Ransomware is malware for data kidnapping, an exploit in which the attacker encrypts the victim's data and demands payment for the decryption key.
Ransomware spreads through e-mail attachments, infected programs and compromised websites. A ransomware malware program may also be called a cryptovirus, cryptotrojan or cryptoworm.Attackers may use one of several different approaches to extort money from their victims:
After a victim discovers he cannot open a file, he receives an email ransom note demanding a relatively small amount of money in exchange for a private key. The attacker warns that if the ransom is not paid by a certain date, the private key will be destroyed and the data will be lost forever.
The victim is duped into believing he is the subject of an police inquiry. After being informed that unlicensed software or illegal web content has been found on his computer, the victim is given instructions for how to pay an electronic fine.
Read about: Bitcoin use in Ransomware
The malware surreptitiously encrypts the victim's data but does nothing else. In this approach, the data kidnapper anticipates that the victim will look on the Internet for how to fix the problem and makes money by selling anti-ransomware software on legitimate websites.To protect against data kidnapping, experts urge that users backup data on a regular basis. If an attack occurs, do not pay a ransom. Instead, wipe the disk drive clean and restore data from the backup.
Ransomware is a sophisticated piece of malware that blocks the victim’s access to his/her files.
"There are two types of ransomware in circulation:"
"Encrypting ransomware:" which incorporates advanced encryption algorithms. It’s designed to block system files and demand payment to provide the victim with the key that can decrypt the blocked content. Examples include CryptoLocker, Locky, CrytpoWall and more.
"Locker ransomware:" which locks the victim out of the operating system, making it impossible to access the desktop and any apps or files. The files are not encrypted in this case, but the attackers still ask for a ransom to unlock the infected computer. Examples include the police-themed ransomware or Winlocker.
"Ransomware has some key characteristics that set it apart from other malware:"
It features unbreakable encryption, which means that you can’t decrypt the files on your own (there are various decryption tools released by cyber security researchers – more on that later);
It has the ability to encrypt all kinds of files, from documents to pictures, videos, audio files and other things you may have on your PC;
It can scramble your file names, so you can’t know which data was affected. This is one of the social engineering tricks used to confuse and coerce victims into paying the ransom;
It will add a different extension to your files, to sometimes signal a specific type of ransomware strain;
It will display an image or a message that lets you know your data has been encrypted and that you have to pay a specific sum of money to get it back;
It requests payment in Bitcoins, because this crypto-currency cannot be tracked by cyber security researchers or law enforcements agencies;
Usually, the ransom payments has a time-limit, to add another level of psychological constraint to this extortion scheme. Going over the deadline typically means that the ransom will increase, but it can also mean that the data will be destroyed and lost forever.
It uses a complex set of evasion techniques to go undetected by traditional antivirus (more on this in the “Why ransomware often goes undetected by antivirus” section);
It often recruits the infected PCs into botnets, so cyber criminals can expand their infrastructure and fuel future attacks;
It can spread to other PCs connected in a local network, creating further damage;
It frequently features data exfiltration capabilities, which means that ransomware can extract data from the affected computer (usernames, passwords, email addresses, etc.) and send it to a server controlled by cyber criminals;
It sometimes includes geographical targeting, meaning the ransom note is translated into the victim’s language, to increase the chances for the ransom to be paid.
"Where does the current wave of ransomware infection come from?"
Even though most companies have extensive security mechanisms in place, such as virus scanners, firewalls, IPS systems, anti-SPAM/anti-virus-email-gateways and web filters, we are currently witnessing large numbers of infections worldwide with ransomware infections, such as Cryptowall, TeslaCrypt and Locky. Files on computers and network drives are encrypted as part of these infections in order to blackmail the users of these computers to pay a sum of money, usually in the region of USD 200-500, for the decryption tool.
"A common infection scenario may look like this:"
A user receives an email that comes from a seemingly plausible sender with an attached document, a parcel service with attached delivery information or anexternal company with an attached invoice.
The email attachment contains an MS Word or Excel document with an embeddedmacro. If the recipient opens the document a macro will attempt to startautomatically, executing the following actions:
It tries to download the actual ransomware payload from a series of webaddresses that only exist momentarily. If a web address cannot be reached, thenext one is accessed until the payload has been downloaded successfully.
"The macro executes the ransomware"
The ransomware contacts the command & control server of the attacker,sends information about the infected computer and downloads an individual public key for this computer.
Files of certain types (Office documents, database files, PDFs, CAD documents,HTML, XML etc.) are then encrypted on the local computer and on all accessible network drives with this public key.
Automatic backups of the Windows operating system (shadow copies) are often deleted to prevent this type of data recovery.
"Best practices to apply immediately"
Backup regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
Don’t enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so don’t do it!
Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
Don’t give yourself more login power than you need. Most importantly, don’t stay logged in as an administrator any longer than is strictly necessary, and avoid browsing, opening documents or other “regular work” activities while you haveadministrator rights.
Consider installing the Microsoft Office viewers.
These viewer applications let you see what documents look like without opening them in Word or Excel itself. Inparticular, the viewer software doesn’t support macros at all, so you can’t enablemacros by mistake!
Patch early, patch often.
Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more.
The sooner you patch, the fewer open holes remain forthe crooks to exploit. Keep informed about new security features added to your business applications. Forexample, Office 2016 now includes a control called "Block macros from running inOffice files from the internet" which helps protect you from external malicious content without stopping you using macros internally.
Open .JS files with Notepad by default.
This helps protect against JavaScript borne malware by enabling you to identify the file type and spot suspicious files.
Show files with their extensions.
Malware authors increasingly try to disguise the actual file extension to trick you into opening them. Avoid this by displaying files with their extensions at all times.
0 comments:
Post a Comment