Information Hub‎ > ‎The Bad Guys‎ > ‎

Ransomware

Updated 06/04/2016


  Ransomware is malware
  (hostile software that enters
  your computer) that "carries a
  gun" by holding your computer
  files at hostage by encrypting
  items until you pay the funds in
  the manner they demand,
  usually Bitcoins to remove any
  risk of being traced back to
  those responsible or those
  making the demands.
  

To provide an incentive, the longer you wait the more you loose and the financial demands remain the same.  While companies have been impacted so have individuals.  CNN reported $209 Million was collected by the "Bad Guys" in the first quarter of 2016 with an expected $1,000 Million to be collected in 2016.  Attacks in the first quarter of 2016 were 4 times that of 2015.

In Feb 2016, the Hollywood Presbyterian Medical Center paid $17,000 in bitcoins to recover their data.  Even when paying their is no assurance their data will be recovered "as it was" and not altered during the decryption process.  The "Bad Guys" make no representation of "100% good as it was or your money back".  Victims could pay and still not get their data back completely or potentially at all.

Despite stories in the past, Android and Mac systems are being targeted.  No computing platform has immunity from these attacks.  Any security gap will be exploited.  Mobile devices have escalated the risk of malware attacks.

For those who go into unknown places and/or click on anything, this is potentially part of your future.  Consider changing your behaviors.

Payment is often demanded in Bitcoins as the transfer is untraceable and places it outside of bank and law enforcement control or monitoring.  Discounts or release of your software without payment are not extended to those who are unemployed, no money, or other personal matters.

Here are some of the Ransomware that is out there:

Jigsaw
Deletes files at regular intervals to increase the urgency to pay ransom faster.  Jigsaw ransomware operates like this:  for every hour that passes in which victims have not paid the ransom, another encrypted file is deleted from the computer, making it unrecoverable even if the ransom is paid or files decrypted via another method.  The malware also deletes an extra 1,000 files every time victims restart their computers and log into Windows.

Petya
Encrypts entire drives, Petya ransomeware encrypts Master File Table.  This table contains all the information about how files and folders are allocated.

RansomWeb, Kimcilware
Encrypting web servers data.  RansomWeb, Kimcilware are both families that take this unusual route - instead of going after users’ computers, they infect web servers through vulnerabilities and encrypt website databases and hosted files, making the website unusable until ransom is paid.

DMA Locker, Locky, Cerber and CryptoFortress
Encrypting data on network drives, even on those that are not mapped. DMA Locker, Locky, Cerber and CryptoFortress are all families that attempt to enumerate all open network Server Message Block (SMB) shares and encrypt any that are found.

Maktub
Maktub ransomware compresses files first is to speed up the encryption process.

Not safe in the cloud
Deleting or overwriting cloud backups. In the past, backing up your data to cloud storage and file shares was safe. However, newer versions of ransomware have been able to traverse to those shared file systems making them susceptible to the attack.

SimpleLocker
Targeting non-Windows platforms.  SimpleLocker encrypts files on Android, while Linux.Encode.1 encrypts files on Linux, and KeRanger on OSX.

Cerber
Using the computer speaker to speak audio messages to the victim.  Cerber ransomware generates a VBScript, entitled “# DECRYPT MY FILES #.vbs,” which allows the computer to speak the ransom message to the victim.  It can only speak English but the decryptor website it uses can be customized in 12 languages.  It says “Attention! Attention! Attention!”  “Your documents, photos, databases and other important files have been encrypted!”

Tox
Ransomware as a service is a model offered on underground forums networks.  It will provide the malicious code and infrastructure to facilitate the transfer of funds and the encryption key for the victim to be able to access their information.  Tox ransomware does this.


The simple lesson from this is stop engaging in risk behavior using your on-line and computing devices unless you like small, lightweight and expensive metal paperweights.

Being aware of where you are pointing your browser and smart browsing practices are important along with insuring your security, anti-virus and anti-malware software, including your operating systems are all kept up to date.  It is not uncommon for some of these products to release updates daily.  But these updates to NOT insure complete protection in preventing attacks as malware attacks are becoming smarter and hackers are finding new ways to penetrate and people are not being smart in how and where they use their computers.  Remember that mobile devices may have the least protection not from having less protection but from the busy lives these users have and thus may not be focused on thinking security but more on quick and easy access.  Any malware from your mobile device can potentially be transfered to your computers as a "trusted source" of security.

Ideas for protecting yourself beyond not doing stupid things?
  1. A storage backup device is not free but neither is the software and data you have that is at potential risk.  Currently a 5 Terabyte (5,000 Gigabytes) using a USB 3.0 connection can be obtained, with some shopping, for about $135 including tax.
    For many this should be sufficient storage.  Enlist the help of a computer guru to
    "partition" your backup device to isolate licensed software from the operating system from your back-up files from a "Snap Backup" which is simply copy everything now.  Having a partition protects files with the same name from overwriting each other.  You can visualize this has having just one physical disk drive but making it appear there are multiple disk drives, which is exactly how the computer sees and work with partitions.

  2. Before performing a backup, run scans of your computer for potential unwanted items after updating this software.  This provides some level of comfort that you will not put software at risk on your known good software backup device.

  3. Ransomware reportedly hits quickly.  Use an external storage device for key or critical items on your computers.  Include license keys and licensed software so you can restore quickly if needed.  DO NOT keep the external storage active during normal use of your computer to avoid being impacted during an attack.  DO NOT perform backups while your computer is still connected to the Internet.