Friday 15 April 2016

Ransomware. What is it, and how can you fight it?


There’s a very nasty type of computer attack out there, and it can cost you real money

Few PC users will run their system without an adequate form of protection against various kinds of attack. Anti-virus and firewall software is commonplace, and going online without this basic level of protection is seen by most as reckless. Why risk the loss of data or system instability when a simple program, many of which are free, could protect you? Makes sense, doesn’t it? Of course it does, and the majority of users would agree.


What if, however, this diligence and focus on security was flawed? What if all your attempts to protect your system failed and you found yourself attacked by a problem that had no fix? What if no amount of software could remedy it, and only by spending a good deal of cash could you get your PC and your data back? What would you do then?

Although you may have never heard of it, ransomware is just this kind of threat and is one of the most insidious attacks in the computing world today. Sadly, it’s also a threat that seems to be growing year on year. This is a threat that can cause a whole truckload of misery as well as financial hardship in one fell swoop. Worst of all, it’s also a threat that, if you’re unlucky enough to be attacked by it, may not even have a way out. Let us elaborate.

Digital Hostage


Ransomware is a system attack that’s designed to extort money from targets, and it does this by holding the user’s system ransom, hence the name. The attack, which can come in differing forms, usually assaults the user by locking their system out or encrypting their data with a very strong, nigh-on unbreakable level of encryption. The only way to get the data back is, you’ve guessed it, to pay a ransom. The attackers use encryption so strong that even cutting-edge law enforcement computer labs fail to break it, and in the past the likes of police departments and even the FBI have advised users to pay up. It’s that bad.

During a meeting of business and technology experts (via The Security Ledger - bit.ly/1XopBiV), the FBI’s Assistant Special Agent in charge of the FBI’s cyber and counter-intelligence program, Joseph Bonavolonta, said, “The ransomware is that good, to be honest, we often advise people just to pay the ransom.”

When even the FBI, with all of the resources at its disposal, says there’s no hope, you know things are serious, and some ransomware isn’t playing around.

The only way to get data back or access a locked system is to use the encryption key or special code, which the attacker holds on to, threatening to delete it if payment is not met by a deadline. Once the key is gone, the targeted user is left without their data or access to the system. Other methods of recovery that are used include programs sent to the victim after payment that can unlock a system. Of course, that’s even if the attacker makes good on their promise, and even after payment, there’s no guarantee a solution will be delivered. You take a risk either way.

Ransomware attacks often infect a system via a trojan delivered by a downloaded program or email attachment, or through a hole in network security. This is one of the easiest ways for an attack to bypass security and gain a foothold within a system. Once in, the payload is then dropped, which can take various forms.

One of the most common is the use of something now called ‘scareware’. You’ve probably seen these at some point. They’re those fake pop-up messages that claim your system is insecure or that there’s illegal content detected on your PC. They fool people into clicking links or installing software to remedy the situation, and from that point, the ransomware is in. Depending on the type of ransomware infection, the trouble then starts, and the user is forced to pay up if they want a chance to escape the situation unscathed.

By the time you even see the pop-up, your data may be at risk, as a lot of the pop-ups are ‘policeware’, pop-ups that claim your system has been seized by the authorities due to illegal activity. These request payment in order for the system to be released. These are, of course, fake, and if you really were the subject of such investigation by the police or any other government authority, this isn’t how you’d find out, and we doubt any form of payment would change the matter.

Pay Up


Unlike the kinds of intrusion we usually hear about in the media, ransomware creators aren’t interested in stealing data or leaking passwords. Payment is what the attackers want, pure and simple. Because this is obviously a very illegal practice, payment is usually made using various forms of hard-to-trace transaction. Commonly used methods include wire transfer, premium texts, Ukash, Paysafecard and the popular digital currency Bitcoin. These offer the best protection for the perpetrators of the crime, making it more difficult for their acts to be tracked down. It’s not impossible, though, and attackers have been caught.

These payment methods have changed over the years as more options have become available, from ransomware’s first attacks to modern strains that use newer e-currency like Bitcoin. Everything about the threat has evolved, and more ransomware threats are always being discovered. Luckily, security companies are also countering many of these, and there are standard antivirus solutions to many threats.

Steer Clear


You may be worried that this type of attack is unavoidable, given its tricky nature, and in some respects, this may be true. As with any form of PC security, though, there are things you can do to stay safe, if not totally immune.

First and foremost, you need to be aware, pure and simple. Vigilance and care are always going to be your first line of defence, and ransomware is no different. As it often relies on the downloading of files and pop-up warnings, you can avoid a lot of attacks by simply being watchful.

As we always advise, be careful about what you download and install, and be aware of the risks some websites carry. Big name download sites will often be safe enough, as they usually try to screen their available content, but this isn’t always the case, so don’t take it for granted. Websites that operate on the fringes of the law, such as pirate download sites and other potentially questionable locations, are natural breeding grounds for viruses, and that includes ransomware. Always be very wary about downloading from these sites. It’s not only illegal to download these files, but your chances of infection are higher.

You also need to be aware of the normal activity of your system day to day. It’s very unlikely that a random pop-up you don’t recognise will appear to warn you about illegal software on your system, and even anti-virus alerts should be recognisable to you, as you know what your own anti-virus software looks like. Just as phishing emails are often easy to spot if you’re careful, so too are ransomware attacks, at least a good deal of them.

If you see a pop-up for a security tool you don’t recognise or a warning about illegal software you know you’ve never used, ignore it and certainly don’t follow its instructions. Rather than clicking the pop-up’s own close button, use a keyboard shortcut such as Alt+F4 to kill it. To be safe, restart your PC without clicking anything, then run your security software and other malware scanners immediately.

By far the most effective way to stay safe from ransomware is to take a pre-emptive approach, ensuring your data is safe and sound at all times. This means backing up and doing so on a regular basis. This regularity will depend on the data you need to protect, with data that’s updated and used daily needing to be backed up on a daily basis, whereas data that you simply need to keep safe but don’t update often needn’t be backed up as much. Of course, it goes without saying that you’d need to back up to a location that’s not on your actual PC, such as an external hard drive you can disconnect during PC use or even optical media. Just make sure there’s no way for the ransomware to find it. It should also be noted that some strains of ransomware specifically target NAS (network attached storage), so don’t assume backing up to such a device makes the data safe. It’s far more unlikely it’ll be attacked, but there is a chance. For the best protection, always use a medium that can be isolated and disconnected from your PC and network.

Make the most of your backup software’s ability to perform automated backups, and set it to do so according to your own specific needs. This way, even if your system is attacked by ransomware, your data will be safe and sound, copied to your backup location. You can ignore the threats, format your system and move on.
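As an added example (not from the original article), here is a Python script that copies a folder to a removable drive together with a SHA-256 manifest, and later checks that manifest so you would notice if a strain that could reach the drive had encrypted or renamed the copies. The paths, the manifest file name and the sample files are all constructed for the demo.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"  # hypothetical name for the hash list stored with the snapshot


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_snapshot(source: Path, dest: Path) -> dict:
    """Copy every file under `source` into `dest` and record each file's SHA-256."""
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel] = sha256_file(target)
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_snapshot(dest: Path) -> dict:
    """Compare the files in `dest` with its manifest. In-place encryption shows up
    as 'modified'; renamed files (as Cryptowall 4.0 does) as 'missing' + 'unexpected'."""
    manifest = json.loads((dest / MANIFEST).read_text())
    present = {p.relative_to(dest).as_posix(): p
               for p in dest.rglob("*") if p.is_file() and p.name != MANIFEST}
    missing = sorted(set(manifest) - set(present))
    unexpected = sorted(set(present) - set(manifest))
    modified = sorted(rel for rel in manifest.keys() & present.keys()
                      if sha256_file(present[rel]) != manifest[rel])
    return {"missing": missing, "modified": modified, "unexpected": unexpected}


def demo() -> tuple:
    """Constructed run: a clean snapshot, then the same snapshot after simulated damage."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "documents"), Path(tmp, "usb_drive")  # constructed paths
        (src / "photos").mkdir(parents=True)
        (src / "notes.txt").write_text("quarterly accounts, do not lose\n")
        (src / "photos" / "cat.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 32)
        make_snapshot(src, dst)
        clean = verify_snapshot(dst)
        # simulate what an encrypting strain does if it can reach the backup drive
        (dst / "notes.txt").write_bytes(b"garbage!" * 8)
        (dst / "photos" / "cat.jpg").rename(dst / "photos" / "cat.jpg.locked")
        damaged = verify_snapshot(dst)
    return clean, damaged
```

Run `verify_snapshot` against the drive before you restore from it, not after; a manifest stored only on the PC could itself be encrypted.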

If you decide to pay up in order to regain access to your data, don’t take it for granted that you’re safe, even if you do get the data back. There have been many cases of reinfection, and in many cases the actual ransomware isn’t removed. For this reason, it’s often a good idea to back up your data and wipe your system with a proper format. Some would also advise looking into changing your IP address and updating your security software. To change your IP if you have a static address, contact your ISP.

If you do get attacked, regardless of the outcome, always report it, because ransomware is a very real threat and one that the authorities are trying to crack down on. There’s no one place to report this kind of attack, and it varies depending on where you live. To find out more, try calling your local police enquiry line (please don’t use emergency numbers). You should be able to find instructions on who to contact and how.

Should You Be Worried?


Ransomware sounds nasty, doesn’t it? That’s because, sadly, it is. Although you may treat it like an illness you always think will happen to someone else, ransomware is a big problem, and although the overall impact of the threat is less now as security software vendors and the public are more aware of it, it’s still out there, and being aware of this is important.

We should be concerned, but in the same way as any other PC security issue. As with normal viruses, as long as you’re careful, keep your security up to date and keep a healthy backup schedule, you have little to fear.

It’s also very important to note that it’s not only PC users who are potential targets of ransomware. Both Apple Mac and mobile devices have been hit with ransomware strains, so even if you’re not a PC user, you need to be aware of the threat and take action accordingly.

A final question remains. Should you pay if you’re held ransom? It depends. Not to sound overly non-committal, but it’s very hard to advise here with a single specific answer. The FBI and other authorities have advised payment in the past, and others have said you should in no circumstances pay up. The real answer here lies with you and how important your data is. If you’re a gamer and you’ve been hit, potentially losing hours or days of progress in a game, is it worth giving in to such criminals over that? For some players, who have invested huge amounts of time in games like World of Warcraft, it may well be, but for others, it’s just not that important.

If the data held ransom is very sensitive, though, such as financial data, family photos and other important files, the temptation to pay up may be very strong, and no one would blame you for doing so. The importance and threat will vary for everyone, and the answer here is not black and white.

Just be aware that you’re dealing with criminals. They may be anonymous faces behind a keyboard and not mask-wearing thugs with guns, but they’re still criminals, so they aren’t exactly trustworthy. Some people have paid and have received no code to unlock files and, as we’ve said, some have but have then been reinfected at a later date. Because of this, getting in touch with the police is always a good idea (but we repeat, not emergency numbers; don’t clog up those lines).

The bottom line is stay alert, look after your important files, and if in doubt, always err on the side of caution.


Types Of Ransomware


Winlockers
This breed of ransomware doesn’t actually encrypt any data. Instead it simply locks your PC and often displays a pop-up message from some form of law enforcement, including the FBI. There are many variants, but most will order a payment to be made in order to unlock the PC and provide directions on how to pay.

SMS
SMS ransomware is effectively exactly the same as a Winlocker. The only real difference is the SMS code you’re given in order to pay the ransom. Instead of providing details on payment, you simply have to text a premium number with the code supplied to have your system unlocked.

MBR
Similar in some respects to Winlocker ransomware, MBR ransomware instead locks the system at the Master Boot Record level by overwriting the MBR, and it even stops Windows from loading entirely. Most will claim that this is done using encryption, but in truth, there’s commonly no encryption used at all. People have managed to find affected files and have used MBR repair tools to bypass it. There are more nasty variants out there, though, so don’t assume it’ll be easy to get rid of it.

Encryption
More advanced than the system lockout ransomwares, and the one that has caused the most trouble. Encryption ransomware is a trojan that encrypts files on your system with a very strong encryption algorithm. The only way to recover data is with a key, provided by the attacker.

This kind of ransomware is the most serious, as it’s usually impossible to remove unless security software vendors have cracked it. You’ll be very glad you backed up your data if you ever find yourself attacked in this manner.


Common Ransomware Strains


CryptoLocker and Cryptowall
By far the most famous (or infamous) ransomware. These two strains are not related, despite the similar names, but both have caused all sorts of problems. These are the examples the FBI was talking about when it advised users to pay the ransom.

To give you an idea of how strong the encryption is here, it’s likely your home encryption, if you’re using any, is around 256-bit. This may vary, of course, but this is common. Businesses may have more powerful protection. It’s solid protection, and will keep your data safe.

CryptoLocker used a 2048-bit RSA key pair to encrypt the data. This provided an insane level of encryption complexity. Luckily, CryptoLocker was eventually found and seized by the authorities in 2014. Up to that point, it has been estimated that around $3 million was pilfered by the ransomware.

Cryptowall is still a threat and has another very powerful level of encryption. According to the FBI (via Ars Technica – bit.ly/1GAp6Y5), as of June 2015 Cryptowall has amassed around $18 million from victims. The latest variation of it, Cryptowall 4.0, has been made even more effective at avoiding security software, and it encrypts both data and file names.

TeslaCrypt
One of the more recent strains of ransomware is TeslaCrypt. This preys on a specific type of computer user, and that’s gamers. This strain targets gaming-centric files such as game saves, replays and other data related to the subject. According to AV vendor Kaspersky, the strain only affects files less than 268MB in size.

It’s known to display an HTML warning and is a clone of CryptoWall that apparently demands around $500 from the victim. This price can double if the user delays payment.

CTB-Locker
According to Sophos, CTB-Locker is another encryption-type ransomware that encrypts files on the target machine before issuing a ransom demand. The security vendor describes this strain as being particularly infectious, with a high infection rate. It uses powerful encryption tech, as well as Bitcoin and Tor, and it’s also multi-lingual.

TorrentLocker
Despite the name, this ransomware isn’t focused on BitTorrent and is usually distributed via email spam. It seems to be a geographically targeted threat, with lures and ransom demands targeted at a specific region. It utilises AES encryption and often masquerades as CryptoLocker to capitalise on the well-known name. It’s also self-propagating, stealing email addresses from a victim’s address book in order to spread to other users automatically.


Origins Of Ransomware


Although ransomware is relatively new to the public consciousness, it’s actually been around since the late 80s. In 1989, the first recorded instance of ransomware was AIDS (Aids Info Disk). This strain altered the system’s autoexec.bat file (a very important boot file on older systems of the time). This would count the number of times the system booted up, and when it reached a certain number, it would hide and rename files on the system, making it unbootable. Users had to pay $189 to make the system usable again.

The threat was cracked due to the use of simple encryption, and the creator was caught. This creator, Dr Joseph Popp, created the trojan in what was claimed to be a misguided attempt to do a good thing, as he said the money gathered would be donated to AIDS research. He was declared mentally unfit to stand trial. Today’s ransomware creators are not so charitable, however, and money is not used for such honourable purposes.

Future ransomware became more and more complex, and threats such as Gpcode and Krotten were launched, but the world remained largely unaware until 2013, which saw the arrival of CryptoLocker and the rise of Bitcoin. This currency made tracking payments difficult, and in some cases impossible, according to reports. This fact made the idea of ransomware appeal to more and more criminals, who saw a viable and safe method of extorting money.