Ransomware is nothing new, but it has made a big comeback over the last few years. I have seen it gradually rise and encrypt people's laptops and servers, and I have heard of entire networks held to ransom. Due to the current rise I decided to write about it.
When was the first known encrypting ransomware discovered?
1989, the year of the "AIDS" trojan, aka "Aids Info Disk" or "PC Cyborg Trojan". It replaced the AUTOEXEC.BAT file and then counted the number of times the machine had booted; once the count reached 90 it hid directories and encrypted the names of all the files on the C: drive, rendering the system unusable. It then displayed a message asking the user to "renew the license" and contact PC Cyborg Corporation for payment, which involved sending $189 to a post office box in Panama! Like today's ransomware, more than one variant existed and different ones did slightly different things, but all with one aim: to extort money from you. AIDS actually had an end user license agreement and displayed it to the user; an excerpt can be seen below.
If you install [this] on a microcomputer…
then under terms of this license you agree to pay PC Cyborg Corporation in full for the cost of leasing these programs…
In the case of your breach of this license agreement, PC Cyborg reserves the right to take legal action necessary to recover any outstanding debts payable to PC Cyborg Corporation and to use program mechanisms to ensure termination of your use…
These program mechanisms will adversely affect other program applications…
You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement; your conscience may haunt you for the rest of your life…
and your [PC] will stop functioning normally…
You are strictly prohibited from sharing [this product] with others…
A few years later the AIDS Trojan was analysed further. Young and Yung pointed out a fatal weakness in the malware: the AIDS Trojan relied on symmetric cryptography, so the key needed to undo the damage was carried inside the trojan itself and could be recovered from it without paying. They then showed how to use public key cryptography to implement a secure extortion attack, and published and expanded on this in a 1996 IEEE Security and Privacy paper [YY96]. In their scheme a cryptovirus, cryptotrojan or cryptoworm hybrid encrypts the victim's files under a randomly generated session key, encrypts that session key with the author's public key and discards the plaintext session key; the victim must then pay to obtain the session key, which only the holder of the private key can recover. This is one of many attacks, both overt and covert, in the field known as Cryptovirology.
What is Cryptovirology?
It is the field that studies how to use cryptography to design powerful malicious software (malware). Think of Regin, Stuxnet or the DarkHotel APT, which have come from nation states, have been stealthy, and were intended to steal information or spy on users for an extended period without their knowledge; they may also be used to cause harm, and often sabotage.
The first attack that was identified was called "cryptoviral extortion". A virus, worm or trojan hybrid encrypts the victim's files, and the victim must pay the malware author to receive the session key needed to decrypt them; if there are no backups, paying is the only way to recover any data the malware has touched.
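As an added example (not from the original post, and no part of any real malware), here is Young and Yung's hybrid construction in Go using only the standard library: a per-victim AES-256-GCM session key is wrapped with RSA-OAEP under the author's public key, so the data can only be recovered by sending the wrapped key to whoever holds the private key. The AIDS-style functions model the symmetric design the same way, with the key embedded as a constant, to show why that was fatal. The document contents and the embedded key value are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// GenerateAuthorKey makes the author's key pair. Only the public key ships
// inside the malware; the private key never leaves the attacker.
func GenerateAuthorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Infect is the victim-side step: a fresh random session key encrypts the data
// and only that key is wrapped under the author's public key. Returns
// nonce||AES-GCM output and the RSA-OAEP wrapped session key.
func Infect(pub *rsa.PublicKey, plaintext []byte) (ciphertext, wrappedKey []byte, err error) {
	sessionKey := make([]byte, 32) // AES-256; exists only in memory, briefly
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	if ciphertext, err = sealAESGCM(sessionKey, plaintext); err != nil {
		return nil, nil, err
	}
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, nil, err
	}
	return ciphertext, wrappedKey, nil // the victim's machine now holds only these two
}

// Ransom is the author-side step after payment: unwrap and hand back the key.
func Ransom(priv *rsa.PrivateKey, wrappedKey []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
}

// Recover decrypts once the victim has the session key back.
func Recover(sessionKey, ciphertext []byte) ([]byte, error) {
	return openAESGCM(sessionKey, ciphertext)
}

func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func openAESGCM(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// aidsKey stands in for the fixed key the 1989 trojan carried in its own code (constructed value).
var aidsKey = []byte("PC-CYBORG-1989-CONSTRUCTED-KEY!!")

// AIDSStyleEncrypt is the purely symmetric design: one embedded key for every victim.
func AIDSStyleEncrypt(plaintext []byte) ([]byte, error) {
	return sealAESGCM(aidsKey, plaintext)
}

// AIDSStyleRecoverWithoutPaying: anyone who disassembles the binary finds
// aidsKey, so the ransom buys nothing the victim does not already have.
func AIDSStyleRecoverWithoutPaying(ciphertext []byte) ([]byte, error) {
	return openAESGCM(aidsKey, ciphertext)
}

func main() {
	priv, _ := GenerateAuthorKey()
	doc := []byte("payroll.xls contents (constructed sample)")
	ct, wrapped, _ := Infect(&priv.PublicKey, doc)
	key, _ := Ransom(priv, wrapped) // needs priv, i.e. the author's cooperation
	back, _ := Recover(key, ct)
	fmt.Println("hybrid scheme: recovered only via the author =", bytes.Equal(back, doc))
	aidsCT, _ := AIDSStyleEncrypt(doc)
	free, _ := AIDSStyleRecoverWithoutPaying(aidsCT)
	fmt.Println("symmetric scheme: recovered without paying =", bytes.Equal(free, doc))
}
```

The point of the wrapped key is that it is useless to the victim: RSA-OAEP under a 2048-bit public key cannot be inverted without the private half, and the GCM tag means a guessed session key fails authentication rather than producing garbage. Real families follow the same outline, sometimes with a per-campaign key pair or an extra layer of wrapping, which is why decryptors only appear when a private key is seized (as with Operation Tovar below) or the author made a mistake.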
What do I do if I am infected?
- Turn off your machine, disconnect it from the network and restore from a backup. If you are seeing a pop-up asking for payment then the chance of your files already being encrypted is very high, as you usually will not see the demand until the encryption process has finished.
- Alert your IT/Security department, as they will need to assess the damage and check whether the infection has spread within the company network, e.g. to network shares.
- If hit by CryptoLocker, for example, you may be able to decrypt some files with an online decryption tool such as the one by FireEye and Fox-IT, built from keys obtained during Operation Tovar, when a large coalition of law enforcement and businesses joined forces to take down the Gameover Zeus botnet, which investigators believed had been used for bank fraud and the distribution of CryptoLocker. At this point I will say don't hold your breath, as this is only for CryptoLocker and there are many, many variants out there!
How do I protect myself or users?
- Back up all your important data, or anything you do not want to lose, and make sure the backup is not left connected to your machine if you back up locally, since ransomware encrypts any attached drive it can write to. Also consider some form of online backup service for data that is really important, as you have a better chance of restoring if the service keeps previous versions of your files.
- Make sure you have up-to-date anti-virus, perhaps with other third-party tools like Malwarebytes or Spybot, and use a layered approach: an IDS and some form of packet analysis can also help with the cleanup if you need to trawl through the network and see how far the infection has spread.
- Use a standard (non-administrator) account day to day with UAC set to its highest level, and keep a separate administrator account with a different password.
- Make sure all your software is up to date; Personal Software Inspector from Secunia can help here, as it provides an effective automated patch management solution.
- Be vigilant with email and avoid clicking links in, or opening attachments from, messages from people you don't know or companies you have not previously done business with.
- Don't use Internet Explorer; use Firefox or Chrome with a plugin like NoScript so you can judge for yourself what is and is not allowed to run in your browser. I have been using this for years and it is very effective and quite possibly the best protection for blocking malicious payloads from being delivered to your system from within the browser.
- Drive-by downloads are a common form of infection; as in the previous point, use NoScript to protect against them. Just don't allow scripts to run globally and you should be OK.
- Show file extensions in Windows Explorer (they are hidden by default for known file types), so that an email attachment named "super_secret.PDF.EXE" raises concerns. This still requires vigilance, and with some proper spear phishing you may not notice and click it regardless; at that point just turn off your machine and disconnect it from the network.
- Disable files from running in the AppData or LocalAppData folders. This can be done in one of two ways: manually, with a Software Restriction Policy path rule, or with an automated tool that sets the same rules for you.
- Disable RDP (Remote Desktop) if you do not need it, on XP, 7, 8 and 8.1 alike.
There is quite possibly more you could do to protect yourself, but inform the user: provide some form of user awareness training about the dangers of email and test your users internally. Yes, I know that sounds a bit cruel, but it is a very good way to make them learn.
Users are your weakest link. You can have the best endpoint protection in place, but without a signature for the latest variant of ransomware or other malware you will find yourself infected again. It is your responsibility to inform your users, and if you don't then don't blame them; they don't know any better. Just because you know doesn't mean everyone does, so spread awareness and watch the infections fall.
Before I let you go I would like to make you aware of the latest attack vector coming your way: RansomWeb, so named because of its similarities to ransomware, such as extorting money after encrypting your database, think Personally Identifiable Information (PII), credit cards, etc.
File integrity monitoring is the trick to detecting RansomWeb, but web application providers do not always have it in place, so it may be some time before this becomes a reality; when it gets out of control, providers will be reactive rather than proactive to the latest threat.
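An added example (not from the original post) of what file integrity monitoring means in practice, written in Go with the standard library: take a baseline of SHA-256 hashes per file, rescan, and report added, removed and modified files. It also records each file's Shannon entropy, so a modified file that went from low to high entropy is singled out as a likely encryption victim; that goes a little beyond plain integrity monitoring, but it is the signal you want on a file server or share when ransomware is the concern. The sample tree, file contents and the 7.0 bits/byte threshold are constructed assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"math"
	"os"
	"path/filepath"
	"sort"
)

// Fingerprint: SHA-256 of the content plus its Shannon entropy (bits/byte), which heads towards 8 once encrypted.
type Fingerprint struct {
	Hash    string
	Entropy float64
}

// Report lists the differences between two scans. Suspicious holds modified
// files whose content went from low to high entropy, the ransomware signal.
type Report struct {
	Added, Removed, Modified, Suspicious []string
}

// EntropyThreshold is an assumed cut-off: documents sit well below it, ciphertext well above.
const EntropyThreshold = 7.0

func shannonEntropy(data []byte) float64 {
	var counts [256]float64
	for _, b := range data {
		counts[b]++
	}
	n, h := float64(len(data)), 0.0
	for _, c := range counts {
		if c > 0 {
			h -= c / n * math.Log2(c/n)
		}
	}
	return h
}

// Baseline fingerprints every regular file under root, keyed by relative path.
func Baseline(root string) (map[string]Fingerprint, error) {
	out := map[string]Fingerprint{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		sum := sha256.Sum256(data)
		out[rel] = Fingerprint{hex.EncodeToString(sum[:]), shannonEntropy(data)}
		return nil
	})
	return out, err
}

// Diff compares a stored baseline against a fresh scan of the same tree.
func Diff(old, cur map[string]Fingerprint) Report {
	var r Report
	for path, fp := range cur {
		prev, seen := old[path]
		switch {
		case !seen:
			r.Added = append(r.Added, path)
		case prev.Hash != fp.Hash:
			r.Modified = append(r.Modified, path)
			if prev.Entropy < EntropyThreshold && fp.Entropy >= EntropyThreshold {
				r.Suspicious = append(r.Suspicious, path)
			}
		}
	}
	for path := range old {
		if _, ok := cur[path]; !ok {
			r.Removed = append(r.Removed, path)
		}
	}
	for _, l := range []*[]string{&r.Added, &r.Removed, &r.Modified, &r.Suspicious} {
		sort.Strings(*l) // deterministic output regardless of map order
	}
	return r
}

// main: constructed sample tree, one file overwritten with random bytes (standing in for ciphertext).
func main() {
	dir, _ := os.MkdirTemp("", "fim")
	defer os.RemoveAll(dir)
	os.WriteFile(filepath.Join(dir, "notes.txt"), []byte("meeting notes, constructed sample\n"), 0o600)
	before, _ := Baseline(dir)
	junk := make([]byte, 4096)
	rand.Read(junk)
	os.WriteFile(filepath.Join(dir, "notes.txt"), junk, 0o600)
	after, _ := Baseline(dir)
	fmt.Printf("%+v\n", Diff(before, after))
}
```

In production the baseline would be stored off-box and signed, since a ransomware process that can write your documents can usually write a local baseline too, and a burst of Suspicious entries across many files in a short window is what should page someone: one changed spreadsheet is normal, fifty that all became high-entropy in a minute is not.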
It is also hard to gauge how successful RansomWeb will be, but if ransomware is anything to go by, threat agents will find a way to make it a lucrative business and start reeling in the money.
Finally, the way I see this moving in your internal network is as follows:
- System is infected.
- Held to Ransom with a timer.
- The timer runs out, you haven't paid the ransom, and you get a system wipe (destructive malware, a wiper). You have already lost your data once it is encrypted, but this just puts the final nail in the coffin.
Why do I think this? Well, just look at the Sony hack before Christmas, when exactly that happened to them. According to the FBI it was North Korea who did this, but the smell of an inside job is so strong that I am not even going to get into it here, as it is another article in itself.
What we learned, though, is that 100 TB+ was exfiltrated from their network, a ransom was demanded and refused, and then their systems were wiped and staff were forced to use pen and paper to carry out their work. Would you be able to sustain such a hit to your business?
I also feel this is just another way to invoke more stringent regulations on the internet. We will see how true this is, but when "North Korea" is apparently hacking your country and "Cyber Terrorism" and "Cyber War" are being thrown around, you have to STOP, LISTEN, LOOK and then make your own educated judgement. Don't believe all the hype, as the media likes to bite on certain things and make them sound far worse than they actually are.