Saving Private Files: a no-movie

Encrypting ransomware is a relatively new, but extremely pesky, threat that is evolving at a rapid pace, becoming a more advanced problem for end-users and businesses alike. What can be done about it?

Encrypting ransomware is a relatively new, but extremely pesky, threat that has gone almost epidemic since 2013. Despite the formidable counter-attack from the security vendors and law-enforcement agencies, encrypters are still around and they are evolving at a rapid pace, becoming a more advanced problem both for end-users and businesses alike. What can be done about it?

It all began in 2013

Encrypting malware wasn’t much of a problem until the second half of 2013, when the now notorious Cryptolocker emerged. Then became a wholesale problem: it spread quickly, the systems attacked were next to defenseless, not all antimalware suites were able to detect it, and IT workers took their time to figure out how to fight it.

“…The company boss all but ignored me when I sounded alarm – he thought I cried wolf. Guess, he regretted that later, ‘coz we’ve lost lotsa files. Dunno, whether they paid to the bad guys, but no fun, you know…” a consulting system administration, who requested to stay anonymous, told us about his first encounter with this threat.

Unfortunately, criminals have managed to give businesses a “quick scare” that was converted into profit. They viewed this as hitting the jackpot, even if not many people actually paid for decryption.

So, Cryptolocker and its variants started multiplying like rabbits and evolving like Zerg from a renown videogame – Cryptolocker 2.0, CryptoWall, ACCDFISA, Tor-enabled Onion malware, Xorist, Scatter, etc.

There is a large article on the sorts of encrypters on Securelist – a reference documents of sorts, describing the flavors and variations of encrypting ransomware, evolving from its earliest to current advanced forms.

Evolving badness

The first encrypters were more-or-less simple, albeit effective. The IT worker we spoke with says:

“Our CTO has disassembled one such piece. It doesn’t look like a malware at all, just, you know, a VB script that launches encryption. Once we’ve managed to catch the file with encryption key in the system before it got away and managed to recover everything. But the only sure way to stop it is to cut the power to servers at the first suspicion. ‘Tis hardcore but it works. Also, if you don’t have backups, may God have mercy on your soul.”

But after the fabulous Operation Tovar, which resulted in dismantling Gameover ZeuS botnet along with Cryptolocker infrastructure, cybercriminals decided they need an extra safety level for their malicious tools – and employed the TOR networks to conceal their C&C infrastructure. This elevated the problem to a whole new level for the IT security researchers and law enforcement agencies.

Target: A human-being

What slightly offsets ransomware in relation to other threats is that its primary target is not a computer system, but a human operator. As a matter of fact, most antivirus companies have already integrated advanced anti-ransomware tools into their suites, but what can a security solution do if it is turned off?

“During… investigations we often come across instances of the encryption of files in organizations as a consequence of their employees working with the antivirus program switched off.  And these are not isolated cases, our technical help service encounters such cases several times a week,” wrote Kaspersky Lab’s expert Artem Semenchenko at Securelist earlier this year.

He also wrote that the reason for such carelessness is… security advancements. Sounds like a paradox, but in fact there is none.

The improved defences of browswers and operating systems has led to a state where today users encounter the threats of malicous programs less often than previously.  As a result some of them, not thinking, switch off individual components of their antivirus products or don’t use them at all“, Semenchenko wrote.

And that’s what criminals are happy about. They are counting on mistakes such as launching executable files from emails coming from unconfirmed sources, or clicking dubious links. The availability of ‘advanced’ systems of defense does not relieve the user of the need to follow the security policy and basic rules of safety.

With encrypting ransomware, frightening and taking victims by surprise are the primary means of extortion. They could probably do without it, but a recurring story with ransomware is that the targeted user or entity receives an intimidating letter ostensibly coming from law enforcement agencies – police, investigative bodies, even courts and/or debt collectors. The combination of an official emblem, a menacing header with lots of CAPS LOCK for added formidability – this mesmerizing “cocktail” works astonishingly well, with amusing incidents such as this one: The person, scared by an encrypter, turned himself over to police, and got charged with committed crimes.

In most cases, however, innocent people get attacked. And the intimidating pictures, headers, and messages either conceal a common phishing letter purposed to infect the user, or a notification from the malefactors who demand “their share” of your profits after the files have been already encrypted.

What do they want?

Money, of course. It’s all about cash. Several dozens or a couple of hundreds from the end-users and five times more from corporate bodies (there are reports of a case where attackers demanded as much as 5,000 euros for decryption).

They tend to obfuscate their communications using Tor, and in order to further ensure their anonymity, malefactors often demand payments in Bitcoin, which is way harder to track down than the movement of real-world currency.

Occasionally, they get money. As a matter of fact, chances of recovering the encrypted files by decrypting them are slim. In the aforementioned Securelist doc there are examples of encrypting ransomware that can be cracked (Xorist, for instance, yields relatively easy), but the most advanced -and thus the most widely used encrypters – use assymetric encryption, sometimes even with more than one key pair. There is no algorithm to decrypt files encrypted with the RSA with a key length of 1024 bits in an acceptable time. When it is down to a single key pair, acquiring (buying) the private key allows for the decryption of files for all victims of the same modification. When there are many modifications and many key pairs – you’d better have a Plan B.

Saving files: not always possible, prevention is easier

This Plan B is actually Plan A, and it happens to be prevention.

First of all, backup is a must, and the backed up files should be stored “cold” (i.e. the unpowered storage media is required). Encrypters can crawl all over the mapped drives, but they still need a processing power to do their job.

Antivirus products must be kept up-to-date always, and it is strongly recommended that antimalware bases be updated before the employees even start reading their e-mails in the morning.

Also, the employees (the main target) should be informed and educated on phishing, on launching suspicious files, and other threats associated (and not necessarily associated) with encrypting ransomware.

Getting attacked by an encrypter is easy, while recovering from it may be very problematic if at all possible. Securelist’s article carries a number of links to the anti-encrypters utilities, but they only help against certain types.

Preventing the files from being encrypted is a much better way to put criminals’ noses out of joints.