Help the Government of Canada organize its website! Complete an anonymous 5-minute questionnaire. Start now.

Ransomware

Number: IN13-004
Date: 06 August 2013

Audience

The purpose of this document is to provide readers with information and guidance related to ransomware. This document also provides mitigation advice which may reduce the risk associated with this threat.

Description

Ransomware, also called scareware, is a type of malicious software (malware) that infects a computer and restricts access until a ransom is paid to unlock it.  This malware will attempt to extort money from victims by displaying an on-screen alert stating that their computer has been locked or all of their files have been encrypted and demand a ransom be paid to restore access.

Victims describe receiving alert messages that a software license is out of date or fake anti-virus pop-ups claiming their computer is infected and to click on a link to fix it. This type of malware can be very effective because it scares or causes panic for the victim to click on the link and become infected. It will also cause panic so that the victim will pay the ransom demanded as quickly as possible to restore access to their computer.

Paying the ransom does not guarantee that the victims files will be released, it will only guarantee that the criminals receive your money and possibly your banking information. Ransomware doesn’t just target home users; businesses have also fallen victim and have lost incurred costs when restoring their systems.  Some reporting indicates that this scam is highly profitable with victims paying out over 5 million dollars a year to criminalsFootnote 1.

Examples of ransomware that have affected Canadians can be found in the appendix.

Infection Methods

There are several ways that users can become infected with ransomware. Cyber criminals have changed their methods and are now purchasing advertising on websites, often pornography or gaming sites, so that when users click on advertising pop ups, they are redirected to an exploit kit which will infect them with ransomware or other malware. Exploit kits that have been used include Blackhole, Cool EK and neutrino. In addition to Microsoft Windows, criminals are now targeting Macintosh users and mobile devices.

Past methods of infection include malicious email attachments, removable media such as USB keys, social media or poisoned websites through drive by downloading. Drive by downloading is when a user visits an infected web site and malicious software is downloaded and installed without their knowledge.

Recommendations

There are a few steps that a user can take to lower the risk of infection and to help with recovery if an infection should occur. 

  • Ensure all software is kept up to date with the latest patches including Windows, web browsers, Java and Adobe.
  • Perform regular backups of your data. Ideally, this data should be kept on a different device other than your computer.
  • Don’t open links or attachments in emails from untrusted or unknown sources.
  • Ensure your anti-virus is up to date.
  • Consider using a security application from a reputable company on your mobile device.
  • Don’t download or install applications from untrusted or unknown sources.
  • Never click on pop-up windows that claim your computer has a virus.

Recovery

Recovery from ransomware can be a difficult process and may require the services of a reputable data recovery specialist. It is important to note that paying the criminals their “fine” or “ransom” will not get your data back, nor will they decrypt it for you. They are only interested in your money.

  • Manual Removal
    If you are familiar with data recovery, then you may attempt to remove the malware yourself. Many well-known anti-virus companies will detect most variants of this
    malware and will have instructions and software to aid the user in removing it.

    This software will probably have to be downloaded from a separate computer that is not infected and placed on a USB drive or bootable disc. Booting your computer from this image in safe mode will allow the anti-virus software to remove the ransomware malware.

    CCIRC’s Malware Infection Recovery Guide TR11-001
    http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2011/tr11-001-eng.aspx  

  • Professional IT Removal
    Obtaining the services of an IT security specialist, or data recovery specialist is another option to recover from this type of malware. If the malware has encrypted the hard drive, making recovery impossible, then all of the information will have to be restored from backups. It is important to keep current backups if this should occur.

Once the malware has been confirmed to be removed, change all passwords for all accounts accessed from the previously infected computer. These could include:

  • Banking and financial web sites.
  • Social media.
  • Account and email logins.
  • Remote access logins.

If you have already paid them, alert your financial institution and your local law enforcement authorities. You may also report it to the Canadian Anti-Fraud Centre.
http://www.antifraudcentre-centreantifraude.ca/
info@antifraudcentre.ca
1-888-495-8501

Conclusion

Ransomware is extorting, in total, millions of dollars a year from victims. Users can protect themselves by ensuring that their operating systems and applications are kept up to date, a reputable anti-virus application is installed and regular backups of information are performed. If an infection should occur, then the victims would be able to recover more quickly when the proper recommended steps are in place.

Appendix

Reveton
This variant of ransomware, also called the “Police Trojan”, locks the computer and displays a warning stating it’s from the victim’s national law enforcement agency claiming that the computer has been used for illegal activities. This supposedly illegal activity includes viewing child pornography and downloading pirated software.

The warning states that in order to unlock the computer and to avoid criminal charges, the victim must pay a fine using an online money voucher such as Paysafecard, MoneyPak, or Ukash. Criminals will even use geo-location to add authenticity to the message by adding the law enforcement logo, quoting sections of the criminal code, activating your web cam to display your picture and display your IP address claiming they are tracking and recording you, all to scare you into paying the ransom.

Legitimate organizations in Canada that have had their logos used in this scam include the Canadian Police Association, Royal Canadian Mounted Police (RCMP), Public Safety Canada and Canadian Security Intelligence Service (CSIS). Illegitimate organizations that have been used include the Cybercrime Investigation Department. Images of past examples may be found at the following link. https://www.botnets.fr/index.php/Landings_CA

An interesting note about this variant is when the computer becomes infected with the Reveton ransomware, the computer connects to a command and control server controlled by the criminals to receive additional commands, allowing this malware to be highly adaptable and even keep the computer infected long after the ransom has been paid. This malware has also been known to run in the background and install key loggers to capture personal information and passwords.

Urausy
Urausy is very similar to Reveton in that it uses law enforcement images to scare the victim into paying a fine. Where it differs is how the victim becomes infected. Urausy is primarily spread through exploit kits, such as Blackhole, which will exploit unpatched vulnerabilities in common web browsers to serve malware to victims.

Images of past examples may be found at the following link.https://www.botnets.fr/index.php/Urausy

Mobile Devices
Ransomware is now spreading to mobile devices. However, this variant of ransomware will typically not lock a mobile device and demand money as seen in examples on a personal computer, but instead masquerade itself as an anti-virus application with an alert claiming that your mobile device is infected. It demands that the victim pay money to resolve the security alerts.

Victims may become infected by downloading and installing applications from untrusted, third party sources. Upon installation the malware will pop up to look like an anti-virus stating that your device is infected and to click “here” to fix it. Clicking on this button, or anywhere will not close the application or allow you to perform any other function on your mobile device, and due to compatibility issues, clicking on the home button may cause the device to crash. Upon restarting the device, the malware will pop up again and will restrict access to any other applications making it very difficult to uninstall the malicious application. Recovery from this malware can be difficult and may require a factory reset of the device or the services of a professional.

Winlock
Winlock is a non-encrypting ransomware that was popular in Russia several years ago and eventually made its way to North America. It would lock users out of their computers and display a warning message with pornographic images demanding users send a premium rate text message to receive a code to unlock their computers. The premium rate text would cost approximately $10 USD and paying it would have the images disappear and the computer unlocked. However, the warning would pop up again a few days later demanding more money, proving that the malware was never eradicated in the first place.

Microsoft Windows Product Activation
Ransomware then evolved to using Microsoft Windows product activation messages. This type of ransomware was non-encrypting and would lock victims out of their computers with a message claiming that their Windows installation needs to be reactivated because they were a victim of fraud. Victims would be directed to receive a six digit code by calling an international phone number, only to be routed through a rogue operator and placed on hold, incurring significant long distance charges.

Encrypting Ransomware
This type of ransomware locks victims out of their computer, demands money, and encrypts all of the victim’s files or entire hard drives including business related documents. Recovery from this variant is particularly difficult because even when the malware has been removed from the computer, the files are often still encrypted. Often, restoring the computer from backup is the only recovery method available.

References

Note to Readers

The Canadian Cyber Incident Response Centre (CCIRC) operates within Public Safety Canada, and works with partners inside and outside Canada to mitigate cyber threats to vital networks outside the federal government. These include systems that keep Canada's critical infrastructure functioning properly, such as the electrical grid and financial networks, or contain valuable commercial information that underpins our economic prosperity. CCIRC supports the owners and operators of systems of national importance, including critical infrastructure, and is responsible for coordinating the national response to any serious cyber security incident.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca