It’s important to note that not all ransomware operates the same way. The file-encrypting type is probably the most dangerous. Not only have you lost access to your own files, but this data often contains confidential material, and the perpetrators technically do have full access. The issue is made worse however because paying the ransom offers no guarantee that the files will be unlocked. Ultimately, making frequent backups is by far the best defence against ransomware.
Since the average figure demanded is relatively low, usually only a few hundred dollars, the attackers tend to spread the attack quite far, and just randomly to maximise their potential gains. These are usually in the form of emails with malicious attachments, or links to malicious websites.
Common Ransomware Families
We continue to see sustained distribution of many well-established ransomware families used in mass infection campaigns. In many cases these renowned variants, such as CryptoWall and TorrentLocker, spawned updated versions with improved encryption capabilities and obfuscation techniques. These established attacks will continue to be a significant threat to global enterprises as malware functionality, encryption techniques, and counter-mitigation measures are adapted and introduced into new versions. Examples include:
- TorrentLocker: Throughout 2015, we’ve seen the continued distribution of TorrentLocker, a ransomware attack based on both CryptoLocker and CryptoWall. TorrentLocker has been active since at least early 2014 and is most often used in geographically-specific spam campaigns.
- CTB-Locker: CTB-Locker – a name that represents the key elements of the ransomware, Curve (for Elliptic Curve Cryptography), Tor and Bitcoin, was first reported around mid-2014 and remained steadily active throughout 2015. During this time, we saw many campaigns spreading CTB-Locker and its variants, including CTB-Locker distributors capitalising on the free upgrade to Windows 10. They did this by sending out emails masquerading as Microsoft emails offering the upgrade.
We have also seen several new ransomware variants that use a range of new tactics. Based on increased growth, we expect ransomware developers to continue developing variants with novel features in order to expand their targets
- Chimera: The operators behind the Chimera ransomware used the malware to encrypt victims’ files, but also threatened to publish the encrypted data if victims refused to pay the ransom. The attackers targeted German-based small and mid-sized businesses in mid-September 2015.
- LowLevel04: Operators of LowLevel04 purportedly spread their ransomware using the less commonapproach of exploiting Remote Desktop and Terminal Services.
- Linux.Encoder.1:Linux.Encoder.1 debuted in late 2015 as one of the first ransomware variants targeting Linux web-based servers. While the encryption capabilities in the early versions proved to be suspect, many reports alleged faults in its predictable encryption key. The targeting associated with this branch of malware family is far from more traditional Windows-based attacks.
Where to from here?
We expected to see the ransomware threat landscape increase from levels observed in 2015, and sadly we have been right. Cyber extortion has gained notoriety and momentum, with huge profits from highly publicised campaigns spreading among cyber criminals. Recent campaigns in which victims paid the ransom reinforce the success and popularity of this particular attack method.
One of the most worrying threats is the deployment of ransomware after the attackers have already had access to the network. In these cases, attackerscould conceivably conduct reconnaissance and even disable or delete backups, or identify systems that are most critical to an organisation’s operations before deploying the ransomware. To increase the difficulty of such an attack, enterprises are encouraged to properly segment networks and implement strong access controls. In addition, companies should evaluate backup strategies regularly, and test those backups to ensure that recovery is successful. As always, “offline” copies of backups should be stored offsite in case onsite backups are targeted.
Overall, the best way to stay protected is through education. Emails that insist you change settings so you can read them, or ask you to follow a links to access information should be heavily scrutinised. Do you know the sender? Is it likely that person would be trying to share files with you that require you accessing a website to get them? Commonly we say the malicious emails appear from a courier company, or Australia Post telling you a package is waiting for you, and click here fore details etc. Also we have seen emails claiming to be from the Australian Federal Police (AFP) asking you to appear in court. We have also seen others appearing to come from your local council and is referring to parking fines and things like that.
Make your staff aware of the real risks of an infection like this, and encourage them to not take the risk opening those attachments.
As soon as you notice the infection, shutdown your PC. If you are on a network and you leave the system running, these infections will spread to the server rendering that data useless. The sooner the infected machine is switched off, the less impact it will have.