A little information on Ransomware

What is Ransomware?

Ransomware can take different forms, but it is a type of malware that denies access to a device or files until a ransom has been paid. Ransomware encrypts a user or company’s files and forces them to pay a fee to the hacker in order to regain access to their own files.

Ransomware encrypts the files on a workstation, and can travel across your network and encrypt files located on both mapped and unmapped network drives. It’s how one infected user can bring a department or entire organization to a halt.

Once the files are encrypted, the hackers will display a screen or webpage explaining how to pay to unlock the files. Historically, ransoms started in the $300-$500 range, but fast forward to 2016 and companies are being hit with ransoms in the thousands of dollars.

Paying the ransom invariably involves paying a form of e-currency (cryptocurrency) like Bitcoin. Once the hackers verify payment, they provide “decryptor” software, and the computer starts the arduous process of decrypting all of the files.

Here are some interesting statistics on Ransomware:


Strains of Ransomware

With over 2900 new malware modifications reported in the first quarter of 2016, it’s hard to keep up with all of the latest threats. Here are a few examples of some of the basic types of ransomware in circulation.


Locky renames all of your important files so that they have the extension .locky and encrypts them so only the cyber criminals have the decryption key. You can buy the decryption key from them via the dark web for $400 in bitcoin.


CryptoLocker targets computers running Microsoft Windows and restricts access to infected computers. Like other ransomware strains, victims need to provide a payment to the attackers in order to decrypt and recover their files. CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices.


When infected, a victim’s data files will be encrypted using AES encryption and will be told they need to pay a ransom of 1.24 bitcoins (or $500) to get their files back. It can play a text-to- speech or synthesized recording, show a web page, or a plain text document. Unfortunately, there is no known way to decrypt a victim’s encrypted files for free.


Ransom32 is a variety of “ransomware-as- a-service” that effectively puts the power to create ransomware into the hands of just about anyone - regardless of their technical know-how. What makes Ransom32 really dangerous is that it is coded entirely using JavaScript, which means it can be used to target computers running Windows, Mac OS X and Linux.


FakeBsod uses a malicious piece of JavaScript code to lock your web browser and show a fake warning message when you visit a compromised or malicious webpage. The warning message tells you to “contact Microsoft technicians”about an “Error 333 Registry Failure of operating system – Host: Blue screen Error 0x0000000CE". if you call the phone number in the message you will be asked to pay money to "fix" the issue.

Perfect example of a CryptoLocker screen:


How do companies get infected

Hackers primarily use the following vectors to infect a machine: phishing emails, unpatched programs, compromised websites, poisoned online advertising and free software downloads. An attack typically starts when a user opens a malicious email attachment that installs a virus on to their desktop that begins excrypting all of their files.


By far the most common scenario involves an email attachment disguised as an innocuous file. Many times hackers will send a file with multiple extensions to try to hide the true
type of file you are receiving. If a user opens the email attachment or clicks on a link to a software download, without verifying its authenticity, the ransomware infection begins.


Increasingly, infections happen through drive-by downloads, where visiting a compromised website with an old browser, software plug-in, or an unpatched third party application can infect a machine. The compromised website runs an exploit kit (EK)
which checks for known vulnerabilities. Often, a hacker will discover a bug in a piece of software that can be exploited to allow the execution of malicious code. Once discovered, these are usually caught and patched by the software vendor, but there is always a period of time where the software user is vulnerable. Examples of exploits can range
from vulnerabilities in an unpatched version of Adobe Flash, a bug in Java or an old web browser, and an unpatched operating system.


Another common way to infect a user’s machine is to offer a free version of a piece
of software. This can come in many flavors such as “cracked” versions of expensive games or software, free games, game “mods”, adult content, screensavers or bogus software advertised as a way to cheat in online games or get around a website’s paywall. By preying on the user in this way, the hackers can bypass any firewall or email filter.

For example, one ransomware attack exploited the popularity of the game Minecraft by offering a “mod” to players of Minecraft. When users installed it, the software also installed a sleeper version of ransomware that activated weeks later.


You may be affected if you experience any of the following symptoms:

  • You suddenly cannot open normal files and get errors such as the file is corrupted or has the wrong extension.
  • A window has opened to a ransomware program and you cannot close it. This
    is usually accompanied with an alarming message with instructions on how to pay to unlock your files.
  • The program warns you that there is a countdown until the ransom increases or you will not be able to decrypt your files.
  • You see files in all directories with names such as HOW TO DECRYPT FILES.TXT or DECRYPT_INSTRUCTIONS.HTML.


Even if you have all the right technical safeguards (such as antivirus software, spam filters and firewalls) in place on a customer’s system, they can still fall victim to ransomware. All it takes is one person to accidentally click on a suspicious link or open the wrong attachment, and a whole system could be infected. According to Gary Pica with TruMethods: “To help combat this, you need to teach your customers about what ransomware is, how it can hurt their business and the warning signs they should watch out for.”

Tips to help you keep clear of Ransomware:

  1. USE REPUTABLE ANTIVIRUS SOFTWARE AND A FIREWALL. Maintaining a strong firewall and keeping your security software up to date are critical. Anti- malware programs are built to deal with malware after it gets onto a machine and include pro-active monitoring of your system to identify potentially risky programs or behaviors, even if there is not yet a known definition.
  2. EXERCISE CAUTION. Don’t click on links inside emails, and avoid suspicious websites. According to security experts, one of the principal infection vectors of ransomware is through Javascript attachments sent in spam email. If your PC comes under attack, use another computer to research details about the type of attack. But be aware that hackers are devious enough to create fake sites, perhaps touting their own fake antivirus software or their de-encryption program. Partners and system administrators must be proactive in filtering incoming messages and use security programs to prevent users from mistakenly opening malw
  3. BACK UP OFTEN. If you back up files to either an external hard drive or to an online backup service, you diminish the threat. Even if your mail security, AV and anti-malware fail, your backups will be your final option to avoid paying costly ransoms to protect your data. Security guru and expert Bruce Schneier stresses the importance of ‘good backups’ as the most important piece of any IT framework because your backup is your last resort.
  4. ENABLE POPUP BLOCKER. Popups are a prime tactic used by hackers, so installing a pop-up blocker reduces the risk of clicking on an infected popup.
  5. DISCONNECT FROM THE INTERNET. If you receive a ransomware note, disconnect from the Internet so your cusomter’s personal data isn’t transmitted back to the criminals and shut down the computer.

Related posts: