My ability to predict the future is dismal at best, so I figured I was sounding the death knell for ransomware when I apprehensively made this claim in my post, “Ransomware: Extortion via the Internet”:
Ransomware is making a resurgence. Hard-to-trace Internet payment methods are emboldening cybercriminals.
Well, in irony Shakespeare would love, it seems I’m wrong, and my prediction is coming true.
For those not familiar with ransomware, the post referenced above describes it, but having been written in 2010, it is woefully out of date. Ransomware has come a long way since then. Here’s the current Wikipedia definition:
Ransomware comprises a class of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed.
Some forms of ransomware encrypt files on the system’s hard drive, while some may simply lock the system and display messages intended to coax the user into paying.
What I meant by “coming a long way” is the increased deviousness of the ransomware developers. From 2009 through 2010, ransomware primarily encrypted data files, preventing users from accessing them. That didn’t work very well; computers were still operational, allowing users to seek and destroy the malware.
So, the bad guys decided to lock the computer — still no go; users opted to rebuild. Next step: have the ransomware pose as an antivirus product offering to remove insidious malware. Nope, that didn’t fool enough people either.
The bad guys decided to go back to locking the screen, but with a twist. They planted a pornographic image on the frozen screen hoping to shame the user into sending money. This approach was successful, particularly if the computer happened to be at work.
The current flavor du jour is trying to scare the user by planting a screen similar to the one shown above (courtesy of Symantec). Time will tell the effectiveness of this newest approach.
How the bad guys were paid was a weak link. Using SMS or phone-based payment offered some chance of following the money trail and a chance to collar the crooks. So the ransomware community was ecstatic when prepaid electronic payment systems such as MoneyPak came into play. That type of service pretty much eliminated any chance of finding who was behind the scam.
I’ve been asked to comment on how to avoid ransomware. Oddly enough there is nothing special required. Ransomware is the payload. How it gets installed on the computer is up to the developer and the malware distribution network hired by the developer. Yep, middlemen have made themselves invaluable even in the digital underground.
There already exists a humongous amount of information on how to protect one’s computer from malware. I’ve used millions of electrons discussing it myself. So, I’d like to use this week’s allotment for a better purpose. Not much is written on what to do if your computer is held hostage. And that’s where I’d like to focus.
To that end, I contacted my friend and award-winning security pundit Brian Krebs. I can’t think of anyone who has a better handle on ransomware and what to do when confronted with it.
Kassner: Brian, ransomware like the kind using the screen above looks quite convincing. What separates ransomware from other malware?
Krebs: Ransomware quite simply is malicious software that tries to extort money from victims by holding their computers and/or personal files hostage until payment is made.
Kassner: I’ve read your essays about the current best-seller ransomware, Reveton (Ransomlock). Please describe what one would encounter if one’s computer were infected with Reveton.
Krebs: The portion of the attack that’s visible to the victim starts with a message that takes over the screen and disables key press combinations that would normally minimize windows, including Ctrl-Alt-Del. The message usually spoofs the victim’s national law enforcement authority (if the victim is at a US Internet address it will show a warning made to look like it was issued by the FBI), warning that the user’s computer has pirated software/movies (or in some cases child pornography) and that this is a violation of the law punishable by jail time.
The message states that users can avoid this trouble if they choose to pay a fine, which is usually a few hundred dollars. The victims are instructed to pay for a Ukash or MoneyPak voucher — essentially a prepaid card — and to transmit the code that allows one to redeem the funds on that voucher.
Kassner: There is significant information explaining how to avoid ransomware. But not much on what to do if a person is caught by ransomware. What advice would you give someone in the grip of ransomware?
Krebs: The trick is not to panic. The attackers want to frighten victims into paying right away, but that’s almost always the wrong choice. I have seen some ransomware attacks fail when the computer is simply rebooted. Most ransomware malware, however, won’t be affected by this, and may even then create a user account on the system and then hide or remove all other accounts, forcing the victim to log in using the newly created, hijacked account. Some ransomware even disables safe mode and other fallback and rescue options.
Unplugging the system and restarting should be a first step. Download some removal tools to a removable drive or CD-ROM from another computer (Malwarebytes is a good one to start with). Scanning with the tools available on a specialized “Live CD,” such as the distributions from Dr. Web or Kaspersky made specifically for removing ransomware, is another option. Frankly, just searching online for tips on removing ransomware produces some fairly exhaustive tutorials on how to regain access to your system.
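Brian’s recovery advice comes down to examining the hijacked machine from outside it, rather than fighting the lock screen from inside. The following is an added example, not from the original post and not Brian’s code: a small Python triage that reads a Windows registry export (.reg format, as produced by Regedit, `reg export`, or a Linux-side hive tool run from a Live CD) and flags the lockdown tricks he describes: a replaced Winlogon shell or an extra Userinit program so the ransom screen comes up instead of the desktop, user accounts hidden from the logon screen, Task Manager disabled by policy, and a gutted SafeBoot subtree. The registry locations are my own mapping of those symptoms to well-known keys, the sample export is constructed, and `lock.exe` is a hypothetical file name.

```python
"""Offline triage of a Windows .reg export for screen-locker persistence.

Added example. The key paths below are an assumed mapping of the symptoms
described in the interview (shell takeover, hidden accounts, disabled Task
Manager, disabled Safe Mode) to well-known registry locations.
"""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
USERLIST = WINLOGON + r"\SpecialAccounts\UserList"
POLICIES_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

# Constructed sample export; lock.exe is a hypothetical locker binary.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\lock.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"Alice"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"
"""

_VALUE_LINE = re.compile(r'^(@|"([^"]*)")=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    REG_SZ values are unescaped to plain strings, REG_DWORD values become ints;
    other types (hex:, multi-line binary) are kept as the raw right-hand text.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
        elif data.startswith("dword:"):
            data = int(data[len("dword:"):], 16)
        keys[current][name] = data
    return keys


def triage(keys):
    """Return a list of (severity, finding) for lockdown indicators."""
    findings = []
    winlogon = keys.get(WINLOGON, {})
    shell = winlogon.get("Shell")
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        findings.append(("high", f"Winlogon Shell replaced: {shell!r}"))
    userinit = winlogon.get("Userinit")
    if isinstance(userinit, str):
        progs = [p.strip().lower() for p in userinit.split(",") if p.strip()]
        extra = [p for p in progs if not p.endswith("userinit.exe")]
        if extra:
            findings.append(("high", f"Extra Userinit programs: {extra}"))
    hidden = [name for name, v in keys.get(USERLIST, {}).items() if v == 0]
    if hidden:
        findings.append(("high", f"Accounts hidden from logon screen: {hidden}"))
    if keys.get(POLICIES_SYSTEM, {}).get("DisableTaskMgr") == 1:
        findings.append(("medium", "Task Manager disabled by policy"))
    exported_safeboot = any(k.startswith(SAFEBOOT) for k in keys)
    has_minimal = any(k.startswith(SAFEBOOT + r"\Minimal") for k in keys)
    if exported_safeboot and not has_minimal:
        findings.append(("high", "SafeBoot\\Minimal subtree missing: Safe Mode disabled"))
    return findings


def triage_export(text):
    """Convenience wrapper: parse a .reg export and triage it in one step."""
    return triage(parse_reg(text))


if __name__ == "__main__":
    for severity, finding in triage_export(SAMPLE_EXPORT):
        print(f"[{severity}] {finding}")
```

Run from the rescue environment against an export of the Winlogon, Policies and SafeBoot keys; each finding points at a value to restore by hand (Shell back to `explorer.exe`, the extra Userinit entry removed, the UserList entry deleted) before the first reboot into the real desktop.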
Kassner: Brian, you’re always one of the first to raise the alarm when a new chunk of malware appears. What do you see as the next step in ransomware?
Krebs: More threats that actually encrypt files with strong encryption. Strangely, with many of the ransomware attacks, the user’s files are not encrypted. But I would expect this to change, and we will see file-encrypting ransomware attacks become far more common. What’s more, there is nothing to stop the crooks from scanning for removable and network drives to encrypt as well, which could present major nightmares for businesses.
And there’s no guarantee even a business that pays the ransom will get their files back. There was a terrifying story in September about an Australian company that had all of its files encrypted by ransomware, and their business ground to a halt. They ended up paying the ransom, but the thieves simply took the money and vanished, leaving the victim firm with files they couldn’t use.
There you have it. Ransomware works and is an effective moneymaker for the digital underground. So don’t expect it to go away any time soon. Fortunately, ransomware is not forcing us to do anything other than what’s required to protect ourselves from other types of malware.
Some more irony — the cost of getting caught by ransomware might be the incentive needed to get more people to secure their computers.
I would like to thank Brian for his diligence in spreading the word about ransomware.