Ransomware

Number: IN13-004
Date: 06 August 2013

Audience

The purpose of this document is to provide readers with information and guidance related to ransomware. This document also provides mitigation advice which may reduce the risk associated with this threat.

Description

Ransomware, also called scareware, is a type of malicious software (malware) that infects a computer and restricts access until a ransom is paid to unlock it. This malware attempts to extort money from victims by displaying an on-screen alert stating that their computer has been locked or that all of their files have been encrypted, and demanding that a ransom be paid to restore access.

Victims describe receiving alert messages that a software license is out of date, or fake anti-virus pop-ups claiming their computer is infected and telling them to click on a link to fix it. This type of malware can be very effective because it scares the victim, or causes enough panic, that they click on the link and become infected. The same panic drives the victim to pay the demanded ransom as quickly as possible in order to restore access to their computer.

Paying the ransom does not guarantee that the victim's files will be released; it only guarantees that the criminals receive your money and possibly your banking information. Ransomware doesn't just target home users; businesses have also fallen victim and have incurred costs when restoring their systems. Some reporting indicates that this scam is highly profitable, with victims paying out over 5 million dollars a year to criminals [1].

Examples of ransomware that have affected Canadians can be found in the appendix.

Infection Methods

There are several ways that users can become infected with ransomware. Cyber criminals have changed their methods and are now purchasing advertising on websites, often pornography or gaming sites, so that when users click on advertising pop-ups they are redirected to an exploit kit, which infects them with ransomware or other malware. Exploit kits that have been used include Blackhole, Cool EK and Neutrino. In addition to Microsoft Windows, criminals are now targeting Macintosh users and mobile devices.

Past methods of infection include malicious email attachments, removable media such as USB keys, social media, and poisoned websites through drive-by downloading. Drive-by downloading is when a user visits an infected web site and malicious software is downloaded and installed without their knowledge.

Recommendations

There are a few steps that a user can take to lower the risk of infection and to help with recovery if an infection should occur.

Recovery

Recovery from ransomware can be a difficult process and may require the services of a reputable data recovery specialist. It is important to note that paying the criminals their "fine" or "ransom" will not get your data back, nor will they decrypt it for you. They are only interested in your money.

Once the malware has been confirmed to be removed, change all passwords for all accounts accessed from the previously infected computer. These could include:

If you have already paid them, alert your financial institution and your local law enforcement authorities. You may also report it to the Canadian Anti-Fraud Centre.
http://www.antifraudcentre-centreantifraude.ca/
info@antifraudcentre.ca
1-888-495-8501

Conclusion

Ransomware is extorting, in total, millions of dollars a year from victims. Users can protect themselves by ensuring that their operating systems and applications are kept up to date, that a reputable anti-virus application is installed, and that regular backups of information are performed. If an infection should occur, victims who have these recommended steps in place will be able to recover more quickly.

Appendix

Reveton
This variant of ransomware, also called the "Police Trojan", locks the computer and displays a warning stating that it is from the victim's national law enforcement agency and claiming that the computer has been used for illegal activities. The supposed illegal activity includes viewing child pornography and downloading pirated software.

The warning states that in order to unlock the computer and avoid criminal charges, the victim must pay a fine using an online money voucher such as Paysafecard, MoneyPak, or Ukash. Criminals will even use geo-location to add authenticity to the message: they add the local law enforcement logo, quote sections of the criminal code, activate your web cam to display your picture, and display your IP address while claiming they are tracking and recording you, all to scare you into paying the ransom.

Legitimate organizations in Canada that have had their logos used in this scam include the Canadian Police Association, Royal Canadian Mounted Police (RCMP), Public Safety Canada and the Canadian Security Intelligence Service (CSIS). Illegitimate organizations that have been used include the "Cybercrime Investigation Department". Images of past examples may be found at the following link:
https://www.botnets.fr/index.php/Landings_CA

An interesting note about this variant is that when the computer becomes infected with the Reveton ransomware, it connects to a command-and-control server controlled by the criminals to receive additional commands. This allows the malware to be highly adaptable and even to keep the computer infected long after the ransom has been paid. This malware has also been known to run in the background and install key loggers to capture personal information and passwords.

Urausy
Urausy is very similar to Reveton in that it uses law enforcement images to scare the victim into paying a fine. Where it differs is how the victim becomes infected. Urausy is primarily spread through exploit kits, such as Blackhole, which will exploit unpatched vulnerabilities in common web browsers to serve malware to victims.

Images of past examples may be found at the following link:
https://www.botnets.fr/index.php/Urausy

Mobile Devices
Ransomware is now spreading to mobile devices. However, this variant of ransomware will typically not lock a mobile device and demand money in the way seen on a personal computer; instead it masquerades as an anti-virus application with an alert claiming that your mobile device is infected. It demands that the victim pay money to resolve the security alerts.

Victims may become infected by downloading and installing applications from untrusted, third-party sources. Upon installation, the malware pops up a window that looks like an anti-virus alert, stating that your device is infected and to click "here" to fix it. Clicking on this button, or anywhere else, will not close the application or allow you to perform any other function on your mobile device, and due to compatibility issues, pressing the home button may cause the device to crash. Upon restarting the device, the malware pops up again and restricts access to any other applications, making it very difficult to uninstall the malicious application. Recovery from this malware can be difficult and may require a factory reset of the device or the services of a professional.

Winlock
Winlock is a non-encrypting ransomware that was widespread in Russia several years ago and eventually made its way to North America. It would lock users out of their computers and display a warning message with pornographic images, demanding that users send a premium-rate text message to receive a code to unlock their computers. The premium-rate text would cost approximately $10 USD, and paying it would make the images disappear and unlock the computer. However, the warning would pop up again a few days later demanding more money, proving that the malware was never eradicated in the first place.

Microsoft Windows Product Activation
Ransomware then evolved to using fake Microsoft Windows product activation messages. This type of ransomware was non-encrypting and would lock victims out of their computers with a message claiming that their Windows installation needed to be reactivated because they had been a victim of fraud. Victims were directed to obtain a six-digit code by calling an international phone number, only to be routed through a rogue operator and placed on hold, incurring significant long-distance charges.

Encrypting Ransomware
This type of ransomware locks victims out of their computer, demands money, and encrypts all of the victim's files or entire hard drives, including business-related documents. Recovery from this variant is particularly difficult because even when the malware has been removed from the computer, the files often remain encrypted. Often, restoring the computer from backup is the only recovery method available.

References

Footnotes

[1] http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ransomware-a-growing-menace.pdf

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that the CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
