A blog post from one of our Security Consultants, Del Brazil.
Ransomware first appeared in the early part of latter 20th Century, with the first reported version being the AIDS Trojan Horse which was created and released in the USA. Since then the development has rapidly increased, resulting in over 250,000 variants of Ransomware identified as of 2013. There are currently both encrypting and non-encrypting versions of Ransomware circulating and/or infiltrating systems. Although there are some subtle differences between the two versions the main difference is that non-encrypting Ransomware causes minor restrictions/access to services or systems by displaying undesirable images or inaccurate system re-activation alerts requiring the user to pay a ransom to have the images removed. Encrypting Ransomware as the name implies, encrypts your hard drive and demands a ransom be paid in order for you to receive the de-crypt key and be able to access your data freely again, more of that later.
For Ransomware to infect a system it must be introduced by either an infected downloaded file or a highlighted vulnerability in a network. One method is via the Angler exploit kit and/or landing page which is designed to inspect a user machines for the presence of virtual machines and antivirus products. The Ransomware is then able to exploit a previously unknown Flash Player vulnerability although this was patched by Adobe in February 2015. (This highlilghts the need to ensure you keep software updated and patched properly.)
Once a system is infected by Ransomware the files and/or hard drive are then encrypted using public key cryptography thus rendering them inaccessible to the user resulting in an information extortion attack. A cryptovirus, cryptotrojan, or cryptoworm hybrid encrypts the victim’s files using the public key of the author and the victim must pay (with money, information, etc.) to obtain the required session key; although a very successful use of encryption it is still against the law to extort from an individual.
Ransomware is used by numerous criminal organisations and individuals as a means or extorting monies from individuals or organisations. The method of collecting the extorted funds varies from online payment systems such as Paysafecard, the digital currency Bitcoin or via premium text or telephone calls.
The impact to a user and/or system can depend upon the systems and/or service’s use within the organisation or by the individual user. It can be as frivolous as commissioning a series of pop-up windows with inaccurate system re-activation alerts or advertisements for pornographic sites; or as serious as fully encrypting the user’s hard drive thus rendering the system inaccessible or unusable.
The TelsaCrypt Ransomware is of particular interest to the gaming industry as it targets not only the users photos, videos and/or documents it also encrypts user’s online gaming profile, saved games, game maps and any extra in game modification that the user may have made. Users engaged in games such as Call of Duty, World of Warcraft, Minecraft and World of Tanks and game developers should also be aware that files associated with Unity3D, Unreal Engine and RPG Maker are also being targeted. In total there are approximately 185 file extensions that are currently being targeted by the Ransomware which includes iTunes related files.
Research by Webroot have shown that users are also presented with a ‘Free Decrypt Button’ which if selected redirects the user to an online payment system where they are required to make payment in order to release their data/information.
Although there are various security software vendors on the market claiming to monitor, detect and defeat any attempted Ransomware encryption, not one is able to correctly identify and either quarantine or delete zero day variants of Ransomware. The main reason for this is that a Ransomware is consistently being developed and released resulting in unknown versions being included as a payload and delivered within some other compressed or encrypted file which the user has intentionally downloaded. Only after the user has accessed the encrypted or compressed download does the payload deploy and the Ransomware infiltrate the system.
It is well known that the treatment of a Ransomware infection is somewhat difficult due to the encryption method it deploys once an infection has taken place; however there are software products that are available that may be able to identify and defeat known versions of Ransomware. It may also be possible to halt or prevent any encryption during the installation phase as it would take time for any encryption to be fully implemented; although this may defeat the ongoing encryption process it may not prevent any potential data loss. It is therefore imperative that users regularly back-up their information and/or services to ensure that any possible Ransomware infection/attack is removed/defeated by reverting to a systems previous known ‘good state’. There are numerous back-up solutions available to users including but not limited to cloud based services, a local back-up to an external hard drive or to CD/DVD etc.