CryptoLocker ransomware was first identified in 2013 and has since become one of the most damaging and widespread threats we face today. There are constant waves of variants with a common goal: extorting money from business and home users. Cyber criminals are now assessing the value of the data they encrypt, and ransom demands are growing. There is evidence that financial and medical institutions will be increasingly targeted; that is not to say it will slow down for other business or home users anytime soon.
The current ransomware families such as CryptoWall, TeslaCrypt and Locky tend to arrive as an email from what appears to be a legitimate sender with an attached document (often presented as an invoice). The attachment is an MS Word or Excel document with an embedded macro, or a .zip file containing such a document.
- The macro executes and attempts to download the actual ransomware payload from a number of web addresses that exist only briefly
- It keeps trying until it reaches an available web address and is able to download the payload
- The ransomware is then executed and contacts the attacker's command and control server
- It sends information about the infected computer and downloads a public key generated individually for this computer
- Files on the local computer are then encrypted, along with any accessible network drives
- The most current variants attempt to delete the Windows operating system's automatic backups (Volume Shadow Copies) to prevent this type of data recovery
- At this point, a message appears on the user's desktop explaining how to pay the ransom (currently the typical demand is $200 – $500, payable in bitcoin)
- Often the attacker sets a deadline to pay; after it passes the key is destroyed and the files are no longer recoverable
- The ransomware deletes itself, leaving only the encrypted files and ransom notes
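The chain above gives a defender two concrete detection points: an Office application launching a script host or shell (the macro fetching its payload), and a process deleting Volume Shadow Copies shortly before the ransom note appears. The following is an added example, not code from the original post or from CBE: a small Python detector run over constructed process-creation log lines. The log format, its field names and the process name "payload.exe" are assumptions made for the example; the shadow-copy command patterns are the widely documented ones (MITRE ATT&CK T1490).

```python
import re
from typing import Dict, List

# Office applications that host the malicious macro described in the post.
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
# Script hosts and shells a macro commonly launches to fetch the payload.
SCRIPT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Well-known command lines that remove Volume Shadow Copies (MITRE ATT&CK T1490).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)
# One "key=value" pair; quoted values may contain spaces.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log (not real telemetry); field names and "payload.exe" are assumptions.
SAMPLE_LOG = """\
ts=2016-03-01T09:12:01 parent=explorer.exe image=winword.exe cmd="WINWORD.EXE invoice_8821.doc"
ts=2016-03-01T09:12:07 parent=winword.exe image=cmd.exe cmd="cmd.exe /c powershell -w hidden -enc <omitted>"
ts=2016-03-01T09:12:09 parent=cmd.exe image=powershell.exe cmd="powershell -w hidden -enc <omitted>"
ts=2016-03-01T09:14:30 parent=payload.exe image=vssadmin.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"
ts=2016-03-01T09:20:00 parent=explorer.exe image=notepad.exe cmd="notepad.exe notes.txt"
"""

def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

def detect(log: str) -> List[Dict[str, str]]:
    """Return one alert per event matching either detection rule."""
    alerts = []
    for line in log.splitlines():
        ev = parse_line(line)
        if not ev:
            continue  # skip blank or unparseable lines
        parent, image = ev.get("parent", "").lower(), ev.get("image", "").lower()
        cmd = ev.get("cmd", "")
        if parent in OFFICE_PARENTS and image in SCRIPT_CHILDREN:
            alerts.append({"ts": ev.get("ts", ""), "rule": "office_spawns_script_host", "cmd": cmd})
        if SHADOW_DELETE.search(cmd):
            alerts.append({"ts": ev.get("ts", ""), "rule": "shadow_copy_deletion", "cmd": cmd})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']} {a['rule']}: {a['cmd']}")
```

On the sample log the detector raises two alerts: the Word process spawning cmd.exe, and the later shadow-copy deletion; the ordinary notepad launch is ignored.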
Email seems to be the most popular technique for spreading this threat, but it is not the only known approach. Exploit kits are also common, and just recently several high-profile news sites unknowingly served malicious online advertisements that delivered ransomware. Such malicious ads are called malvertising.
“LOCKY” is one of the most recent variants of ransomware.
The most common way that Locky arrives is:
- You receive an email containing an attached document (typically an invoice, often inside a .zip archive)
- The document looks like gobbledygook
- The document advises you to enable macros “if the data encoding is incorrect”
- The hackers want you to click on the ‘Options’ button at the top of the page
- Once you click Options, Locky will start to execute on your computer
- As soon as it is ready to ask you for the ransom, it changes your desktop wallpaper
Please always be cautious! Stay tuned for best practice recommendations on how to deal with ransomware.
This blog was authored by CBE’s Security Team.