After talking with a friend whose business was recently hit by a computer virus, and given how much more common this type of attack has become, I wanted to assemble some information to bring people up to speed, cover some quick fixes that have not yet been compiled in one place, and speculate on what this may mean for the future of malware as the scope of the internet keeps widening.
What is Ransomware?
Perhaps the most memorable cyber-hold-up in recent history involved the theft of enormous amounts of data from Sony in December 2014. We may remember the embarrassing details from emails, exorbitant executive salaries and leaked social security numbers of tens of thousands of employees that made the news cycle. What may be less apparent in recent memory is that the hackers offered Sony the chance to squelch the leak by acquiescing to its demand for cash.
The concept seen in the Sony attack is the same one behind the ever more frequent hijackings of small-business and personal data. The most prevalent type of ransomware infects your computer through a malicious link or email and uses strong encryption to lock important files on it. Often the only resolution is to give in to the demands of the malicious program and pay the ransom (typically in the range of $300-10,000). It is the equivalent of a shady character kidnapping your family photo album, work contacts and important work files while promising to return them if you drop a certain amount of ‘unmarked cash’ in a dark alley.
How do they get away with it?
Hackers use many sophisticated techniques to mask their location, then deal exclusively in Bitcoin, along with services like Bitcoin tumblers, to anonymize their money trail. As the success rate of these attacks increases, so does their sophistication. Security experts who have analyzed the viruses consider the techniques used to obscure their methods and collect payment to be at a level “worthy of any legitimate development in the corporate world” (Rick Howard, Palo Alto Networks). The following diagram explains the flow of the attack from beginning to end:
One version of ransomware, Cryptowall 3.0, is reported to have extorted over $325m so far. The newest version of Cryptowall uses one of the strongest available encryption algorithms, RSA-2048, which is impossible to crack with conventional technology. The details are quickly lost in technical jargon, but an (over-simplified) way to picture it is a very large combination lock on a safe with a numerical keypad. Encryption works by generating a (pseudo)random key using an encryption algorithm, in this case 2048-bit RSA. RSA-2048 is the largest of the RSA challenge numbers and carries a cash prize of $200k for anyone who can factor it into two primes. The number used to create the key is uncrackable because of how large it is: 617 digits.
RSA-2048 = 25195908475657893494027183240048398571429282126204032027777137836043662020707595556264018525880784406918290641249515082189298559149176184502808489120072844992687392807287776735971418347270261896375014971824691165077613379859095700097330459748808428401797429100642458691817195118746121515172654632282216869987549182422433637259085141865462043576798423387184774447920739934236584823824281198163815010674810451660377306056201619676256133844143603833904414952634432190114657544454178424020924616515723350778707749817125772467962926386356373289912154831438167899885040445364023527381951378636564391212010397122822120720357
Computers are very good at solving complex math problems, but even the most powerful supercomputers cannot brute-force their way through a number that large. In short, the encryption technology behind most ransomware is unbeatable. That is why it is important to get ahead of this growing problem and protect against ransomware attacks.
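To make the scaling argument above concrete, here is an added example (my own code, not from the original post or from any ransomware analysis) that runs textbook RSA on a deliberately tiny key, recovers the private key by factoring n with trial division, and measures the RSA-2048 number quoted above. The toy primes 61 and 53 and the public exponent 17 are arbitrary choices for illustration; real keys are built from two primes of roughly 1024 bits each.

```python
# Added example (not from the original post): textbook RSA at toy size next to
# the RSA-2048 challenge number quoted above. It shows that recovering the
# private key without being given it means factoring n, and how the cost of
# the naive attempt (trial division) scales with the size of n.
import math

# The RSA-2048 challenge number exactly as printed above, joined into one value.
RSA_2048 = int(
    "2519590847565789349402718324004839857142928212620403202777713783"
    "60436620207075955562640185258807844069182906412495150821892985591491761845028"
    "08489120072844992687392807287776735971418347270261896375014971824691165077613"
    "37985909570009733045974880842840179742910064245869181719511874612151517265463"
    "22822168699875491824224336372590851418654620435767984233871847744479207399342"
    "36584823824281198163815010674810451660377306056201619676256133844143603833904"
    "41495263443219011465754445417842402092461651572335077870774981712577246796292"
    "63863563732899121548314381678998850404453640235273819513786365643912120103971"
    "22822120720357"
)


def keypair_from_primes(p, q, e=17):
    """Textbook RSA key generation from two primes (toy sizes only).

    Returns ((n, e), (n, d)); a real 2048-bit key uses two ~1024-bit primes.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # private exponent = modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def trial_division_factor(n):
    """Find p, q with p * q == n by trying every candidate up to sqrt(n).

    Returns (p, q, candidates_tried). This is the brute force the post refers
    to: the work grows with sqrt(n), i.e. doubles for every two extra bits.
    """
    tries = 0
    for cand in range(2, math.isqrt(n) + 1):
        tries += 1
        if n % cand == 0:
            return cand, n // cand, tries
    raise ValueError("no non-trivial factor found")


def recover_private_key(pub):
    """Rebuild d from the public key alone: only possible once n is factored."""
    n, e = pub
    p, q, tries = trial_division_factor(n)
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, d), tries


def challenge_size():
    """(decimal digits, bits, digits in sqrt(n)) for the RSA-2048 number above."""
    return len(str(RSA_2048)), RSA_2048.bit_length(), len(str(math.isqrt(RSA_2048)))


if __name__ == "__main__":
    pub, priv = keypair_from_primes(61, 53)  # n = 3233, a 12-bit modulus
    c = encrypt(pub, 65)
    recovered, tries = recover_private_key(pub)
    print(f"ciphertext {c} decrypts to {decrypt(recovered, c)} after {tries} trial divisions")
    digits, bits, sqrt_digits = challenge_size()
    print(f"RSA-2048: {digits} digits, {bits} bits; trial division would need "
          f"up to ~10^{sqrt_digits - 1} candidates")
```

The 12-bit toy modulus falls in a few dozen divisions; the same loop against the 2048-bit number would need on the order of 10^308 candidates, which is the whole point of the size.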
Ransomware Prevention and Damage Reduction
There are several methods that either prevent ransomware infections or, in the event of an infection, help to recover the data.
- Backup, Backup, Backup – While not a tool to prevent ransomware as such, frequent backups are the most reliable way to control the damage these viruses cause. Since ransomware is constantly evolving, funded by the resources it extracts from victims, it will be near impossible to prevent every new variant. As with an intelligent response plan for other cyber threats, resources should be aimed at mitigating damage and recovering from attacks rather than at preventing every possible vector. Always keep backups separate from the source, as ransomware has been known to infect every connected drive. If an external backup drive is the only viable option, make sure the device is unplugged after each use so the virus cannot migrate to the backup. Additionally, most cloud storage providers now offer a few GB of storage for free, with larger storage options for only a few dollars per month.
- Anti-virus software – Fortunately most major anti-virus packages have started to integrate modules that attempt to detect and stop ransomware before it encrypts a large portion of a system’s files. Instead of scanning the computer for traces of known viruses, most modern prevention software monitors the file system’s behavior for anomalies. If files are being quarantined and encrypted by an unknown tool, the anti-virus program steps in and kills the process. The top two anti-virus suites this year as ranked by PCMag were Kaspersky Internet Security and Norton Security. Those are a good place to start for protection against ransomware and viruses in general.
- Safe browsing habits – The Cyber Threat Alliance (CTA) report states that roughly two-thirds of the attacks originate from phishing emails. These emails were consistent with other malware attacks, with attachments named ‘internal’, ‘voice’, ‘fax’, ‘invoice’, etc. attached to inconspicuous-looking messages.
Example email containing ransomware attachment. Source: Cyber Threat Alliance
The other third of attacks came from exploit kits propagated through compromised web servers. No trends in link names or sites were identified; however, it is important to note that attacks were only successful against vulnerable browsers. The surest way to protect against these exploit kits is to install software updates as they become available.
- Up-to-date software – This applies to both browser and operating system updates. Frequent patches will keep most exploits from reaching a computer’s file system via a vulnerability. Windows can be configured to update automatically as important releases become available. Browsers must be updated manually, so it is best to check the developer’s website regularly or use the ‘check for updates’ button in the browser’s toolbar.
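As an added illustration of the behaviour-based detection described in the anti-virus item above (example code written for this post, not any vendor's product or code), the following monitor reads a stream of file-write events and flags a process once it has rewritten several ordinary files with encrypted-looking contents or under a ransom-style name. The event format, the entropy threshold of 7.5 bits per byte, the burst count of 3, the ‘.locked’ suffix and the sample events are all constructed assumptions; the ‘.7z.encrypted’ suffix is the one mentioned later in the post.

```python
# Added example (not from the original post): a toy behavioural monitor of the
# kind the anti-virus paragraph describes. It watches a stream of file-write
# events and flags a process that rewrites several previously ordinary files
# with high-entropy (encrypted-looking) contents or under a ransom-style name.
import math
from collections import defaultdict

# '.7z.encrypted' is the extension the post mentions; '.locked' is an assumed extra.
SUSPICIOUS_SUFFIXES = (".encrypted", ".locked")
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted or random data sits close to 8.0
BURST_THRESHOLD = 3      # suspicious writes by one process before it is flagged


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 at most."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def is_suspicious_write(event) -> bool:
    """One write looks like ransomware output when the new contents are high-entropy
    and either the file gained a ransom-style suffix or it used to be low-entropy."""
    new_high = shannon_entropy(event["new_data"]) >= ENTROPY_THRESHOLD
    renamed = event["path"].lower().endswith(SUSPICIOUS_SUFFIXES)
    was_plain = shannon_entropy(event["old_data"]) < ENTROPY_THRESHOLD
    return new_high and (renamed or was_plain)


def scan_events(events):
    """Return the processes that reach BURST_THRESHOLD suspicious writes, in detection order.

    Counting per process is what separates an archiver compressing one file
    (a single high-entropy write) from a tool churning through a whole folder.
    """
    per_process = defaultdict(int)
    flagged = []
    for ev in events:
        if is_suspicious_write(ev):
            per_process[ev["process"]] += 1
            if per_process[ev["process"]] == BURST_THRESHOLD:
                flagged.append(ev["process"])  # a real product would kill the process here
    return flagged


# Constructed sample data (not captured from any real infection).
PLAIN_TEXT = b"Meeting notes: discuss Q4 budget, hire two engineers, renew office lease. " * 8
RANDOM_LIKE = bytes(range(256)) * 4  # every byte value equally often: entropy exactly 8.0
PHOTO_STUB = b"\xff\xd8 constructed JPEG stand-in, mostly repetitive bytes " * 6

SAMPLE_EVENTS = [
    # An editor saving an ordinary text file: plain in, plain out, never suspicious.
    {"process": "notepad.exe", "path": "C:/docs/notes.txt",
     "old_data": PLAIN_TEXT, "new_data": PLAIN_TEXT + b" Action items added."},
    # An archiver writing one compressed file: a single suspicious-looking write, below the burst threshold.
    {"process": "7z.exe", "path": "C:/docs/archive.7z",
     "old_data": b"", "new_data": RANDOM_LIKE},
    # An unknown tool rewriting photo after photo under a new extension.
    {"process": "unknown_tool.exe", "path": "C:/photos/img001.jpg.7z.encrypted",
     "old_data": PHOTO_STUB, "new_data": RANDOM_LIKE[:600]},
    {"process": "unknown_tool.exe", "path": "C:/photos/img002.jpg.7z.encrypted",
     "old_data": PHOTO_STUB, "new_data": RANDOM_LIKE[100:700]},
    {"process": "unknown_tool.exe", "path": "C:/photos/img003.jpg.7z.encrypted",
     "old_data": PHOTO_STUB, "new_data": RANDOM_LIKE[200:800]},
]

if __name__ == "__main__":
    print("flagged processes:", scan_events(SAMPLE_EVENTS))
```

The archiver event shows the trade-off such monitors live with: compressed output is just as high-entropy as ciphertext, so a single write is never enough and the decision rests on a burst of them from one process, combined with the rename pattern.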
In a perfect world it would never get to this point, but if it does, the main defense discussed earlier is to restore from a backup that is not infected. If that option is not available, or previous backups are also encrypted by the ransomware, there are still a few possibilities for removing it.
On October 28, 2015 Kaspersky Labs released over 14,000 decryption keys which can help unlock files encrypted by the CoinVault and Bitcryptor ransomware variants. The application is 100% free and may offer a solution if the computer was hit with one of the cracked variants. Check out the tool by clicking on the Kaspersky Lab logo or link below.
Computers infected with the CryptoLocker ransomware (usually indicated by a ‘.7z.encrypted’ extension) unfortunately do not have much recourse other than backups. As a last-ditch effort to remove it without paying up, use the following removal steps:
- Install a robust anti-malware scanning package (recommended options are Malwarebytes and HitmanPro; both have free trial versions).
- Perform a first scan and a second-opinion scan (to be sure), then do the same for the backup drives.
- After the scans have been performed, and if the virus was removed, move the old files over to the freshly scanned computer.
Alternatively, a more effective method is to wipe the hard drive completely and restore from an uninfected backup copy. This method is more likely to remove the virus completely, along with any headache associated with it.
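Both the backup item above and the wipe-and-restore advice here rely on the backup copy itself being intact, so here is an added example (written for this post, not a product's code) of a snapshot routine that records a SHA-256 manifest when the backup is taken and refuses to restore a snapshot whose files have since changed. The directory layout, the manifest file name and the constructed sample file are assumptions; the ‘.7z.encrypted’ suffix used in the tampering simulation is the one mentioned above.

```python
# Added example (not from the original post): snapshot a folder with a SHA-256
# manifest, verify the snapshot before restoring, and refuse a snapshot whose
# contents changed after it was taken, e.g. because the backup drive was still
# connected when an infection hit.
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

MANIFEST_NAME = "MANIFEST.json"  # assumed layout: <backup_root>/<stamp>/{MANIFEST.json, data/}


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(data_dir):
    """Map each file's path relative to data_dir to its SHA-256."""
    hashes = {}
    for root, _, files in os.walk(data_dir):
        for name in files:
            full = os.path.join(root, name)
            hashes[os.path.relpath(full, data_dir).replace(os.sep, "/")] = file_sha256(full)
    return hashes


def take_snapshot(source_dir, backup_root, stamp=None):
    """Copy source_dir to backup_root/<stamp>/data and write the manifest next to it."""
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    snapshot_dir = os.path.join(backup_root, stamp)
    data_dir = os.path.join(snapshot_dir, "data")
    shutil.copytree(source_dir, data_dir)
    with open(os.path.join(snapshot_dir, MANIFEST_NAME), "w") as f:
        json.dump(hash_tree(data_dir), f, indent=2, sort_keys=True)
    return snapshot_dir


def verify_snapshot(snapshot_dir):
    """Return (ok, problems): files that went missing, appeared, or changed since the snapshot."""
    with open(os.path.join(snapshot_dir, MANIFEST_NAME)) as f:
        expected = json.load(f)
    actual = hash_tree(os.path.join(snapshot_dir, "data"))
    problems = []
    for rel in sorted(set(expected) | set(actual)):
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif rel not in expected:
            problems.append(f"unexpected file: {rel}")
        elif expected[rel] != actual[rel]:
            problems.append(f"modified: {rel}")
    return (not problems), problems


def restore_snapshot(snapshot_dir, target_dir):
    """Restore only a snapshot that still matches its manifest."""
    ok, problems = verify_snapshot(snapshot_dir)
    if not ok:
        raise RuntimeError("refusing to restore a tampered snapshot: " + "; ".join(problems))
    shutil.copytree(os.path.join(snapshot_dir, "data"), target_dir, dirs_exist_ok=True)


def demo():
    """Constructed scenario: back up one file, restore it, then tamper with the backup copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "photos")
        os.makedirs(src)
        with open(os.path.join(src, "holiday.jpg"), "wb") as f:
            f.write(b"\xff\xd8 constructed JPEG stand-in \xff\xd9")
        snap = take_snapshot(src, os.path.join(tmp, "backup_drive"), stamp="20151101T120000Z")
        clean = verify_snapshot(snap)

        restored = os.path.join(tmp, "restored")
        restore_snapshot(snap, restored)
        restored_ok = os.path.exists(os.path.join(restored, "holiday.jpg"))

        # Simulate the backup copy being altered: one file renamed and overwritten.
        victim = os.path.join(snap, "data", "holiday.jpg")
        os.rename(victim, victim + ".7z.encrypted")
        with open(victim + ".7z.encrypted", "wb") as f:
            f.write(b"opaque bytes standing in for ciphertext")
        tampered = verify_snapshot(snap)
        try:
            restore_snapshot(snap, os.path.join(tmp, "restored_again"))
            refused = False
        except RuntimeError:
            refused = True
        return clean, restored_ok, tampered, refused


if __name__ == "__main__":
    print(demo())
```

The manifest lives beside the data inside the snapshot, so a drive that was left plugged in and got encrypted fails verification on the next restore attempt instead of silently handing the damaged copy back; keeping a second copy of the manifest somewhere the backup drive cannot reach makes the check stronger still.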
What this may mean for the future of computer viruses
Now on to the good part.
[Quote from Daemon]
Wild conjecture about AI
Need to reform future developments in machine learning (AI code of ethics, 3 laws of robotics, etc.)