top of page

Ransomeware news

What is ransomware?

Ransomware is a sophisticated piece of malware that blocks/encrypt the victim’s access to his/her files, and the only way to regain access to the files is to pay a ransom.

 

There are two types of ransomware in circulation:

  • Encryptors, which incorporates advanced encryption algorithms. It’s designed to block system files and demand payment to provide the victim with the key that can decrypt the  blocked content. Examples include CryptoLocker, Locky, CrytpoWall and more.

  • Lockers, which locks the victim out of the operating system, making it impossible to access the desktop and any apps or files. The files are not encrypted in this case, but the attackers still ask for a ransom to unlock the infected computer. Examples include the police-themed ransomware or Winlocker.

  • Some locker versions infect the Master Boot Record (MBR). The MBR is the section of a PC’s hard drive which enables the operating system to boot up. When MBR ransomware strikes, the boot process can’t complete as usual and prompts a ransom note to be displayed on the screen. Examples include Satana and Petya families.

 

Ransomware has some key characteristics that set it apart from other malware:

  • It feature sunbreakable encryption, which means that you can’t decrypt the files on your own (there are various decryption tools released by cyber security researchers – more on that later);

  • It has the ability to encrypt all kinds of files, from documents to pictures, videos, audio files and other things you may have on your PC;

  • It can scramble your file names, so you can’t know which data was affected. This is one of the social engineering tricks used to confuse and coerce victims into paying the ransom;

  • It will add a different extension to your files, to sometimes signal a specific type of ransomware strain;

  • It will display an image or a message that lets you know your data has been encrypted and that you have to pay a specific sum of money to get it back;

  • It requests payment in Bitcoins because this crypto-currency cannot be tracked by cyber security researchers or law enforcements agencies;

  • Usually, the ransom payments have a time-limit, to add another level of psychological constraint to this extortion scheme. Going over the deadline typically means that the ransom will increase, but it can also mean that the data will be destroyed and lost forever.

  • It uses a complex set of evasion techniques to go undetected by traditional antivirus (more on this in the “Why ransomware often goes undetected by antivirus” section);

  • It often recruits the infected PCs into botnets, so cyber criminals can expand their infrastructure and fuel future attacks;

  • It can spread to other PCs connected to a local network, creating further damage;

  • It frequently features data exfiltration capabilities, which means that it can also extract data from the affected computer (usernames, passwords, email addresses, etc.) and send it to a server controlled by cyber criminals; encrypting files isn’t always the endgame.

  • It sometimes includes geographical targeting, meaning the ransom note is translated into the victim’s language, to increase the chances for the ransom to be paid.

 

Their feature list keeps growing every day, with each new security alert broadcasted by our team or other malware researchers.

How do ransomware threats spread?

 

Cyber criminals simply look for the easiest way to infect a system or network and use that backdoor to spread the malicious content.

Nevertheless, these are the most common infection methods used by cybercriminals

  • Spam email campaigns that contain malicious links or attachments (there are plenty of forms that malware can use for disguise on the web);

  • Security exploits in vulnerable software;

  • Internet traffic redirects to malicious websites;

  • Legitimate websites that have malicious code injected in their web pages;

  • Drive-by downloads;

  • Malvertising campaigns;

  • SMS messages (when targeting mobile devices);

  • Botnets;

  • Self-propagation (spreading from one infected computer to another); WannaCry, for instance, used an exploit kit that scanned a user’s PC, looking for a certain vulnerability, and then launched a ransomware attack that targeted it.

  • Affiliate schemes in ransomware-as-a-service. Basically, the developer behind the ransomware earns a cut of the profits each time a user pays the ransom.

Crypto-ransomware attacks employ a subtle mix of technology and psychological manipulation (also known as social engineering).

These attacks get more refined by the day, as cyber criminals learn from their mistakes and tweak their malicious code to be stronger, more intrusive and better suited to avoid cyber security solutions. The WannaCry attack is a perfect example of this since it used a wide-spread Windows vulnerability to infect a computer with basically no user interaction.

That’s why each new variant is a bit different from its forerunner. Malware creators incorporate new evasion tactics and pack their “product” with piercing exploit kits, pre-coded software vulnerabilities to target and more.

For example, here’s how online criminals find vulnerable websites, inject malicious JavaScript code into them and use this trigger to redirect potential victims to infected websites.

How do ransomware infections happen?

Though the infection phase is slightly different for each ransomware version, the key stages are the following

 

  • Initially, the victim receives an email which includes a malicious link or a malware-laden attachment. Alternatively, the infection can originate from a malicious website that delivers a security exploit to create a backdoor on the victim’s PC by using a vulnerable software from the system.

  • If the victim clicks on the link or downloads and opens the attachment, a downloader (payload) will be placed on the affected PC.

  • The downloader uses a list of domains or C&C servers controlled by cyber criminals to download the ransomware program on the system.

  • The contacted C&C server responds by sending back the requested data.

  • The malware then encrypts the entire hard disk content, personal files, and sensitive information. Everything, including data stored in cloud accounts (Google Drive, Dropbox) synced on the PC. It can also encrypt data on other computers connected to the local network.

  • A warning pops up on the screen with instructions on how to pay for the decryption key.

 

Everything happens in just a few seconds,

so victims are completely dumbstruck as they stare at the ransom note in disbelief.

Conclusion

Ransomware brought extortion to a global scale, and it’s up to all of us, users, business-owners and decision-makers, to disrupt it.

We now know that:

  • creating malware or ransomware threats is now a business and it should be treated as such;

  • the“lonely hacker in the basement” stereotype died a long time ago;

  • the present threat landscape is dominated by well defined and well-funded groups that employ advanced technical tools and social engineering skills to access computer systems and networks;

  • even more,cyber criminal groups are hired by large states to target not only financial objectives, but political and strategic interests.

 

We also know that we’re not powerless and there’s a handful of simple things we can do to avoid ransomware. Cyber criminals have as much impact over your data and your security as you give them.

 

Stay safe and don’t forget the best protection is always a backup!

bottom of page