfers and premium-rate text messages, while others demand that the ransom be paid with a digital voucher (CashU, MoneXy, MoneyPak, etc.) or in cryptocurrencies.

What to Do after a Ransomware Infection

  • The first place to go is nomoreransom.org (the No More Ransom project), a site led by security firms and cybersecurity organisations in 22 countries.
  • The next place to go is the free ransomware decryption tools provided by AVG.

How to Respond to a Ransomware Attack

The following best practices, from Check Point, can help you efficiently address a ransomware attack against your organisation and return to normal business operations as quickly as possible.

Block Ransomware Communication

Many types of ransomware (but not all) require connecting with a command and control server (C&C server) to obtain an encryption key in order to function. Implementing Anti-Bot technology to block ransomware and other forms of malware from connecting and communicating with command and control servers can limit, and possibly eliminate the ability for the ransomware to function.
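The blocking described above starts with spotting the C&C traffic. The following is an added example, not code from the original post or from any anti-bot product: it parses constructed proxy log lines (timestamp, source host, destination, action; all hosts and domains are made up) and flags a source host whose connections to one destination are evenly spaced, the beaconing pattern a blocking policy would act on, alongside a plain blocklist match.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log: "<epoch> <src-ip> <dst-host> <action>". Invented for this example.
PROXY_LOG = """\
1480000000 10.1.4.22 updates.example-vendor.test ALLOW
1480000003 10.1.4.22 cdn.example-vendor.test ALLOW
1480000060 10.1.4.22 k7h2.example-c2.test ALLOW
1480000120 10.1.4.22 k7h2.example-c2.test ALLOW
1480000181 10.1.4.22 k7h2.example-c2.test ALLOW
1480000240 10.1.4.22 k7h2.example-c2.test ALLOW
1480000299 10.1.4.22 k7h2.example-c2.test ALLOW
1480000100 10.1.4.23 mail.example-vendor.test ALLOW
1480000400 10.1.4.23 news.example.test ALLOW
"""
LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse(log):
    """Group connection timestamps by (source host, destination)."""
    out = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, src, dst, _action = m.groups()
            out[(src, dst)].append(int(ts))
    return out

def beacon_score(timestamps):
    """Jitter of the gaps between connections: 0 means perfectly periodic.
    Needs at least four connections (three gaps) to say anything."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    return pstdev(gaps) / mean(gaps)

def find_beacons(log, max_jitter=0.1, blocklist=()):
    """Return (src, dst, reason) triples an egress policy should block."""
    hits = []
    for (src, dst), ts in parse(log).items():
        if dst in blocklist:
            hits.append((src, dst, "known C&C domain"))
            continue
        score = beacon_score(ts)
        if score is not None and score <= max_jitter:
            hits.append((src, dst, f"periodic beacon, jitter={score:.2f}"))
    return hits
```

Blocking the flagged pair at the proxy or firewall before the key exchange completes is what denies the ransomware its key; the jitter threshold is a tuning knob, and a blocklist of known domains remains the cheaper first check.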

Contain Infections to Prevent Them from Spreading, Minimizing Business Impact

While some ransomware requires communications with a C&C server to obtain an encryption key, other variants do not. Some are now bundling the public encryption key with the malware itself, encrypting files before they even reach out to their command and control networks.

But even if the ransomware manages to encrypt files on the infected device, all hope is not lost. Anti-Bot technology can identify and quarantine malicious processes and communications, and automatically lock down the infected devices.

This can dramatically reduce the damage caused by the ransomware and limit the impact on your business.
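How a containment agent can identify the encrypting process on a host, as an added example rather than code from the original post or from any vendor's product: it runs over constructed file-write telemetry (process names, pids and paths are invented; ".locky" is the extension Locky appends to encrypted files) and flags a process that writes a burst of ciphertext-like files inside a short window, using byte entropy so that ordinary document saves do not count.

```python
import math
from collections import defaultdict, deque

# Constructed telemetry: (timestamp_s, pid, process, path, first_bytes). Invented for this example.
HIGH_ENTROPY = bytes(range(256)) * 4                    # stand-in for ciphertext: every byte value equally frequent
LOW_ENTROPY = b"Quarterly figures, see attached spreadsheet. " * 20   # stand-in for ordinary document text

def make_events():
    events = []
    for i in range(5):                                  # benign editor: a few saves spread over a minute
        events.append((i * 12.0, 410, "winword.exe", f"C:/Users/a/Documents/report{i}.docx", LOW_ENTROPY))
    for i in range(40):                                 # suspect: 40 ciphertext-like writes in 8 seconds
        events.append((100.0 + i * 0.2, 988, "svchost32.exe", f"C:/Users/a/Pictures/img{i}.jpg.locky", HIGH_ENTROPY))
    return events

def shannon_entropy(data):
    """Bits per byte of the sample; 8.0 means every byte value is equally frequent, as in ciphertext."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_bulk_encryptors(events, window_s=10.0, min_writes=20, min_entropy=7.0):
    """Map (pid, name) -> peak count for processes that wrote at least min_writes
    high-entropy files inside any sliding window of window_s seconds."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, pid, name, _path, data in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(data) < min_entropy:
            continue                                    # plaintext saves never count toward the burst
        q = recent[(pid, name)]
        q.append(ts)
        while ts - q[0] > window_s:                     # age out writes that left the window
            q.popleft()
        if len(q) >= min_writes:
            flagged[(pid, name)] = max(flagged.get((pid, name), 0), len(q))
    return flagged

def containment_actions(flagged):
    """What the agent does next: suspend the process and isolate the host."""
    return [f"suspend pid {pid} ({name}) and isolate the host from the network" for pid, name in sorted(flagged)]

if __name__ == "__main__":
    for action in containment_actions(find_bulk_encryptors(make_events())):
        print(action)
```

The thresholds (window, count, entropy) are illustrative; in practice they are tuned against normal activity on the hosts being protected, since compressed archives and media files also look high-entropy.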

Don’t Panic, There May Be An Existing Solution

If you do become the victim of ransomware, do not panic. There may be an existing solution. Contact your IT professionals immediately, as they are best equipped to determine an appropriate response.

In some cases, you may be left with only two options – restore encrypted files from backup or pay the ransom. In several instances, such as TeslaCrypt and Shade, decryption keys may be available on the internet. A quick search might save your team significant time and money in dealing with the attack.

Analyze And Understand The Attack And Determine An Appropriate Response
