The wave of ransomware that is currently flooding computers all over the world could well mean problems for many a company's security policies. Although these attacks are increasing in number and virulence by the day, the ransomware forecast is far from gloomy. So to help you keep your head above water, Stormshield has taken a look at current developments and profiled the six most recent examples of ransomware. We'll help you better understand how they work and give you some free tips so you can protect yourself against Locky and his friends CTB-Locker, TeslaCrypt, Petya and SamSam.
What is ransomware?
Ransomware is a particular type of malware that restricts access to the infected computer, blocking all or some of its functions, and demanding that the user pay a ransom within a given period, usually using the bitcoin digital currency. Basically, not only is your PC taken hostage… but in no way does paying the ransom guarantee that you'll be able to get back control of your machine and be able to access its contents, safe and sound. In most cases, data that falls into the hands of an attacker is irreversibly lost. Take also a look to a short history of ransomware.
Various types of ransomware
There are two types of ransomware. The first is the more traditional "police" ransomware which latches onto your browser (hence the name "Browlock") or completely paralyses your computer. The second category – which is becoming increasingly widespread and is probably the more harmful – is "encrypting ransomware" or "cryptoware". The malware encrypts all of your computer's contents, rendering it unreadable without the decryption key, which the pirate will only give you in exchange for a ransom.
How your PC can become infected with ransomware
- A fraudulent email (containing an infected attachment)
- A compromised or malicious website
- Installing software from a non-reliable source
- Social networks (which make social engineering easier)
The last-born ransomware to emerge
No one is safe from Locky
Locky is a type of cryptoware that has been very much in the spotlight since February. It is currently spreading like wildfire throughout Europe, mainly through malicious macros in Word documents: victims become infected when they download attachments from malicious emails. It encrypts files on their workstation… sometimes on an entire network.
Furthermore, it evolves on a weekly basis, using new propagation methods. Some groups, for example, like to propagate malware by paying people who are specialised in exploiting security flaws. They make use of these vulnerabilities – zero-day in particular – to take control of computers and install Locky on them.
CTB Locker – a new bespoke adversary
CTB-Locker is another example of cryptoware. It was discovered in February and targets all versions of Windows (from Windows XP).Its preferred means of propagation is via booby-trapped emails. But it also uses compromised or malicious websites. Fraudulent email campaigns are effective since they target particular groups of users for whom the messages have been customised (they are in the users' language, in particular). This makes them more impactful than standardised emails sent in bulk.
Once triggered, it silently roams your computer in the background. It gets onto all of your hard drives and network shares, compiling a list of files (office documents, images, text files, etc.). It then moves them into a password-protected encrypted archive.
In order to avoid detection by companies' security experts, CTB-Locker has an anti-debugging mechanism: this way, it can identify virtual machines that are used by security experts for the purposes of analysing malware and ensure that it does not execute on them. This particular ransomware is worryingly versatile: it has several variants, including the most recent – a server variant – which was discovered by one of our Stormshield experts.
TeslaCrypt – the ransomware trojan that keeps its cards close to its chest
In February 2016, we published a detailed article about TeslaCrypt.
It analyses all of the drives on your computer, looking for data files. It ignores Windows itself and your applications so your computer remains operational. That way it can still access the Internet and you can pay the ransom. The data files are encrypted using AES encryption. Since AES encryption is among the most robust, it gives hackers complete control of victims' files – they stand absolutely no chance of being able to recover them unencrypted. Some versions of this malware target gamers' PCs in particular. It can infect computers in a variety of different ways, but mainly uses emails and exploit kits.
Petya – even more aggressive than Locky
This ransomware is even more aggressive than Locky: as well as encrypting files, Petya encrypts the first few sectors of the system disk, preventing the PC's operating system from loading. The result is that the targeted machine is completely inoperable. This highly aggressive attack strategy shows once again just how lucrative this type of malware can be.
The pretext used for getting onto hard drives can be, for example, a CV emailed to a company's human resources department.
If the network becomes infected, the computer is completely unusable. Until the ransom is paid – which by no means guarantees the end of the affair – the company's data is locked.
SamSam digs up the Hash-chet
The distinctive feature of this new cryptoware is the way in which it uses a new technique referred to as "Pass the Hash". This is a major threat for network security in companies. PC pirates use this technique to bypass server authentication systems so they can access confidential information and critical applications. Once the attacker has compromised a targeted workstation, they can extend their grip over all of a company's machines and its whole IT system. Since it can't be blocked by anti-virus software, companies need to know how serious this type of attack can be and adopt a whole new attitude to the risks to which their IT infrastructure is exposed.
Samsam recently hit MedStar Health, an organisation that manages ten or so hospitals in Maryland and Washington. The hackers demanded a total of 45 bitcoins to unlock all of the affected systems – around US$18,500.
Cerber – the latest pet peeve of the cybersecurity community
Cerber is what is known as Ransomware As A Service (RaaS). Although it is not alone, RaaS is a trend that is just starting to rear its head and looks set to become much more widespread. Fraudsters can now purchase the malware and deploy it as and when they want. So the cyber criminal network is no longer just a small circle of programming experts and software writers. With all these dazzling ransomware innovations, the cybercrime black market is gradually becoming more fragmented and elaborate. in fact, cybercrime is becoming far more structured and is undergoing widespread commercialisation.
Essential advice for protecting yourself against ransomware
- Keep your computer up-to-date (your operating system, software and plug-ins)
- Keep backups of your most important files
- Don’t click on links from unknown sources
A new generation of “Super Cryptoware”?
We can most likely expect to see a surge in new ransomware, as well as cryptoware continuing to evolve over the months to come, becoming increasingly complex. This is just the start of ransomware – and its evolution will still be making the news for some time to come. To find out more, read about the 2016 cybersecurity trends.
One of the changes to look out for will be the increasingly innovative means that ransomware uses to propagate itself. For example, Locky and Cerber sometimes exploit a zero-day vulnerability to spread; this can have a far greater impact in terms of numbers of infected machines than email. This trend shows just how incredibly lucrative ransomware can be, encouraging attackers to go to even more malicious lengths in order to get as many victims as possible. As pirates’ profiles become more varied, this new generation of ransomware is also helping them to become more powerful.
No, anti-virus software is not enough
Because pirates are devising increasingly complex and intelligent attack scenarios and malware, simply installing anti-virus software is no longer effective enough to protect your workstation. Malware can easily outsmart the signature analysis system, so proactively identifying malicious behaviour – which is what Stormshield Endpoint Security is able to do – is now vital for being able to counter both known and unknown threats. Stormshield Endpoint Security’s technology can control all of the ransomware mentioned in this article – most of it before it’s even been identified by the cybersecurity community. To help you understand how our technology differs from your standard anti-virus software, have a look at our infographic here.
You need a watchdog for your network
In some cases – such as with Locky – your workstation isn’t the only thing you have to lock down in order to protect yourself against the dangers of ransomware. Although Stormshield Endpoint Security will prevent malware from executing on your computer and/or will prevent a vulnerability from being exploited (via an exploit kit), a new-generation firewall – such as Stormshield Network Security – will provide an additional layer of protection at server level.
So if your PC ends up being infected by Locky because you’re using a less-than-effective anti-virus programme, Stormshield Network Security will prevent the ransomware from obtaining an encryption key from the Internet server, so it can’t encrypt your documents. And if it can’t scramble your documents, it won’t be able to hold you to ransom.