A Short History & Evolution of Ransomware

What Is Ransomware?

Ransomware is vicious malware that locks users out of their devices or blocks access to files until a sum of money or ransom is paid. Attacks cause downtime, data loss, possible intellectual property theft, and in certain industries an attack is considered a data breach.

There are many different variants; some are designed to attack Windows PCs, while other strains infect Macs and even mobile devices. This type of malware is highly effective because the encryption or locking of the files is practically impossible to reverse without paying the ransom.

September 2013 is when ransomware went pro. It typically gets installed on a user’s workstation (PC or Mac) through a social engineering attack in which the user is tricked into clicking on a link or opening an attachment. Once the malware is on the machine, it starts to encrypt all the data files it can find on the machine itself and on any network shares the PC has access to.

Next, when a user tries to access one of these files they are blocked, and the system admin alerted by the user finds two files in the directory indicating that the files have been taken for ransom and how to pay the ransom to decrypt them. New strains and variants come and go as new cyber mafias muscle into the "business". Some examples are CryptoLocker, CryptoWall, Locky and TeslaCrypt. This is a very successful criminal business model. As an illustration, CryptoWall has generated over 320 million dollars in revenue.
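The two symptoms described above, ransom notes dropped into a directory and data files that have turned into unreadable ciphertext, can be checked for programmatically. The following triage script is an added example, not code from the original page; it builds a constructed sample share in a temporary directory and flags ransom-note-like filenames, files carrying an appended extension such as ".crypt", and files whose byte distribution is as flat as ciphertext (Shannon entropy close to 8 bits per byte). The keyword and extension lists are assumptions chosen for the example.

```python
"""Triage a directory tree for the signs of a ransomware encryption run.

Added example, not from the original page. Flags ransom-note-like filenames and
data files whose content looks encrypted. Encrypted bytes are close to uniformly
distributed, so Shannon entropy near 8 bits/byte in a file that should be plain
text or an Office document is a strong indicator. Sample files are constructed.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Keywords commonly seen in ransom-note filenames (assumption for this example).
NOTE_KEYWORDS = ("decrypt", "restore", "recover", "ransom", "how_to")
# Suffixes ransomware has been observed appending (the page mentions ".crypt").
APPENDED_EXTS = {".crypt", ".locked", ".encrypted"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; English text is typically around 4-5


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_like_ransom_note(name: str) -> bool:
    """Ransom notes are usually small text/HTML files with an instructional name."""
    lower = name.lower()
    return lower.endswith((".txt", ".html")) and any(k in lower for k in NOTE_KEYWORDS)


def triage_directory(root: str) -> dict:
    """Walk `root`; return {'notes': [...], 'suspect_files': [...]} with POSIX relative paths."""
    notes, suspects = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if looks_like_ransom_note(path.name):
            notes.append(rel)
            continue
        data = path.read_bytes()
        if path.suffix.lower() in APPENDED_EXTS or shannon_entropy(data) > ENTROPY_THRESHOLD:
            suspects.append(rel)
    return {"notes": sorted(notes), "suspect_files": sorted(suspects)}


def build_sample_tree() -> str:
    """Constructed sample share: two clean documents, two 'encrypted' files, one ransom note."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "finance").mkdir()
    (root / "finance" / "budget.txt").write_text("Q1 budget: travel 1200, software 800\n" * 20)
    (root / "notes.txt").write_text("meeting notes, nothing special\n" * 20)
    # os.urandom stands in for ciphertext: same flat byte distribution as real encrypted output.
    (root / "finance" / "invoices.xlsx.crypt").write_bytes(os.urandom(4096))
    (root / "report.docx").write_bytes(os.urandom(4096))  # encrypted in place, name unchanged
    (root / "HOW_TO_DECRYPT_FILES.txt").write_text("Your files are encrypted. Pay ...\n")
    return str(root)


if __name__ == "__main__":
    print(triage_directory(build_sample_tree()))
```

A file encrypted in place with its name kept (report.docx above) is only caught by the entropy check, which is why both indicators are needed; compressed formats such as .zip or .jpg are also high-entropy and should be excluded or whitelisted in a real deployment.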

[Infographic: Ransomware Threat Survey]

Once these files are encrypted, the only way to get them back is to restore a recent backup or pay the ransom. Problem is, backups often fail. Storage Magazine reports that over 34% of companies do not test their backups and of those tested 77% found that tape backups failed to restore. According to Microsoft, 42% of attempted recoveries from tape backups in the past year have failed.

Paying the criminals usually means an amount of about $500 within the first deadline; when that deadline expires, the ransom doubles. They demand payment in untraceable crypto-currencies like Bitcoin. Bitcoin is a new kind of money (call it a digital currency); here is a link with more about it.

Here is a link to a Bitcoin 101 page that can help you get going if you need to pay a ransom. Recently, sophisticated cyber gangs have penetrated whole networks, infected all machines at the same time, and extorted tens of thousands of dollars.

Many more strains are expected. These are only the early days and, as we said, it is a very successful criminal business model with many copycats. New strains are regularly spotted in the wild; cybercrime is furiously innovating in both the technical and social engineering areas.


Timeline

Since 1989, ransomware has become the number one security risk to businesses and users. Here is a full history and how it has evolved:


1989

The first ever ransomware virus was created in 1989 by Harvard-trained evolutionary biologist Joseph L. Popp. It was called the AIDS Trojan, also known as the PC Cyborg. Popp sent 20,000 infected diskettes labeled “AIDS Information – Introductory Diskettes” to attendees of the World Health Organization’s international AIDS conference. The AIDS Trojan was “generation one” ransomware malware and relatively easy to overcome. The Trojan used simple symmetric cryptography and tools were soon available to decrypt the file names. But the AIDS Trojan set the scene for what was to come.

2006

17 years later, another strain was released, but this time it was much more invasive and difficult to remove than its predecessor. In 2006, the Archiveus Trojan was released, the first ever ransomware virus to use RSA encryption. The Archiveus Trojan encrypted everything in the My Documents directory and required victims to purchase items from an online pharmacy to receive the 30-digit password.

June 2006 - the GPcode, an encryption Trojan which spread via an email attachment purporting to be a job application, used a 660-bit RSA public key.

2007

At the same time GP Code and its many variants were infecting victims, other types of ransomware circulated that did not involve encryption but simply locked out users. WinLock displayed pornographic images until the users sent a $10 premium-rate SMS to receive the unlocking code.

2008

Two years after the initial GP Code virus was created, another variant of the same virus called GPcode.AK was unleashed on the public using a 1024-bit RSA key.

2011

Mid 2011 - The first large scale ransomware outbreak, and ransomware moves into the big time due to the use of anonymous payment services, which made it much easier for authors to collect money from their victims. There were about 30,000 new samples detected in each of the first two quarters of 2011.

July 2011 - During the third quarter of 2011, new ransomware detections doubled to 60,000.

2012

January 2012 - The cybercrime ecosystem comes of age with Citadel, a toolkit for distributing malware and managing botnets that first surfaced in January 2012. Citadel makes it simple to produce ransomware and infect systems wholesale with pay-per-install programs allowing cybercriminals to pay a minimal fee to install their ransomware viruses on computers that are already infected by other malware. Due to the introduction of Citadel, total infections surpassed 100,000 in the first quarter of 2012.

Cyber criminals begin buying crime kits like Lyposit—malware that pretends to come from a local law enforcement agency based on the computer’s regional settings, and instructs victims to use payment services in a specific country—for just a share of the profit instead of for a fixed amount.

March 2012 - Citadel and Lyposit lead to the Reveton worm, an attempt to extort money in the form of a fraudulent criminal fine. Reveton first showed up in European countries in early 2012. The exact “crime” and “law enforcement agency” are tailored to the user’s location. The threats are "pirated software" or "child pornography". The user would be locked out of the infected computer and the screen taken over by a notice informing the user of their "crime" and instructing them that to unlock their computer they must pay the appropriate fine using a service such as Ukash, Paysafe or MoneyPak.

April 2012 - Urausy Police Ransomware Trojans are some of the most recent entries in these attacks and are responsible for Police Ransomware scams that have spread throughout North and South America since April of 2012.

July 2012 - Ransomware detections increase to more than 200,000 samples, or more than 2,000 per day.

November 2012 - Another version of Reveton was released in the wild pretending to be from the FBI’s Internet Crime Complaint Center (IC3). Like most malware, Reveton continues to evolve.

2013

July 2013 - A version is released targeting OSX users that runs in Safari and demands a $300 fine. This strain does not lock the computer or encrypt the files, but just opens a large number of iframes (browser windows) that the user would have to close. A version purporting to be from the Department of Homeland Security locked computers and demanded a $300 fine.

July 2013 - Svpeng: This mobile Trojan targets Android devices. It was discovered by Kaspersky in July 2013 and originally designed to steal payment card information from Russian bank customers. In early 2014, it had evolved into ransomware, locking the phones and displaying a message accusing the user of accessing child pornography. By the summer of 2014, a new version was out targeting U.S. users, using a fake FBI message and requiring a $200 payment, with variants being used in the UK, Switzerland, India and Russia. According to Jeremy Linden, a senior security product manager for Lookout, a San Francisco-based mobile security firm, 900,000 phones were infected in the first 30 days.

August 2013 - A version masquerading as fake security software known as Live Security Professional begins infecting systems.

September 2013 - CryptoLocker is released. CryptoLocker is the first cryptographic malware spread by downloads from a compromised website and/or sent to business professionals as email attachments made to look like customer complaints, distributed through the Gameover ZeuS botnet, which had been capturing online banking information since 2011.

CryptoLocker generates a 2048-bit RSA key pair, uploads it to a command-and-control server, and uses it to encrypt files with certain file extensions, deleting the originals. It would then threaten to delete the private key if payment was not received within three days. Payments initially could be received in the form of Bitcoins or pre-paid cash vouchers.

With some versions of CryptoLocker, if the payment wasn’t received within three days, the user was given a second opportunity to pay a much higher ransom to get their files back. Ransom prices varied over time and with the particular version being used. The earliest CryptoLocker Payments could be made by CashU, Ukash, Paysafecard, MoneyPak or Bitcoin. Prices were initially set at $100, €100, £100, two Bitcoins or other figures for various currencies.

November 2013 - The ransom changes. The going ransom was 2 Bitcoins, or about $460; victims who missed the original ransom deadline could pay 10 Bitcoins ($2300) to use a service that connected to the command and control servers. After paying for that service, the first 1024 bytes of an encrypted file would be uploaded to the server, and the server would then search for the associated private key.

Early December 2013 - 250,000 machines infected. An analysis of four Bitcoin accounts associated with CryptoLocker found that 41,928 Bitcoins had been moved through those four accounts between October 15 and December 18. Given the then current price of $661, that would represent more than $27 million in payments received, not counting all the other payment methods.

Mid December 2013 - The first CryptoLocker copycat software emerges, Locker, charging users $150 to get the key, with money being sent to a Perfect Money or QIWI Visa Virtual Card number.

Late December 2013 - CryptoLocker 2.0 – Despite the similar name, CryptoLocker 2.0 was written using C# while the original was in C++ so it was likely done by a different programming team. Among other differences, 2.0 would only accept Bitcoins, and it would encrypt image, music and video files which the original skipped. And, while it claimed to use RSA-4096, it actually used RSA-1024. However, the infection methods were the same and the screen image very close to the original.

Also during this timeframe, CryptorBit surfaced. Unlike CryptoLocker and CryptoDefense which only targets specific file extensions, CryptorBit corrupts the first 212 or 1024 bytes of any data file it finds. It also seems to be able to bypass Group Policy settings put in place to defend against this type of infection. The cyber gang uses social engineering to get the end-user to install the ransomware using such devices as a rogue antivirus product. Then, once the files are encrypted, the user is asked to install the Tor Browser, enter their address and follow the instructions to make the ransom payment – up to $500 in Bitcoin. The software also installs cryptocoin mining software that uses the victim’s computer to mine digital coins such as Bitcoin and deposit them in the malware developer’s digital wallet.

2014

February 2014 - CryptoDefense is released. It used Tor and Bitcoin for anonymity and 2048-bit encryption. However, because it used Windows’ built-in encryption APIs, the private key was stored in plain text on the infected computer. Despite this flaw, the hackers still managed to earn at least $34,000 in the first month, according to Symantec.

April 2014 - The cyber criminals behind CryptoDefense release an improved version called CryptoWall. While largely similar to the earlier edition, CryptoWall doesn’t store the encryption key where the user can get to it. In addition, while CryptoDefense required the user to open an infected attachment, CryptoWall uses a Java vulnerability. Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and many others led people to sites that were CryptoWall infected and encrypted their drives. According to an August 27 report from Dell SecureWorks Counter Threat Unit (CTU): “CTU researchers consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing.” More than 600,000 systems were infected between mid-March and August 24, with 5.25 billion files being encrypted. 1,683 victims (0.27%) paid a total $1,101,900 in ransom. Nearly 2/3 paid $500, but the amounts ranged from $200 to $10,000.

Koler.a: Launched in April, this police ransom Trojan infected around 200,000 Android users, three-quarters of them in the US, who were searching for porn and wound up downloading the software. Since Android requires permission to install any software, it is unknown how many people actually installed it after download. Users were required to pay $100 – $300 to remove it.

May 2014 - A multi-national team composed of government agencies managed to disable the Gameover ZeuS Botnet. The U.S. Department of Justice also issued an indictment against Evgeniy Bogachev who operated the botnet from his base on the Black Sea. 

iDevice users in Australia and the U.S. started seeing a lock screen on their iPhones and iPads saying that it had been locked by “Oleg Pliss” and requiring payment of $50 to $100 to unlock. It is unknown how many people were affected, but in June the Russian police arrested two people responsible and reported how they operated. This didn’t involve installing any malware, but was simply a straight-up con using people’s naiveté and features built into iOS. First, people were scammed into signing up for a fake video service that required entering their Apple ID. Once they had the Apple ID, the hackers would create iCloud accounts using those IDs and use the Find My Phone feature, which includes the ability to lock a stolen phone, to lock the owners out of their own devices.

July 2014 - The original Gameover ZeuS/CryptoLocker network resurfaced, no longer requiring payment using a MoneyPak key in the GUI; instead users must install Tor or another layered encryption browser to pay them securely and directly. This allows malware authors to skip money mules and improve their bottom line.

July 2014 - Cryptoblocker: Trend Micro reported this new strain, which doesn’t encrypt files that are larger than 100MB and will skip anything in the C:\Windows, C:\Program Files and C:\Program Files (x86) folders. It uses AES rather than RSA encryption.

On July 23, Kaspersky reported that Koler had been taken down, but didn’t say by whom.

August 2014 - Symantec reports crypto-style ransomware has seen a 700 percent-plus increase year-over-year.

SynoLocker appeared in August 2014. Unlike the others which targeted end-user devices, this one was designed for Synology network attached storage devices. And unlike most encryption ransomware, SynoLocker encrypts the files one by one. Payment was 0.6 Bitcoins and the user has to go to an address on the Tor network to unlock the files.

This was discovered in midsummer 2014 by Fedor Sinitsyn, a security researcher for Kaspersky. Early versions only had an English language GUI, but then Russian was added. The first infections were mainly in Russia, so the developers were likely from an eastern European country, not Russia, because the Russian security services quickly arrest and shut down any Russians hacking others in their own country.

Late 2014 - TorrentLocker – According to iSight Partners, TorrentLocker “uses components of CryptoLocker and CryptoWall but with completely different code from these other two ransomware families.” It spreads through spam and uses the Rijndael algorithm for file encryption rather than RSA-2048. Ransom is paid by purchasing Bitcoins from specific Australian Bitcoin websites.

2015

Early 2015 - CryptoWall takes off and replaces CryptoLocker as the leading ransomware infection.

April 2015 - CryptoLocker is now being localized for Asian countries. There are attacks in Korea, Malaysia and Japan.

May 2015 - It's heeere. Criminal ransomware-as-a-service has arrived. In short, you can now go to this TOR website "for criminals by criminals", roll your own ransomware for free, and the site takes a 20% kickback of every Bitcoin ransom payment. Also in May 2015, a new strain called Locker showed up that had been infecting employees' workstations but sat there silently until midnight on May 25, 2015, when it woke up. Locker then started to wreak havoc in a massive way.

May 2015 - New "Breaking Bad-themed ransomware" gets spotted in the wild. Apart from the Breaking Bad theme, CryptoLocker.S is pretty generic. It is surprising how fast ransom Trojans have developed. A year ago every new strain was headline news; now it's on page 3. This version grabs a wide range of data files and encrypts them using a random AES key, which is then encrypted using a public key.

June 2015 - SANS InfoSec forum notes that a new version of CryptoWall 3.0 is in the wild, using resumes of young women as a social engineering lure: "resume ransomware".

June 2015 - The FBI, through their Internet Crime Complaint Center (IC3), released an alert on June 23, 2015 that between April 2014 and June 2015, the IC3 received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million. Ransomware gives cybercriminals almost 1,500% return on their money.

July 2015 - An Eastern European cybercrime gang has started a new TorrentLocker campaign where whole websites of energy companies, government organizations and large enterprises are being scraped and rebuilt from scratch to spread ransomware using Google Drive and Yandex Disk.

July 2015 - Security researcher Fedor Sinitsyn reported on the new TeslaCrypt V2.0. This family of ransomware is relatively new, it was first detected in February 2015. It's been dubbed the "curse" of computer gamers because it targets many game-related file types.

September 2015 - An aggressive Android ransomware strain is spreading in America. Security researchers at ESET discovered the first real example of malware that is capable of resetting the PIN of your phone to permanently lock you out of your own device. They called it LockerPin; it changes the infected device's lock screen PIN code and leaves victims with a locked mobile screen, demanding a $500 ransom.

September 2015 - The criminal gangs that live off ransomware infections are targeting Small and Medium Businesses (SMB) instead of consumers, a new Trend Micro analysis shows. The reason SMBs are being targeted is that they generally do not have the same defenses in place as large enterprises, but are able to afford a 500 to 700 dollar payment to get access to their files back.

The Miami County Communication Center’s administrative computer network system was compromised with a CryptoWall 3.0 infection which locked down their 911 emergency center. They paid a 700 dollar Bitcoin ransom to unlock their files.

October 2015 - A new strain called LowLevel04 spreads using remote desktop and terminal services attacks. It encrypts data using RSA-2048 encryption and the ransom is double from what is the normal $500, demanding four Bitcoin.  Specifically nasty is how it gets installed: brute force attacks on machines that have Remote Desktop or Terminal Services installed and have weak passwords.

October 2015 - The nation’s top law enforcement agency is warning companies that they may not be able to get their data back from cyber criminals who use Cryptolocker, Cryptowall and other malware without paying a ransom. “The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office.  “To be honest, we often advise people just to pay the ransom.”

October 2015 - Staggering CryptoWall Damage: 325 Million Dollars. A brand new report from Cyber Threat Alliance showed the damage caused by a single criminal Eastern European cyber mafia. The CTA is an industry group with big-name members like Intel, Palo Alto Networks, Fortinet and Symantec and was created last year to warn about emerging cyber threats. 

November 2015 - CryptoWall v4.0 released and displays a redesigned ransom note, new filenames, and now encrypts a file's name along with its data. In summary, the new v4.0 release now encrypts file names to make it more difficult to determine important files, and has a new HTML ransom note that is even more arrogant than the last one. It also gets delivered with the Nuclear Exploit Kit, which causes drive-by infections without the user having to click a link or open an attachment (sic). 

November 2015 - A new strain is spotted with a very short 24-hour deadline, researchers crack the Linux.Encoder strain, and British Parliament computers get infected with ransomware.

December 2015 - Kaspersky reports that ransomware is doubling year over year, and Symantec reports that TeslaCrypt attacks moved from 200 to 1,800 a day.  

2016

January 2016 - First JavaScript-only Ransomware-as-a-Service discovered. Cybercrime has piggybacked on the extremely successful SaaS model, and several strains of Ransomware-as-a-Service (RaaS) like TOX, Fakben and Radamant appeared in 2015. However, a new strain called Ransom32 has a twist: it was fully developed in JavaScript, HTML and CSS, which potentially allows for multi-platform infections after repackaging for Linux and MacOS X. Using JavaScript brings us one step closer to the "write-once-infect-all" threat, which is something to be aware of.

January 2016 - A stupid and damaging new strain called 7ev3n encrypts your data and demands 13 bitcoins to decrypt your files. A 13 bitcoin [almost $5,000] ransom demand is the largest we have seen to date for this type of infection, but that is only just one of the problems with 7ev3n. In addition to the large ransom demand, the 7ev3n crypto-ransom malware also does a great job trashing the Windows system that it was installed on. DarkReading reports on a Big Week In Ransomware.

February 2016 - Ransomware criminals infect thousands with a weird WordPress hack. An unexpectedly large number of WordPress websites have been mysteriously compromised and are delivering TeslaCrypt to unwitting end-users. Antivirus is not catching this yet.

February 2016 - It's Here. New Ransomware Hidden In Infected Word Files. It was only a matter of time, but some miscreant finally did it. There is a new strain somewhat amateurishly called "Locky", but this is professional grade malware. The major headache is that this flavor starts out with a Microsoft Word attachment which has malicious macros in it, making it hard to filter out. Over 400,000 workstations were infected in just a few hours, data from Palo Alto Networks shows. Behind Locky is the deadly Dridex gang, the 800-pound gorilla in the banking Trojan racket.

March 2016 - MedStar receives a massive ransomware demand. A Baltimore Sun reporter has seen a copy of the cybercriminal's demands.  "The deal is this: Send 3 bitcoins — $1,250 at current exchange rates — for the digital key to unlock a single infected computer, or 45 bitcoins — about $18,500 — for keys to all of them."

April 2016 - News came out about a new strain that does not encrypt files but makes the whole hard disk inaccessible. As if encrypting files and holding them hostage is not enough, cybercriminals who create and spread crypto-ransomware are now resorting to causing blue screen of death (BSoD) and putting their ransom notes at system startup—as in, even before the operating system loads. It's called Petya and clearly Russian.

April 2016 - The Ransomware That Knows Where You Live. It's happening in the UK today, and you can expect it in America tomorrow [correction: it's already happening today]. The bad guys in Eastern Europe often use the U.K. as their beta test area, and when a scam has been debugged, they go wide in the U.S. So here is what's happening: victims get a phishing email that claims they owe a lot of money, and it has their correct street address in the email. The phishing emails tell recipients that they owe money to British businesses and charities when they do not.

April 2016 - Hello mass spear phishing, meet ransomware! Ransomware is now one of the greatest threats on the internet. Also, a new strain called CryptoHost was discovered, which claims that it encrypts your data and then demands a ransom of 0.33 bitcoins to get your files back (~140 USD at the current exchange rate). These cybercrims took a shortcut though: your files are not encrypted but copied into a password-protected RAR archive.

April 2016 - CryptoWorms: Cisco's Talos Labs researchers had a look into the future and described how ransomware would evolve. It's a nightmare. They created a sophisticated framework for next-gen ransomware that will scare the pants off you. Also, a new strain called Jigsaw starts deleting files if you do not pay the ransom. 

April 2016 - Ransomware On Pace To Be A $1 Billion Business In 2016. CNN Money reports that new estimates from the FBI show the costs from so-called ransomware have reached an all-time high. Cyber-criminals collected $209 million in the first three months of 2016 by extorting businesses and institutions to unlock computer servers. At that rate, ransomware is on pace to be a $1 billion a year crime this year.

Late April 2016 - Scary New CryptXXX Ransomware Also Steals Your Bitcoins. Now here's a new hybrid nasty that does a multitude of nefarious things. A few months ago the 800-pound Dridex cyber gang moved into ransomware with Locky, and now their competitor Reveton follows suit and tries to muscle into the ransomware racket with an even worse criminal malware multitool. At the moment CryptXXX spreads through the Angler Exploit Kit, which infects the machine with the Bedep Trojan, which in its turn drops information stealers on the machine, and now adds professional grade encryption, appending a .crypt extension to the filename. Here is a graph created by the folks at Proofpoint which illustrates the growth of new strains in Q1, 2016:

[Graph: growth of new ransomware strains in Q1 2016, source: Proofpoint]

Here is a blog post that looks at the first 4 months of 2016 and describes an explosion of new strains.

May 2016 - Petya comes loaded with a double-barrel ransomware attack. If the initial overwriting of the master boot record does not work, they now have an installer that offers Petya and a backup "conventional" file-encrypting strain called Mischa. The Proofpoint Q1-16 threat report confirms that ransomware and CEO fraud dominate in 2016. A new Version 4 of DMA Locker comes out with weapons-grade encryption algorithms, and infects machines through drive-by downloads from compromised websites. In a surprising end to TeslaCrypt, the developers shut down their ransomware and released the master decryption key.

June 2016 - CryptXXX becomes UltraCrypter and targets data stored on unmapped network shares along with local HDD volumes, removable drives, and mapped network repositories. The Jigsaw strain morphs into new branding, now uses an Anonymous skin, and asks for a very high $5,000 ransom. The RAA ransomware goes after Russian victims, which is rare considering that most cyber mafia are based there. A new strain called BART (duh!) locks files by archiving them, is a Locky spinoff, and gets spread by email attachments. The hybrid Satana strain both encrypts files and replaces the Master Boot Record (MBR), as Petya/Mischa does. EduCrypt demonstrates what happens when employees open infected attachments. Tripwire has a more detailed write-up here. The upshot? Everyone and their cybercrime brother has jumped on the bandwagon.

Knowledgebase

We've put together the background, history and inner-workings of all widespread ransomware strains and families that have appeared over the last few years. Criminal malware continues to grow at an explosive rate, and employees need to be given effective security awareness training so that they know before they click.



Ransomware Simulator

Free Simulator Tool

How vulnerable is your network against a ransomware attack?

Bad guys are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

KnowBe4’s "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 10 infection scenarios and show you if a workstation is vulnerable to infection.



Frequently Asked Questions

Email Vector

By far the most common scenario involves an email attachment disguised as an innocuous file. Many times hackers will send a file with multiple extensions to try to hide the true type of file you are receiving. If a user receives an email with an attachment or even a link to a software download, and they install or open that attachment without verifying its authenticity and the sender’s intention, this can lead directly to a ransomware infection. This is the most common way ransomware is installed on a user’s machine.

Drive-by Download

Increasingly, infections happen through drive-by downloads, where visiting a compromised website with an old browser or software plug-in or an unpatched third party application can infect a machine. The compromised website runs an exploit kit (EK) which checks for known vulnerabilities. Often, a hacker will discover a bug in a piece of software that can be exploited to allow the execution of malicious code. Once discovered, these are usually quickly caught and patched by the software vendor, but there is always a period of time where the software user is vulnerable.

Free Software Vector

Another common way to infect a user’s machine is to offer a free version of a piece of software. This can come in many flavors such as “cracked” versions of expensive games or software, free games, game “mods”, adult content, screensavers or bogus software advertised as a way to cheat in online games or get around a website’s paywall. By preying on the user in this way, the hackers can bypass any firewall or email filter. After all, the user downloaded the file directly themselves! An example is a ransomware attack which exploited the popularity of the game Minecraft by offering a “mod” to players of Minecraft. When they installed it, the software also installed a sleeper version of ransomware that activated weeks later.
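The "multiple extensions" trick described under Email Vector above (a file such as "Invoice.pdf.exe" that Windows displays as "Invoice.pdf" when known extensions are hidden) can be caught at the mail gateway by inspecting the attachment name. The following classifier is an added example, not code from the original page or from any vendor's product; it also goes one step beyond the text by flagging macro-enabled Office formats for review, since the Locky entry in the timeline describes Word attachments carrying malicious macros. The extension lists and sample names are assumptions constructed for the example.

```python
"""Flag email attachment names that disguise an executable or script as a document.

Added example, not from the original page. A name like "Invoice.pdf.exe" or
"resume.doc.js" is an executable wearing a document's extension; only the last
extension decides what Windows runs. Extension lists are assumptions.
"""
from dataclasses import dataclass

# Extensions Windows or its script hosts will execute (assumption: list for this example).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
                   "wsf", "wsh", "hta", "ps1", "jar", "lnk", "msi"}
# Extensions a user expects to be harmless data, used by attackers as camouflage.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png", "zip"}
# Office formats that may carry macros; worth a second look rather than an outright block.
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}


@dataclass
class Verdict:
    filename: str
    verdict: str   # "block", "review" or "allow"
    reason: str


def classify_attachment(filename: str) -> Verdict:
    """Decide on a single attachment name. Only the final extension is executable."""
    parts = filename.strip().lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return Verdict(filename, "review", "no extension")
    exts = parts[1:]
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):
            return Verdict(filename, "block",
                           f"executable '.{final}' hidden behind a document extension")
        return Verdict(filename, "block", f"executable attachment '.{final}'")
    if final in MACRO_EXTS:
        return Verdict(filename, "review", "macro-enabled Office document")
    if len(exts) > 1:
        # Not dangerous by itself (archive.tar.gz), but unusual enough to look at.
        return Verdict(filename, "review", "multiple extensions")
    return Verdict(filename, "allow", "single non-executable extension")


def triage(filenames):
    """Map each attachment name to its verdict string."""
    return {f: classify_attachment(f).verdict for f in filenames}


SAMPLE_ATTACHMENTS = [  # constructed sample names, not real campaign artifacts
    "Invoice_2291.pdf",
    "Invoice_2291.pdf.exe",
    "resume.doc.js",
    "photo.jpg.scr",
    "invoice_details.docm",
    "setup.msi",
    "archive.tar.gz",
    "README",
]

if __name__ == "__main__":
    for name, v in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{v:6}  {name}")
```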

One method cybercriminals will use to install malicious software on a machine is to exploit one of these unpatched vulnerabilities. Examples of exploits can range from vulnerabilities in an unpatched version of Adobe Flash, a bug in Java or an old web browser all the way to an unpatched, outdated operating system.

The main event that created the fifth and current generation of cybercrime was the formation of an active underground economy, where stolen goods and illegal services are bought and sold in a ‘professional’ manner, if there is such a thing as honor among thieves. Note that because of this, cybercrime has recently been developing at a much faster rate. All the tools of the trade are now for sale. This has opened the ‘industry’ to relatively inexperienced criminals who can learn the trade and get to work quickly.

Some examples of this specialization are:
• Cybercrime has its own social networks with escrow services
• Malware can be licensed and receive tech support
• You can rent botnets by the hour, for your own crime spree
• Pay-for-play malware infection services have appeared that quickly create botnets
• A lively market for zero-day exploits (unknown software vulnerabilities) has been established

The problem with this is that it provides unfortunate economies of scale. The advent of Generation Five increases malware quality, speeds up the criminal ‘supply chain’ and effectively spreads risk among these thieves, meaning it becomes much harder to apprehend the culprits, not to mention jurisdiction problems.

Due to these factors, it is clear that we are in this for the long haul. We need to step up our game, just like the miscreants have done over the last 10 years.

There is a new website called ID Ransomware that allows you to upload your ransom note and a sample encrypted file. The tool will identify the particular strain you are dealing with and if available, download decryption tools to recover your files and/or whole network shares if your backups have failed. It's a good idea to know which type you have as there is no 'one-size-fits-all' method to get rid of ransomware.

Bitcoin is an untraceable crypto-currency network that uses peer-to-peer technology to handle transactions with no central authority - that means no banks or government agencies either. All transactions are public; however, the people holding these digital wallets remain completely anonymous. This makes Bitcoin very attractive to cybercriminals, and it is therefore the payment method most often requested to get files decrypted.

We have seen certain actors demand ransom in things like Amazon and iTunes gift cards, but the vast majority ask for Bitcoin.

It is important to note that just because a person pays to unlock the computer, it doesn’t mean that the malware is gone. Once the ransom is paid, the Citadel software continues to operate and the computer can still be used to commit bank or credit card fraud. Reveton, for instance, included the Papras family of malware, which includes password stealers and which can also disable security software.

If you are infected you should always report it to the FBI’s Internet Crime Complaint Center (IC3). You will need to provide all relevant information including the e-mail with header information and Bitcoin address if available.

Since most ransomware is delivered via malware found in phishing emails, users need to be trained to not click on those emails. We have seen the percentage of 'phish-prone users' decrease from an average 15.9% to 1.2% over the course of a year of using our training platform.

We are so confident our method works, we are willing to bet our own money on it. KnowBe4's Kevin Mitnick Security Awareness Training comes with a crypto-ransom guarantee. If an employee who has taken our training and received at least one phishing security test per month clicks on a link and infects their workstation, KnowBe4 pays your crypto-ransom.

Prevention

The best way to prevent an infection is to not rely on just one solution, but to use multiple, layered solutions for the best possible protection.

1. Security Awareness Training
It’s easier to prevent malware infections if you know what to look for. The better you understand the latest techniques cybercriminals are using, the easier it will be to avoid them. Know your enemy! Take an active approach to educating yourself by taking a security awareness training course.

2. Internet Security Products
There are many commercial products that will help you avoid all malware infections, but understand that none of them are 100% effective. The cyber criminals are always looking for weaknesses in security products and promptly take advantage of them.

3. Antivirus Software
While antivirus is highly recommended, you should have multiple layers of protection in place. It is not wise to solely rely on antivirus software to keep your PC secure, as it cannot prevent infections from zero-day or newly emerging threats.

The antivirus products listed below were proven the most effective at preventing malware in testing by AV-Test.org:

Avira Antivirus Pro 2015
Kaspersky Internet Security 2015
Bitdefender Internet Security 2015
Norton Security 2014 & 2015
Trend Micro Internet Security 2015

4. AntiMalware Software
Most anti-malware software like MalwareBytes is designed to run alongside Antivirus products, and it’s recommended you have both in place.

5. Whitelisting Software
Whitelisting offers the best protection against malware and virus attacks. Whitelisting software allows only known good software that you approve to run or execute on your system. All other applications are prevented from running or executing.

6. Backup Solutions
In the event of a catastrophic attack or complete system failure, it’s essential to have your data backed up. Many have been able to quickly and fully recover from an attack because their data was backed up and safe. For the best possible backup solution, we recommend using one of the following online storage services together with an external hard drive (that you disconnect after the backup):


Ransomware Hostage Rescue Manual

This free manual is packed with actionable info that you need to prevent infections, and what to do when you get hit.

You will also receive an Attack Response Checklist and a Prevention Checklist. You will learn more about:

  • What is Ransomware?
  • Am I Infected?
  • I’m Infected, Now What?
  • Protecting Yourself in the Future
  • Resources

Don’t be taken hostage. Download your free rescue manual now.

Removal Instructions

Because all strains are different, there isn’t one set of removal instructions that works across the board. Below are steps to take to begin the removal process on a Windows PC; they may work completely for some infections but not for a really nasty one. However, if you don't remove it, you will be unable to decrypt your encrypted files, so they will be gone forever!

1. Malware Scan. It’s recommended to use MalwareBytes to detect and remove the malware. First download the free version of MalwareBytes. If you are unable to run a MalwareBytes scan, restart your PC in safe mode and try to run the MalwareBytes scan this way.

To enter safe mode: as your computer restarts but before Windows launches, press F8. Use the arrow keys to highlight the appropriate safe mode option, then press ENTER.

2. System Restore. Some strains will prevent you from entering Windows or running programs. If this is the case, you can try to use System Restore to roll Windows back to a point in time before the infection. Restore your system using the System Restore settings by restarting your PC and hitting the F8 key when the PC begins to boot up.

3. Recovery Disk. Use your Windows disc to access recovery tools by selecting “Repair your Computer” on the main menu. If you don’t have your Windows disc, you can create one from another PC running the same version of Windows.

4. Antivirus Rescue Disc. If a system restore doesn’t help and you still can’t access Windows, try running a virus scan from a bootable disc or USB drive. You could try creating a Bitdefender Rescue CD.

5. Factory Restore. If the above steps have not worked, the last resort is a Factory Restore. PC World has comprehensive instructions for performing a factory restore.

If you manage to remove the infection from your PC using any of the steps above (except the factory restore) your next task will be to recover your files.

Unhiding Files
If you are lucky, your data didn't get encrypted; instead the malware only hid your icons, shortcuts and files, and you can easily show hidden files: open Computer, navigate to C:\Users\, and open the folder of your Windows account name. Then right-click each folder that’s hidden, open Properties, uncheck the Hidden attribute, and click OK. You should be good to go from here.
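
The same unhiding step can be scripted. The following PowerShell script is an added example, not from the original page: it clears the Hidden attribute on files and folders under a user profile while leaving the items Windows hides by design alone (System-flagged files such as desktop.ini and NTUSER.DAT, and the AppData tree). The profile path, the skip list and the script name are assumptions.

```powershell
# Added example, not from the original page: clear the Hidden attribute that some
# ransomware strains set on a user's files and folders, without touching the items
# Windows hides by design. Save as Unhide-Profile.ps1 and run with -WhatIf first.
param(
    [string]$UserProfile = $env:USERPROFILE,   # e.g. C:\Users\<account name>
    [switch]$WhatIf                            # dry run: only report what would change
)

# Top-level profile entries that are hidden by design (assumption: the malware did
# not hide these), so they are neither searched nor changed.
$skipNames = @('AppData', 'Application Data', 'Local Settings', 'NTUSER.DAT',
               'ntuser.dat.LOG1', 'ntuser.dat.LOG2', 'ntuser.ini', 'desktop.ini')

$hidden = [IO.FileAttributes]::Hidden
$system = [IO.FileAttributes]::System

# Walk the profile, but do not descend into the skipped folders.
$candidates = foreach ($top in Get-ChildItem -Path $UserProfile -Force) {
    if ($skipNames -contains $top.Name) { continue }
    $top
    if ($top.PSIsContainer) {
        Get-ChildItem -Path $top.FullName -Recurse -Force -ErrorAction SilentlyContinue
    }
}

$changed = 0
foreach ($item in $candidates) {
    # Ransomware usually sets Hidden alone; Windows' own hidden items also carry
    # System, so a Hidden-but-not-System item is the sign of tampering we act on.
    $isHidden = $item.Attributes.HasFlag($hidden)
    $isSystem = $item.Attributes.HasFlag($system)
    if (-not $isHidden -or $isSystem -or $item.Name -eq 'desktop.ini') { continue }

    if ($WhatIf) {
        Write-Output "Would unhide: $($item.FullName)"
    } else {
        $item.Attributes = $item.Attributes -bxor $hidden   # clear just the Hidden bit
        $changed++
    }
}
Write-Output "Cleared the Hidden attribute on $changed item(s) under $UserProfile"
```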

Encrypted Files
If you followed the steps above to unhide your files and this didn’t work and you still can’t find any of your data, this means that your files have been malware-encrypted. This is not good. Unfortunately it isn’t possible to decrypt or unlock your hostage files, because the decryption key is typically stored on the cybercriminal’s server. From here you have 2 options:

Option 1: Restore your files from a backup. If you have a backup system in place, and the backups haven’t been encrypted as well, you should be able to restore all your files this way. If you don’t have a backup system in place, you might be able to recover some of your files from Shadow Volume Copies, but most definitely not all your personal files. To use shadow volume copies, right-click the files or folders, open Properties and view the Previous Versions list, or use a program called Shadow Explorer.

Option 2: Pay the Ransom. Most authors will deliver the decryption key and return your files once you pay, but keep in mind, there is no guarantee. You may pay the ransom and get nothing in return, after all you are dealing with thieves.
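
The Shadow Volume Copies route from Option 1, as an added PowerShell example that is not from the original page: it lists the snapshots that exist for a drive and copies one file's previous version out of the newest one. It assumes an elevated prompt; the source and destination paths and the C:\ShadowView link path are constructed sample values.

```powershell
# Added example, not from the original page: list the Volume Shadow Copies of a drive
# and copy one file's previous version out of the newest snapshot. Run from an
# elevated PowerShell prompt. $Source and $Destination are constructed sample paths.
param(
    [string]$Source      = 'C:\Users\Public\Documents\report.docx',
    [string]$Destination = 'C:\Recovered\report.docx',
    [string]$Drive       = 'C:'
)

# Win32_ShadowCopy names volumes by their GUID path, so map the drive letter first.
$volume = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $Drive }
if (-not $volume) { throw "Volume $Drive not found" }

# Newest snapshot first; each snapshot is a frozen view of the volume at InstallDate.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object -Property InstallDate -Descending)
if ($shadows.Count -eq 0) {
    throw "No shadow copies for $Drive; many ransomware strains delete them before encrypting"
}
$shadows | ForEach-Object { Write-Output ('{0}  {1}' -f $_.InstallDate, $_.DeviceObject) }

# Expose the newest snapshot as a directory symlink. The trailing backslash on the
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN target is required.
$link = 'C:\ShadowView'
if (Test-Path -LiteralPath $link) { cmd.exe /c rmdir $link | Out-Null }
cmd.exe /c mklink /d $link ($shadows[0].DeviceObject + '\') | Out-Null

try {
    # Translate C:\Users\... into <link>\Users\... inside the snapshot.
    $previous = Join-Path $link ($Source.Substring($Drive.Length))
    if (-not (Test-Path -LiteralPath $previous)) {
        throw "No previous version of $Source in snapshot $($shadows[0].InstallDate)"
    }
    New-Item -ItemType Directory -Path (Split-Path -Parent $Destination) -Force | Out-Null
    Copy-Item -LiteralPath $previous -Destination $Destination
    Write-Output "Restored $Source (as of $($shadows[0].InstallDate)) to $Destination"
} finally {
    cmd.exe /c rmdir $link | Out-Null   # removes only the symlink, never the snapshot
}
```

Shadow Explorer does the same through a graphical browser; the script is useful when many files must be pulled from one snapshot.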


Free Decryptors

Ransomware decryption is an uphill battle for security professionals. As new strains are discovered, decryptors are created, then cybercriminals update their malware to get past decryption methods. It's a never-ending cycle!

Click here to see our list of known free ransomware decryptors.


Hostage Rescue Checklist

Ransomware attacks cause downtime, data loss, possible intellectual property theft, and in certain industries an attack is considered a data breach.

Wouldn’t it be great to have an actionable checklist of what to do when you get hit and how to prevent it in the future? Now you do! Included in this download:

  • Attack Response Checklist
  • Prevention Checklist

Download your rescue checklist now.

Our Guarantee

“We are so confident our security awareness training program works, we’ll pay your ransom if you get hit with ransomware while you are a customer.”

– Stu Sjouwerman, Founder and CEO, KnowBe4, Inc.

  • Coverage up to $1,000 per 12 months 
  • Must use KnowBe4 Security Awareness Training
  • Must report infection to us immediately

Learn more about this guarantee!

Ransomware victim: "We made their security training mandatory"

According to one KnowBe4 customer: “We made their security training mandatory after we were infected with CryptoLocker and our backup failed. We continue to reinforce good habits by sending KnowBe4's simulated phishing messages to our employees and addressing any clicks that may occur. Continued education using KnowBe4 has empowered our users and the ability to “spot check” employees on-the-go definitely helps keep our systems safe.”  - R.B.