What is Ransomware?

Ransomware is a generic term for a family of malware which, once active on your systems, searches for documents and pictures and then encrypts them. Once the files are encrypted, the malware leaves a note with instructions on how to pay the attacker to receive a key allowing decryption of your files. These tools encrypt not only your local files, but can also attack any mapped network drives and sometimes connected cloud storage solutions.

Some notable examples of ransomware are:

Reveton – One of the first examples of ransomware to hit the scene, this malware didn’t encrypt files but rather blocked internet access with a fake law enforcement warning demanding payment to restore access.

CryptoLocker – One of the most recognizable versions of this type of attack, it was first reported in late 2013 and was one of the first to employ the encryption/ransom technique. Originally, it also claimed to only allow 72 hours before the decryption key was permanently deleted.

Cryptowall – One of the most recent variants in this family, Cryptowall first appeared in 2014. It employed more sophisticated attack methods and techniques to hide itself from anti-malware engines. Cryptowall also attempts to delete volume shadow copies of files, which are a common method of recovery.

To decrypt your files, most of these tools require payment using either cash cards or bitcoins. Many operate out of TOR websites in an effort to obfuscate their identities. Payments typically range from $200 to $500, though there are many variations that require different amounts of money. Once paid, a decryption key should be sent that can be used to recover your files.

Ransomware is a growing avenue for criminal enterprise. The FBI reported in January 2015 that over 1000 cases had been reported in the United States, with estimated losses nearing 18 million. There are certainly many more who didn't report their infections and the overall losses are probably much higher.

How does Ransomware Work?

Ransomware packages are delivered just like many other types of malware. They can enter your system through email, malicious websites, maliciously packaged software, etc. There has also been a trend towards droppers: a dropper is a malicious program that doesn't have any payload of its own, but rather infects a system and then downloads a payload via command and control servers. These infect a system and may lie dormant for some time before downloading and installing the ransomware payload.

Once the software has infected the system, it begins to systematically crawl the file system, typically looking for documents (Word, Excel, PowerPoint) and images (JPEG, GIF, PNG). When these files are found, it encrypts them and deletes the originals. Once a directory is completed, the notice is dropped in the form of a text file with instructions on how to send payment to decrypt the files. Each folder that's encrypted will receive one of these instruction files.

Depending on the variant of ransomware you are infected with, it can also carry out a variety of other malicious activities. These activities can include, but aren't limited to: disabling anti-malware software, altering firewall rules, deleting backups and volume shadow copies of files, browser hijacking and Bitcoin theft.

According to reports, most victims who pay the ransom do receive the keys they paid for, and many are able to pay past a deadline and still receive keys. There's never any guarantee when dealing with a criminal element, but ultimately these thieves require a certain level of trust to continue making money. Many have even gone as far as to set up support portals and have online staff to assist victims in paying and recovery.
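A defender-side check for the behaviour described above (an instruction file dropped in every encrypted folder, originals replaced by ciphertext), written as an added example that is not part of the original article: it walks a directory tree and reports folders holding a note-like file or a document/image whose format header is gone and whose leading bytes look random. The note-name patterns and the extension/header table are assumptions made for this example.

```python
import fnmatch
import math
import os
from collections import Counter

# Constructed for this example: note-name patterns (each family uses its own names)
# and the header bytes each targeted document/image format should start with.
NOTE_PATTERNS = ("*DECRYPT*INSTRUCTION*", "*HOW_TO_RECOVER*", "*RESTORE_FILES*")
OLE, ZIP = (b"\xd0\xcf\x11\xe0",), (b"PK\x03\x04",)
MAGIC = {".doc": OLE, ".xls": OLE, ".ppt": OLE, ".docx": ZIP, ".xlsx": ZIP, ".pptx": ZIP,
         ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
         ".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG\r\n\x1a\n",)}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted data sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_note(name: str) -> bool:
    """Case-insensitive match of a file name against the assumed note patterns."""
    return any(fnmatch.fnmatch(name.upper(), p) for p in NOTE_PATTERNS)

def looks_encrypted(path: str, sample: int = 4096) -> bool:
    """True for a document/image whose format header is gone AND whose leading
    bytes are near-random. Entropy alone would flag every JPEG/PNG (compressed
    images are already high-entropy); requiring the header mismatch avoids that."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return False
    with open(path, "rb") as fh:
        head = fh.read(sample)
    if len(head) < 256 or head.startswith(MAGIC[ext]):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD

def scan_tree(root: str) -> dict:
    """Map each suspicious directory (relative to root) to its note files and
    apparently encrypted files; clean directories are omitted."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        notes = sorted(f for f in files if looks_like_note(f))
        enc = sorted(f for f in files
                     if f not in notes and looks_encrypted(os.path.join(dirpath, f)))
        if notes or enc:
            findings[os.path.relpath(dirpath, root)] = {"notes": notes, "encrypted": enc}
    return findings
```

Run `scan_tree` against a file share or a user's profile and page on any directory that appears in the result; the header check keeps legitimate images and Office files out of the report.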

How can I Protect Myself?

As with any malware defense, there are a few basic techniques that will help prevent infection. There are also some specific steps you can take for Cryptowall/Cryptolocker that will help prevent infection. Some of these steps may impact other applications on your systems, so always be sure to fully test new policies before enterprise-wide enforcement.

Ensure current anti-malware/anti-virus software is installed on your computers and regularly updated.

Enable e-mail filters to inspect and block suspicious messages.

Don't download and run programs from unknown sources. If possible in your environment, centrally manage software installation.

Clean up known malware infections quickly even if they appear to be less important. Many times a dropper infection can be leveraged into a ransomware attack.

Utilize Windows local security policy or Group Policy to restrict software execution. Bleeping Computer has an excellent guide on how to implement this approach on your assets. You can review this guide here: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#manual.

How can I Recover after a Successful Attack?

If you have a system that has been compromised by Ransomware, there are a few steps you can take to recover the encrypted data. Having quality backups is always the first/best prevention for this sort of attack. Here are a few other techniques for recovery outside of paying the ransom: