Ransomware is one of the threats that has grown most in recent years. It is malicious software that, once running on the victim's system, encrypts their personal files with a cryptographic key that the attacker keeps secret.
The victim's files are thus literally "taken hostage" and, in exchange for the promise of decrypting them, a variable sum of money is demanded. Payment is usually requested in Bitcoin: the transaction takes place without intermediaries and the addresses involved are not tied to a verified identity, which makes the criminals far harder to trace than a bank transfer would (the transactions themselves are nonetheless recorded in the public blockchain).
Often the amount demanded increases as time passes; if no payment is made, the attackers claim the decryption key will be permanently deleted.
Ransomware in itself is nothing more than an ordinary application that, once executed, encrypts the user's files.
Ransomware relies on cryptographic algorithms that, when correctly implemented, cannot be broken in practice. The RSA algorithm, for example, like the other asymmetric algorithms, works with a pair of keys, one private and one public (hence the name "asymmetric").
Ransomware uses this key pair to lock all of the user's personal files, or files with specific extensions (.DOC, .XLS, .DOCX, .XLSX, .PDF, .ODT, .MDB and so on). In practice the file contents are almost always encrypted with a fast symmetric cipher such as AES, and it is the per-file symmetric key that is encrypted with the public key; for the victim the effect is the same, since that key cannot be recovered without the private one.
Ransomware therefore turns cryptographic algorithms designed to protect communications (the same ones we all use every day whenever an application relies on end-to-end encryption) to criminal ends.
Unlike legitimate software, ransomware leaves only the public key on the user's system and keeps the private key on remote servers the user cannot reach.
The whole difference lies here: any message, and thus any file, encrypted with a given public key can only be decrypted with the corresponding private key.
The cybercriminals who develop ransomware take care not to hand the private key to victims and release it only once the ransom has been paid.
As said, ransomware usually relies on the standard cryptographic algorithms that are universally recognized as secure.
RSA, for example, has shown no intrinsic weaknesses: there is no known flaw in the algorithm itself that could be exploited to decipher the files encrypted by a given ransomware.
All the more so since in the vast majority of cases ransomware uses 2,048 or even 4,096 bit keys, which puts a brute-force attack completely out of reach.
The operation of a ransomware in brief. Source: Cisco.
RSA rests on the computational hardness of integer factorization (breaking a large number into its prime factors is an extremely slow operation that demands enormous hardware resources). RSA-2048 and RSA-4096 moduli (RSA with 2048 and 4096 bit keys) have never been factored and presumably will not be for many years, even taking into account the progress in available computing power: the capacity offered by cloud services or by top-end GPUs still falls hopelessly short of what factoring a 2048-bit modulus would require.
The only hope of recovering the encrypted files, therefore, is that the ransomware authors have made mistakes in implementing the encryption.
In the case of the TeslaCrypt ransomware, for example, the key material the malware stored (from which the decryption key could be derived) was small enough to be factored, making a targeted attack entirely feasible even on a modern consumer PC.
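The following is an added example, not code from the article or from any ransomware family: it reproduces the hybrid scheme described above (a fresh symmetric key per file, wrapped with the attacker's RSA public key, so that only the holder of the private key can unwrap it) and then shows the one situation in which the victim has a way back in, namely a modulus small enough to factor. The RSA parameters are toy-sized (32-bit primes) so that Pollard's rho finishes instantly; with a 2048-bit modulus the same function would never return. SHA-256 in counter mode stands in for the AES a real sample would use, and the padding-free "textbook" RSA is an assumption made for brevity.

```python
import hashlib
import math
import os
import random


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keygen(prime_bits, seed=None):
    """Textbook RSA (no padding), toy-sized: returns public (n, e) and private (n, d)."""
    rng = random.Random(seed)
    e = 65537

    def prime():
        while True:
            cand = rng.getrandbits(prime_bits) | (1 << (prime_bits - 1)) | 1
            if is_probable_prime(cand):
                return cand

    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def stream_xor(key, data):
    """Stand-in for the AES used by real ransomware: SHA-256 in counter mode, XORed in."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def encrypt_file(plaintext, public_key):
    """Victim side: fresh per-file key, wrapped with the attacker's public key only."""
    n, e = public_key
    file_key = os.urandom(7)  # toy: 56 bits so the key is numerically smaller than n
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)
    return wrapped, stream_xor(file_key, plaintext)


def unwrap_key(wrapped, private_key, key_len=7):
    """Needs d: this is the step the attacker sells back to the victim."""
    n, d = private_key
    return pow(wrapped, d, n).to_bytes(key_len, "big")


def pollard_rho(n):
    """Pollard's rho factoring: instant for a 64-bit n, hopeless for a 2048-bit one."""
    if n % 2 == 0:
        return 2
    for c in range(1, 100):
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found")


def recover_private_key(public_key):
    """Only possible because n is tiny: the 'implementation mistake' case."""
    n, e = public_key
    p = pollard_rho(n)
    q = n // p
    return n, pow(e, -1, (p - 1) * (q - 1))


def demo(plaintext=b"Q3 budget: confidential", prime_bits=32, seed=2017):
    """Encrypt one file, then recover it both as the attacker would and by factoring n."""
    pub, priv = rsa_keygen(prime_bits, seed)
    wrapped, ciphertext = encrypt_file(plaintext, pub)
    by_attacker = stream_xor(unwrap_key(wrapped, priv), ciphertext)
    by_factoring = stream_xor(unwrap_key(wrapped, recover_private_key(pub)), ciphertext)
    return by_attacker, by_factoring
```

Raising prime_bits to 40 or 48 already makes pollard_rho noticeably slow on a laptop; that scaling, not any trick in the algorithm, is why a correctly generated 2048-bit key leaves the victim with nothing to attack.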
For the first variants of CryptoLocker, it was enough to have a single file in both its original and its encrypted form to reconstruct the key that decoded all the others.
In the image, the evolution of ransomware to “the present day”. Source: Cisco.
Other ransomware families, when their keystream cannot be extracted directly in this way, are nonetheless vulnerable to cryptanalysis.
These are attacks that are far from immediate, but which sometimes allow the key to be recovered, for instance when it was derived from a poor random number generator or from predictable values such as timestamps that can be brute-forced.
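The known-plaintext attack mentioned above (one file in original and encrypted form gives the keystream, which then unlocks everything else), as an added example rather than code from the article or from any real ransomware. The flawed scheme it attacks, repeating-key XOR with a single key for every file, and the sample files are constructed for the demo; the point it adds beyond the text is the edge case where the known file is shorter than the key, in which case the recovered keystream only covers files no longer than the known one.

```python
import itertools

# Constructed sample data (not real ransomware artifacts).
KEY = bytes(range(200, 216))            # 16-byte key the weak 'ransomware' reuses for every file
KNOWN_PLAINTEXT = b"Dear customer, please find attached the invoice for March 2017."
OTHER_PLAINTEXT = b"Board minutes, confidential. " * 4


def weak_encrypt(data, key):
    """The flawed scheme: repeating-key XOR with one fixed key for all files."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def recover_keystream(original, encrypted):
    """plaintext XOR ciphertext == keystream, for as many bytes as the known file has."""
    if len(original) != len(encrypted):
        raise ValueError("need the same file in its original and encrypted form")
    return bytes(p ^ c for p, c in zip(original, encrypted))


def find_period(keystream, min_repeats=2):
    """Smallest p such that the keystream repeats every p bytes, seen at least min_repeats
    times. Returns None when no repetition is visible (key longer than the known file)."""
    n = len(keystream)
    for p in range(1, n // min_repeats + 1):
        if all(keystream[i] == keystream[i % p] for i in range(n)):
            return p
    return None


def decrypt_with_keystream(encrypted, keystream):
    """Decrypt another file with the recovered keystream; XOR is its own inverse."""
    period = find_period(keystream)
    if period is not None:
        return weak_encrypt(encrypted, keystream[:period])
    if len(encrypted) > len(keystream):
        raise ValueError("keystream too short and no period found: need a longer known file")
    return weak_encrypt(encrypted, keystream)


def demo():
    """Recover the key from one known file and use it on a second, unknown one."""
    known_encrypted = weak_encrypt(KNOWN_PLAINTEXT, KEY)
    other_encrypted = weak_encrypt(OTHER_PLAINTEXT, KEY)
    keystream = recover_keystream(KNOWN_PLAINTEXT, known_encrypted)
    return find_period(keystream), decrypt_with_keystream(other_encrypted, keystream)
```

A per-file random key, or a proper cipher that never reuses a keystream, defeats this entirely; the attack works only because the scheme reuses the same key material for every file.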
Having explained what ransomware is, it must be said that these threats have shown the most marked growth in recent years.
As recently highlighted by Malwarebytes (Ransomware increasingly dangerous: Malwarebytes looks at malware trends in recent months), ransomware has become a lucrative business for a wide range of cybercriminals.
On the black market there are several tools that automate the creation of ransomware: potentially anyone can build one and start making money illegally, even without any development skills (Ransomware-as-a-Service).
To give an idea of how profitable the ransomware phenomenon is for cybercriminals, consider that Locky, one of the most active file-encrypting families, has generated something like 1.6 million dollars in profit per day, assuming that about 2,600 users a day decide to pay (data source: Cisco).
WannaCry: a ransomware with a worm soul
Worms are threats that can replicate themselves, usually by exploiting vulnerabilities in applications and operating systems (sometimes even in the firmware that runs a network-capable hardware device).
WannaCry also has the main features of a worm.
Once installed on a system, it scans the other devices on the network to check whether they can be attacked in turn.
The infection spreads both through reckless user behaviour (for example opening a malicious attachment containing the code that triggers the malware) and by exploiting a Windows vulnerability in the SMBv1 service, described below.
To avoid ransomware and protect your data, we therefore suggest following a few simple but very effective rules:
1) Be careful with what you receive by email. Do not open attachments you have any doubt about. The displayed sender of an email is often not the real one.
Follow all the suggestions in the article How not to catch viruses and malware when downloading programs, always paying the utmost attention to the origin of emails and of any attachments.
Keep in mind that some emails are crafted specifically to mislead the recipient. Attackers send phishing emails that name as sender a well-known person in the company, a trusted collaborator or a regular customer.
Sometimes the criminals go even further, registering a domain very similar to that of the company under attack.
Bogus emails sent from such a look-alike domain, signed for example by the company's CEO, pass the spam filters easily and in all likelihood end up in the recipients' inboxes.
Server-side antivirus and antispam filters, moreover, are no guarantee of absolute security. Some messages carrying malicious attachments or links to dangerous websites still get past them.
In general, you should not trust any message, even those that seem to come from known senders: the email headers can help you spot a fraudulent message.
Without even opening the email, select the message and press CTRL+U (in Thunderbird, for instance) to view its raw source and check whether it really originated from the servers the sender relies on.
Examining the headers, in particular the chain of Received lines, you will often find IP addresses and hostnames that have nothing to do with the sender's domain, confirming that the message is at least bogus and most likely dangerous.
Reading the source of a message also shows it in its raw format, which immediately reveals the URLs the links in the email really point to.
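What the two checks above look like when automated: an added example (not from the article) that parses the raw source of a message, walks the Received chain from the oldest hop to the newest, compares the host that handed the message in with the domain shown in From, and lists every link whose real destination lies outside the sender's domain. The message is constructed for the demo: it claims to come from the CEO at example.com, but the oldest Received line shows an unrelated address, and the "invoice portal" link points to a different domain. The domain-suffix comparison is a heuristic, not a replacement for SPF/DKIM/DMARC results, which live in the Authentication-Results header when the receiving server adds them.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real capture).
RAW_MESSAGE = """\
Received: from mail.example.com (mail.example.com [192.0.2.10]) by mx.example.com with ESMTP; Mon, 15 May 2017 09:02:11 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77]) by mail.example.com with SMTP; Mon, 15 May 2017 09:02:09 +0000
From: "Company CEO" <ceo@example.com>
To: accounting@example.com
Subject: Urgent: overdue invoice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please settle this today through the <a href="http://example-invoices.net/login">invoice portal</a>.</p>
<p>Our website: <a href="https://example.com">https://example.com</a></p>
</body></html>
"""

FROM_HOST_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def sender_domain(msg):
    """Domain of the From address: what the recipient sees, and trivially spoofed."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def received_hops(msg):
    """Each relay prepends its own Received line, so the last header is the oldest hop
    (the host that handed the message in). Returned oldest first."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(str(value).split())
        host = FROM_HOST_RE.search(value)
        ip = IPV4_RE.search(value)
        hops.append({"host": host.group(1) if host else "?", "ip": ip.group(1) if ip else "?"})
    return hops


def origin_matches_sender(msg):
    """Heuristic: did the first hop come from a host inside the sender's own domain?"""
    hops = received_hops(msg)
    if not hops:
        return False
    domain = sender_domain(msg)
    origin = hops[0]["host"].lower().strip("[]")
    return origin == domain or origin.endswith("." + domain)


def suspicious_links(msg):
    """(visible text, href) for every link whose host is outside the sender's domain."""
    domain = sender_domain(msg)
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    found = []
    for href, text in LINK_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        if not (host == domain or host.endswith("." + domain)):
            found.append((re.sub(r"<[^>]+>", "", text).strip(), href))
    return found


def analyze(raw):
    """Summary a helpdesk could show next to a suspicious message."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    return {
        "sender_domain": sender_domain(msg),
        "origin": hops[0] if hops else None,
        "origin_matches_sender": origin_matches_sender(msg),
        "suspicious_links": suspicious_links(msg),
    }
```

A legitimate message from the same company would show the first hop inside example.com and no links pointing elsewhere; a failed origin check or an off-domain link behind an innocuous label is exactly the kind of signal the headers reveal before any attachment is opened.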
2) Use a good antivirus/antispam solution on the server side.
The fact that some malicious messages slip past antivirus/antispam filters does not mean you should forgo such a server-side mail solution.
Whether you set up a mail server within your company or rely on an external provider, it is essential that antispam and antivirus operate on all mailboxes and automatically block malicious messages.
We recommend choosing an email provider that offers an effective server-side antivirus/antispam system. In all likelihood the provider will then move the emails sent by ransomware authors, or by the authors of any other malware, to the junk folder.
Since these messages rely on mail spoofing, are sent by servers often involved in spam campaigns and are structured like unwanted messages, a good server-side antivirus/antispam system means that messages with malicious attachments never (or almost never) reach the inbox (see also Why do my emails go into the spam folder?).
Clearly that "almost" deserves close attention. If a ransomware-carrying message does reach your inbox, you must be able to recognize it. Training and informing employees and collaborators helps here, even if on its own it does not solve the problem at its root.
3) Use protection solutions that act at the level of the single client machine, are able to analyze the behaviour of any software component, and make use of cloud intelligence.
Even in a company, alongside a centralized protection system, it is worth using solutions such as Malwarebytes 3.0 (Malwarebytes 3.0 will replace traditional antivirus) and HitmanPro.Alert (Protect yourself from ransomware and malware still unknown with HitmanPro.Alert), which integrate effective protection against ransomware.
In any case, we suggest always installing anti-malware products that integrate behavioural analysis and collective intelligence. An approach based exclusively on virus signatures has already shown all its shortcomings against the newest threats (the so-called zero-day samples that have only just appeared on the Net); products that leverage behavioural analysis and cloud intelligence can offer a good level of protection.
4) In SMEs and larger companies, implement a system for the centralized management of endpoints.
The market offers several solutions (some already examined in depth on IlSoftware.it) that allow individual endpoints to be protected centrally.
This makes it possible to monitor the status of each client machine, block the download and installation of potentially harmful software, and apply restrictions that nip problems in the bud.
5) Use standard user accounts for daily work.
When working on Windows, we recommend using an account with standard privileges (not an administrator account) for everyday activities.
In case of ransomware infection the damage is more limited (to the files the user can write), the attack cannot touch system areas or other users' profiles, and it remains possible to recover the shadow copies created by Windows (deleting them, for example with vssadmin, requires administrator rights) or the previous versions of the files with all their content.
The administrator account should be used only for activities that strictly require it.
To obtain administrator rights from a standard account you need to enter the administrator password: keeping it secret avoids most of the problems caused, for example, by collaborators and employees.
Some companies still use programs that require an administrator account in order to work.
Given that this is an example of poor programming (an application in everyday use, such as a management package, has no real need for administrator rights), this is one of the most complex scenarios to handle.
One possible solution is to install the program in a virtual machine kept isolated from the rest of the network.
All the main virtualization packages allow virtual machines to be created with no network adapter, or isolated from the "real" local network.
6) Enable the display of known file extensions in Windows and never double-click files with a double extension.
One of the devices most used by attackers is the mass mailing of spam emails with malicious attachments that carry a double extension.
Since by default Windows hides the extension of known file types (including .exe), you may be induced to open what looks like a ZIP or a PDF (a file named invoice.pdf.exe, say, is shown as invoice.pdf) when in fact a dangerous executable is launched.
In this regard, we suggest reading the articles Viewing file extensions in Windows and unmasking dangerous tricks and How not to catch viruses and malware when downloading programs, step 7) Beware of real file extensions.
7) Always back up your data and use a NAS to store copies of the most important files kept on each workstation.
The latest ransomware variants, once running on the user's system, encrypt not only the files on the single machine but also everything reachable on the local network (including files stored on other workstations or on NAS servers).
If a folder shared on the local network is reachable and writable from the infected system, it is highly likely that the ransomware will start encrypting its contents too.
Not only that. If a shared folder, or one synchronized to the cloud (think of the OneDrive, Dropbox or Google Drive clients), is accessible through Windows Explorer, the ransomware will encrypt the data saved "in the cloud" as well, and the sync client will faithfully upload the encrypted versions.
It is therefore advisable for the NAS to pull the copies itself: the NAS connects to the individual workstations and builds the backup from the folders on each computer on the local network, so that no workstation needs write access to the backup share.
The important thing is that the NAS is configured not to overwrite the previous backups. Otherwise, in case of ransomware infection, you would be left with a backup containing only the encrypted versions of your files.
On NAS servers that support it, always enable file versioning (or snapshots). If an infection does reach the files stored on the NAS, once the ransomware has been removed you can recover and restore the previous versions of the same items.
8) Don’t underestimate Windows 10 File History.
Windows 10 offers File History, a convenient tool that can replace traditional backup software.
File History gives you full control over the various versions of your files and automatically updates the backup as soon as the drives configured for storage are connected.
The great advantage of File History is that the backup process is managed by Windows itself (a set-and-forget approach), with full support for removable drives and network paths.
If configured well (i.e. to keep multiple versions of the same files over time), File History is an excellent fallback in case of ransomware infection, provided the backup drive is not left permanently connected and writable, since it would otherwise be encrypted along with everything else (see Recovering deleted files or old versions of documents in Windows 10).
9) Beware also of files that you download from social networks.
Social networks too are increasingly used by cybercriminals to induce users to download and install ransomware and malware in general.
Items presented as perfectly legitimate images or files can instead hide the code that installs ransomware on the system: Attack ransomware on social networks with false images.
10) Update all the software you use, including the operating system.
Some malicious files (often PDF or DOC documents) exploit vulnerabilities in the software used to open them in order to execute malicious code.
It is therefore essential to keep all the software you use up to date: not only Adobe Reader (which can be replaced by similar applications) and Office, but also the browser and all its plugins, the messaging program and so on.
The operating system must also be regularly updated with the latest security patches.
Usually a couple of weeks can be allowed to pass between Microsoft's release of an update and its actual installation (to avoid "first-hour" problems), unless the update fixes a vulnerability already under attack or with a public exploit, in which case it should be installed immediately.
11) Check the ports exposed on the WAN.
The router usually uses NAT (Network Address Translation), a technique that allows the devices on the local network to share a single public IP when communicating with remote systems over the Internet.
Normally the router should be "invisible" to a remote system and should not expose the ports of any local machine on the Internet (except where a server component has been deliberately published).
We therefore recommend always checking whether, and which, ports are open on the router and reachable from outside.
Malware written to scan the Internet for ports on which vulnerable services are listening could otherwise achieve remote code execution on an exposed machine.
WannaCry, for example, looks for hosts with TCP port 445 open and tries to exploit the SMBv1 flaw fixed by Microsoft with update MS17-010. This port is normally not reachable from outside because the router's NAT does not forward it by default.
Once running on a single computer on the local network (for example because a user opened a malicious attachment), however, WannaCry scans all the systems on the LAN, identifies those with TCP port 445 open and without the Microsoft patch, and spreads to them.
You should therefore always check if and which ports are open on your router, and disable the UPnP (Universal Plug and Play) feature, which lets any program on the LAN open a port forward on the router without asking.
See Configuring a Router, Things to Do After Your Purchase in The Danger UPnP (Universal Plug and Play).
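The LAN-side discovery step just described, turned into an audit you can run yourself: an added example (not from the article, and not WannaCry's code) that enumerates a subnet and reports which hosts complete a TCP handshake on port 445, i.e. the machines a worm would try next. The default subnet is an assumption to be replaced with your own; run it only against networks you are responsible for, and treat every hit as a host on which MS17-010 and the SMBv1 setting must be verified.

```python
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

SMB_PORT = 445


def expand_targets(cidr):
    """All usable host addresses in the subnet (network and broadcast excluded)."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def port_open(host, port=SMB_PORT, timeout=0.5):
    """True only if a TCP handshake completes; refused, filtered or timed out -> False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_smb(cidr, port=SMB_PORT, workers=64, timeout=0.5):
    """Hosts in the subnet that accept connections on the given port."""
    targets = expand_targets(cidr)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda h: (h, port_open(h, port, timeout)), targets)
    return [host for host, is_open in results if is_open]


if __name__ == "__main__":
    subnet = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.0/24"  # assumption: adjust
    for host in scan_smb(subnet):
        print(f"{host}:{SMB_PORT} open - verify MS17-010 is installed and SMBv1 is disabled")
```

An open port 445 is normal for file servers and is not a vulnerability by itself; the list is useful because it narrows the patch check to the hosts that are actually reachable, and because any workstation that has no reason to serve files should not appear on it at all.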
12) In the company and in the professional offices: isolating “vital” systems.
In business environments, to prevent a ransomware attack from reaching systems that handle critical information or perform essential tasks, VLANs (Virtual LANs) are the way forward.
Modern switches allow systems to be isolated and prevent certain groups of machines from interacting with others.
In the article VLAN: what they are, how to use them and why we presented VLANs, and it is clear how they help protect against ransomware attacks.
Ransomware that compromised one portion of the LAN would have no effect on the VLAN to which the "critical" machines are connected, provided the traffic routed between VLANs is filtered so that the infected segment cannot reach them.
As we have seen, it is not always possible to recover encrypted files from ransomware.
The first step in finding out whether the encrypted files can be recovered, however, is to identify which ransomware encrypted them:
1) One of the best services for this is ID Ransomware, which identifies the ransomware that took the files hostage starting from the ransom note displayed by the malware and from an encrypted file.
And since knowing is half the battle, ID Ransomware is very valuable because it can identify around 300 different ransomware families.
Where immediate data recovery is actually possible, ID Ransomware returns references to the software tools to use.
2) The Bleeping Computer forum goes hand in hand with ID Ransomware: there it is often possible to find out whether a strategy has been found to defeat a given ransomware and recover the encrypted files for free.
3) Similar to ID Ransomware is No More Ransom, an initiative promoted by Kaspersky together with Intel Security, Europol and the Dutch police: Ransomware: don't pay the ransom. Word of Kaspersky.
No More Ransom includes the Crypto Sheriff service, which builds an identikit of the ransomware from a pair of encrypted files and the ransom note displayed by the malware.
The Decryption tools section offers a collection of tools for decrypting files encrypted by different ransomware families.
In this regard, you should also download the Ransomware File Decryptor, continuously updated by Trend Micro and able to decrypt files encrypted by various malware families.
Also very useful is the page set up by Emsisoft, with a large collection of decrypters for different ransomware families.
4) Among the companies most active against the ransomware phenomenon is Dr.Web. The Russian company, not well known in Italy, offers particularly effective services for decrypting files encrypted by ransomware.