An In-Depth Look at Ransomware
What is Ransomware?
Ransomware is a generic term for a family of malware which, once active on your systems, searches for documents and pictures and encrypts them. Once the encryption is done, the malware leaves a note with instructions on how to pay the attacker to receive a key that allows decryption of your files. These tools encrypt not only your local files, but can also attack any mapped network drives and sometimes connected cloud storage solutions.
Some notable examples of ransomware are:
Reveton – One of the first examples of ransomware to hit the scene, this malware didn’t encrypt files but rather blocked internet access with a fake law enforcement warning demanding payment to restore access.
CryptoLocker – One of the most recognizable versions of this type of attack, it was first reported in late 2013 and was one of the first to employ the encryption/ransom technique. Originally, it also claimed to allow only 72 hours before the decryption key was permanently deleted.
Cryptowall – One of the most recent variants in this family, Cryptowall first appeared in 2014. It employed more sophisticated attack methods and techniques to hide itself from anti-malware engines. Cryptowall also attempts to delete volume shadow copies of files, which are a common means of recovery.
To decrypt your files, most of these tools require payment using either cash cards or bitcoins. Many operate out of TOR websites in an effort to obfuscate their identities. Payments typically range from $200 to $500, though there are many variations that require different amounts of money. Once paid, a decryption key should be sent that can be used to recover your files.
Ransomware is a growing avenue for criminal enterprise. The FBI reported in January 2015 that over 1000 cases had been reported in the United States, with estimated losses nearing 18 million. There are certainly many more who didn't report their infections and the overall losses are probably much higher.
How does Ransomware Work?
Ransomware packages are delivered just like many other types of malware. They can enter your system through email, malicious websites, malicious packaged software, etc. There's also been a trend of droppers - a malicious program that doesn't carry any payload of its own, but rather infects a system and then downloads a payload via command and control servers. These infect a system and may lie dormant for some time before downloading and installing the ransomware payload.
Once the software has infected the system, it begins to systematically crawl the file system, typically looking for documents (word, excel, powerpoint) and images (jpeg, gif, png). When these files are found, it then encrypts them and deletes the originals. Once a directory is completed, the notice is dropped in the form of a text file with instructions on how to send payment to decrypt the files. Each folder that's encrypted will receive one of these instruction files.
Depending on the variant of ransomware you are infected with, it can also perform a variety of other malicious activities. These activities can include, but aren't limited to: disabling anti-malware software, altering firewall rules, deleting backups and volume shadow copies of files, browser hijacking and Bitcoin theft.
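The behaviour described above (documents replaced by ciphertext, one instruction file dropped per folder) leaves a detectable footprint on disk. The following script is an added example, not part of the original article: it walks a directory tree and flags document/image files whose header no longer matches their extension and whose content has ciphertext-like entropy, plus any .txt filename that repeats across many folders. The sample tree, the MAGIC table and the thresholds are constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter

# Expected leading bytes for the document/image types the article names as
# targets; a file with this extension but a different header is suspicious.
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
         ".doc": b"\xd0\xcf\x11\xe0", ".jpg": b"\xff\xd8\xff",
         ".png": b"\x89PNG", ".gif": b"GIF8"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def scan_tree(root: str, note_threshold: int = 3):
    """Return (suspect_files, note_names).
    suspect_files: document/image paths whose header does not match the
      extension and whose first 4 KiB has entropy above 7.5 bits/byte.
    note_names: .txt filenames present in >= note_threshold directories,
      matching the one-instruction-file-per-folder pattern."""
    suspects, txt_dirs = [], Counter()
    for dirpath, _, files in os.walk(root):
        txt_here = set()
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext == ".txt":
                txt_here.add(name)
            elif ext in MAGIC:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    head = fh.read(4096)
                if not head.startswith(MAGIC[ext]) and entropy(head) > 7.5:
                    suspects.append(os.path.join(dirpath, name))
        txt_dirs.update(txt_here)  # count each note name once per directory
    notes = sorted(n for n, c in txt_dirs.items() if c >= note_threshold)
    return sorted(suspects), notes

def build_sample_tree() -> str:
    """Constructed fixture (not real malware output): three folders whose
    document was replaced by random bytes plus a dropped note, one clean folder."""
    root = tempfile.mkdtemp(prefix="rw_demo_")
    for sub in ("Finance", "HR", "Photos"):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "report.docx"), "wb") as fh:
            fh.write(os.urandom(4096))  # stands in for ciphertext
        with open(os.path.join(root, sub, "HOW_TO_DECRYPT.txt"), "w") as fh:
            fh.write("constructed ransom note placeholder\n")
    os.makedirs(os.path.join(root, "Clean"))
    with open(os.path.join(root, "Clean", "notes.docx"), "wb") as fh:
        fh.write(b"PK\x03\x04" + b"\x00" * 4092)  # genuine OOXML header
    with open(os.path.join(root, "Clean", "readme.txt"), "w") as fh:
        fh.write("ordinary text file\n")
    return root
```

Running `scan_tree(build_sample_tree())` reports the three replaced report.docx files and the single repeated note name, while the clean folder produces no hits; in production the same check can be scheduled against file shares to catch an infection early.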
According to reports, most victims who pay the ransom do receive the keys they paid for, and many are able to pay past a deadline and still receive keys. There's never any guarantee when dealing with a criminal element, but ultimately these thieves require a certain level of trust to continue making money. Many have even gone as far as to set up support portals and have online staff to assist victims in paying and recovery.
How can I Protect Myself?
As with any malware defense, there are a few basic techniques that will help prevent infection. There are also some specific steps you can take for Cryptowall/Cryptolocker that will help prevent infection. Some of these steps may impact other applications on your systems, so always be sure to fully test new policies before enterprise-wide enforcement.
Ensure current anti-malware/anti-virus software is installed on your computers and regularly updated
Enable E-mail filters to inspect and block suspicious messages
Don't download and run programs from unknown sources. If possible in your environment, centrally manage software installation
Clean up known malware infections quickly even if they appear to be less important. Many times a dropper infection can be leveraged into a ransomware attack
Utilize Windows local security policy or Group Policy to restrict software execution. Bleeping Computer has an excellent guide on how to implement this approach on your assets. You can review this guide here: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#manual.
How can I Recover after a Successful Attack?
If you have a system that has been compromised by Ransomware, there are a few steps you can take to recover the encrypted data. Having quality backups is always the first/best prevention for this sort of attack. Here are a few other techniques for recovery outside of paying the ransom:
Restore from backup – If you have regular, quality backups one of the easiest solutions will be to restore your data from a current, non-encrypted, backup source.
Restore deleted files with file recovery software – Cryptowall encrypts files and then deletes the originals. In Windows, a deleted file is often still physically present on disk; the file system has merely dropped its reference to it. Recovery tools can sometimes find and restore these files. Worth noting, however, is that the longer the system was in use post-attack, the higher the chance that those deleted files will have been overwritten and will not be recoverable.
Restore from Shadow Volume Copies – Depending on which variant employed, you may be able to restore from Shadow Volume Copies. This is a difficult process and not always the most reliable, but it's an option. There is a guide on Bleeping Computer that gives a good rundown on how this restoration works: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#shadow
Restore from Cloud Storage – If you employ a cloud storage service, your files may be synced online and able to be restored from there. There's a chance, however, that ransomware has encrypted those as well. In that case, typically, you can log into your cloud storage provider and restore previous versions of the files back from before they were encrypted. Contact your cloud storage support for instructions on how to accomplish this.
Decrypt files using online tools – Over the last year, a couple of command and control servers for ransomware have been taken down by law enforcement. When confiscated, these servers revealed the encryption and decryption keys in use by that variant of ransomware. These keys have been collected by Kaspersky and they've set up a site to allow you to search and see if your system has been encrypted with one of the keys. You can view this tool and check your files here: https://noransom.kaspersky.com/
Do you like to write about your infosec knowledge, skills, opinions, or exploits?
Publish your original research, tutorials, articles, or other written content on Cybrary's blog to be seen by thousands of infosec readers daily!