What is Ransomware?

Crypto ransomware is a type of malware that attacks by encrypting the victim’s files to hold the data hostage. The ransomware encrypts files, or sometimes the whole hard disk, on the affected machine, as well as files on connected external devices or network drives. The victim is denied access to the data until the attacker provides the decryption key, and the attacker demands a ransom payment in return for that key.

[Figures: WannaCry and CryptoLocker demanding ransom payment]

Infection Vector

Crypto ransomware typically infects computers via the following ways:

1. Spam email
Some victims were infected by opening attachments in spam emails. Known file types of malicious attachments include compressed files (.zip) containing executable files (.exe) or JavaScript files (.js), and macro-enabled Microsoft Office files. The spam email campaigns are usually generated by botnets.

2. Compromised websites
Some victims were infected by visiting compromised websites. Those websites target computers with unpatched systems or applications, including browsers and plugins.

3. Malvertising
Malvertising is short for malicious advertising. Some victims were infected by visiting legitimate websites that displayed malicious banner ads.

4. Remote access
Some ransomware uses password brute-force attacks against remote access services, e.g. Remote Desktop or TeamViewer, to penetrate the data repository and launch the attack.

5. Self-propagation
While most crypto ransomware is a Trojan that does not spread by itself, some variants have evolved to propagate. Once a ransomware infects a computer, it tries to infect other devices through the network, USB drives, etc.
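The spam-email vector above names the attachment types most often seen: a .zip carrying an .exe or .js, and macro-enabled Office files. The following is an added example (not HKCERT's code) of a mail-gateway style screener that applies exactly those rules, opening ZIP archives in memory so the member files are checked too. The policy names, the nested-archive depth limit and the sample attachments are constructed for this example; the check for a `vbaProject.bin` member (the part of an Office Open XML file that holds VBA macros) is an additional indicator that is not mentioned on the page.

```python
"""Added example (not HKCERT's code): screen an email attachment for the
file types the advisory names as common ransomware carriers.

Assumptions (constructed for this example): the attachment is available
as a filename plus its raw bytes; policy names and limits are ours.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions the advisory lists: executables, JavaScript, macro-enabled Office
BLOCKED_EXTENSIONS = {".exe", ".js"}
MACRO_OFFICE_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
ARCHIVE_EXTENSIONS = {".zip"}
MAX_ARCHIVE_DEPTH = 3  # constructed limit for nested archives


def risky_reasons_for_name(name: str) -> list[str]:
    """Return the reasons a single file name is considered risky."""
    suffix = PurePosixPath(name).suffix.lower()
    reasons = []
    if suffix in BLOCKED_EXTENSIONS:
        reasons.append(f"{name}: executable or script attachment ({suffix})")
    if suffix in MACRO_OFFICE_EXTENSIONS:
        reasons.append(f"{name}: macro-enabled Office document ({suffix})")
    return reasons


def screen_attachment(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return a list of reasons to quarantine the attachment (empty = allow).

    ZIP archives are opened in memory and every member is screened too,
    because malicious .exe/.js files typically arrive inside a .zip.
    Nested archives are followed up to MAX_ARCHIVE_DEPTH.
    """
    reasons = risky_reasons_for_name(name)
    suffix = PurePosixPath(name).suffix.lower()
    # Look at the magic bytes as well as the name so a renamed zip is still inspected
    looks_like_zip = data[:2] == b"PK"
    if (suffix in ARCHIVE_EXTENSIONS or looks_like_zip) and depth < MAX_ARCHIVE_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.infolist():
                    if member.is_dir():
                        continue
                    # An Office Open XML file is itself a zip; a VBA project inside it means macros
                    if member.filename.lower().endswith("vbaproject.bin"):
                        reasons.append(f"{name}: contains a VBA macro project ({member.filename})")
                        continue
                    try:
                        content = archive.read(member)
                    except RuntimeError:
                        # zipfile raises RuntimeError for password-protected members
                        reasons.append(f"{name}: encrypted archive member {member.filename} cannot be inspected")
                        continue
                    reasons += screen_attachment(member.filename, content, depth + 1)
        except zipfile.BadZipFile:
            reasons.append(f"{name}: archive could not be parsed")
    return reasons


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Constructed test data: build an in-memory zip from name -> content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for member_name, content in members.items():
            archive.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip({"invoice.js": b"// constructed sample", "readme.txt": b"hello"})
    for reason in screen_attachment("invoice.zip", sample):
        print("QUARANTINE:", reason)
    print("clean attachment:", screen_attachment("report.txt", b"plain text"))
```

Password-protected archives are reported rather than allowed, since a member that cannot be inspected cannot be cleared; whether to quarantine or only flag such mail is a policy decision for the deployment.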

Malware’s Operation

Ransomware encrypts local and network-shared files with strong encryption. Targeted file types include documents, images, videos, editable drawing files, database files, digital certificates, game profiles, etc.

After encryption, the malware sends the encryption key back to the command and control server (C2 server) and leaves an extortion message on the infected computer. It demands a specified amount of ransom in bitcoins in exchange for the decryption key; otherwise, the unique decryption key will be deleted.

Because ransomware uses strong encryption algorithms, the encrypted files cannot be recovered without the decryption key.

[Figures: CryptoWall and CTB-Locker demanding a ransom payment]

Incident handling of crypto ransomware infection

1. Isolate and disconnect the infected machine immediately to avoid further impact from the malware.

2. Download a legitimate cleanup tool and run a full scan to remove the malware.

3. Restore the files and data from backup, if backup files are available.

4. If no backup was made previously, we suggest not restoring the system, to avoid losing information required for decryption.

5. Report the incident to HKCERT.
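Step 3 above restores from backup, which first requires knowing which files the ransomware actually encrypted. The operation section describes encryption of documents, images and similar files; an encrypted file loses the format header (magic bytes) its extension promises. The following added example (not HKCERT's code) walks a directory tree and lists files whose leading bytes no longer match their extension, summarised per directory to show the scope. The signature table uses the standard magic bytes of these formats; the sample tree, the stand-in "encrypted" contents and the function names are constructed for this example.

```python
"""Added example (not HKCERT's code): list files whose contents no longer
match the format their extension promises, a simple way to scope which
files a crypto ransomware has encrypted before restoring them from backup.

Assumptions: the signatures below are the standard leading bytes for these
formats; the sample tree is constructed in a temporary directory.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

# Standard leading bytes ("magic") for common targeted document/image types.
SIGNATURES = {
    ".pdf": [b"%PDF"],
    ".docx": [b"PK\x03\x04"],   # Office Open XML is a zip container
    ".xlsx": [b"PK\x03\x04"],
    ".jpg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".zip": [b"PK\x03\x04"],
}

# Constructed stand-in for ciphertext: deterministic bytes that match no signature.
FAKE_CIPHERTEXT = bytes((i * 37 + 11) % 256 for i in range(64))


def header_matches(path: Path) -> Optional[bool]:
    """True/False if the extension is known and the header matches/mismatches; None if unknown."""
    expected = SIGNATURES.get(path.suffix.lower())
    if expected is None:
        return None
    with open(path, "rb") as fh:
        head = fh.read(16)
    # An empty file also fails here, which is correct: it is not a valid document either
    return any(head.startswith(sig) for sig in expected)


def find_suspect_files(root: Path) -> list[Path]:
    """Walk root and return files whose header does not match their extension."""
    suspects = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if header_matches(path) is False:
                suspects.append(path)
    return sorted(suspects)


def summarize_by_directory(root: Path, suspects: list[Path]) -> Counter:
    """Count suspect files per directory (relative to root) to show the blast radius."""
    return Counter(str(p.parent.relative_to(root)) for p in suspects)


def build_sample_tree(root: Path) -> None:
    """Constructed test data: two intact files, two that look encrypted, one unknown type."""
    (root / "docs").mkdir()
    (root / "photos").mkdir()
    (root / "docs" / "report.pdf").write_bytes(b"%PDF-1.4\n%constructed sample\n")
    (root / "docs" / "budget.xlsx").write_bytes(FAKE_CIPHERTEXT)          # no PK header
    (root / "photos" / "cat.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    (root / "photos" / "dog.png").write_bytes(FAKE_CIPHERTEXT)            # no PNG header
    (root / "notes.txt").write_bytes(b"unknown type, not checked")


def run_demo() -> tuple[list[str], dict[str, int]]:
    """Build the constructed tree in a temp dir and return (suspect paths, per-directory counts)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        suspects = find_suspect_files(root)
        rel = [str(p.relative_to(root)).replace(os.sep, "/") for p in suspects]
        return rel, dict(summarize_by_directory(root, suspects))


if __name__ == "__main__":
    paths, counts = run_demo()
    print("files with mismatched headers:", paths)
    print("per directory:", counts)
```

Files with extensions not in the table are skipped rather than reported, so a real deployment would extend SIGNATURES to the document types the organisation actually stores; the list of mismatched paths is what you hand to the restore step so that only affected files are taken from backup.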


Prevention and Mitigation

1. Beware of suspicious emails. Do not open attachments, especially compressed files (.zip) or executable files (.exe).

2. Install security software and keep it updated with the latest signatures.

3. Update the system and software, such as Microsoft Windows, Office, Adobe Reader, Flash Player, etc., with the latest security patches.

4. Minimize the number of users who have domain administrative rights to confine the scope and impact of attacks, and use a normal-privilege account for daily operation.

5. Back up important documents promptly and regularly. Keep an offline copy of the backup so that it cannot be affected by the malware.

6. If you use a cloud backup service, make sure that the provider has a version history function. It can help recover files from a previous version even if the affected files have already been synchronized to the cloud.
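Item 6 above depends on the backup keeping earlier versions instead of overwriting them when the sync client uploads the encrypted copy. The following added example (not HKCERT's code or any cloud provider's API) is a minimal in-memory versioned store that illustrates the mechanism: every distinct upload is kept, identical re-uploads are skipped by comparing a SHA-256 digest, and a restore picks the newest version written at or before a chosen time, the way you would roll back to just before the infection. The store, the timestamps and the scrambled stand-in for an overwritten file are constructed for this example.

```python
"""Added example (not HKCERT's code): a minimal versioned backup store
showing why version history matters. When ransomware overwrites a file and
the sync client uploads the encrypted copy, the earlier version is still
there to restore.

Assumptions: in-memory store; timestamps are supplied by the caller in
increasing order (constructed scenario).
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Version:
    timestamp: int      # seconds since epoch, supplied by the caller
    digest: str         # SHA-256 of the content, used to skip unchanged uploads
    data: bytes


@dataclass
class VersionedStore:
    """Keeps every distinct upload of a file instead of overwriting it."""
    history: dict[str, list[Version]] = field(default_factory=dict)

    def put(self, name: str, data: bytes, timestamp: int) -> bool:
        """Record an upload; returns False if it is identical to the latest version."""
        digest = hashlib.sha256(data).hexdigest()
        versions = self.history.setdefault(name, [])
        if versions and versions[-1].digest == digest:
            return False
        versions.append(Version(timestamp, digest, data))
        return True

    def latest(self, name: str) -> bytes:
        """What a plain sync without version history would leave you with."""
        return self.history[name][-1].data

    def restore_as_of(self, name: str, when: int) -> bytes:
        """Newest version written at or before `when` (e.g. just before the infection)."""
        candidates = [v for v in self.history[name] if v.timestamp <= when]
        if not candidates:
            raise KeyError(f"no version of {name} at or before {when}")
        return candidates[-1].data

    def version_count(self, name: str) -> int:
        return len(self.history.get(name, []))


CLEAN_REPORT = b"Quarterly report - constructed sample contents"


def simulate_sync_then_restore() -> tuple[VersionedStore, bytes, bytes]:
    """Constructed scenario: clean save, unchanged re-sync, overwritten upload, rollback."""
    store = VersionedStore()
    store.put("report.docx", CLEAN_REPORT, timestamp=1000)
    store.put("report.docx", CLEAN_REPORT, timestamp=1100)   # identical: no new version
    # Stand-in for what the sync client uploads after infection: unreadable bytes
    scrambled = bytes(b ^ 0x5A for b in CLEAN_REPORT)
    store.put("report.docx", scrambled, timestamp=1200)
    restored = store.restore_as_of("report.docx", when=1150)
    return store, store.latest("report.docx"), restored


if __name__ == "__main__":
    store, latest, restored = simulate_sync_then_restore()
    print("versions kept:", store.version_count("report.docx"))
    print("latest is readable:", latest == CLEAN_REPORT)
    print("restored is readable:", restored == CLEAN_REPORT)
```

A real provider's version history also has a retention limit, so the rollback only works if the infection is noticed before the clean versions age out; that retention period is worth checking when choosing a service.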


About HKCERT

Managed by the Hong Kong Productivity Council (HKPC), the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) is the centre for coordinating computer security incident response for local enterprises and Internet users. Its missions are to facilitate information dissemination, provide advice on preventive measures against security threats and promote information security awareness.

HKCERT collaborates with local bodies to collect and disseminate information and to coordinate response actions. HKCERT is also a member of the Forum of Incident Response and Security Teams (FIRST) and the Asia Pacific Computer Emergency Response Teams (APCERT). We exchange information with other CERTs and act as a point of contact for cross-border security incidents.

HKPC Hotline: (852) 8105 6060