Ransomware: Still Active and Looking for Victims/Volunteers

by lg0p89

There have been many articles over the last few years concerning ransomware.  Of late, the furor has started to die down.  There simply has not been the same abundance of press or research articles on this topic.

What Is Old Is New Again!

Attackers, simply due to human nature, tend to either exploit new vulnerabilities or, alternatively, to recycle old methods.

The targets still have the data, money, and other information they are looking for.  A recent example occurred in February of 2015.  There was a local chiropractor's office.  The office manager visited a website, as she had done so many times before.  This website had local news and advertisements, just like so many others.  As she was reading through the stories, she clicked on a pretty picture for another news story.  The office closed, the workstation was shut down for the evening, and the staff went home for the night.

The next day arrived, just like so many other days.  She logged in and saw a message across her screen that said: "Warning!  Your files have been encrypted!"  She had 72 hours to make a payment with Bitcoin, Ukash, Paysafe Card, or MoneyPak.  The cost for the decryption key was one bitcoin.

With this, the choice had to be made to either pay the fee or to ignore this and recreate the data from the last backup.  The chiropractor's office elected not to pay.  So many things can and generally do go wrong when paying.  They may pay once and receive the key.  Generally, it does not go this smoothly.  The office probably would have paid once, not received the key, and then would have had to pay again.

Unfortunately, the office did not regularly back up their system.  In fact, it had been over six months since the last time.  Fortunately, they had their year-end data done and sent to the accountant for the tax returns.  The secretary only had to recreate nearly two months of data from the files.  This wasn't as precise as the original data, but all things considered, it was reasonably close.

Targets

Originally, this attack was focused on consumers.  They were easy to phish using, for instance, a well-crafted email.  The attackers have become more flexible: the attacks are becoming more varied (quasi-XSS in addition to email alone), hitting more targets (not limited in number), and also focusing on businesses.  With businesses, the attackers are also not focusing on one specific sector.  They are also not limited geographically, as there are victims from Michigan to Los Angeles.

As noted, this has not been limited to either consumers or a specific industry.  The Swedesboro-Woolwich School District in New Jersey was also a victim.  In March of 2015, their servers were encrypted.  The ransom for the key was 500 bitcoins.  Although the bitcoin value does fluctuate, 500 bitcoins is still a significant amount.  The school district was not going to pay the fee, but instead was working to restore the files.  In the interim, they were reduced to working with pens and paper.  The FBI and Department of Homeland Security got involved.

Also, in December of 2014, the Tewksbury (Massachusetts) Police Department was a victim of this.  They ended up paying the $500 ransom in bitcoins.

How These Work

Unfortunately, this is a very simple process and does not take an expert in computer science to implement.  There are three primary versions of this attack.  One is the phishing email with a malicious link.  This avenue may state there is an "Incoming Fax Report" as the hook.  The file clicked on has the malware and, before the user knows it, the plan is set in motion.

Another version involves the user visiting a compromised website.  Simply clicking on the website or on one of the pictures on the website infects their system.  A third variation would be the user clicking on a pop-up window.

The user's machine (or, worse yet, servers) becomes infected immediately after the unintended encounter.  The affected computer and/or servers are then encrypted.  The attackers may infect a few files or the entirety of the hard drive or servers.  The extent they are willing to go with this depends on the files.  If a file or set of files appears to be vital to the business, they may encrypt everything.  This may include payroll or medical records.  For simpler items that hold more sentimental value, the attackers would probably only encrypt small portions of the target.

The user may not find out until the next day when they log in.  The user would get the warning message and their heart would skip a beat.  The attackers would then demand a varying number of bitcoins to provide the decryption key.  There have been different versions of the malware noted in the wild.  It would not be likely to have only one variant, given the number of malicious programmers and the different targets.

Lessons Learned

Generally, it is not advisable to pay the ransom, per the FBI and many others.  After the initial payment, they may or may not provide the key, which can translate into a very bad day.  Much of the prevention itself lies in education of the users.  If an email looks too good to be true, it probably is.  There is still no free lunch.  As there continue to be more infections, each offers an opportunity to teach the users.  This is much like becoming immunized at the doctor's office.

There are also a number of best practices to implement at the home and/or workplace.  One item to consider is regularly ensuring the users' systems are up to date.  They should not be clicking on pop-up windows or visiting questionable websites.  If the user receives an email that was not expected, and/or looks suspicious and has an attachment, it probably is malware.  Social networks can also be used to spread the malware.  The users need to regularly back up their systems.

These incidents can be used as a learning tool to further minimize these issues.