How Does Ransomware Work? The Ultimate Guide to Understanding Ransomware – Part II


Read Part I here: Money or data? The Ultimate Guide to Understanding Ransomware – Part I

Now that we’ve been introduced to ransomware, let’s see how it spreads and infects machines.

How does it enter systems?

Common penetration techniques include:

– Spam and social engineering
– Direct drive-by-download or malvertising
– Malware installation tools and botnets

When ransomware first hit the scene a few years ago, computers predominantly got infected when users opened e-mail attachments containing malware, or were lured to a compromised website by a deceptive e-mail or pop-up window. Newer variants of ransomware have been seen to spread through removable USB drives or Yahoo Messenger, with the payload disguised as an image.


CTB Locker, the ransomware making headlines and claiming victims right now, spreads through aggressive spam campaigns. The e-mail poses as a fax message and carries a .zip archive as an attachment. If the executable file inside the archive is opened, the data on the system is encrypted and the victim is asked to pay a ransom to receive the decryption key.
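A mail-gateway style check for the fax-lure archive described above, written as an added example (not Bitdefender's or the malware's code): it opens the zip attachment in memory and flags members by executable extension, by a document-looking double extension, and by the MZ header that every Windows executable begins with, so an executable renamed to .pdf is still caught. The sample archive is constructed.

```python
import io
import zipfile

# Extensions Windows runs directly when a user double-clicks them.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jse", ".wsf"}
# Extensions a "fax" or "invoice" lure typically pretends to be.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".tif", ".tiff", ".jpg"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def inspect_attachment(zip_bytes):
    """Return {member_name: [reasons]} for every member that should not reach the user."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in base.split(".")[1:]]
            reasons = []
            if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension " + exts[-1])
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and exts[-1] in EXECUTABLE_EXTENSIONS:
                reasons.append("double extension posing as a document")
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == PE_MAGIC:
                reasons.append("PE header (MZ) regardless of extension")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed fixture: a lure executable, a renamed executable, and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fax_message_2015.pdf.exe", PE_MAGIC + b"\x90\x00" + b"\x00" * 60)
        zf.writestr("scan.pdf", PE_MAGIC + b"\x00" * 30)  # PE content hidden behind a .pdf name
        zf.writestr("readme.txt", b"This archive is a constructed test fixture.")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in inspect_attachment(build_sample_zip()).items():
        print(member, "->", "; ".join(reasons))
```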

But the latest variants can be re-engineered to propagate themselves without human action. We’ve recently seen an increasing number of incidents involving the so-called “drive-by” ransomware. Drive-by download attacks are launched from compromised websites or through malicious ads and usually exploit vulnerabilities in browser plugins like Flash Player, Java, Adobe Reader or Silverlight. The tools used for such attacks have the functionality to achieve privilege escalation. Privilege escalation exploits allow attackers to execute malware programs with administrator or system-level privileges instead of using the victim’s local user account, which might be restricted.

Modus Operandi

Each ransomware variant can be engineered to operate differently. However, common traits include fairly complex obfuscation and covert launch mechanisms meant to avoid early antivirus detection. This means the malware wants to stay hidden and thus, uses techniques to thwart detection and analysis—including obscure filenames, modifying file attributes, or operating under the pretense of legitimate programs and services. The malware’s additional layers of defense leave the data unreadable, which make the process of reverse engineering very difficult.


It’s worth adding that ransomware’s communication protocols have been upgraded from plain text (HTTP) to Tor and HTTPS, making the encrypted calls to C&C servers almost impossible to track through network traffic monitoring. File encryption has also been revamped to use crypto libraries that perform strong, asymmetric cryptography rather than relying on short-length or hard-coded keys. Earlier samples such as Cryptolocker and Cryptowall, for instance, first contact the server and perform the encryption afterwards.

To get a better idea of how ransomware works, let’s examine Cryptolocker. Cryptolocker gets installed by a Zbot variant (a Trojan used to carry out malicious tasks). After execution, it adds itself to Startup under a random name and tries to communicate with a command and control server. If successful, the server sends a public key and a corresponding Bitcoin address. Using asymmetric encryption (a public key to encrypt and a private key to decrypt files), Cryptolocker begins encrypting more than 70 types of files that might be present on the victim’s device.
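The Startup persistence described above can be hunted for with a simple triage pass over autorun entries. This is an added example, not Bitdefender's or the malware's code; the entries are constructed, and an entry is flagged only when it combines a random-looking name with a user-writable location, so ordinary autoruns are left alone.

```python
VOWELS = set("aeiou")
# Directories a standard user can write to; legitimate autoruns mostly live under Program Files or system32.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def looks_random(name):
    """Coarse heuristic for generated names: almost no vowels, or letters mixed with several digits."""
    stem = name.lower().rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    digits = sum(c.isdigit() for c in stem)
    if len(stem) < 6 or not letters:
        return False
    if digits >= 3:
        return True
    return sum(c in VOWELS for c in letters) / len(letters) < 0.15


def executable_path(command):
    """Extract the program path from a Run-key value, honouring a quoted path followed by arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def triage_startup_entries(entries):
    """entries: (entry_name, command) pairs as read from the Run keys or the Startup folder.
    Returns the entries that both carry a random-looking name and run from a user-writable directory."""
    flagged = []
    for entry_name, command in entries:
        path = executable_path(command).lower()
        exe_name = path.rsplit("\\", 1)[-1]
        reasons = []
        if looks_random(entry_name) or looks_random(exe_name):
            reasons.append("random-looking name")
        if any(marker in path for marker in USER_WRITABLE):
            reasons.append("runs from a user-writable directory")
        if len(reasons) == 2:  # either signal alone is common for legitimate software
            flagged.append((entry_name, command, reasons))
    return flagged


# Constructed sample entries: a legitimate sync client, a suspicious autorun, a Windows component.
SAMPLE_ENTRIES = [
    ("OneDrive", '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ("qwjdkxzp", "C:\\Users\\alice\\AppData\\Roaming\\qwjdkxzp.exe"),
    ("SecurityHealth", "%windir%\\system32\\SecurityHealthSystray.exe"),
]
```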


Here’s how encryption works, briefly:

[Figure: how the encryption works. Source: Microsoft]

Meanwhile, a variety of messages and instructions – often localized – are displayed on the user’s home screen.


Infected users are instructed to pay a fee for the private key stored on the attackers’ servers – without it, decryption is impossible. When the ransom is paid, decryption starts and a payment verification screen is displayed. After decryption ends, the Cryptolocker files are deleted.

Note: Don’t take hackers’ word for it: paying the ransom does not guarantee that you can recover your files.

Who are the victims?

Ransomware doesn’t just impact home computers. Businesses, financial institutions, government agencies, academic institutions and other organizations can be and have been infected with ransomware. Such incidents destroy sensitive or proprietary information, disrupt daily operations and, of course, inflict financial losses. They can also harm an organization’s reputation. Attackers go after specific kinds of files: databases, CAD files and financial data. For example, Cryptolocker was used to target more than 70 different file extensions, including .doc, .img, .av, .src, .cad.

“Ransomware is a very challenging threat for both users and antimalware companies, boasting impressive capabilities and an unprecedented success rate in extorting money from its victims,” says Cătălin Coșoi, Bitdefender Chief Security Strategist.

Stay tuned for Part III, to learn about the best ways to protect your data from ransomware.


About Bitdefender
Bitdefender is the creator of one of the world’s fastest and most effective lines of internationally certified software.
The company is an industry pioneer, introducing and developing award-winning protection since 2001. Today, Bitdefender technology secures the digital experience of 500 million home and corporate users across the globe.

Top international testing organizations and world-renowned software reviewers acknowledge Bitdefender’s solutions as the world’s most effective. In January 2015, Bitdefender won AV-Comparatives’ Product of the Year a second time, taking Gold awards in Proactive Malware Detection for its industry-leading heuristics, Real World Detection for accurate performance in real-life situations and Malware Removal for its thorough disinfection. At the same time, Bitdefender’s nearly undetectable impact on system performance won it Best Overall Speed.

Bitdefender has further confirmed its industry leadership with titles including Best Antivirus of 2014 and two Editor’s Choice awards from PCMAG, The Best Performance 2014 Award by AV-TEST for its Endpoint Solution, and 2013 Editor’s Choice from CNET. Bitdefender is also the only security solution to win all 35 VB SPAM awards given out by Virus Bulletin.