Ransomware & the Latest Variants
Earlier this year, destructive ransomware variants were detected infecting the computers of businesses and individuals. The main offenders were Locky and Samas. The victims included healthcare facilities and hospitals from around the globe.
This alert was provided by the United States Department of Homeland Security (DHS), in collaboration with the Canadian Cyber Incident Response Centre (CCIRC). Its purpose is to inform people of the specifics of ransomware: its characteristics, its prevalence, its rapidly growing number of variants, and some helpful advice to users on how they can prevent and reduce the threat of ransomware.
What is Ransomware?
Ransomware is a type of malware that infects a computer system and blocks users from accessing their files. The only way the user can regain access to the affected files is by paying a ransom fee, usually in a virtual currency called Bitcoin. The user is generally notified by an on-screen alert stating that the user's system has been locked and that a ransom must be paid in order to restore the affected files.
How Can I Become a Victim of Ransomware?
Most of the time ransomware is embedded in an attachment or link of a phishing email. Ransomware can be triggered either by opening an attachment or through drive-by downloading. Drive-by downloading is when a user unknowingly clicks on a link to a rogue website that contains ransomware. The ransomware is usually installed on the system without the user's knowledge.
One variant of malware is crypto ransomware. Crypto ransomware encrypts files through similar methods and is also known to spread through social media channels, such as web-based instant messaging applications like WhatsApp or Facebook Messenger. Furthermore, newer and more advanced versions of ransomware infections are beginning to surface. For instance, vulnerable web servers have been used as an access point to gain entry into an organization's network.
How Does This Work so Well?
The people who develop ransomware use social engineering tactics to manipulate victims into their trap, generally by instilling fear and panic. Typical ransomware messages look like the ones below:
- “Your computer has been infected with a virus. Click here to resolve the issue.”
- “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
- “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”
The Rise of Ransomware
Ransomware is incredibly profitable for cyber criminals. In 2012, Symantec’s research from a command and control (C2) server uncovered that 5,700 computers were infected in one day and that 2.9% of users paid the average ransom fee of $200, which meant the profit made by the cyber criminals was $33,600 per day or $394,400 per month all from one C2 server. The estimates provided by Symantec just show how ransomware might appeal to cyber criminals based on the considerable profits that can be made in such a short space of time.
The success stories of ransomware criminals have led to a rapid increase in ransomware variants. The following year saw more advanced and lucrative ransomware variants surface, such as Xorist, CryptorBit, and CryptoLocker. A number of variants are known to encrypt not only the user's local files but also the contents of shared or networked drives. These variants are considered especially pernicious because they encrypt users' and organizations' files and render them useless, leaving the victim very little choice but to pay the ransom.
Healthcare facilities and hospitals also fell victim to another variant called Samas. Samas differs from Locky in that it spreads through vulnerable web servers. Once a server was compromised, the uploaded Samas files were used to infect the organization's network.
Links to Other Types of Malware
When a system has been infected with ransomware, it can also be infected with other types of malware. A prime example is CryptoLocker. Opening a malicious attachment from an email is typically how a system is infected. The attachment carries a downloader called Upatre. Upatre infects the system with GameOver Zeus. GameOver Zeus hijacks bank account details along with obtaining other types of important data. Once GameOver Zeus has infected the system, CryptoLocker is downloaded. CryptoLocker finally encrypts important files on the system and demands a ransom fee.
The close relationship between ransomware and various other types of malware was demonstrated by a botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker. In the summer of 2014, an international law enforcement operation succeeded in weakening the infrastructure of both CryptoLocker and GameOver Zeus.
The home user is not the only one affected by ransomware; businesses also fall victim to it. Damage caused by a ransomware email can include the following:
- Financial loss
- Loss of crucial data
- Damaged reputation
- Disruption of operations
It might be assumed that paying the ransom fee is the only way to restore your systems to working order. In many cases, however, the malicious actor will not decrypt the files even after the ransom fee has been paid.
“Paying a ransom doesn’t guarantee an organisation that it will get its data back—we’ve seen cases where organisations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organisations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organisation might inadvertently be funding other illicit activity associated with criminals.”
FBI Cyber Division Assistant Director James Trainor
Unfortunately, there is no technical solution to phishing emails that contain ransomware. Because they work through social engineering, it is impossible for any software to identify a well-crafted phishing email. The only solution is training. Being able to recognize all the elements of a phishing email when it presents itself could save you or your company from great financial and data loss.
To learn more about how we can protect you, visit our Full Stack Email Security page here.