To be precise, ransomware developer’s goal is not to destroy your data. They care mainly about their own wallets (usually bitcoin wallets but this does not make a big difference to you) which means that destroying your data is not the goal they are trying to achieve. They usually try to make it impossible to you to use your own data and in the same time they leave a chance to recover from the issue after you pay the ransom. The obvious question here is “why do I have to pay a bad guy instead of hiring a friendly computer expert to do the same job?”
A history of ransomware clearly shows that this approach made a lot of sense in the past. Unfortunately, all those bad guys quickly realized that their victims prefer to recover (even sometimes paying more for it) using any possible way which was not related to supporting cybercrime. But as long as there is someone to pay, there will be someone to encrypt your data and politely ask for money. Amount of money people pay is breathtaking in its sadness.
According to a public service announcement from the FBI’s Internet Crime Complaint Center (IC3) only within the last year the estimated amount of ransom paid for the Cryptowall was circulating around $18 million between April 2014 and June 2015.
Nowadays the modern ransomware is not even trying to be clean-proof. Any proficient computer user will quickly mitigate the malware using some webpages or movies as a guide. Unfortunately professional troubleshooting after or during the malware-situation requires gathering knowledge about ways of execution so that later we can prevent it in future.
So why ransomware is dangerous if the malware removal process is so straightforward?
The answer is very simple: it encrypts your data instead of destroying it actually. The encryption process itself has changed over years to reach its final form: advanced well known and secure asymmetric encryption algorithms. Asymmetric means there is always a pair of keys: one for encrypting only and another one for decrypting. And nowadays, ransomware developers really care about the decrypting key. They will never send it to the infected computer during the attack and the only way you can get the key is to pay for it.
Even if in the past we could have somewhat badly (in technical and not moral terms) designed malware, now if your data is encrypted, the one and only way to decrypt it is to pay for the decryption key. This is not a thing you would actually like to do, right? So please, forget about any decryption based approach – it is virtually impossible without paying. You have to protect your data somehow differently.
Let’s start from the very begin. Ransomware exploits the fact that Windows allows applications, both good and bad, to access the user’s data. As threats change rapidly to evade detection, often utilizing social media to spread, it is impossible to prevent them appearing on the endpoint. Ransomware attack is not a magic.
There are two ways how it can happen:
- Your computer (OS and applications installed) is not up to date. There are (and always will be) bugs in the software. Some of those bugs can be used to take control over your computer and of course to infect it with ransomware as well. If any of those bugs can be used to infect your computer – at some point, someone will try to use it for such nasty purpose. If you do not patch your computer on a regular basis sooner or later it will be infected and that’s what you can be sure about! So if you would like to avoid being a victim in this type of attack, a remedy is extremely simple: please patch your Operating System and applications. Do not ignore these desperate update messages and annoying restarts. The general rule is simple: get newer versions of applications, update your system, update drivers etc.
- You have launched a ransomware code (executable / script / macro) on your own. Bad guys are extremely creative trying to convince you to run their applications. They will post them on webpages as a movie to download, send it to you as a fake invoice via email, drop it on the USB stick next to your company doors etc. Is there something you can do about this? Actually nothing but be aware that situation can happen. They will still try as it is worth it. But your role here is quite simple: trust no one and know the context of what you do. Do not go to suspicious web pages, do not download cracks or key generators, do not trust emails even if you can clearly see that your business partner just have sent you an unexpected invoice. If it does not smell good, it probably is not good.
Both options above sound like not very complicated pieces of advice but you should be aware that the smartest IT Security brains in the industry still think about the universal and cost effective solution.
Technically to find the traces of ransomware, you need to do the following as first steps:
- Disconnect the machine from the network.
- Run Autoruns.exe – under the ‘Options’ menu, select ‘Hide Microsoft and Windows Entries’ and ‘Verify Code Signatures’. Take special care about entries that don’t have a publisher or where the publisher is not verified. If you have entries where the file is not found, you can delete them. If you have entries, that shouldn’t really be there, you can at least unselect them to disable them and can later turn them back on. Delete malware files if identified. Verify the path. It should point to Program Files or Windows directory.
- Run Process Explorer – look at the Company column, if not visible, turn it on by View-Select columns. Look at all processes that are not by Microsoft Corporation, Do you know what these processes are? Check for process names such as csrss.exe, lsass.exe and services.exe that are not from Microsoft. Add Virus Total column to verify if there is something known out there. Verify signatures – make sure that they are checked for. Suspicious processes? Suspend and terminate them.
- Check Windows Explorer components or handlers (autoruns.exe Explorer tab).
- Check in Windows Prefetch what was the set of last running processes. Analyze it with the professional tools – we have written one and we are happy to share.
- Run System File Checker (sfc.exe) and verify if the operating system files have not been changed.
- Check open connections – for example by using TCP View, look at the list of related processes.
- Use Process Monitor – monitor the current disk activity (filter: Category is Write).
- Use NTFS Journal parser to see the recent files modification.
- Review the content of ‘C:\WINDOWS\system32\drivers\etc\hosts’ in Notepad.exe, to search for the malicious entries.
- Review the Sysmon logs (if you are using Sysmon).
However they should not happen if you protect your computer properly and as we have mentioned above, trying to decrypt it on your own is usually a complete waste of time. The deeper you go through dark corners of the Internet looking for the solution, the higher is the risk of infecting your computer with another malware. So what to do? The answer is extremely easy: perform backups and in case of the emergency restore the data from the backup. The problem is that people have no backup… (apparently, they have never played football!). Or at least the backup is not up to date or it is not stored on the same computer etc.
If you have to take only one conclusion, let’s choose this one: revise your backup strategy and choose one that corresponds to how much is your data worth, perform backups on regular basis and store them on separate (not connected all the time!) media, well protected from being stolen, dropped, eaten by your dog, left with your laptop bag, out of reach of small children etc. You should definitely have a look at the cloud-based backup and review its terms. Then your data is immediately (and without engaging you) sent to some remote server room and stored safely, just in case you going to need it one day.
On the enterprise level, from the technical perspective, it is extremely important to prevent unknown code execution, so that whoever is tempted to pay this badly formatted invoice will be prevented to execute whatever is brought with it as a sweet encryption surprise. The fantastic way to mitigate these threats is to implement a defense in depth approach, layering technologies that can block and isolate threats on the endpoint. These are privilege management and application control that prevents untrusted content such as malware payloads from executing.
An important line of defense is sandboxing. Many exploit kits exploit weaknesses in the browser and plugins like Java, Flash and Silverlight to run ransomware. Other attack vectors can be found in malicious documents, also from tricking the user into running malware thorough worms found on many popular websites, such as Facebook. Sandboxing allows you to safely contain such web threats and isolates any malicious activity, without restricting your people. There are many solutions that perform these activities, from Microsoft you will find AppLocker and EMET – together create a great security combo.
Of course security awareness should not be left without attention too but all these go together and when wrapped into one reasonable security focused prevention strategy the idyll can become a fact.