Ransomware: What It Is, What It Does and Keeping Free of It

By Simon Kravis

With increasingly powerful variants known by exotic names such as Zepto, Locky, Dridex and Angler, ransomware poses a growing and critical threat to enterprises. In 2015, there were nearly 407,000 attempted ransomware infections and over $US325 million was extorted from victims, with many experts seeing it as the security issue of 2016.

The term ransomware describes malware that restricts access to PCs or files until a payment is made, at which point instructions or software to restore access are supplied. The ready availability of strong encryption components and untraceable online money transfers via BitCoin has driven the evolution of this lucrative form of extortion. It is based on malware encrypting user files, followed by a demand for payment in return for the decryption keys and tools needed to regain access to file content.

Combined with increasingly well-engineered delivery methods, ransomware presents a serious threat to data and image storage. Individuals and small organisations without dedicated IT resources are most vulnerable, but a number of US hospitals are reported to have been attacked.

The rapid speciation of ransomware is shown in the diagram below, and income from ransoms provided by attacked individuals and organisations has been estimated at US$60m per year early in 2016.

Attacked organisations often find it more cost-effective to pay ransoms and thus help to fund development of the next generation of ransomware. Cybersecurity company FireEye investigated the financial performance of the TeslaCrypt ransomware (the most common ransomware reported for Dec 2015 to May 2016) and the interactions of victims with the ransom system in early 2015.

It found that 13% of victims paid ransoms averaging 1.5 BitCoins or $US1000 in Paypal MyCash, netting TeslaCrypt about $US12,000 per week during the two-month period. 21% of the victims interacted with TeslaCrypt via its messaging system and their messages (and TeslaCrypt responses) indicate the impact that ransomware infections have on individuals and small organisations.

There are also documented cases where the decrypting process failed after the ransom was paid (probably due to software bugs), leaving victims out of pocket and with inaccessible encrypted files.

Delivery mechanisms for ransomware include unsolicited emails framed to encourage the recipient to open an attached file, which may be a macro-containing Office file or a zipped script file which downloads the ransomware executable and generates machine-specific encoding keys. Ransomware may also be delivered via exploit kits on web sites, which take advantage of security holes in common programs such as Java or Flash to install malware when the site is accessed by a browser. Legitimate web sites may be hacked to redirect browsers to sites containing an exploit kit.

Because decrypting files without a key is so difficult, anti-ransomware efforts are focussed on avoiding infection rather than recovering encrypted data, although occasionally decryption keys become freely available.

The US Department of Justice successfully located the servers used by CryptoLocker in 2014 as part of Operation Tovar, which involved law enforcement agencies, security companies and academics from many countries. As a result, security firms Fox-IT and FireEye offered a free decryption portal service for files encrypted by CryptoLocker.

More recently, the TeslaCrypt operation made its decryption master key available on its ransom payment site for unfathomable reasons. Suggested motives are genuine remorse, a desire to retire in a media-friendly way, or being hacked by a rival ransomware operator who wished to drive them out of business. The key has been quickly packaged into free clean-up applications that will have been rapidly utilised on machines infected with TeslaCrypt.

However, the rapid evolution and high profitability of encrypting ransomware means that free decryption resources are unlikely to be available for all ransomware in future and the only certainty is that the sophistication and threat level of ransomware will increase. Preventing infection is much more effective than trying to deal with it once it has happened.

When infection occurs, it may be difficult to know exactly what type of ransomware has been run: apparently authoritative analyses may describe ransom notes and features of earlier versions. In addition, infections may not be immediately apparent on individual machines where programs other than email clients and web browsers are infrequently used. Web browser operation is not seriously affected, and Outlook email clients are not affected because Outlook keeps a lock on any active archive (.pst) files, thus preventing them from being encrypted. As the ransom price may increase with time, delay in payment may increase costs if the user decides to pay the ransom.

The effect of a ransomware infection on cloud servers would be colossal, as the operator would face the prospect of closure of the service unless the ransom was paid and service restored promptly. Windows Server operating systems have highly restricted Internet access by default and only the software required for server operation, which limits the channels for infection. It is to be hoped that all servers would have a very high level of protection and highly limited access, making infection much more difficult. However, no Internet-connected system can be invulnerable, and disgruntled ex-employees with detailed knowledge of system design may be aware of exploitable loopholes in security.

Advice for avoiding infection by ransomware is abundant – most security software vendors offer it, and the common features are very clear:

Users should be instructed not to open email attachments which come from an unrecognised source or are thought to be bogus. Many different email subjects and content can be used to lure the recipient into clicking on an attachment. Fake invoices are particularly common. Typing the email subject into a search engine and seeing if it appears in conjunction with any identification as spam may be useful.

Users should be instructed not to click on web site links unless they absolutely trust the page. Links which offer something that seems too good to be true (e.g. Click here for your chance to win $5000/ a free iPad) are much more likely to download malware than provide what they state.

Use security software and ensure that it is enabled and using an up-to-date threat database. When a new ransomware variant appears, it will not be identified by any threat database until it is reported to the security software vendor, and this may take some days. Some anti-ransomware software looks for behavioural attributes of software rather than relying on signatures from a database requiring regular updates. This closes the day zero loophole but will be prone to false positives.

Ensure that data is backed up on a filesystem not connected to a network so that unencrypted files can be restored if needed. Network-connected backups may also be encrypted if accessible to the ransomware. Additionally, tens of thousands of ransom notice files may be generated in user and system folders and these may need to be removed as they may affect applications. Another problem is that application configuration and operation files, which are not necessarily backed up, may be affected. This will require system re-imaging as well as backup restoration.

Ensure that patches blocking access to security holes in any installed applications (particularly common ones such as Java, Flash and Office) are applied as soon as they are released.
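The clean-up problem noted in the backup advice above (tens of thousands of ransom notice files scattered through user and system folders) can be approached by listing small files whose name and content repeat across many folders. The following Python script is an added example, not part of the original article; the function names, thresholds and sample file names are assumptions, and it only reports candidates for review rather than deleting anything.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def find_note_candidates(root, min_dirs=3, max_size=64 * 1024):
    """Group small files by (name, content hash); report groups that recur
    in at least min_dirs distinct folders. Thresholds are assumptions."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                # Skip links, empty placeholder files and anything too big
                # to be a text/HTML notice.
                if os.path.islink(path) or size == 0 or size > max_size:
                    continue
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # locked or unreadable: skip rather than abort
            groups[(name.lower(), digest)].append(path)
    found = []
    for (name, digest), paths in groups.items():
        if len({os.path.dirname(p) for p in paths}) >= min_dirs:
            found.append({"name": name, "sha256": digest, "paths": sorted(paths)})
    return sorted(found, key=lambda g: len(g["paths"]), reverse=True)


def build_sample_tree(root):
    """Constructed test data, not output from any real infection."""
    note = b"Constructed sample notice: your files are locked.\n"
    for i, sub in enumerate(["Desktop", "Documents", "Pictures", "Documents/Work"]):
        folder = os.path.join(root, *sub.split("/"))
        os.makedirs(folder, exist_ok=True)
        for fname, data in [("SAMPLE_NOTICE.txt", note),       # identical everywhere
                            ("readme.txt", b"folder %d" % i),  # same name, new content
                            (".keep", b"")]:                   # empty placeholder
            with open(os.path.join(folder, fname), "wb") as fh:
                fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for group in find_note_candidates(tmp):
            print(group["name"], len(group["paths"]), "copies")
```

Legitimate files such as identical licence or configuration stubs can also repeat across folders, so the output is a review list to check against the actual ransom notice before anything is removed.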

Simon Kravis is the principal of information management consultants Aleka Software http://www.alekaconsulting.com.au/contact.html