Holiday Hackers

The holidays are traditionally a season to enjoy time with friends and family, to exchange gifts, and to cheerily overindulge in food and drink. Unfortunately, there are Grinches out there who will do everything they can to spoil your holidays with ransomware and other threats.

Ransomware has become one of the most widespread and damaging threats that Internet users face. Since the infamous CryptoLocker first appeared in 2013, we’ve seen a new era of file-encrypting ransomware variants delivered through spam messages and exploit kits, extorting money from home users and businesses alike.

The current wave of ransomware families traces its roots back to the early days of fake antivirus, through Locker variants and finally to the file-encrypting variants that are prevalent today. Each distinct category of malware has shared a common goal – to extort money from victims through social engineering and outright intimidation.

Once all the files are encrypted, the ransomware displays ransom notes that give instructions on how to make payment. The text is hardcoded in the binary itself, and the ransomware adds generated Tor links and a user-specific ID to it. The identifier, generated by the command and control server, is unique to the infected user and is used to identify the user's machine.

The same ransom demand text is written into several files with “DECRYPT_INSTRUCTIONS” in their file names, and is displayed in three different applications – the web browser, a text file and a png in the image viewer, as shown in the figures below.

Ransom message
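
A sweep for the ransom-note files described above, as an added example that is not part of the original article: it walks a directory tree, matches the DECRYPT_INSTRUCTIONS marker case-insensitively, and reports which directories hold the browser, text and image copies. The extension-to-viewer mapping and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path

MARKER = "DECRYPT_INSTRUCTIONS"  # file-name marker named in the text above

# Assumption: extension -> application the note opens in. The article only says
# "web browser, a text file and a png"; the .html/.htm mapping is a guess.
VIEWER_BY_EXT = {".html": "browser", ".htm": "browser",
                 ".txt": "text", ".png": "image"}

def find_ransom_notes(root):
    """Map each directory under root to the set of note kinds found in it."""
    hits = defaultdict(set)
    # os.walk silently skips directories it cannot read (onerror=None)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if MARKER.lower() in name.lower():
                ext = Path(name).suffix.lower()
                hits[dirpath].add(VIEWER_BY_EXT.get(ext, "other"))
    return dict(hits)

def triage(hits):
    """Split hits into directories with all three note kinds and partial matches."""
    full = {"browser", "text", "image"}
    confirmed = sorted(d for d, kinds in hits.items() if full <= kinds)
    partial = sorted(d for d, kinds in hits.items() if not full <= kinds)
    return confirmed, partial

def build_sample_tree(base):
    """Constructed sample data: one directory with the full note set, one partial."""
    docs = Path(base, "Documents"); docs.mkdir()
    pics = Path(base, "Pictures"); pics.mkdir()
    Path(base, "Clean").mkdir()
    for n in ("DECRYPT_INSTRUCTIONS.html", "decrypt_instructions.TXT",
              "DECRYPT_INSTRUCTIONS.png", "report.docx"):
        (docs / n).write_text("constructed sample")
    (pics / "DECRYPT_INSTRUCTIONS.txt").write_text("constructed sample")
    return str(docs), str(pics)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        confirmed, partial = triage(find_ransom_notes(tmp))
        print("full note set:", confirmed, "| partial match:", partial)
```

A directory holding all three copies is a strong sign that encryption ran there; a partial match is still worth a manual look.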

Protection

NetWorks uses Sophos solutions to protect against CryptoWall and other ransomware and malware attacks.

If you suspect you’ve been compromised by ransomware, you can remove the malware using Sophos’ Free Virus Removal Tool. Sadly, there’s not much you can do to get your files back except to pay the ransom – the encryption is too strong to crack.

Apart from keeping your antivirus up to date, there are additional system changes a user can apply to help prevent or disarm ransomware infections.

1. Back up your files.

The best way to ensure you do not lose your files to ransomware is to back them up regularly. Storing your backup separately is also key – as discussed, some ransomware variants delete Windows shadow copies of files as a further tactic to prevent your recovery, so you need to store your backup offline.

2. Apply Windows and other software updates regularly.

Keep your system and applications up to date. This gives you the best chance of avoiding exploitation through drive-by download attacks and software vulnerabilities (particularly in Adobe Flash, Microsoft Silverlight, web browsers, etc.), which are known for installing ransomware.

3. Avoid clicking untrusted email links or opening unsolicited email attachments.

Most ransomware arrives via spam email, either through links that the recipient clicks or as attachments. A good email anti-virus scanner will also proactively block compromised or malicious website links or binary attachments that lead to ransomware.

4. Disable ActiveX content in Microsoft Office applications such as Word, Excel, etc.

We’ve seen many malicious documents that contain macros which can further download ransomware silently in the background.

5. Install a firewall, block Tor and I2P, and restrict to specific ports.

Preventing the malware from reaching its call-home server via the network can disarm an active ransomware variant. As such, blocking connections to I2P or Tor servers via a firewall is an effective measure.

6. Disable remote desktop connections.

Disable remote desktop connections if they are not required in your environment, so that malicious authors cannot access your machine remotely.

7. Block binaries running from %APPDATA% and %TEMP% paths.

Most of the ransomware files are dropped and executed from these locations, so blocking execution would prevent the ransomware from running.

Don’t get caught with this screen this Christmas!

Our partner, SophosLabs, has published new research examining the recent evolution in file-encrypting ransomware, in their paper titled The Current State of Ransomware. They look at the most prevalent variants including CryptoWall, TorrentLocker, CTB-Locker and TeslaCrypt – as well as more obscure variants that employ novel or interesting techniques.
