4 min read

How Does Ransomware Work? The Ultimate Guide to Understanding Ransomware - Part II

Alexandra GHEORGHE

May 28, 2015

How Does Ransomware Work? The Ultimate Guide to Understanding Ransomware - Part II

Now that we`ve been introduced to ransomware, let`s see how it spreads and infects machines.

How does it enter systems?

Common penetration techniques include:

  • Spam and social engineering
  • Direct drive-by-download or malvertising
  • Malware installation tools and botnets

When ransomware first hit the scene a few years ago, computers predominantly got infected when users opened e-mail attachments containing malware, or were lured to a compromised website by a deceptive e-mail or pop-up window. Newer variants of ransomware have been seen to spread through removable USB drives or Yahoo Messenger, with the payload disguised as an image.

article-2b

CTB Locker, the ransomware making headlines and victims right now, spreads through aggressive spam campaigns. The email poses as a fax message which carries a .zip archive as an attachment. If the executable file inside the zip file is accessed, the data on the system is encrypted and the victim is asked to pay a ransom to receive the decryption key. Read more about CTB Locker.

But the latest variants can be re-engineered to propagate themselves without human action. We`ve recently seen an increasing number of incidents involving the so-called “drive-by” ransomware. Drive-by download attacks are launched from compromised websites or through malicious ads and usually exploit vulnerabilities in browser plugins like Flash Player, Java, Adobe Reader or Silverlight. The tools used for such attacks have the functionality to achieve privilege escalation. Privilege escalation exploits allow attackers to execute malware programs with administrator or system-level privileges instead of using the victim’s local user account, which might be restricted.

Modus Operandi

Each ransomware variant can be engineered to operate differently. However, common traits include fairly complex obfuscation and covert launch mechanisms meant to avoid early antivirus detection. This means the malware wants to stay hidden and thus, uses techniques to thwart detection and analysis”including obscure filenames, modifying file attributes, or operating under the pretense of legitimate programs and services. The malware`s additional layers of defense leave the data unreadable, which make the process of reverse engineering very difficult.

article-2c

It`s worth adding that ransomwareËœs communication protocols have been upgraded from plain text (HTTP) to Tor and HTTPS, making encrypted calls to C&C servers almost impossible to track through network traffic monitoring. File encryption has also been revamped to use crypo-libraries that perform strong, asymmetric cryptography rather than using short-length keys or hard-coded ones. Earlier samples such as Cryptolocker and Cryptowall first contact the server and perform encryption afterwards, for instance.

To get a better idea of how ransomware works, let`s examine Cryptolocker. Cryptolocker ransomware gets installed by a Zbot variant (Trojan used to carry out malicious tasks). After execution, it adds itself to Startup under a random name and tries to communicate with a command and control server. If successful, the servers sends a public key and a corresponding Bitcoin address. Using asymmetric encryption (a public key to encrypt and a private key for decrypting files) Cryptolocker begins encrypting more than 70 types of files that might be present on the victim`s device.

article-2a

Here’s how encryption works, briefly:

encryption

Source: Microsoft

Meanwhile, a variety of messages and instructions ” often localized – are displayed on the user`s home screen.

cryptolocker

Infected users are instructed to pay a fee for the private key stored on their servers – without it, decryption is impossible. When the ransom is paid, decryption will start and a payment verification screen will be displayed. After decryption ends, the Cryptolocker files are deleted.

Note: Don`t take hackers` word for it, paying the ransom does not guarantee that you can recover your files.

Who are the victims?

Ransomware doesn`t just impact home computers. Businesses, financial institutions, government agencies, academic institutions and other organizations can and have been infected with ransomware. Such incidents destroy sensitive or proprietary information, disrupt daily operations and, of course, inflict financial losses. They can also harm an organization`s reputation. Attackers aim at targeted files, databases, CAD files and financial data. For example, Cryptolocker was used to target more than 70 different file extensions, including .doc, .img, .av, .src, .cad.

“Ransomware is a very challenging threat for both users and antimalware companies, boosting impressive capabilities and an unprecedented success rate in extorting money from its victims,” says Cătălin CoÈ™oi, Bitdefender Chief Security Strategist.

Stay close for Part III, to learn about the best ways to protect your data from ransomware.

tags


Author



Right now

Top posts

Ultimate Privacy Guide for Your Facebook Account

Ultimate Privacy Guide for Your Facebook Account

August 31, 2021

6 min read
7 Signs It’s Time to Use Parental Controls On Your Family’s Devices

7 Signs It’s Time to Use Parental Controls On Your Family’s Devices

August 27, 2021

2 min read
Your Netflix Account May Be on Sale on Darkweb. Protect It

Your Netflix Account May Be on Sale on Darkweb. Protect It

August 13, 2021

3 min read
E-mails claiming your computer was hacked and your privacy exposed - what you need to know (spoiler: you can relax - they’re bluffing)

E-mails claiming your computer was hacked and your privacy exposed - what you need to know (spoiler: you can relax - they’re bluffing)

July 29, 2021

5 min read
Watch Out for These Ongoing Bank of America Phishing Campaigns Targeting Customers in the US

Watch Out for These Ongoing Bank of America Phishing Campaigns Targeting Customers in the US

July 16, 2021

3 min read
How to protect yourself against cyberstalking

How to protect yourself against cyberstalking

July 06, 2021

2 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Do Mobile Security Solutions Really Work or Are They a Scam? Do Mobile Security Solutions Really Work or Are They a Scam?
Filip TRUȚĂ

September 17, 2021

2 min read
Microsoft Drops Password Authentication for Most Products Microsoft Drops Password Authentication for Most Products
Silviu STAHIE

September 16, 2021

1 min read
Apple Rolls Out Urgent Patch for Zero-Day Flaws in iOS, macOS and watchOS Apple Rolls Out Urgent Patch for Zero-Day Flaws in iOS, macOS and watchOS
Filip TRUȚĂ

September 14, 2021

2 min read