Ransomware is big business

Most ransomware relies on public key cryptography to scramble victims' files: one key encrypts and a different key decrypts. The public key lets anyone encrypt, but only the matching private key can unlock what was encrypted. In practice the file contents are not encrypted with the public key directly. A fast symmetric cipher such as AES encrypts the data under a freshly generated key, and it is that symmetric key that is encrypted with the public key. The effect is the same: without the private key the symmetric key, and with it the data, stays locked.

Attackers generate the public-private key pair on their own servers and send only the public key to the ransomware running on your computers; the private key never leaves their infrastructure. CryptoLocker is encrypting ransomware whose command-and-control server generates a 2048-bit RSA key pair for each victim, which is then used to lock files with specific file extensions. At that key size, recovering the private key by brute force or factoring is computationally infeasible, so the damage cannot be repaired by attacking the cryptography.

Once "activated", the ransomware scrambles your data, and the key that unlocks it is in the attacker's possession, not yours. Short of paying the ransom there is no way to obtain that key. That is, unless you have backed up your files: if they are backed up (and they always should be), restoring from a backup taken before the computer(s) were infected is simple.
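The key model described above, as an added Go example (this is not CryptoLocker's code, and the type and function names are this example's own): the data is encrypted under a fresh AES-256-GCM key, that key is wrapped with the operator's RSA-2048 public key, and the raw AES key is discarded. Only the holder of the private key, which in the ransomware model stays on the attacker's server, can unwrap it; a second key pair stands in for "anyone else" and fails.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is what the victim-side component leaves on disk: the data
// under a one-off AES-256-GCM key, plus that key wrapped with the operator's
// RSA public key. Nothing here can undo the encryption on its own.
type EncryptedFile struct {
	WrappedKey []byte // RSA-OAEP(pub, aesKey); 256 bytes for RSA-2048
	Nonce      []byte // 12-byte GCM nonce
	Ciphertext []byte // AES-256-GCM(aesKey, plaintext)
}

// GenerateOperatorKeys creates the server-side key pair. In the ransomware
// model only PublicKey is ever sent to the infected machine.
func GenerateOperatorKeys() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt scrambles plaintext with a random AES-256 key and wraps that key
// under pub. The AES key goes out of scope and is never written anywhere.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt needs the private key to unwrap the AES key. With only the public
// key (or any other private key) the unwrap fails and the data stays locked.
func Decrypt(priv *rsa.PrivateKey, f *EncryptedFile) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, f.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
}

func main() {
	priv, err := GenerateOperatorKeys()
	if err != nil {
		panic(err)
	}
	doc := []byte("quarterly report (constructed sample input)")
	enc, err := Encrypt(&priv.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	// A second, unrelated key pair stands in for everyone without the
	// operator's private key: the unwrap fails with a decryption error.
	other, _ := GenerateOperatorKeys()
	if _, err := Decrypt(other, enc); err != nil {
		fmt.Println("without the operator's private key:", err)
	}
	back, err := Decrypt(priv, enc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("with the operator's private key: %q\n", back)
}
```

The same envelope construction is what protects legitimate backups and key vaults; what makes it ransomware is only who holds the private half.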

In a recent article in Dark Reading:

Keeping files backed up is the best way to mitigate the threat posed by ransomware. That way, even if data gets locked up or encrypted, it is easy to retrieve a backup copy. In the article, an expert warns: Be also careful with your DropBox (or other [sync/share] cloud services). If you have folders synchronized with an online storage – malware will get to them too.

Smarter, better (or worse) ransomware

In addition to lockscreen and file-encrypting ransomware, attackers keep producing new variants. In March 2015, researchers described two new ransomware families:

Virlock is noteworthy because it not only locks the screen of compromised systems like other ransomware, but also infects files on the device. First noticed by security firm ESET in December, Virlock is also polymorphic, meaning the code changes every time it runs, making it hard to detect using standard malware detection tools.

Once on a system, the malware creates and modifies registry entries to obfuscate itself and then locks the screen and disables several critical functions on the compromised system. Virlock checks for specific file types on the infected system, including executable files and document types such as ".doc", ".xls" and ".pdf". It also looks for archive files like ".zip", audio and video files with extensions like ".mp3", and image files such as ".jpg" and ".gif". After Virlock locates such files it encrypts them and then embeds them in the body of the malware itself, the researchers said. Infected systems can be hard to clean, and even a single infected file that remains undetected in a system can cause the malware to respawn the infection all over again. "Once Virlock gets into a system network, it will be all over the place; it can infect a whole network system without notice," the researchers said.
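Polymorphic code defeats signature matching, but the files it leaves behind do not change character. As an added Go example (not code from the article, ESET or the Virlock analysis; the magic-byte table and the 7.5 bits/byte threshold are this example's own assumptions), the heuristic below flags a file as probably encrypted only when two signals agree: its body has near-random Shannon entropy and it no longer starts with the header its extension promises. The second check matters precisely for the .zip, .jpg and .mp3 targets listed above, which are high-entropy when healthy and would otherwise be false positives.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
	"path/filepath"
	"strings"
)

// magic maps an extension to the header bytes a healthy file of that type
// begins with (an assumed, deliberately short table for the example).
var magic = map[string][]byte{
	".pdf": []byte("%PDF"),
	".zip": {0x50, 0x4B, 0x03, 0x04},
	".jpg": {0xFF, 0xD8, 0xFF},
	".gif": []byte("GIF8"),
	".doc": {0xD0, 0xCF, 0x11, 0xE0}, // OLE2 container used by legacy .doc/.xls
	".xls": {0xD0, 0xCF, 0x11, 0xE0},
	".exe": []byte("MZ"),
}

// entropyThreshold (bits per byte) is the assumed cut-off above which a file
// body looks like ciphertext; uniformly random bytes sit just under 8.
const entropyThreshold = 7.5

// Entropy returns the Shannon entropy of data in bits per byte (0 to 8).
func Entropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n, h := float64(len(data)), 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// HeaderMatches reports whether data starts with the magic bytes expected for
// ext. Extensions not in the table count as matching: no evidence either way.
func HeaderMatches(ext string, data []byte) bool {
	want, known := magic[strings.ToLower(ext)]
	if !known {
		return true
	}
	return len(data) >= len(want) && string(data[:len(want)]) == string(want)
}

// Suspicious flags a file only when the body looks random AND the header its
// extension promises is gone. A healthy archive or image keeps its header.
func Suspicious(name string, data []byte) bool {
	return Entropy(data) > entropyThreshold && !HeaderMatches(filepath.Ext(name), data)
}

// Sample is a constructed in-memory file standing in for a directory walk.
type Sample struct {
	Name string
	Data []byte
}

// Scan returns the names of the samples the heuristic flags, in input order.
func Scan(files []Sample) []string {
	var hits []string
	for _, f := range files {
		if Suspicious(f.Name, f.Data) {
			hits = append(hits, f.Name)
		}
	}
	return hits
}

// ConstructedSamples builds five fake files; seeded PRNG output stands in for
// ciphertext so the run is deterministic.
func ConstructedSamples() []Sample {
	r := rand.New(rand.NewSource(1))
	noise := func(n int) []byte {
		b := make([]byte, n)
		for i := range b {
			b[i] = byte(r.Intn(256))
		}
		return b
	}
	ole := []byte{0xD0, 0xCF, 0x11, 0xE0}
	pk := []byte{0x50, 0x4B, 0x03, 0x04}
	return []Sample{
		{"report.doc", append(ole, []byte(strings.Repeat("quarterly figures ", 200))...)},
		{"photos.zip", append(pk, noise(4096)...)}, // healthy archive: random body, intact header
		{"budget.xls", noise(4096)},                // encrypted: OLE header gone
		{"archive.zip", noise(4096)},               // encrypted: PK header gone
		{"game.sav", noise(4096)},                  // unknown type: entropy alone does not flag it
	}
}

func main() {
	for _, f := range ConstructedSamples() {
		fmt.Printf("%-12s entropy=%.2f suspicious=%v\n", f.Name, Entropy(f.Data), Suspicious(f.Name, f.Data))
	}
	fmt.Println("flagged:", Scan(ConstructedSamples()))
}
```

The unknown-extension case is left unflagged on purpose: a game save or a proprietary database is often compressed or encrypted when healthy, and flagging on entropy alone is what turns a detector into noise. A real deployment would add a baseline of each file's previous entropy and a burst-rate check (many such changes in a short window).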

The second new family goes after files related to video games:

TeslaCrypt encrypts your files using AES encryption and then demands a ransom payment in order to decrypt your files. What makes TeslaCrypt different from other ransomware is its attempt to cash in on the $81 billion game market by placing a strong emphasis on encrypting video game related files. Unlike other ransomware that typically target images, documents, videos, and application databases, TeslaCrypt also targets over 40 different video game-related files. The game files being targeted belong to games such as RPG Maker, Call of Duty, Dragon Age, StarCraft, MineCraft, World of Warcraft, World of Tanks, and Steam.

Three bits of advice: back up every endpoint (and keep the backups somewhere the malware cannot reach, since a synced folder is encrypted along with everything else), block known-bad network addresses so the ransomware cannot fetch its public key from the attacker's server, and train end users to treat email with greater care, more information and a healthy degree of mistrust.
