Ransomware: Bigger and More Sophisticated than Ever

Ransomware has been around for decades. In 1989 the AIDS Trojan was used to hide directories and encrypt all files on the C drive of infected computers. Users were then asked to “’renew the license” which involved sending $189.00 to a Panama P.O. box. This is an example of “crypto-ransomware.” Then around 10 years ago, other families of crypto-ransomware such as Cryzip, Krotten and Gpcode appeared on the scene.

Crypto-ransomware is particularly dangerous because it encrypts files on computer systems using strong and often unique encryption algorithms. This means that if these files were not properly backed up, users could lose this information forever unless they agreed to pay the price asked by the extortionists. And even if proper backups were extant, users still faced the hassle of rebuilding their machines; a time-consuming task that many would happily pay to avoid.

Another type of ransomware (that has been with us for more than 15 years) uses “blockers” to render computers unusable. Blockers are windows that cover all other windows on your desktop. These blocker windows usually contain a message from the extortionists telling users how and where to send the ransom in order to get their computer screens or browsers unlocked. This type of ransomware was the first to reach “epidemic” proportions back in 2010. Both of these ransomware types were originally used to attack mostly user machines, but now attacks on businesses are increasing rapidly.

Recently, especially within the last 6 to 10 months, things have changed. In April of this year, Kaspersky Lab noted that more than half of all ransomware is now crypto-ransomware; a figure up from barely 10% just a year earlier. In addition, there are new, more insidious types of crypto-ransomware appearing on the scene.

In January of this year the first JavaScript ransomware, “Ransom32” was noted. This ransomware uses the NW.js framework to infect computers, and so can probably be used to attack not only Windows OS, but Linux and Mac OS as well. This type of ransomware is being sold on the dark web as ransomware-as-a-service in exchange for a 25% cut in the ransom profits.

Another recently noted ransomware is called “Cerber.” Cerber encrypts user files using AES encryption, and costs the victim 1.24 bitcoins ($500.00) in ransom. Cerber itself is easy to remove, but encrypted files that have not been backed up will be lost if users fail to pay.

Now, there are even more dangerous ransomware types appearing. ZCryptor acts like a worm and can be spread from machine to machine. It is distributed through spam and email infection vectors, but can also be spread through Macro malware, removable/network drives or fake installers. It encrypts a number of different file types on infected computers using strong AES encryption algorithms, and changes the file extension to “.zcrypt.”

The sophistication and variety of these newer ransomware types shows that cyber criminals are investing plenty of resources on this malware. Users (and businesses) should expect more and more of these types of attacks in the future, and should protect themselves accordingly. Suggestions include:

  • Backup your important files very regularly. You will still lose any files/documents created after the last backup, so adjust your backup frequency accordingly.
  • Ensure that all of your systems and software are current for security maintenance and are configured in a secure manner.
  • Train your personnel about ransomware and how it spreads.
  • Keep your security software up to date and employ pop-up blocker software.
  • Monitor file system activity and extensions.
  • Employ Honeypots (such as MSI HoneyPoint software) on your systems.
  • Employ User Behavior Analytics (UBA) on your network.
  • Employ anti-ransomware products and mechanisms.
  • Ensure your Incident Response and Disaster Recovery plans are up to date and well-practiced.