Cyber criminals are constantly looking for ways to develop more complex malware. Evolution is the key to survival, because antivirus research, analysis, countermeasures and public awareness blunt a malware family's effectiveness and limit its spread.

Ransomware is malware that stops users from using their PC: it holds important data files for ransom. The most common ransomware is known as CryptoLocker. Released in September 2013, CryptoLocker targets all versions of Windows. This trojan encrypts almost all files using a combination of RSA and AES encryption. When the encryption is over, the computer and its software keep working, but the personal files, such as documents, spreadsheets and images, are encrypted.

This threat is pervasive and preys on a victim's biggest fear: losing their valuable data. Unlike earlier ransomware that locked the operating system but left data files alone and usually recoverable, CryptoLocker makes extortion more effective because there is no way to retrieve the encrypted files without the attacker's private key.

How does ransomware work?

Ransomware, like other malware, can arrive in a variety of ways. In most instances, however, it propagates as an attachment to a seemingly innocuous e-mail message that appears to have been sent by a legitimate company. The attachment is an executable file whose filename and icon are disguised as a PDF or Microsoft Office document; it takes advantage of Windows' default behaviour of hiding known file extensions to conceal the real .exe extension. Ransomware may also be downloaded automatically when a user visits a malicious website or a legitimate website that has been hacked.
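As an added example (not part of the original post), the following Python code applies the hidden-extension check described above to a list of attachment filenames: it reports every attachment whose real, last extension is executable and flags those that carry a document extension in front of it, the way the disguised attachments do. The attachment names are constructed; the extension sets are this example's own assumptions about which types count as executable and document-like.

```python
import os

# Extensions Windows runs directly (assumed set for this example). Whatever
# precedes one of these in a filename, the file is a program.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Document types the disguised attachments imitate (PDF / Office icons).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}


def displayed_name(filename):
    """Name as Explorer shows it with 'Hide extensions for known file types'
    on: the last extension is dropped, so 'bill.pdf.exe' appears as 'bill.pdf'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify_attachment(filename):
    """Return 'ok', 'executable' or 'disguised-executable'."""
    name = filename.strip().lower()
    stem, real_ext = os.path.splitext(name)
    if real_ext not in EXECUTABLE_EXTS:
        return "ok"
    # The real extension is executable; check whether a document extension
    # sits in front of it to exploit the hidden-extension display.
    _, inner_ext = os.path.splitext(stem.rstrip())
    if inner_ext in DOCUMENT_EXTS:
        return "disguised-executable"
    return "executable"


def scan_attachments(filenames):
    """Return (filename, name_as_displayed, verdict) for every attachment
    that is executable, disguised or not."""
    findings = []
    for fn in filenames:
        verdict = classify_attachment(fn)
        if verdict != "ok":
            findings.append((fn, displayed_name(fn), verdict))
    return findings


# Constructed sample attachment names (not taken from the original post).
SAMPLE_ATTACHMENTS = ["quarterly-report.xlsx", "Invoice_2013-09.pdf.exe",
                      "scan0042.doc.scr", "setup.exe", "README"]

if __name__ == "__main__":
    for fn, shown, verdict in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{fn!r} is shown to the user as {shown!r}: {verdict}")
```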


When first run, the payload installs itself in the user profile folder and adds a registry key that causes it to run at start-up. It then attempts to contact one of several designated command and control servers; once connected, the server generates an RSA key pair and sends the public key back to the infected computer.


The payload then encrypts files across local hard drives and mapped network drives with the public key, and logs each encrypted file to a registry key. The process only encrypts data files with certain extensions, including Microsoft Office documents, pictures and other multimedia files. The payload then displays a message informing the user that their files have been encrypted and demands a ransom, failing which the private key on the server will be destroyed and "nobody and never will be able to restore files."


What can users do to prevent these threats from affecting their computers?

The preventive measures listed below can reduce the risk of a ransomware infection.

  1. Do NOT open attachments from unknown senders. While we have seen ransomware attacks sourced from watering-hole attacks or social harvesting attacks, the vast majority arrive by e-mail via spear-phishing attacks.
  2. Show hidden or known file extensions.
  3. Turn on the pop-up blocker and set it to high.
  4. To reduce the impact of an infection, schedule backups of important files to another storage location.
  5. Do not click on links that seem suspicious.
  6. Do not allow software whose origin you do not know to be installed on your system.
  7. Keep endpoint security software up to date.
  8. Keep endpoint signatures up to date.
  9. Virtualize or completely disable Flash, as it has been repeatedly used as an infection vector.
  10. Use iSheriff Web, Endpoint and Email Security to protect possible infection vectors. iSheriff Email Security is currently catching these attacks before they reach the endpoint.
  11. Enable software restriction policies. System administrators can use Group Policy objects to block executables from running from specific locations. This is only possible on Windows Professional or Windows Server editions. The Software Restriction Policies option is found in the Local Security Policy editor. After clicking New Software Restriction Policies, add the following Path Rules under Additional Rules with the security level set to Disallowed:

      - "%username%\Appdata\Roaming\*.exe"
      - "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe"
      - "C:\<random>\<random>*.exe"
      - "%temp%\*.exe"
      - "%userprofile%\Start Menu\Programs\Startup\*.exe"
      - "%userprofile%\*.exe"
      - "%username%\Appdata\*.exe"
      - "%username%\Appdata\Local\*.exe"
      - "%username%\Application Data\*.exe"
      - "%username%\Application Data\Microsoft\*.exe"
      - "%username%\Local Settings\Application Data\*.exe"
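To check candidate file paths against such rules before rolling them out, here is an added Python simulation (not part of the original post, and not Windows' own policy engine) that expands the environment variables in a subset of the Disallowed rules above and reports which rule, if any, blocks a given path. It assumes a constructed user environment and treats `*` as matching within a single folder only; the wildcard semantics of the real policy engine are not covered by this post.

```python
import ntpath
import re

# Path rules from the list above, enforced at the Disallowed level. The
# %username% rules are left out: that variable expands to a bare user name
# rather than a folder, so as written they cannot match an absolute path.
DISALLOWED_RULES = [
    r"%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe",
    r"%temp%\*.exe",
    r"%userprofile%\Start Menu\Programs\Startup\*.exe",
    r"%userprofile%\*.exe",
]

# Constructed environment of one user (not from the original post).
ENV = {
    "USERPROFILE": r"C:\Users\alice",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}


def expand_env(rule, env):
    """Expand %VAR% references case-insensitively, as Windows does;
    unknown variables are left in place."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), rule)


def rule_to_regex(rule, env):
    """Compile a path rule to an anchored, lower-cased pattern.
    Assumption of this simulator: '*' matches any characters except a
    backslash, so a wildcard rule covers one folder, not its subfolders."""
    expanded = ntpath.normpath(expand_env(rule, env)).lower()
    body = "".join(r"[^\\]*" if c == "*" else re.escape(c) for c in expanded)
    return re.compile("^" + body + "$")


def is_disallowed(path, rules=DISALLOWED_RULES, env=ENV):
    """Return the first rule that blocks `path`, or None if it may run."""
    candidate = ntpath.normpath(path).lower()
    for rule in rules:
        if rule_to_regex(rule, env).match(candidate):
            return rule
    return None


def audit(paths, rules=DISALLOWED_RULES, env=ENV):
    """Map each candidate path to the rule that blocks it (or None)."""
    return {p: is_disallowed(p, rules, env) for p in paths}
```

The `%temp%` and `%userprofile%` rules are the ones that matter for a payload dropped into the user profile folder, as described above; `audit()` lets an administrator confirm that legitimate programs under other locations are left alone.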


Should I pay the ransom?


Because the private key needed to unlock the encrypted files is only available from the cyber criminal, users may be tempted to buy it and pay the exorbitant fee. However, you should never pay a ransom. Paying cyber criminals only encourages more malware campaigns, and there is no guarantee that payment will lead to the decryption of your files.

