Ransomware: there isn’t just one kind to be concerned about – Ransomware Series Part 1

Dec 5, 2016 | Security

In this first installment of the Ransomware series we will look at the different types of attacks. However, as quickly as we learn about existing methods of attack, cyber criminals are already preparing to change the way they attack.

There are two distinct types of ransomware: locker ransomware and encrypting ransomware. Let’s review some terminology first before we start identifying the different types of ransomware that exist today.

  • Ransomware is a form of cyber-attack that takes control of your data in order to extort payment.
  • Bitcoin, PaySafeCard and Ukash are forms of payment favored by cyber criminals because they are hard to trace, which helps the criminals avoid getting caught.
  • Encryption locks up files with a key, so that they cannot be read without it.
  • Decryption unlocks those files with the corresponding key.

What are some examples of Ransomware and what do they actually do?

  1. CryptoLocker, also known as the “Police Virus,” has been around for over a decade and continues to be on the rise. CryptoLocker uses social engineering techniques to trick the user into running it. For instance, you could receive a request to review a file from an email address that looks similar to your organization’s. Commonly this is sent as a ZIP file. Once you open the file, the malware hides itself in the user’s profile under AppData or LocalAppData. It then creates a registry key so that it runs every time the computer starts up. Once it has finished encrypting your files, you will see a popup demanding a ransom.
  2. Locky is typically spread via an email message disguised as an invoice. When opened, the invoice text appears scrambled, and the victim is instructed to enable macros to read the document. Once macros are enabled, Locky begins encrypting a large array of file types using AES encryption.
  3. CryptoWall takes your data hostage using asymmetric encryption, where the decryption key is different from the encryption key and is not stored alongside the encrypted data. This forces victims to pay the thief a ransom for the decryption key that unlocks their data.
  4. Crysis can encrypt files on fixed, removable, and network drives. It uses strong encryption algorithms and a key scheme that makes it difficult to crack within a reasonable amount of time.
  5. zCrypt tries to spread like a virus and can propagate on USB sticks. It can detect important directories and encrypt files that are changed. It scrambles files in a way that makes recovery impossible.
  6. Powerware is aimed at businesses using Microsoft Word and the PowerShell scripting interface. This ransomware’s innovation is that, after persuading the user to enable macros, it hooks into PowerShell to download a malicious script. Because it writes no files to the system, it is very hard to track and recover from.
  7. Petya overwrites the Master Boot Record, causing a blue screen of death and a crash. When the user reboots, instead of the blue screen they see a skull-and-crossbones splash screen requesting payment. This one holds your entire system hostage, making recovery impossible.
  8. Cerber targets cloud-based Office 365 users through phishing campaigns. It evolved this year by terminating database processes and adding random extensions to existing files. You will also receive a Readme.hta note with instructions for paying the ransom. Because it has evolved, it is harder to fix without a restore.
  9. CTB-Locker is delivered through spam campaigns, where the email message pretends to relate to a fax message that needs your immediate attention. When the email is opened you are asked to download a ZIP attachment. The process then encrypts your data, after which you receive a ransom note.
  10. Jigsaw targets Office 365 users, and the infection typically arrives via an email campaign. Once you are infected, the attackers play an audio file telling you that you need to pay up. It gives you instructions, and if you fail to pay, not only has it already begun encrypting your data, it will progressively delete your files until it is paid or your files are gone. There is a deadline, and no extensions are granted.
  11. KeRanger is not widely distributed at this point, but its focus was on Mac OS X applications. Mac OS has long been regarded as virus-free, and KeRanger is the first fully functioning ransomware designed to lock Mac OS X applications. It spread through users who downloaded version 2.90 of Transmission. This ransomware not only encrypts files but also attempts to encrypt the user’s Time Machine backup to prevent additional data-recovery methods.
  12. LeChiffre enters the PC via a malicious download, or via cyber criminals scanning the network, gaining access, and manually running the virus in your environment. Once inside, LeChiffre encrypts files and changes their extension, from .txt, for example, to .txt.LeChiffre. The attackers promise to decrypt all the files in return for bitcoin.
  13. TeslaCrypt is distributed via the Angler exploit kit, and this ransomware targets Adobe vulnerabilities. TeslaCrypt installs itself in the Microsoft temp folder.
  14. Hydracrypt and Umbrecrypt are in the same family, and both mysteriously disappeared in June 2016. They simply encrypt your files and ask for a ransom.
  15. RAA is delivered as a .js file that uses the crypto-js library to embed itself in your system. It deletes the Windows Shadow Copy Service and even drops the Pony password stealer to hunt for credentials. It is easy to spot, since it arrives as a JavaScript attachment.
  16. TorrentLocker, in addition to encrypting files, collects email addresses from the victim’s address book to spread the malware beyond the initially infected computer or network.
  17. ZCryptor is a self-propagating malware strain that exhibits worm-like behavior, encrypting files and also infecting external drives and flash drives so that it can spread to other computers.
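Several of the families above (CryptoLocker most explicitly) persist by dropping an executable under the user's AppData or LocalAppData folder and registering it in a Run key so it starts with Windows. A defender can audit those keys for exactly that pattern. The script below is an added example, not code from the original post or from any of the families described: it parses a listing in the style of `reg query HKCU\...\Run` output (the sample listing is constructed, as are the value names and paths in it) and flags entries whose executable lives under the user profile. Such hits are candidates for review rather than a verdict, because some legitimate software (OneDrive, for instance) also installs under AppData.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the style of `reg query` output. None of these names or
# paths come from the post; "Updater" and "SomeTool" stand in for a persistence
# entry of the kind described for CryptoLocker.
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive        REG_SZ           "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Updater         REG_SZ           C:\Users\alice\AppData\Roaming\Ksjdhf\ksjdhf.exe
    SomeTool        REG_EXPAND_SZ    %LOCALAPPDATA%\Temp\updater.exe -silent
    Vendor Agent    REG_SZ           "C:\Program Files (x86)\Vendor\agent.exe"
"""

# One value line: name, type and data separated by runs of two or more spaces.
_LINE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.+?)\s*$")

# Environment variables that resolve into the user profile (assumed user "_").
_PROFILE_DIRS = {
    "%appdata%": r"c:\users\_\appdata\roaming",
    "%localappdata%": r"c:\users\_\appdata\local",
}


@dataclass
class RunEntry:
    name: str
    reg_type: str
    command: str
    exe_path: str
    suspicious: bool
    reason: str


def extract_exe_path(command: str) -> str:
    """Return the executable portion of a Run value's command line.

    Quoted paths are taken verbatim; otherwise everything up to the first
    '.exe' is used, falling back to the first whitespace-separated token.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def is_profile_path(path: str) -> bool:
    """True when the path sits inside AppData\\Roaming or AppData\\Local."""
    p = path.lower()
    for var, resolved in _PROFILE_DIRS.items():
        p = p.replace(var, resolved)
    return "\\appdata\\roaming\\" in p or "\\appdata\\local\\" in p


def audit_run_key(listing: str) -> List[RunEntry]:
    """Parse a reg-query style listing and flag profile-resident executables."""
    entries: List[RunEntry] = []
    for line in listing.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # key header, blank lines, or anything unrecognised
        exe = extract_exe_path(m.group("data"))
        flagged = is_profile_path(exe)
        reason = "executable lives under the user profile (AppData)" if flagged else ""
        entries.append(RunEntry(m.group("name"), m.group("type"), m.group("data"),
                                exe, flagged, reason))
    return entries


def suspicious_names(listing: str) -> List[str]:
    """Convenience wrapper: value names that warrant a closer look."""
    return [e.name for e in audit_run_key(listing) if e.suspicious]


if __name__ == "__main__":
    for e in audit_run_key(SAMPLE_RUN_KEY):
        tag = "REVIEW" if e.suspicious else "ok    "
        print(f"[{tag}] {e.name:<14} -> {e.exe_path}")
```

On a real host the same parser can be fed the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent); every flagged entry should then be checked against the file's publisher signature and install history before it is treated as malicious.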

Should you pay the Ransom?

Paying the ransom is like trusting a known thief to hold your wallet and not take your money. These are cyber criminals who steal your information and sell it on the black market. They are not going to give you your files back. Some victims may have been lucky, paid the ransom and received their files back, but here is the reality: there is no guarantee. So if you are thinking about paying them, you might want to use a prepaid card, sign up for a credit monitoring service, and hope they actually deliver your files. There are other ways to protect yourself against an infection and to aid in remediation when an infection occurs.

If you want to learn more about how to protect yourself against ransomware, check out our Ransomware Blog Series every month, or contact our Security Services at info@peters.com for a complimentary consultation.