Everything you ever wanted to know about Ransomware

What is Ransomware?

Cryptolocker and Cryptowall are forms of 'Ransomware', basically software that takes files, encrypts them (scrambles them), and holds the keys for ransom.

Ransomware operators usually demand payment in Bitcoin (an Internet currency) of a unique amount; that unique amount is how they identify which 'client' has paid the ransom, at which point they release the keys so the files can be decrypted (unscrambled) again.

These days there is even customer support to help you pay the ransom smoothly!


How do people get infected by Ransomware (e.g. Cryptolocker)?

Usually by clicking on links on the web or opening email attachments (phishing). Sometimes also via files downloaded from the Internet, USB drives, etc.


How does Ransomware do its damage?

Once a file that launches the Ransomware software (Cryptolocker, Cryptowall, etc.) is clicked, it runs on the computer and encrypts every file it can reach.

That includes files on the local hard-disk, but also any network shares, e.g. on a SAN or a central file-server, that are accessible to the infected PC.

Ransomware usually avoids the system and program directories, so that the computer stays stable and usable for when the ransom is paid.


How much does Ransomware earn threat-actors?

According to an article by Brian Krebs on the Reveton Ransomware, a single targeted country earned the threat-actors $44,000 USD per day (that's ~$1.3M USD per month).


Can’t we break the encryption?

In Cryptolocker's early days, yes. Nowadays the bad-guys are using the same strong encryption the good-guys use, meaning that unless you have the digital decryption 'keys', you have little to no hope of recovering the files.

As Ransomware is written by threat-actors with varying experience in programming encryption protocols, sometimes the encryption is not implemented correctly, leaving loopholes that can be used to regain access to the encrypted files, but this is hit-and-miss.


Should I/we pay the Ransom?

Computer security experts say don't pay the Ransom, as it only encourages them. The FBI's advice is to pay the Ransom if you want your files back, as there are really no other options to get important files back if one was not prepared for these attacks in advance (unless a loophole in the programming is found).

Prevention is better than cure, here.


Doesn't anti-virus protect me?

Antivirus technologies usually require a "patient zero" before new malware is discovered, Antivirus 'detections' are written, and those detections are distributed to the Antivirus software on your computer(s).

Malware can also be 'packed' (morphed, if you will), so the same malware can be re-packed to look different while really being the same code.

This allows malware to bypass Antivirus easily. New thinking is required in this space, as Antivirus alone is currently too hit-and-miss to be relied upon.
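As an added example (not code from the original post), the following Python sketch shows the behavioural alternative that the two sections above point at: instead of matching a signature, which re-packing defeats, it looks at what a process does to files. A process that rewrites many user documents in a few seconds, with ciphertext-looking contents and one new extension, behaves like the encryption step described earlier, while normal document saves do not. The file events, process IDs, paths, window size and entropy threshold are all constructed for the demo; a real deployment would feed it file-write events from an EDR or auditing agent.

```python
"""Behavioural ransomware indicator over constructed file-write events.

Instead of matching a signature (which re-packing defeats), look at what a
process does to files: many distinct user files rewritten in a short window,
contents that look like ciphertext, and one new extension dominating.
"""
import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float    # seconds since capture start
    pid: int     # process that performed the write/rename
    path: str    # path after the operation
    data: bytes  # sample of the bytes written


# System/program directories are usually skipped by ransomware (and are noisy
# during patching), so they are excluded from the user-file count.
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8 for encrypted or compressed data, ~4-5 for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def score_processes(events, window=10.0, min_files=20, entropy_threshold=7.0, share=0.8):
    """Return {pid: verdict}. A process is flagged when, within `window` seconds,
    it rewrote at least `min_files` distinct non-system files and at least
    `share` of those writes were both high-entropy and to one dominant extension."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)

    verdicts = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        best = {"files": 0, "high_entropy": 0, "top_ext": None, "suspicious": False}
        for i, start in enumerate(evs):
            # Sliding window: events from `start` up to start + window, user files only.
            win = [e for e in evs[i:]
                   if e.ts - start.ts <= window
                   and not e.path.lower().startswith(SYSTEM_PREFIXES)]
            paths = {e.path for e in win}
            if len(paths) <= best["files"]:
                continue  # keep the busiest window seen so far
            high = sum(1 for e in win if shannon_entropy(e.data) >= entropy_threshold)
            exts = Counter(e.path.rsplit(".", 1)[-1].lower() for e in win if "." in e.path)
            top_ext, top_n = exts.most_common(1)[0] if exts else (None, 0)
            best = {
                "files": len(paths),
                "high_entropy": high,
                "top_ext": top_ext,
                "suspicious": (len(paths) >= min_files
                               and high >= share * len(win)
                               and top_n >= share * len(win)),
            }
        verdicts[pid] = best
    return verdicts


def _ciphertext_like(i: int) -> bytes:
    """Constructed stand-in for encrypted content: a SHA-256 chain, ~7.8 bits/byte."""
    return b"".join(hashlib.sha256(bytes([i, j])).digest() for j in range(32))


PLAIN_TEXT = b"Quarterly report: revenue up 4%, costs flat, headcount unchanged.\n" * 16


def sample_events():
    """Constructed capture: pid 4242 rewrites 25 documents as .locked with
    ciphertext-looking bytes in five seconds (and touches one system file);
    pid 1000, a text editor, saves three plain-text memos half a minute apart."""
    evs = [FileEvent(0.2 * i, 4242, f"C:\\Users\\alice\\Documents\\q{i}.docx.locked", _ciphertext_like(i))
           for i in range(25)]
    evs.append(FileEvent(6.0, 4242, "C:\\Windows\\Temp\\note.txt", PLAIN_TEXT))
    evs += [FileEvent(30.0 * i, 1000, f"C:\\Users\\alice\\Documents\\memo{i}.txt", PLAIN_TEXT)
            for i in range(3)]
    return evs


if __name__ == "__main__":
    for pid, verdict in score_processes(sample_events()).items():
        print(pid, verdict)
```

The thresholds are deliberately coarse: a backup agent or an archiver also writes many high-entropy files, so in practice the verdict is one signal to correlate with the process image and its parent, not a kill switch on its own.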


What's new in the Ransomware world?

Cryptolocker-style malware (malicious software), until a few weeks ago, only encrypted files.

Enter 'Petya'. It encrypts the hard-disk itself (technically, it re-writes the MBR and scrambles the MFT and MFT Mirror), rendering the whole computer useless until it is either re-formatted, the files are forensically reconstructed, or the ransom is paid and the decryption keys are obtained to decrypt (un-scramble) the files.

A YouTube video of how it infects is here: http://www.youtube.com/watch?v=3Ixtt8LVpTk

UPDATE: Although not a simple process, recovery of the MFT is possible (in Petya's current incarnation), as described on this site.


Drives partitioned with GPT may not be recoverable, even with the decryption keys.
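To make the Petya point concrete, here is an added Python example (not from the original post or from the Petya analyses it references) that parses the 512-byte MBR layout Petya overwrites: 446 bytes of boot code, four 16-byte partition entries, and the 0x55AA boot signature. It compares the boot code against a hash recorded while the disk was known-good, and reports whether the disk is GPT-partitioned (an 0xEE protective entry), which the post notes may not be recoverable. The three sectors are constructed inside the code, and the boot-code bytes are placeholders rather than a real boot loader.

```python
"""Parse and baseline-check a Master Boot Record (the sector Petya overwrites).

Layout of the 512-byte MBR: 446 bytes of boot code, a 64-byte partition table
(four 16-byte entries) and the 0x55AA boot signature. A defender who records a
hash of the boot code while the machine is known-good can later detect that it
has been replaced. All sectors below are constructed for the demo.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 446
PART_TABLE_OFF = 446
BOOT_SIGNATURE = b"\x55\xaa"
GPT_PROTECTIVE = 0xEE  # partition type of the protective MBR entry on a GPT disk
# Entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
PART_ENTRY = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash, the non-empty partition entries and a GPT flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype:  # type 0 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": partitions,
        "gpt": any(p["type"] == GPT_PROTECTIVE for p in partitions),
    }


def bootcode_changed(baseline_sha256: str, sector: bytes) -> bool:
    """True when the boot code no longer matches the recorded known-good hash."""
    return parse_mbr(sector)["bootcode_sha256"] != baseline_sha256


def build_mbr(bootcode: bytes, partitions) -> bytes:
    """Assemble a constructed MBR; partitions = [(bootable, type, lba_start, sectors)]."""
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    table = b"".join(struct.pack(PART_ENTRY, 0x80 if boot else 0x00, ptype, start, count)
                     for boot, ptype, start, count in partitions)
    return code + table.ljust(64, b"\x00") + BOOT_SIGNATURE


# Placeholder boot code (not a real boot loader), zero-padded to 446 bytes.
KNOWN_GOOD_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 16
# Constructed disks: one NTFS (type 0x07) partition; the same table with the
# boot code replaced; and a GPT disk carrying only the 0xEE protective entry.
MBR_CLEAN = build_mbr(KNOWN_GOOD_BOOTCODE, [(True, 0x07, 2048, 409600)])
MBR_TAMPERED = build_mbr(b"\xeb\xfe" + b"\x41" * 30, [(True, 0x07, 2048, 409600)])
MBR_GPT = build_mbr(KNOWN_GOOD_BOOTCODE, [(False, GPT_PROTECTIVE, 1, 0xFFFFFFFF)])
BASELINE = parse_mbr(MBR_CLEAN)["bootcode_sha256"]


if __name__ == "__main__":
    print("clean changed?   ", bootcode_changed(BASELINE, MBR_CLEAN))
    print("tampered changed?", bootcode_changed(BASELINE, MBR_TAMPERED))
    print("GPT disk?        ", parse_mbr(MBR_GPT)["gpt"])
```

On a live Windows host the sector would come from reading the first 512 bytes of `\\.\PhysicalDrive0` (which needs administrator rights); record the baseline when the machine is built, keep it off the box, and alert when `bootcode_changed()` returns True. Note that the partition table in the tampered sector is identical to the clean one, which is exactly why hashing only the boot code, and not the whole sector, is the useful comparison here.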

In February 2016 a hospital was hit with Ransomware, and this has become a recurring theme; schools are also targeted, and even police-departments are fair game.


What does the future of Ransomware have in store?

Discussion of the first Ransomware 'worm' has been circulating. Larger-scale infections bring in more profit to Ransomware operators.

Although theoretical at the moment (and we hope it never happens), Ransomware could infect critical medical equipment, with ransom threats of administering lethal doses of drugs to patients once a countdown is reached.


Ransomware threat-actors are generally interested in the biggest payout for the least amount of effort.


What are the latest preventative measures?

Network-segmentation, least-privilege access and good password management have always been good security advice, and can help limit a Ransomware infection.

Regular backups and system restore-points are also good advice, provided the backups are kept somewhere the infected PC cannot write to, since any reachable share gets encrypted along with everything else.

'Application-Whitelisting' products like Microsoft's AppLocker can prevent unknown executables from running, via policies the Administrator has created of which executables to trust.

There are some cases where Application-Whitelisting can be defeated, but it is mostly effective when used correctly.

Similarly, 'Reputation-Based' services, which refuse to run executables that have no, or low, reputation, are also effective, and are becoming prevalent in most well-known Antivirus products.