What ransomware should you look out for?

2015 was a year of ransomware.

Although these offending programs surfaced about 10 years ago, it wasn’t until 2013 that their mass distribution commenced along with fake antivirus scanners, from which file-encrypting malware actually evolved. In 2014, the trend continued, and in 2015, ransomware grew into the prevalent computer threat on the loose.

The campaigns started with targeting end users and are now steadily moving to the realm of organisations, hitting businesses, police departments, even NGOs, and governments. Obviously, these organisations have more data and hence more to lose; furthermore, they have more money at their disposal.

Ransomware variants range from moderately harmful browser lockers to real disasters that encrypt files with strong RSA encryption using 2048-bit keys. Not only do these plagues employ intimidation tactics based on the risk of losing data, but they may also blackmail victims by threatening to put sensitive files online for everyone to see unless the ransom is paid.

The security industry is discovering new variants of ransomware virtually every day. Cybercriminals leverage popular business models, including affiliate schemes and the so-called Ransomware-as-a-Service.

In 2016, computer users need to be particularly watchful to avoid these threats. Data backups are vital in these circumstances, but they are still rarely utilised by the average user. It’s ransomware that is teaching us to make backups.

With plenty of these strains out there, there are three particularly widespread and dangerous ransomware samples that have caused huge financial losses to individual and enterprise users.

СryptoLocker

This sample appeared in September 2013. It accommodated all the characteristics inherent to ransomware: the ability to infect computers by means of phishing and via malicious links, the use of a crypto algorithm to lock a victim’s files, and a notification holding the ransom instructions. The buyout can be done through Bitcoin or a prepaid voucher – either way, the payment is practically impossible to track down.

CryptoLocker reportedly brought its authors several million dollars within a very short period of time. The original build of CryptoLocker is now defunct. It was thoroughly dissected by researchers who came up with a decryption tool and was ultimately taken down by law enforcement.

Regretfully, the cybercriminals were able to share their knowledge and tactics, which resulted in the appearance of new versions along with a number of copycats. The present-day breeds have a different code than CryptoLocker, but they act the same way. For some reason, the fraudsters like to name their new products after this infamous infection, and the difference cannot be determined without in-depth analysis.

New incarnations of this pest are widely present among the most heavily distributed ransomware. The extortionists apparently found the use of spam emails and spear-phishing emails with rogue attachments to be the most effective distribution model. The recent builds are highly sophisticated. To thwart interception by email scanning solutions that can follow hyperlinks, the virus requires would-be victims to visit a rogue site and type a CAPTCHA string before the payload is executed.

TeslaCrypt

TeslaCrypt, which was first detected in February 2015, is currently the most active ransomware. It has since evolved to version 3.0. People may also know TeslaCrypt as the .vvv file virus because one of its variants would encrypt its victims’ files and append them with .vvv extension.

Computer help forums are full with requests to help with decrypting .vvv files. As security researchers are constantly busy looking for vulnerabilities in the ransomware code and sometimes successfully decrypt files encoded by TeslaCrypt, the criminals in their turn improve the code to patch those flaws. TeslaCrypt originally targeted gamers, making them pay to unlock the respective data. Along with documents, therefore, it was also after files related to popular video games.

A popular vector of contaminating computers is via the Angler Adobe Flash exploit. Meanwhile, multiple cases of distribution through spam emails with rogue attachments have been reported as well.

СryptoWall

As with all the most successful and thus dangerous threats of its kind, CryptoWall has gone through four iterations to date. We have CryptoWall 4.0 now. As per approximate estimates, this infection has earned its makers more than $300 million since it went live.

It took the bad guys about a year to get from $20 million to the above amount, which demonstrates how rapidly this underground business is growing. Geographically, the primary targets are the USA, UK, and Japan, followed by Australia and Canada. Other countries are on the list too.

Distribution techniques include the use of spam emails, misleading advertisements, and compromised web pages. CryptoWall payloads mainly arrive with catchy emails that contain ZIP attachments masqueraded as PDF documents. Exploit kits are known to be also involved in the propagation of this threat.

Having intruded on a computer, CryptoWall scans the hard disk, removable media and network shares for a specific array of file extensions. All detected data gets encoded with RSA encryption. The Trojan then obliterates the original files beyond recovery. The most recent variant encrypts the filenames along with the files proper, thus making it very problematic to even figure out what needs to be recovered.

The 'pay or not' dilemma

Trusting the criminals is a bad idea, therefore it’s advised to refrain from paying the ransom. The scammers may not decrypt your files at the end of the day. If you pay, this will prove to the offenders that it’s worth moving on with their business.

Thankfully, security professionals have created decryption tools that can recover data locked by several ransomware variants. These services have already done the restoration trick for thousands of people. Search Internet forums for such utilities.

Prevention

As far as prevention goes, it’s very easy. Here are several simple tips that will help you stay on the safe side:

  • The rule of thumb is a backup, backup, and once again backup. It’s not enough to just say it once, so we need to shout out loud how important backups are these days. Make copies of your important files in several locations that aren’t connected to your PC. Store backups offline on an external hard drive and online on cloud services too.
  • Never open attachments or embedded links in emails unless you know with 100 per cent certainty that they are safe.
  • Use reliable anti-malware capable of detecting harmful links before they reach your inbox. Remember security suites featuring behavioural detection are more effective than signature-based ones.
  • Do not fail to keep all of your applications up to date.
  • Stay away from suspicious websites. Do not visit pages that look too good to be true or host shady software.

David Balaban, Editor at Privacy-PC.com

Image source: Shutterstock/Martial Red