10 Extensions That Make Browsing Cool | 2018 | Tech In 2.0

RANSOMWARE ATTACKS

Ransomware is a type of malicious software that carries out the cryptoviral extortion attack described by cryptovirology: it blocks access to data until a ransom is paid and displays a message requesting payment to unlock it.

 

The first ransomware in history emerged in 1989. It was called the AIDS Trojan, and its modus operandi seems crude nowadays: it spread via floppy disks, and the ransom was paid by sending $189 to a post office box in Panama. Although initially popular in Russia, the use of ransomware scams has grown internationally; in June 2013, security software vendor McAfee released data showing that it had collected over 250,000 unique samples of ransomware in the first quarter of 2013, more than double the number it had obtained in the first quarter of 2012. One IT worker reported that his company had paid out around £80,000 in total to ransomware attackers over 2016.

There are two types of ransomware:

Encrypting ransomware: it uses advanced encryption algorithms to block access to system files and demands payment to decrypt the blocked content.

Locker ransomware: it locks the operating system, making it impossible to access the PC at all. The files are not encrypted, but the attackers still ask for money to unlock the infected computer.

The ransomware may also encrypt the computer's Master Boot Record (MBR). The MBR is the information in the first sector of a hard disk that identifies how and where an operating system is located so that it can be booted into the computer's main storage (random access memory). When MBR ransomware strikes, the boot process cannot complete as usual and a ransom note is displayed on the screen instead.
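To make the MBR description concrete, here is an added Python example (not code from the original post): it parses a 512-byte boot sector into its bootstrap code, partition table and boot signature, and compares the SHA-256 of the bootstrap code against a baseline recorded on a clean machine, which is the check a defender runs to notice that a locker has overwritten the sector. The sample sector, the baseline hash and the "overwritten" sector are all constructed here; `build_sample_mbr` is a helper for the example only.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bootstrap code lives in bytes 0..445
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow it
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a bootstrap-code hash, the partition table and a signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", sector[off:off + 16])
        if ptype != 0:  # type 0 means the slot is empty
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def mbr_tampered(sector: bytes, baseline_boot_code_sha256: str) -> bool:
    """True when the bootstrap code no longer matches the recorded known-good hash or the
    boot signature is gone; both are what an MBR-overwriting locker leaves behind."""
    info = parse_mbr(sector)
    return (not info["signature_ok"]) or info["boot_code_sha256"] != baseline_boot_code_sha256


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR (not taken from any real disk): the given bootstrap bytes,
    one bootable partition of type 0x07 starting at LBA 2048, and a valid signature."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("bootstrap code does not fit")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    good = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")            # constructed "known-good" sector
    baseline = parse_mbr(good)["boot_code_sha256"]             # record this once, on a clean machine
    overwritten = build_sample_mbr(b"YOUR FILES ARE LOCKED")   # constructed: bootstrap code replaced
    print("clean sector tampered?", mbr_tampered(good, baseline))
    print("overwritten sector tampered?", mbr_tampered(overwritten, baseline))
```

On Linux the real first sector can be captured with `dd if=/dev/sda of=mbr.bin bs=512 count=1` (as root) and the bytes passed to `parse_mbr`; keep the baseline hash somewhere the machine itself cannot overwrite, otherwise the comparison proves nothing.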

Basically it has some typical properties:

  •     It uses unbreakable encryption, so you can't decrypt the files on your own;
  •     It encrypts all kinds of files: documents, pictures, videos, audio files and other data on your PC;
  •     It scrambles your file names, so you can't tell which files are affected;
  •     It adds a different extension to your files;
  •     It displays an image or a message letting you know that your data has been encrypted and that you have to pay a sum of money to retrieve it;
  •     It requests payment in Bitcoin, because it cannot be tracked by cyber security or law enforcement agencies;
  •     The payment has a time limit; after the deadline the demand increases, and in some cases the data is destroyed and lost forever;
  •     It can go undetected by traditional antivirus;
  •     It easily spreads to other PCs connected to the local network;
  •     It may also have data exfiltration capabilities, which means it can extract data from the affected computer (usernames, passwords, email addresses, etc.) and send it to a server controlled by cyber criminals.
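Several of these properties (files rewritten as random-looking bytes, scrambled names, a new extension, many files in a short time) are observable from the defender's side. The following Python example is added here and is not part of the original post: it scores a stream of file-system events with a Shannon-entropy test plus an extension-change test and raises an alert when a burst of such rewrites lands in one time window. The `FileEvent` feed, the 7.2 bits/byte threshold and the window size are assumptions for the example.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class FileEvent:
    """One write observed by a file-system monitor (constructed for this example)."""
    ts: float       # seconds since the monitor started
    path: str       # path before the operation
    new_path: str   # path after the operation (equal to path when nothing was renamed)
    data: bytes     # contents written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain text sits around 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


ENTROPY_THRESHOLD = 7.2  # bits/byte; an assumed tuning value for this example


def is_suspicious(ev: FileEvent) -> bool:
    """A rewrite that both changed the extension and produced near-random bytes."""
    return extension(ev.new_path) != extension(ev.path) and shannon_entropy(ev.data) >= ENTROPY_THRESHOLD


def detect_mass_encryption(events, window_seconds=10.0, min_files=5):
    """Return (alert, largest burst size, new extensions seen) for a list of FileEvents.
    An alert means at least min_files suspicious rewrites fell inside one window."""
    sus = sorted((ev for ev in events if is_suspicious(ev)), key=lambda e: e.ts)
    largest, j = 0, 0
    for i in range(len(sus)):
        while sus[i].ts - sus[j].ts > window_seconds:
            j += 1
        largest = max(largest, i - j + 1)
    return largest >= min_files, largest, sorted({extension(ev.new_path) for ev in sus})


def _pseudo_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output (constructed)."""
    out = bytearray()
    i = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return bytes(out[:size])


def build_sample_events(n_encrypted: int):
    """Constructed monitor feed: two benign operations followed by n_encrypted rewrites
    that rename files to a scrambled name with a new extension and fill them with ciphertext."""
    text = b"Quarterly sales report. Region: north. Total: 1,234.\n" * 60
    events = [
        FileEvent(0.0, "docs/notes.txt", "docs/notes.txt", text),  # ordinary edit
        FileEvent(0.5, "docs/old.txt", "docs/old.bak", text),      # rename, but plain text
    ]
    for k in range(n_encrypted):
        events.append(FileEvent(1.0 + 0.3 * k, f"docs/file{k}.docx",
                                f"docs/{k:04x}.locked", _pseudo_ciphertext(k)))
    return events


if __name__ == "__main__":
    print(detect_mass_encryption(build_sample_events(8)))  # (True, 8, ['locked'])
    print(detect_mass_encryption(build_sample_events(2)))  # (False, 2, ['locked'])
```

Entropy alone is a weak signal (archives and images are also near 8 bits/byte), which is why the rule only counts rewrites that also changed the extension and only alerts on a burst; in a real deployment the window and threshold would be tuned against the normal write rate of the host.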

Targets for ransomware creators

Newly created ransomware is first tested on some home users and the results evaluated. Then it moves on to targets like police departments, city councils, schools, hospitals, organizations, etc.

They target home users because:

  •     Most of them don't have data backups;
  •     They have little or no cyber security education and online safety awareness, so they'll click on almost anything;
  •     They lack cyber protection and cyber security solutions;
  •     They don't keep their software and antivirus up to date;
  •     They don't browse safely;
  •     The sheer volume of Internet users who can become potential victims (more infected PCs = more money).

They target businesses because:

  •     That’s where the money is;
  •     Attackers know that ransomware can cause major business disruptions, which will increase their chances of getting paid;
  •     Ransomware can affect not only computers, but also servers and cloud-based file-sharing systems, going deep into a business’s core;
  •     Cyber criminals know that businesses would rather not report ransomware attacks for fear of legal or reputation-related consequences;
  •     Small businesses are often unprepared to deal with advanced cyber attacks and have a lax BYOD (bring your own device) policy.

They target public institutions because:

  •     Public institutions, such as government agencies, manage huge databases of personal and confidential information that cyber criminals can sell;
  •     These institutions often lack appropriate cyber defenses that could protect them against ransomware;
  •     The staff is not trained to spot and avoid cyber attacks;
  •     Ransomware has a big impact on conducting usual activities, causing huge disruptions.

Mobile ransomware

With the increased popularity of ransomware on PC platforms, ransomware targeting mobile operating systems has also proliferated. Typically, mobile ransomware payloads are blockers, as there is little incentive to encrypt data that can easily be restored via online synchronization. Mobile ransomware typically targets the Android platform, as it allows applications to be installed from third-party sources. The payload is typically distributed as an APK file installed by an unsuspecting user; one variant may attempt to display a blocking message over the top of all other applications, while another used a form of clickjacking to make the user grant it "device administrator" privileges and so gain deeper access to the system.
Different tactics have been used on iOS devices, such as exploiting iCloud accounts and using the Find My iPhone system to lock access to the device. On iOS 10.3, Apple patched a bug in the handling of JavaScript pop-up windows in Safari that had been exploited by ransomware websites.

History and types

A history timeline is shown below (source: https://www.carbonblack.com)

 

As cyber criminals moved from cyber vandalism to cyber crime as a business, ransomware emerged as the go-to malware to feed the money-making machine.
The advent of Bitcoin and the evolution of encryption algorithms also made the context ripe for ransomware development.

›› Ransomware is on track to be a $1 billion crime in 2016
›› 25+ variants of ransomware families have been identified
›› 4,000+ ransomware attacks happened daily
›› Phishing is the most popular ransomware attack vector

The most notorious ransomware families are:

WannaCry 

WannaCry is a ransomware program targeting the Microsoft Windows operating system. On Friday, 12 May 2017, a large cyber-attack was launched using it, infecting more than 230,000 computers in 150 countries and demanding ransom payments in the cryptocurrency Bitcoin in 28 languages. The attack has been described by Europol as unprecedented in scale. (source: Wikipedia)

 

Uiwix

A more recent development, Uiwix is another ransomware that tries to replicate the impact WannaCry had. However, it improves on it by not including a kill-switch domain, while keeping its self-replicating abilities.

Reveton

In 2012, the major ransomware strand known as Reveton started to spread. It was based on the Citadel trojan, which was, in turn, part of the Zeus family.

This type of ransomware became known for displaying a warning purporting to come from law enforcement agencies, which made people call it the "police trojan" or "police virus". It was a type of locker ransomware, not an encrypting one.

Once the warning appears, the victim is informed that the computer has been used for illegal activities, such as torrent downloads or for watching porn.

The on-screen display reinforced the idea that everything was real. Elements like the computer's IP address, the logo of the law enforcement organization of that specific country and localized content all created the general illusion that it was actually happening.

CryptoLocker

Encrypting ransomware reappeared in September 2013 with a Trojan known as CryptoLocker, which generated a 2048-bit RSA key pair, uploaded it in turn to a command-and-control server, and used it to encrypt files matching a whitelist of specific file extensions. The malware threatened to delete the private key if a payment of Bitcoin or a pre-paid cash voucher was not made within 3 days of the infection. Due to the extremely large key size it used, analysts and those affected by the Trojan considered CryptoLocker extremely difficult to repair. Even after the deadline passed, the private key could still be obtained using an online tool, but the price increased to 10 BTC, which cost approximately US$2,300 as of November 2013.

CryptoWall 

Another major ransomware Trojan targeting Windows, CryptoWall, first appeared in 2014. One strain of CryptoWall was distributed as part of a malvertising campaign on the Zedo ad network in late-September 2014 that targeted several major websites; the ads redirected to rogue websites that used browser plugin exploits to download the payload. A Barracuda Networks researcher also noted that the payload was signed with a digital signature in an effort to appear trustworthy to security software. CryptoWall 3.0 used a payload written in JavaScript as part of an email attachment, which downloads executables disguised as JPG images. To further evade detection, the malware creates new instances of explorer.exe and svchost.exe to communicate with its servers. When encrypting files, the malware also deletes volume shadow copies, and installs spyware that steals passwords and Bitcoin wallets. 


CryptoLocker.F and TorrentLocker 

In September 2014, a wave of ransomware Trojans surfaced that first targeted users in Australia, under the names CryptoWall and CryptoLocker (which is, as with CryptoLocker 2.0, unrelated to the original CryptoLocker). The Trojans spread via fraudulent e-mails claiming to be failed parcel delivery notices from Australia Post; to evade detection by automatic e-mail scanners that follow all links on a page to scan for malware, this variant was designed to require users to visit a web page and enter a CAPTCHA code before the payload is actually downloaded, preventing such automated processes from scanning the payload. Symantec determined that these new variants, which it identified as CryptoLocker.F, were again unrelated to the original CryptoLocker due to differences in their operation. A notable victim of the Trojans was the Australian Broadcasting Corporation; live programming on its television news channel ABC News 24 was disrupted for half an hour and shifted to Melbourne studios due to a CryptoWall infection on computers at its Sydney studio.

Another Trojan in this wave, TorrentLocker, initially contained a design flaw comparable to CryptoDefense; it used the same keystream for every infected computer, making the encryption trivial to overcome. However, this flaw was later fixed. By late-November 2014, it was estimated that over 9,000 users had been infected by TorrentLocker in Australia alone, trailing only Turkey with 11,700 infections.

Locky

One of the newest and most daring ransomware families to date is Locky.

First spotted in February 2016, this ransomware strain made its entrance with a bang by extorting a hospital in Hollywood for about $17,000.

Fusob

Fusob is one of the major mobile ransomware families. Between April 2015 and March 2016, about 56 percent of recorded mobile ransomware was Fusob.
Like typical mobile ransomware, it employs scare tactics to pressure people into paying a ransom. The program pretends to be an accusatory authority, demanding that the victim pay a fine of $100 to $200 USD or otherwise face a fictitious charge. Rather surprisingly, Fusob suggests paying with iTunes gift cards. A timer counting down on the screen adds to the user's anxiety as well.

In order to infect devices, Fusob masquerades as a pornographic video player. Thus, victims, thinking it is harmless, unwittingly download Fusob.

When Fusob is installed, it first checks the language used on the device. If it uses Russian or certain Eastern European languages, Fusob does nothing. Otherwise, it proceeds to lock the device and demand a ransom. Among victims, about 40% are in Germany, with the United Kingdom and the United States following at 14.5% and 11.4% respectively.

Fusob has a lot in common with Small, which is another major family of mobile ransomware. Together they represented over 93% of mobile ransomware between 2015 and 2016.

How do ransomware threats spread?


Ransomware and any other advanced piece of financial or data stealing malware spreads by any available means.

Cyber criminals simply look for the easiest way to infect a system or network and use that backdoor to spread the malicious content.
Nevertheless, these are the most common methods used by cybercriminals to spread ransomware:

  •     Spam email campaigns that contain malicious links or attachments (there are plenty of forms that malware can use for disguise on the web);
  •     Security exploits in vulnerable software;
  •     Internet traffic redirects to malicious websites;
  •     Legitimate websites that have malicious code injected in their web pages;
  •     Drive-by downloads;
  •     Malvertising campaigns;
  •     SMS messages (which apply to ransomware that targets mobile devices);
  •     Botnets;
  •     Self-propagation (spreading from one infected computer to another);
  •     Affiliate schemes in ransomware-as-a-service (earning a share of the profits by helping further spread ransomware).

For example, here's how online criminals find vulnerable websites, inject malicious JavaScript code in them and use this trigger to redirect potential victims to infected websites.

Though the infection phase is slightly different for each ransomware version, the key stages are the following:

  •     Initially, the victim receives an email which includes a malicious link or a malware-laden attachment. Alternatively, the infection can originate from a malicious website that delivers a security exploit to create a backdoor on the victim's PC by exploiting vulnerable software on the system.
  •     If the victim clicks on the link or downloads and opens the attachment, a downloader (payload) is placed on the affected PC.
  •     The downloader uses a list of domains or C&C servers controlled by cyber criminals to download the ransomware program onto the system.
  •     The contacted C&C server responds by sending back the requested data, in our case the ransomware.
  •     The ransomware starts to encrypt the entire hard disk content: personal files and sensitive information, including data stored in cloud accounts (Google Drive, Dropbox) synced to the PC. It can also encrypt data on other computers connected to the local network.
  •     A warning pops up on the screen with instructions on how to pay for the decryption key.

Everything happens in just a few seconds, so victims are completely dumbstruck as they stare at the ransom note in disbelief.
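The first two steps of this chain, together with the JavaScript-attachment trick described earlier for CryptoWall 3.0 (executables disguised as JPG images) and the spam campaigns listed among the spreading methods, are where a mail gateway can intervene. The Python example below is added here and is not from the original post: it triages an attachment by its extension chain (script and executable extensions, `invoice.pdf.js`-style double extensions, macro-enabled Office files) and by checking that the file's leading bytes match what the name claims. The extension lists, the magic-byte table and the sample inbox are constructed for the example.

```python
# Extensions Windows will execute or run as a script when double-clicked (assumed list)
SCRIPT_OR_EXE_EXTS = {"exe", "scr", "com", "pif", "js", "jse", "vbs", "vbe", "wsf", "wsh",
                      "hta", "ps1", "cmd", "bat", "cpl", "jar"}
MACRO_EXTS = {"docm", "xlsm", "pptm"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "jpeg", "png"}

# Leading bytes that identify a container regardless of what the file name claims
MAGIC = [(b"MZ", "exe"), (b"\x7fELF", "elf"), (b"%PDF", "pdf"), (b"\xff\xd8\xff", "jpg"),
         (b"\x89PNG", "png"), (b"PK\x03\x04", "zip")]
# What the content of a file with this extension is expected to start with
EXPECTED_KIND = {"pdf": "pdf", "jpg": "jpg", "jpeg": "jpg", "png": "png",
                 "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip"}


def sniff_kind(data: bytes) -> str:
    """Classify content by its magic bytes; 'unknown' when none of the table matches."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> list:
    """Return the list of reasons to quarantine this attachment (empty means no finding)."""
    findings = []
    parts = filename.lower().split(".")
    exts = parts[1:] if len(parts) > 1 else []
    last = exts[-1] if exts else ""
    if last in SCRIPT_OR_EXE_EXTS:
        findings.append(f"executable or script extension .{last}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in SCRIPT_OR_EXE_EXTS:
        findings.append("double extension disguises a script as a document")
    if last in MACRO_EXTS:
        findings.append("macro-enabled Office document")
    kind = sniff_kind(data)
    expected = EXPECTED_KIND.get(last)
    if expected and kind not in ("unknown", expected):
        # the name says image or document, the bytes say something else
        findings.append(f"content looks like {kind}, not {last}")
    elif kind in ("exe", "elf") and last not in SCRIPT_OR_EXE_EXTS:
        findings.append(f"{kind} binary hiding behind the name {filename!r}")
    return findings


def build_sample_inbox() -> dict:
    """Constructed attachments (not real samples): just names and a few leading bytes."""
    return {
        "invoice.pdf.js": b"var x = 1; // script body elided in this constructed sample",
        "photo.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24,
        "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
        "wedding.jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
        "budget.xlsm": b"PK\x03\x04\x14\x00",
        "memo.docx": b"PK\x03\x04\x14\x00",
    }


def triage_inbox(inbox: dict) -> dict:
    """Map each attachment name to its findings."""
    return {name: triage_attachment(name, data) for name, data in inbox.items()}


if __name__ == "__main__":
    for name, findings in triage_inbox(build_sample_inbox()).items():
        print(f"{name:16} {'QUARANTINE' if findings else 'allow':10} {'; '.join(findings)}")
```

The magic-byte check is what catches the "JPG that is really an executable" case: the name passes a naive extension filter, the first two bytes do not. Macro-enabled documents are flagged rather than blocked outright because some organisations legitimately exchange them; the policy decision belongs to the gateway, the classifier only supplies the reason.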

Ransomware often goes undetected by antivirus because:
  1.     Communication with command-and-control servers is encrypted and difficult to detect in network traffic;
  2.     It features built-in anonymizers, like TOR (for traffic) and Bitcoin (for payments), to avoid tracking by law enforcement agencies and to receive ransom payments;
  3.     It uses anti-sandboxing mechanisms so that antivirus won't pick it up;
  4.     It employs domain shadowing to conceal exploits and hide the communication between the downloader (payload) and the servers controlled by cyber criminals (where the ransomware is stored);
  5.     It features Fast Flux, another technique used to keep the source of the infection anonymous;
  6.     It deploys encrypted payloads, which make it harder for antivirus to see that they contain malware, so the infection has more time to unfold;
  7.     It has polymorphic behavior, which lets the ransomware mutate enough to create a new variant but not so much as to alter the malware's function;
  8.     It has the ability to remain dormant: the ransomware can stay inactive on the system until the computer is at its most vulnerable moment, then take advantage of that to strike fast and effectively.
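Points 4 and 5, domain shadowing and Fast Flux, leave a signature in DNS data that a resolver log or passive-DNS feed can reveal. The following Python example is added here and is not from the original post: from a list of A-record answers it flags names whose answers rotate through many IPs in many /16 networks with short TTLs (fast flux) and registered domains that sprout many never-before-seen subdomains inside one window (shadowing). The thresholds, the naive two-label `registered_domain` helper and the sample log under the reserved `.test` TLD are assumptions of the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    """One A-record answer seen by a resolver or passive-DNS sensor (constructed here)."""
    ts: float    # seconds
    qname: str
    ip: str
    ttl: int


def registered_domain(qname: str) -> str:
    """Simplification: the last two labels. Production code should use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def fast_flux_candidates(answers, min_ips=10, min_prefixes=5, max_ttl=300) -> dict:
    """Names whose answers rotate through many IPs in many /16 networks with short TTLs."""
    by_name = defaultdict(list)
    for a in answers:
        by_name[a.qname].append(a)
    found = {}
    for name, recs in by_name.items():
        ips = {r.ip for r in recs}
        prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
        min_ttl = min(r.ttl for r in recs)
        if len(ips) >= min_ips and len(prefixes) >= min_prefixes and min_ttl <= max_ttl:
            found[name] = {"ips": len(ips), "prefixes": len(prefixes), "min_ttl": min_ttl}
    return found


def shadowed_domain_candidates(answers, window_seconds=3600, min_new_subdomains=20) -> dict:
    """Registered domains that sprouted many never-before-seen subdomains within one window,
    the pattern left by domain shadowing (attacker-created hosts under a legitimate name)."""
    first_seen = {}
    for a in sorted(answers, key=lambda a: a.ts):
        first_seen.setdefault(a.qname.lower(), a.ts)
    by_parent = defaultdict(list)
    for name, ts in first_seen.items():
        parent = registered_domain(name)
        if name != parent:
            by_parent[parent].append(ts)
    found = {}
    for parent, times in by_parent.items():
        times.sort()
        largest, j = 0, 0
        for i in range(len(times)):          # largest number of first-seen events in one window
            while times[i] - times[j] > window_seconds:
                j += 1
            largest = max(largest, i - j + 1)
        if largest >= min_new_subdomains:
            found[parent] = largest
    return found


def build_sample_log() -> list:
    """Constructed answers under the reserved .test TLD; every IP here is made up."""
    log = []
    # a CDN-backed site: a handful of stable addresses, long TTL
    for t in range(0, 7200, 600):
        log.append(DnsAnswer(t, "cdn.legit-example.test", f"192.0.2.{1 + (t // 600) % 3}", 3600))
    # a fast-flux host: a new address in a different /16 every minute, TTL 60
    for i in range(12):
        log.append(DnsAnswer(60 * i, "update.flux-example.test", f"10.{i}.0.{i + 1}", 60))
    # domain shadowing: 25 fresh subdomains of one hijacked name in ten minutes
    for i in range(25):
        log.append(DnsAnswer(24 * i, f"h{i:03d}.shadowed-example.test", f"198.51.100.{i + 1}", 300))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("fast flux:", fast_flux_candidates(log))
    print("shadowed :", shadowed_domain_candidates(log))
```

Large CDNs also answer with many addresses, which is why the fast-flux rule requires the addresses to be scattered across unrelated networks and served with a short TTL at the same time; on real data the /16 grouping would be replaced by ASN lookups and the thresholds tuned to the local baseline.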

Rescue your PC from ransomware

Recovering from ransomware is a very complex matter, so prevention is better than cure.
To prevent this attack you must act before it hits your data.

  • Back up important data regularly
  • Don't keep cloud storage sync turned on by default; open it only when needed
  • Keep important software up to date
  • Update antivirus and firewall regularly
  • Remove unwanted plugins and set the browser to ask before activating plugins
  • For everyday use, log in to the PC with a guest account rather than an administrator account
  • Increase the browser's protection and privacy level and use a firewall
  • Use a good ad blocker to avoid malicious ads
  • Don't open spam emails
  • Never download attachments from spam or unknown emails
  • Never click links in unknown emails
  • Use a good antivirus that can detect ransomware infection attempts
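The first item on this list is the one that actually gets files back, so the following Python example is added here (it is not from the original post) to show a backup job that is itself resistant to the attack: each run writes a new numbered snapshot with a SHA-256 manifest instead of overwriting the previous one, any snapshot can be re-verified against its manifest, and the job refuses to run when most of the previously backed-up files changed at once, which is what an encryption run looks like from the backup job's point of view. The 50% threshold and the `demo()` scenario in a temporary directory are constructed for the example.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 of every regular file under root."""
    return {str(p.relative_to(root)).replace("\\", "/"): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def changed_fraction(old: dict, new: dict) -> float:
    """Share of previously backed-up files whose content changed or which vanished."""
    if not old:
        return 0.0
    return sum(1 for rel, digest in old.items() if new.get(rel) != digest) / len(old)


def take_snapshot(src, dest_root, max_changed=0.5):
    """Copy src into a new numbered snapshot directory; older snapshots are never touched.
    Returns (snapshot path or None, changed fraction). When more than max_changed of the last
    snapshot's files changed at once the job refuses and reports, so an operator looks before
    good copies are aged out by retention or storage fills up with ciphertext."""
    src, dest_root = Path(src), Path(dest_root)
    dest_root.mkdir(parents=True, exist_ok=True)
    snapshots = sorted(d for d in dest_root.iterdir() if d.is_dir())
    new = build_manifest(src)
    fraction = 0.0
    if snapshots:
        old = json.loads((snapshots[-1] / "manifest.json").read_text())
        fraction = changed_fraction(old, new)
        if fraction > max_changed:
            return None, fraction
    snap = dest_root / f"snap-{len(snapshots):04d}"
    shutil.copytree(src, snap / "data")
    (snap / "manifest.json").write_text(json.dumps(new, indent=1))
    return snap, fraction


def verify_snapshot(snap) -> bool:
    """Re-hash the snapshot's files and compare with the manifest written at backup time."""
    snap = Path(snap)
    recorded = json.loads((snap / "manifest.json").read_text())
    return build_manifest(snap / "data") == recorded


def demo() -> dict:
    """Constructed scenario in a temp dir: two good runs, then a mass rewrite that is refused."""
    base = Path(tempfile.mkdtemp())
    src, store = base / "src", base / "backups"
    src.mkdir()
    (src / "a.txt").write_text("hello")
    (src / "b.txt").write_text("world")
    first, f1 = take_snapshot(src, store)
    (src / "a.txt").write_text("hello, edited")       # ordinary change: 1 of 2 files
    second, f2 = take_snapshot(src, store)
    for p in src.iterdir():                           # constructed stand-in for an encryption run
        p.write_bytes(b"\x00\xffgarbage-standing-in-for-ciphertext")
    third, f3 = take_snapshot(src, store)
    result = {"first": first is not None and verify_snapshot(first), "f1": f1,
              "second": second is not None and verify_snapshot(second), "f2": f2,
              "third_refused": third is None, "f3": f3}
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(demo())
```

The refusal is deliberately loud rather than silent: a backup that quietly stores encrypted files is worse than none, because it gives false confidence. The snapshot store should also live where the workstation cannot delete it (offline media or a write-once bucket), since a backup the ransomware can reach is one it will encrypt too.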

Some good ransomware removal tools are:
  1. AVG ransomware decryption tools
  2. BitDefender Anti-ransomware
  3. Kaspersky NoRansom
  4. Avast Free Ransomware Decryption Tools
  5. Trend Micro Ransomware File Decryptor
  6. McAfee Anti-Malware Tools
  7. Heimdal Security
  8. Symantec Norton AntiVirus
  9. Wondershare Data Recovery
  10. CryptoPrevent - anti ransomware
