The fight against Ransomware, who is there to help?
One of the biggest threats in our current IT environment is one that we find hard to cope with. IT organisations around the world struggle to keep infections small and are looking for solutions to stop them before the infection takes place. In my job as a consultant I talk to many people, and so far every one of the organisations I’ve spoken to got infected at least once last year.
I have to say I wasn’t that aware of the issue. I knew it was there, but not that it was already hitting with that much impact. You think that infections come from “unsafe” contact, so that in some way it’s a user browsing a dodgy site where they picked up the infection. Bad luck, your own fault. This is different; this happens more sneakily, where people are sent what seem to be legitimate documents that are infected. Once they open such a document, something executes, in memory or on disk, and it spreads and starts to encrypt.
We’ve seen this before with viruses; they used to be pretty damn hard to get rid of. Every freaking time a user would call with the same issue. If I look back over the course of the past 10 years I think we dealt with viruses pretty well. Nowadays they are no longer the threat they used to be: virus scanners have improved a lot, management solutions made their way onto the desktop, and together they prevented viruses from executing and spreading.
The new type of virus is ransomware; it is different and harder to stop. It is also more damaging, because you need a key to decrypt the files, and without that key those files have to be restored from backup or are lost. So we have to learn how to stop them, again… that’s life, you learn, you fall, you get up and you learn.
So let’s dive into this world of ransomware. This first article is an overview; I will write a few more looking at different products and exploring how we can handle this. For me this is as much a journey into the unknown as it is perhaps for many of you: I have ideas on how to handle this but never really looked into them. A few conversations in the last 6 months got me interested.
Before you can find a solution for an issue you need to understand what it is you’re talking about. So let’s see how ransomware is defined, what are we talking about? Ransomware is there to scare people into paying a certain amount of money; it’s so-called “scare-ware” or “scam-ware”. Before we had ransomware we had the e-mails from the lawyers who had a lot of money they wanted to put into your bank account. Those techniques we have learned already, so now we’re in for a new treat.
Quote from the Trend Micro site: Ransomware is considered a “scareware” as it forces users to pay a fee (or ransom) by scaring or intimidating them. In this sense, it is similar to the FAKEAV malware, though using a different tactic. Instead of capturing the infected system or encrypting files, FAKEAV coax users into purchasing their bogus antimalware software by showing fake antimalware scanning results.
Quote from Wikipedia site: Ransomware is a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction.
How do you get infected?
Infections are not that different from viruses, or perhaps they are a bit. Let me explain. Viruses and ransomware are hidden in websites, advertisements, any kind of file type you open. It might be that you open a Microsoft Word document and are asked to enable macros. The minute you do so, the code that was hidden there, unable to execute, is given permission (by you) to execute. Depending on the sort of virus or ransomware, it will do its damage.
Macros in Microsoft Word are not the only source of course, although you should disable them if you don’t need them. Make sure only the ones from a location you trust are trusted – and still you are not 100% safe 🙁
Ransomware can be hidden in any kind of file type; there is no file type that can’t be infected. Imagine a simple PDF file. In a PDF you can add links and other active content. Once you open the PDF and access what is offered you might be executing it, and you’re in trouble.
The evolution of ransomware is the scariest part of it: they evolve into more advanced viruses, making them harder to find or stop. Most ransomware infections were Java code or executables running on your machine. New ransomware uses PowerShell, which is installed by default in the new Windows operating systems. PowerShell is powerful and too easy for them to access.
…and to scare you more… last week 288 Dutch news sites were infected. 288 news sites that had an advertisement of some kind online that got code injected into it, and everyone on the site who clicked the advertisement got infected. Think about it. By the way, my advertisements – click them – are safe; I host them myself, so they are not generated automatically as on most news sites. I run ad-blockers because I don’t care about advertisements, but most people don’t, I think, and are vulnerable to this.
Generally speaking you should not click on just everything; perhaps you miss a good video, but at least you’re not that vulnerable to infections. Most “harmless” infections (not even talking about ransomware) come from these videos and stupid sites that lure you with half-naked women and clever titles.
Can you recover?
Once you are infected you have a hard time getting back to normal. If you have a backup of the files you might be able to restore, but backups are not made every minute, so you will lose information. If you follow the directions on the screen you have a chance of receiving a key to decrypt the files; there is no guarantee, however, that you will. Perhaps accepting that you lost some work and restoring is the best option here.
Files are encrypted with AES encryption. AES uses symmetric keys, in other words one key is used both to encrypt and to decrypt. More advanced ransomware uses RSA encryption, which is more of an issue, as RSA is asymmetric key cryptography. RSA works with two keys: one publicly available for anyone to use to encrypt the files, and one secret one that you need to decrypt them. If you don’t have the secret key, you can’t decrypt. If you paid money and they don’t give you the key, you are lost.
If you combine the two, it’s another matter. I was reading on the Trend Micro site that they found a crypto locker that used RSA+AES together. The files are encrypted with an AES key, and the key needed to decrypt them is stored in the encrypted file. That key is in turn encrypted with RSA, to make it more fun.
Lastly for this article: there are several variants of ransomware. Trend Micro has a very extensive list of ransomware; scroll down to see the whole list – link here – Look through them and learn their behaviour.
According to some sites, a couple of ransomware families are active at the moment:
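Here is the RSA+AES combination described above as a runnable Go program. This is an example added to this post, not code from the article or from any product it mentions; it uses only the Go standard library (AES-256-GCM for the data, RSA-OAEP to wrap the AES key), a constructed sample string instead of a real file, and the type, field and function names are this example’s own. It shows why having a copy of the malware, or of the public key, does not help: only the holder of the matching RSA private key can unwrap the AES key, and any other private key fails at that first step.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope mirrors the layout the article describes: the data is encrypted with a
// one-off AES key, and that AES key travels with the data, itself encrypted under
// the operator's RSA public key. Names and layout are this example's own.
type Envelope struct {
	WrappedKey []byte // the AES key, encrypted with RSA-OAEP
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // the data, encrypted with AES-256-GCM
}

// SealEnvelope encrypts plaintext under a fresh random AES-256 key and wraps that
// key with pub. Only the public key is needed here, which is why a sample of the
// malware gives an analyst nothing to decrypt with.
func SealEnvelope(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// OpenEnvelope is the step the victim is asked to pay for: the RSA private key
// unwraps the AES key, and only then can the data be decrypted.
func OpenEnvelope(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrapping AES key failed (wrong private key?): %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Demo seals a constructed sample, then shows the two outcomes that matter to a
// defender: a non-matching private key cannot unwrap the AES key at all, and the
// matching one recovers the data exactly.
// It returns (recoveredWithRightKey, failedWithWrongKey, error).
func Demo() (bool, bool, error) {
	sample := []byte("constructed sample: Q3 budget draft, do not distribute")
	operator, err := rsa.GenerateKey(rand.Reader, 2048) // never leaves the attacker
	if err != nil {
		return false, false, err
	}
	env, err := SealEnvelope(&operator.PublicKey, sample)
	if err != nil {
		return false, false, err
	}
	// The victim holds env and, at best, the public key. Any other private key
	// (here a freshly generated one) is rejected at the RSA step.
	stranger, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	_, wrongErr := OpenEnvelope(stranger, env)
	got, err := OpenEnvelope(operator, env)
	if err != nil {
		return false, false, err
	}
	return bytes.Equal(got, sample), wrongErr != nil, nil
}

func main() {
	ok, wrongFails, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with operator key: %v, wrong key rejected: %v\n", ok, wrongFails)
}
```

The practical lesson is in the last function: the encrypted data and the wrapped key are of no use without the one private key the operators keep, so the recovery plan has to be offline backups and preventing the execution in the first place, not cryptanalysis after the fact.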
- CryptoLocker, around since 2013
- CryptoWall, around since 2013, now at 4.0
- TorrentLocker, around since 2014
- CTB-Locker, being sold since 2014
- TeslaCrypt, around since 2015, now evolving to 3.0
In my next article I will look at different products that claim to handle ransomware.
Never open e-mail attachments if you are not 100% sure that they are safe. That might be difficult to keep up, but it is one of the things that keeps infections out the door. For more advanced methods and tools to help you, I will continue my search in my next article. Stay tuned and stay safe.