Ransomware is a type of malicious software that blocks access to a computer system or data, usually by encrypting it, until the victim pays a fee to the attacker. In many cases, the ransom demand comes with a deadline. If the victim doesn’t pay in time, the data is gone forever.
Ransomware attacks are all too common these days. Major companies in North America and Europe alike have fallen victim to it. Cybercriminals will attack any consumer or any business and victims come from all industries.
Several government agencies, including the FBI, advise against paying the ransom to keep from encouraging the ransomware cycle, as does the No More Ransom Project. Furthermore, half of the victims who pay the ransom are likely to suffer from repeat attacks.
History of Ransomware
Ransomware can be traced back to 1989 when the “AIDS virus” was used to extort funds from recipients of the ransomware. Payments for that attack were made by mail to Panama, at which point a decryption key was also mailed back to the user.
In 1996, the term “cryptoviral extortion” was introduced by Moti Yung and Adam Young from Columbia University. This idea, born in academia, illustrated the progression, strength, and creation of modern cryptographic tools. Young and Yung presented the first cryptovirology attack at the 1996 IEEE Security and Privacy conference. Their virus contained the attacker’s public key and encrypted the victim’s files. The malware then prompted the victim to send the asymmetric ciphertext to the attacker, who would decipher it and return the decryption key—for a fee.
Attackers have grown creative over the years by requiring payments that are nearly impossible to trace, which helps cybercriminals remain anonymous. For example, notorious mobile ransomware Fusob requires victims to pay using Apple iTunes gift cards instead of normal currencies, like dollars.
Ransomware began to soar in popularity with the growth of cryptocurrencies, such as Bitcoin. Cryptocurrency is a digital currency that uses encryption techniques to verify and secure transactions and control the creation of new units. Beyond Bitcoin, there are other popular cryptocurrencies that attackers prompt victims to use, such as Ethereum, Litecoin and Ripple.
Ransomware has attacked organisations in nearly every vertical, with one of the most famous being the attacks on Presbyterian Memorial Hospital. This attack highlighted the potential damage and risks of ransomware. Labs, pharmacies and emergency rooms were hit.
Social engineers have become more innovative over time. The Guardian wrote about a situation where new ransomware victims were asked to get two other users to install the malware via a link and pay a ransom in order to have their own files decrypted.
Examples of Ransomware
By learning about the major ransomware attacks below, organisations will gain a solid foundation in the tactics, exploits, and characteristics of most ransomware attacks. While there continue to be variations in the code, targets, and functions of ransomware, the innovation in ransomware attacks is typically incremental.
- WannaCry—A powerful Microsoft exploit was leveraged to create a worldwide ransomware worm that infected over 250,000 systems before a killswitch was tripped to stop its spread. Proofpoint was involved in finding the sample used to find the killswitch and in deconstructing the ransomware. Learn more about Proofpoint’s involvement in stopping WannaCry.
- CryptoLocker—This was one of the first of the current generation of ransomware that required cryptocurrency for payment (Bitcoin) and encrypted a user’s hard drive and attached network drives. Cryptolocker was spread via an email with an attachment that claimed to be FedEx and UPS tracking notifications. A decryption tool was released for this in 2014. But various reports suggest that upwards of $27 million was extorted by CryptoLocker.
- NotPetya—Considered one of the most damaging ransomware attacks, NotPetya leveraged tactics from its namesake, Petya, such as infecting and encrypting the master boot record of a Microsoft Windows-based system. NotPetya leveraged the same vulnerability from WannaCry to spread rapidly, demanding payment in bitcoin to undo the changes. It has been classified by some as a wiper, since NotPetya cannot undo its changes to the master boot record and renders the target system unrecoverable.
- Bad Rabbit—Considered a cousin of NotPetya and using similar code and exploits to spread, Bad Rabbit was a visible ransomware that appeared to target Russia and Ukraine, mostly impacting media companies there. Unlike NotPetya, Bad Rabbit did allow for decryption if the ransom was paid. The majority of cases indicate that it was spread via a fake Flash player update that can impact users via a drive-by attack.
How Ransomware Works
Ransomware is a type of malware designed to extort money from its victims, who are blocked or prevented from accessing data on their systems. The two most prevalent types of ransomware are encryptors and screen lockers. Encryptors, as the name implies, encrypt data on a system, making the content useless without the decryption key. Screen lockers, on the other hand, simply block access to the system with a “lock” screen, asserting that the system is encrypted.
Figure 1: How Ransomware tries to trick a victim into installing it
Victims are often notified on a lock screen (common to both encryptors and screen lockers) to purchase a cryptocurrency, like Bitcoin, to pay the ransom fee. Once the ransom is paid, victims receive the decryption key and may attempt to decrypt files. Decryption is not guaranteed, as multiple sources report varying degrees of success with decryption after paying ransoms. Sometimes victims never receive the keys. Some attacks leave malware on the computer system even after the ransom is paid and the data is released.
While originally focused largely on personal computers, encrypting ransomware has increasingly targeted business users, as businesses will often pay more to unlock critical systems and resume daily operations than individuals.
Enterprise ransomware infections or viruses usually start with a malicious email. An unsuspecting user opens an attachment or clicks on a URL that is malicious or has been compromised.
At that point, a ransomware agent is installed and begins encrypting key files on the victim’s PC and any attached file shares. After encrypting the data, the ransomware displays a message on the infected device. The message explains what has occurred and how to pay the attackers. If the victims pay, the ransomware promises they’ll get a code to unlock their data.
Ransomware Prevention and Detection
Prevention for ransomware attacks typically involves setting up and testing backups as well as applying ransomware protection in security tools. Security tools such as email protection gateways are the first line of defence, while endpoints are a secondary defence. Intrusion Detection Systems (IDSs) are sometimes used to detect ransomware command-and-control traffic and alert when an infected system calls out to a control server. User training is important, but it is just one of several layers of defence against ransomware, and it comes into play only after the ransomware has been delivered via an email phish.
A fallback measure, in case other ransomware preventative defences fail, is to stockpile Bitcoin. This is more prevalent where immediate harm could impact customers or users at the affected firm. Hospitals and the hospitality industry are at particular risk of ransomware, as patients’ lives could be affected or people could be locked in or out of facilities.
How to Avoid Ransomware Attacks
- Defend your email against Ransomware—Email phishing and spam are the main way that ransomware is distributed. Secure Email Gateways with targeted attack protection are crucial for detecting and blocking malicious emails that deliver ransomware. These solutions protect against malicious attachments, malicious documents, and URLs in emails delivered to user computers.
- Defend your mobile devices against Ransomware—Mobile attack protection products, when used in conjunction with mobile device management (MDM) tools, can analyse applications on users’ devices and immediately alert users and IT to any applications that might compromise the environment.
- Defend your web surfing against Ransomware—Secure web gateways can scan users’ web surfing traffic to identify malicious web ads that might lead them to ransomware.
- Monitor your server, network and back up key systems—Monitoring tools can detect unusual file access activities, viruses, network C&C traffic and CPU loads, possibly in time to block ransomware from activating. Keeping a full image copy of crucial systems can reduce the risk of a crashed or encrypted machine causing a crucial operational bottleneck.
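The monitoring bullet above and the IDS note under "Ransomware Prevention and Detection" both rely on spotting unusual file access. The following Python sketch is an added example, not Proofpoint's or any product's detection logic: it scans a constructed file-audit log for the two signs an encryptor leaves on a PC and its attached shares, a burst of renames that append a new extension to existing documents, and the creation of a ransom-note-like file. The log format, user names, paths, note-name pattern and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-audit log (not real telemetry), in the shape a
# monitoring agent might emit: timestamp, user, action, path [-> new path].
SAMPLE_LOG = """\
2016-10-05T10:00:00Z bob RENAME C:\\Users\\bob\\Documents\\budget.xlsx -> C:\\Users\\bob\\Documents\\budget.xlsx.locked
2016-10-05T10:00:01Z bob RENAME C:\\Users\\bob\\Documents\\report.docx -> C:\\Users\\bob\\Documents\\report.docx.locked
2016-10-05T10:00:01Z bob RENAME \\\\fileserver\\finance\\q3.pptx -> \\\\fileserver\\finance\\q3.pptx.locked
2016-10-05T10:00:02Z bob RENAME \\\\fileserver\\finance\\q4.pptx -> \\\\fileserver\\finance\\q4.pptx.locked
2016-10-05T10:00:03Z bob RENAME C:\\Users\\bob\\Pictures\\holiday.jpg -> C:\\Users\\bob\\Pictures\\holiday.jpg.locked
2016-10-05T10:00:04Z bob CREATE C:\\Users\\bob\\Desktop\\HOW_TO_DECRYPT_FILES.txt
2016-10-05T10:30:00Z alice RENAME C:\\Users\\alice\\draft.docx -> C:\\Users\\alice\\final.docx
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (RENAME|CREATE) (.+?)(?: -> (.+))?$")
# Assumed heuristic for ransom-note file names; tune to what your estate sees.
NOTE_RE = re.compile(r"(decrypt|restore.*files|ransom)", re.IGNORECASE)

def parse(log):
    """Yield (timestamp, user, action, path, new_path_or_None) per valid line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4), m.group(5)

def looks_like_encrypting_rename(old, new):
    # Encryptors usually keep the original name and append their own extension;
    # an ordinary user rename changes the stem and keeps the extension.
    return new.lower().startswith(old.lower() + ".")

def detect(log, window=timedelta(seconds=60), threshold=5):
    """Return (user, reason) alerts for rename bursts and ransom-note creation."""
    recent = defaultdict(deque)   # user -> timestamps of suspicious renames
    alerts = []
    for ts, user, action, path, new in parse(log):
        if action == "RENAME" and looks_like_encrypting_rename(path, new):
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:      # drop renames outside the window
                q.popleft()
            if len(q) == threshold:        # fire once as the burst crosses the line
                alerts.append((user, "mass-rename burst"))
        elif action == "CREATE" and NOTE_RE.search(path.rsplit("\\", 1)[-1]):
            alerts.append((user, "ransom-note-like file created"))
    return alerts

if __name__ == "__main__":
    for user, reason in detect(SAMPLE_LOG):
        print(f"ALERT user={user}: {reason}")
```

Run against the constructed log it raises two alerts for bob (burst on the fifth rename, then the note) and none for alice's ordinary rename; in practice the alert would feed the endpoint tooling or IDS named above so the share mount can be cut before the encryptor finishes.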
How to Remove Ransomware
- Call federal and local law enforcement—Just as someone would call a federal agency for a kidnapping, organisations need to call the same bureau for ransomware. Their forensic technicians can ensure systems aren’t compromised in other ways, gather information to better protect organisations going forward and try to find the attackers.
- Learn about anti-ransomware resources—The No More Ransom portal and Bleeping Computer have tips, suggestions and even some decryptors for selected ransomware attacks.
- Restore data—If organisations have followed best practices and kept system backups, they can restore their systems and resume normal operations.
The following ransomware statistics illustrate the rising epidemic and the billions it has cost victims. To stay up to date on the latest ransomware statistics, you can also check out the Proofpoint blog.
Ransomware Survival Guide
Ransomware attackers collected more than $209 million from victims during the first three months of 2016 alone, with the volume of attacks 10 times higher than all of 2015. In addition to the ransom itself, these attacks can exact a heavy cost: business disruption, remediation costs, and a diminished brand.