Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the user’s files, unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to get a decryption key.
Recent ransomware variants have also listed alternative payment options such as iTunes and Amazon gift cards. It should be noted, however, that paying the ransom does not guarantee that users will get the decryption key or unlock tool required to regain access to the infected system or hostaged files.
Ransomware Virus Infection and Behaviour
Ransomware can be downloaded onto systems when unwitting users visit malicious or compromised websites. It can also arrive as a payload either dropped or downloaded by other malware. Some ransomware are known to be delivered as attachments from spammed email, downloaded from malicious pages through malvertisements, or dropped by exploit kits onto vulnerable systems.
Once executed on the system, ransomware can either lock the computer screen or, in the case of crypto-ransomware, encrypt predetermined files. In the first scenario, a full-screen image or notification is displayed on the infected system’s screen, which prevents victims from using their system. This screen also shows the instructions on how users can pay the ransom. The second type of ransomware prevents access to potentially critical or valuable files like documents and spreadsheets.
Ransomware is considered “scareware” as it forces users to pay a fee (or ransom) by scaring or intimidating them. In this sense, it is similar to FAKEAV malware, but instead of capturing the infected system or encrypting files, FAKEAV shows fake antimalware scanning results to coax users into purchasing bogus antimalware software.
It’s obvious when your device has been infected with ransomware, since you most likely won’t be able to access your computer. Make use of your antivirus software’s ransomware removal tool, which should scan for and wipe out any ransomware attempts found on your computer.
How Does Ransomware Work
In late 2013, a new type of ransomware emerged that encrypted files in addition to locking the system. The encrypted files ensured that victims were still forced to pay the ransom even if the malware itself was deleted. Due to its new behavior, it was dubbed “CryptoLocker”. Like previous ransomware types, crypto-ransomware demands payment from affected users, this time for a decryption key to unlock the encrypted files.
Evolution To CryptoLocker and Crypto-Ransomware
Although CryptoLocker only specifies “RSA-2048” as the encryption method used, analysis shows that the malware uses AES + RSA encryption.
RSA is asymmetric key cryptography, which means it uses two keys. One key is used to encrypt the data and another is used to decrypt the data (one key, called the public key, is made available to any outside party; the other is kept by the user and is called the private key.) AES uses symmetric keys, which uses the same key to encrypt and decrypt information.
The malware uses an AES key to encrypt files. The AES key for decryption is written in the files encrypted by the malware. However, this key is encrypted with an RSA public key embedded in the malware, which means that a private key is needed to decrypt it.
Further research revealed that a spam campaign was behind the CryptoLocker infections. The spammed messages contained malicious attachments belonging to TROJ_UPATRE, a malware family characterized by its small file size and simple downloading function. It downloads a ZBOT variant, which then downloads the CryptoLocker malware.
Near the end of 2013, a new variant of CryptoLocker emerged, this time with propagation routines. This variant, detected as WORM_CRILOCK.A, can spread via removable drives, a routine unheard of in other CRILOCK variants. This means that the malware can spread more easily than other variants. The new variant doesn’t rely on downloader malware like CRILOCK to infect systems; rather, it pretends to be an activator for software used on peer-to-peer (P2P) file sharing sites. Technical differences have led some researchers to believe this malware was produced by a copycat.
Another file-encrypting ransomware type soon came into the picture. The crypto-ransomware known as CryptoDefense or Cryptorbit (detected as TROJ_CRYPTRBIT.H) encrypts database, web, Office, video, image, script, text, and other non-binary files, deletes backup files to prevent restoration of encrypted files, and demands payment for a decryption key for the locked files.
The Angler Exploit Kit
In 2015, the Angler exploit kit was one of the more popular exploit kits used to spread ransomware, and was notably used in a series of malvertisement attacks through popular media such as news websites and localized sites. Angler was constantly updated to include a number of Flash exploits, and was known for being used in notable campaigns such as the Hacking Team leak and Pawn Storm. Because of its easy integration, Angler remains a prevalent choice as a means to spread ransomware.
POSHCODER: PowerShell Abuse
A new variant of ransomware and CryptoLocker threats surfaced that leverages the Windows PowerShell feature to encrypt files. Trend Micro detects this as TROJ_POSHCODER.A. Windows PowerShell is a built-in feature in Windows 7 and higher. Cybercriminals often abuse this feature to make threats undetectable on the system and/or network.
POSHCODER uses AES encryption to encrypt files and an RSA-4096 public key to encrypt that AES key. Once all files on the infected system are encrypted,
Ransomware Infects Critical Files
While crypto-ransomware may have become popular with cybercriminals, this doesn’t mean that other types of ransomware disappeared from the landscape. Police ransomware was still observed locking screens of infected computers with this screen:
What makes this particular ransomware different from other police ransomware is that it rides on patched malware to infect systems. Patched malware is any legitimate file that has been modified (via addition or injection) with malicious code. Modifying a legitimate file can be advantageous to cybercriminals as the rate of execution of malicious code will depend on the infected file’s frequency of use.
This ransomware is also notable for infecting user32.DLL, a known critical file. Infecting a critical file can be considered an evasion technique as it can help prevent detection by behavioral monitoring tools due to whitelisting.
Ransomware Evolved: Modern Ransomware
After the shift to crypto-ransomware, the extortion malware has continued to evolve, adding features such as countdown timers, ransom amounts that increase over time, and infection routines that enable them to spread across networks and servers. The latest developments show how threat actors are experimenting with new features, such as offering alternative payment platforms to make ransom payments easier, routines that threaten to cause potentially crippling damage to non-paying victims, or new distribution methods.
Ransomware Removal Tools
These tools will remove ransomware viruses from your computer and decrypt any files that have been encrypted in the attack. They’ll also inform you about the types of ransomware.
Alcatraz Locker is a ransomware strain that was first observed in the middle of November 2016. To encrypt users’ files, this ransomware uses AES-256 encryption combined with Base64 encoding.
Encrypted files have the “.Alcatraz” extension.
After encrypting your files, a similar message appears (it is located in a file “ransomed.html” on the user’s desktop):
Apocalypse is a form of ransomware first spotted in June 2016. Here are the signs of infection:
Apocalypse adds .encrypted, .FuckYourData, .locked, .Encryptedfile, or .SecureCrypted to the end of filenames. (e.g., Thesis.doc = Thesis.doc.locked)
Opening a file with the extension .How_To_Decrypt.txt, .README.Txt, .Contact_Here_To_Recover_Your_Files.txt, .How_to_Recover_Data.txt, or .Where_my_files.txt (e.g., Thesis.doc.How_To_Decrypt.txt) will display a variant of this message
BadBlock is a form of ransomware first spotted in May 2016. Here are the signs of infection:
BadBlock does not rename your files.
After encrypting your files, BadBlock displays one of these messages (from a file named Help_decrypt.html)
Bart is a form of ransomware first spotted at the end of June 2016. Here are the signs of infection:
Bart adds .bart.zip to the end of filenames (e.g., Thesis.doc = Thesis.doc.bart.zip). These are encrypted ZIP archives containing the original files.
After encrypting your files, Bart changes your desktop wallpaper to an image like the one below. The text on this image can also be used to help identify Bart, and is stored on the desktop in files named recover.bmp and recover.txt.
Crypt888 (also known as Micro P) is a form of ransomware first spotted in June 2016. Here are the signs of infection:
Crypt888 adds Lock. to the beginning of filenames (e.g., Thesis.doc = Lock.Thesis.doc).
After encrypting your files, Crypt888 changes your desktop wallpaper to one of the following:
CryptoMix – Offline
CryptoMix (also known as CryptFile2 or Zeta) is a ransomware strain that was first spotted in March 2016. In early 2017, a new variant of CryptoMix, called CryptoShield, emerged. Both variants encrypt files using AES-256 encryption with a unique encryption key downloaded from a remote server. However, if the server is not available or if the user is not connected to the internet, the ransomware will encrypt files with a fixed key (“offline key”).
Important: The provided decryption tool only supports files encrypted using an “offline key”. In cases where the offline key was not used to encrypt files, our tool will be unable to restore the files and no file modification will be done.
Encrypted files will have one of the following extensions: .CRYPTOSHIELD, .rdmk, .lesli, .scl, .code, .rmd or .rscl.
CrySiS (Johnny Cryptor, Virus-Encode, Aura, Dharma) is a ransomware strain that has been observed since September 2015. It uses AES-256 combined with RSA-1024 asymmetric encryption.
Encrypted files have many different extensions, including
After encrypting your files, one of the following messages appears (see below). The message is located in “Decryption instructions.txt”, “Decryptions instructions.txt”, “README.txt”, “Readme to restore your files.txt” or “HOW TO DECRYPT YOUR DATA.txt” on the user’s desktop.
Encrypted files will have the .mcrypt extension.
After encrypting your files, several files are created on the user’s desktop, with name variants of: DECRYPT.txt, HOW_TO_DECRYPT.txt, README.txt.
Globe adds one of the following extensions to the file name: “.SCRYPT”, “.Support[0-9]”, “.blackblock”, “.dll 555”, “.dust”, “.exploit”, “.frozen”, “.globe”, “.support”, “.kyra”, “.purged”, “.raid[0-9]”, “.firstname.lastname@example.org”, “.xtbl”, “.zenda”, “.zendra[0-9]”, or “.year”. Furthermore, some of its versions encrypt the file name as well.
After encrypting your files, a similar message appears (it is located in a file “How to restore files.hta” or “Read Me Please.hta”):
Encrypted files will have one of the following extensions (but not limited to): .locked, .34xxx, .bloccato, .BUGSECCCC, .Hollycrypt, .lock, .saeid, .unlockit, .razy, .mecpt, .monstro, .lok, .암호화됨, .8lock8, .fucked, .flyper, .kratos, .krypted, .CAZZO, .doomed.
After encrypting files, a text file (READ_IT.txt, MSG_FROM_SITULA.txt, DECRYPT_YOUR_FILES.HTML) appears on the user’s desktop.
Encrypted files will have one of the following extensions: .kkk, .btc, .gws, .J, .encrypted, .porno, .payransom, .pornoransom, .epic, .xyz, .versiegelt, .encrypted, .pay, .pays, .payment, .payments, .payments, .payment, .payments, .payments, .payments, .pay btcs, .fun, .hush, .email@example.com, or .gefickt.
Legion adds a variant of .firstname.lastname@example.org$.legion or .$email@example.com$.cbf to the end of filenames. (e.g., Thesis.doc = Thesis.firstname.lastname@example.org$.legion)
Filename changes: NoobCrypt doesn’t change file names. Files that are encrypted cannot be opened with their associated application, however.
After encrypting your files, a similar message appears (it is located in a file “ransomed.html” on the user’s desktop):
Stampado adds the .locked extension to the encrypted files. Some variants also encrypt the filename itself, so the encrypted file name may look either as document.docx.locked or 85451F3CCCE348256B549378804965CD8564065FC3F8.locked
SZF Locker adds .szf to the end of filenames. (e.g., Thesis.doc = Thesis.doc.szf)
When you try to open an encrypted file, SZF Locker displays the following message (in Polish):
The latest version of TeslaCrypt does not rename your files.
After encrypting your files, TeslaCrypt displays a variant of the following message
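The per-family markers listed above (encrypted-file extensions, filename prefixes and ransom-note file names) are what a responder uses to tell these families apart before picking a decryptor. The following Python script is an added example, not part of the original article or of any vendor's tool: it scores a constructed directory listing against a subset of the indicators above and, because a marker such as .locked is shared by two families, keeps every candidate rather than guessing.

```python
from collections import Counter

# Indicators transcribed from the family descriptions above. A plain dict would
# silently drop shared markers such as ".locked" (Apocalypse and Stampado) and
# "ransomed.html" (Alcatraz Locker and NoobCrypt), so a list of tuples is used.
INDICATORS = [  # (marker, kind, family)
    (".Alcatraz", "suffix", "Alcatraz Locker"),
    ("ransomed.html", "note", "Alcatraz Locker"),
    (".locked", "suffix", "Apocalypse"),
    (".How_To_Decrypt.txt", "suffix", "Apocalypse"),
    ("Help_decrypt.html", "note", "BadBlock"),
    (".bart.zip", "suffix", "Bart"),
    ("recover.txt", "note", "Bart"),
    ("Lock.", "prefix", "Crypt888"),
    (".CRYPTOSHIELD", "suffix", "CryptoMix"),
    ("HOW TO DECRYPT YOUR DATA.txt", "note", "CrySiS"),
    (".globe", "suffix", "Globe"),
    ("How to restore files.hta", "note", "Globe"),
    (".legion", "suffix", "Legion"),
    ("ransomed.html", "note", "NoobCrypt"),
    (".locked", "suffix", "Stampado"),
    (".szf", "suffix", "SZF Locker"),
]


def match_indicators(filename):
    """Families whose marker matches one file name (case-insensitive)."""
    name = filename.lower()
    hits = set()
    for marker, kind, family in INDICATORS:
        m = marker.lower()
        if (kind == "suffix" and name.endswith(m)) or \
           (kind == "prefix" and name.startswith(m)) or \
           (kind == "note" and name == m):
            hits.add(family)
    return hits


def triage(filenames):
    """Score each family by how many files carry one of its markers,
    most likely family first; ambiguous markers keep every candidate."""
    score = Counter()
    for fn in filenames:
        score.update(match_indicators(fn))
    return score.most_common()


# Constructed desktop listing for the demo (not from a real incident).
SAMPLE_DESKTOP = ["Thesis.doc.locked", "Budget.xlsx.locked",
                  "Photo.jpg.How_To_Decrypt.txt", "Notes.txt", "desktop.ini"]

print(triage(SAMPLE_DESKTOP))  # → [('Apocalypse', 3), ('Stampado', 2)]
```

The note-file suffix tips the sample toward Apocalypse, but Stampado stays listed because .locked alone cannot separate the two.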
How To Prevent Ransomware
- Make sure all software on your computer is up to date, including your operating system, browser and any toolbar plugins you use.
- Ensure that your antivirus software and firewall protection is up to date.
- Avoid opening unverified emails or clicking links embedded in them.
- Back up important files using the 3-2-1 rule—create 3 backup copies on 2 different media with 1 backup in a separate location.
- Regularly update software, programs, and applications to protect against the latest vulnerabilities.
Anti-Ransomware Tools and Solutions
Trend Micro offers free tools such as the Trend Micro Lockscreen Ransomware Tool, which is designed to detect and remove screen-locker ransomware. The Trend Micro Crypto-Ransomware File Decryptor Tool can decrypt files locked by certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.