SE Labs

Special Edition
Comment and analysis from SE Labs

Ransom-ware: Can pay, won’t pay

The FBI’s Joseph Bonavolonta had some shocking news about ransomware for Boston’s Cyber Security Summit last October. “To be honest,” he said, “we often advise people to just pay the ransom.”

Cyber-security blogs everywhere exploded at the advice, but a lot has changed in the past six months. A constantly-evolving array of ransomware campaigns roam free, “taxing” online life. One big problem is that there’s no way of knowing what the ransom payments are being used for.

Is the money funding a criminal’s easy life? The development of even worse malware? ISIS, perhaps? After further thinking the FBI is now telling people not to pay up.

The question for most of us is, what happens if you don’t pay? To find out, we infected a specially-prepared Windows test system.

Infection time

When we test anti-malware products we find the latest threats that we believe affect most people. These are often automatic ‘drive-by’ attacks, that use exploits to install malware such as ransomware on victims’ computers without requiring user interaction. You just have to visit the site and the attack starts and runs to completion. No clicking required.

reboot-3566666

For this demonstration we exposed our target, which was not running anti-malware software, to an infected website. After a few minutes of apparent inactivity a pop-up message explained that svchost.exe needed to be installed. We clicked to accept the change and… Bingo! An infection swiftly ensued, turning all of our important files to gibberish and leaving them sporting the dreaded .crypt file extension.

In the background the malware also scanned the local subnet for any other unprotected file shares. This being a test network, there were none, but in a real situation every file you can access on your local network can also potentially be accessed by ransomware. Your movie collections or business files stored on a Network Attached Storage (NAS) device are definitely at risk.

This knowledge is vital when assessing the extent of an attack. If your smartphone is plugged in, it could be at risk. Your carefully curated media server could also be affected, as could your cloud storage.

Reboot!

infected-6119093
Rebooting revealed the full horror of the machine’s plight. As soon as the Desktop appeared, so did a pop-up unexpectedly asking us to run an installation package. Running, cancelling or dismissing the installation always led to the same result: a ransom note displayed in both the web browser and Windows Photo Viewer. The note explained what had happened and threatened what will happen if we didn’t do exactly as instructed (spoiler: the price goes up!). It also contained a set of links to the data-nappers’ web site to read detailed instructions for how to pay.

Assessing the Damage

The object of the exercise was to find out what would happen if I were to simply ignore the ransom note and carry on using the machine, so it was time to take stock.
All of our files had been turned to cryptographic porridge. However, the operating system still seemed to be running smoothly. Screen dumps of the ransom note could still be saved and read, as could the other documents we created, implying that there was nothing in the background encrypting newly-created files.
The kidnapping part of the ransom operation was seemingly over.
Of course, there may have been a rootkit lurking somewhere, ready to spring into life if no ransom was paid after a certain date. To test this hypothesis, we set the system clock forwards several weeks and rebooted. Nothing new happened, but without running some forensic tests we’d never be sure.
All that seemed to be left was the demand for money, triggered from the Startup menu every time we logged in. Deleting the relevant Startup entries stopped the ransom note from appearing, but that still left us with no way to access any of the encrypted files, and we couldn’t truly trust the operating system any more.
Ransomware doesn’t have to hang around causing more trouble for its hapless victim. It’s done its foul work and the criminals behind the campaign simply had to wait for the Bitcoins to come rolling in. Other than paying up, our only hope would be that a researcher or anti-malware company has developed a decryption tool for our particular infestation. The development of decryption tools, however, is causing some ransomware developers to revert to locking the entire computer rather than allowing you to see the locked files for yourself.

Protect and Survive

The FBI is right to change its stance on ransomware. Paying up fuels the epidemic and the easy money is attracting criminals like flies around you-know-what. The number of ransomware domains, according to reports, increased by 3,500% in Q1 of 2016 alone and the situation looks like getting worse.
For example, in the past few days Microsoft announced the existence of a ‘ransomworm’ called ZCryptor. Its payload is contained within emailed Microsoft Office documents. Once delivered, it also installs itself on any USB devices it finds plugged into the victim’s computer and alters the autorun information on the device. It will then try to infect any system into which the USB drive is subsequently plugged.

10 ways to stay safe

As usual with online security, prevention is far better than trying to find a cure, but such measures only make sense if you take steps before the fact:
  1. Install a good anti-virus product. Our reports show which are the most effective for businesses and home users. Our work is independent and we only test against current threats, which we catch ourselves in-house.
  2. Educate yourself to treat everything in your inbox as a lie. Even if the sender is known to you, double-check with them before opening attachments.
  3. Switch on automatic updates for all software, including Windows, your antivirus software, your browser, Java, Adobe products, etc.
  4. Regularly download a boot-able rescue disk from your chosen anti-malware provider and let it run overnight to thoroughly examine your computer. Most rescue disks will boot from USB.
  5. Never install ‘updates’ just because a website tells you to. This type of trickery is a very common infection vector for ransomware.
  6. Consider installing a browser plug-in such as the excellent NoScript for Firefox to prevent JavaScript from automatically running from unknown domains without your explicit say-so. And consider disabling Java in your browser.
  7. Don’t download cracked copies of commercial software, ebooks or media. Again, this is a very common infection vector.
  8. Never use a USB drive you find in a public place. You simply can’t trust them or their content. 
  9. Ransomware will try to infect every share to which it can write. Only mount shares as and when needed, and always protect them with passwords. If you don’t need write access, mount as read only.
  10. Above all, get into the habit of performing regular backups to removable media. For a home user, a backup is as simple as dragging and dropping a folder structure (and ejecting afterwards!) onto a freshly quick-formatted USB drive. Use two USB drives and swap between them.
Author: Jon Thompson (Email: jon@selabs.uk; Twitter: @jon_thompson_uk)

Posted on June 3rd, 2016 by and tagged , ,

About

SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.

Contact

SE Labs Ltd
Hill Place House
55A High Street
Wimbledon
SW19 5BA

020 3875 5000

info@selabs.uk

Press