Ransomware

Our network and security experts have spoken this week about ransomware:

Learn about this phenomenon, which infects computers all over the world using sophisticated cryptographic keys.

What are the different methods, and how do you avoid being infected?

First, what is ransomware?

It is a category of malware (malicious software) that infects a victim's equipment (computer, phone, tablet, etc.). These programs are designed to block access to the victim's documents until a ransom is paid to the attacker.


The first documented ransomware appeared in 1989 and was called the PC Cyborg Trojan. It used a symmetric encryption key, meaning that the same key was used to encrypt and to decrypt. Over the last 10 years, much more advanced ransomware has appeared, this time using asymmetric encryption keys, which makes it more complex to stop.

Two main families of ransomware can be considered:

- Ransomware that attacks the information system (IS): use of the equipment is restricted, often making it impossible to connect to the Internet, for example.

- Crypto-ransomware that attacks the victim's data by encrypting it, so that it is no longer accessible.

The attacker will only provide the decryption key or the unlocking software once the ransom is paid.

The difficulty here lies in analysing the attack and understanding which encryption algorithm is used, in order to set up the right incident response. In the best case, implementation errors or weak algorithms make it possible to restore the victim's files without paying any ransom.

In the case of data encryption, the ransomware encrypts the files and the attacker will only give the decryption key after receiving the ransom. This type of ransomware is called a locker.

Keep in mind that these malicious programs can infect any user, whether an individual or an employee of a company. Being in a company does not mean one is sheltered... Indeed, ransomware exploits "the ignorance of the users" to propagate and to cause damage.


In the case of ransomware attacking the IT system, we can mention the so-called intimidating ransomware and the advertising lockers.

First, intimidating ransomware:

In this case, the authors of these malicious codes most of the time use the logos of the police or of official public organizations, such as ministries, to demand the payment of a fine, for example.

Points of attention and vigilance:

– The police, or even the FBI or the NSA, do not have the right to block your computer remotely. They will never demand the payment of a fine by blocking your computer.

– The action to take in this case is to report it.


Advertising lockers:

Another variant of ransomware blocks the victim's equipment and invites them to click on advertisements, so that the author earns revenue with each click.


Encryptors (crypto-ransomware)

This type of ransomware works by encrypting the user's documents. Access to the documents is then impossible until the decryption key is used. This key is obtained in exchange for a sum of money.


Some crypto-ransomware changes its victim's wallpaper to display a message stating that the files have been encrypted (e.g. CTB-Locker). Unfortunately, once the files are encrypted, there is no way to recover them.


Most famous crypto-ransomware:

2016 has been the year of crypto-ransomware, with a new variant every week. Below, we present a few of the most famous examples:


Locky ransomware:


Cerber ransomware:


CryptXXX ransomware:

Note: there are other schemes related to ransomware which do not use cryptographic products. In this case, they redirect the victim to supposedly free phone numbers that are actually premium-rate, or to fake Microsoft technical support that imitates an error page and blocks the computer by taking remote control through a tool such as TeamViewer, for example.


But how does crypto-ransomware work?

This ransomware infects its victims in exactly the same way as most other malware. The most common cases are downloading infected programs (from compromised sites, malicious advertisements, attachments in malicious emails, etc.) or the exploitation of browser vulnerabilities when visiting compromised sites, clicking on malicious advertisements, etc.

Generally, a crypto-ransomware attack follows the steps below:

From a technical perspective, crypto-ransomware uses the features offered by data encryption. Usually, encryption provides data confidentiality, allowing only a person who knows the secret key to retrieve or access the original content. But in the wrong hands, encrypting and then decrypting the data is comparable to a hostage-taking followed (eventually) by a release. In this situation, encryption is used as a means of capturing the victim's data and extorting a ransom in order to release it. Once the crypto-ransomware is inside the target system, it first encrypts the critical files. The software relies on a key known only to the cybercriminals operating the malware. These malicious programs are typically associated with command and control (C&C) servers. Encryption is also used to secure communication between the C&C and the infected equipment. The C&C holds the key needed to decrypt the data, or to retrieve the decryption key corresponding to the encrypted data.

The main reasons for using dual encryption are performance and convenience. Symmetric and asymmetric ciphers are combined to get the best of both methods.

In symmetric encryption, the same secret key is used for encryption and decryption. In asymmetric encryption, two keys are used: a public key, known to everyone, to encrypt the data, and a private key, known only to its owner, to decrypt it.

Symmetric encryption: 

Asymmetric encryption:

Symmetric encryption is useful for crypto-ransomware because it is very efficient in terms of performance (less CPU usage to encrypt/decrypt compared to asymmetric encryption). This allows the malicious software to run in a relatively short time.

On the other hand, asymmetric encryption has the advantage of allowing the attacker to protect a single private key regardless of the number of victims; otherwise the attacker would have to keep a record of a (symmetric) secret key for each victim.

To achieve high performance while retaining the benefits of asymmetric encryption, crypto-ransomware generally uses a symmetric key to encrypt the victim's files and asymmetric encryption to protect that symmetric secret key.
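To make the hybrid scheme concrete, here is an added example in Go; it is not code from the original article nor from any ransomware family named above, and it is the same envelope-encryption construction that cloud key-management services use, so nothing in it is malware-specific. It shows what the paragraphs above describe: a random AES-256-GCM key per document, wrapped with RSA-OAEP under a single public key, so that only the holder of the matching private key can unwrap it. The key pairs, the sample document and all names (`Envelope`, `SealWithHybrid`, `OpenWithHybrid`, `Demo`) are constructed for this example. The point for a defender is the last step of `Demo`: with only the wrapped key and the ciphertext present on the machine, the content cannot be recovered, which is why offline backups (or an implementation error in the malware) are the realistic recovery paths.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what one encrypted document looks like under a hybrid scheme:
// the content encrypted with a random symmetric key (AES-256-GCM), plus that
// symmetric key encrypted ("wrapped") with the key holder's RSA public key.
// The plaintext symmetric key is not stored anywhere.
type Envelope struct {
	Nonce      []byte // GCM nonce, random per document
	Ciphertext []byte // AES-GCM output, authentication tag included
	WrappedKey []byte // the AES key, RSA-OAEP encrypted to the public key
}

// SealWithHybrid encrypts plaintext under a fresh random AES key and wraps that
// key with RSA-OAEP. Only the holder of the matching private key can unwrap it.
func SealWithHybrid(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	dataKey := make([]byte, 32) // AES-256
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)

	// Wrap the symmetric key under the public key. From here on the only copy
	// of dataKey that survives is the wrapped one.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range dataKey { // best-effort wipe of the in-memory key
		dataKey[i] = 0
	}
	return &Envelope{Nonce: nonce, Ciphertext: ciphertext, WrappedKey: wrapped}, nil
}

// OpenWithHybrid reverses SealWithHybrid: unwrap the AES key with the private
// key, then decrypt and authenticate the content. A wrong private key fails at
// the unwrap step, so no plaintext is produced.
func OpenWithHybrid(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong private key")
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Demo runs the scheme on a constructed document and reports two facts:
// whether the holder of the private key recovers the content, and whether a
// party holding only a different key pair (the victim's position) fails to.
func Demo() (recoveredWithKey bool, failsWithoutKey bool, err error) {
	// Constructed sample: throwaway 2048-bit key pairs, one standing in for the
	// single key pair the key holder keeps away from the infected machine.
	holderKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	document := []byte("constructed sample document: quarterly figures")

	env, err := SealWithHybrid(&holderKey.PublicKey, document)
	if err != nil {
		return false, false, err
	}
	got, err := OpenWithHybrid(holderKey, env)
	recoveredWithKey = err == nil && bytes.Equal(got, document)

	_, err = OpenWithHybrid(otherKey, env)
	failsWithoutKey = err != nil
	return recoveredWithKey, failsWithoutKey, nil
}

func main() {
	ok, fails, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with the private key: %v\n", ok)
	fmt.Printf("recovery without the private key fails: %v\n", fails)
}
```

The design choice worth noting is the split: the bulk data goes through the fast symmetric cipher, while the expensive asymmetric operation is applied only to the 32-byte key. That is exactly the performance and single-private-key convenience described above, and it is also why the incident-response question "which algorithm, and where is the key held?" decides whether a decryptor can ever be built.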


Do any protective tools exist?

Software tools developed by computer security companies exist, such as:

  • Malwarebytes anti-ransomware,
  • Kaspersky Ransomware Decryptor,
  • McAfee Host Intrusion Prevention,
  • Cisco Ransomware Defense, etc.

Nevertheless, the best protection remains anticipation: regularly backing up files and data offline on external media, and training users.


Finally, some information and good practices to protect against ransomware:

  • Always back up your data. It is the simplest way to protect yourself against all types of attacks. In case of infection, reset the equipment and perform a complete restoration while offline.
  • On Windows platforms, it is recommended to enable User Account Control (UAC). This prevents changes to the operating system from being made without the user's permission.
  • Always ask yourself whether a click is useful. Do not open unexpected attachments and do not click on unverified links to websites. It is better to ignore emails from unknown people who promise you great opportunities or easy money!
  • Secure your equipment: ensure that you have up-to-date anti-malware solutions on your equipment.
  • No official authority requests payment of a fine through paysafecard, Ukash, MoneyPak, Western Union, etc.
  • Good insurance can also be helpful for possible compensation.


One last thing: never pay!!!

If, despite all these precautions, you are nevertheless the victim of ransomware, don't panic, and above all don't pay anything. Indeed, even if you pay, there is absolutely no guarantee that the attacker will send you the decryption key. The best thing to do in this case is to report the attack on social networks or to web-security companies, so that they can adapt their response and pass the message on to other users.