Ransomware – Network Security

Ransom ware is malware for data kidnapping, an exploit in which the attacker encrypts the victim’s data and demands payment for the decryption key.

Ransom ware spreads through e-mail attachments, infected programs and compromised websites. (This can even be hidden in a website that comes up in a Google search. Once you click on the site thinking it is what you searched for, the ransom ware is launched.) A ransom ware malware program may also be called a crypto virus, cryptotrojan, or crypto worm. Some of the common names are Crypto locker, Crypto Defense, Power Locker, Tor Locker and Crypt orbit

Attackers may use one of several different approaches to extort money from their victims:

*After a victim discovers he cannot open a file, he receives an email ransom note demanding a relatively small amount of money in exchange for a private key. The attacker warns that if the ransom is not paid by a certain date, the private key will be destroyed and the data will be lost forever.

*The victim is duped into believing he is the subject of a police inquiry. After being informed that unlicensed software or illegal web content has been found on his computer, the victim is given instructions for how to pay an electronic fine.

*The malware surreptitiously encrypts the victim’s data but does nothing else. In this approach, the data kidnapper anticipates that the victim will look on the Internet for how to fix the problem and makes money by selling anti-ransom ware software on legitimate websites.

To protect against data kidnapping, we urge that you backup data on a regular basis. If an attack occurs, do not pay a ransom. Instead, wipe the disk drive clean and restore data from the backup. (Cloud based backups should be safe unless you are using a service that backs up to your cloud automatically. In that case, your cloud based files will be infected the same time as the ones on your computer.)

By far the most common ransom ware is Crypto locker, a Trojan that infects Windows XP, Vista, 7, and 8. It disguises itself as a ZIP or PDF attachment, but is also transmitted by remote if a PC has been previously infected by a Trojan style “botnet,” which leaves the door open for remote control and external infections.

When executed, Crypto locker is installed in the program folder and starts to encrypt Libre Office and Office documents, PDF files, photos or illustrations, making them inaccessible. Files are encrypted with a key that only the authors of Crypto locker have, making recovery impossible.
At the same time, Crypto Locker discloses its threat: if the owner fails to pay a sum of money within three or four days, the key to the files will be deleted forever, and the files can no longer be recovered.

If the user agrees to pay the sum of money, which can be up to three hundred dollars, Crypto locker decrypts the files, but not always. Payment is usually requested made via MoneyPak, Ukash, and most recently, through Bit coin, a virtual currency whose transactions are made without control.

The system devised by these criminals is pretty close to perfect: if the user doesn’t pay, the files cannot be recovered. The encryption used is too strong, and even a sophisticated cryptographic attack would take a very long time to decipher any of the locked files.

Bottom line is if you haven’t backed your files up, or can’t find an encryption key that works, you will end up paying if you want your files back.

If you see the Crypto locker screen, disconnect the device from the network so that the virus cannot encrypt more files or communicate with the creators. Disconnecting the internet connection also keeps your files in Drop box or Google Drive from being overwritten with infected copies.

Then, you have to ask yourself what you want to do: either pay the ransom, or remove the virus and attempt to recover the files. If you opt for payment, you are at the mercy of criminals, and recovery is not guaranteed. While there are many reports that say that the decryption occurs within hours of payment, others say that the recovery process is full of bugs.

The manual option to find out what files are infected is to open the Windows’ Registry Editor (Start > Run > Regedit) and type in HKEY_CURRENT_USER\Software. There, you will see a folder with a numbered subfolder containing the names of the files: this is Crypto lockers. Some of these files may not yet be encrypted and can be recovered. For the rest, you can only search your backups.

In addition, Fire Eye has a web page where even if your Windows computer has been infected, they can send you the decryption key to unlock it without paying the ransom fee. To decrypt files locked by Crypto locker, you need a master decryption key. Go to https://www.decryptcryptolocker.com/, upload an email address and one of the encrypted files (one that should have no sensitive information). The service will analyze the file and email you back the master decryption key. You can take that key and the free decryptolocker.exe command line tool and decrypt your files. (Note that there are many Crypto locker variants with names like Crypto Defense, Power Locker, TorLocker and Crypt orbit, and the tool may not work against them.)

In the case of the Mac, if you see anything that says you’ve been infected with any type of ransom ware, it’s nothing more than a JavaScript loop on a web page that keeps you from backing out of that page and says you’re infected. (The files on your Mac are not susceptible to any of the known ransomeware malware currently in existence, which doesn’t mean the bad guys won’t figure out how to infect a Mac in the future.) That is a long way from a drive in Windows that is literally encrypted and you have to pay a ransom fee if you ever again hope to see important data you don’t have backed up. There are many such fake web pages that attempt to lock the user to a particular page, and it is very easy to defeat. Some may say it’s the FBI, the CIA, or other fake pages demanding you call you toll free number to “fix” it. (I have screenshot an example at the end of this article.)

To get your browser out of a JavaScript loop you can do either of the following fixes:

1. Open Safari’s preferences and turn off JavaScript. Then back out of the page, or close the tab. Turn JavaScript back on.

2. Newer versions of these scam pages block your ability to even open the preferences. If that’s the case, press Command+Option+Esc. Highlight Safari and click Force Quit. Then, hold the Shift key and relaunch Safari. That tells Safari not to reload any previously displayed web sites and will come up either blank, or to your selected home page.

Sample Pop-up that you may get if your browser has been put into a JavaScript Loop:

For more information about this and other Cyber Threats to consumers, please subscribe to Home Cyber Defense Weekly. This weekly newsletter is designed to teach you how to recognize and prevent cyber attacks, and informs you what to do if you have been attacked. A subscription to our newsletter is free and you can sign-up on our website at: HomeCyberDefense.net.

Home Cyber Defense Weekly will be delivered to your email inbox every Friday. You have the option to read it as an email or download the newsletter as a Pdf on your computer or mobile device.

Leave a Reply

Your email address will not be published. Required fields are marked *

Learner's Only © 2017 Frontier Theme