Ransomware, a Billion Dollar World Wide Threat

Every day I hear that a company has solved the network and file security war with a new security widget. Yet every day there are more announcements of breaches, stolen identities, etc. According to the Identity Theft Resource Center (ITRC) in 2015 there were 781 data breaches in the U.S. As of July 12, 2016 ITRC report there were 522 U.S. breaches with 12,983,562 exposed records, which looks to surpass 2015.

What are the source of these breaches? 

In 2016 the major threat is Ransomware, which attributes to a 20% increase in reported attacks. 

Ransomware 101

Trend Micro’s definition of Ransomware is simple:
Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key.

Ransomware is a billion dollar worldwide threat. The first viable Ransomware, Cryptowall, cost people over $325M in 2015. For the the first quarter of 2016 the costs are running over $209M which was given by CNBC and the FBI in April. The Q1 2016 number is alarming and could possibly reach the 1-2 Billion dollar level in 2016.

Although there are hundreds of variations of Ransomware, with new variants emerging daily, there are five signatures that define that your malware fits into the Ransomware family.

The four $ignatures of Ransomware Attacks

1. Unsuspecting download of the crypto key program and infection. 
2. The encryption of your files starts.  Encrypting and compressing the computer files, Master Boot Record, OS., etc. and sending an encryption key to your encrypted data to the criminals command and control server. 
3. Threat and payment details with a deadline for payment are sent to you, the victim. 
4. You pay and the criminals send you the decode key for restoring your files and computer OS, although this does not always happen.

The Evolution of Ransomware

Ransomware is evolving at a rapid pace. In the beginning, it only attacked through computer browsers. It has evolved and is now attacking all operating systems (yes, Apple too) as well as mobile devices including android, iPhones and tablets.

Thanks to BleepingComputer.com we know that in July 2016 we have seen many new and dangerous variants.

Below is a list of the variants, for additional details, including fixes visit our friends at Bleeping Computer.

• New Alfa Ransomware, or Alpha Ransomware, from the developers of Cerber.
• A new version of the CryptXXX
• CryptoFinancial
• Bitstak
• PizzaCrypts
• PadCrypt
• APOCALYPSE
• NEW Jigsaw variant
• Flocker
• RAA
• New EDA2 ransomware called Ded Cryptor
• dr. jimbo
• Russian Crypt38
• CryptoShocker

Everyday there are more attacks and variants found. Most costing the victim between $300 to several thousands dollars to decrypt. The alarming news is sometimes you pay and your data cannot be decrypted.

According to the FBI’s Cyber Division Assistant Director James Trainor, Ransomware attacks are on the rise in 2016 and will continue to grow. “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”

So far in 2016 we have seen a number of new and much more sophisticated ransomware versions. Overall attacks up about 50%.

One has to remember that Ransomware is not just encrypting your data and getting you to pay to get it back.  It is also a data thief method and in most cases it permanently corrupts your system allowing the hackers an easy permanent backdoor to your systems.

Three Basic Types of Ransomware

Some ransomware will do all three of these in one operation.

Encryption or Crypto-Ransomware

• Encrypts personal files, like your documents, spreadsheets, pictures, etc.
• The user may use the computer but cannot get access the encrypted files.
• Files are usually deleted once encrypted. 
• Usually there is a text file in the same folder where the files were taken from with instructions for payment.
• Crypto based ransomware most often sets a time limit for payment. If not paid in time the decryption key may be permanently deleted.
• A lock screen may appear, but not all variants show one.

 Lock Screen or WinLocker Ransomware

• Locks the screen and demands payment to open.
• Usually a full screen lock image that blocks all other windows.
• No personal files are encrypted the system is just locked up.

 Master Boot Record Ransomware (MBR)

• The Master Boot Record (MBR) is a section of the computer’s hard drive that allows the operating system to boot up.
• This ransomware alters the computer’s MBR so the normal boot process is interrupted.
• A ransom demand is displayed on screen instead.

New ransomware is constantly changing, and will actually play a game with you, meet Jigsaw:

The serial file killer, “Jigsaw” targets over 120 file extension types to encrypt and sets a timer for payment. Jigsaw than starts deleting the encrypted files every hour that the victim does not pay. At some point, usually 72 hours, it deletes all files that were encrypted. There is a fix if you act quickly.

How to Protect Yourself from Ransomware

• ALWAYS backup your data at regular intervals on separate devices. Cloud backups are very vulnerable to attacks. A separate isolated device is best, like a hard drive backup.
• Use application and website whitelisting to help prevent malicious software and unapproved programs from running.
• Keep your operating system and software up-to-date with the latest security patches.
• Use a quality anti-virus and anti-malware software and keep it up to date.
• Scan all downloads before opening, especially e-mail downloads.
• Keep access to all systems and services in the network VERY LIMITED and only as needed. This will help reduce the spread of the malware and internal “stupid user” borne attacks.
• Never enable macros especially if an e-mail tells you to enable. Store the file, scan it and see if it has a known origin. Even then I would call the originator and ask if they sent it. Telling the receiver to turn on macros is the way malware gets it hooks into your computers and systems.

If You are a Victim of Ransomware

Even the with the best defenses and common sense in place, you could still become a victim of ransomware. The FBI's official policy is to not pay. However, we've individuals and the business sector give into demands. Healthcare in particular has been hard hit with ransomware attacks.

Here's the problem with paying in response to a ransomware attack:

“Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.” said James C. Trainor, Jr. FBI Assistant Director.