Search this Blog

Loading...

Wednesday, April 2, 2014

Ransomware: a Q&A


Ransomware

A Q&A written by @bartblaze
 

Who creates them? What is their goal? How successful are they, and what is their recipe for success?

Much like my previous article on botnets, this article will be a Q&A, a question & answer.
Hopefully, we'll be able to clear up some of the mysteries behind ransomware. I have been able to interview experts in the anti-malware world. They will each give their opinion on this particular subject.

There will be additional resources as well, for those wanting to know even more about ransomware.

I will pose my question and place the answer of each expert right beneath it, for your convenience.

At the end of this post, I have recapitulated some of the answers and included additional tips and tricks as well (prevention & disinfection) . Thus, if you are not interested in the individual answers of the experts, just scroll down to the end of this post or click here to jump immediately to the conclusion. I however advise to read the full answers as they're all interesting. 

Note: you can also download this article as a PDF on MediaFire.

Introduction

As we all know, ransomware has been on the increase in the past years. The first step is distinguishing between the different versions of ransomware that are doing the rounds:

1) browlock - in the browser (which I blogged about recently, see:
Browlock ransomware cases increasing)
2) 'normal' ransomware - locks screen and asks for money
3) 'encrypting' ransomware - encrypts files and asks for money

Below you can find some example images:

Browlock (Source)























'Normal' ransomware: Reveton (Source)















'Encrypting' ransomware: CryptoLocker (Source)






















Whether you or someone you know have/has had any of the variants above, the end-goal of ransomware is always the same: extorting money from the unsuspecting user. The fact this specific piece of malware is still alive means it's successful in its spreading and method.

Without any further ado, let's get to the questions - and the answer according to each expert. 

Below the experts interviewed - included is a link to their website, and a link to their Twitter page. If you have Twitter, I strongly advise you to follow them if you aren't already. The experts are the following:

Malekal - Malware Researcher - @malekal_morte
Adam Kujawa - Malwarebytes Head of Malware Intelligence - @Kujman5000
MalwareMustDie - MalwareMustDie NPO Malware Researcher -  @MalwareMustDie
Fabio Assolini - Kaspersky Senior Security Researcher - @assolini
Fabian Wosar - Emsisoft GmbH Administration/Development - @fwosar

Remember, you can always skip to either:
  • the full conclusion by clicking here.
  • the prevention & disinfection by clicking here


Interview

a) When did you first encounter ransomware? How did you, at first, perceive it?

Malekal: 
The first Ransomware Fake Police attacks began at the end of 2011.
Those Ransomware spread using malvertising on so-called “warez” websites, and so the traffic was huge in France because warez movie streaming is very popular.
The Fake Police skin page was in German and ugly, so French users knew it was a scam.
Then in December 2011, the first Ransomware Fake Police appeared in French and became more and more real.
You can find some screenshots and story in this topic:
http://www.malekal.com/2014/02/02/en-some-words-about-malvertising-in-adult-world/

Fake Police Ransomware is declining, now some crypter versions appear (CryptoLocker, Cryptorbit, BitCrypt)
Some also target corporations, like the “OMG Ransomware”:
http://www.symantec.com/connect/blogs/omg-ransomcrypt-trojan-conscience

The chances to pay are higher for corporates as they can’t allow to lose files, especially for fileservers. Note that you can’t be sure that hackers send you the decryptors.


Adam Kujawa:
Ransomware has been around since the late 80's in some form or another. The first time I personally dealt with it was almost two years ago, when Reveton was a big problem.  I first perceived it as a weak attempt to extort money from unsuspecting users, however as I delved deeper into its operations, tactics and spread I realized how dangerous it was, beyond just the damage it was doing to the system.


MalwareMustDie: 
Do you mean encounter if in real life? If not, I tested many of those for my private reversing purposes for I do not remember the first time..

So, practically, it is rare to have ransomware here (editor's note: in Japan). We are strict in
dividing malware/crimeware case and software for hacking, spying, scamming and stealing..
You can go to jail for owning a sample, but ransomware is categorized as extortion, and is close to an act of terrorism, which is pretty bad stuff to deal with.

The first encounter, it was not known as "ransomware" but as "Winlocker" with the Russian language that locks your machine unless you enter the password. It was in 2009, I was reversing the malware to crack the password. Then a couple of years ago, a local site was utilized by (again) Russian criminals and serving a Trojan to download the Urausy.C ransomware variant.



Fabio Assolini:
Well, 2007 or 2008. It was a Gpcode infection on a friend's machine; the malware changed the desktop image with a big announcement about the infection... (editor's note: see Wiki article here for more information about Gpcode)


Fabian Wosar:
I simply don't remember. Even a few years ago we had to deal with thousands of samples a day. There is just no way to pinpoint when I first looked at one. There also isn't any memorable story either, as neither my friends and family nor me has ever be effected by ransomware.

That being said, the first most notable case of ransomware that I worked on for an extended period of
time was the ACCDFISA case in early 2012. Grinler from BleepingComputer contacted us for help with this particular malware and I just happened to take over the case. ACCDFISA is kind of an odd introduction, mostly because at the very core level it's rather primitive.
The author himself was incapable of implementing certain key aspects of his ransomware, like the actual encryption, and used various third party components like WinRAR instead.
So my first impression was rather underwhelming to be honest, as technically speaking ACCDFISA isn't very interesting even for ransomware standards back then. 
(editor's note: for more information about ACCDFISA, read here)



b) What is, in your definition, ransomware and what are its main characteristics? What is the psychological aspect of ransomware?

Malekal: 
Ransomware is a family of malware that blocks or restricts access to the computer or data, it demands money to recover access.
Before Fake Police Ransomware appeared, the border between scareware/rogues were close because scareware/rogues block the access to the computer.
Both use a psychological attack and try to deceive users.
Rogues/scareware show fake antivirus alerts, Ransomware Fake police sends a fake notification stating that you are suspected to spread or download pornographic materials or violate the copyright law, etc. It tries to let users feel guilty for surfing on porn websites or download copyrighted content.


Adam Kujawa:
Ransomware is malware that ransoms a users system or files, demanding payment for returned control and/or access. It can either encrypt the files or lock down the system by suspending the users ability to access applications or really do anything other than stare at a ransom screen.  The psychological aspect really exists in what has been referred to as FBI or Police Ransomware, which accuses the user of using their system in some illegal way and that a government organization has seized control.  The ransom claims to wipe the slate clean if the user is willing to pay a 'fine'.  I tend to call this method of ransom, assumed guilt, where the user is most likely not guilty of anything but the fact that they might not remember doing something or someone else doing something on their system that could have been illegal. When the user feels this way, they may be inclined to pay the 'fine' just because they aren't sure that they did NOT do something illegal and would rather just be free of the concern.

Some ransomware that came a bit later used the threat of Child Pornography on the users system.  The ransom screen included a picture of CP that was apparently 'discovered on the users system.'  This turned the tides because now the Ransomware made the user guilty of a crime, having CP on their system.  In addition, the user may not have sought the help of a security specialist to remove the malware because of the implications made by the ransom screen and the image presented.  Regardless if the user was an offender or not, they didn't want other people to think they were, which was enough to make some people just pay the fine.  Based on the sheer volume of Ransomware infections happening between 2012-2013, it was obvious the cyber criminals were making money.



MalwareMustDie:
Well, if a criminal locks the victim's computer & related belongings and asks money to give back or to unlock it, it is ransomware. So it has to be the blocking of access of one's belonging and ultimately money to be paid to the criminal.

The only aspect that I know of ransomware is an act of "extortion" via the internet. It's a form of crime that is aggressively conducted to break many "don't" rules in web + real life, and I really worry of its psychological damage to the victim rather than to us researchers - since many innocent people can interpret those message differently and wrongly, like as just happened in Romania, how sad. (editor's note: read that story here)


Fabio Assolini:
In a few words: encrypt your files and ask for money. For the user it's a tragedy, for companies a big headache. But for both cases, a backup can save a lot after an infection.


Fabian Wosar:
I am not a psychologist and since I never have been in that specific situation myself, I would prefer to leave the second question to people with more and possibly firsthand experience. To me, ransomware is a program, that prevents a user from using his device or accessing his data, until a ransom
is paid. Most of the times the ransom is just plain money, but there have been cases where the ransomware actually asked the user to complete surveys for example, that generate income for the malware author in other ways.



c) How does ransomware usually enter the system? For example, does it rely heavily on exploits in vulnerable software or does it use the old social engineering trick and sends an email with an attachment?

Malekal:
Fake Police Ransomware uses malvertising (malicious advertising) to spread, they focus on porn and warez websites. After you surf in this kind of websites, the fake page can appear, and so, the psychological attack works better.

Malvertisings lead to Exploit Kits (EK) that takes advantage of vulnerabilities in outdated programs, that's why users have to update all the programs installed on their computers, especially plug-ins like Java, Adobe Reader/Flash etc. Some programs like Secunia can help in this purpose.
They can also disable Java in their Browsers :
http://java.com/en/download/help/disable_browser.xml

Some crypters go via a fake Flash update. When you are surfing and some warning update page appears and send you an executable, don't open it! Same deal for email attachments.

And for Corporate, be careful about RDP Bruteforce, use a strong account password, if possible do not allow access to RDP from the internet.


Adam Kujawa:
Both.  Reveton Ransomware was frequently found as the payload for the Blackhole Exploit Kit, which used infected web servers and malvertising as its main method of spreading.  Cryptolocker was primarily seen being spread with Phishing attacks using the social engineering aspect. So at the end of the day, Ransomware is spread via multiple means, same as any malware.


MalwareMustDie:
I learned that adult site trolling or via its malvertisements is a popular "gateway" used by ransomware infections, like Reveton. The others, like Cryptolocker, are from scam scheme + its malvertisement
(attachment) as well.
 

Depending on the nature of the ransomware and the group who distributes them - for example you'll see Winlocker is found mostly in Russian "grey" sites of various chatting topics, whereas Urausy is distributed by exploit kits. Some families of ransomware (like Reveton) are specifically from adult
sites, and some specific - like Browlock goes from "traffic hijacking" to exploitation via EK. Malvertisement is mostly a trigger that can lead to those, except Crypto and other Locker families
that was found straight on in spam attachment. And so on. It really depends on the case or family.



Fabio Assolini:
Several ways: social engineering, using attachments in emails, drive-by-downloads on popular but infected websites, etc...


Fabian Wosar:
Each ransomware family has their preferred way of distribution. Reveton for example was mostly distributed through exploit drop sites. CryptoLocker was installed mostly through already existing secondary infections as well as through large email spam campaigns. The criminals behind ACCDFISA outright went out there and hacked machines on the internet running remote control services by trying to brute force user passwords. The ways into a victim's computer are almost as diverse as the ransomware families themselves.



d) In the end of 2013, it was very clear that ransomware had overthrown rogueware as scaremongering malware. However in 2014, rogueware is making a comeback. Do you expect more competition between these two? Do you consider it a possibility of ransom -and rogueware "joining forces", or even the same actors are behind some families?

Malekal:
Fake Police Ransomware has overthrown rogueware because they probably are more profitable.
Scareware/Rogues can "only" be sold around 50 euros, with Fake Police Ransomware or cryptors (editor's note: encrypting ransomware) you can ask 100 euros or more.

Also the Fake Police Ransomware was a new phenomenon, so users are more liable to pay.
More profitable to hackers, so some rogues/scarewares actors switch to it.
BestAv affiliation were behind a familly of rogue like Security Tool and others, at the end of 2011, they use malvertising and then created Urausy Fake Police Ransomware.

I try to reduce as much as possible the malvertising phenomenon and so the traffic to the Fake Police Ransomware decreases. Urausy seems to be dead, the last big player now is Reveton. I expect to get them smaller as well. Cryptors will probably emerge more and replace Fake Police Ransomware.



Adam Kujawa:
I'm not sure the developers are the same people but the criminals peddling it most certainly are. Cybercrime is a multi-million dollar business and at the various levels you find different actors.
You wouldn't expect someone growing marijuana to suddenly start making meth. At the same time, a pot dealer could easily switch to selling cocaine, which is a perfect case for how cybercriminals at the distribution level work.  They want the product that will return the most profit.

There was a big push to inform the public about Rogueware over the last decade and then there was a big push to inform the public about Ransomware, if either market will continue to profit, they will have to change tactics and make it no longer about scaring users but forcing them to pay up or else.  The natural evolution brought us Cryptolocker and its children in 2013-2014.


MalwareMustDie:
Both are not new, both are not using the same crime scheme in their process. Cryptolocker has overthrown the ransomware chaos in trending ransomware, but if nobody pays the ransom any longer, no matter what, they will become "dead" and useless. On the other hand, rogueware will always be there, but recently users are better educated to notice which ones are fake. The technology is the aspect to boost the trend, that can be used by both malware categories, like
encryption, online payment, filtration, sysinternals integration, etc.
 

If a new technology comes up and is being used in a specific malware category that threat will be on the raise in trend. This is why when we were monitoring PowerLocker and knowing many
new features they will use, we decided to end this by disclosure before is just too late since they planned to release in early January 2014 (the weakest moment in handling new methods of a threat).

(editor's note: for more information about PowerLocker aka PrisonLocker, read here)


Fabio Assolini:
I expect ransomware + bitcoin miners together, that already hapenning. Why not mining some coins while the user aren't using the machine? (editor's note: see this article for more information about this latest trend)



Fabian Wosar:  
I don't think that ransomware overthrew rogueware in the sense that it actually is responsible for the decline of rogueware outbreaks we experienced in 2012 and 2013. 
Any rogueware operation is based upon creating this large smoke screen that suggests that this rogueware is legitimate software and actually does something useful for the user so he wants to buy
it. This pretend legitimacy also means they pretty much have to use payment methods that the user sees as legitimate, like credit cards. Once the payment processors started to crack down on rogue merchants as part of their RogueBlock campaign in early 2012 they pretty much dried out the main income stream of almost all major rogueware operations. 

(editor's note: see here for more information on the RogueBlock campaign)

Ransomware on the other hand doesn't care about perceived legitimacy. Especially ransomware that
encrypts your data is very blunt about what is going on. Screen lockers usually try to be more deceptive, often suggesting they belong to your local law enforcement agency, but even they don't care to keep up the appearance when it comes to payment. So I don't believe there will be a major battle between those two. In fact, I wouldn't be surprised if ransomware as well as rogueware campaigns are run by the very same people, as some of the largest ransomware campaigns started right after large rogueware campaigns were shut down.




e) How effective is ransomware in reality? What is its actual success rate? Meaning, how many % of infected users actually pay up? Is it a certainty you will get back access to your browser/machine or personal files?

Malekal:
Difficult to know, you have some % for the Ransomware Reveton in this Krebonsecurity article : http://krebsonsecurity.com/2012/08/inside-a-reveton-ransomware-operation/

"The one on the right, for instance, shows that the attackers managed to get their malware installed on 2,116 PCs in France, and of those, only 3.7 percent — 79 victims — opted to pay to rid their machines of the ransomware. But those 79 victims each paid $100, earning the miscreants 7,800 Euros. That’s the haul from just one country; bear in mind that this stats page shows the total take from a single day (May 17, 2012). According to these stats, at least 322 people from all countries they ran the scam in opted to pay the ransom that day, earning the attackers more than €28,000 (~$34,500)! The next day (the screen shot below left), the miscreants earned €43,750 (~$54,000)."

For Cryptors, I think the OMG Ransomware variant works well as they target corporations. On my forum, most of them decide to pay to recover the files :
http://forum.malekal.com/extention-omg-ajoute-aux-fichiers-t44686.html

The criminals behind the OMG Ransomware choose to recover the files and give support. They also state this in their how-to-decrypt text file, and point to my forum or to Forospyware's forum to confirm they indeed recover your files by providing you with the decryptor tool.
They use this reputation to increase the chances of people paying.


Adam Kujawa:
 It depends, Ransomware like Cryptolocker is more effective now because everyone knows about FBI Ransomware, back when FBI ransomware came out, it was very effective because people thought it was legit.  I can't give you percentages because I don't have them but a good rule of thumb is if you see a certain kind of attack scenario being reused or re-branded, it usually means its effective.  We see malware like PrisonLocker now because of the success Cryptolocker had, just as 2012 was full of different families and variants of FBI Ransomware.

It is never a sure thing that you will regain access to your system, some ransomers have timers that prevent getting access again after the time has ran out.  A common issue with Reveton ransomware and others like it was that the callback domains would change often enough, maybe every few days, and with them any chance of getting the system unlocked, even if the user paid.

Cybercriminals are just as bad as any other kind of criminal, if someone were to hold you at gunpoint and demand your money, would you pay them? If you did, what stopped them from trying the same thing again?  If someone kidnapped your child and demanded payment and you agreed, what would stop them from demanding more money?  At the end of the day it's a money game and if a criminal thinks they can get more out of you than what you have, it's in their best interest to keep trying.




MalwareMustDie:
We'd need more research for this, but recently I read that 40% of victims are actually paying the ransom. This means that we are 40% failing in making effort to educate the right perception to fight this threat. Not to mention that the crook is a crook..not decent people, we just can't trust them, don't expect much of getting back stolen stuff or unlocked if you pay.
 


Fabio Assolini:
I saw a research pointing that In Europe or US 25% of companies pay the ransom.
In Latin America few people pay for it, companies and user's aren't used to pay for software, even to a ransomware in its system. Generally they format and restore the system.



Fabian Wosar: 
You will have to ask the bad guys how much money they are making. They are the only ones who have these types of numbers. It also depends on the ransomware family and the people running the campaign whether or not you will get access to your files back. 
Some groups simply don't care, grab your money and run. This is especially true for some CryptoLocker copycats going around at the moment. Other groups will provide decrypters and unlock codes and even provide technical support in case something doesn't work. In the end you have to keep in mind you are dealing with criminals here. So they are pretty much unpredictable.

 

f) What's the chance of bank credentials being stolen, CC theft or simple abuse when paying up to get rid of the ransomware or to recover your files?

Malekal:
I think chances are low, some Fake Police Ransomware embedded some stealers or were purchased via malware packs. So passwords can be stolen, but I don't think the chances are big for bank credentials.
 


Adam Kujawa:
Most often, Ransomware uses prepaid cards rather than accepting CC info, this is because using CC info could leave them to be tracked, using Pre-paid cards allows them to be anonymous.  The same with cryptocurrencies.  So unless the Ransomware also installs a banker Trojan on your system, left there after you had paid the ransom to steal your info, your CC info is safe.


MalwareMustDie:
The chance always exists, as with any other threat vector.


Fabio Assolini:
Big. Negotiating with cybercriminals is not secure in anyway.
 


Fabian Wosar: 
Most ransomware will not steal any private information. There have been some cases like later Reveton variants that try to steal login credentials, but that is still an exception. 
However, malware in general rarely comes alone these days. It usually brings along some friends in form of secondary infections. It is not unusual that those secondary infections will steal private information or install even more malware later that will. 



g) Last but not least, which preventive measures can be taken? Do you have any other (personal) tip to protect one's self against ransomware or malware in general?

Malekal:
Some cryptors go via a fake Flash update. When you are surfing and some warning update page appears and send you an executable, don't open it! Same deal for email attachments.

And for Corporate, be careful about RDP Bruteforce, use a strong account password, if possible do not allow access to RDP from the internet.


Adam Kujawa:
Installing and updating (frequently) antivirus and anti-malware software is the first step to protecting a system. The second would be to update all applications (frequently) and the operating system itself.  I also recommend disabling Java in your browser and using an Ad Blocker plug-in, to prevent you from ever seeing malicious ads.  As far as email goes, unless you can completely 100% ensure the legitimacy of a particular email attachment or link, I would avoid clicking on it or opening it. Scrolling over the link in an email to determine where it's pointing to is a common method of checking for Phishing attempts.

Safe surfing is also key, sticking to trusted websites as much as possible and avoiding clicking something that seems too good to be true. (i.e. XYZ Sex Tape!!! Free XBOX!!!, etc.)


 

MalwareMustDie:
First, educate yourself about computer security. 

Do the backups, do the updates, don't open links or attachments or suspicious messages in mails/chat/IM/Facebook/Twitter/etc no matter how curious you are. 
Do not leave your PC open for too long if it's not necessary, without supervision. 
Secondly, don't use Java. If you don't know what and when you need Java, then secure your browser by activating security add-ons in it like AdBlock and NoScript. The last thing is use
Firewall and AntiVirus to help you to protect yourself and to learn to be more aware of what malware threat possibility is. AV result is not an "exact verdict" for malware and it is a WRONG idea if you  rely 
your security for 100% on those products WITHOUT raising your common sense
in security itself.

Do not blame on anyone but yourself if you have the infection, for not putting more attention on the security for your PC, and please NEVER EVER pay ransom, don't deal with those terrorists to help us kill the threat for good.



Fabio Assolini:
A good AV + updated plug-ins (specially Java) + limited user account are the most common way to avoid a lot of infections. But the most important countermeasure is a good backup.
 


Fabian Wosar: 
At the moment there is just one sure-fire way to protect yourself: Make backups. These backups have to be stored off-device. There is no point in just copying your files to an external hard drive and leave that drive connected, because ransomware will just encrypt your backups as well.

Ideally you want a system that stores your files at a location that the malware usually can't access and that implements re-visioning, so even if malware encrypts your files locally and the encrypted version of a file is synced to your backup storage, you can still switch to a non-encrypted
version of the file later. Write-once media like DVD or Blue-Ray work pretty well as well.



Conclusion

It seems obvious that ransomware has been on a rise in the last years. For example, check out these statistics from Microsoft, for the first half of 2013:

Encounter rate trends for the top 6 ransomware families in 1H13 (Source)


















I'm pretty sure we'll see the same trend in 2014, with encrypting ransomware taking the lead. However, the usual ransomware is sure to persist as well.

It seems most experts were not exactly impressed with their first ransomware encounter. Understandably, poor encryption was still used then (unlike RSA1024 which most ransomware variants currently use) and their design was ugly and not exactly inspiring.

However, even though ransomware used to be very primitive, it was also effective. Hence why we are now flooded seeing a lot of new variants pop up. In terms of malware evolution I personally think ransomware would be the uncrowned king. Its design has changed throughout the years, as did the encryption mechanism. While not perfect - many localized variants handle a language one can understand - and interpret incorrectly as a message from their police department.

As you know, ransomware - hence the name- holds the computer (and the user) ransom. You will have to pay a certain fine, usually at least €/$/£100 or more. You cannot access your data; your files, your family pictures, ... You get what I'm going at here. Ransomware is in fact an interesting aspect of the whole social engineering framework, as one expert pointed out nicely:
"I tend to call this method of ransom, assumed guilt, where the user is most likely not guilty of anything but the fact that they might not remember doing something or someone else doing something on their system that could have been illegal."
Which brings us to the question: did the user do something illegal? Well, that's irrelevant at this point, because the ransomware doesn't differentiate between a "guilty" user or an innocent one.
Some extreme cases of ransomware used images of child pornography, making the situation even worse and the user more likely to pay up.  Example: "I never downloaded any of this, better pay and get rid of it!"
"The user may not have sought the help of a security specialist to remove the malware because of the implications made by the ransom screen and the image presented.  Regardless if the user was an offender or not, they didn't want other people to think they were, which was enough to make some people just pay the fine."

Ransomware usually enters the system via malvertisements (malicious advertisements) or an exploit kit. In some cases, the ransomware is attached to an email and a few are actually installed on servers by attackers who were able to crack the RDP password from said server. In short, you can get ransomware (as well as any other malware) by the common distribution methods: exploits, malvertisements, spam (and malware attached or link to a malicious website) and even plain simple hacking. Like one expert notes:
"The ways into a victim's computer are almost as diverse as the ransomware families themselves."

Has ransomware overthrown rogueware? Not every expert seems to think so. However, there was a noticeable decrease in rogueware, which can be explained:
"Any rogueware operation is based upon creating this large smoke screen that suggests that this rogueware is legitimate software and actually does something useful for the user so he wants to buy
it. This pretend legitimacy also means they pretty much have to use payment methods that the user sees as legitimate, like credit cards. Once the payment processors started to crack down on rogue merchants as part of their RogueBlock campaign in early 2012 they pretty much dried out the main income stream of almost all major rogueware operations. "


Some cybercriminals switch from rogueware to ransomware because it is simply more profitable:
"BestAv affiliation were behind a familly of rogue like Security Tool and others, at the end of 2011, they use malvertising and then created Urausy Fake Police Ransomware."

On the comparison between rogueware and ransomware:
Both are not new, both are not using the same crime scheme in their process. Cryptolocker has overthrown the ransomware chaos in trending ransomware, but if nobody pays the ransom any longer, no matter what, they will become "dead" and useless. On the other hand, rogueware will always be there, but recently users are better educated to notice which ones are fake." 

"Cybercrime is a multi-million dollar business and at the various levels you find different actors.
You wouldn't expect someone growing marijuana to suddenly start making meth. At the same time, a pot dealer could easily switch to selling cocaine, which is a perfect case for how cybercriminals at the distribution level work.  They want the product that will return the most profit."

On the effectiveness of ransomware, let's take a glance at the image below:
Weelsof ransomware earnings on 5/17/2012 (Source)















Bear in mind this is only from one day. They have a large install base, but not too many payments. However... according to these stats, at least 322 people from all countries they ran the scam in opted to pay the ransom that day, earning the attackers more than €28,000 (~$34,500)! This is for one day!

Unfortunately, there aren't too many stats for this as the creators of ransomware obviously keep those for themselves. This leaves us with the  big question: will you regain access to your data?
"It is never a sure thing that you will regain access to your system, some ransomers have timers that prevent getting access again after the time has ran out."
Another expert notes:
"Not to mention that the crook is a crook..not decent people, we just can't trust them, don't expect much of getting back stolen stuff or unlocked if you pay."

Meaning, chances are pretty low you'll get any of your data back even if you pay. There are exceptions however, like the following expert witnesses:
"The criminals behind the OMG Ransomware choose to recover the files and give support. They also state this in their how-to-decrypt text file, and point to my forum or to Forospyware's forum to confirm they indeed recover your files by providing you with the decryptor tool.
They use this reputation to increase the chances of people paying."

Remember the golden rule for ransomware (or rogueware): don't pay! You never have 100% chance you'll get any of your data back. Repeating: DO NOT PAY FOR RANSOMWARE.

Will any other malware be downloaded or executed on your machine while you are staring at the ransomware screen? Most experts agree that chances are low, but not non-existent. There's always a chance the ransomware is accompanied by other malware, as recently happened with ransomware also downloading bitcoin-mining software. Like one expert notes:
"However, malware in general rarely comes alone these days. It usually brings along some friends in form of secondary infections."
Other examples in the malware world are for example the ZeroAccess rootkit and file-infector Katusha, or more recently Zbot (Zeus) and Fareit.

This article wouldn't be complete without providing the necessary countermeasures for this specific piece of malware. For these countermeasures, I happily refer to the full answers of the experts, which you can view by clicking here.


In short, take the following preventive measures:

  • Keep installing all relevant Windows Updates. (No, not Silverlight)
  • Install an antivirus and firewall and keep it up-to-date and running.
  • Uninstall any unused applications, for example Java.
    If you do need Java, keep the following in mind:
    • Uninstall any older Java versions, as keeping those older and vulnerable versions on your system is a very bad idea. You can follow the steps on Oracle's site itself or use JavaRa for example.
    • Disable Java in the browser by following the steps from Oracle here.
     
  •  Keep your other sofware or applications up-to-date. You can use Secunia PSI for example.
  • Install an adblocker, for example Adblock Plus.
  • An additional layer of protection in your browser (and a must nowadays) is NoScript (Firefox), ScriptSafe (Chrome) or NotScripts (Opera) to prevent automatic loading of malicious (Java)scripts.
  • As usual, don't open any unknown attachments or links. Use a strong spam filter if possible. You can also 'hover' or scroll over a link to see the real URL behind the link.
  • Try to avoid shady or unknown websites if possible. An add-on like WOT can help you determine the legitimacy of a website.
  • Keep your browser of choice up-to-date, as well as any add-ons or plugins.
  • Don't fall for the obvious spam, phishing or scam attempts. Golden rule:
    if it looks too good to be true, it probably is!
  • Last but not least, make backups! A few points to consider when making backups:
    • Don't leave your external drive plugged in after the backup. This to prevent your backup files will be encrypted as well. So, take your backup and disconnect your external hard drive afterwards.
    • Be careful with backups in the cloud as well. If you use Dropbox for example, and it syncs to your Dropbox folder after your data has been encrypted... You will have another copy of your encrypted data.
    • Test your backup, if possible. You wouldn't want to encounter an infection then to only find out your backups are corrupted somehow.
    • You can also write your backups to write-once media, like for example DVDs or Blue-Ray. Easier is of course using an external hard drive, but don't forget to disconnect it after you have made the backup.

In organisations, corporations or businesses some of the above rules apply, like for example installing and keeping antivirus software up-to-date and running. Some other points to consider:
  • Use a strong password for your servers. Even better is to disable RDP from the internet if at all possible. Additionally, use a firewall to block unknown intruders or attackers.
  • Use a strong spam filter. Preventing any infection now will save you a lot of work later.
  • Use Group Policies if possible. An excellent resource on this is the following page by BleepingComputer, which includes several examples of Group Policies to stop ransomware from ever entering your company. Be sure to test these policies on a separate machine first if possible.  How to prevent your computer from becoming infected by CryptoLocker
  • Another way is to restrict Administrator rights for your users. They shouldn't be installing any software other than work-related software anyway.
  • If possible, educate your users. Have policies & procedures in place for BYOD (Bring Your Own Device) as well as any other malware incidents or outbreaks.
  • Last but not least: make backups! This is something you should do either way. Best way is to let the backups be stored in another physical location than yours, if possible. (this not only to prevent ransomware from encrypting all the files on your shared drives or server, but also in case of a natural disaster or fire in your building. You never know.)


This all good and well, but what if I'm already infected with CryptoLocker or any other ransomware? What if my server has been infected and all my files are encrypted?

  • First things first: do not pay for ransomware!
  • If applicable, simply restore from a backup.
If you do not have a backup available:
  • If you are dealing with normal ransomware (Reveton, Urausy, ...):
  •  If you are dealing with encrypting ransomware (CryptoLocker, BitCrypt, ...):
    • Try cleaning the malware first by following the steps above. Note that in some cases this is not the best action to take, as some ransomware variants install the decryption tool on your machine as well. In that case, it is better to ask help on any of the forums above.
      Afterwards:
    • Try restoring to a previous System Restore Point.
    • Try using any of the publicly available antivirus tools for decrypting your data. Keep in mind that most of these tools are for a specific ransomware family or variant.
    • Sometimes, you are lucky and can use Shadow Copies (Restore Previous Versions). If this doesn't work, you can use ShadowExplorer for example.
    • Sometimes, you can have luck restoring files by using data recovery software like Recuva, or for a bigger chance in restoring your files, PhotoRec. Note that these require you to delete the encrypted files, so use this as a last resort. Also note there's no 100% chance you'll be able to restore any of your data. (in any case)
Note that ransomware (and any other malware) may also reside in your System Restore. Thus, after cleaning up the infection, clean out all your restore points and create a new one.

You may also want to consider filing a complaint via the Internet Crime Complain Center (IC3) or via your local police station or CERT (list of CERTs available via Enisa or Europol).


Resources

Are you interested in learning even more about ransomware? (Though I'm pretty sure your knowledge has increased greatly after reading this article.)

Below you can find an excellent list of resources, in no particular order:

Microsoft Malware Protection Center - Ransomware
KrebsOnSecurity - Ransomware (search query)
Botnets.fr - Police Ransomware
Malware Must Die - Tango Down of 44 + 19 + 75 CryptoLocker CnC Domains 
Mark Russinovich’s Blog - Hunting Down and Killing Ransomware
BleepingComputer - Information on Ransomware Programs
BleepingComputer - CryptoLocker Ransomware Information Guide and FAQ
Malware don't need Coffee  - Ransomware (search query)
Wikipedia - Ransomware



Final Word

First of all,  I would like to thank the experts for their time and of course their professional insight on the subject.

Secondly, I hope that throughout this blog post you've gathered some new knowledge about ransomware and specifically on how to prevent it from ever happening to you.

Thirdly, should you have any questions, comments, feedback or anything else: feel free to leave a comment or contact me via Twitter. I'll reply as soon as possible.

Monday, March 3, 2014

Browlock ransomware cases increasing



Browlock is (unfortunately) nothing new. It's a simple webpage that "locks" your browser and demands a certain amount (usually $/£/€ 100) to unlock it. You cannot exit out of the browser.

Browlock typically gets delivered via malvertising (which is the user clicking on a malicious ad). Read more about Browlock here:
Browlock Ransomware Malvertising Campaign

Anyways, it seems they're now also stepping up their game for Belgian (or Dutch-speaking) victims, as I recently stumbled upon the following:

Browser blocked by Browlock






















If we check the source of this webpage, we see the following iframe:



This suggests they're testing the waters in regards to Belgian users.

I have listed the most important points below, written in the most awful Dutch I have ever seen (Google Translate is clearly not the best translator out there for some languages):

U zijn onderworpen aan schending van de auteursrecht en de naburige rechten (Video, Muziek en Software) en onrechtmatig gebruik oftewel verspreid auteursrechtelijk beschermde content

U hebt bekeken of verspreiden verboden pornografische content

Onrechtmatige toegang is gestart vanaf uw computer zonder uw medeweten of toestemming, Uw PC kan besmet raken met malware

Om uw computer te ontgrendelen en naar andere juridische gevolgen te voorkomen, bent u verplicht om een release vergoeding van 100 EUR-te betalen via PAYSAFECARD (u moet aankopen PAYSAFECARD kaart, opwaarderen van 100 EUR en voer de code). U kunt aankopen de code in elke winkel of tankstation. PAYSAFECARD is beschikbaar in de winkels in het land.


When trying to exit the page:

Message in Internet Explorer. Oops :-)










In Firefox, I got no weird characters in the messagebox, but as indicated in the screenshot above - Internet Explorer wasn't exactly happy. Maybe it's due to the fact that their Dutch is terrible.

To unlock your browser, you need to pay €100. You can use any of these payment methods:

Payment methods by Browlock








Seems like quite a lot of Browlock (and in the past other ransomware) is hosted on this IP:
146.185.235.7 - IPvoid Result - VirusTotal information

WhoIs data:

WhoIs data, most probably fake



It seems the abuse address is: noc@webhosting-area.net
Somehow I doubt we will get a reply when sending to that address...




Prevention

  • First and foremost in these cases, install an extension that blocks (malicious) ads! 
    I suggest using Adblock Plus, compatible with most modern browsers.
  • An additional layer of protection in your browser (and a must nowadays) is NoScript (Firefox), ScriptSafe (Chrome) or NotScripts (Opera) to prevent automatic loading of malicious Javascripts.



Disinfection

First things first: do not ever pay! Not for Browlock, nor for other ransomware types.

Luckily, Browlock is very easy to counter: simply close your browser by killing the browser's process

When you encounter Browlock, open up Task Manager by pressing on your keyboard on:
CTRL + SHIFT + ESC, or pressing CTRL + ALT + DEL, then choosing to open Task Manager:

Start Task Manager


After Task Manager is opened, go to the "Processes" tab and kill your browser's process:

Internet Explorer - iexplore.exe
Google Chrome - chrome.exe
Mozilla Firefox - firefox.exe
Opera Software - opera.exe




Conclusion

Have you encountered Browlock? First thing to do is not panic - as you can easily remediate it.

Secondly, follow the prevention tips above to avoid Browlock.

Thirdly, if you encounter ransomware - Browlock or not: do not pay, ever! You will not get your money back and chances are you will still have the malware on your machine.

Lastly, as usual; keep your operating system, antivirus and browser up-to-date.

Thursday, February 6, 2014

Swedish newssite compromised


Today a Swedish and well-visited newssite, AftonBladet (http://www.aftonbladet.se), was compromised and serving visitors a fake antivirus or rogueware.

There are two possibilities as to the cause:
  • A (rotating) ad where malicious Javascript was injected
  • AftonBladet itself had malicious Javascript injected

Whoever the cause, the injected script may haven been as simple as:
document.write('< script src=http://http://www.aftonbladet.se/article/mal.php');

When trying to reproduce, it appeared it already was cleaned up, fast actions there.

Thanks to my Panda Security colleague Jimmy from Sweden, I was able to obtain a sample.


File:    svc-ddrs.exe
Image icon:








Size:    1084416 bytes
Type:    PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5:     be886eb66cc39b0bbf3b237b476633a5
SHA1:    36c3671f37f414ad6e0954e094a1a7bd0dcc34fc
ssdeep: 24576:M2xJbbGmTvmN9BfQ0lc4Bt4Xsk2QkibF5BOWe8JH0:M6bb3MQ0lc434n2Qhh5kWe8JU
Date:    0x52F1C3E1 [Wed Feb  5 04:53:53 2014 UTC]
EP:      0x5a8090 UPX1 1/3 [SUSPICIOUS]
CRC:     Claimed: 0x0, Actual: 0x10eeb0 [SUSPICIOUS]
Packers: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
VirusTotal: https://www.virustotal.com/en/file/ee2107d3d4fd2cb3977376b38c15baa199f04f258263ca7e98cb28afc00d2dd0/analysis/
Anubis: http://anubis.iseclab.org/?action=result&task_id=12dc4daced1762174cdfa58df0872aae2&format=html


When executing the sample

Windows Efficiency Master
















Fake scanning results



















Besides dropping the usual EXE file in the %appdata% folder, it also drops a data.sec file with predefined scanning results (all fake obviously). Here's a pastebin with the contents of data.sec:
http://pastebin.com/DCtDWEbi


It also performs the usual actions:
  • Usual blocking of EXE and other files
  • Usual  blocking of browser like Internet Explorer
  • Callback to 93.115.86.197 C&C
  • Stops several antivirus services and prevents them from running
  • Reboots initially to stop certain logging and monitoring tools
  • Uses mshta.exe (which executes HTML application files) for the usual payment screen
  • Packed with UPX, so fairly easy to unpack
  • Connects to http://checkip.dyndns.org/ to determine your IP

This rogueware or fake AV belongs to the Tritax family, which has been going around for quite some time and has lots and lots of different names, but the design, concept and initial social engineering attack are all the same.
@ydklijnsma made an excellent post on this family, which you can read here:
http://blog.0x3a.com/post/75474731248/analysis-of-the-tritax-fakeav-family-their-active



Prevention

In this case, no exploit -nor Java/Adobe, nor browser- was used. Only Javascript was injected.
  •     Install an antivirus and antimalware product and keep it up-to-date & running.
  •     Use NoScript in Firefox or NotScripts in Chrome.
  •     Block the above IP. (either in your firewall or host file)



Disinfection
  •  Perform a full scan with your installed antivirus and a scan with another antivirus or antimalware product. You can check on VirusTotal which antivirus applications already detect this malware.
  • If you are having issues doing this, reboot your machine in Safe Mode and remove the malware. For any other questions, don't hesitate to make a comment on this post or contact me on Twitter.



Conclusion

Remember the PHP.net compromise? Although maybe not as big, the AftonBladet is still a very busy and frequently visited website. This shows that any website may have issues with malware or injected Javascript(s).

Follow the tips above to stay protected.





Information for researchers:

PCAP file with traffic (click)








Samples:
Filename MD5
data.sec 2b55d02b2deed00c11fa7ddd25006cbc
svc-ddrs.exe  be886eb66cc39b0bbf3b237b476633a5
svc-ddrs.exe (unpacked) d667ffdd794fcc3479415ec57de35a58
svc-ejhy.exe (related) 803df2164a3432701aff3bbf0acd2bfe

Wednesday, February 5, 2014

Remediate VBS malware


I have developed a small tool that will aid you to remove VBS malware from a machine or in a network. I made this some months ago when I saw quite a lot of these doing the rounds. The tool is written entirely in batch, should you wonder.

The tool is simple and pretty much self-explanatory:

Remediate VBS worm
Remediate VBS worm














You should run the script in the following sequence, at least on a normal machine:
A, plug in your USB and choose B, C.After these steps, perform a full scan with your installed antivirus product or perform an online scan.


Some tips and tricks:


  • Using option A, the tool will attempt to clean the infection. It will also fix any registry changes made by the malware. (for example it will re-enable Task Manager should it be disabled).
  • ! When you use option B, be sure to type only the letter of your USB drive!
    So if you have a USB drive named G:\, you should only type G
    This option will eradicate any related malware on the USB drive, as well as unhide your files (make them visible again).
  • I advise to end the script with Q as to ensure proper logfile closing. A logfile will open automatically, but is also created by default on the C:\ drive. (C:\Rem-VBS.log)
  • When the tool is running, do not use the machine for anything else.
    (it takes about 30 seconds to run)
  • Accidently used an option and want to exit the script? Use CTRL + C to stop it.


You can use this to remedy the following malware:

  • Excedow
  • Jenxcus
  • Houdini/Dinihu
  • Autorun worms
  • Any other VBS (VBScript) or VBE malware
  • Any other malware that abuses the WSH (Windows Script Host)


Download the tool from here:

Rem-VBSworm
MD5: 61bc391bd9b94baa8692b323f0f5dcc4

Note: as of 23/04/2014, I've updated the tool - it is now version 2.0.0:
ADDED: detections & disinfections will now be logged
ADDED: all attached drives are now listed
FIXED: False positive on unrelated files
FIXED: Issue with Read-Only files
IMPROVED: Registry fixes
IMPROVED: Scanning time
IMPROVED: Disinfection mechanism for USB-drives





Conclusion

In regards to autorun worms, you should follow these precautions:

  • Install all your Windows Updates.
  • Disable autorun. This should already be done by Windows Update, but if not you can use:
    • Panda USB Vaccine, download from CNET
    • Follow the steps in this Microsoft article (also for companies)
  • Don't simply insert a USB-drive in your machine without knowing who it is from. Found a USB-drive at your parking lot? Yeah, don't even think about it. You might want to read:
    Criminals push malware by 'losing' USB sticks in parking lots
  • You can install and run Script Defender along your antivirus/antimalware product:
    Script Defender by AnalogX
    This will effectively block the execution of malicious scripts like VBS, VBE, HTA, ...
  • If you aren't planning on ever using VBscripts at all, or you are not working on a company laptop (which may use scripts!), you can also simply disable the Windows Script Host.
  • For companies, take a look at this as well:
    Command line process auditing
  • Last but not least, install an Antivirus and update it regularly.

Tuesday, December 31, 2013

Happy New Year!


To all my readers, I wish you a happy New Year! Stay tuned, as there will be more blog posts in 2014!

The most important tips of 2013 were probably:





Stay safe folks. May you all have a great and malware-free 2014!