Ransomware – Current Variants and Security Best Practices: Part 1 of 2

CryptoLocker ransomware was first identified in 2013 and has since become one of the most damaging and widespread threats we face today. New variants arrive in constant waves, all with the common goal of extorting money from business and home users. Cyber criminals now assess the value of the data they encrypt, and ransom demands are growing accordingly. There is evidence that financial and medical institutions will be increasingly targeted, but that is not to say the threat will slow down for other businesses or home users any time soon.

The current ransomware families such as CryptoWall, TeslaCrypt and Locky tend to arrive as an email from what appears to be a legitimate sender with an attached document (often presented as an invoice). The attachment is an MS Word or Excel document with an embedded macro, or a .zip file that contains one.

When launched:

  • The attachment runs and attempts to download the actual ransomware payload from a list of web addresses that only exist briefly
  • It keeps trying until it reaches an address that is still up and is able to download the payload
  • The ransomware then executes and contacts the attacker’s command and control server
  • It sends information about the infected computer and receives a public key generated for this computer (the matching private key stays on the attacker’s server)
  • Files on the local computer are then encrypted along with any accessible network drives
  • The most current variants also delete the Windows Volume Shadow Copies (the operating system’s automatic file-version backups) so that files cannot be restored from them
  • At this point, a message appears on the user’s desktop explaining how to pay the ransom (currently the typical demand is $200 – $500 in bitcoins)
  • Often the attacker sets a deadline; if it passes unpaid, the private key is destroyed and the files cannot be recovered
  • The ransomware then deletes itself, leaving only the encrypted files and the ransom notes
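Deleting shadow copies is the one step in the chain above that has to go through built-in Windows administration tools, which makes it a reliable detection point on the host. As an added example for this post (not code from the original), here is a Python scanner that runs a few command-line rules over process-creation events and rates a host ‘high’ when several distinct destructive commands appear on it. The log format (timestamp|host|user|parent image|image|command line), host names, user names and paths are constructed for the example; the backup-agent line shows a legitimate vssadmin create shadow that must not alert.

```python
import re
from typing import Dict, List, Optional

# Command lines that ransomware issues to destroy Volume Shadow Copies or cripple Windows
# recovery. Only the tool and the destructive verb are anchored, because switches such as
# /all /quiet can appear in any order and in any case.
SHADOW_TAMPER_RULES = {
    "vssadmin_delete_shadows":  re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vssadmin_resize_storage":  re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "wmic_shadowcopy_delete":   re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin_delete_catalog":   re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    "bcdedit_disable_recovery": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_failures":  re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "wmi_shadowcopy_delete":    re.compile(r"\bwin32_shadowcopy\b.*\bdelete\s*\(", re.I),
}

# Constructed process-creation events in a hypothetical pipe-delimited export:
# timestamp|host|user|parent image|image|command line. Hosts, users and paths are made up.
SAMPLE_LOG = r"""
2016-03-02T10:15:01Z|WS-0417|CORP\jdoe|C:\Windows\explorer.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2016-03-02T10:15:02Z|WS-0417|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
2016-03-02T10:15:03Z|WS-0417|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled No
2016-03-02T10:15:04Z|WS-0417|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
2016-03-02T10:16:00Z|WS-0417|CORP\jdoe|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\Office15\WINWORD.EXE|"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\invoice.doc"
2016-03-02T23:00:00Z|FS-01|NT AUTHORITY\SYSTEM|C:\Program Files\BackupAgent\agent.exe|C:\Windows\System32\vssadmin.exe|vssadmin create shadow /for=C:
"""

EVENT_FIELDS = ("time", "host", "user", "parent", "image", "cmdline")


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Split one export line; maxsplit=5 keeps pipes inside the command line intact."""
    fields = line.split("|", 5)
    if len(fields) != len(EVENT_FIELDS):
        return None
    return dict(zip(EVENT_FIELDS, fields))


def match_shadow_tampering(cmdline: str) -> Optional[str]:
    """Return the name of the first rule the command line trips, or None."""
    for rule, pattern in SHADOW_TAMPER_RULES.items():
        if pattern.search(cmdline):
            return rule
    return None


def scan_log(lines) -> List[Dict[str, str]]:
    """Run every event through the rules and return one alert per hit."""
    alerts = []
    for line in lines:
        event = parse_event(line.strip())
        if event is None:
            continue
        rule = match_shadow_tampering(event["cmdline"])
        if rule:
            alerts.append({**event, "rule": rule})
    return alerts


def triage(alerts) -> Dict[str, Dict[str, object]]:
    """Group alerts by host. A lone vssadmin command may be an administrator; several
    different destructive commands on one host is the ransomware pattern, rated 'high'."""
    per_host: Dict[str, set] = {}
    for a in alerts:
        per_host.setdefault(a["host"], set()).add(a["rule"])
    return {host: {"rules": sorted(rules), "severity": "high" if len(rules) >= 2 else "medium"}
            for host, rules in per_host.items()}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.strip().splitlines())
    for a in found:
        print(f'{a["time"]} {a["host"]} {a["user"]} [{a["rule"]}] {a["cmdline"]}')
    print(triage(found))
```

The rules deliberately do not look at the parent process: Locky-era samples launched these commands from their own dropped executable, but later families spawn them from cmd.exe, so the command line is the stable signal. Feed the same rules your EDR or Sysmon event ID 1 export and they apply unchanged.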

Email seems to be the most popular technique to spread this threat, but it is not the only known approach. Exploit kits are also common, and just recently several high-profile news sites unknowingly served malicious online advertisements that delivered ransomware. Such malicious ads are called malvertising.

“LOCKY” is one of the most recent variants of ransomware.

The most common way that Locky arrives is:

  • You receive an email containing an attached document (typically an invoice, often inside a .zip)
  • The document looks like gobbledygook (garbled text)
  • The document advises you to enable macros “if the data encoding is incorrect”
  • The hackers want you to click the ‘Options’ button in the security bar at the top of the document and enable the content
  • They spread infections through technologies that are permitted in many companies and in which malicious code is easily disguised (Microsoft Office macros, JavaScript, VBScript, CHM, Flash and Java)
  • Once you enable the macro, it downloads and runs Locky on your computer
  • As soon as Locky is ready to ask you for the ransom, it changes your desktop wallpaper to the ransom note
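An email gateway or mail-flow hook can stop the macro-carrying invoices described at the start of this post, and the zipped invoices and script carriers listed in the Locky steps above, before a user ever sees the ‘enable macros’ lure. The following Python check is an added example written for this article, not code from the original post. It recognises VBA projects in Office Open XML files by their vbaProject.bin part, recurses into .zip attachments with a depth and size limit, holds legacy binary .doc/.xls files for deeper analysis (their OLE streams need a tool such as oletools), and flags script carriers by extension. All sample attachments are constructed in memory and the file names are hypothetical.

```python
import io
import zipfile
from typing import Dict, List

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls compound-file header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML documents and .zip archives
# Where Office Open XML documents keep VBA code (Word, Excel, PowerPoint)
VBA_MEMBERS = ("word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin")
# Script and executable carriers the post lists besides macros
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".chm", ".jar", ".exe", ".scr")
MAX_DEPTH = 3                    # do not follow zip-in-zip nesting deeper than this
MAX_MEMBER = 20 * 1024 * 1024    # refuse to inflate a member above 20 MiB (zip-bomb guard)


def classify_attachment(name: str, data: bytes, depth: int = 0) -> List[Dict[str, str]]:
    """Return findings for one attachment; an empty list means nothing suspicious was seen."""
    lname = name.lower()
    if lname.endswith(SCRIPT_EXTS):
        return [{"file": name, "reason": "script or executable attachment"}]
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office file: VBA lives in OLE streams the stdlib cannot parse,
        # so hold it for analysis (e.g. with oletools) instead of delivering it.
        return [{"file": name, "reason": "legacy OLE Office document; inspect VBA streams before delivery"}]
    if not data.startswith(ZIP_MAGIC):
        return []  # PDF, image, plain text and so on are outside this check
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = {m.filename.lower() for m in zf.infolist()}
            hits = [m for m in VBA_MEMBERS if m in members]
            if hits:
                return [{"file": name, "reason": f"Office document contains VBA macro ({hits[0]})"}]
            if "[content_types].xml" in members:
                return []  # OOXML without a vbaProject.bin part carries no macro
            # A plain .zip: Locky invoices are zipped, so look at what it wraps
            if depth >= MAX_DEPTH:
                return [{"file": name, "reason": "zip nesting too deep to inspect"}]
            findings = []
            for m in zf.infolist():
                inner = f"{name}/{m.filename}"
                if m.file_size > MAX_MEMBER:
                    findings.append({"file": inner, "reason": "member too large to inspect"})
                    continue
                findings.extend(classify_attachment(inner, zf.read(m), depth + 1))
            return findings
    except zipfile.BadZipFile:
        return [{"file": name, "reason": "corrupt or truncated zip container"}]


def build_ooxml(kind: str, with_macro: bool) -> bytes:
    """Constructed minimal OOXML container (a test fixture, not a real document)."""
    part = "word" if kind in ("docx", "docm") else "xl"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(f"{part}/document.xml", "<document/>")
        if with_macro:
            zf.writestr(f"{part}/vbaProject.bin", b"\x00constructed-vba-project")
    return buf.getvalue()


def wrap_in_zip(inner_name: str, inner_data: bytes) -> bytes:
    """Constructed .zip archive holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_data)
    return buf.getvalue()


# Constructed sample attachments; the names are hypothetical
SAMPLES = {
    "invoice_0482.zip": wrap_in_zip("invoice_0482.docm", build_ooxml("docm", True)),
    "statement.xlsm": build_ooxml("xlsm", True),
    "quote.docx": build_ooxml("docx", False),
    "old_invoice.doc": OLE_MAGIC + b"\x00" * 64,
    "invoice.zip": wrap_in_zip("invoice.js", b"var sh = new ActiveXObject('WScript.Shell');"),
    "notes.txt": b"plain text body",
}


def scan_samples() -> Dict[str, List[str]]:
    """Reasons per sample attachment; an empty list means it would be delivered."""
    return {n: [f["reason"] for f in classify_attachment(n, d)] for n, d in SAMPLES.items()}


if __name__ == "__main__":
    for n, reasons in scan_samples().items():
        print(f"{n}: {'DELIVER' if not reasons else 'HOLD - ' + '; '.join(reasons)}")
```

A check like this is a first filter, not a replacement for sandboxing: a macro-free document can still exploit a parser bug, and a legacy OLE file is only held, not judged. The depth and size limits matter in production, because a gateway that inflates every nested archive without bounds is itself a denial-of-service target.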

Please always be cautious! Stay tuned for best practice recommendations on how to deal with ransomware.

This blog was authored by CBE’s Security Team.
