Crypto Ransomware


  • Crypto Ransomware

    NCCIC / US-CERT

    National Cyber Awareness System:

    TA14-295A: Crypto Ransomware [https://www.us-cert.gov/ncas/alerts/TA14-295A]
    10/22/2014 05:28 PM EDT Original release date: October 22, 2014

    Systems Affected

    Microsoft Windows

    Overview

    Ransomware is a type of malicious software (malware) that infects a computer
    and restricts access to it until a ransom is paid to unlock it. This Alert
    is the result of Canadian Cyber Incident Response Centre (CCIRC) analysis in
    coordination with the United States Department of Homeland Security (DHS) to
    provide further information about crypto ransomware, specifically to:


    * Present its main characteristics, explain the prevalence of ransomware,
    and the proliferation of crypto ransomware variants; and
    * Provide prevention and mitigation information.

    Description

    WHAT IS RANSOMWARE?

    Ransomware is a type of malware that infects a computer and restricts a
    user’s access to the infected computer. This type of malware, which has now
    been observed for several years, attempts to extort money from victims by
    displaying an on-screen alert. These alerts often state that their computer
    has been locked or that all of their files have been encrypted, and demand
    that a ransom is paid to restore access. This ransom is typically in the
    range of $100–$300 dollars, and is sometimes demanded in virtual currency,
    such as Bitcoin.

    Ransomware is typically spread through phishing emails that contain
    malicious attachments and drive-by downloading. Drive-by downloading occurs
    when a user unknowingly visits an infected website and malware is downloaded
    and installed without their knowledge. Crypto ransomware, a variant that
    encrypts files, is typically spread through similar methods, and has been
    spread through Web-based instant messaging applications.

    WHY IS IT SO EFFECTIVE?

    The authors of ransomware instill fear and panic into their victims, causing
    them to click on a link or pay a ransom, and inevitably become infected with
    additional malware, including messages similar to those below:


    * “Your computer has been infected with a virus. Click here to resolve the
    issue.”
    * “Your computer was used to visit websites with illegal content. To
    unlock your computer, you must pay a $100 fine.”
    * “All files on your computer have been encrypted. You must pay this
    ransom within 72 hours to regain access to your data.”

    PROLIFERATION OF VARIANTS

    In 2012, Symantec, using data from a command and control (C2) server of
    5,700 computers compromised in one day, estimated that approximately 2.9
    percent of those compromised users paid the ransom. With an average ransom
    of $200, this meant malicious actors profited $33,600 per day, or $394,400
    per month, from a single C2 server. These rough estimates demonstrate how
    profitable ransomware can be for malicious actors.

    This financial success has likely led to a proliferation of ransomware
    variants. In 2013, more destructive and lucrative ransomware variants were
    introduced including Xorist, CryptorBit, and CryptoLocker [
    https://www.us-cert.gov/ncas/alerts/TA13-309A ]. Some variants encrypt not
    just the files on the infected device but also the contents of shared or
    networked drives. These variants are considered destructive because they
    encrypt user’s and organization’s files, and render them useless until
    criminals receive a ransom.

    Additional variants observed in 2014 included CryptoDefense and Cryptowall,
    which are also considered destructive. Reports indicate that CryptoDefense
    and Cryptowall share the same code, and that only the name of malware itself
    is different. Similar to CryptoLocker, these variants also encrypt files on
    the local computer, shared network files, and removable media.

    LINKS TO OTHER TYPES OF MALWARE

    Systems infected with ransomware are also often infected with other malware.
    In the case of CryptoLocker, a user typically becomes infected by opening a
    malicious attachment from an email. This malicious attachment contains
    Upatre, a downloader, which infects the user with GameOver Zeus [
    https://www.us-cert.gov/ncas/alerts/TA14-150A ]. GameOver Zeus is a variant
    of the Zeus Trojan that steals banking information and is also used to steal
    other types of data. Once a system is infected with GameOver Zeus, Upatre
    will also download CryptoLocker. Finally, CryptoLocker encrypts files on the
    infected system, and requests that a ransom be paid.

    The close ties between ransomware and other types of malware were
    demonstrated through the recent botnet disruption operation against GameOver
    Zeus, which also proved effective against CryptoLocker. In June 2014, an
    international law enforcement operation successfully weakened the
    infrastructure of both GameOver Zeus and CryptoLocker.

    Impact

    Ransomware doesn’t only target home users; businesses can also become
    infected with ransomware, which can have negative consequences, including:


    * Temporary or permanent loss of sensitive or proprietary information;
    * Disruption to regular operations;
    * Financial losses incurred to restore systems and files; and
    * Potential harm to an organization’s reputation.

    Paying the ransom does not guarantee the encrypted files will be released;
    it only guarantees that the malicious actors receive the victim’s money, and
    in some cases, their banking information. In addition, decrypting files does
    not mean the malware infection itself has been removed.

    Solution

    Infections can be devastating to an individual or organization, and recovery
    can be a difficult process that may require the services of a reputable data
    recovery specialist.

    US-CERT and CCIRC recommend users and administrators take the following
    preventive measures to protect their computer networks from ransomware
    infection:


    * Perform regular backups of all critical information to limit the impact
    of data or system loss and to help expedite the recovery process. Ideally,
    this data should be kept on a separate device, and backups should be stored
    offline.
    * Maintain up-to-date anti-virus software.
    * Keep your operating system and software up-to-date with the latest
    patches.
    * Do not follow unsolicited web links in email. Refer to the Security Tip
    Avoiding Social Engineering and Phishing Attacks [
    https://www.us-cert.gov/ncas/tips/st04-014 ] for more information on social
    engineering attacks.
    * Use caution when opening email attachments. For information on safely
    handling email attachments, see Recognizing and Avoiding Email Scams [
    https://www.us-cert.gov/sites/defaul...scams_0905.pdf
    ].
    * Follow safe practices when browsing the web. See Good Security Habits [
    https://www.us-cert.gov/ncas/tips/ST04-003 ] and Safeguarding Your Data [
    https://www.us-cert.gov/ncas/tips/ST06-008 ] for additional details.

    Individuals or organizations are not encouraged to pay the ransom, as this
    does not guarantee files will be released. Report instances of fraud to the
    FBI at the Internet Crime Complaint Center [ http://www.ic3.gov/ ] or
    contact the CCIRC <cyber-incident@ps-sp.gc.ca> .

    References

    * Kaspersky Lab, Kaspersky Lab detects mobile Trojan Svpeng: Financial
    malware with ransomware capabilities now targeting U.S. [
    http://www.kaspersky.com/about/news/...etects-mobile-
    Trojan-Svpeng-Financial-malware-with-ransomware-capabilities-now-targeting-U
    S-users ]
    * United States National Cybersecurity and Communications Integration
    Center, Cryptolocker Ransomware [
    http://www.cod.edu/about/information...ansomware20131
    031_cryptolocker.pdf ]
    * Sophos / Naked Security, What’s next for ransomware? CryptoWall picks up
    where CryptoLocker left off [
    http://nakedsecurity.sophos.com/2014...omware-cryptow
    all-picks-up-where-cryptolocker-left-off/ ]
    * Symantec, CryptoDefence, the CryptoLocker Imitator, Makes Over $34,000
    in One Month [
    http://www.symantec.com/connect/blog...er-imitator-ma
    kes-over-34000-one-month ]
    * Symantec, Cryptolocker: A Thriving Menace [
    http://www.symantec.com/connect/blog...hriving-menace ]
    * Symantec, Cryptolocker Q&A: Menace of the Year [
    http://www.symantec.com/connect/blog...qa-menace-year ]
    * Symantec, International Takedown Wounds Gameover Zeus Cybercrime Network
    [
    http://www.symantec.com/connect/blog...ounds-gameover
    -zeus-cybercrime-network ]

    Revision History

    * Initial Publication, October 22, 2014
    That's what
    - She

    Without a clear-cut definition of sin, morality becomes a mere argument over the best way to train animals
    - Manya the Holy Szin (The Quintara Marathon)

    I may not be as old as dirt, but me and dirt are starting to have an awful lot in common
    - Stephen R. Donaldson
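The alert above describes crypto ransomware as malware that overwrites documents with ciphertext and reaches shared drives, removable media and, if they are online, backups. The following is an added example and not part of the US-CERT alert or of this thread: a small Python scan that flags files whose bytes look like ciphertext while their extension promises a structured format, the kind of check a defender can run over a file share or a backup set before trusting it. The sample file contents, the entropy threshold and the magic-byte table are constructed assumptions, not data from the alert.

```python
import math
import random
from collections import Counter
from pathlib import PurePosixPath

# Shannon entropy in bits per byte above which content looks like ciphertext.
# Prose and source code sit around 4-5 bits/byte; compressed or encrypted data
# approaches the 8.0 maximum. The threshold is an assumed tuning value.
ENTROPY_THRESHOLD = 7.5

# Magic-byte prefixes for formats whose extension implies a fixed header.
# Office Open XML documents are ZIP containers, so they start with "PK\x03\x04".
EXPECTED_MAGIC = {
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
}

# Constructed sample contents (not real files):
#  - a plain-text report: low entropy, no header expectation;
#  - a PNG: high entropy because image data is compressed, but its header is intact;
#  - a .docx whose bytes have been replaced by seeded pseudo-random data, standing
#    in for a document that crypto ransomware has overwritten with ciphertext.
_rng = random.Random(2014)
SAMPLE_FILES = {
    "reports/quarterly_report.txt": b"Quarterly results: revenue up 4%, costs flat.\n" * 20,
    "images/logo.png": b"\x89PNG\r\n\x1a\n" + _rng.randbytes(2048),
    "contracts/contract.docx": _rng.randbytes(4096),
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def header_intact(name: str, data: bytes):
    """True/False when the extension has a known header; None when there is no expectation."""
    magic = EXPECTED_MAGIC.get(PurePosixPath(name).suffix.lower())
    if magic is None:
        return None
    return data.startswith(magic)


def classify(name: str, data: bytes) -> str:
    """'encrypted?' when content is near-random and the expected header is missing
    (or the format has none), 'ok' otherwise. Entropy alone would flag every PNG
    or ZIP, so the header check is what keeps the false-positive rate usable."""
    if shannon_entropy(data) >= ENTROPY_THRESHOLD and header_intact(name, data) is not True:
        return "encrypted?"
    return "ok"


def scan(files: dict) -> list:
    """Names of files that look encrypted, sorted. One hit may be a legitimate
    archive; many documents turning random at once is the ransomware pattern."""
    return sorted(name for name, data in files.items() if classify(name, data) == "encrypted?")


if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{classify(name, data):11s} entropy={shannon_entropy(data):.2f}  {name}")
    print("flagged:", scan(SAMPLE_FILES))
```

Run against a real directory tree by replacing the sample dict with the first few kilobytes of each file; reading only a prefix keeps the scan cheap on large shares. The same check applied to the offline backup target, before it is rotated, tells you whether the last backup captured originals or ciphertext.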

  • #2
    I've heard of this before. We use a little utility called HitmanPro.Alert to help protect against it.

    http://www.surfright.nl/en/cryptoguard
    ~ Russell ("MelMak")

    "[Sing] and [make] melody in your heart to the Lord." -- Ephesians 5:19b

    Fight spam!



    • #3
      This sounds VERY similar to what my Monday Night GM went through with his computer a while back... Anytime he tried to do something, a pop-up required he 'pay a fine' because his computer was allegedly used for illegal stuff. My roommate had to wipe the sucker clean...
      Have You Touched Grass Today? If Not, Please Do.



      • #4
        Yeah, I heard about this. If you had Cryptolocker, some security company people hacked into the criminal system and made decryption keys available. I'm not sure if the encryption keys for the other "Lockers" have been created properly.
        "It's evolution; every time you invent something fool-proof, the world invents a better fool."
        -Unknown

        "Preach the gospel, and if necessary use words." - Most likely St.Francis


        I find that evolution is the best proof of God.



        • #5
          I ran into a website which said that I was doing an illegal act and that I must now pay such and such fine. It said something to the respect that I was already identified and could not avoid the fine just by closing the web page down. This happened when I was searching for source code to accompany a programming book I bought. (Later on I found the link at the beginning of the book -- it just wasn't as easily found as I had hoped.)
          Anyhow I just closed the link (or maybe shut down the browser) and continued on my way.

          One important thing is that users should not do any additional interaction with such web sites since any mouse events or key events could activate code on the website -- code which would try to install malware.



          • #6
            Originally posted by Bill the Cat: [TA14-295A: Crypto Ransomware alert, quoted in full from the first post]
            Offtopic, but this is why I use Linux as my desktop as well. Fewer viruses for Linux out there than Windows, and generally quicker with the fixes too.
            "It's evolution; every time you invent something fool-proof, the world invents a better fool."
            -Unknown

            "Preach the gospel, and if necessary use words." - Most likely St.Francis


            I find that evolution is the best proof of God.



            • #7
              If infected, one may be able to also manually remove it using Process Explorer and Autoruns of the Sysinternals Suite:

              http://www.sysinternals.com/

              I had to use Process Explorer and Autoruns once long ago when first my computer, then mossy's computer, picked up some rogue antimalware from the web which MS Security Essentials didn't catch. They worked great in getting rid of it.

              (Of course, doing this with ransomware wouldn't decrypt files already encrypted, sadly. That's why it's still good to have backups handy.)
              ~ Russell ("MelMak")

              "[Sing] and [make] melody in your heart to the Lord." -- Ephesians 5:19b

              Fight spam!

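Post #7 points at Process Explorer and Autoruns for cleaning up an infected machine by hand. As an added example (not from this thread and not Sysinternals' own code), here is a Python triage of an Autoruns CSV export that lists the enabled entries worth opening first: programs launched on logon from a user-writable directory, without a verified signature, and carrying no description or company resource. The CSV text is constructed, and its column names are an assumption about the `autorunsc -c` export format; compare them with your own export before relying on the script.

```python
import csv
import io
import re

# Constructed text in the shape of an "autorunsc -c" CSV export (the column names
# are an assumption about that format; compare them with your own export). Real
# exports are usually UTF-16, so read those with open(path, encoding="utf-16").
SAMPLE_CSV = (
    "Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,"
    "Image Path,Version,Launch String\n"
    "20141022-120000,HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,"
    "enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,"
    "Microsoft Corporation,c:\\windows\\system32\\securityhealthsystray.exe,1.0.0.0,"
    "%windir%\\system32\\SecurityHealthSystray.exe\n"
    "20141022-120000,HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,ctfmon,"
    "enabled,Logon,bob,,,,c:\\users\\bob\\appdata\\roaming\\ctfmon.exe,,"
    "c:\\users\\bob\\appdata\\roaming\\ctfmon.exe\n"
    "20141022-120000,HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,OneDrive,"
    "enabled,Logon,bob,Microsoft OneDrive,(Verified) Microsoft Corporation,Microsoft Corporation,"
    "c:\\users\\bob\\appdata\\local\\microsoft\\onedrive\\onedrive.exe,1.2.3.4,"
    "c:\\users\\bob\\appdata\\local\\microsoft\\onedrive\\onedrive.exe /background\n"
    "20141022-120000,HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Updater,"
    "disabled,Logon,System-wide,,,,c:\\users\\public\\updater.exe,,c:\\users\\public\\updater.exe\n"
)

R_WRITABLE = "image lives in a user-writable directory"
R_UNSIGNED = "image is not signature-verified"
R_NO_RESOURCE = "image carries no description or company resource"

# Directories an ordinary user can write to. A program that starts from one of
# these on every logon needed no administrator rights to install itself there.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\", re.I
)


def is_user_writable(image_path: str) -> bool:
    return bool(USER_WRITABLE.search(image_path))


def is_verified(signer: str) -> bool:
    # Autoruns prefixes a signer whose certificate chain it could validate with "(Verified)".
    return signer.strip().lower().startswith("(verified)")


def triage_entry(row: dict) -> list:
    """Reasons an enabled autorun entry deserves a closer look; empty means nothing notable."""
    if row.get("Enabled", "").strip().lower() != "enabled":
        return []  # disabled entries do not run; review them separately
    reasons = []
    if is_user_writable(row.get("Image Path", "")):
        reasons.append(R_WRITABLE)
    if not is_verified(row.get("Signer", "")):
        reasons.append(R_UNSIGNED)
    if not row.get("Description", "").strip() and not row.get("Company", "").strip():
        reasons.append(R_NO_RESOURCE)
    return reasons


def triage_export(csv_text: str) -> dict:
    """Entry name -> reasons, for every enabled entry with at least one reason."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = triage_entry(row)
        if reasons:
            findings[row["Entry"]] = reasons
    return findings


def high_priority(csv_text: str) -> list:
    """Entries that are both unverified and launched from a user-writable path:
    the combination to check first in Process Explorer and Autoruns."""
    return sorted(entry for entry, reasons in triage_export(csv_text).items()
                  if R_WRITABLE in reasons and R_UNSIGNED in reasons)


if __name__ == "__main__":
    for entry, reasons in triage_export(SAMPLE_CSV).items():
        print(f"{entry}: {'; '.join(reasons)}")
    print("high priority:", high_priority(SAMPLE_CSV))
```

In the sample, the signed OneDrive entry in the user's profile is listed for review but not prioritised, while the unsigned look-alike in AppData\Roaming is the one to examine; the disabled entry is skipped because it does not run. The script only ranks what Autoruns already shows, so the verdict still rests on checking the flagged image in Process Explorer and, as post #7 notes, cleaning it up does not recover files that were already encrypted.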


              • #8
                Originally posted by The Melody Maker:
                If infected, one may be able to also manually remove it using Process Explorer and Autoruns of the Sysinternals Suite:

                http://www.sysinternals.com/

                I had to use Process Explorer and Autoruns once long ago when first my computer, then mossy's computer, picked up some rogue antimalware from the web which MS Security Essentials didn't catch. They worked great in getting rid of it.
                I thought he was more of a mad scientist than a programmer.
