July 15, 2015

The ransomware epidemic: why you should be more concerned

Interviews Malware

The problem of ransomware isn’t getting better. Recent examples of wide-spread ransomware attacks, including CoinVault, CryptoLocker, and others indicate that cybercriminals are increasing their use of these types of attacks. However, despite the increase in ransomware attacks, a recent Kaspersky Lab survey found that only 37% of companies consider ransomware a serious danger.

Kaspersky Lab expert Andrey Pozhogin answers questions about ransomware

Andrey Pozhogin, cybersecurity expert at Kaspersky Lab, provides his expertise on the growing trend of ransomware attacks, how a ransomware attack operates, consequences associated with paying the ransom, and what home users and companies can do to protect themselves.

1. What is ransomware?

Ransomware is a type of malware used as a digital mechanism for extortion. It is a type of software to block access to a computer system until a ransom is paid. CryptoLocker, CryptoWall, CoinVault, TorLocker, CoinVault, TeslaCrypt and CTB-Locker are all examples of ransomware.

2. Who are the victims of ransomware?

The average consumer and both large and small businesses can be victims of ransomware. Cybercriminals do not discriminate, and often times are looking to impact as many users as possible to reap the highest financial gain.

3. How does a ransomware attack work?

A ransomware attack is typically delivered via an email that includes an attachment that could be an executable file, an archive, or an image. Once the attachment is opened, the malware is deployed on the user’s system. Ransomware could also launch on a user’s machine by visiting a website that has planted malware. Once on the site, a user unknowingly executes unsafe script (sometimes by clicking a link or downloading a file) and the malware is deployed to the system.

When a user’s machine is infected, nothing visible happens right away. The malware silently operates in the background until the system or data locking mechanism is deployed and engaged. Cybercriminals are becoming more and more skilled at developing ransomware that can operate without being noticed, and they have many tools and techniques at their disposal to ensure that the ransomware isn’t discovered by the victim. Then a dialogue box appears, that notifies the user of the data lock and demands that a ransom be paid to retrieve access to the data.

When a user sees the dialogue box it is already too late to attempt to save data through security countermeasures. The cost demanded by cybercriminals during these attacks varies, but we have seen asking prices in the hundreds and sometimes thousands of dollars to decrypt the victim’s data.

4. Could you provide an example of a ransomware attack?

One example is TorLocker. This ransomware starts its infection by decrypting its data section with a 256-bit AES key – an encryption mechanism that is nearly impossible to crack – and launching on the user’s system. The first four bytes of this key are used as a unique sample ID, added to the end of the encrypted files. Then the malware is copied to a temporary folder, and a registry key for that copy’s autorun is created. Next, the malware conducts the following:

  • It searches for and terminates crucial system processes.
  • Deletes all system recovery points.
  • Encrypts the user’s Office documents, video and audio files, images, archives, databases, backup copies, virtual machine encryption keys, certificates and other files on all hard and network drives.
  • Launches a dialogue box that demands that the user pay a ransom to decrypt the data.

What’s troubling is that TorLocker infects each system in a unique way, so even if somehow a key to decrypt data is found, the key is not useful to decrypt data on other systems. The cybercriminals give users a certain number of days (typically 72 hours) to pay for a key to decrypt the data or their data will be lost. Cybercriminals typically offer many different payment methods, including Bitcoins and payment through third-party sites.

5. What are cybercriminals after when they execute a ransomware attack?

A key motivation for cybercriminals executing a ransomware attack is to extort money from victims; however, we are seeing that the average case of a ransomware attack against a business is quite damaging given that the target of an attack is typically the company’s intellectual property.

6. How prevalent are mobile ransomware attacks?

Mobile ransomware attacks are becoming much more prevalent. Mobile malware is moving toward monetization as more cybercriminals create malware capable of stealing and extorting money. In fact, the Kaspersky Lab Q1 Threat Report found that 23% of the new malware threats that were detected were created to steal or extort money.

In addition, Trojan-Ransom malware demonstrated the highest growth rate of all mobile threats. The number of new samples detected in Q1 was 1,113, which is a 65% increase in the number of mobile ransomware samples in our collection. This is a dangerous trend since ransomware is designed to extort money, damage personal data, and block infected devices.

7. What should users do if the system is already infected?

Unfortunately, in many cases, once the ransomware is launched, unless there is a backup or preventive technology in place, there is very little a user can do. However, sometimes it’s possible to help users  decrypt their data that has been locked by the ransomware without having to pay the ransom. Kaspersky Lab recently partnered with the National High Tech Crime Unit of the Netherlands’ police to create a repository of decryption keys and a decryption application for victims of the CoinVault ransomware.

In addition, I caution victims about using uncredited software that they’ve found on the Internet that claims to fix encrypted data. In the best case, this software is a useless solution and the worst case scenario is the software distributes additional malware.

8. If attacked, should one pay the ransom?

Many of victims are willing to pay to get files back. According to a survey conducted by Interdisciplinary Research Centre in Cyber Security at the University of Kent in February 2014, more than 40% of CryptoLocker victims agreed to pay. CryptoLocker has infected tens of thousands of machines and generated millions of dollars in revenue for the cybercriminals behind it. Moreover, a Dell SecureWorks report shows that the same malware rakes in up to $30 million every 100 days.

Paying the ransom is unwise; primarily because it does not guarantee that the corrupted data will be decrypted. There are also a number of ways things can go wrong even if one decides to pay the ransom, including bugs in the malware itself that make encrypted data unrecoverable.

In addition, if the ransom is paid, this validates to the cybercriminals that the ransomware is effective. As a result, cybercriminals will continue to find new ways to exploit systems and could lead to additional infections targeting that individual user or company.

9. How do users prevent a ransomware attack? Is backup enough to protect the data against cybercriminals?

It is impossible to decipher files encrypted with properly implemented and strong cryptography, so it is an important best practice to employ comprehensive security together with a robust backup solution as part of a sound cybersecurity strategy.

In addition, some ransomware variants are smart enough to also encrypt every backup they are able to locate, including those residing on network shares. That is why it is important to make “cold” backups (read and write only, no delete/full control access) that cannot be deleted by the ransomware.

Kaspersky Lab has also developed a countermeasure called the System Watcher module. System Watcher is able to keep local protected copies of files and revert changes made by crypto malware. This enables automated remediation and saves administrators the trouble of having to restore from backups and the burden associated with downtime. It’s important to have security technology installed and to make sure that users have this module running.

10. How do Kaspersky Lab solutions protect from unknown threats?

Our security solutions include the Kaspersky Security Network (KSN), which provides a response to suspected threats much faster than traditional methods of protection. KSN has more than 60 million Kaspersky Security Network volunteers worldwide. This security cloud processes over 600,000 requests every second.

Kaspersky users around the globe provide real-time information about threats detected and removed. This data and other research are analyzed by an elite group of security experts — the Global Research and Analysis Team. Their main focus is the discovery and analysis of new cyberthreats, along with predicting new types of threats.

While today’s threats are becoming more sophisticated, we have found that too many users – both on the corporate and consumer side – could improve their cybersecurity practices. What’s worse is that some are using either outdated or unreliable security solutions that do not provide them with the necessary protection.

As a result, it is important to choose the most effective protection available. In fact, just last year Kaspersky participated in 93 independent tests and of all the vendors taking part in these tests, Kaspersky Lab achieved the best results. Sixty-six times Kaspersky Lab was named in the Top 3 and 51 times was rated first place. Information security is in Kaspersky Lab’s DNA and we are always working to improve the effectiveness of our technology so our users are provided with the most reliable security solutions.