Understanding Ransomware: An Overview

February 8, 2017 | Adeline Zhang

Author: Stephen Gates, Chief Research Intelligence Analyst

Ransomware: The Human Touch

As a security professional, I often get asked about the latest threats. Most consumers don’t understand the difference between viruses, worms, Trojans, spyware, adware, scareware, malvertising, phishing, etc. Sometimes, even those of us in the field see it all as malware. Basically, it’s all malicious code.

And then there’s Ransomware. For many people this one stands out, because even without knowing the technical details, they understand this strain of attack: they must pay a ransom to prevent their information from being stolen and misused.

So for all those concerned, here’s a short primer on the realities of Ransomware. Users are right to be concerned, but there are key aspects that need greater examination.

First, a user computer protected by a firewall cannot become infected by Ransomware. Thanks to Stateful Packet Inspection functionality, firewalls block all unsolicited inbound traffic. This means that it takes a human being to cause or initiate an infection.

Now, let’s acknowledge that all operating systems, applications, computing devices and even we humans have undiscovered vulnerabilities. Hackers and researchers alike spend countless hours looking for new ways to exploit them. Computer exploits are typically pre-packaged applications cleverly created to take advantage of known, and previously unknown, vulnerabilities. Researchers share their findings with the security community to protect unwitting victims, while hackers share theirs with other criminals.

One simple way of getting infected by Ransomware is unknowingly going to a malicious website. Phishing attacks are very successful; victims often report they clicked on a link in an email, social media site, popup, etc. This is when the process of infection begins. When a user clicks on a link, it redirects the browser to a malicious website where attackers have pre-installed an exploit pack. Some exploit packs are bought and sold through underground hacking sites; some can be had for free.

When you click on a link, the malicious website instantly learns which browser and version you’re using, which media player plugins it has, and many other attributes. That helps the site pick the exploits most likely to work against you: basically, the ones that can do the most harm.

An exploit often carries additional code that achieves remote code execution. This code allows the attacker to gain remote access to your system, even while it’s protected by firewalls. The code can also instruct your computer to download additional malicious software: a key logger, an exploit pack, botnet command and control software, and even the dreaded Ransomware.

And remember, this is all happening behind the firewalls. The human activity allowed the entry.

Once your computer is compromised, the attacker begins moving laterally. The attacker exploits and compromises nearby computers, servers, databases, logging systems and even other security technologies. While the virus is inside the computer, it can install Ransomware not just on your machine but others that are similarly compromised. And since it’s happening behind the firewall, security personnel overlook it.

Another infection route that delivers Ransomware is the dreaded Trojan. Remember the classic story behind this name? The people of Troy thought they were getting a gift from the defeated Greek soldiers; instead, it allowed Greek soldiers to get inside the city gates and cause mayhem. A Trojan program works the same way. Let’s say you’re surfing the Internet and a pop-up window shows up, telling you about some cool free software. You click, you get malware, and it features Ransomware.

Another tactic functions as ‘scareware.’ Again, you’re online and a popup window shows up. In this case, it says the computer is infected, or the anti-virus software is out of date, or the media player needs updating. You click the link, and... you can guess the rest.

For the record, even tech-savvy pros working in security can fall for some of these scams. Yes, I’m talking about me. I fell for the media player update tactic a few years ago, and it took me days to get rid of the malware. I hope this illustrates one critical aspect of Ransomware: We’re bringing it on ourselves. Good security software does a lot, but the human touch is vital too.

Avoiding Ransomware

Businesses and consumers are all looking for ways to protect themselves from Ransomware. The first step involves education and training. Knowing how a computer becomes infected with malware goes a long way toward avoiding these infections. From the explanation above, the dreaded click is the catalyst that begins most infections.

Avoid going to questionable websites. Remember, nothing is free. If a website provides loads of free pictures, free content, free applications, and free downloads, it’s very likely the site is providing lots of free malware as well. No one would buy a server, purchase internet access, build a website, and provide web content without having a way to make money from it. Remember, malware infections often result in someone profiting.

Inspect every link before you click. Do you know where the link is going? Did the link come from someone who is reputable? Is the link misspelled? Is the link full of special characters? Is the link longer than what is normal? I saw one in an email the other day that was going to www.yhoo.com. Obviously the link did not come from Yahoo.
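As an added illustration of the link checks listed above (example code, not part of the original post), here is a small Python function that applies those heuristics to a link before it is clicked; the trusted-domain list and the length threshold are assumptions chosen for the example:

```python
from urllib.parse import urlparse
import re

# Constructed allow-list of sites the reader actually uses (an assumption for
# this example); in practice this is the reader's own list of trusted domains.
KNOWN_DOMAINS = ("yahoo.com", "google.com", "microsoft.com")
MAX_REASONABLE_LENGTH = 100  # assumed threshold for "longer than normal"

def registered_domain(host):
    """Last two labels of a hostname: 'www.yhoo.com' -> 'yhoo.com'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def inspect_link(href, display_text=None):
    """Apply the post's link checks to one link; return a list of warnings."""
    warnings = []
    parsed = urlparse(href if "://" in href else "http://" + href)
    host = parsed.hostname or ""
    domain = registered_domain(host)
    # Misspelled domain: close to a trusted name but not equal to it
    if domain not in KNOWN_DOMAINS:
        for known in KNOWN_DOMAINS:
            if edit_distance(domain, known) <= 2:
                warnings.append(f"lookalike domain {domain!r} resembles {known!r}")
                break
    # Special characters: '@' (hides the real host), '%' escapes, backslashes,
    # many hyphens, or a raw IP address instead of a name
    if re.search(r"[@%\\]", href) or host.count("-") > 2 or re.fullmatch(r"[\d.]+", host):
        warnings.append("unusual characters or raw IP address in link")
    # Longer than normal
    if len(href) > MAX_REASONABLE_LENGTH:
        warnings.append(f"link is {len(href)} characters long")
    # Displayed text names one site while the link actually goes elsewhere
    if display_text:
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", display_text.lower())
        if shown and registered_domain(shown.group(0)) != domain:
            warnings.append(f"text shows {shown.group(0)!r} but link goes to {host!r}")
    return warnings
```

Running `inspect_link("http://www.yhoo.com/login")` flags the lookalike of yahoo.com from the post, while a genuine yahoo.com link returns no warnings.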

Protection & Recommendations

I know we’ve all heard it time and time again: update, update, update. This is always good advice. However, many people do not know what to update. Updating the operating system and all applications is not completely automated in many cases. I make a point to check for updates at least once a week for my operating systems, applications, browsers, media players, PDF reader, Java, and anti-virus. If you don’t update and you’re infected, then it’s really your own fault. Drive-by downloads take advantage of those that don’t update.

Try to avoid using free Wi-Fi hotspots when traveling with your computer. Many of them are completely unsecured. If you do connect to these hotspots, ensure that your computer firewall is blocking all incoming traffic. Remember, when traveling, your computer is no longer protected by your corporate firewalls. If you’re not sure whether your computer firewall is configured correctly, talk with a security professional or spend the time to ensure it is. Often, malware will attempt to disable your computer firewall, or open up holes you’re not aware of.

Avoid using computers in hotel lobbies, libraries, or any other places that have free computer access. If you log into your email, airline website, or corporate network from a hotel computer, how do you ensure that your login and password are not being captured by the hotel computer, or by the hackers that are running it?

Use strong passwords on everything. My passwords are huge. They are often the length of a short sentence with special characters, capital and lower case letters, and numbers. The longer a password, the longer it takes to crack it. Never write your password down on a sticky note and tape it to your computer.

Create and secure a restoration image of your new computer when you first purchase it, ideally before you ever connect to the Internet. This will ensure you have a default image of your computer if it ever becomes unusable. I save my restoration images to an external hard drive and store the drive in a safe.

Back up your systems daily. I use a cloud service that continuously backs up my computer when anything changes. The process runs in the background and in most cases does not affect performance. If my computer became infected with Ransomware, I would reinstall the restoration image and download my files and applications from the cloud. The process would take a few hours, but I wouldn’t have to pay the alternative.

Finally, if you are a victim of Ransomware, contact your local FBI office. Their job is to help investigate these types of crimes. The information they can gain from you may make their job easier when tracking down these perpetrators. The FBI is interested in finding patterns of criminal activity that help in their investigations. Your problem may actually help with an ongoing analysis.