
Will You Be The Next Victim Of Ransomware?

Ransomware is malicious software that has been covertly installed on a device, such as your laptop or phone, which encrypts your private data and demands a monetary ransom for restoring the data to its original format. If the data is highly sensitive, the ransom demand may instead be backed by the threat of publicly disclosing the private data. The ransomware enters the computer system through a malicious executable known as a Trojan, which may be disguised as a document, image or compressed file (zip).

Ransomware was first observed late last century and its proliferation has been on the rise over the last few years. Ransomware is a popular tool of hackers because it resides “under the radar” of malicious activities. The best and most expedient solution for an infected system is to pay the ransom, which, for most attacks, is less than $100. Compare this with calling your anti-virus vendor and spending hours on the phone, only to realize that they can do nothing to restore your data. In fact, I have witnessed professionally managed security services pay the ransom for their customer to avoid disclosing that their protection systems were compromised.

For ransomware to infect a system, a malicious application must be executed on the targeted host with the privileges to observe and encrypt the file system. The initial target of the attack is enticed using an email, social networking site, instant message, freeware or malvertising with an embedded URL pointing to the malicious site. Freeware sites are the largest propagators of ransomware, followed by malvertising, email, social networking and instant messaging. The target downloads a disguised executable that may perform a useful service, such as converting a video from one format to another, but that also replaces an existing executable, such as a text editor. This replacement is key in that it gives the executable the appropriate privileges to observe and modify the file system. When the target executes the replacement application, it may simultaneously perform the intended function and spawn the malicious application that begins to encrypt the files. This diversion tactic allows the ransomware enough time to crawl the file system and encrypt the private information undetected. Upon completion of the encryption, the ransomware informs the target system that the files have been encrypted and gives instructions for payment.

Signature-based detection of downloaded malware is unreliable due to the polymorphic nature of current malware design. Attackers disguise their software by obfuscating the code, creating multiple unique versions of the same executable. Attackers also detect the inspection of their code in a sandbox (so-called anti-research malware) and cloak key execution paths from discovery. The best and most effective method for avoiding ransomware is an educated end user who is cognizant of their actions. Everything you needed to know to avoid being taken ransom you learned in grade school.

  • Don’t take candy from a stranger.
  • Stranger danger.
  • When alone, you are responsible for your own safety.
  • If it’s too good to be true, it’s probably not true.
  • There is no such thing as free.

Let’s look at examples of ransomware and how you can detect and prevent an infection. The most common infection mechanism is freeware—a quick fix to a problem that is free. For example, a website that converts .wav files to .mp3 files. The attacker will actually convert your .wav files to .mp3 files. The target will download the converted files to their system and try out a few of the .mp3s to see if it worked. The first few converted files may be clean, but additional files will contain embedded malware. The target eventually double-clicks on an infected .mp3 and, instead of the music playing, an error message may appear that states it could not convert this particular file. The ransomware is now beginning the encryption.

Malvertising advertises something that is too good to be true. It usually comes in the form of free items—free fonts, free music, free templates, etc.—items that have mass appeal and may be useful. The user clicks on the advertisement and is taken to a deceptive webpage that is constructed to look like a brand name. The free items are downloaded with embedded executables and the ransomware is off and running.

How can you avoid being a victim of malware?

You cannot rely solely upon your anti-virus software. The most effective mechanism is training and education that allow you to recognize and discover ransomware. You are responsible for your own safety when it comes to ransomware. Apply the following rules to determine if the website or software may be malicious:

  1. Is it a website that you have used before and downloaded software from? If no, then you should raise your suspicion.
  2. Does the website domain contain a name brand embedded within the domain? For example, www.ibm.com is a valid and recognizable domain. However, ibm.myadminexperts.com and www.ibm_experts.com are suspicious domain names. They contain the brand, IBM, within the base domain or as a sub-domain. When you recognize this, you should treat the website as suspicious. If the base domain is recognizable, such as admin.ibm.com, then treat it as less suspicious.
  3. Did you get to the site for a free download through an advertisement? If so, then raise your suspicion.
  4. Did you receive the download request or request to visit a website via email? Have you received email from the individual before? Does the domain of the email contain embedded brands as described above? If you answered yes to any of these questions, raise your suspicion.
  5. Is there a sense of urgency in the messages from the website or email? If so, raise your suspicion.
  6. Is the service free with no offers for a paid upgrade later? If so, raise your suspicion.
  7. Are you downloading a .pdf or Word document? If so, be sure to turn off auto-execute macros in your application. If the document asks you to execute a macro after opening it, say no.
  8. Check for oddities in spelling or grammar in the email or web content. If there are frequent errors, raise your suspicion.
  9. No matter what, when you receive a link from what you think is a trusted site you subscribe to (reset password, subscribe to a new service, download a new update, etc.), close the email, log into the site and perform the action or look for the described content.
  10. Finally, you can submit the website domain, URL, document or downloaded executable to a free virus scanner such as www.virustotal.com.

Ransomware is a commoditized attack and pervasive in the industry. Typical signature-based anti-virus systems are not foolproof and can be evaded by an attacker who constantly changes the signatures. Educating end users in how ransomware infects a system, how to recognize ransomware and what the key indicators are of a threat that may compromise a system is essential in thwarting the attacks.