
Combatting Ransomware

Posted on 07/15/2015, by Manuel López and Jesús Arnáiz

Given the widespread use of Information and Communications Technology (ICT) in all areas of society, a series of threats has appeared in cyberspace that take different forms: cybercrime, cyberterrorism and cyberwarfare, amongst others.

Within these cyber threats, those grouped under the generic name ransomware are evolving quickly and have a major impact. We explain ransomware in more detail later in this article and, after presenting the defensive measures we propose, we analyse the effectiveness of antimalware systems against this type of threat.

Illustrations courtesy of Alejandro Cuenca.

What is ransomware?

The word is a portmanteau of “ransom” and the suffix “-ware”, commonly used to name types of computer component (hardware, software, etc.).

To define ransomware we take the definition given by NIST in its malware report of June 2011:

“The use of malware to block access to computers or data until a payment is made, also continues to be used for extortion purposes.”

In our own words, we describe it as:

Software (or a computer application) designed with malicious intent (that is, malware) that blocks access to computers or data until a payment demanded as a ransom has been received.

Below we present the defensive measures we recommend, and we finish the article with a classification and a more detailed explanation of these threats.

How can we protect ourselves from Ransomware?

Illustrations courtesy of Alejandro Cuenca.

We present, by way of a guide, the technological measures and best practices that can be applied according to the reader's profile: private users, companies with low dependence on technology, and companies with medium to high dependence on technology.

As a reader, you can skip to the part that best applies to you, although we recommend reading the whole article, since many of the measures are compatible and can be adapted for different profiles.

If I am a private user…

  • I must back up my data to one, or better still several, removable storage devices (USB flash drives, external USB disks, etc.) that are connected to the computer only for as long as it takes to make the backup or restore from it; an external disk that is left permanently connected will simply be encrypted along with everything else. A backup is normally the only way of recovering data after an infection, and however many preventive measures we take we cannot rule one out, since this type of malware evolves continually.
  • I must be very careful with the e-mails I open, and never run a program or follow a link that arrives unsolicited, since this is the most common infection technique. The deception techniques used are very sophisticated: the messages can pass as legitimate e-mails such as certified-letter notices from the post office, invoices or orders, bank transfers, etc., so neither their appearance nor their apparent origin can be trusted. It is therefore also advisable to scan attachments before opening them and, in the case of links, to check the URL with a link analyser beforehand.
  • Building on the previous measure, we also believe a defensive attitude must be maintained: be suspicious by default when browsing, and avoid running software that was downloaded automatically to the computer or installing applications recommended on download pages or elsewhere to “improve the performance” of the PC, fake antivirus software and the like, since this is another common route of infection.
  • I must use antivirus/antimalware software: there are many applications, several of them free or low-cost home versions, such as Avast, Spybot and Lavasoft Ad-Aware.
  • I can try to prevent infection with tools such as Anti Ransom, by the researcher Yago Jesús, which plants decoy files and watches for changes to them.
  • Use online scanners such as VirusTotal for files we consider suspicious; it runs the submitted sample through many antivirus engines, including those of the most reputable vendors, and returns their verdicts. Nevertheless, this measure is not 100% effective, since samples are not always detected (particularly new variants that have only recently appeared).
  • Keep the operating system (e.g. Windows) up to date, and likewise the installed applications: the browser, Flash Player, Java and others. Vulnerabilities in these applications can be exploited by third parties to infect us and then encrypt our data.
  • Avoid paying the ransom: we advise against paying, since doing so funds this criminal industry and lets it prosper, and there is never any guarantee that the computer or the information will be recovered after payment.
  • If I am infected, I should report it to the State Security Forces and Agencies: the Technological Investigation Brigade of the Spanish National Police or the Civil Guard's Cybercrime Group.

Example of a phishing message impersonating Correos (the Spanish postal service) used to propagate CryptoLocker.

If I am a company with low dependence on technology…

We can apply all of the measures presented in the foregoing section in addition to the following:

  • Use a backup system that is not permanently reachable from user workstations: a server on the local network or in the cloud whose storage is not mapped as a writable share on users' machines (ransomware encrypts every drive it can reach, network drives included), or an external device that is connected only while the backup runs. Scheduled tasks or backup tools, such as those provided by numerous software companies, can automate the latter.
  • Limit users' privileges to the minimum needed for their work (for example, according to the department or area in which they work, or the roles they perform).

If I am a company with medium to high dependence on technology…

In addition to the measures in the sections above, in a setting of this type we can:

  • Devote resources to training and raising the awareness of staff in computer security and in these threats in particular: how they spread, what can be done to avoid them, etc. More specifically, the IT security staff should know how these threats work, follow propagation campaigns, be able to detect them early through honeypots or other methods, and be in contact with the official organisations.
  • Use corporate antivirus/antimalware systems with centralised management that enforce an updated version on every machine on the network, such as those offered by the various vendors of this type of software (McAfee, Symantec and many others).
  • Use specific prevention tools designed for corporate settings, such as the CryptoLocker Prevention Kit or CryptoPrevent, which apply Software Restriction Policies that stop executables from running from the locations these families typically drop into, such as %AppData% and %Temp%.
  • Use specific applications and policies for keeping software up to date, including the operating system, its components and the applications.
  • Plan and carry out an auditing programme (by internal audit teams or specialised third parties) covering both the organisation's systems and its policies, so that potential vulnerabilities can be detected.

Research method

Various study avenues were used in the preparation of this article, including:

  • Forensic analysis of a CryptoLocker sample; the published study is listed in the References section.
  • Analysis of samples of this type of threat on VirusTotal.
  • Study of technical reports on this threat, which describe how it works and how to prevent it, such as those included in the References section, provided by vendors, specialised blogs and state organisations such as INCIBE.
  • Study of the evolution of malware in general, to better understand ransomware and predict its possible evolutions.
  • Consulting the State Security Forces and Agencies about the impact of this type of threat and its progress.
  • Monitoring of related news published in specialised media and also in mass media.

Classification of Ransomware

The two main ransomware families that we can currently find are:

  • Encrypting ransomware: uses encryption to hold the user's data hostage.
  • Locker ransomware: blocks the device (PC, mobile, tablet, etc.) or one of its components (such as the browser) in some way.

Encrypting Ransomware

This first category contains many variants, the best known being CryptoLocker, but it also includes others with similar behaviour such as TeslaCrypt, TorrentLocker and many more.

On infection, this malware searches all accessible drives (including network drives and connected external drives) and encrypts every file that matches its target characteristics, normally well-known extensions: images (.jpg, .png, .gif, etc.), office documents (.doc, .docx, .ppt, .pdf), CAD files (.dwg) and many others.

After encryption it shows the user a message (sometimes placed in a text file in each affected folder and/or set as the desktop wallpaper) stating that their data have been encrypted and that they must pay to recover them, normally through Bitcoin addresses or other currencies or payment methods that are difficult to trace, such as Ukash.

It is assumed that once payment is made the victim receives the RSA private key. These families commonly encrypt the files with a symmetric cipher such as AES-CBC and then wrap the symmetric keys and/or initialisation vectors with the attacker's RSA public key; only the corresponding private key, which never leaves the attacker, can unwrap them, so the files cannot be decrypted from what remains on the victim's machine.

* We emphasise that payment does not necessarily result in the recovery of the information.
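The enumerate-and-encrypt behaviour described above is also what makes decoy files an effective early-detection measure, the approach behind Anti Ransom for home users and the honeypots mentioned in the corporate section. The following Python script is an added example, not code from the original article or from any of the tools it names: it plants a canary document in each watched folder, records its SHA-256 and later reports any decoy that has vanished or been rewritten, using byte entropy to tell ciphertext from an ordinary edit. The decoy name, its extension and the 7.0-bit entropy threshold are assumptions of this example, and `demo()` simulates an attack on temporary folders with random bytes rather than real malware.

```python
"""Canary-file monitor for detecting encrypting ransomware (illustrative example).

Plants a decoy document in each watched folder, records its SHA-256, and later
checks whether any decoy has been deleted, renamed or rewritten. Because this
kind of ransomware enumerates folders and encrypts everything that matches a
list of extensions, a decoy is hit like any other document, and ciphertext has
near-maximal byte entropy, which a text document never has.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Tuple

# Assumptions of this example: a name that sorts first so an alphabetical sweep
# reaches the decoy early, and a .docx extension, which is on the usual target lists.
CANARY_NAME = "00_canary_do_not_touch.docx"
CANARY_CONTENT = b"Decoy document planted by IT. Any change to it triggers an alert.\n" * 60


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0). Ciphertext and compressed data sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def plant_canaries(folders: List[Path]) -> Dict[str, str]:
    """Write one decoy per folder and return the baseline {path: sha256}."""
    baseline = {}
    for folder in folders:
        decoy = Path(folder) / CANARY_NAME
        decoy.write_bytes(CANARY_CONTENT)
        baseline[str(decoy)] = hashlib.sha256(CANARY_CONTENT).hexdigest()
    return baseline


def check_canaries(baseline: Dict[str, str], entropy_threshold: float = 7.0) -> List[Tuple[str, str]]:
    """Compare every decoy against the baseline; return (path, reason) for each anomaly."""
    alerts = []
    for path, expected_digest in baseline.items():
        decoy = Path(path)
        if not decoy.exists():
            # Many families rename files while encrypting (e.g. appending an
            # extension), so a vanished decoy is as suspicious as a rewritten one.
            alerts.append((path, "missing (deleted or renamed)"))
            continue
        data = decoy.read_bytes()
        if hashlib.sha256(data).hexdigest() != expected_digest:
            if shannon_entropy(data) > entropy_threshold:
                alerts.append((path, "rewritten with high-entropy content (likely encrypted)"))
            else:
                alerts.append((path, "modified"))
    return alerts


def demo() -> List[Tuple[str, str]]:
    """Plant decoys in two temporary folders, simulate an attack, return the alerts."""
    base = Path(tempfile.mkdtemp(prefix="canary_demo_"))
    folders = [base / "Documents", base / "Pictures"]
    for folder in folders:
        folder.mkdir()
    baseline = plant_canaries(folders)
    if check_canaries(baseline):
        raise RuntimeError("decoys should be intact right after planting")
    # Constructed simulation, not real malware: overwrite one decoy with random
    # bytes (what ciphertext looks like) and delete the other.
    (folders[0] / CANARY_NAME).write_bytes(os.urandom(4096))
    (folders[1] / CANARY_NAME).unlink()
    return sorted(check_canaries(baseline))


if __name__ == "__main__":
    for path, reason in demo():
        print(f"ALERT {reason}: {path}")
```

In practice `check_canaries` would run from a scheduled task or a file-system watcher, and an alert should trigger an immediate response (isolating the machine from the network and from any mounted backup target) rather than just a log line, because by the time the decoy changes the sweep is already under way.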

CryptoLocker screen.

The amount demanded varies between variants and is around €100-€500. In some cases the amount is tuned to the target of the propagation campaign (for example, the amount requested differs between countries and is usually higher in richer ones).

For further information on how this type of threat works, we recommend the following article, published by the authors in the specialised IT security blog SecurityByDefault, in which we break down how a CryptoLocker variant works through a forensic investigation:

SecurityByDefault: análisis de un ransomware de cifrado.

Locker Ransomware

This malware prevents the use of the device or its components until the ransom has been paid.

This category contains extremely varied specimens, the best known being Reveton, commonly called “the Police virus”.

One of the manipulation techniques used to make the victim pay is a screen telling the user that they have committed a crime (usually related to downloading illegal pornography) and must therefore pay a fine.

As the technique has been refined, the message has been adapted to each country, using the local language and the insignia of the competent police force, and even showing the victim's image captured with the webcam, if the device has one.

Screen presented by a Reveton variant.

In this category, we are seeing the introduction of new variants aimed at smartphones and tablets, such as that illustrated on the screen below:

Screen image of a Reveton version for mobile devices.

We believe the trend may be to extend this type of threat to all kinds of devices in what is known as the Internet of Things (IoT), which could affect elements of daily life such as smart TVs and connected appliances as they grow in popularity.

Analysis of the behaviour of antivirus software against this threat

We analysed 50 samples of known ransomware using the VirusTotal detection platform.

The samples belong to various families: Reveton, CryptoLocker, CryptoWall, etc. Some variants were very recent at the time of analysis and therefore had very few detections; we cannot confirm it, but most would probably have been caught by heuristics.

The scans are dated between February 2012 and the end of May 2015, according to when each sample was obtained.

The data in this analysis are not intended to measure the quality of these products, which depends on many other parameters (detection of other types of threat, performance, ease of use, etc.).

The following table shows, for each antivirus engine, the number of samples it scanned and the percentage it detected.

Percentage of detection and the number of samples scanned in different antivirus software.
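As an added example of how the figures in a table like this are produced, and not code from the original study or from VirusTotal, the script below aggregates VirusTotal-style file reports into per-engine detection percentages. The reports, engine names and verdict strings are constructed for the example and entirely fictional. The point it demonstrates is the denominator: an engine missing from a report did not scan that sample (for instance because the sample was submitted before the engine joined the platform), so each engine's percentage is computed over the samples it actually scanned, which is why the number scanned must be reported alongside the percentage. A second helper shows the per-sample view, where the freshest samples collect the fewest detections.

```python
"""Per-engine detection rates from VirusTotal-style scan reports (illustrative example).

Each report has the shape VirusTotal returns for a file: a "scans" mapping from
engine name to a verdict. An engine absent from a report did not scan that
sample, so every engine gets its own denominator.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed data for this example: five fictional reports and four fictional
# engines. Sample labels, dates and verdict strings are invented.
REPORTS: List[dict] = [
    {"sample": "sample-01", "scan_date": "2012-02-14", "scans": {
        "Engine_A": {"detected": True,  "result": "Trojan.Ransom.Reveton"},
        "Engine_B": {"detected": True,  "result": "Ransom:Win32/Reveton"},
        "Engine_C": {"detected": True,  "result": "Win32.Reveton"}}},
    {"sample": "sample-02", "scan_date": "2013-10-03", "scans": {
        "Engine_A": {"detected": True,  "result": "Trojan.Ransom.CryptoLocker"},
        "Engine_B": {"detected": False, "result": None},
        "Engine_C": {"detected": True,  "result": "Gen:Variant.Ransom"},
        "Engine_D": {"detected": True,  "result": "CryptoLocker"}}},
    {"sample": "sample-03", "scan_date": "2014-06-21", "scans": {
        "Engine_A": {"detected": True,  "result": "Trojan.Ransom.CryptoWall"},
        "Engine_B": {"detected": True,  "result": "Ransom:Win32/Crowti"},
        "Engine_C": {"detected": False, "result": None},
        "Engine_D": {"detected": True,  "result": "CryptoWall"}}},
    {"sample": "sample-04", "scan_date": "2015-05-28", "scans": {
        "Engine_A": {"detected": False, "result": None},
        "Engine_B": {"detected": False, "result": None},
        "Engine_C": {"detected": False, "result": None},
        "Engine_D": {"detected": True,  "result": "Heur.Suspicious"}}},
    {"sample": "sample-05", "scan_date": "2015-05-30", "scans": {
        "Engine_A": {"detected": False, "result": None},
        "Engine_B": {"detected": True,  "result": "Gen:Heur.Ransom"},
        "Engine_D": {"detected": False, "result": None}}},
]


def detection_table(reports: List[dict]) -> Dict[str, Tuple[int, int, float]]:
    """Return {engine: (detected, scanned, percentage)} using per-engine denominators."""
    scanned: Counter = Counter()
    detected: Counter = Counter()
    for report in reports:
        for engine, verdict in report["scans"].items():
            scanned[engine] += 1
            if verdict.get("detected"):
                detected[engine] += 1
    return {
        engine: (detected[engine], scanned[engine],
                 round(100.0 * detected[engine] / scanned[engine], 1))
        for engine in scanned
    }


def detections_per_sample(reports: List[dict]) -> Dict[str, Tuple[int, int]]:
    """Return {sample: (engines detecting it, engines that scanned it)}."""
    return {
        report["sample"]: (
            sum(1 for verdict in report["scans"].values() if verdict.get("detected")),
            len(report["scans"]),
        )
        for report in reports
    }


def format_table(table: Dict[str, Tuple[int, int, float]]) -> str:
    """Render the per-engine table sorted by detection percentage, best first."""
    rows = sorted(table.items(), key=lambda item: (-item[1][2], item[0]))
    lines = [f"{'Engine':<12}{'Detected':>9}{'Scanned':>9}{'Rate':>8}"]
    for engine, (det, scn, pct) in rows:
        lines.append(f"{engine:<12}{det:>9}{scn:>9}{pct:>7.1f}%")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(detection_table(REPORTS)))
    for sample, (hits, total) in detections_per_sample(REPORTS).items():
        print(f"{sample}: {hits}/{total} engines")
```

Two caveats carry over to any real run of this kind: the verdicts are those recorded at submission time, so rescanning the same samples months later will raise every engine's percentage as signatures catch up, and a high static-detection rate on VirusTotal says nothing about the behavioural protection the same product provides on an endpoint.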

Final Conclusions

Ransomware is a threat in full swing, and nothing suggests that this situation will not continue (or worsen) in the future, given the proliferation of ever more Internet-connected devices (tablets, phones, televisions, etc.).

The appearance of Ransomware-as-a-Service also makes matters worse: creating threats of this type becomes a simple task, with the service provider taking a fee for each ransom the victims pay.

It is necessary to follow best practices that include awareness-raising and preventive measures, although, as we have seen, having up-to-date antivirus software does not guarantee immunity from infection.

For larger settings, or those more dependent on technology, there are very effective tools for combatting these threats, but nothing replaces a backup, since it is the most effective and almost the only way of recovering data.

In more specialised settings, and in teams that detect and respond to incidents, the strategy may include early-detection measures such as decoy machines and honeypots, together with (manual and/or automatic) analysis systems.

References

We include some relevant references that the reader may use to increase their knowledge about this study.

ANÁLISIS DE UN RANSOMWARE DE CIFRADO (ANALYSIS OF AN ENCRYPTING RANSOMWARE). Manuel López Hidalgo, Jesús Arnáiz, Marcos Gómez Hidalgo, (published as collaborators in SecurityByDefault) (18/05/2015).

Ransomware, herramienta de la ciberextorsión (Ransomware, a cyber extortion tool). David Cantón (INCIBE) (12/11/2013).

RANSOMWARE IV: Métodos de infección, protección y recuperación (RANSOMWARE IV: Methods of infection, protection, and recovery). David Cantón (INCIBE) (23/01/2014).

Cómo eliminar el virus de la Policía en dispositivos móviles (How to eliminate the Police virus on mobile devices). OSI – Oficina de Seguridad del Internauta (Internet User Security Office) (19/06/2015).

About the authors

This study was developed as part of a Master’s thesis in the UNIVERSITY MASTER’S DEGREE IN SECURITY IN INFORMATION AND COMMUNICATIONS TECHNOLOGIES of the European University of Madrid.

The following authors participated:

  • Manuel López Hidalgo. Engineer specialising in computer security. beat.ransomware @ gmail.com.
  • Jesús Arnáiz Calvo. Engineer specialising in computer security. jesusarnaizcts @ gmail.com.
  • Marcos Gómez Hidalgo. Specialist in computer security with a Bachelor’s in Mathematics, project tutor. marcos.gomez @ incibe.es.

Lastly, we would like to thank Alejandro Cuenca Merchán, our designer, for generously providing his cartoons. cuencamerchan @ outlook.com.