Saving Private Files: a no-movie

Kaspersky Daily business blog, published 2015-05-20 (modified 2019-11-15)
https://www.kaspersky.com.au/blog/saving-private-files-a-no-movie/15067/
Tags: cryptolocker, encrypters, ransomware

Encrypting ransomware is a relatively new, but extremely pesky, threat that has gone almost epidemic since 2013. Despite the formidable counter-attack from security vendors and law-enforcement agencies, encrypters are still around and they are evolving at a rapid pace, becoming a more advanced problem for end users and businesses alike (see https://business.kaspersky.com/cryptolocker-and-its-consequences-for-businesses/3491). What can be done about it?

It all began in 2013

Encrypting malware wasn’t much of a problem until the second half of 2013, when the now notorious Cryptolocker emerged. Then it became a wholesale problem: it spread quickly, the systems attacked were next to defenseless, not all antimalware suites were able to detect it, and IT workers took their time to figure out how to fight it.

“…The company boss all but ignored me when I sounded the alarm – he thought I cried wolf. Guess he regretted that later, ‘coz we’ve lost lotsa files. Dunno whether they paid the bad guys, but no fun, you know…” a consulting system administrator, who requested to stay anonymous, told us about his first encounter with this threat.

Unfortunately, criminals have managed to give businesses a “quick scare” that was converted into profit. They viewed this as hitting the jackpot, even if not many people actually paid for decryption.

So, Cryptolocker and its variants started multiplying like rabbits and evolving like the Zerg from a renowned videogame – Cryptolocker 2.0, CryptoWall, ACCDFISA, Tor-enabled Onion malware, Xorist, Scatter, etc.

There is a large article on the sorts of encrypters on Securelist (https://securelist.com/analysis/publications/68960/locked-out/) – a reference document of sorts, describing the flavors and variations of encrypting ransomware, evolving from its earliest to current advanced forms.

Evolving badness

The first encrypters were more or less simple, albeit effective. The IT worker we spoke with says:

“Our CTO has disassembled one such piece. It doesn’t look like malware at all, just, you know, a VB script that launches encryption. Once we’ve managed to catch the file with the encryption key in the system before it got away and managed to recover everything. But the only sure way to stop it is to cut the power to the servers at the first suspicion. ‘Tis hardcore but it works. Also, if you don’t have backups, may God have mercy on your soul.”

But after the fabulous Operation Tovar, which resulted in dismantling the Gameover ZeuS botnet along with the Cryptolocker infrastructure (https://business.kaspersky.com/cryptolocker-and-its-consequences-for-businesses/3491), cybercriminals decided they needed an extra safety level for their malicious tools – and employed the Tor network to conceal their C&C infrastructure. This elevated the problem to a whole new level for IT security researchers and law enforcement agencies.

Target: a human being

What slightly sets ransomware apart from other threats is that its primary target is not a computer system, but a human operator. As a matter of fact, most antivirus companies have already integrated advanced anti-ransomware tools into their suites, but what can a security solution do if it is turned off?

“During… investigations we often come across instances of the encryption of files in organizations as a consequence of their employees working with the antivirus program switched off. And these are not isolated cases, our technical help service encounters such cases several times a week,” wrote Kaspersky Lab’s expert Artem Semenchenko at Securelist earlier this year (https://securelist.com/analysis/publications/68960/locked-out/).

He also wrote that the reason for such carelessness is… security advancements. Sounds like a paradox, but in fact there is none.

“The improved defences of browsers and operating systems have led to a state where today users encounter the threats of malicious programs less often than previously. As a result some of them, not thinking, switch off individual components of their antivirus products or don’t use them at all,” Semenchenko wrote.

And that’s what criminals are happy about. They are counting on mistakes such as launching executable files from emails coming from unconfirmed sources, or clicking dubious links. The availability of ‘advanced’ systems of defense does not relieve the user of the need to follow the security policy and basic rules of safety.

With encrypting ransomware, frightening and taking victims by surprise are the primary means of extortion. They could probably do without it, but a recurring story with ransomware is that the targeted user or entity receives an intimidating letter ostensibly coming from law enforcement agencies – police, investigative bodies, even courts and/or debt collectors. The combination of an official emblem and a menacing header with lots of CAPS LOCK for added formidability – this mesmerizing “cocktail” works astonishingly well, with amusing incidents such as this one (http://arstechnica.com/tech-policy/2013/07/man-gets-ransomware-porn-pop-up-turns-self-in-on-child-porn-charges/): a person, scared by an encrypter, turned himself in to the police and was charged with crimes he had actually committed.

In most cases, however, innocent people get attacked. And the intimidating pictures, headers, and messages either conceal a common phishing letter intended to infect the user, or a notification from the malefactors who demand “their share” of your profits after the files have already been encrypted.

What do they want?

Money, of course. It’s all about cash. Several dozen or a couple of hundred from end users and five times more from corporate bodies (there are reports of a case where attackers demanded as much as 5,000 euros for decryption).

They tend to obfuscate their communications using Tor, and in order to further ensure their anonymity, malefactors often demand payments in Bitcoin, which is far harder to track than the movement of real-world currency.

Occasionally, they get money. As a matter of fact, the chances of recovering the encrypted files by decrypting them are slim. In the aforementioned Securelist article (https://securelist.com/analysis/publications/68960/locked-out/) there are examples of encrypting ransomware that can be cracked (Xorist, for instance, yields relatively easily), but the most advanced – and thus the most widely used – encrypters use asymmetric encryption, sometimes even with more than one key pair. There is no algorithm to decrypt files encrypted with RSA with a 1024-bit key in an acceptable time. When it is down to a single key pair, acquiring (buying) the private key allows for the decryption of files for all victims of the same modification. When there are many modifications and many key pairs – you’d better have a Plan B.

Saving files: not always possible, prevention is easier

This Plan B is actually Plan A, and it happens to be prevention.

First of all, backup is a must, and the backed-up files should be stored “cold” (i.e. on unpowered storage media). Encrypters can crawl all over the mapped drives, but they still need processing power to do their job, and cannot touch media that is not connected.

Antivirus products must always be kept up to date, and it is strongly recommended that antimalware databases be updated before the employees even start reading their e-mails in the morning.

Also, the employees (the main target) should be informed and educated on phishing, on launching suspicious files, and on other threats associated (and not necessarily associated) with encrypting ransomware.

Getting attacked by an encrypter is easy, while recovering from it may be very problematic, if possible at all. Securelist’s article carries a number of links to anti-encrypter utilities (https://securelist.com/analysis/publications/68960/locked-out/), but they only help against certain types.

Preventing the files from being encrypted in the first place is a much better way to put criminals’ noses out of joint.