Ransomware

Welcome to the Fast-Air Tech Talk newsletter. The Tech Talk newsletter is a free service for all Fast-Air customers. Please feel encouraged to suggest newsletter topics.

A relatively new breed of malware is fast becoming one of the more heart-breaking and gut-wrenching. Ransomware is now common: it is malicious software that encrypts user data files and is designed to motivate the owner to pay a ransom to decrypt the files.

Many computer security experts are predicting a significant increase in ransomware. All computer-based products are expected to be targeted, including the Internet of Things, such as Smart TVs, baby monitors, or wireless thermostats. Life-saving medical devices and wearables such as pacemakers or monitoring bracelets also are expected to be targeted.

Some ransomware writers not only demand a ransom, but threaten to publicly post data files if the ransom is not paid, thereby exposing various secrets of the owners. This breed of ransomware is designed as a deterrent to people who normally never would pay the ransom.

A new breed of ransomware is called sleepers. This malware remains dormant on a computer for weeks or months. This dormancy makes it hard to determine when, or from where, a system was infected.

Another breed renames files in addition to encrypting, making restoration from backups difficult.

Another breed targets poorly secured servers and attempts to first harvest databases for passwords and user data before encrypting files.

Another new breed is being offered to criminals as a paid service.

Ransomware is different from other forms of malware. Unlike the malware from script kiddies, most ransomware is written by professional criminals. The motto is, “This is business.” This is a percentages approach for these criminals, but the percentages are sufficient to receive ransom payoffs totaling millions of dollars.

Outside the obvious of not getting infected with this malware, there are only two remedies for recovery: robust backups to restore files or paying the ransom. The latter remedy comes with no guarantees. There are no guarantees the ransomware software is coded properly to avoid bugs that affect data restoration, which sometimes is the case when script kiddies attempt to create ransomware. In summary, without backups there is a 0% chance of recovery when not paying, and only a greater-than-zero percent chance when paying.

While there are no guarantees with paying the ransom, because of the nature of this particular business model, usually the professional extortionists provide decryption keys upon receiving payment. Providing the decryption key is a sign of “good faith” and “good business.”

When not paying and not having robust backups the effect of ransomware is the same as malware that destructively deletes files. The files are unusable forever.

Commonly affected target data files include but are not limited to:

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c, *.pdf, *.tif, *.qbw, *.qbb, *.qbm, *.qbi, *.qbr, *.qbo, *.qbp

Pay close attention to the file types. Targeted files include precious digital photos.

Some newer versions of ransomware target specific files unique to usage, such as encrypting data files of online gamers. Without paying the ransom this basically wipes the user’s gaming history, forcing the gamer to start from scratch.

How does ransomware work? While there are variations, the basic mechanism is the same.

  • The malware uses unique encryption keys for each victim.
  • It uses RSA-2048 encryption, which is not breakable in a lifetime even with the most powerful computers.
  • The software is not designed to encrypt the entire system, only data.
  • It usually installs in separate stages to cloak itself from detection.
  • Time delays are used to cloak when the malware was installed.
  • The software checks whether it is running inside a virtual machine or sandbox and will not execute in those environments.
  • It works silently until all target files are encrypted.
  • Victims must pay a ransom to receive a decryption key.
  • Victims must pay within a specified deadline, otherwise the decryption key becomes obsolete.
  • Deadlines vary, although 72 hours to 7 days is common.
  • Interrupting the encryption process automatically triggers the deadline countdown timer.
  • While waiting for the decryption key, further encryption continues.
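Because the encryption runs silently, and some variants rename files as they go, a common defensive check is to plant decoy "canary" files with the targeted extensions and alert the moment one is modified, renamed or removed. The following Python example is added here and is not from the newsletter; the canary file names and their contents are constructed for the demonstration, and the extension list is drawn from the targeted file types listed above.

```python
import hashlib
import os
import tempfile

# Extensions taken from the newsletter's list of commonly targeted data files.
CANARY_EXTENSIONS = (".docx", ".xlsx", ".jpg", ".pdf", ".pst")


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def plant_canaries(directory):
    """Create one decoy file per targeted extension; return {path: sha256}."""
    baseline = {}
    for ext in CANARY_EXTENSIONS:
        # Constructed decoy content; a real deployment uses plausible-looking files.
        path = os.path.join(directory, "_canary_do_not_open" + ext)
        with open(path, "wb") as fh:
            fh.write(b"canary " + ext.encode() + b"\n")
        baseline[path] = _sha256(path)
    return baseline


def check_canaries(baseline):
    """Return (path, reason) for each canary that no longer matches the baseline.
    Missing covers deletion or rename-and-encrypt; a hash mismatch covers
    in-place encryption. Any alert is the cue to isolate the machine."""
    alerts = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing or renamed"))
        elif _sha256(path) != expected:
            alerts.append((path, "content changed"))
    return alerts


def demo():
    """Plant canaries, simulate tampering, return the sorted alert reasons."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = plant_canaries(tmp)
        assert check_canaries(baseline) == []  # untouched canaries: no alert
        # Simulated tampering (constructed, not real malware): one decoy overwritten, one renamed.
        with open(os.path.join(tmp, "_canary_do_not_open.docx"), "wb") as fh:
            fh.write(os.urandom(64))
        pdf = os.path.join(tmp, "_canary_do_not_open.pdf")
        os.rename(pdf, pdf + ".locked")
        return sorted(reason for _, reason in check_canaries(baseline))
```

In practice the check runs on a schedule or from a file-system watcher, and an alert should pause backups and disconnect network shares before the encryption reaches them.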

The decryption process is composed of two keys — a public and a private key. The private key is generated by the ransomware and is stored on the infected computer. Victims paying the ransom receive the public key from a command and control server.

When choosing to pay the ransom the private key must not be deleted. This is the only copy of the key. This is important to remember when hoping to restore data files. Both the private and public key are required for decryption. That is, deleting the malware and private key without backups or receiving the public key renders decryption impossible.

Removing all ransomware related files is easy, but without paying the ransom or restoring files from backups, removing those files makes the problem worse. Not removing or moving the ransomware files is important to restoration if paying the ransom.

When not paying the ransom and the timer expires, the ransomware files self-uninstall. Purposely reinfecting with the hope of restoring files after expiration does not work because each public-private key pair is unique.

The decryption key is unlocked by paying the ransom in bitcoins or prepaid debit cards. Bitcoin is more popular because everything is digitally controlled. After paying the ransom, victims might not receive the decryption key for as long as 16 days. Decryption might not happen immediately and might need a long time to complete.

For Windows users, rebooting into safe mode does not decrypt files. Anti-virus software is useless. The solution is not reinstalling Windows because user data files are encrypted, not Windows system files. Typically Windows Security Center, Windows Defender, and Windows Update error reporting are disabled. Resetting the BIOS clock might help delay the expiration deadline, but the programmers are getting smarter — the timer clock might also be embedded into the public-private key pair or be controlled at an online server.

The developers of ransomware succeed because of certain presumptions:

  • Most users use an administrative account rather than a non administrative account.
  • Most users open email attachments without thinking.
  • Most users fall prey to dancing pigs.
  • Most users have no meaningful and tested backup strategy.

How do people typically get infected?

  • Fake email notices with a link to a parent ransomware server web site. The email subject can be about almost anything but is designed with social engineering to tempt users to select the link. The presence of words such as “Urgent!” is a nominal clue the email might be fake.
  • Email attachments such as a zip archive or PDF file, allegedly coming from legitimate senders, such as UPS, FedEx, software vendors, etc.
  • Ransomware developers find ways to exploit social media sites and inject fake messages that look legitimate even from trusted friends.
  • Web browser Java plugins.
  • Web browser JavaScript exploits.
  • Flash exploits.
  • PDF exploits.

To avoid being infected, a healthy dose of skepticism and paranoia is the best strategy.

  • Use separate non administrative login accounts for every person using the computer.
  • Think before blindly opening email attachments. Suspicion is healthy.
  • Do not click on unknown or unreadable URLs.
  • Do not click on shortened or abbreviated URLs.
  • Use click-to-play to run Flash only on trusted web sites.
  • Learn to configure and control JavaScript in web browsers.
  • Windows users should enable viewing hidden file extensions.
  • Windows users should use Software Restriction (Group) Policies to limit the execution of some files.
  • Use a blocking mechanism such as an ad blocker or robust hosts file to prevent access to known malware sites.
  • Use plain text mail rather than HTML mail.
  • Implement and test a backup strategy, preferably one using “pull” technology.

Unlike enterprise systems, home and small business users typically run computers with full administrative privileges. Because ransomware attacks data files rather than system files, using a non administrative user account restricts damage but does not eliminate the problem.

In homes or small businesses with multiple users, using individual accounts for each person will limit the damage to one user rather than all users.

Ransomware recognizes network drives because the drive mapping is configured originally at the infected computer. Thus offline or remote backups get infected as well, which includes cloud services such as Dropbox, Microsoft OneDrive, and Google Drive.

Ransomware easily encrypts network and backup files because most people use a default administrative account and most backup software uses “push” technology rather than “pull.” The difference between push and pull technology is the location of the backup software with respect to the system being backed up. When using push technology the infected system knows the destination of the backup files because the backup software resides on the infected system. Pull technology works the opposite with a backup server or service hosting the backup software and pulling files from the target system.

When using an administrative account and push technology, the ransomware has direct access to the backup file storage location. This is not the case when using a non administrative account or pull technology.

When pull technology is not available then push backups must be secured in a manner to prevent the ransomware from encrypting those files. This can be done by using non administrative accounts, incremental backups, and rotation strategies.
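To make the push-versus-pull and rotation point concrete, here is an added Python example (not the newsletter's own code) contrasting a mirror-style backup, which faithfully copies an encrypted source over the only copy, with rotated snapshots that keep earlier generations untouched and verify every copied file by hash. Directory names, the snapshot labels and the file contents are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def _digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def mirror_backup(source, dest):
    """Push-style mirror: dest always equals the current source, so history is lost."""
    if os.path.isdir(dest):
        shutil.rmtree(dest)
    shutil.copytree(source, dest)


def snapshot_backup(source, store, label, keep=3):
    """Copy source to store/<label>, verify every file by hash, keep the newest `keep`.
    Existing snapshots are never rewritten, so an encrypted source adds one bad
    generation instead of overwriting the good ones. Returns the remaining labels."""
    target = os.path.join(store, label)
    shutil.copytree(source, target)
    for root, _, files in os.walk(source):
        for name in files:
            src = os.path.join(root, name)
            dst = os.path.join(target, os.path.relpath(src, source))
            if _digest(src) != _digest(dst):
                raise RuntimeError("verification failed for " + dst)
    for old in sorted(os.listdir(store))[:-keep]:  # date labels sort oldest first
        shutil.rmtree(os.path.join(store, old))
    return sorted(os.listdir(store))


def demo():
    """Return (mirror still has the file?, bytes restored from the first snapshot)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, mirror, store = (os.path.join(tmp, n) for n in ("src", "mirror", "store"))
        os.makedirs(src)
        doc = Path(src, "budget.xlsx")
        doc.write_bytes(b"original spreadsheet data\n")  # constructed user file
        mirror_backup(src, mirror)
        snapshot_backup(src, store, "2024-01-01")
        doc.write_bytes(os.urandom(32))  # constructed stand-in for encryption, not real malware
        doc.rename(str(doc) + ".locked")  # some variants also rename, as described above
        mirror_backup(src, mirror)                  # mirror now holds only the garbage
        snapshot_backup(src, store, "2024-01-02")   # the earlier snapshot is untouched
        restored = Path(store, "2024-01-01", "budget.xlsx").read_bytes()
        return os.path.exists(os.path.join(mirror, "budget.xlsx")), restored
```

The snapshot store should live where the backed-up machine's everyday account cannot write (a pull server, or a share only the backup account can reach); otherwise the retention does nothing to stop the old generations being encrypted too.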

For Windows users, the Volume Shadow Service is a built-in service providing a low-level local mechanism for restoring files. Previous System Restore Volume Shadow Service (VSS) copies can be used to restore a system, but typically for many users these copies are old and not updated. Few people configure VSS in a robust manner. System Restore shadow copies are encrypted when users use an administrative account. Also, when using an administrative user account, the ransomware will delete shadow copy files. VSS is useful only when using a non administrative account.

Some forms of ransomware can be defeated without decryption keys. A good place to find such information is Bleeping Computer.

There is a variety of this malware that is little more than Scareware. The malware might hide files and folders and then demand a ransom. Another variety uses screen locking to prevent users from logging in. In both cases the user’s system and data files actually are safe and no decryption key is needed.

While not immune to the problem of ransomware, one option for many people to avoid ransomware is to use an operating system not yet affected by the problem: Linux.

Summary? Don’t get infected by ransomware. If you get infected, you restore from backups, pay the ransom, or lose the data. This includes not only business records but all of those precious digital photos.

“Here be dragons.”

Technical trivia: In 1822 mathematician Charles Babbage conceived the idea of a steam-driven general purpose mechanical calculating machine, called the Analytical Engine. Babbage is considered the “father of the computer.”

Next issue: When Free is not Free.

Latest posts by Backwoods Geek (see all)