How do ransomware infections happen?

How do ransomware infections happen?

Though the infection phase is slightly different for each ransomware version, the key stages are the following:

simple ransomware infection chain

  1. Initially, the victim receives an email which includes a malicious link or a malware-laden attachment. Alternatively, the infection can originate from a malicious website that delivers a security exploit to create a backdoor on the victim’s PC by using a vulnerable software from the system.
  2. If the victim clicks on the link or downloads and opens the attachment, a downloader (payload) will be placed on the affected PC.
  3. The downloader uses a list of domains or C&C servers controlled by cyber criminals to download the ransomware program on the system.
  4. The contacted C&C server responds by sending back the requested data, in our case, the ransomware.
  5. The ransomware starts to encrypt the entire hard disk content, personal files and sensitive information. Everything, including data stored in cloud accounts (Google Drive, Dropbox) synced on the PC. It can also encrypt data on other computers connected in the local network.
  6. A warning pops up on the screen with instructions on how to pay for the decryption key.

CTB locker 1

Everything happens in just a few seconds, so victims are completely dumbstruck as they stare at the ransom note in disbelief.

Most of them feel betrayed, because they can’t seem to understand one thing:

But I have antivirus! Why didn’t it protect me from this?

Why ransomware often goes undetected by antivirus

I’ve mentioned the evasion tactics that ransomware uses more than once. This collection of technical methods ensures that crypto-ransomware infections can stay below the radar and:

  • Not get picked up by antivirus products
  • Not get discovered by cyber security researchers
  • Not get observed by law enforcement agencies and their own malware researchers.

The rationale is simple: the longer a malware infection can persist on a compromised PC, the more data it can extract and the more damage it can do.

So here are just a few of the tactics that ransomware employs to remain covert and maintain the anonymity of its makers and distributors:

  1. Communication with Command & Control servers is encrypted and difficult to detect in network traffic;
  2. It features built-in traffic anonymizers, like TOR and Bitcoin, to avoid tracking by law enforcement agencies and to receive ransom payments;
  3. It uses anti-sandboxing mechanisms so that antivirus won’t pick it up;
  4. It employs domain shadowing to conceal exploits and hide the communication between the downloader (payload) and the servers controlled by cyber criminals (where the ransomware is stored);
  5. It features Fast Flux, another technique used to keep the source of the infection anonymous;
  6. It deploys encrypted payloads which can make it more difficult for antivirus to see that they include malware, so the infection has more time to unfold;
  7. It has polymorphic behavior that endows the ransomware with the ability to mutate enough to create a new variant, but not so much as to alter the malware’s function;
  8. It has the ability to remain dormant – the ransomware can remain inactive on the system until the computer it at its most vulnerable moment and take advantage of that to strike fast and effectively.

If you’re keen on reading more about why your antivirus has trouble detecting ransomware and other advanced malware, we actually created a guide on that exact topic.

The most notorious ransomware families

By now you know that there’s plenty of ransomware out there. With names such as CryptXXX, Troldesh or Chimera, these strains sound like the stuff hacker movies are made of.

So while newcomers may want to get a share of the cash, there are some ransomware families that have established their domination.

If you find any similarities between this context and how the mafia conducts its business, well, it’s because they resemble in some aspects.

Reveton

fbi department of justice virus1 1
Image source.

In 2012, the major ransomware strand known as Reveton started to spread. It was based on the Citadel trojan, which was, in turn, part of the Zeus family.

This type of ransomware has become known to display a warning from law enforcement agencies, which made people name it “police trojan” or “police virus“. This was a type of locker ransomware, not an encrypting one.

Once the warning appears, the victim is informed that the computer has been used for illegal activities, such as torrent downloads or for watching porn.

The graphic display enforced the idea that everything is real. Elements like the computer IP address, logo from the law enforcement organization in that specific country or the localized content, all of these created the general illusion that everything is actually happening.

Brian Krebs published larger analysis on Reveton, indicateding that security exploits have been used by cybercriminals and that:

insecure and outdated installations of Java remain by far the most popular vehicle for exploiting PCs.

Four years later, Java is the same pain in the proverbial backend.

 

CryptoLocker

global infection rate cryptolocker 1
Image source

In June 2014, Deputy Attorney General James Cole, from the US Department of Justice, declared that a large joint operation between law agencies and security companies employed:

traditional law enforcement techniques and cutting edge technical measures necessary to combat highly sophisticated cyber schemes targeting our citizens and businesses.

He was talking about Operation Tovar, one of the biggest take-downs in the history of cyber security, which Heimdal Security also participated in.

Operation Tovar aimed to take down the Gameover ZeuS botnet, which authorities also suspected of spreading financial malware and CryptoLocker ransomware.

As Brian Krebs mentioned in his take on this ransomware family:

The trouble with CryptoLocker is not so much in removing the malware — that process appears to be surprisingly trivial in most cases. The real bummer is that all of your important files — pictures, documents, movies, MP3s — will remain scrambled with virtually unbreakable encryption…

CryptoLocker infections peaked in October 2013, when it was infecting around 150,000 computers a month!

infections per month 1
Image source

Since then, we’ve reported sightings of CryptoLocker in numerous campaigns spoofing postal or delivery services in Northern Europe.

 

CryptoWall

lrg.intelligence.threats.cryptowall ransomware.5 1

source

Though the CryptoLocker infrastructure may have been temporarily down, it doesn’t mean that cybercriminals didn’t find other methods and tools to spread similar ransomware variants.

CryptoWall is such a variant and it has already reached its third version, CryptoWall 4.0.

This number alone shows how fast this malware is being improved and used in online attacks!

In 2015, even the FBI agreed that ransomware is here to stay. This time, it wouldn’t stop to home computers, but it will spread to infect:

Businesses, financial institutions, government agencies, academic institutions, and other organizations… resulting in the loss of sensitive or proprietary information.

Until then, this prediction became reality and now we understand the severity and impact of the crypto-ransomware phenomenon.

In the similar manner to CryptoLocker, CryptoWall spreads through various infection vectors since, including browser exploit kits, drive-by downloads and malicious email attachments.

CTB Locker

CTB Locker stats 1
Image source

CTB Locker is one of the latest ransomware variants of CryptoLocker, but at a totally different level of sophistication.

Let’s take a quick look at its name: what do you think CTB stands for?

  • C comes from Curve, which refers to its persistent Elliptic Curve Cryptography that encodes the affected files with a unique RSA key;
  • T comes from TOR, because it uses the famous P2P network to hide the cybercriminals’ activity from law enforcement agencies;
  • B comes from Bitcoin, the payment method used by victims to pay the ransom, also designed to hide the attackers’ location.

What’s also specific to CTB-locker is that is includes multi-lingual capabilities, so attackers can use it to adapt their messaging to specific geographical areas.

If more people can understand what happened to their data, the bigger the payday.

CTB-Locker was one of the first ransomware strains to be sold as a service in the underground forums. Since then, this has become almost the norm, but two years ago it was an emerging trend.

Now, potential cyber criminals don’t really need strong technical skills, as they can purchase ready-made malware which include even dashboard where they can track their successful infections and return on investment.

In 2014, malware analyst Kafeine managed to access one of these black markets and and posted all the information advertised by online criminals.

By taking a quick look at the malware creators’ ad, we can see that the following support services are included into the package:

  • instructions on how to install the Bitcoin payment on the server;
  • how to adjust the ransomware settings in order to target the selected victims;
  • details such as the requested price and the localized language that should be used;
  • recommendations on the price that you can set for the decryption key.

Heimdal Security specialists noticed that CTB Locker spreads through spam campaigns, where the e-mail message appears as an urgent FAX message.

This is a sample of the e-mail content:

From: Spoofed / falsified content
Subject:
Fax from RAMP Industries Ltd
Incoming fax, NB-112420319-8448
New incoming fax message from +07829 062999
[Fax server]= +07955-168045
[Fax server]: [Random ID] Content:
No.: +07434 20 65 74
Date: 2015/01/18 14:56:54 CST

For those who want to explore this strain further, I can recommend this extensive presentation on this advanced piece of ransomware.

TorrentLocker

This file-encrypting ransomware emerged in early 2014 and its makers often tried to refer to it as CryptoLocker, in order to piggyback on its awareness.

Since then, TorrentLocker relied almost entirely on spam emails for distribution. In order to increase effectiveness, both the emails and the ransom note were targeted geographically.

Attackers noticed that attention to detail meant that they could trick more users into opening emails and clicking on malicious links, to they took it a step further. They used good grammar in their texts, which made their traps seem authentic to the unsuspecting victims.

torrentlocket infected computers by country sophos
Source: Sophos analysis

TorrentLocker creators proved that they were attentively looking at what’s going on with their targeted “audience” when they corrected a flaw in their encryption mechanism. Until that point, a decryption tool created by a malware researcher had worked.

But soon they released a new variant which featured stronger encryption and narrowed the chances for breaking it to zero.

Its abilities to harvest email addresses from the infected PC are also noteworthy. Naturally, these emails were used in subsequent spam campaigns to further distribute the ransomware.

 

TeslaCrypt

teslacrypt-payment-options-100573479-large.idge
Image source.

When it first emerged, TeslaCrypt focused on a specific audience: gamers. Not all of them, but actually a segment that player a series of specific games, including Call of Duty, World of Warcraft, Minecraft and World of Tanks.

By exploiting vulnerabilities mainly in Adobe Flash (a serial culprit for ransomware infections), TeslaCrypt moves on to bigger targets, such as European companies.

Cyber security experts managed to find flaws in TeslaCrypt’s encryption algorithm twice. They created decryption tools and did their best so that the malware creators wouldn’t find out.

But, as you can guess, TeslaCrypt makers corrected the flaws and released new versions that featured stronger encryption and enhanced data leakage capabilities.

We announced TeslaCrypt 4.0 in March 2016, but only two months later, the ransomware was shut down!

teslacrypt_closed

To everyone’s surprise, the cyber criminals even apologized.

ESET researchers managed to get the universal master decryption key from them and built a decryptor that you can use if you happen to be a victim of TeslaCrypt ransomware.

No one knows why the guys behind TeslaCrypt quit, but we can only hope to see more of that in the cyber crime scene.

 

Locky

locky-ransomware-100645181-primary.idge
Image source.

One of the newest and most daring ransomware families to date is definitely Locky.

First spotted in February 2016, this ransomware strain made its entrance with a bang by extorting a hospital in Hollywood for about $17,000.

But they weren’t the only victims. In fact, two days after we published the Locky alert, we received the following comment from one of our readers:

We were attacked tuesday by this ransomware. 150 Emails spoofed to our mailserver. 149 Mails were blocked by the Barracuda spamfilter. One slipped through and was initialised by a coworker from the saledepartment. In half an hour our fileserver, applicationserver and shared maps on local PC’s was encrypted.

After locating the PC where it all started, we took that one from the network and started to restore everything from the backup. In one hour the fileserver and applicationserver was back working.

Except one local folder with lots of data in that wasn’t on the fileserver was completely destroyed. We succeeded in fixing this as follows.

First we installed RECUVA on this PC and tried to recover the lost map.The fact that the user kept working on it, had as result that most files were’nt recoverable because they were overwritten by cookies and temporary internetfiles. (So when noticing the LOCKY files … stop working).

Windows 7 has shadow files. Too bad those files are corrupt because of the LOCKY virus … but … we were able to recover those files with RECUVA, restore them and start SHADOWEXPLORER and go back 6 days to recover a shadowcopy from the lost data folder. In the end we recovered about 99% of lost files !

But as someone said before …. nothing helps to prevent it so backup, backup and backup…

Since then, Locky has has a rampant distribution across the world. Here is the geographical distribution of this ransomware family in April 2016:

locky ransomware infection rates geographical
Source: Securelist analysis

As you’ve seen, things never stop changing in cyber crime, so Locky’s descendant, Zepto, made its debut in early July 2016.

What will come next?

Although I can’t guess future ransomware names, there is one trend that cyber criminals seem to be pursuing: attacks that are more targeted, more carefully prepared and which require a smaller infrastructure to be deployed.

We finally got to the best part, where you can learn what to do to stay protected against appalling ransomware attacks.