Proofpoint researchers identify a new ransomware variant known as Hades Locker sent via the same spam botnet as recent CryptFile2 and MarsJoke campaigns.
Ransomware is a type of malicious software that blocks access to a computer system or its data, usually by encrypting it, until the victim pays a fee to the attacker. In many cases the ransom demand comes with a deadline: if the victim does not pay in time, the attacker threatens that the data will be lost for good.
History of Ransomware
Ransomware can be traced back to 1989, when the "AIDS virus" Trojan was used to extort funds from its recipients. Payments for that attack were mailed to a post office box in Panama, after which a decryption key was mailed back to the victim.
More recently, ransomware has been tied to cryptocurrencies such as Bitcoin, which let the criminal behind the attack collect payment pseudonymously; the rise of ransomware and the rise of cryptocurrencies, Bitcoin in particular, have gone hand in hand. In 2016, Proofpoint researchers discovered Locky, which became the dominant ransomware family of that year.
Ransomware has hit organizations in nearly every vertical; one of the most widely reported attacks was the one on Presbyterian Memorial Hospital. That attack highlighted the potential damage and risk of ransomware, as labs, pharmacies, and emergency rooms were affected.
Earlier this year, Proofpoint researchers discovered Locky ransomware. Most notably, the same actors behind many of the largest Dridex campaigns were distributing Locky, and at a scale we had previously associated only with the Dridex banking Trojan. We have also observed these actors varying their delivery tactics to evade security defenses. For example, we are seeing:
- Additional junk files to help evade detection
- Mangled "Content-Type" headers to help evade detection
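One of the checks a gateway can apply against tricks of this kind is to compare each MIME part's declared Content-Type with the magic bytes of its decoded content, since the lure's header can say whatever the sender wants but the bytes cannot. The following Python is an added example written for this page, not Proofpoint code or a reproduction of the specific mangling observed in the campaigns; the signature table, the sample message and the "text/plain" attachment that really carries a ZIP/OOXML header are all constructed for the demonstration.

```python
import base64
import email
import email.policy

# Magic-byte signatures (assumption: a small table is enough for the demo;
# a real gateway would use a full file-type library).
MAGIC = {
    b"PK\x03\x04": "application/zip",        # also OOXML: .docx/.docm/.xlsm
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "application/msword",  # OLE2: .doc/.xls
    b"MZ": "application/x-dosexec",          # Windows PE executable
    b"\x7fELF": "application/x-elf",
    b"%PDF": "application/pdf",
    b"\x89PNG": "image/png",
}
# Generic declarations that are not worth a mismatch alert on their own.
GENERIC = {"application/octet-stream"}


def sniff(data: bytes):
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for sig, mime in MAGIC.items():
        if data.startswith(sig):
            return mime
    return None


def scan_message(raw: bytes):
    """Walk every leaf MIME part and report parts whose declared Content-Type
    disagrees with what the decoded bytes actually are."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()
        data = part.get_payload(decode=True) or b""
        actual = sniff(data)
        if actual and actual != declared and declared not in GENERIC:
            findings.append({
                "filename": part.get_filename(),
                "declared": declared,
                "sniffed": actual,
            })
    return findings


# Constructed sample (not a real capture): an invoice lure whose attachment is
# declared text/plain but decodes to bytes starting with a ZIP local-file
# header, which is what an OOXML macro document would start with.
FAKE_OOXML = b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 24
SAMPLE = (
    b"From: accounts@example.com\r\n"
    b"To: victim@example.org\r\n"
    b"Subject: Invoice 4471\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Please see the attached invoice.\r\n"
    b"--b1\r\n"
    b'Content-Type: text/plain; name="invoice.txt"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="invoice.txt"\r\n'
    b"\r\n"
    + base64.b64encode(FAKE_OOXML) + b"\r\n"
    + b"--b1--\r\n"
)

if __name__ == "__main__":
    for f in scan_message(SAMPLE):
        print(f"{f['filename']}: declared {f['declared']}, "
              f"content looks like {f['sniffed']}")
```

The check deliberately ignores the generic application/octet-stream declaration, which legitimate mailers use constantly; what it catches is a part that claims to be harmless text or an image while carrying an archive, an Office container or an executable.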
How Ransomware Works and How to Protect Against It
Ransomware is a type of malware designed to extort money from victims by blocking or preventing access to the data on their systems. The two most prevalent types are encryptors and screen lockers. Encryptors, as the name implies, encrypt data on a system, making the content useless without the decryption key. Screen lockers, on the other hand, simply block access to the system with a "lock" screen and assert, often falsely, that the data has been encrypted.
Figure 1: Ransomware Screen Notification
Victims are typically told on the lock screen (common to both encryptors and screen lockers) to purchase a cryptocurrency, such as Bitcoin, and pay the ransom with it. Once the ransom is paid, victims receive a decryption key and can attempt to decrypt their files. Decryption is not guaranteed: multiple sources report varying success after paying, and some victims never receive a key at all. In some attacks, additional malware remains on the system even after the ransom is paid and the data is released.
While originally aimed largely at personal computers, encrypting ransomware has increasingly targeted business users, because a business will often pay more than an individual to unlock critical systems and resume daily operations.
Enterprise ransomware infections usually start with a malicious email: an unsuspecting user opens an attachment or clicks a URL leading to a site that is malicious or has been compromised.
At that point the ransomware payload is installed and begins encrypting files on the victim's PC and on any attached file shares. After encrypting the data, the ransomware displays a message on the infected device explaining what has happened and how to pay the attackers. If the victims pay, the ransomware promises, they will get a key to unlock their data.
Preparation for ransomware attacks typically involves setting up and testing backups and enabling ransomware protection in the security tools already in place. The email gateway is the first line of defense and endpoint protection the second. Intrusion detection systems are sometimes used to spot ransomware command-and-control traffic and alert when an infected host calls out to a control server. User training matters, but it is only one of several layers, and it comes into play only after a phishing email carrying ransomware has already been delivered.
A fallback measure, in case other defenses fail, is to stockpile bitcoin so that a ransom can be paid quickly. This is more common where an outage would immediately harm customers or users of the affected organization. Hospitals and the hospitality sector are at particular risk, since patients' lives could be affected or people could be locked in or out of facilities. Keep in mind the caveat above: paying does not guarantee that a working key arrives.
Before you’re infected
- Defend your email. Phishing and spam email are the main ways ransomware is distributed. A secure email gateway with targeted attack protection is crucial for detecting and blocking the malicious emails that deliver it, stopping malicious attachments, documents and URLs before they reach users' computers.
- Defend your mobile devices. Mobile attack protection products, used together with mobile device management (MDM) tools, can analyze the apps on your users' devices and immediately alert users and IT to any app that might compromise your environment.
- Defend your web surfing. Secure web gateways can scan your users' web traffic to identify malicious ads and pages that might lead them to ransomware.
- Monitor your servers and network, and back up key systems. Monitoring tools can detect unusual file access activity, command-and-control traffic, and abnormal CPU load, possibly in time to stop ransomware before it finishes encrypting. Keeping a full image copy of crucial systems reduces the risk that a crashed or encrypted machine becomes an operational bottleneck.
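As an added illustration of the "unusual file access activity" monitoring mentioned above and in the preparation paragraph (this is example code written for this page, not code from Proofpoint or any product it sells), the following Python scores a stream of file events the way a host- or share-level monitor would. It flags a process that, within a short window, overwrites documents with near-random bytes or renames them to a foreign extension, and it fires immediately on any touch of a planted canary file. The event format, the protected extension set, the canary path, the thresholds and the event stream itself are all assumptions constructed for the demo; the "ciphertext" is seeded pseudo-random data standing in for encrypted output.

```python
import math
import os
import random
from collections import defaultdict, deque

# Assumptions for the demo: which extensions we care about, a planted decoy
# that no legitimate process should ever write, and alert thresholds.
DOC_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt"}
CANARY = "/srv/share/finance/~canary.docx"
ENTROPY_THRESHOLD = 7.0   # bits/byte; real documents sit well below this
WINDOW_SECONDS = 10.0
BURST_THRESHOLD = 5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the empirical byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_suspicious(ev) -> bool:
    """A write is suspicious if it replaces a document with near-random bytes;
    a rename is suspicious if it moves a document to an unknown extension."""
    ext = os.path.splitext(ev["path"])[1].lower()
    if ev["op"] == "write":
        return ext in DOC_EXTS and shannon_entropy(ev["data"]) >= ENTROPY_THRESHOLD
    if ev["op"] == "rename":
        new_ext = os.path.splitext(ev["new_path"])[1].lower()
        return ext in DOC_EXTS and new_ext not in DOC_EXTS
    return False


def detect(events):
    """Return alerts as (time, pid, image, reason). Events must be time-ordered."""
    alerts = []
    recent = defaultdict(deque)   # pid -> timestamps of recent suspicious events
    alerted = set()
    for ev in events:
        if ev["path"] == CANARY and ev["op"] in ("write", "rename"):
            alerts.append((ev["t"], ev["pid"], ev["image"], "canary file modified"))
        if not is_suspicious(ev):
            continue
        window = recent[ev["pid"]]
        window.append(ev["t"])
        while window and ev["t"] - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= BURST_THRESHOLD and ev["pid"] not in alerted:
            alerted.add(ev["pid"])
            alerts.append((ev["t"], ev["pid"], ev["image"],
                           f"{len(window)} encrypt-like file operations "
                           f"within {WINDOW_SECONDS:.0f}s"))
    return alerts


# Constructed sample stream (not a real capture). A word processor saves and
# renames a document normally; then an unknown process rewrites six PDFs with
# random-looking bytes, renames each to a foreign extension, and hits the canary.
_rng = random.Random(7)
RANDOMISH = bytes(_rng.getrandbits(8) for _ in range(1024))   # stands in for ciphertext
PLAINTEXT = b"Q3 revenue summary: region, units, revenue\n" * 25

EVENTS = [
    {"t": 0.0, "pid": 4120, "image": "WINWORD.EXE", "op": "write",
     "path": "/srv/share/finance/q3.docx", "data": PLAINTEXT},
    {"t": 1.0, "pid": 4120, "image": "WINWORD.EXE", "op": "rename",
     "path": "/srv/share/finance/q3.docx", "new_path": "/srv/share/finance/q3_final.docx"},
]
for i in range(6):
    doc = f"/srv/share/finance/invoice_{i}.pdf"
    EVENTS.append({"t": 5.0 + 0.1 * i, "pid": 7731, "image": "update.exe",
                   "op": "write", "path": doc, "data": RANDOMISH})
    EVENTS.append({"t": 5.05 + 0.1 * i, "pid": 7731, "image": "update.exe",
                   "op": "rename", "path": doc, "new_path": doc + ".crypted"})
EVENTS.append({"t": 6.0, "pid": 7731, "image": "update.exe",
               "op": "write", "path": CANARY, "data": RANDOMISH})

if __name__ == "__main__":
    for t, pid, image, reason in detect(EVENTS):
        print(f"t={t:.2f} pid={pid} {image}: {reason}")
```

The burst rule is what gives the monitor a chance to act "in time": it fires on the fifth encrypt-like operation rather than after the share is gone, and the canary gives a zero-false-positive trigger that does not depend on entropy at all. Thresholds need tuning per environment, since backup agents and archivers also write high-entropy data, which is why the rule keys on document extensions and per-process bursts rather than entropy alone.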
If you’re already infected
- Contact federal and local law enforcement. Treat a ransomware incident the way you would treat a physical-world extortion and report it to the relevant federal agency as well as local police. Their forensic investigators can help determine whether your systems have been compromised in other ways, gather evidence that helps protect you going forward, and try to identify the attackers.
- Restore your data. If you have followed best practices and kept system backups, you can restore your systems and resume normal operations. Verify first that the backups themselves were not reachable from the infected host: ransomware encrypts attached file shares, so a backup mounted as a share can be encrypted along with the originals.
Ransomware Survival Guide
Ransomware attackers collected more than $209 million from victims during the first three months of 2016 alone, with the volume of attacks 10 times higher than all of 2015. In addition to the ransom itself, these attacks can exact a heavy cost: business disruption, remediation costs, and a diminished brand.
Hades Locker Ransomware Mimics Locky
MarsJoke Ransomware Mimics CTB-Locker
Proofpoint researchers uncover a new ransomware variant called MarsJoke in a large campaign targeting government and educational institutions.
CBS News: The Big Business of Cyber Ransom
Proofpoint's Ryan Kalember talks to CBS News about the latest cybersecurity threats.