Ransomware is nothing new to the IT world, but recent months have seen an uptick in attacks, so we thought we would write about it a bit.
What is ransomware?
It’s certainly well-named. While using Wikipedia as a source may make you cringe, it’s a starting place for a definition:
Ransomware comprises a class of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system's hard drive (cryptoviral extortion), while some may simply lock the system and display messages intended to coax the user into paying.
Crafty for sure, since some victims will be frightened enough to hand over a credit card number or buy Bitcoins or a MoneyPak card. Of course, paying is no assurance that the files will be restored, and it is also a perfect way for a criminal to harvest credit card numbers, which can then be used for other purchases.
Popular versions of ransomware are the Reveton Trojan (FBI Virus) and CryptoLocker. Pictured above is a screenshot of the pop-up one would see if CryptoLocker got inside a machine.
What we've seen
Here at Continuum, our NOC and Service Desk have been seeing an increase in this kind of activity recently. As a result, the following notification was sent out at the start of October:
Although it's not normally our practice to track and report on viruses and virus outbreaks, as a courtesy, we want to let you know that the Continuum Service Desk has seen an influx of a "ransomware" infection called CryptoLocker. Customers have reported that this infection occurs when you click on an attachment from a Wells Fargo email address.
This infection will encrypt all of your files using AES-256. Vipre is detecting and preventing some variants of this infection, but new variants are constantly discovered so there’s no guarantee that any AV product will prevent every infection. Because an encryption key is needed to decrypt the files, there is no known way at this time to recover files once encrypted (other than paying the ransomware organization). The recommended action is to remove all shared devices and mapped drives if this shows up on a machine and to restore from a clean backup.
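The notification above makes two practical points: once files are encrypted with a strong cipher they cannot be recovered without the key, and the first response is to isolate the machine and restore from backup. The following is an added example, not code from the original post or from Continuum, showing one way a defender can tell that files on a share have been encrypted in place even when their names are unchanged: ciphertext is close to uniformly random, so its per-byte Shannon entropy sits near 8 bits, while documents and plain text sit far lower. The sample "files" are constructed in memory; no real encryption is performed. The magic-byte list and the 7.2-bit threshold are assumptions chosen for illustration, and the heuristic is a triage signal, not proof of infection.

```python
import math
import os
import random
from collections import Counter

# Leading bytes of common formats that are legitimately high-entropy because
# they are compressed; an entropy-only check would flag them as false positives.
# (Assumed list for illustration; extend it for your environment.)
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\xff\xd8\xff", b"\x89PNG", b"GIF8", b"%PDF")


def shannon_entropy(data: bytes) -> float:
    """Return the entropy of `data` in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.2) -> bool:
    """Heuristic: near-random content that is not a known compressed container."""
    if len(data) < 256:
        return False  # too few bytes for a meaningful estimate
    if data.startswith(COMPRESSED_MAGIC):
        return False  # compressed formats are high-entropy by design
    return shannon_entropy(data) >= threshold


def scan_files(files: dict) -> list:
    """Apply the heuristic to an in-memory mapping of {name: bytes}; return flagged names."""
    return [name for name, data in files.items() if looks_encrypted(data)]


def scan_directory(root: str, sample_size: int = 65536) -> list:
    """Walk a real directory tree (e.g. a mounted share) and return paths that look encrypted."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_size)  # the first 64 KiB is enough for the estimate
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the scan
            if looks_encrypted(head):
                hits.append(path)
    return hits


# Constructed samples: a plain-text document, a zip-style compressed file (only the
# magic bytes matter for the check), a PDF-like file, and pseudo-random bytes standing
# in for a document that was encrypted in place and kept its original name.
_rng = random.Random(1234)
SAMPLE_FILES = {
    "report.txt": b"Quarterly report: revenue grew modestly while costs held steady. " * 64,
    "archive.zip": b"PK\x03\x04" + bytes(_rng.getrandbits(8) for _ in range(4096)),
    "invoice.pdf": b"%PDF-1.4\n" + b"stream of mostly text content ... " * 40,
    "photo.jpg": bytes(_rng.getrandbits(8) for _ in range(4096)),
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:12s} entropy={shannon_entropy(data):.2f}  encrypted={looks_encrypted(data)}")
    print("flagged:", scan_files(SAMPLE_FILES))
```

Run against a share with `scan_directory("/path/to/share")`; a sudden jump in the number of flagged files across ordinary document directories is the signal to pull mapped drives and start the backup restore the notification recommends. Pair the entropy check with a canary file (a document placed on the share that no one is supposed to modify) so an alert does not depend on the threshold alone.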
Another variation on the theme of holding a computer hostage is one that plays on an even greater fear: the government fining you. In this case, though, it’s even more threatening, as the Reveton Trojan (FBI Virus) looks like a notification from the FBI.
In the news
As the Los Angeles Daily News recently reported:
Once a computer is infected, it immediately locks and displays a message stating there has been a violation of federal law, according to the FBI.
“The bogus message goes on to say the user’s Internet address was identified by the FBI or the Department of Justice’s Computer Crime and Intellectual Property Section as having been associated with child pornography sites or other illegal activity,” the statement continued. “To unlock their machines, users are required to pay a fine using a prepaid money card service.”
Another recent news story can be found here.
The FBI does not collect fines online, nor does it notify anyone of fines online, so this approach has no basis in reality, but ransomware plays on fear. End users may be so worried that they have run afoul of the FBI that they simply hand over a credit card to pay the ‘fine’ and move on.
No matter what version or type of ransomware you encounter, it’s important to warn your company computer users to simply not click on anything in an email that they don’t recognize, no matter how convincing it might look.
While we at Continuum do not endorse any particular vendor or solution, we find that the most up-to-date and complete information can be found at: http://www.bleepingcomputer.com/.
Are you watching for ransomware? If not, you should be: being held hostage by an online crook is no way to move your company forward.