Ransomware Reality Check

26% Quarter-over-quarter increase in ransomware in Q4 2015

2.3M Users worldwide who encountered ransomware between April 2015 and March 2016, an increase of almost 18 percent over the previous year    

$325M Victim ransomware payments linked to one ransomware campaign

65% Respondents who paid the ransomware demands, according to Trend Micro Simply Security research; it took an average of 33 person hours to contain and remediate the original infection    

Attack, Adapt, Repeat

As threat actors test the water, we’re typically seeing two types of ransomware attacks:

  1. Phishing. Threat actors have sought to spread ransomware via widespread spam carrying malicious attachments, such as Word documents whose macros download the malware once the document is opened and macros are enabled. This was the method reportedly used to infect Hollywood Presbyterian. New reports suggest attempts to increase the sophistication and realism of the spam emails. In one case, TeslaCrypt ransomware was distributed via emails disguised as United States Postal Service messages, with the malicious attachments posing as receipts. In a similar campaign, threat actors attempted to dupe Windows users into opening attachments weaponized with Locky ransomware or the Dridex Trojan by disguising them as Bank of America invoices; in this particular case there are reportedly up to 11 customized versions of the email.
  2. Compromised Website. Web compromises and exploit kits (EKs), a common delivery vector for many kinds of malware, are another popular method for distributing ransomware. Booz Allen has noted the increased use of the Angler and Nuclear EKs in Locky distribution. What’s interesting is that the Locky spam campaign referenced above and the Angler EK distribution effort share the same command and control infrastructure and Bitcoin wallet, suggesting that the group behind this campaign is pursuing multiple attack vectors to maximize its reach to potential victims.

Systematic Encryptions

Regardless of the specific ransomware variant, attack vector, or method used to deploy it, once the ransomware is successfully activated it follows a standard process on the victim’s computer.

First, it systematically encrypts each file it finds, excluding the operating system files the machine needs to keep running, so that the victim can still read the ransom notification and make the payment. Next, it encrypts files on mapped network shares, and even on unmapped shares that the victim’s account can reach.

This includes files in cloud storage services that back up or synchronize files in real time, which faithfully replicate the encrypted versions over the originals. The ransomware renames each file and leaves “help” files (ransom notes) throughout the victim’s systems with instructions for paying the ransom in Bitcoin in exchange for the decryption key; the payment site is reached anonymously through Tor.

All About Advancements

Currently, all indicators suggest that threat actors are seeking to double down on ransomware by investing time and resources to increase the method’s sophistication and capability.

  • FTC Enforcement. The FTC chairwoman recently indicated that the FTC could consider an enforcement action against companies that fail to take preventative measures to protect against malware, even if the companies are not actually subject to an attack.
  • Decrypting Jigsaw. Check Point analysts have created an updated decryption tool for the Jigsaw ransomware strain that takes advantage of a flaw in its code: the flaw allows a user to manipulate the Bitcoin account check so that the malware believes the ransom has been paid. The Jigsaw developers will likely fix this flaw quickly, but until then the decryption tool is available through the Check Point website.
  • Permanent Damage. A new ransomware variant named Alfa (or Alpha), from the developers of Cerber, creates an auto-run entry for its executable so that it starts every time a user logs into Windows. It also deletes the Volume Shadow Copies to prevent recovery of the encrypted files from local snapshots. Currently there are no tools available to decrypt the files impacted by Alfa/Alpha.
  • More Difficult to Detect. Malwarebytes Labs is tracking a new ransomware strain under development called Satana, which combines techniques from Petya and Mischa: it rewrites the bootloader with a customized tiny kernel that locks users out of Windows, and it also encrypts files. Satana triggers a User Account Control (UAC) prompt that repeats until the user chooses “Yes”; otherwise all installation and encryption activity is silent.
  • New Coding Techniques. Researchers have identified new ransomware named RAA that is written entirely in JavaScript, delivered as a .js file that runs locally under Windows Script Host rather than in a browser. Until now, JavaScript has generally served exploit kits only as the stage that initiates the malware download. RAA includes a password-stealing feature and demands $250 USD after encrypting the victim’s files.
  • Greater Urgency. Trend Micro reported in April 2016 that a new ransomware variant named Jigsaw makes copies of a victim’s files, encrypts the copies, then deletes the originals. Jigsaw then deletes an increasing number of encrypted files and raises the ransom amount every hour until the victim pays. Rebooting the computer results in the permanent deletion of 1,000 files in addition to the hourly deletions.
  • More Vulnerabilities. Cisco Talos indicated in April 2016 that a new ransomware campaign was leveraging JBoss vulnerabilities to compromise servers and then pivoting to deliver SamSam ransomware within the impacted organization. Talos estimated that 3.2 million servers worldwide may be at risk of compromise through this method.

How To Get Ahead

Ransomware’s expanded capabilities and distribution are bringing the threat to center stage—its attack variations are limited only by the imagination and motivation of cybercriminals.

While the threat of ransomware is very real, there are numerous actions you and your organization can, and should, take in order to ensure your cybersecurity program is poised and prepared to meet this challenge:

Protect and Prepare

  • Conduct daily backups of important data and keep them logically or physically segregated from the primary network, so that a backup reachable from a compromised host cannot itself be encrypted along with the live data.
  • Ensure robust patch management of operating systems and updates to third-party software. 
  • Restrict privileged access to endpoints and servers to reduce the risk of administrative rights being leveraged during an attack.
  • Implement advanced endpoint protection solutions that focus on Indicators of Compromise and Application Whitelisting.
  • Create a playbook that addresses specific ransomware attack issues such as payment, backup restoration, and communication.
  • Test backups on a regular basis to validate restoration capabilities and timelines.
  • Identify malicious activity as quickly as possible by forwarding all applicable logs (file-system auditing, process creation, authentication) to an aggregation solution such as Splunk, and tailor the detection logic to the ransomware behaviors described above: bursts of file renames with new extensions, ransom notes appearing across local and network folders, and deletion of shadow copies.
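The detection logic called for in the last bullet can be sketched directly from the behaviors in the “Systematic Encryptions” section and the Alfa/Alpha item above. The following is an added example, not code from the original page or from Booz Allen; it runs over constructed sample events in an assumed `ts|host|user|event|details` line format (not a real log schema) and scores each host/user pair on four indicators: a burst of extension-changing renames, writes to UNC paths (network shares), ransom-note file names, and shadow-copy deletion commands. The thresholds and the note-name regex are assumptions to be tuned per environment.

```python
"""Ransomware-pattern detection over constructed file/process events (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RENAME_WINDOW = timedelta(seconds=60)   # burst window for extension-changing renames (assumed)
RENAME_THRESHOLD = 5                    # renames inside the window that count as "mass rename" (assumed)

# Ransom-note file names: a "help"/"decrypt"/... keyword plus a text/HTML/bitmap/HTA extension.
NOTE_RE = re.compile(
    r"[\\/][^\\/]*(?:help|decrypt|recover|restore|readme|instruction)[^\\/]*\.(?:txt|html?|bmp|hta)$", re.I)
# Commands that destroy local recovery points (the Alfa/Alpha behavior described above).
SHADOW_RE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|bcdedit(?:\.exe)?\b.*recoveryenabled\s+no", re.I)
UNC_RE = re.compile(r"^\\\\[^\\]+\\")   # \\server\share\... paths, i.e. unmapped network folders

# Constructed sample log lines, not real telemetry.  Format: ts|host|user|event|details
SAMPLE_LOG = [
    r"2016-04-12T09:00:01|ws-17|jdoe|rename|C:\Users\jdoe\Documents\q1.xlsx -> C:\Users\jdoe\Documents\q1.xlsx.crypt",
    r"2016-04-12T09:00:02|ws-17|jdoe|rename|C:\Users\jdoe\Documents\board.pptx -> C:\Users\jdoe\Documents\board.pptx.crypt",
    r"2016-04-12T09:00:03|ws-17|jdoe|rename|C:\Users\jdoe\Pictures\team.jpg -> C:\Users\jdoe\Pictures\team.jpg.crypt",
    r"2016-04-12T09:00:05|ws-17|jdoe|rename|\\fileserver\finance\ar_aging.xlsx -> \\fileserver\finance\ar_aging.xlsx.crypt",
    r"2016-04-12T09:00:06|ws-17|jdoe|rename|\\fileserver\finance\budget.docx -> \\fileserver\finance\budget.docx.crypt",
    r"2016-04-12T09:00:08|ws-17|jdoe|create|\\fileserver\finance\_HELP_instructions.txt",
    r"2016-04-12T09:00:09|ws-17|jdoe|process|vssadmin.exe delete shadows /all /quiet",
    # Benign user: one export to PDF and a personal readme.txt should NOT raise an alert.
    r"2016-04-12T09:05:00|ws-22|asmith|rename|C:\Users\asmith\draft.docx -> C:\Users\asmith\draft.pdf",
    r"2016-04-12T09:05:30|ws-22|asmith|create|C:\Users\asmith\readme.txt",
]


def parse_event(line):
    ts, host, user, kind, details = line.split("|", 4)
    return datetime.fromisoformat(ts), host, user, kind, details


def ext_of(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def max_burst(times, window):
    """Largest number of events falling inside any sliding window of the given length."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines):
    renames = defaultdict(list)   # (host, user) -> [(ts, new_path)] for extension-changing renames
    notes = defaultdict(list)
    shadow = defaultdict(list)
    for line in lines:
        ts, host, user, kind, details = parse_event(line)
        key = (host, user)
        if kind == "rename":
            old, new = details.split(" -> ", 1)
            if ext_of(old) != ext_of(new):
                renames[key].append((ts, new))
        elif kind == "create" and NOTE_RE.search(details):
            notes[key].append(details)
        elif kind == "process" and SHADOW_RE.search(details):
            shadow[key].append(details)

    findings = {}
    for key in set(renames) | set(notes) | set(shadow):
        indicators = []
        burst = max_burst([t for t, _ in renames[key]], RENAME_WINDOW)
        if burst >= RENAME_THRESHOLD:
            indicators.append("mass_rename")
        if any(UNC_RE.match(p) for _, p in renames[key]):
            indicators.append("network_share_writes")
        if notes[key]:
            indicators.append("ransom_note")
        if shadow[key]:
            indicators.append("shadow_copy_deletion")
        findings[key] = {
            "indicators": indicators,
            "rename_burst": burst,
            "new_extensions": sorted({ext_of(p) for _, p in renames[key]}),
            # A rename burst alone is enough; any single other indicator needs corroboration.
            "alert": "mass_rename" in indicators or len(indicators) >= 2,
        }
    return findings


if __name__ == "__main__":
    for (host, user), f in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{host}/{user}: alert={f['alert']} burst={f['rename_burst']} indicators={f['indicators']}")
```

The alert rule deliberately requires corroboration for weak indicators: a user saving a file called readme.txt is not an incident, but a rename burst that also touches a UNC path, drops a note, and deletes shadow copies is. In a real SIEM the same logic is a per-user, per-minute aggregation; the rename threshold should be set from a baseline of normal activity on the file servers.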

Recovery

  • Conduct exercises to ensure impacted systems can be recovered quickly and completely.
  • Attempt to recover the impacted system(s) with decryption tools that are available for numerous ransomware variants.
  • If ransom payment is an option, implement the plan to transfer bitcoins to the attackers quickly, and consider using a third-party proxy to manage the transaction. Bear in mind that payment does not guarantee a working decryption key, so restoration from backups should proceed in parallel.
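Validating restoration, as the “Protect and Prepare” and “Recovery” bullets both call for, needs evidence that restored files are the ones backed up and not copies that were already encrypted. The following is an added example, not code from the original page or from Booz Allen: it records a SHA-256 manifest of a directory at backup time, then checks a restored tree against it, reporting files that are missing, unexpected (such as ransom notes or renamed ciphertext) or altered in content. The constructed `simulate_ransomware` helper only mimics the rename/overwrite/note behavior described above on a temporary directory so the check has something to catch; it is not malware and touches nothing outside the temp folder. The manifest itself should live with the segregated backup, where the live network cannot rewrite it.

```python
"""Backup manifest and restore verification (added example, constructed data)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative path (with '/' separators) -> SHA-256 for every file under root."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest recorded at backup time."""
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    unexpected = sorted(set(actual) - set(manifest))
    corrupted = sorted(k for k in manifest if k in actual and actual[k] != manifest[k])
    return {"ok": not (missing or unexpected or corrupted),
            "missing": missing, "unexpected": unexpected, "corrupted": corrupted}


def simulate_ransomware(root):
    """Constructed stand-in for the behaviour described on this page: overwrite each file,
    rename it with a new extension, and drop a ransom note.  Not real malware."""
    root = Path(root)
    for p in sorted(root.rglob("*")):
        if p.is_file():
            p.write_bytes(os.urandom(max(len(p.read_bytes()), 16)))
            p.rename(p.with_name(p.name + ".crypt"))
    (root / "_HELP_instructions.txt").write_text("pay to decrypt\n")


def demo():
    """Build a tiny live tree, back it up, hit the live tree, and verify three candidates:
    the encrypted live tree, the clean backup, and a backup copy damaged in transit."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "q1.xlsx").write_bytes(b"constructed spreadsheet bytes")
        (live / "notes.txt").write_text("constructed notes\n")

        manifest = build_manifest(live)                 # recorded at backup time
        backup = Path(tmp) / "backup"
        shutil.copytree(live, backup)                   # the segregated copy

        partial = Path(tmp) / "partial"                 # a restore that lost data on the way
        shutil.copytree(backup, partial)
        (partial / "notes.txt").write_bytes(b"")

        simulate_ransomware(live)
        return (verify_restore(manifest, live),
                verify_restore(manifest, backup),
                verify_restore(manifest, partial))


if __name__ == "__main__":
    for label, result in zip(("live (encrypted)", "backup", "partial restore"), demo()):
        print(f"{label}: ok={result['ok']} missing={result['missing']} "
              f"unexpected={result['unexpected']} corrupted={result['corrupted']}")
```

Running the check against the live tree after the simulated attack shows every original path missing and the ciphertext plus the ransom note appearing as unexpected; the clean backup passes; the damaged copy is flagged by content hash even though the file name is still present. That last case is the one a restore drill should exercise: a backup that exists but does not match its manifest is not a recovery capability.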

The Time Is Now

Ransomware is a highly effective tool in the threat actor’s repertoire—and it’s growing more sophisticated and damaging by the day.

Indications show that the healthcare, retail, and manufacturing sectors will be the primary targets of ransomware attacks going forward. This is largely the result of threat actors seeking to increase profit margins by shifting focus from widespread, but less lucrative, attacks on individual users to targeting corporations specifically.

Cybersecurity leaders need to be prepared to address the risk ransomware poses to their networks, and their organization’s business. With recent headlines of ransomware attacks, your customers, employees, stakeholders, and potentially the FTC, will demand security against ransomware threats.

The companies that earn trust will win out in the long term by demonstrating the commitment and ability to reduce the risk—as well as to communicate, manage, and fix the problem when a ransomware incident does occur.

Ransomware Reality Check: Getting Beyond the Headlines