What is Ransomware?

Crypto ransomware is a type of malware that attacks by encrypting the victim's files to hold the data hostage. The ransomware encrypts files, or sometimes the whole hard disk of the affected machine, as well as files on connected external devices or network drives. The victim is denied access to the data until the attacker provides the decryption key, and the attacker demands a ransom payment in return for that key.
(Figures above) Wannacry and CryptoLocker demanding ransom payment.
Infection Vector

Crypto ransomware typically infects computers in the following ways:
1. Spam email
2. Compromised websites
Some victims were infected by visiting compromised websites. Those websites target computers with unpatched systems or applications, including browsers and plugins.
3. Malvertising
Malvertising is short for malicious advertising. Some victims were infected by visiting legitimate websites that display malicious banner ads.
4. Remote access
Some ransomware operators use password brute force attacks against remote access services, e.g. Remote Desktop or TeamViewer, to gain access to the data repository and launch the attack from there.
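As an added example (not part of the original HKCERT page), the following script shows how a defender can spot the remote-access brute force described above in Windows Security logs: it counts failed RDP logons (EventID 4625, LogonType 10) per source address and flags sources that cross a threshold, noting whether a successful logon followed the failures. The log lines and addresses are constructed, and the simplified key=value export format is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of Windows Security events exported as "key=value" pairs.
# EventID 4625 is a failed logon, 4624 a successful one; LogonType 10 is
# RemoteInteractive (RDP). Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T02:10:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2024-05-01T02:10:02 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2024-05-01T02:10:03 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2024-05-01T02:10:04 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2024-05-01T02:10:05 EventID=4625 LogonType=10 TargetUser=root SourceIP=203.0.113.7
2024-05-01T02:10:06 EventID=4624 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2024-05-01T08:30:00 EventID=4625 LogonType=10 TargetUser=alice SourceIP=198.51.100.22
2024-05-01T08:30:20 EventID=4624 LogonType=10 TargetUser=alice SourceIP=198.51.100.22
2024-05-01T09:00:00 EventID=4625 LogonType=2 TargetUser=bob SourceIP=127.0.0.1
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)
FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_rdp_bruteforce(text, threshold=5):
    """Return {source_ip: summary} for sources with >= threshold failed RDP logons.
    The summary holds the failure count, the distinct usernames tried, and whether
    a successful RDP logon from the same source followed the failures (the case
    an incident handler should look at first)."""
    seen = defaultdict(lambda: {"failures": 0, "users": set(), "success_after": False})
    for ev in parse_events(text):
        if ev["ltype"] != RDP_LOGON_TYPE:
            continue  # only remote-desktop logons matter for this vector
        entry = seen[ev["ip"]]
        if ev["eid"] == FAILED_LOGON:
            entry["failures"] += 1
            entry["users"].add(ev["user"])
        elif ev["eid"] == SUCCESS_LOGON and entry["failures"] > 0:
            entry["success_after"] = True
    return {ip: e for ip, e in seen.items() if e["failures"] >= threshold}


if __name__ == "__main__":
    for ip, e in find_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {e['failures']} failed RDP logons, users={sorted(e['users'])}, "
              f"success after failures={e['success_after']}")
```

On the sample data only 203.0.113.7 is flagged: five failures across four usernames followed by a success, while the single typo-style failure from 198.51.100.22 and the local (LogonType 2) failure are ignored.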
While most crypto ransomware is Trojan malware that does not spread by itself, some variants have evolved to propagate. Once such ransomware has infected a computer, it will try to infect other devices through the network, USB drives, etc.
Malware's Operation

Ransomware encrypts local and network-shared files with strong encryption. Targeted file types include documents, images, videos, editable drawing files, database files, digital certificates, game profiles, etc.
After the encryption, the malware sends the encryption key back to the command and control server (C2 server) and leaves an extortion message on the infected computer. It demands a specified amount of ransom in bitcoins in exchange for the decryption key; otherwise, the unique decryption key will be deleted.
Due to the use of strong encryption algorithms in ransomware, the encrypted files cannot be recovered in the absence of the decryption key.
(Figures above) CryptoWall and CTB-Locker demanding a ransom payment
Incident handling of crypto ransomware infection

1. Isolate and disconnect the infected machine immediately to avoid further impact the malware may cause.
2. Download a legitimate cleanup tool and run a full scan to remove the malware.
3. Restore the files and data from backup, if backup files are available.
4. If no backup was made previously, we suggest not restoring the system, to avoid losing information that may be required for decryption.
5. Report the incident to HKCERT.
Prevention and Mitigation

1. Beware of suspicious email. Do not open attachments, especially compressed files (zip) or executable files (exe).
2. Install security software and keep it updated with the latest signatures.
3. Update the system and software, such as Microsoft Windows, Office, Adobe Reader, Flash Player, etc., with the latest security patches.
4. Minimize the number of users who have domain administrative rights to confine the scope and impact of an attack, and use a normal-privilege account for daily operation.
5. Back up important documents promptly and regularly. Keep an offline copy of the backup so that it cannot be affected by the malware.
6. If you are using a cloud backup service, make sure that the cloud service provider offers a version history function. It can help to recover files from a previous version, even if the affected files have been synchronized to the cloud.