"Good Afternoon.  This is Your Fake AV Calling."

by lg0p89

Background

Early in the summer of 2013, my wife's son called for his mother.  He noted that the computer said there was a problem.  Naturally, we went to see what the issue was.  After heading downstairs, the laptop screen showed a rectangle with flashing lights in the lower right-hand corner stating the app was running a scan.  Also, there was an attention-grabbing banner warning that the computer was infected and immediate action was required to fix the issue.  All you had to do was just click on the yellow warning sign, which just happened to be next to the bar scrolling through all of the viruses allegedly found on the computer, along with the malware and porn.  Oh, and by the way, yes, there was a fee involved to fix this.  Nothing in life is free.

The young family member was a victim of ransomware.  Of course, he denied clicking on anything he was not supposed to or visiting any adult-oriented websites.  The computer was not chock-full of malware, viruses, and porn.  Somewhere along the way, the computer had been infected with ransomware.  Prior to this, his mother elected to ignore my repeated requests to renew and update the Anti-Virus (AV) package as the expiration was quickly approaching.  How does the quote go regarding a horse and water?

Definition

Ransomware is a form of malware.  There are two primary types of ransomware.  Once the system is infected, the malware either locks the system so that the user cannot access their files or programs, or encrypts the user's system so that a password is needed to open and access it.  This has also been known as scareware.  (Russinovich, 2013)

General Operations

The bottom line of this attack is to force the user into believing their system is totally infected and has to be cleaned immediately.

The user, for example, does an Internet search.  There is a site listed that looks intriguing and "exciting."  The user clicks on the site, not knowing it is not remotely what it appears to be.  Immediately, the ransomware is installed as a registry entry.  Until cleaned, every time the user starts or restarts the system, the warning as described earlier comes up.  This warning may be a pop-up window, a new website page, or another form that appears legitimate.  The ransomware may lock up your system and/or files (Zorz, 2013) until you pay up.  (Leyden, 2013)
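The registry entry that relaunches the fake AV at every startup is the part a defender can go looking for.  The following is an added example, not code from the article: it audits the standard Run/RunOnce autorun keys and flags any entry whose program lives in a user-writable folder or no longer exists on disk.  It assumes an elevated PowerShell prompt on the Windows host being checked; the folder list and the Get-AutorunEntries name are the example's own choices.

```powershell
# Added example (not from the article): audit the Run/RunOnce autorun keys that
# fake-AV ransomware uses to come back at every logon, and flag suspicious entries.
# Assumption: run in an elevated PowerShell session on the host being examined.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders a legitimate installer rarely uses for a startup program but a
# drive-by dropper almost always does (assumed list; extend for your estate).
$suspiciousRoots = @(
    [Environment]::GetFolderPath('LocalApplicationData'),
    [Environment]::GetFolderPath('ApplicationData'),
    [IO.Path]::GetTempPath(),
    "$env:USERPROFILE\Downloads"
)

# Properties Get-ItemProperty adds that are not real registry values
$psMetadata = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($psMetadata -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
            # Executable is either the quoted path or the first whitespace-delimited token
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            # A bare name such as rundll32.exe resolves through PATH rather than a literal path
            $found = (Test-Path -LiteralPath $exe) -or ($null -ne (Get-Command $exe -ErrorAction SilentlyContinue))
            $inUserDir = $false
            foreach ($root in $suspiciousRoots) {
                if ($exe -like "$root*") { $inUserDir = $true; break }
            }
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Executable = $exe
                Exists     = $found
                Suspicious = $inUserDir -or -not $found
            }
        }
    }
}

Get-AutorunEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A flagged entry is a lead, not a verdict: confirm the file's publisher and hash before removing the value, and remember that the same relaunch trick can also be set up through scheduled tasks and the Startup folder, which this script does not cover.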

People generally are so stressed out that they just pay and hope they get their system back.  That is a bad idea.  Now they have your credit card number and access to your computer.  They may continue to demand money, much like a shark smelling blood in the water.  Good times are going to follow.  The better route is to have this fixed by a professional.

The warning may also state, in order to elicit a quicker response, that illegal activities have been detected coming from your system.  This notice feeds into the person's worries and concerns.

Although technology has improved over the years by leaps and bounds (thank you Moore's Law), the method and look of ransomware have not changed much since 2006.  The new improvement on the malware lately is with the lockout function.  (Russinovich, 2013)

Specialty Add-On

Not all of these are the same.

Granted, there is a generic framework that is common.  As an example, a seemingly genuine, legitimate website or pop-up shows on your screen.  This looks just like the MS or other AV service provider warning.  This states you have to take immediate steps to fix the issue.

For fun and excitement (for them), the ransomware engineers have added a menacing voice to the application.  Imagine the noob turning on their laptop.  The warning pop-up appears listing all of the horrific things that can happen or have happened to the computer.  To increase the user's anxiety and the probability they will pay, the threat of imminent loss of the family's pictures and information, which will not be retrievable if they don't get this fixed immediately, is added.  Their firm will just happen to fix it right now for them for the reasonable price of $xx.xx.

Now (here is the fun part), add in the deep, authoritarian voice (think Darth Vader) telling the user everything they have been reading.

Avoiding the Issue

When the user's system is infected, this is potentially a traumatic and stressful experience.

There are ways to avoid most of the risk.  The users should ensure the AV definitions are up to date.  These should be updated frequently.  For myself, every time the laptop is turned on the definitions are updated.  This only takes two or three minutes at the most, and decreases the risk to the user.  As this is being typed, the definition update took all of 45 seconds.  The inconvenience to the user in this case is not significant.

The firewall should be left on at all times.  This should not be turned off.  There really is not a significant point to not having this on.  This will provide an additional layer of protection, above the user's knowledge of what not to do to get in trouble in the first place.

If you are receiving emails from UPS or FedEx - along with 30 others in the same email - telling you to open an attachment to claim an undeliverable package, don't open it.  The user should not open an email or attachment that looks to be suspicious.  Too often at work, one of the users receives one of these emails and opens the attachment.  If you do, you probably will have a bad day after IT is alerted to this.  The sysadmin will not be happy four hours later after scanning your system and trying to fix it, only to later ghost the template image onto your system.

Also, scan your system regularly.  This is not harmful and may slow down the system temporarily, but it will still be workable.
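The three habits this section asks for (current definitions, firewall on, regular scans) can be checked rather than remembered.  The following is an added example, not code from the article: it reads the Windows Defender and firewall state and reports which of the three has drifted.  It assumes Windows 8.1 or later with Windows Defender and the Defender and NetSecurity PowerShell modules available, run from an elevated prompt; the age thresholds are the example's own assumptions.

```powershell
# Added example (not from the article): report whether the controls the article
# recommends are actually in place on this machine.
# Assumptions: Windows Defender is the AV; Defender and NetSecurity modules are present.

$maxDefinitionAgeDays = 1   # assumed: definitions older than a day count as stale
$maxScanAgeDays       = 7   # assumed: "scan regularly" interpreted as weekly

$status   = Get-MpComputerStatus
$profiles = Get-NetFirewallProfile

$findings = @()

if ($status.AntivirusSignatureAge -gt $maxDefinitionAgeDays) {
    $findings += "AV definitions are $($status.AntivirusSignatureAge) day(s) old (last updated $($status.AntivirusSignatureLastUpdated))"
}
if (-not $status.RealTimeProtectionEnabled) {
    $findings += 'Real-time protection is disabled'
}
foreach ($p in $profiles) {
    # Enabled is a GpoBoolean (True/False), so compare by name rather than with -not
    if ($p.Enabled -ne 'True') { $findings += "Firewall is OFF for the $($p.Name) profile" }
}
# Age fields are huge when no scan has ever run, so this branch also catches "never scanned"
if ($status.QuickScanAge -gt $maxScanAgeDays -and $status.FullScanAge -gt $maxScanAgeDays) {
    $findings += "No quick or full scan in the last $maxScanAgeDays days"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: definitions current, real-time protection on, firewall on for all profiles, recent scan found'
} else {
    $findings | ForEach-Object { Write-Output "WARN: $_" }
    # Safe to run unattended: refresh definitions and start a quick scan.
    # Firewall profiles are deliberately left for a person to re-enable.
    Update-MpSignature
    Start-MpScan -ScanType QuickScan
}
```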

Conclusion

Ransomware can be a significant pain to everyone involved.

Users need to understand not to click on anything suspicious.  If something seems too good to be true or does not make sense, it is, and it probably does not.  If the user does slip up, don't pay the deviants who infected your system.  It will only lead to more fruitless payments, stress, pain, and yet more data loss.

There are ways to lessen the risk to the users from this.

References
