
Thursday, May 19, 2016

Ransomware | A Growing Menace | Do's and Don'ts

Definition: Ransomware is a type of malware that is covertly installed on a computer without the user's knowledge or consent, restricts access to the infected system in some way, and demands that the user pay a ransom to the malware operators to lift the restriction. Some ransomware encrypts files (the CryptoLocker family); other ransomware uses TOR to hide its C&C communications (the CTB Locker family).

How Ransomware Works

Ransomware can be installed on a computer in many ways, but the most common to date has been through web exploits and drive-by downloads. Some ransomware is also delivered as an attachment to spammed email.

In a typical drive-by download, the user browses to a website (in the case of ransomware, these websites tend to be pornographic in nature). The attacker has inserted a hidden iFrame, a special redirect, into this website. This redirection causes the user's browser to silently connect to a second website hosting an exploit pack. Exploit packs contain multiple different exploits which, if the computer is not fully patched, cause the browser to download a file (the malware).

After the file has been downloaded, it is executed. The ransomware then proceeds to disable the computer by blocking the execution of various programs. A ransom is then demanded in the appropriate language, using images of the local police. Localization of the content is performed by geo-locating the user's IP address through an online service, which tells the ransomware where the compromised computer is located. These geo-location services are usually not associated with the attackers but are freely available. The figure shows an example of a single Trojan with several different localized ransomware messages.



Once the ransomware has determined what country it is in, it sends that data to its command-and-control (C&C) server. The server then responds with the appropriate ransom message, written in the local language and carrying police images from that country. This kind of malware is known as Reveton.

The victim purchases an electronic payment PIN and enters that number into the box provided. The ransomware sends this payment PIN to a C&C server, where the attackers can retrieve it. At this point, the attackers should honour their promise and send a command telling the ransomware to uninstall itself. Unfortunately, this rarely happens. In actuality, many ransomware variants do not even contain the code to uninstall themselves. All the attackers care about is obtaining the payment PIN.

Ransomware is evolving rapidly: newer variants now encrypt files in addition to locking the system. This ensures that users will still pay up even if the malware itself is deleted. This new type of ransomware was dubbed "CryptoLocker" because of this behaviour.

CryptoLocker encrypts files using a combination of the AES and RSA algorithms. RSA is asymmetric-key cryptography, which means it uses two keys: one key encrypts the data and another decrypts it. (One key is made available to any outside party and is called the public key; the other is kept by the owner and is called the private key.) AES uses symmetric keys, i.e. the same key is used to encrypt and decrypt information.

The malware uses an AES key to encrypt the files. The AES key needed for decryption is written into the files encrypted by the malware, but that key is itself encrypted with an RSA public key embedded in the malware, which means the matching private key is needed to recover it. Unfortunately, that private key is not available to the victim.

CryptoLocker propagates through spam mail. This kind of ransomware is quite common nowadays and has been observed in many well-known industries as well.

Do's
• Back up your files regularly.
• Apply software patches as soon as they become available; some ransomware arrives via vulnerability exploits.
• Bookmark trusted websites and access them via those bookmarks.
• Download email attachments only from trusted sources.
• Scan your system regularly with anti-malware software.



Don’ts

• Do not open unsolicited mails.
• Never ever pay the ransom. Paying the ransom does not guarantee that you will get your files back; in fact, paying encourages criminals to extort more money from you.
• Do not visit untrusted websites.