Ransomware inspires fear in the hearts of those who have experienced its tenacious grip, and curiosity in the souls of those who haven’t.
To Pay Or Not To Pay
Over the past few years, malefactors have added yet another sinister twist to the crimeware game — cyber extortion.
End users panic (specifically those who have never backed up their system), while many security experts say “never pay the ransom.” Government entities like the Department of Homeland Security also discourage victims from paying ransom because “paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.”
In Struts CryptoWall 3.0
Launched in January of this year, CryptoWall 3.0 (Crowti) is distinct from previous versions because it now utilizes I2P (an anonymous peer-to-peer network), simplifying the process while making for a much friendlier user experience. It also provides an easier-than-pie installation in comparison to a novice user attempting to communicate with the attackers via TOR. Another drastic difference that sets CryptoWall 3.0 apart from the rest is that the attackers appear to be highly reliable in returning the victim's encryption key to unlock the encrypted files — once the ransom is paid.
In a nutshell: CryptoWall 3.0 can be spread by email or an infected website, or the vector of infection may be unknown. But, once it gets into your network, it will begin to establish network connections to random C&C (command and control) servers that are hidden on the Tor and I2P anonymous networks. It will then upload all of the workstation system information, generate a random 2048-bit RSA key pair, register the workstation, and copy the public key back to the victim's computer.
Next, it will copy and encrypt each file on the victim's computer (the files to be encrypted are predetermined by the C&C file extension list). After each copy is created, it then deletes the original file from the computer. It continues on its merry way until every file has been copied, encrypted, and the original file has been deleted. Once it has run through the predetermined list of extensions (like .pdf, .doc, .png, .JPG) on the computer, it will also attack every mapped network drive, external drive, or USB flash drive until its mission is complete.
Once the encryption process is done, CryptoWall will stop the Volume Shadow Copy Service (VSS) – making your backup and restoration service completely null. On Windows 7 and above it will also stop file versioning and delete the cache. Once all system protection and volume shadow images have been disabled, it injects its code into a newly spawned svchost.exe process. The Dell SonicWall Threats Research team provides a far more technical peek here.
They Leave Instructions Too
At the root of every directory (that was attacked) these three files will appear:
DECRYPT_INSTRUCTION.txt
DECRYPT_INSTRUCTION.html
DECRYPT_INSTRUCTION.url
These miscreants are clever little buggers and exceptionally generous in leaving myriad step-by-step instructions on how to pay out the ransom.
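As an added example (not code from the article, Dell or SonicWall), a small Python triage script that checks a file tree for the two traces described above: the three DECRYPT_INSTRUCTION notes at a directory root, and documents on the encryption list whose leading bytes no longer match their extension, since encryption overwrites the file signature. The file signatures, the directory layout and the sample files are constructed assumptions for the illustration.

```python
import os
import tempfile

# The three notes the article says appear at the root of every attacked directory.
NOTE_FILES = {"DECRYPT_INSTRUCTION.txt", "DECRYPT_INSTRUCTION.html", "DECRYPT_INSTRUCTION.url"}

# Well-known file signatures (assumed here, not from the article) for extensions on
# the article's example list; encryption overwrites these leading bytes.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound document
}


def scan(root):
    """Walk `root`; return directories holding all three ransom notes and files
    whose header no longer matches their extension (probably encrypted)."""
    note_dirs, mismatches = [], []
    for dirpath, _subdirs, files in os.walk(root):
        if NOTE_FILES.issubset(files):
            note_dirs.append(dirpath)
        for name in files:
            ext = os.path.splitext(name)[1].lower()   # the article lists .JPG too
            if ext not in MAGIC:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(len(MAGIC[ext]))
            if head != MAGIC[ext]:
                mismatches.append(path)
    return {"note_dirs": sorted(note_dirs), "header_mismatches": sorted(mismatches)}


def build_sample_tree():
    """Constructed sample data: one clean folder and one folder hit by ransomware."""
    root = tempfile.mkdtemp(prefix="cw_demo_")
    clean, hit = os.path.join(root, "clean"), os.path.join(root, "hit")
    os.makedirs(clean)
    os.makedirs(hit)
    with open(os.path.join(clean, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n% constructed sample document\n")
    with open(os.path.join(hit, "report.pdf"), "wb") as fh:
        fh.write(bytes(range(0x20, 0x60)))   # stands in for ciphertext; no PDF header
    for note in NOTE_FILES:
        with open(os.path.join(hit, note), "w") as fh:
            fh.write("constructed placeholder for the ransom note\n")
    return root
```

Zero-length files also show up as header mismatches, so review the list rather than treating every hit as ciphertext.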
Five Hacking Generations
Security freelance writer, Drew Robb lists five hacking generations in his KnowBe4 whitepaper, Your Money or Your Life Files:
- Gen One [sneaker-net viruses]: Teenagers sitting in dark, damp basements writing viruses in order to gain notoriety. They just wanted to show the world that they could do it and were relatively harmless.
- Gen Two [malicious viruses and worms]: Students that created malicious-type viruses that spread quickly around the globe (Sasser & NetSky), and were capable of causing multi-million dollar losses. This generation also desired to show off their ‘elite skills’ in order to gain notoriety.
- Gen Three [amateur cybercrime, botnets]: This generation shifted from recognition to remuneration, where easy money became the name of the game. This generation invested in botnets to control thousands of computers to send spam, attack websites, steal identities, and create havoc while indulging in all types of nefarious activities.
- Gen Four [professional cybercrime, rootkits, extortion]: This generation became better organized, hired coders that were capable of creating higher quality malware, and introduced malware that could hide itself. This is also the generation that spiked the interest and entrance of traditional mafias.
- Gen Five [Underground economy]: Stolen goods and illegal services are now bought and sold and all the tools of the trade are available for sale. Inexperienced green cybercriminals now have the opportunity to learn the trade and get to work quickly. This underground economy operates just like professional businesses and services do: with social networks, escrow services, along with licensed malware that receives high-end tech support, botnet rental by the hour, and seller reviews.
Undoubtedly, Gen Five will continue to add alarming and sinister twists to the global cyber-threat landscape.
The State of Contingency
In overall security planning, leave no stone unturned. The latest variant of crypto-ransomware, CryptoWall 3.0, is a unique threat. This version maliciously encrypts your data and holds it hostage. If you do not have a working backup and you can't or won't pay the ransom, your data becomes irrecoverable (like ashes in the wind) and is lost forever.
A layered security approach may be in the best interest of any organization that desires to be proactive — maintaining a reactive approach may be obsolete at this stage in the game.
4 ransomware lessons you need to learn before it snags you
1- Backup is Crucial: Use more than one back-up solution (such as an external drive and cloud storage). After backup is complete disconnect external drives and mapped cloud network drives from the ransomware vulnerability chain. Be sure to test backups weekly.
2- Use Proactive Security Scanning: Use antivirus/antimalware suites that are consistently updated with the latest definitions. Stop malicious process activities; block network connections to malicious sites. Implement ad-blocking and anti-spam filters.
3- Increase Endpoint Security: Read this ESG whitepaper (commissioned by RSA Security) on Rethinking Endpoint Security.
4- Use Security Awareness Training: End users are generally the weakest link. Teach employees about safe Internet practices and how to identify social engineering and spear phishing attacks. Test your employees' security awareness with in-house phishing exercises and interactive security activities.
Have you been a victim of ransomware? How did you deal with it? Did you have a solid backup or did you pay the ransom? Are there more ransomware lessons to be learned?
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.