[SingCERT] Ransomware

Published on Friday, 06 May 2016 17:01

Overview

There has been a noticeable rise in ransomware infections in both Singapore and overseas. This advisory provides information on ransomware and how members of the public can mitigate and prevent this threat.

Currently, recovery of data encrypted by ransomware is extremely difficult. Only a small number of decryptors exist, and they work only for older variants, typically where a flaw in the ransomware's cryptography was found or the keys were recovered; the No More Ransom project (https://www.nomoreransom.org/) collects the ones that are available. The best way to guard against ransomware is to prevent the infection from happening in the first place.


What is Ransomware?

Ransomware is a type of malware that holds a victim’s files, computer system or mobile device to ransom, restricting access until a ransom is paid. Operating systems that can be infected include Windows, Mac OS X and Linux. Some ransomware variants are also known to traverse the network and encrypt all files stored in shared and/or network drives. The more prevalent type of ransomware today encrypts commonly-used files, such as user documents, images, audio and video files. The files are encrypted with standard, correctly implemented cryptography (typically a symmetric cipher for the file contents, with that key in turn protected by an RSA key of 2048 bits or more that only the attacker holds), so they are irrecoverable unless the attacker's decryption key is obtained or the variant turns out to contain an implementation flaw. The diagram below illustrates some of the ransomware variants identified by researchers in recent years.

Ransomware Variants
Image credit: https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack-chain

Once the files in an infected computer have been encrypted, a ransom note is displayed on screen to the victim, detailing the steps that need to be taken to decrypt the files. Samples of ransom notes are shown in the screenshots below.

TeslaCrypt

Locky Ransom Note

Ransomware has proven to be effective in extorting money from victims. By holding important data ransom, cyber criminals instill fear and panic into their victims and further pressure them to pay the ransom by threatening destruction of the decryption key.

How Is Ransomware Spread?

There are numerous ways in which ransomware is known to spread.

Infection Methods

One common way is through phishing emails that contain malicious attachments or links. The attachment is rarely the ransomware itself; more often it is an inconspicuous-looking document or script which, when opened, downloads the ransomware from an external server and executes it. Unsuspecting users are infected simply by opening such an attachment or following such a link.

Secondly, the unsuspecting victim may click on a malicious link and be redirected to a malicious website that contains scripts to automatically download and install the malware without their knowledge.

Thirdly, the infection vector may be malicious advertisements (malvertising) that exploit vulnerabilities in the user’s browser or its plug-ins to serve and install ransomware without any click on the user's part, commonly known as drive-by downloads. Such advertisements are found mainly on malicious websites, and, to a lesser extent, even on legitimate websites if the advertising service they use has been compromised.

The fourth way that a user can be infected is through installation of software that has ransomware bundled with it. This may include unofficial or pirated software, or software from disreputable sources.


Symptoms of Ransomware Infection

A key sign of a ransomware infection is the inability of a victim to access his/her files or computer system. A ransom note will also persistently appear, typically replacing the Desktop’s wallpaper, to inform the victim of the ransom and payment instructions.

Some ransomware set deadlines for the victim to pay the ransom. Failing to meet these deadlines may result in the ransom increasing in price, or deletion of the decryption key, which would result in the victim losing his/her files or access to the computer permanently. 

Impact of Ransomware

Ransomware is indiscriminate and destructive in nature; it targets both home and business users, and its impact can be disastrous. Personal, sensitive, or proprietary information may be lost if there is no backup of this data. Business operations may also be disrupted if employees are unable to work because the files they need are encrypted. Furthermore, there are financial costs in restoring personal computers or business systems to their original state.

Solution

The best solution for ransomware is to prevent it from happening. SingCERT recommends that users take the following preventive measures to better protect themselves against ransomware:

Follow Internet Browsing Best Practices to Stay Safe Online

Users should exercise caution and avoid opening unexpected or suspicious email attachments. When in doubt, verify with the sender through a separate channel (for example a phone call) that they really sent the email; the sender's address can be spoofed, and a compromised account sends mail that looks entirely genuine.

Similarly, do not click on suspicious links to websites that you do not recognise or that are sent by people you do not know. These websites may contain malicious code that infects a visitor’s computer with ransomware.
 
More importantly, do not download software from unofficial or disreputable sources. Such software—especially pirated software—may have ransomware or other malicious software bundled with it.

Update Software Regularly

Some types of ransomware rely on software vulnerabilities to infect a system. Keep your operating system and all software updated with the latest patches to prevent such exploits.

Install an antivirus/anti-malware software and keep it updated. Perform a scan of your entire computer at least once a week, and scan all files you receive or removable storage devices that you connect.

Perform File Backups Regularly

Ransomware relies on scare tactics by holding your data to ransom. Having data backups removes that leverage, limits the impact of a ransomware attack, and is pivotal to the recovery process. Formulate a backup and recovery plan for critical data, perform data backups regularly, and test that files can actually be restored from them.

As ransomware can encrypt any storage it can reach, including connected external drives and mapped network or cloud-synchronised folders, take additional precaution and ensure that your backups are stored offline or disconnected when not in use. Keep more than one version as well: a backup that continuously mirrors your files will simply mirror the encrypted copies too.
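
The snapshot-style backup described above, as an added example that is not part of the SingCERT advisory: each run writes to a new, dated directory with a SHA-256 manifest, an existing snapshot is never overwritten, and a restore is refused if the snapshot no longer matches its manifest. The directory names, file names and the simulated "encryption" of the source are constructed for the demonstration; the "offline_disk" directory stands in for a drive that is plugged in only for the backup run.

```python
"""Append-only, hash-verified backup snapshots.

Added example; not code from the SingCERT advisory. Standard library only.
Why: a backup that mirrors the source in place will, on its next run,
faithfully copy the encrypted versions over the good ones. Writing each run
to a new snapshot directory and keeping the backup media disconnected
between runs means the earlier, clean snapshot survives an infection.
Paths and file names below are constructed for the demonstration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(source: Path, backup_root: Path, label: str) -> Path:
    """Copy source to backup_root/<label>/data and write a SHA-256 manifest.

    Refuses to reuse a label: snapshots are append-only, never overwritten.
    """
    dest = backup_root / label
    if dest.exists():
        raise FileExistsError(f"snapshot {label} already exists; not overwriting")
    shutil.copytree(source, dest / "data")
    files = sorted(p for p in (dest / "data").rglob("*") if p.is_file())
    manifest = {p.relative_to(dest / "data").as_posix(): sha256_file(p) for p in files}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return dest


def verify(snap: Path) -> list:
    """Return names of files whose current hash differs from the manifest."""
    manifest = json.loads((snap / "manifest.json").read_text())
    return [name for name, digest in manifest.items()
            if sha256_file(snap / "data" / name) != digest]


def restore(snap: Path, target: Path) -> None:
    """Restore only from a snapshot that still matches its manifest."""
    bad = verify(snap)
    if bad:
        raise ValueError(f"snapshot fails integrity check ({bad}); refusing to restore")
    shutil.copytree(snap / "data", target, dirs_exist_ok=True)


def demo(root: Path) -> dict:
    """Constructed scenario: clean backup, then the source gets 'encrypted'."""
    src = root / "documents"
    src.mkdir(parents=True)
    (src / "thesis.docx").write_bytes(b"important thesis text")
    (src / "photo.jpg").write_bytes(b"\xff\xd8\xff photo bytes")
    backups = root / "offline_disk"   # stands in for a disk plugged in only for backups
    backups.mkdir()

    day1 = snapshot(src, backups, "2016-05-06")

    # Simulate infection: contents replaced with pseudo-random bytes, names
    # given a new extension, and a ransom note dropped (all constructed).
    for p in list(src.iterdir()):
        p.write_bytes(hashlib.sha256(p.read_bytes()).digest() * 4)
        p.rename(p.with_name(p.name + ".locked"))
    (src / "HELP_DECRYPT.txt").write_text("your files are encrypted")

    # A mirror-style backup would now hold only this encrypted copy.
    day2 = snapshot(src, backups, "2016-05-07")

    restored = root / "restored"
    restore(day1, restored)

    # Tamper with a file inside day2 to show the manifest catches modification.
    (day2 / "data" / "HELP_DECRYPT.txt").write_text("modified after backup")

    return {
        "day1_intact": verify(day1) == [],
        "restored_original": (restored / "thesis.docx").read_bytes() == b"important thesis text",
        "day2_captured_locked": sorted(p.name for p in (day2 / "data").iterdir())
                                == ["HELP_DECRYPT.txt", "photo.jpg.locked", "thesis.docx.locked"],
        "tamper_detected": verify(day2) == ["HELP_DECRYPT.txt"],
    }


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return demo(Path(tmp))


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check:22s} {'pass' if ok else 'FAIL'}")
```

The second snapshot is useless but harmless; what matters is that taking it could not damage the first. In practice the same idea is provided by versioned or snapshot-capable backup software, and the media should be disconnected (or the NAS share unmounted) as soon as the run completes.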

For a full list of recommended best practices to safe Internet browsing, visit https://www.csa.gov.sg/gosafeonline/go-safe-for-me/homeinternetusers/protect-your-computer-from-cyber-threats

Additional Preventive Measures to Consider

While the measures highlighted above are important to keeping your data safe and secure, there are additional preventive measures you should consider to further safeguard against ransomware attacks.

Install an ad-blocker and/or script blocker extension/add-on to your web browser

Numerous ransomware incidents have occurred from drive-by downloads, whereby simply visiting a webpage hosting malicious scripts or advertisements resulted in the victim’s computer being infected. Having an ad-blocker and script blocker enables you to selectively allow scripts or advertisements to run on your web browser, and you should only allow trusted content to be run. 

Encrypt sensitive data

Some variants of ransomware select the files they encrypt by file type, such as images and documents. Keeping your data in an encrypted container or volume can cause such variants to skip it, since the container does not carry a targeted extension. This only helps while the container is closed, as a mounted volume is just another drive to the ransomware, and it is no substitute for backups. Sensitive or critical data should, all the more, be encrypted to prevent leakage if the device is lost or stolen.

Enable Microsoft Office macros only when required

One key delivery mechanism of ransomware is the abuse of Microsoft Office macros to infect a computer with ransomware. This comes in the form of malicious Office documents that trick victims into enabling macros in order to view their contents; a document that claims you must "enable editing" and then "enable content" before it can be read is a common lure. Users are advised to be cautious and enable macros only for documents from a trusted source that they were expecting.
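
A triage check for the attachments described above, added here as an example and not code from the SingCERT advisory. Modern Office files are zip archives; macro-enabled ones carry the VBA project in a vbaProject.bin part and declare it in [Content_Types].xml, and the file extension is not to be trusted since a .docm renamed to .docx still contains the macro part. The sample archives built by build_sample are constructed stand-ins with that structure, not real Word files.

```python
"""Triage check for Office attachments: does this OOXML file carry VBA macros?

Added example; not code from the SingCERT advisory. Standard library only.
A .docx/.xlsx/.pptx (and the macro-enabled .docm/.xlsm/.pptm) is a zip
archive. Macro-enabled documents store the VBA project in a vbaProject.bin
part and declare its content type in [Content_Types].xml. The extension is
not trusted: a .docm renamed to .docx still contains the macro part.
"""
import io
import zipfile

# Content type Office assigns to the VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def office_macro_indicators(data: bytes) -> dict:
    """Return macro indicators found in an OOXML blob (all False if not a zip)."""
    result = {"is_ooxml": False, "has_vba_part": False,
              "declares_vba_type": False, "parts": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    names = zf.namelist()
    result["is_ooxml"] = "[Content_Types].xml" in names
    result["parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    result["has_vba_part"] = bool(result["parts"])
    if result["is_ooxml"]:
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["declares_vba_type"] = VBA_CONTENT_TYPE in ctypes
    return result


def has_macros(data: bytes) -> bool:
    """True if either indicator is present; treat such attachments as untrusted."""
    ind = office_macro_indicators(data)
    return ind["has_vba_part"] or ind["declares_vba_type"]


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for the demonstration.

    This is a constructed stand-in, not a real Word file; Word would not open
    it, but it has the same structure a macro check relies on.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = ['<?xml version="1.0" encoding="UTF-8"?>',
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
                 '<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            types.append('<Override PartName="/word/vbaProject.bin" '
                         f'ContentType="{VBA_CONTENT_TYPE}"/>')
            # A real vbaProject.bin is an OLE compound file; only its magic bytes are mimicked.
            zf.writestr("word/vbaProject.bin",
                        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("macro-enabled", build_sample(True)),
                          ("plain", build_sample(False)),
                          ("not-a-zip", b"%PDF-1.4 not an Office file")):
        print(f"{label:14s} has_macros={has_macros(sample)}")
```

This covers only the zip-based formats. Legacy binary .doc/.xls files are OLE compound files and need an OLE parser (the olevba tool from oletools is the usual choice). A negative result is a gate, not a verdict: a document without macros can still carry an exploit or an external link.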

Application Control

Consider installing application control software that provides application and/or directory whitelisting. Whitelisting allows only approved programs to run while restricting all others, and is one of the best security practices to protect a computer system.

How to Remove Ransomware?

In the event that a machine is infected with ransomware, SingCERT recommends taking the following measures:
  1. Disconnect the infected computer immediately from:
    • Any wired or wireless network (e.g. Internet and Intranet) that it is connected to
    • Storage devices such as cloud-based storage (sign out of or pause any synchronisation client so that encrypted files are not uploaded), external hard disks, and Network Attached Storage (NAS)
    • Bluetooth devices
    Doing so isolates the infected system and prevents further spread of the ransomware.
  2. Before cleaning, keep a copy of the ransom note and a few of the encrypted files on separate media; they are needed to identify the variant in the next step, and a decryptor may be released for it later. Then scan and disinfect the computer with an antivirus or anti-malware application. Most types of ransomware create some form of persistence in the infected computer, and may re-encrypt data subsequently if not properly removed.
  3. Go to https://id-ransomware.malwarehunterteam.com/ and upload a sample ransom note or sample encrypted file to identify which variant of ransomware has infected your computer and whether a decryptor is known for it.
  4. Locate any files from possible backup sources to determine the extent of data loss. Having a data recovery or business continuity plan helps to facilitate this process.
  5. Perform data restoration from the backup sources. If possible, do so on a clean installation to ensure that the system is completely free of malware.
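
A scoping script for steps 3 and 4 above, added here as an example and not code from the SingCERT advisory: it walks a directory and lists probable ransom notes and encrypted files, using three signals in order of strength. Renamed files with a known ransom extension and note-like file names are the reliable ones; a Shannon entropy close to 8 bits per byte catches files encrypted in place without a rename, but formats that are compressed by design (images, archives, OOXML) are excluded because they look random anyway. The extension list, note keywords and sample directory are constructed assumptions, not an authoritative signature set.

```python
"""Scoping an infection: list suspected encrypted files and ransom notes.

Added example; not code from the SingCERT advisory. Standard library only.
Encrypted data looks uniformly random (Shannon entropy close to 8 bits per
byte); most variants also append an extension and drop a note with a
recognisable name. The extension list and note keywords below are
illustrative assumptions, and the sample directory is constructed.
"""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Assumed indicators (illustrative only).
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".locky", ".zepto", ".micro", ".ecc"}
NOTE_KEYWORDS = ("decrypt", "recover", "ransom", "help_", "readme")
NOTE_EXTENSIONS = {".txt", ".html", ".hta"}
# Formats that are compressed by design, so high entropy is normal for them.
COMPRESSED_FORMATS = {".jpg", ".jpeg", ".png", ".gif", ".zip", ".7z", ".gz", ".pdf",
                      ".docx", ".xlsx", ".pptx", ".mp3", ".mp4"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path, threshold: float = 7.5, min_size: int = 256) -> str:
    name = path.name.lower()
    suffix = path.suffix.lower()
    if suffix in NOTE_EXTENSIONS and any(k in name for k in NOTE_KEYWORDS):
        return "ransom_note"
    if suffix in SUSPECT_EXTENSIONS:
        return "encrypted_extension"
    if suffix in COMPRESSED_FORMATS or path.stat().st_size < min_size:
        return "ok"
    # Only the first 64 KiB is read; that is enough to measure entropy cheaply.
    with path.open("rb") as f:
        head = f.read(65536)
    return "high_entropy" if shannon_entropy(head) >= threshold else "ok"


def scan(directory: Path) -> dict:
    """Map each file under directory to its classification."""
    return {p.relative_to(directory).as_posix(): classify(p)
            for p in sorted(directory.rglob("*")) if p.is_file()}


def summarise(results: dict) -> dict:
    return {"ransom_notes": sorted(n for n, c in results.items() if c == "ransom_note"),
            "suspected_encrypted": sorted(n for n, c in results.items()
                                          if c in ("encrypted_extension", "high_entropy")),
            "counts": dict(Counter(results.values()))}


def pseudo_random(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chained), standing in for ciphertext."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


def build_sample(root: Path) -> None:
    """Constructed directory mixing untouched, encrypted and note files."""
    (root / "notes.txt").write_bytes(b"meeting notes " * 100)
    (root / "thesis.docx.locky").write_bytes(pseudo_random(b"a", 4096))  # renamed and encrypted
    (root / "budget.xls").write_bytes(pseudo_random(b"b", 4096))         # encrypted in place, no rename
    (root / "photo.jpg").write_bytes(pseudo_random(b"c", 4096))          # legitimate compressed file
    (root / "_HELP_instructions.txt").write_text("All your files are encrypted. Visit ...")


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample(root)
        return scan(root)


if __name__ == "__main__":
    results = run_demo()
    for name, verdict in results.items():
        print(f"{verdict:20s} {name}")
    print(summarise(results))
```

Run it against the user's data directories and any connected shares while the machine is still isolated. The "ransom_note" hits are what to upload for identification in step 3, and the "suspected_encrypted" list against the backup inventory gives the extent of loss in step 4. Expect some false positives from the entropy check on unusual binary formats; it is a hint, not proof.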

If you are a victim of ransomware, you can lodge a police report at any Neighbourhood Police Centre/Post or via the Electronic Police Centre website at http://www.police.gov.sg/iwitness for Police assistance. All information provided will be kept strictly confidential.

References

https://www.us-cert.gov/ncas/alerts/TA16-091A
http://www.bleepingcomputer.com/virus-removal/ransomware
https://threatpost.com/new-server-side-ransomware-hitting-hospitals/117059/
http://www.webroot.com/hk/en/home/resources/tips/online-shopping-banking/secure-what-is-social-engineering
https://www.nomoreransom.org/