This period has seen the widespread emergence of a sophisticated strain of ransomware called CryptoLocker. Having infected a computer, typically via a phishing email, the malware contacts a command and control server, which generates a 2,048-bit RSA key pair and returns only the public half; the private key needed for decryption never leaves the attackers' server, and a key of that size is far beyond any brute-force attempt. In practice the bulk of the file encryption is done with a symmetric cipher and the RSA public key is used only to encrypt the symmetric keys, the standard hybrid construction, but the effect is the same: without the server-side private key the files cannot be recovered. The program then demands a ransom of $300 USD via Green Dot MoneyPak pre-paid cards or 2 Bitcoins (currently worth around $1,000 US) in exchange for the private key. If payment by these anonymised means is not made before a 96-hour countdown expires, the attackers claim the private key is destroyed, leaving the files permanently encrypted. In more recent versions of the malware, victims can instead choose to extend this deadline, albeit at vastly inflated prices. Encryption is not confined to the local disk: files on attached flash drives, on mapped network shares and in folders synchronised to cloud storage providers are encrypted as well, so the synchronised copies are overwritten with the encrypted versions.
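To make the key arrangement concrete, here is a worked model of the scheme in Go. It is an added example written for this note, not code from the page or from the malware itself: it wraps a fresh per-file AES-256-GCM key with RSA-OAEP under a 2,048-bit public key (the exact cipher modes CryptoLocker uses are an assumption here, the hybrid structure is not), and shows that the resulting ciphertext opens with the server's private key and stays opaque under any other key, however strong.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is one file as the scheme leaves it on disk: the content
// sealed under a fresh per-file AES-256 key, and that key wrapped with the
// attackers' RSA-2048 public key. The plaintext AES key is discarded.
type EncryptedFile struct {
	WrappedKey []byte // per-file AES key, RSA-OAEP encrypted
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // file content plus GCM authentication tag
}

// ServerKeyPair stands in for key generation on the command and control
// server. Only the PublicKey half is ever handed to the infected machine.
func ServerKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptFile is everything the client side can do holding the public key alone.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32) // AES-256
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	// Wrap the file key with the public key; unwrapping needs the private key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// DecryptFile needs the matching private key. With any other key the OAEP
// unwrap fails, and there is no shortcut through the 2,048-bit modulus, which
// is why the threat to delete the server-side private key is the whole leverage.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong or missing private key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	server, err := ServerKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample content, not a real victim file.
	ef, err := EncryptFile(&server.PublicKey, []byte("Q4 payroll report (constructed sample)"))
	if err != nil {
		panic(err)
	}
	if pt, err := DecryptFile(server, ef); err == nil {
		fmt.Printf("with the server's private key: %q\n", pt)
	}
	other, _ := ServerKeyPair() // a different 2,048-bit key, equally strong
	if _, err := DecryptFile(other, ef); err != nil {
		fmt.Println("with any other private key:", err)
	}
}
```

The point a responder should take from this: the public key found on an infected machine is useless for recovery, and a second key pair of the same size is equally useless; the only decryption path runs through the key material the attackers hold.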
The malware operates on all current versions of Windows and appears to be focused on small businesses, presumably because they combine heavy dependence on their data with comparatively weak security practices. Infections have been most prevalent in the U.S., with a Massachusetts police department reportedly among victims opting to pay the ransom. In the U.K., the National Crime Agency has warned that tens of millions of malicious emails carrying the ransomware have been distributed to PC users, though there is currently no evidence of infection on this scale.
Considering current propagation methods, the simplest means of preventing infection is heightened vigilance towards phishing emails whose attachments carry the malware: typically a ZIP file containing an executable given a document-style icon and a double extension such as .pdf.exe, which Windows Explorer's default of hiding known file extensions displays as a plain PDF. To date, popular lures have included a document circulated within companies claiming to be a payroll report, designed to pique an employee's interest, and a document claiming to be parcel tracking information from UPS or FedEx, an approach with particular current appeal given the upsurge in home deliveries associated with online shopping in the run-up to Christmas. Less common vectors include the exploitation of a vulnerability in Java, and the automatic installation of the ransomware on computers already enrolled in the Zeus banking Trojan botnet. Besides user awareness, popular free antivirus programs such as Avast and Malwarebytes may assist in detecting such attacks, while CryptoPrevent is specifically designed to block this form of malware: it applies Windows Software Restriction Policy rules that stop executables from launching out of the %AppData% and temporary folders the malware installs itself into.
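As an added example (not code from the page or from any of the products named above), the following Go program performs the attachment check a mail gateway or an analyst would want for the ZIP lures described here. It flags archive entries on three tests: an executable extension, an executable extension hidden behind a document extension such as .pdf.exe, and a PE "MZ" header under a name that claims to be a document. The archive it inspects is constructed in memory from harmless stub bytes, and the file names are invented.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// Extensions Windows will execute on a double-click. The lure archives carry
// an .exe named to look like a PDF; Explorer hides the final extension by default.
var execExts = map[string]bool{
	".exe": true, ".scr": true, ".com": true, ".pif": true,
	".bat": true, ".cmd": true, ".js": true, ".vbs": true, ".jar": true,
}

// Finding is one suspicious archive entry and the reason it was flagged.
type Finding struct {
	Name   string
	Reason string
}

// TriageZip inspects a ZIP held in memory and returns one Finding per entry
// that looks executable, whatever it calls itself.
func TriageZip(data []byte) ([]Finding, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, f := range zr.File {
		if f.FileInfo().IsDir() {
			continue
		}
		name := strings.ToLower(path.Base(f.Name))
		ext := path.Ext(name)
		stem := strings.TrimSuffix(name, ext)
		switch {
		case execExts[ext] && path.Ext(stem) != "":
			findings = append(findings, Finding{f.Name, "executable disguised with a double extension"})
		case execExts[ext]:
			findings = append(findings, Finding{f.Name, "executable attachment"})
		default:
			// The name looks harmless, so check the content's magic bytes instead.
			rc, err := f.Open()
			if err != nil {
				return nil, err
			}
			head := make([]byte, 2)
			n, _ := io.ReadFull(rc, head)
			rc.Close()
			if n == 2 && string(head) == "MZ" {
				findings = append(findings, Finding{f.Name, "PE header (MZ) under a non-executable name"})
			}
		}
	}
	return findings, nil
}

// BuildSampleZip constructs a lure-style archive in memory. The contents are
// stub bytes, not a real payload, and the names are invented for the example:
// a fake PE with a PDF-looking double extension, a PE renamed to .doc, and a
// genuine-looking PDF header that must not be flagged.
func BuildSampleZip() []byte {
	entries := []struct {
		name string
		body []byte
	}{
		{"UPS_Tracking_Info.pdf.exe", []byte("MZ\x90\x00fake-pe-stub")},
		{"Payroll_Report_Q4.pdf", []byte("%PDF-1.4 harmless")},
		{"invoice.doc", []byte("MZ\x90\x00fake-pe-stub")},
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, err := zw.Create(e.name)
		if err != nil {
			panic(err)
		}
		w.Write(e.body)
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	findings, err := TriageZip(BuildSampleZip())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("FLAG %-28s %s\n", f.Name, f.Reason)
	}
}
```

The magic-byte test is the one that matters most: extension rules are easy to evade by renaming, whereas a Windows executable still has to begin with "MZ" to run, so a gateway that only looks at names will pass the renamed copy that the third entry represents.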
Though preventing the initial infection is the only guaranteed means of avoiding encryption, some other techniques can help victims mitigate the worst effects of the ransomware. The Windows Volume Shadow Copy service keeps previous versions of files, and the free third-party tool ShadowExplorer lets victims browse and restore them; this only helps while the shadow copies survive, since malware can delete them with the built-in vssadmin tool. Despite claims to the contrary from the creators, winding back the clock in the PC's BIOS (the firmware that initialises the hardware and starts the operating system) can buy victims more time, because the countdown runs against the local clock. Such techniques may, however, be rendered ineffective by future modifications to the ransomware. The creators' continued financial interest in the 'integrity' of the transaction means that, to date, payment has remained the surest method of regaining access to encrypted files, although there have been reports of some users' files being corrupted in the decryption process, and every payment funds the next campaign.
While the perpetrators' sophisticated command and control and payment techniques have helped to maintain their anonymity, evidence that multiple groups are running the ransomware, combined with the program's use of broken English ("most cheap option" and "nobody and never will be able to restore files"), suggests the possible involvement of Russian criminal gangs, which remain among the world's leaders in this field. The ability to adapt constantly has been a significant factor in the success of CryptoLocker. The creators appear to have been monitoring computer security forums for victim "feedback" in order to increase their revenues. This has led to modifications such as a desktop shortcut to 'reinstall' the malware when a victim's antivirus software removes it, and with it the means of paying, after encryption has already occurred. Although current estimates suggest only 3% of victims opt to pay the ransom, further adjustments and reinvestment of this revenue may make the option more attractive in the coming period. Accordingly, the authors may increasingly turn to alternative methods of infection, such as spear-phishing (highly tailored) attacks carrying higher ransoms, or watering hole attacks, which involve compromising a trusted third-party website that the intended victims already visit.
This latest strain of ransomware also represents the continuing evolution of this form of malware from the relatively unsophisticated 'Ransomlock' Trojans, which simply freeze a user's interface pending a ransom payment. The increasing success of such tactics despite the currently simplistic means of infection reinforces the need for effective basic security measures. In addition to the steps above, readers are advised to back up valuable documents regularly to a location the infected machine cannot overwrite, whether offline media that is disconnected after each backup or a service that retains previous versions; a backup on a permanently mapped drive or in a plain synchronised folder will be encrypted along with everything else.