By Bev Robb, IT consultant
Ransomware inspires fear in the hearts of those who have experienced its tenacious grip, and curiosity in the souls of those who haven’t.
To pay or not to pay
Over the past few years, malefactors have added yet another sinister twist to the crimeware game — cyber extortion.
End users panic (specifically those who have never backed up their system), while many security experts say “never pay the ransom.” Government entities like the Department of Homeland Security also discourage victims from paying ransom because “paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.”
In struts CryptoWall 3.0
Launched in January of this year, CryptoWall 3.0 (Crowti) is distinct from previous versions because it now utilizes I2P (anonymous peer-to-peer network), simplifying the process while making for a much friendlier user experience. It also provides an easier-than-pie installation in comparison to a novice user attempting to communicate with the attackers via Tor. Another drastic difference that sets CryptoWall 3.0 apart from the rest is that the attackers appear to be highly reliable in returning the victim’s encryption key to unlock the encrypted files — once the ransom is paid.
In a nutshell: CryptoWall 3.0 can be spread by email, an infected website, or the vector of infection may be unknown. But once it gets into your network, it will begin to establish network connections to random command and control (C&C) servers that are hidden on the Tor and I2P anonymous networks. It will then upload all of the workstation system information and generate a random 2048-bit RSA key pair, register the workstation, and copy the public key back to the victim’s computer.
Next, it will copy and encrypt each file on the victim’s computer (the files to be encrypted are predetermined by the C&C file extension list). After each copy is created, it then deletes the original file from the computer. It continues on its merry way until every file has been copied, encrypted, and the original file has been deleted. Once it has run through the predetermined list of extensions (like .pdf, .doc, .png, .JPG) on the computer, it will also attack every mapped network drive, external drive, or USB flash drive until its mission is complete.
Once the encryption process is done, CryptoWall will stop the Volume Shadow Copy Service (VSS) — making your backup and restoration service completely null. On Windows 7 and above it will also stop file versioning and delete the cache. Once all system protection and volume shadow images become disabled, ransomware injects its code into a newly spawned svchost.exe process. The Dell SonicWALL Threats Research team provides a far more technical peek here.
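The behaviours described above (encrypted copy written, original deleted, VSS stopped, a fresh svchost.exe spawned) are exactly what an endpoint detection rule can key on. The following is an added example, not code from the original post or from Dell: it scores constructed, Sysmon-style event lines against those three patterns. The pipe-delimited log format, field names and the deletion threshold are assumptions.

```python
from collections import defaultdict

TARGET_EXT = (".pdf", ".doc", ".png", ".jpg")   # extensions named in the post
MASS_DELETE_THRESHOLD = 5                        # assumed tuning value

def parse(line):
    """Parse 'ts|event|pid|image|parent|target' (constructed format) into a dict."""
    ts, event, pid, image, parent, target = line.split("|")
    return {"ts": int(ts), "event": event, "pid": int(pid),
            "image": image, "parent": parent, "target": target}

def detect(lines):
    """Return (rule, pid) findings for the CryptoWall-style behaviours."""
    findings = []
    deleted = defaultdict(int)   # pid -> deleted originals with a targeted extension
    created = defaultdict(set)   # pid -> new files that process has written
    for ev in map(parse, lines):
        if ev["event"] == "FileCreate":
            created[ev["pid"]].add(ev["target"])
        elif ev["event"] == "FileDelete" and ev["target"].lower().endswith(TARGET_EXT):
            # copy-then-delete: original removed by a process that has written new files
            if created[ev["pid"]]:
                deleted[ev["pid"]] += 1
        elif ev["event"] == "ServiceStop" and ev["target"].upper() == "VSS":
            findings.append(("vss_stopped", ev["pid"]))
        elif (ev["event"] == "ProcessCreate" and ev["image"].lower().endswith("svchost.exe")
              and ev["parent"].lower() != "services.exe"):
            # legitimate svchost.exe is started by services.exe; any other parent is suspect
            findings.append(("svchost_unusual_parent", ev["pid"]))
    for pid, n in deleted.items():
        if n >= MASS_DELETE_THRESHOLD:
            findings.append(("mass_copy_then_delete", pid))
    return findings

# Constructed sample events, not a real capture: pid 4242 is the hypothetical dropper.
SAMPLE = ["1|ProcessCreate|4242|C:\\Users\\bob\\AppData\\Roaming\\abc.exe|explorer.exe|"]
for i in range(5):  # encrypted copy written, then the original removed
    SAMPLE.append(f"{2 + i}|FileCreate|4242|abc.exe||D:\\share\\report{i}.doc.enc")
    SAMPLE.append(f"{2 + i}|FileDelete|4242|abc.exe||D:\\share\\report{i}.doc")
SAMPLE += [
    "8|FileDelete|700|winword.exe||C:\\Users\\bob\\old.doc",   # benign single delete
    "9|ServiceStop|4242|abc.exe||VSS",
    "10|ProcessCreate|5100|C:\\Windows\\System32\\svchost.exe|abc.exe|",
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE):
        print(f"{rule}: pid {pid}")
```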
It leaves instructions, too.
At the root of every directory (that was attacked) these three files will appear:
These miscreants are clever little buggers and exceptionally generous in leaving myriad step-by-step instructions on how to pay out the ransom.
Five hacking generations
Security freelance writer Drew Robb lists five hacking generations in his KnowBe4 whitepaper “Your Money or Your Life Files”:
- Gen One [sneaker-net viruses]: Teenagers sitting in dark, damp basements writing viruses in order to gain notoriety. They just wanted to show the world that they could do it and were relatively harmless.
- Gen Two [malicious viruses and worms]: Students that created malicious-type viruses that spread quickly around the globe (Sasser & NetSky), and were capable of causing multimillion dollar losses. This generation also desired to show off its “elite skills” in order to gain notoriety.
- Gen Three [amateur cybercrime, botnets]: This generation shifted from recognition to remuneration, where easy money became the name of the game. This generation invested in botnets to control thousands of computers to send spam, attack websites, steal identities, and create havoc while indulging in all types of nefarious activities.
- Gen Four [professional cybercrime, rootkits, extortion]: This generation became better organized, hired coders that were capable of creating higher quality malware and introduced malware that could hide itself. This is also the generation that spiked the interest and entrance of traditional mafias.
- Gen Five [underground economy]: Stolen goods and illegal services are now bought and sold, and all the tools of the trade are available for sale. Inexperienced green cybercriminals now have the opportunity to learn the trade and get to work quickly. This underground economy operates just like professional businesses and services do: with social networks, escrow services, along with licensed malware that receives high-end tech support, botnet rental by the hour, and seller reviews.
Undoubtedly, Gen Five will continue to add alarming and sinister twists to the global cyberthreat landscape.
The state of contingency
In overall security planning, leave no stone unturned. The latest variant of crypto-ransomware, CryptoWall 3.0, is a unique threat. This version maliciously encrypts your data and holds it hostage. If you do not have a working backup and you can’t or won’t pay the ransom, your data becomes irrecoverable (like ashes in the wind) and is lost forever.
A layered security approach may be in the best interest of any organization that desires to be proactive — maintaining a reactive approach may be obsolete at this stage in the game.
4 ransomware lessons you need to learn before it snags you
- Backup is crucial: Use more than one backup solution (such as an external drive and cloud storage). After the backup is complete, disconnect external drives and mapped cloud network drives from the ransomware vulnerability chain. Be sure to test backups weekly.
- Use proactive security scanning: Use anti-virus/anti-malware suites that are consistently updated with the latest definitions. Stop malicious process activities; block network connections to malicious sites. Implement ad-blocking and anti-spam filters.
- Increase endpoint security: Read this Enterprise Strategy Group whitepaper (commissioned by RSA Security) on “Rethinking Endpoint Security.”
- Use security awareness training: End users are generally the weakest link. Teach employees about safe Internet practices and how to identify social engineering and spear phishing attacks. Test your employees’ security awareness with in-house phishing attacks and interactive security activities.
Have you been a victim of ransomware? How did you deal with it? Did you have a solid backup or did you pay the ransom? Are there more ransomware lessons to be learned?
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.