For the first time since Proofpoint researchers discovered CryptXXX, the ransomware is being distributed via malicious documents attached to email messages.
What is Ransomware?
Ransomware is a type of malicious software that blocks access to a computer system or data, usually by encrypting it, until the victim pays a fee to the attacker. In many cases, the ransom demand comes with a deadline—if the victim doesn’t pay in time, the data is gone forever.
Earlier this year, Proofpoint researchers discovered Locky ransomware. Most notably, the same actors behind many of the largest Dridex campaigns were involved in distributing Locky ransomware and were doing it at a scale we'd previously only associated with the Dridex banking Trojan. We have also observed the actors behind these campaigns varying their delivery strategies to evade security defences. For example, we are seeing:
- Additional junk files to help evade detection
- Mangled “Content-Type” headers to help evade detection
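The second evasion tactic above is worth seeing from the defender's side. The following Python script is an added example written for this page, not Proofpoint's code or detection logic: it walks a constructed MIME message with Python's standard `email` parser and flags attachment parts whose Content-Type header does not parse strictly, or which are delivered as an attachment under a (declared or defaulted) text/plain type. The addresses, the base64 payload and the specific malformation (a missing slash in `type/subtype`) are all constructed for illustration and are not claimed to be the exact variant seen in the campaign; the point is that a lenient parser silently falls back to `text/plain` for such a part, so a scanner that trusts the declared type can skip what the mail client still renders as a file.

```python
import re
from email import message_from_string, policy

# RFC 2045 "token": printable ASCII except space, control characters and tspecials.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# Strict shape of a Content-Type value: type/subtype, then optional ";param=value" pieces.
CONTENT_TYPE_RE = re.compile(rf"^\s*{TOKEN}/{TOKEN}\s*(;.*)?$", re.DOTALL)


def find_suspicious_parts(raw_message):
    """Walk every leaf MIME part and return a list of (reason, filename) findings."""
    # compat32 keeps header values as the raw strings that arrived, which is what we want to inspect.
    msg = message_from_string(raw_message, policy=policy.compat32)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        raw_ct = part.get("Content-Type")          # None when the header is absent
        filename = part.get_filename()             # from Content-Disposition (or Content-Type name=)
        disposition = (part.get("Content-Disposition") or "").split(";")[0].strip().lower()
        if raw_ct is not None and not CONTENT_TYPE_RE.match(raw_ct):
            # The lenient parser treats this part as text/plain; a type-driven scanner may skip it.
            findings.append(("malformed Content-Type header", filename))
        elif disposition == "attachment" and part.get_content_type() == "text/plain":
            # No usable type at all: the part is a file by disposition but "plain text" by type.
            findings.append(("attachment delivered under text/plain type", filename))
    return findings


# Constructed sample message; addresses and the base64 payload are placeholders.
CLEAN_MESSAGE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: Invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="boundary-42"

--boundary-42
Content-Type: text/plain; charset="us-ascii"

Please see the attached invoice.
--boundary-42
Content-Type: application/vnd.ms-excel; name="invoice.xls"
Content-Disposition: attachment; filename="invoice.xls"
Content-Transfer-Encoding: base64

QUJDREVGR0g=
--boundary-42--
"""

# Same message, but the attachment's type is mangled: the "/" between type and subtype is missing
# (a constructed malformation, chosen only to show how the strict check differs from the lenient parser).
MANGLED_MESSAGE = CLEAN_MESSAGE.replace(
    'Content-Type: application/vnd.ms-excel; name="invoice.xls"',
    'Content-Type: application vnd.ms-excel; name="invoice.xls"',
)

# Same message with the attachment's Content-Type header removed entirely, so it defaults to text/plain.
NO_TYPE_MESSAGE = CLEAN_MESSAGE.replace(
    'Content-Type: application/vnd.ms-excel; name="invoice.xls"\n', ""
)


if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_MESSAGE), ("mangled", MANGLED_MESSAGE), ("no-type", NO_TYPE_MESSAGE)):
        print(label, find_suspicious_parts(raw))
```

A gateway rule built on this idea would quarantine or sandbox any part that fails the strict check rather than falling back to the parser's default type, which is the behaviour the mangling relies on.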
Figure 1: Ransomware Screen Notification
In other attacks, additional malware remains installed on the system even after the ransom is paid and the data is released.
While originally focused largely on personal computers, encrypting ransomware has increasingly targeted business users, because businesses will often pay more than individuals to unlock critical systems and resume daily operations.
Enterprise ransomware infections usually start with a malicious email. An unsuspecting user opens an attachment or clicks on a URL of a website that is malicious or has been compromised.
At that point, a ransomware agent is installed and begins encrypting key files on the victim’s PC and any attached file shares. After encrypting the data, the ransomware displays a message on the infected device. The message explains what has occurred and how to pay the attackers. If the victims pay, the ransomware promises, they’ll get a code to unlock their data.
How to prevent ransomware
- Defend your email. Email phishing and spam are the main ways ransomware is distributed. Secure email gateways with targeted attack protection are crucial for detecting and blocking the malicious emails that deliver ransomware. These solutions stop malicious attachments, malicious documents and malicious URLs in email from reaching user computers.
- Defend your mobile devices. Mobile attack protection products, when used in conjunction with mobile device management (MDM) tools, can analyse the apps on your users' devices and immediately alert users and IT to any app that might compromise your environment.
- Defend your web surfing. Secure web gateways can scan your users' web traffic to identify malicious web ads that might lead them to ransomware.
- Monitor your servers and network, and back up key systems. Monitoring tools can detect unusual file access activity, network C&C traffic, and CPU load spikes, possibly in time to block ransomware before it activates. Keeping a full image copy of crucial systems reduces the risk that a crashed or encrypted machine becomes a critical operational bottleneck.
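The "unusual file access activities" that monitoring tools look for have a recognisable shape: one process renaming many files to a new extension, across many directories, in a short burst. The Python script below is an added example written for this page, not Proofpoint's product logic, showing a simple sliding-window detector run over a constructed event feed. The event format, the process names (`editor.exe`, `rogue.exe`), the paths, the `.locked` extension and the thresholds are all assumptions made for the example; in practice the thresholds would be tuned against a baseline of normal activity on the monitored systems.

```python
import posixpath
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileEvent:
    """One file-system event as a monitoring agent might record it (constructed shape)."""
    ts: float                   # seconds; the feed is sorted by this value
    process: str                # image name of the process that performed the operation
    op: str                     # "write" or "rename"
    path: str                   # path before the operation
    new_path: Optional[str] = None  # for renames: path after the operation


# Heuristic thresholds; assumed values for this example, to be tuned against normal activity.
WINDOW_SECONDS = 10.0
RENAME_THRESHOLD = 20   # extension-changing renames per window
MIN_DIRECTORIES = 3     # spread across at least this many directories


def detect_mass_rename(events, window=WINDOW_SECONDS, threshold=RENAME_THRESHOLD, min_dirs=MIN_DIRECTORIES):
    """Return {process: first_alert_ts} for processes that rename many files to a new
    extension, across several directories, within one sliding time window."""
    recent = defaultdict(deque)   # process -> deque of (ts, directory) for qualifying renames
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op != "rename" or ev.new_path is None:
            continue
        # Ordinary renames keep the extension; an encryptor typically appends a new one.
        if posixpath.splitext(ev.path)[1] == posixpath.splitext(ev.new_path)[1]:
            continue
        q = recent[ev.process]
        q.append((ev.ts, posixpath.dirname(ev.path)))
        while q and ev.ts - q[0][0] > window:
            q.popleft()   # drop renames that fell out of the window
        touched_dirs = {d for _, d in q}
        if ev.process not in alerts and len(q) >= threshold and len(touched_dirs) >= min_dirs:
            alerts[ev.process] = ev.ts
    return alerts


def constructed_events():
    """Sample feed built for this example: benign edits plus one encryption-like burst."""
    events = []
    # A user saving notes and converting a few of them (.txt -> .md) over a minute: slow, one folder.
    for i in range(3):
        events.append(FileEvent(100.0 + i * 20, "editor.exe", "write", f"C:/Users/alice/Notes/note{i}.txt"))
        events.append(FileEvent(101.0 + i * 20, "editor.exe", "rename",
                                f"C:/Users/alice/Notes/note{i}.txt", f"C:/Users/alice/Notes/note{i}.md"))
    # One process rewriting every file it can reach and appending a new extension, four files a second.
    dirs = ["C:/Users/alice/Documents", "C:/Users/alice/Pictures", "S:/Finance", "S:/HR"]
    for i in range(24):
        old = f"{dirs[i % len(dirs)]}/file{i}.xlsx"
        events.append(FileEvent(200.0 + i * 0.25, "rogue.exe", "rename", old, old + ".locked"))
    return events


if __name__ == "__main__":
    for proc, ts in detect_mass_rename(constructed_events()).items():
        print(f"ALERT: {proc} began mass renaming at t={ts}")
```

With the default thresholds only the burst trips the rule; the window is what separates the user's slow conversions from the encryptor's rate, and the directory-spread requirement keeps a legitimate batch conversion inside one folder from alerting.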
If you’re already infected with ransomware
- Call federal and local law enforcement. Just as you would call a federal agency about a physical-world kidnapping, you should call the same bureau about ransomware. Their forensic technicians can ensure your systems aren’t compromised in other ways, gather information to better protect you going forward, and try to find the attackers.
- Restore your data. If you’ve followed best practices and kept system backups, you can restore your systems and resume normal operations.
Ransomware Protection Survival Guide
Ransomware attackers collected more than $209 million from victims during the first three months of 2016 alone, with the volume of attacks 10 times higher than all of 2015. In addition to the ransom itself, these attacks can exact a heavy cost: business disruption, remediation costs, and a diminished brand.
Spam, Now With a Side of CryptXXX Ransomware!
Doh! New "Bart" Ransomware from Threat Actors Spreading Dridex and Locky
Proofpoint researchers identified a new ransomware called "Bart" from actors who have been spreading Dridex and Locky.
CBS News: The Big Business of Cyber Ransom
Proofpoint's Ryan Kalember talks to CBS News about the latest cybersecurity threats.