Ransomware is a type of malware that silently infects a computer and restricts the user's access to it. It then demands a ransom from the victim to restore normal operation of the computer.
Ransomware is one of the biggest threats today. Every year it infects millions of computers and extorts hefty sums of money from users and organizations.
Targets of Ransomware
Ransomware can target any computer: a home computer, endpoints in an enterprise network, or the servers of an organization, a government agency or a healthcare provider. It infects the computer by some means and then halts normal operation until it is removed from the computer.
Different Types of Ransomware
There are different types of ransomware. They infect a computer by various means and restrict access to it in different ways.
One type of ransomware infects a computer silently and displays a fake warning message. It falsely claims that the computer has been used for illegal activities such as pirated software or pornography and has been caught by some legal authority. It then demands a large sum of money from the user.
Another type of ransomware infects a computer and sets itself as the Windows shell, the program that normally provides the desktop. It then restricts the user's access to the computer and demands a large sum of money to give the access back.
And some ransomware is extremely complex. It enters the system and encrypts useful files with an encryption key that is infeasible to break. It then asks the user to pay money to be able to decrypt those files. Paying, however, in no way ensures that the encrypted files will be decrypted.
But irrespective of the type, the purpose of all ransomware is the same: to extort money from the user.
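The file-encrypting type described above leaves a recognisable trace: documents that should contain readable text or a known file header suddenly consist of near-random bytes. The following script is an added example (not code from the original article) showing the two checks a defender typically combines to spot that: Shannon entropy of the content, and whether a file's header still matches what its extension promises. The file names, contents and the MAGIC table are constructed for the demonstration; real scanners tune the threshold and the ratio that triggers an alert.

```python
import math
import os
import random
from collections import Counter

# Expected leading bytes for a few common formats (constructed table, extend as needed).
# Compressed formats such as .docx/.xlsx/.zip/.jpg are high-entropy by design, so for
# them the header, not the entropy, is the reliable signal.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 when every byte is identical, 8.0 when uniform."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(name: str, data: bytes, threshold: float = 7.5) -> bool:
    """True when a file's content is near-random and it is not a format that is
    expected to look that way (or its header no longer matches its extension)."""
    ext = os.path.splitext(name)[1].lower()
    magic = MAGIC.get(ext)
    if magic is not None:
        # A known format with its header intact is what it claims to be, however
        # random the rest looks; header gone AND random content is the warning sign.
        return (not data.startswith(magic)) and shannon_entropy(data) >= threshold
    return shannon_entropy(data) >= threshold


def scan(files: dict, threshold: float = 7.5, alert_ratio: float = 0.5) -> dict:
    """Scan {name: content}; raise an alert when a large share of files is flagged,
    which is what a mass-encryption event looks like (a single odd file is not)."""
    flagged = [n for n, d in files.items() if looks_encrypted(n, d, threshold)]
    ratio = len(flagged) / len(files) if files else 0.0
    return {"flagged": flagged, "ratio": ratio, "alert": ratio >= alert_ratio}


# --- constructed sample files (deterministic noise stands in for encrypted content) ---
_rng = random.Random(7)


def _noise(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


SAMPLE_FILES = {
    "notes.txt": b"Quarterly planning notes. Action items and owners listed below.\n" * 40,
    "report.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n" * 30,
    "photo.jpg": b"\xff\xd8\xff\xe0" + _noise(4096),  # genuine JPEG: high entropy, valid header
    "budget.xlsx": _noise(4096),                      # header gone, random content
    "invoice.docx": _noise(4096),                     # header gone, random content
    "memo.txt": _noise(2048),                         # text file full of random bytes
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:14} entropy={shannon_entropy(data):.2f} flagged={looks_encrypted(name, data)}")
    print(scan(SAMPLE_FILES))
```

Run on a real directory, the same logic is applied to a sample of files read from disk; the useful alert is the ratio across many files, not any single high-entropy file, since archives, images and already-encrypted containers legitimately look random.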
How does ransomware infect a computer?
Ransomware is a type of Trojan (What is a trojan?). It can infect a computer by different means.
In some cases, the ransomware hides itself in software that appears useful or interesting to the user and convinces them to install it. On installation of the apparently benign software, the malware infects the computer silently and stops its operations.
Sometimes it even enters the system through fake software upgrades. On visiting an unsafe website, a popup window may appear asking the user to upgrade software such as Adobe Reader, Flash Player or Java Runtime Environment. Posing as that update, it infects the computer.
Ransomware may also enter a system through a downloaded file or by exploiting a vulnerability in a network service.
Please note that in most cases a ransomware infection begins with carelessness on the part of the user. For example:
- On visiting an unsafe, untrusted or suspicious-looking website, the malware may infect the system.
- Many times, the victim first receives an email from an untrusted sender with an attachment and is tricked into opening it. On opening the attachment, the malware silently infects the computer.
- Ransomware may infect a system if the user clicks on a suspicious link in an email or on a website without knowing where the link leads.
- Ransomware may hide inside apparently interesting software which, once downloaded, infects the computer.
- Many times, ransomware infects a computer by taking advantage of security vulnerabilities in commonly used software on the computer.
Some Examples of Ransomware
Recently, a number of ransomware families have infected many computers, extorting hefty sums of money from users and organizations. A few of them are described below:
Petya is ransomware that infects a victim's machine mostly via an email attachment and attacks the Master Boot Record (MBR) and Master File Table (MFT) of the system. It also encrypts files on the system and asks for a ransom of 0.99 Bitcoins from the victim to recover the encrypted files.
In most reported cases, the victim first receives an email attachment that appears to come from an applicant seeking a job position. On opening the attachment, the malicious trojan starts executing and rewrites the MBR of the system.
The malware then encrypts the Master File Table, which holds the information on every file in the file system: file size, time and date stamps, permissions, data contents and so on. Without the MFT, the file system cannot locate any file, so the computer becomes inaccessible to the user.
The ransomware then displays a screen giving instructions on how to pay the ransom.
More information on Petya can be found here: Petya Ransomware
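Because Petya rewrites the MBR, the first 512 bytes of the disk are a good thing to baseline and re-check. The script below is an added example, not part of the original article, that parses an MBR into its bootstrap code, partition table and boot signature, records a baseline, and reports what changed. The sample sectors are constructed in the code; on a real machine the 512 bytes would be read from the raw disk device or a forensic image (which needs administrator rights), and the baseline should be stored off the machine so an infection cannot alter it too.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR
PT_OFFSET = 446                # partition table: four 16-byte entries after the bootstrap code
ENTRY_FMT = "<B3xB3xII"        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, used partition entries and signature check."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for slot in range(4):
        entry = mbr[PT_OFFSET + 16 * slot: PT_OFFSET + 16 * (slot + 1)]
        status, ptype, lba_start, sectors = struct.unpack(ENTRY_FMT, entry)
        if ptype != 0:  # partition type 0 marks an unused slot
            partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"bootstrap": mbr[:PT_OFFSET], "partitions": partitions,
            "signature_ok": mbr[SECTOR_SIZE - 2:] == BOOT_SIGNATURE}


def baseline_of(mbr: bytes) -> dict:
    """Record what a known-good MBR looks like; keep the result somewhere the machine cannot write."""
    parsed = parse_mbr(mbr)
    return {"bootstrap_sha256": hashlib.sha256(parsed["bootstrap"]).hexdigest(),
            "partitions": parsed["partitions"]}


def check_mbr(mbr: bytes, baseline: dict) -> list:
    """Return a list of findings; an empty list means the MBR still matches the baseline."""
    parsed = parse_mbr(mbr)
    findings = []
    if not parsed["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(parsed["bootstrap"]).hexdigest() != baseline["bootstrap_sha256"]:
        findings.append("bootstrap code changed")
    if parsed["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


# --- constructed sample sectors (not taken from any real disk) ---
def _build_mbr(bootstrap: bytes, signature: bytes = BOOT_SIGNATURE) -> bytes:
    # one bootable NTFS-type (0x07) partition starting at LBA 2048, 204800 sectors long
    entry = struct.pack(ENTRY_FMT, 0x80, 0x07, 2048, 204800)
    table = entry + bytes(16 * 3)  # remaining three slots unused
    return bootstrap + table + signature


GOOD_BOOTSTRAP = bytes((i * 7) & 0xFF for i in range(PT_OFFSET))
SAMPLE_MBR = _build_mbr(GOOD_BOOTSTRAP)
BASELINE = baseline_of(SAMPLE_MBR)
# the same disk after its bootstrap code has been replaced by foreign code
OVERWRITTEN_MBR = _build_mbr(bytes((i * 13 + 5) & 0xFF for i in range(PT_OFFSET)))
# the same disk with the boot signature wiped
NO_SIGNATURE_MBR = _build_mbr(GOOD_BOOTSTRAP, signature=b"\x00\x00")

if __name__ == "__main__":
    print("partitions:", parse_mbr(SAMPLE_MBR)["partitions"])
    for label, sector in [("clean", SAMPLE_MBR), ("overwritten", OVERWRITTEN_MBR),
                          ("no signature", NO_SIGNATURE_MBR)]:
        print(f"{label:13} -> {check_mbr(sector, BASELINE) or 'OK'}")
```

A changed bootstrap hash with an unchanged partition table is exactly the pattern a boot-sector-replacing infection produces, which is why the two are reported separately rather than as one "MBR differs" result.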
TeslaCrypt is ransomware that mostly infects computers with certain games installed and encrypts important files. It then extorts a ransom of $500 in exchange for the secret key needed to decrypt the encrypted files.
Upon infection, the ransomware searches for files with specific extensions, mainly those used for saved games, player profiles, custom maps and game mods, and encrypts them. Newer variants of TeslaCrypt are no longer focused on computer games only and can also encrypt files such as Word documents, PDFs and JPEG images.
TeslaCrypt encrypts the files with AES symmetric keys and asks for a ransom of $500 worth of Bitcoins for the secret key to decrypt them.
More information on TeslaCrypt can be found here: TeslaCrypt
Another widely known ransomware of 2013 was CryptoLocker. It would infect a computer and encrypt important files with specific extensions using a 2048-bit RSA key. It would then blackmail the user, saying it would destroy the private key if a specific amount was not paid within 3 days of the infection. As the key size was large, decrypting the files without that key was extremely difficult. The attackers demanded payment in Bitcoins, and if the ransom was not paid within 3 days, the amount increased to 10 BTC, equivalent to approximately US$ 2300 at the time.
Another ransomware, named CryptoLocker.F, became widely known in Australia in September 2014. It spread through fraudulent emails that falsely claimed the user had a failed parcel delivery from Australia Post. The emails redirected users to an unsafe website, made them enter a CAPTCHA and then infected the computer. It would typically encrypt the important files on the system and demand a payment from the user to buy the decryption key. A notable victim was the Australian Broadcasting Corporation, whose live TV programming was disrupted for almost half an hour.
Purpose of Ransomware
The intention of all ransomware is the same: to extort money from the user. In most cases the attackers use hard-to-trace payment channels such as wire transfers, premium-rate text messages, online payment voucher services like Ukash or Paysafecard, or the digital currency Bitcoin. As a result, it becomes very difficult to trace the perpetrators.
How to prevent ransomware?
We can take a number of steps to protect ourselves from ransomware. Some of them are listed below:
- Keep your computer protected with up-to-date anti-malware software from trusted sources.
- Take regular backups of your system so that you can restore it at any time if ransomware infects it.
- Be careful when opening email attachments. It is advisable not to open any attachment from an unknown sender.
- Avoid clicking on a link if you are not sure where it leads.
- Always keep your operating system and other commonly used software updated with the latest security patches. Many times, ransomware infects a computer by taking advantage of security vulnerabilities in commonly used software.
- Do not install software from untrusted sources.
- Attackers often trick users into clicking malicious links through pop-ups, so it is always advisable to enable a pop-up blocker.
- Configure a firewall on your system (What is a firewall and how does it protect a computer?).
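A backup is only useful against ransomware if you can tell that the copy itself is intact before restoring from it. The script below is an added example, not code from the original article, of the check behind that advice: build a manifest of SHA-256 hashes of every file in a backup tree while it is known good, keep that manifest on separate, offline storage, and later compare the tree against it to list files that were modified, removed or added. The sample files, contents and the simulated damage in demo() are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (relative path with '/' separators) to its SHA-256."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root: str, manifest: dict) -> dict:
    """Compare the tree under root against a manifest taken when the backup was known good."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def is_clean(report: dict) -> bool:
    return not (report["modified"] or report["missing"] or report["unexpected"])


def demo() -> dict:
    """Build a small backup tree, record its manifest, damage the tree, and re-verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        sample = {  # constructed file contents
            "budget.csv": b"item,amount\nlaptops,12000\n",
            "docs/report.txt": b"Q3 report: all systems nominal.\n",
            "docs/plan.txt": b"1. backup  2. patch  3. test restore\n",
        }
        for rel, data in sample.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)

        manifest = build_manifest(root)
        manifest_json = json.dumps(manifest, indent=2)  # this is what you keep offline
        before = verify_backup(root, manifest)

        # Simulated damage to the backup copy (constructed): one file overwritten with
        # unreadable bytes, one renamed away, one new file dropped into the tree.
        with open(os.path.join(root, "docs", "report.txt"), "wb") as f:
            f.write(bytes(range(256)))
        os.rename(os.path.join(root, "budget.csv"), os.path.join(root, "budget.csv.locked"))
        with open(os.path.join(root, "restore_note.txt"), "w") as f:
            f.write("placeholder\n")

        after = verify_backup(root, json.loads(manifest_json))
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest must live somewhere the backed-up machine cannot write, otherwise anything that can alter the backup can alter the manifest to match. Restore only when the report is clean, or restore the unaffected files and treat the rest as lost.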
Mitigation of Ransomware Infection
If your computer is infected with ransomware, you can take the following steps to mitigate the damage:
- Disconnect the computer from the Internet so that data from your system cannot be transmitted back to the attackers.
- If you already have a backup of your data, reinstall the system and restore the files from it.
- Alert the appropriate authorities so that proper action can be taken.
- Please do not pay any ransom to the attackers: extortion is the reason they carry out these attacks, and paying them only encourages more of them. Moreover, there is no guarantee that the system or your crucial files will be restored even after the ransom is paid. Instead, use a fully updated, reliable security program to restore the system and its files.
So, avoid suspicious emails, links and software updates. Keep your system fully updated and run a reliable security program. Use a firewall. And stay safe, stay secure.