Ransomware: surprising champions

Locky and Petya ransomware strains took the world by storm when they shouldn’t be successful at all.

5:50 pm, Friday, late Spring; as usual the atmosphere in the office is somewhat relaxed: people will soon go home or to some more entertaining places, and no one expects any trouble. But trouble comes uninvited – some accountant calls out for admin saying they cannot open their files and the filenames start looking weird. And what is that announcement pop-up saying something about a ransom?

At this moment, you don’t want to be that admin, the accountant, or the company owner, especially if it is a small or medium business, because someone made a mistake and let something bad in.

“Creepy, crawly…”

Every month, it seems, we have to talk about ransomware. It’s barely surprising, given that new strains arrive in troves. Businesses of all kinds are targeted, and SMBs are threatened in particular because they may already have financial resources attracting the criminals, yet still tend to save on security and IT staff for various reasons.

The once dreaded Cryptolocker and Teslacrypt may no longer make headlines, but they are still around and as dangerous as before. There are some surprising newcomers, such as Locky and Petya.

God of no-jokes

“Locky” (Trojan-Ransom.Win32.Locky) is a nasty ransomware that inflicts a lot of damage worldwide. It’s not much different from other ransomware families in regards to internal arrangement or its principles of operation, but it uses strong encryption algorithms and is very active and widespread: Kaspersky Lab’s products have blocked its attacks in over 100 countries around the world. No other ransomware Trojan has attacked so many countries at once – successfully attacked, by the way.

Its success is, in fact, a very weird thing. Locky’s main attack vectors are nothing new. Successful infections in most cases are the result of victims’ mistakes and basic cybersecurity rules violations.

Shouldn't be that way

Shouldn’t be that way

…Of thing that should not be

Locky gets around via spam. Perhaps, it’s the exact reason for its success: it’s being seeded around vehemently. Its attack is two-staged: a malicious letter with downloader, then the Trojan itself.

In the early stages (i.e. around February this year) the Trojan downloader was delivered in a .doc file with a macro which downloaded the Trojan. And that’s where it becomes somewhat ridiculous: Microsoft has long deactivated the automatic execution of macros in Microsoft Office for security reasons. But users often enable the macros manually, including for files arriving from unknown sources.

Now, attackers have changed tactics. Instead of mass-mailing .doc files they now serve .zip archives containing .js scripts.

Not ridiculous in fact

For experienced users a .doc file from an unknown source which “requires” macros to be enabled is an immediate red flag. A javascript file with a “run me” label is a red flag as well. But, again, it takes an employee to know what files have .js extension, and why macros can be dangerous.

Then imagine there’s a small company where at least some employees (accountants, for instance) have little to no passion about all of that computer stuff, and no interest in cybersecurity whatsoever. They might have heard something about how macros shouldn’t be enabled. Or they might not. Anyway, .js extension is only familiar to advanced PC users. For the rest, it only takes a smartly crafted letter to fall into a criminal’s trap.

Most likely, this was the Locky author’s primary idea: technically-advanced PC users would delete suspicious letters on sight, whether they have .doc, .zip or .js attachments. But when you are targeting users with little knowledge about file types and substandard cybersecurity awareness, it makes little difference in what form the malicious payload is delivered.

Un-saint Petya

Another dreaded spawn of ransomware pandemonium caused a lot of trouble in Germany earlier this year. Codenamed Petya, this one encrypted not specific files, but the very master file table on compromised machines, and then demanded $400 in Bitcoin.

It was also spammed out – mostly to human resources organizations across Germany. The emails contained a link to a Dropbox file that, if clicked, loads a dropper which installs Petya. Dropbox has long since removed the link and several others that were associated with the same malware.

In a sense, Petya (a pet form of Russian name “Pyotr”, a counterpart to Western “Peter”), is a bit more technically advanced than Locky (and its authors are definitely more inventive).

Again, it would only inflict damage if a victim cooperates, and does that in a hardcore way. Have you ever heard of an applicant CV in the form of an executable file which demands administrator privileges?

https://cdn.securelist.com/files/2016/04/petya_eng_1.jpg

Petya’s dropper would only go on if the users click “Yes” on a UAC pop-up window.

And this is in fact possible if the user isn’t experienced enough… or too tired to pay attention to pesky UAC warnings.

With HR workers who have to sift through literally hundreds of unexciting CVs per day, this is a very possible scenario – especially on Friday at 5:50 pm…

Still Petya isn’t as terrible as it is painted: its encryption algorithms proved to be vulnerable to decryption (unlike those of Locky). We’ve covered this recently.

If you can’t beat it, prevent it

As with many other threats, preventing ransomware from getting in is the way to go for businesses of all kinds. Ransomware’s damage is extremely hard to fix, unless you’re willing to have a budget for a “rainy day” when the only remaining option for retrieving files is paying the ransom.

There are a number of safety preventive measures to be taken against ransomware.

First and foremost, educate employees about social engineering, kinds of threats, the perils of infected websites, types of files, etc. They must know that .exe and .js are by no means document files, and that even .doc files coming from uncertain sources aren’t to be launched without a thorough check-up.

Second, it is useful to limit the possibility of launching anything at the endpoints. Unless a given employee knows exactly what he or she is doing, administrative privileges shouldn’t be accessible.

And of course there should be a full-range security solution that is capable of stopping ransomware attacks before the encryption happens; this would include anti-spam and modern security tools for both workstations and file servers capable of proactive defense against known and unknown threats. Check out Kaspersky Lab’s offerings for small and small-to-medium businesses, as well for the larger entities.

More details about Locky are available here

A detailed analysis of Petya is available via this link.

Tips