In the hostage ransom consulting business, when a ransom request is made, the victim's family typically asks for a "proof of life." This is to ensure that if the ransom is paid, their loved one will be safely set free.
Unfortunately, when it comes to ransomware, there is no such "proof of life." There is no plea you can make to malware criminals that can safeguard your data from further loss or successfully restore encrypted files.
In this piece, we continue to look at cyber threats – the malicious activity that is sure to "rub you raw."
Today, cyber-crime is all the rage. One of the most significant and growing forms is "ransomware."
Ready or Not, Here Comes Ransomware
As children, we played hide and seek – closing our eyes and counting to 20, 50 or even 100. As the other kids went to hide, we would loudly shout out, “Ready or not, here I come.”
If you haven’t already played the ransom game on your computer, this article is intended to give you a "shout out" just like in that universal kid game.
So, “ready or not, here comes ransomware.”
Some of you may recall that I wrote a short article on this topic a little more than two years ago, just as there was a tremendous surge in the emergence of CryptoLocker. So now, you probably wondering why I'm doing it again.
The reason is simple – the vulnerability of ransomware attack is on the rise. And, there doesn’t seem to be an end to the new variations and forms impacting our computers.
Ransomware is the term for any malicious software that demands a ransom be paid by the computer’s user. It is based on the premise that you're willing to "pay a ransom" to undo the damage the ransomware has done (or may do) to your computer and/or your data.
For example, it might have encrypted your documents or other files and demanded you pay a ransom to access them.
In the case of many ransomware attacks, there is a deadline for payment. If you don’t pay up in the time allowed, you could permanently lose access to your files. But file-encryption isn’t the only malicious act that ransomware may produce. There also is lock-screen ransomware, which locks your computer and prevents you from doing anything until the ransom has been paid.
From a law enforcement perspective, there isn’t much you can do on a local level. In fact, some police departments may tell you that it isn’t worth their time to come out and file a report. In many jurisdictions, the value of a single Bitcoin, commonly required as an initial ransom, wouldn’t even qualify the offense as a felony, even if the crime could be prosecuted at the local level.
While the U.S. Government, working with other countries and private security experts, has managed from time to time to seize some computers originating and spreading ransomware, there seems to be new or variant forms of the ransom demanding malware programs exploding every month or so.
Many appear to originate on servers off-shore or in several countries overseas.
When Ransomware Strikes Your Computer
Most ransomware takes the form of a filecoder, with CryptoLocker and CryptoWall the two most notorious ones. CryptoLocker ransomware began impacting Windows Operating System users back in September 2013.
CryptoWall, a variant of CryptoLocker, appeared a month or two thereafter. Both are members of the “Crilock family of ransomware,” which is the focus of this article.
These ransomware programs encrypt certain files on your computer use a variety of encryption methods, including RSA & AES. Once they have encrypted your files, they display their “red screens of ransom” that demand payment to decrypt your files.
Cryptolocker
This red screen (shown above) includes a countdown clock that gives you a specified number of hours, typically either 72 or 96, to pay the ransom. If you have not paid the ransom by the end of that time, the program will permanently delete the encryption key used to encrypt your files.
The result: There is no way for you to decrypt your files.
These filecoder programs usually demand that ransoms be paid using a specified number of Bitcoins. Early on, when Bitcoin prices were in the $200 range, the programs may have required you to pay a two or three Bitcoin ransom.
Currently, some infected users report ransoms as low as a single Bitcoin worth approximately $630 (at the time this article was published). Once you send the Bitcoin payment, and the payment is verified, the ransomware programs provide you with steps to get your files decrypted.
Crilock ransomware is spread via emails sent to company email accounts. Typically, these emails appear as customer support related messages from companies like FedEx, UPS, DHS, and others. The emails contain an attachment, disguised as a PDF file, which when opened immediately infects your computer with the malware that begins the process of encrypting your data in the background.
Next, it displays a ransom message stating it has finished the encryption process.
In other instances, websites have become infected with forms of these filecoders users, which download programs or infected documents (again PDF is a typical source) that take over your data. Infections not only impact local hard drives, but also mapped drives such as Google Drive or Dropbox.
When CryptoLocker was first released, it was distributed by itself. But many people recently infected by Crilock ransomware report that the infected emails or downloads contain other malware infections as well.
If you discover that your computer is infected with any ransomware, the first thing you should do is to isolate your computer from your network. But you still need to maintain internet connectivity. Isolating the computer from network resources can prevent the encoder infection from spreading to other computers and network resources where it could encrypt any files it can access.
Some people who have been impacted by ransomware variants have reported that once the network connection is disconnected, the ransom demand screen almost immediately displays on the original computer.
You are not advised to remove the infection until you decide if you want to pay the ransom.
Other than paying the ransom, the only methods you have of restoring your files is from a backup or shadow volume copies (if you have System Restore enabled). But be aware that some newer variants of Crilock ransomware will attempt to delete resident shadow copies. To note, these attempts are not always successful.
If you don't have System Restore enabled on your computer or reliable backups, you will need to pay the ransom to get your files back.
If you do not intend to pay the ransom, contact an experience IT professional to assist you with removing the malware, cleaning your computer and restoring your data via some safe source, assuming you have pre-contaminated backups of all affected files
Many anti-virus programs may be configured to delete the Crilock ransomware executables after the encryption started. In these cases, you could be left with encrypted files and no way to decrypt them.
Impacted users report that some versions of this malware now set your Windows wallpaper to a message that contains a link to a decryption tool you can download to pay the ransom and obtain the decryption key and tool. Users impacted in this way report that this download will allow you to decrypt your encrypted files.
Crilock ransoms typically require one or more Bitcoins. When it comes to paying the ransom, the software generates a unique Bitcoin payment address for each instance of an infection. This continual address change approach, along with the fact that Bitcoins are not a regulated form of currency, makes forensic investigation of this crime a nightmare for authorities.
Cryptolocker bitcoin demand
Bitcoins currently are valued at $600 (U.S.) or more. Unless you already have a Bitcoin account, it may take you up to two days to establish an account and acquire Bitcoins from an exchange to pay the ransom. That means you must decide quickly if you want to pay the ransom.
Some persons infected with Crilock ransomware report they could select GreenDot MoneyPak as an alternative form of payment in lieu of Bitcoins. MoneyPak can be purchased from many retail locations, including some convenience stores, chain pharmacies, major retailers and grocery stores.
Perhaps Crilock developers are becoming less picky about the method by which ransoms are paid, and are accepting easier options to facilitate payments from those they hold ransom.
It should be noted that neither of these payment systems (Bitcoin or MoneyPak) are in any way associated with the threats.
Upon paying the ransom, Crilock ransomware displays a screen stating your payment is being verified. This verification process can take a few hours to complete. Failing to follow the steps or entering the wrong information can have serious effects. The malware even displays a "courtesy warning" (shown below) stating the implications of entering an incorrect payment code. (It is as if they intentionally are out to rub you raw.)
Cryptolocker Decoder
Once the verification has completed, a link will be displayed where you can download a standalone decrypter containing you’re the unique decryption key stored within filelocker. The decrypter then must be used to detect and decrypt the previously encrypted files. Infected users report that the decryption process can be lengthy, depending upon the number of infected files.
In some instances, the decryption process may report an error stating that one or more specific files cannot be decrypted. Some infected users who paid the ransom report that the decrypter continued to decrypt the rest of their files, even though it experienced the decryption error with certain files.
Will You Be the Next Ransomware Victim?
More than 350,000 people and businesses within the United States alone, many of which are small businesses, have been impacted by Crilock ransomware demands within just the last two years.
In some cases, these victims report having been the subject of even second and third attacks. Each subsequent attack required a higher ransom than the one before.
To prevent ransomware attacks, like Crilock variants, make sure you're using up-to-date security software to protect your computer from malware. Since many threats target vulnerabilities in your computer’s operating system, it's essential you regularly update your computer’s software.
In the case of Crilock, Microsoft is the impacted operating system, so make sure you keep your Microsoft software updated with the latest security releases.
It also is important to understand how threats like Crilock invade your computer. Most malware arrives via an email attachment. You should never open an attachment from someone you don’t know. All email should be screened by your security software prior to viewing/opening.
Websites can contain malware and install it on your computer when you visit them, so never open webpage links you don’t recognize.
Insure your firewall is properly configured to help prevent malware infections by stopping suspicious programs from accessing your computer or blocking any malware already on your computer from accessing the internet.
Many malware threats need full access to your computer to run properly. By limiting user privileges and making use of regularly changed passwords, you can go a long way in stopping malware and unwanted software from installing themselves on your computer or changing the way your computer works.
Unless you're prepared to "pay the ransom," you must protect yourself against ransomware.
Do it today.