The Truth about Cryptolocker and Ransomware

Written by Jeremy Smario on Wednesday, June 3rd 2015 — Categories: Security, FAQs

One of the more ingenious forms of computer hacking in the past decade is the development and implementation of ransomware. Ransomware is a type of malware that, once it infects a user’s computer, restricts access to that computer and demands that a ransom be paid before the system can be accessed. The ransom can range from $100 to upwards of $10,000.

The malware code actually encrypts all of the files on the user’s computer, essentially rendering the files useless. The malware also puts up a user interface which displays a message to the user indicating what has happened, along with instructions on how they can make the payment to unlock and decrypt their files. Once the user has sent payment and the payment is verified, the files are supposed to be decrypted so that the user has access to them again, but this is not always the case.
 

How does Cryptolocker/Ransomware Encrypt Files?

The malware commonly known as ransomware works as a trojan horse virus. This means that the virus is allowed to infect your computer when you click on a malicious link and are directed to a website where the code infects your computer, or when you download an attachment that injects the code into your computer.

It is called a trojan horse virus because you are tricked into thinking it is a file that you want to open, named something like "invoice.zip" or "nicepicture.zip". Typically, this is an instantaneous change as the malware very rapidly deploys the code to take over the target computer. Users often are unaware of what they have done before their computer is locked and they have no way to access their files. This code is also smart enough to simply bypass the common virus detection programs, so the common virus detection programs will do nothing to stop the injection of this code. 

Once the code has begun to infect your computer it will submit your data files to an RSA encryption process that will encrypt all of your files and prevent you from accessing them. The code essentially encrypts every file on your computer and prevents you from accessing any one of these files. The encryption program used by the ransomware malware varies with each instance of the virus.

The specific type of encryption may vary, and with it the decryption code, but the process is the same. Because the creators of these viruses have had years to perfect their craft, they have also started injecting code in their malware that will delete all of the Shadow Volume copies that you have created, as they have identified this as a plausible method of fighting against the virus. By erasing these copies, they force you to pay their ransom in order to get your files back.
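An added example, not part of the original article: whichever cipher a given variant uses, encrypted output looks like random bytes, so a share or a backup can be triaged for affected files without knowing the key. The signature table, the 7.5 bits/byte threshold and the function names are assumptions made for this example.

```python
import math
import os
from collections import Counter

# Leading "magic bytes" for a few common formats (assumed, not exhaustive).
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}
# Formats that are normally compressed, so high entropy alone proves nothing.
NORMALLY_DENSE = {".pdf", ".png", ".jpg", ".zip", ".docx"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune on your own data


def shannon_entropy(data: bytes) -> float:
    """Return the entropy of data in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def classify(name: str, data: bytes) -> str:
    """Return 'ok' or 'suspect' from a file's name and its leading bytes."""
    if not data:
        return "ok"                 # empty file: nothing to judge
    ext = os.path.splitext(name)[1].lower()
    magic = MAGIC.get(ext)
    if magic is not None and not data.startswith(magic):
        return "suspect"            # header no longer matches the extension
    if ext not in NORMALLY_DENSE and shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "suspect"            # text-like or unknown format looks random
    return "ok"


def scan(root: str, sample_size: int = 65536) -> list:
    """Walk a directory tree and return the sorted paths of suspect files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_size)
            except OSError:
                continue            # unreadable file: skip it, keep scanning
            if classify(fname, head) == "suspect":
                hits.append(path)
    return sorted(hits)
```

Files shorter than a few hundred bytes cannot reach the threshold, so a clean result on very small files is inconclusive.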

Once these files have been encrypted, you will see a pop-up window which will display instructions on how to get your files back. You will need to pay the requested ransom, they will verify that this payment goes through, and then they will begin to run the decryption program giving you access to your files. Since these are criminals, they are not required to decrypt your files after you pay, so you may or may not get your information back. Most malware programs also leave a residue of code behind that continues to track your online behavior.

Recently we’ve seen a big change in the encrypting ransomware family and we’re going to shed light on some of the newest variants and the stages of evolution that have led the high profile malware to where it is today. In its first evolution of what we know as Cryptolocker, the encryption key was actually stored on the computer and the victim, with enough effort, could retrieve said key. Then you could use tools submitted on forums to put in your key and decrypt all your data without paying the ransom.

In future iterations, malware authors made sure that the only place the key was stored was on a secure server so that you were forced to pay. In newer variants of Cryptolocker the VSS, or Shadow Volume, is almost always deleted at deployment. Malware authors also give the victim a special extended period of time to get their files if they waited past the deadline, but the price usually doubles or even triples. This threat is ever evolving.

 

How to Prevent Cryptolocker/Ransomware Attacks

There are two main ways to prevent ransomware attacks and to minimize any negative effects of an attack.

The best way to prevent these attacks is to never click on a link that you are not 100% sure is a safe location. This means that you should not visit websites whose authenticity cannot be verified, and which look suspicious. You also should avoid clicking on ad banners and on suspicious “too good to be true” offers and promotions. These links quite often lead to a sham website whose only function is to inject this malware code into your computer. Even with the best of intentions, you may accidentally click on a link which you did not intend.

To avoid this mistake becoming very costly, you should always have a regular backup of your files, and this backup should not be attached to your computer. This will ensure that even if you do have a malware attack you can still have access to all of your files.

As always, the best way to prevent this code from ever infecting your computer is to never click on links you do not trust and not to open attachments in email from anyone you do not trust. This will help to prevent an infection in the first place.

If you ever feel you may be a victim of one of these attacks, immediately disconnect the affected machine from the network by unplugging the Ethernet cord or powering the machine off, even if the ransomware tells you not to.

Posted by: Systems Administrator Jeremy Smario, Green House Data
