Ransomware – A HULK Avatar of Cyber Threat


RANSOMWARE is a fast-growing class of malware that attackers introduce into PCs and servers. Once running, it encrypts the files on those machines' drives so that they can be decrypted only with a key held by the attacker. The attacker then demands a ransom in exchange for the decryption key, which is why this malware is called RANSOMWARE.


There are two main forms of RANSOMWARE in circulation today:

  • Locker RANSOMWARE (computer locker): Denies access to the computer or device
  • Crypto RANSOMWARE (data locker): Prevents access to files or data. Crypto RANSOMWARE doesn’t necessarily have to use encryption to stop users from accessing their data, but the vast majority of it does.

Crypto RANSOMWARE is now the form preferred by cyber criminals; it accounted for 75 percent of new RANSOMWARE threats discovered in 2015.

Attackers typically introduce RANSOMWARE into an organization in the following steps:

  • The RANSOMWARE executable is delivered to the end user's device when the user opens one of:
    ◦ Attachments or web links in phishing emails
    ◦ Malvertising (malicious advertisements) running in web pages
    ◦ Drive-by downloads (e.g. fake antivirus)
  • The RANSOMWARE installs itself on the victim's computer
  • The RANSOMWARE generates a unique encryption/decryption key pair for that victim
  • The RANSOMWARE contacts a command-and-control (C2) server on the Internet to deposit the decryption key, so that the key does not remain on the victim's machine. Families that depend on this step cannot encrypt anything if their C2 traffic is blocked before it succeeds; others carry the attacker's public key with them and need no connection at all.
  • The malware starts encrypting the files on the hard disk, mapped network drives and attached USB devices with the encryption key
  • Once the process finishes, the files are inaccessible. The malware places a text file on the desktop and/or pops up a splash screen with instructions for paying the ransom and restoring the original files. The favored payment method for RANSOMWARE has been payment vouchers; for Crypto RANSOMWARE it is bitcoin (as used in the Invest Bank case).

What is the financial loss so far due to RANSOMWARE attacks?

While this is not an easy question to answer, several published reports give an idea of what cyber criminals earn from RANSOMWARE. In 2012, a Symantec report found that as many as 2.9 percent of victims paid the ransom demand. The same report found that one of the smaller RANSOMWARE operations managed to infect 68,000 computers in a single month, which could have netted it up to US$400,000 in total.

In March 2014, Symantec found that Trojan.Cryptowall earned at least US$34,000 in its first month of operation. Further study of Cryptowall by other information security researchers found that by August 2014 it had earned more than US$1.1 million. In June 2015, data from the FBI's Internet Crime Complaint Center (IC3) showed that between April 2014 and June 2015 it had received 992 Cryptowall-related complaints. The victims were a mix of end users and businesses, and the losses from these cases amounted to more than US$18 million.

How are cyber criminals cashing out using RANSOMWARE?

The money-laundering method chosen by cyber criminals varies and can depend on how the ransom was paid. Criminals who take RANSOMWARE payments in the form of payment vouchers generally use specialized money-laundering services. These cash-out services rely on online betting and casino sites that accept voucher codes as payment. The sites are hosted in different geographical and legal jurisdictions, which makes it difficult for law enforcement to follow the money.

Once laundered through these sites, the money is transferred to fraudulently obtained prepaid debit cards, and the funds are withdrawn from ATMs by money mules. The cash-out service then passes an agreed percentage of the vouchers' value on to the RANSOMWARE criminals.

Protective Controls

  1. Block access to websites with unwanted content
  2. Apply the right patches at the right time: keep operating systems and applications up to date
  3. Install a next-generation firewall
  4. Block malicious incoming emails on the SMTP server, remove already-delivered copies from user inboxes, and warn users not to click on the links and attachments involved
  5. Block malicious URLs on the web proxy, and use the proxy logs to identify computers that visited malicious websites
  6. Deploy custom AV signatures to block downloads of specific files
  7. Application whitelisting
  8. Identify and/or block the malware's traffic on the NIDS and the proxy
  9. Monitor end-user devices and shared folders for the file extensions that RANSOMWARE families append to encrypted files (e.g. .abc, .xxx, .yyy, .zzz)
  10. Monitor endpoints for ransom-note text or HTML files dropped in the desktop folder
  11. Back up everything and maintain offsite backups that are not reachable as mapped network drives, since anything the infected machine can write to is encrypted along with the rest
  12. Modify browser security settings to detect unauthorized downloads
  13. Do not install unknown programs
  14. Before downloading software, review any associated license agreements or privacy statements
  15. Do not click on links inside pop-up windows; close pop-ups with the "x" in the upper right-hand corner of the window, not with the buttons inside it
  16. Raise awareness of phishing attacks
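Two of the controls above can be scripted: item 5 (hunting the proxy logs for computers that reached blocked sites) and items 9 and 10 (watching shares and endpoints for renamed files and ransom notes). The Python below is an added example, not code from the original article. The Squid-format log lines, the client addresses, the blocklist hostnames, the file listing and the extension and note-name patterns are all constructed for illustration; in practice the blocklist and patterns come from current threat intelligence and the file paths from an os.walk over the share.

```python
"""
Detection checks for two of the ransomware protective controls:
  - which clients requested blocked hosts, according to the web proxy log
  - which directories show a burst of renamed files and where ransom notes sit
"""
import os
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample: Squid access.log format
# (timestamp elapsed client status/code bytes method URL user hierarchy type).
SAMPLE_PROXY_LOG = """\
1433000001.123    210 10.0.5.17 TCP_MISS/200 48213 GET http://ads.example-malvert.net/serve.php?id=3 - HIER_DIRECT/203.0.113.9 text/html
1433000002.456    180 10.0.5.17 TCP_MISS/200 917504 GET http://dl.example-payload.biz/update.exe - HIER_DIRECT/203.0.113.10 application/octet-stream
1433000003.789     95 10.0.5.42 TCP_HIT/200 1120 GET http://www.example.com/index.html - NONE/- text/html
1433000004.012    402 10.0.7.8 TCP_MISS/200 1231 POST http://c2.example-payload.biz/gate.php - HIER_DIRECT/203.0.113.10 text/plain
1433000005.345    130 10.0.5.42 TCP_MISS/403 0 GET http://dl.example-payload.biz/update.exe - HIER_NONE/- text/html
"""

# Constructed blocklist: the hostnames item 5 would load onto the proxy.
BLOCKED_HOSTS = {"ads.example-malvert.net", "dl.example-payload.biz", "c2.example-payload.biz"}

SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def hosts_visiting_blocked_urls(log_text, blocked_hosts):
    """Map each client IP to the (url, proxy status) pairs it sent to a blocked host.

    A 403 from the proxy is kept on purpose: the request was denied, but the
    machine that made it may already be running the dropper and needs triage.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = SQUID_RE.match(line)
        if not m:
            continue  # malformed or non-access line; skip rather than crash mid-hunt
        if urlsplit(m.group("url")).hostname in blocked_hosts:
            hits[m.group("client")].append((m.group("url"), m.group("status")))
    return dict(hits)


# Extensions appended to encrypted files by some families (the page's own examples)
# and words that ransom-note filenames tend to carry. Both lists are illustrative.
SUSPICIOUS_EXTENSIONS = {".abc", ".xxx", ".yyy", ".zzz"}
RANSOM_NOTE_RE = re.compile(r"(decrypt|recover|restore|ransom|how_to).*\.(txt|html?)$", re.IGNORECASE)


def scan_for_ransomware_artifacts(paths, min_renamed=5):
    """Count renamed files per directory and collect ransom notes from a file listing.

    One stray renamed file is noise; a burst in one directory (>= min_renamed)
    or any ransom note raises the alert.
    """
    renamed_by_dir = Counter()
    notes = []
    for path in paths:
        directory, name = os.path.split(path)
        if os.path.splitext(name)[1].lower() in SUSPICIOUS_EXTENSIONS:
            renamed_by_dir[directory] += 1
        elif RANSOM_NOTE_RE.search(name):
            notes.append(path)
    burst_dirs = {d: n for d, n in renamed_by_dir.items() if n >= min_renamed}
    return {
        "renamed_by_dir": dict(renamed_by_dir),
        "burst_dirs": burst_dirs,
        "notes": notes,
        "alert": bool(notes) or bool(burst_dirs),
    }


def walk_files(root):
    """Real input for scan_for_ransomware_artifacts(): every file under root."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            yield os.path.join(dirpath, name)


# Constructed listing standing in for walk_files() over a share and a user's home.
SAMPLE_FILE_LISTING = [
    "/srv/share/finance/Q1.xlsx.zzz",
    "/srv/share/finance/Q2.xlsx.zzz",
    "/srv/share/finance/budget.docx.zzz",
    "/srv/share/finance/forecast.pptx.zzz",
    "/srv/share/finance/invoices.pdf.zzz",
    "/srv/share/finance/payroll.xlsx.zzz",
    "/srv/share/hr/policy.docx",
    "/home/alice/Desktop/HELP_DECRYPT.txt",
    "/home/alice/Desktop/notes.txt",
]

if __name__ == "__main__":
    for client, requests in hosts_visiting_blocked_urls(SAMPLE_PROXY_LOG, BLOCKED_HOSTS).items():
        print(client, "->", requests)
    print(scan_for_ransomware_artifacts(SAMPLE_FILE_LISTING))
```

Run as a script it prints three clients to triage (10.0.5.17 fetched both the malvertising page and the payload, 10.0.7.8 posted to the C2 host, and 10.0.5.42 was denied the payload but still tried) and an alert for the finance folder and Alice's desktop. Feed walk_files("/srv/share") to the scanner from a scheduled job to cover item 9 on a real share; keep the extension list short and current, since a long stale list costs little but a missing entry means the burst goes unseen.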
