503-359-1275
 
Tag Archives: The Business Guide To Ransomware

The Business Guide to Ransomware, Part 3

The Business Guide to Ransomware, Part 3, is our third post in this series of defensive information you need to know that will absolutely save your company if you are one of the unfortunate ones forced into finding backup copies of your database after you’ve been successfully attacked. This truly is critical information for all companies that depend upon access to the data that runs all businesses.

COMMON TYPES OF RANSOMWARE

As we’ve noted in previous posts, ransomware is constantly evolving and new variants are appearing all the time. So, it would be difficult, if not impossible, to compile a list of every type of ransomware proliferating today. While the following is not a complete list of today’s ransomware, it gives a sense of the major players and the variety in existence.

CryptoLocker

Ransomware has been around in some form or another for the past two decades, but it really came to prominence in 2013 with CryptoLocker. The original CryptoLocker botnet was shut down in May 2014, but not before the hackers behind it extorted nearly $3 million from victims. Since then, the CryptoLocker approach has been widely copied, although the variants in operation today are not directly linked to the original. The word CryptoLocker, much like Xerox and Kleenex in their respective worlds, has become almost synonymous with ransomware. CryptoLocker is distributed via exploit kits and spam. When the malware is run, it installs itself in the Windows User Profiles folder and encrypts files across local hard drives and mapped network drives. It only encrypts files with specific extensions, including Microsoft Office, OpenDocument, images and AutoCAD files. Once the dirty work is done, a message informing the user that files have been encrypted is displayed on said user’s screen demanding a Bitcoin payment.

CryptoWall

CryptoWall gained notoriety after the downfall of the original CryptoLocker. It first appeared in early 2014, and variants have appeared with a variety of names, including: Cryptorbit, CryptoDefense, CryptoWall 2.0 and CryptoWall 3.0, among others. Like CryptoLocker, CryptoWall is distributed via spam or exploit kits. The initial version of CryptoWall used an RSA public encryption key but later versions (including the latest CryptoWall 3.0) use a private advanced encryption standard (AES) key, which is further masked using a public AES key. When the malware attachment is opened, the CryptoWall binary copies itself into the Microsoft temp folder and begins to encode files. CryptoWall encrypts a wider variety of file types than CryptoLocker but, when encryption is complete, also displays a ransom message on a user’s screen demanding payment.

CTB-Locker

The criminals behind CTB-Locker take a different approach to virus distribution. Taking a page from the playbooks of Girl Scout Cookies and Mary Kay Cosmetics, these hackers outsource the infection process to partners in exchange for a cut of the profits. This is a proven strategy for achieving large volumes of malware infections at a faster rate. When CTB-Locker runs, it copies itself to the Microsoft temp directory. Unlike most forms of ransomware today, CTB-Locker uses Elliptic Curve Cryptography (ECC) to encrypt files. CTB-Locker impacts more file types than CryptoLocker. Once files are encrypted, CTB-Locker displays a ransom message demanding payment in, you guessed it, Bitcoins.

Locky

Locky is a relatively new type of ransomware, but its approach is familiar. The malware is spread using spam, typically in the form of an email message disguised as an invoice. When opened, the invoice is scrambled, and the victim is instructed to enable macros to read the document. When macros are enabled, Locky begins encrypting a large array of file types using AES encryption. Bitcoin ransom is demanded when encryption is complete. Are you sensing a pattern here? The spam campaigns spreading Locky are operating on a massive scale. One company reported blocking five million emails associated with Locky campaigns over the course of two days.

TeslaCrypt

TeslaCrypt is another new type of ransomware on the scene. Like most of the other examples here, it uses an AES algorithm to encrypt files. It is typically distributed via the Angler exploit kit specifically attacking Adobe vulnerabilities.

TeslaCrypt installs itself in the Microsoft temp folder. When the time comes for victims to pay up, TeslaCrypt gives a few choices for payment: Bitcoin, PaySafeCard and Ukash are accepted here. And who doesn’t love options?

TorrentLocker

TorrentLocker is typically distributed through spam email campaigns and is geographically targeted, with email messages delivered to specific regions. TorrentLocker is often referred to as CryptoLocker, and it uses an AES algorithm to encrypt file types. In addition to encoding files, it also collects email addresses from the victim’s address book to spread malware beyond the initially infected computer/network; this is unique to TorrentLocker. TorrentLocker uses a technique called process hollowing, in which a Windows system process is launched in a suspended state, malicious code is installed, and the process is resumed. It uses explorer.exe for process hollowing. This malware also deletes Microsoft Volume Shadow Copies to prevent restores using Windows file recovery tools. Like the others outlined above, Bitcoin is the preferred currency for ransom payment.
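The behaviors described above (executables installed in the user profile or temp folder, explorer.exe used for process hollowing, and Volume Shadow Copy deletion) can each be checked for in process-creation logs. The following is an added example, not part of the original post; the event layout, rule names and sample records are constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Constructed process-creation records: (parent image, image, command line).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\userinit.exe", r"C:\Windows\explorer.exe", "explorer.exe"),
    (r"C:\Program Files\Office\WINWORD.EXE",
     r"C:\Users\pat\AppData\Local\Temp\inv_4471.exe", "inv_4471.exe"),
    (r"C:\Users\pat\AppData\Local\Temp\inv_4471.exe",
     r"C:\Windows\explorer.exe", "explorer.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin.exe Delete Shadows /All /Quiet"),
    (r"C:\Windows\System32\services.exe", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin list shadows"),
    (r"C:\Windows\explorer.exe", r"C:\Program Files\Backup\agent.exe", "agent.exe --run"),
]

# A temp directory anywhere in the path, or a file directly in a profile root.
USER_WRITABLE = re.compile(r"\\temp\\|^[a-z]:\\users\\[^\\]+\\[^\\]+$", re.I)
# Shadow copy deletion through vssadmin or wmic.
SHADOW_DELETE = re.compile(
    r"vssadmin\S*\s+.*delete\s+shadows|wmic\S*\s+.*shadowcopy\s+.*delete", re.I)


def classify(parent, image, cmdline):
    """Return the names of the rules one process-creation event triggers."""
    hits = []
    if USER_WRITABLE.search(image):
        hits.append("exe_in_temp_or_profile")
    # A hollowed explorer.exe keeps its normal name and path, so key on the parent.
    if basename(image).lower() == "explorer.exe" and USER_WRITABLE.search(parent):
        hits.append("explorer_started_from_temp")
    if SHADOW_DELETE.search(cmdline):
        hits.append("shadow_copy_delete")
    return hits


def scan(events):
    """Return (index, image, hits) for each event that triggers a rule."""
    results = []
    for i, (parent, image, cmdline) in enumerate(events):
        hits = classify(parent, image, cmdline)
        if hits:
            results.append((i, image, hits))
    return results


if __name__ == "__main__":
    for idx, image, hits in scan(SAMPLE_EVENTS):
        print(idx, image, ", ".join(hits))
```

Process-creation records do not show that a process was started suspended, so the explorer.exe rule only flags an unusual parent and should be treated as a lead for investigation rather than proof of hollowing.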

KeRanger

According to ArsTechnica, KeRanger ransomware was recently discovered on a popular BitTorrent client. KeRanger is not widely distributed at this point, but it is worth noting because it is known as the first fully functioning ransomware designed to lock Mac OS X applications.

 So what’s next?

In our next post, Part 4, we’ll continue this series on the Business Guide To Ransomware by sharing how to protect your business from a ransomware attack.

In the meantime, if you would like more information on Data Backup and Disaster Recovery, download your Free Business Advisory Guide Here.

Don’t worry about some sales guy calling you from our office because you downloaded information off of our website. No one from our office will call you; I promise. We don’t like sales calls any more than you do! We understand if you’re not ready to do that, and if that’s the case, then just read these posts when they come out. We post on a regular schedule.

If you would like to chat about this, or anything, call us at 503.359.1275.

Dedicated to your success,
Wally Moore
dts|infotech  . . . computer networks that work      

www.dtsinfotech.com

503.359.1275

 

The Business Guide to Ransomware, Part 2

The Business Guide to Ransomware, Part 2, is our second post in this series of defensive information you need to know that will absolutely save your company if you are one of the unfortunate ones forced into finding backup copies of your database after you’ve been successfully attacked. This truly is critical information for all companies that depend upon access to the data that runs all businesses.

How Ransomware is spread

Spam is the most common method for distributing ransomware. It is generally spread using some form of social engineering; victims are tricked into downloading an email attachment or clicking a link. Fake email messages might appear to be a note from a friend or colleague asking a user to check out an attached file, for example. Or, email might appear to come from a trusted institution (such as a bank) asking you to perform a routine task. Sometimes, ransomware uses scare tactics such as claiming that the computer has been used for illegal activities to coerce victims. Once the user takes action, the malware installs itself on the system and begins encrypting files. It can happen in the blink of an eye with a single click.

Another common method for spreading ransomware is a software package known as an exploit kit. These packages are designed to identify vulnerabilities and exploit them to install ransomware. In this type of attack, hackers install code on a legitimate website that redirects computer users to a malicious site. Unlike the spam method, sometimes this approach requires no additional actions from the victim. This is referred to as a “drive-by download” attack. The most common exploit kit in use today is known as Angler. A May 2015 study conducted by security software vendor Sophos showed that thousands of new web pages running Angler are created every day. The Angler exploit kit uses HTML and JavaScript to identify the victim’s browser and installed plugins, which allows the hacker to select an attack that is the most likely to be successful. Using a variety of obfuscation techniques, Angler is constantly evolving to evade detection by security software products. Angler is just one exploit kit; there are a variety of others in use today as well. Spam botnets and exploit kits are relatively easy to use, but require some level of technical proficiency. However, there are also options available for aspiring hackers with minimal computer skills. According to McAfee, there are ransomware-as-a-service offerings hosted on the Tor network, allowing just about anyone to conduct these types of attacks.

In our next post, Part 3, we’ll continue this series on the Business Guide To Ransomware by introducing you to the common types of ransomware.
