Vulnerability of the Year: Ransomware

“Um, honey, I think we have a problem. The computer is telling me that all the files on it have been encrypted. This is your sort of thing, right?”

Inhaling, I let my dear hubby’s words sink in. Ransomware? My sort of thing?

In 2016, ransomware was everybody’s sort of thing.

Ransomware is nothing new. In fact, in internet years it’s older than dirt. It’s been around since the late 1980s, when it was distributed via floppy disks. Back then, the unlock fee of $189 had to be mailed to the P.O. box of the anonymous creator, who turned out to be a doctor with a few loose screws. Since then, ransomware has upped its game significantly, and in early 2016 the FBI predicted that the costs of the epidemic would reach the $1 billion mark. The total year-end numbers are still being tallied, but the odds are that the FBI’s estimate was on target.

Ransomware attacks hit personal computers, big businesses, law enforcement agencies, schools and, perhaps most devastatingly, hospitals, where IT staff were forced many times over in 2016 to choose between forking over money and losing potentially life-altering patient medical information. And the outlook for 2017 doesn’t seem much brighter.

Here is a look at the most damaging or notable variants we crossed paths with in 2016:

Locky: A recent addition to the ransomware crime family, Locky sounds less than harmful, but in reality this variant turned out to be incredibly destructive in terms of speed and agility. Starting in late 2015, Locky spread through infected Excel and Word files sent as email attachments and hit more than 400,000 victims in its first week of deployment alone. Since then it has been detected in 114 countries and has been the method of attack against high-profile targets, including Hollywood and Methodist hospitals in Los Angeles and Kentucky, respectively.

Locky is profitable too – the decrypt fee is one bitcoin, or about $419. Of the roughly 90,000 people it affects each day, approximately 2,600 pay up. So you do the math – by the end of the year, Locky’s creators have raked in a nice bundle of cash from their exploit.

Petya and Mischa: Talk about double trouble. This ransomware pair surfaced in March of this year and spread via infected email attachments, displaying some truly unique qualities. First off, whereas most ransomware variants encrypt files, Petya takes the lead and goes after admin privileges, encrypting the master file table and leaving the computer unable to boot. This can only happen if it gets admin privileges, which it does by tricking users into granting access at the User Account Control (UAC) prompt.

But wait, there’s more! If Petya fails to obtain admin privileges, Mischa steps in and encrypts files directly, just like any other ransomware.

The decrypt fee for Petya was about 1.96 BTC (about $898) at the height of its infection-spreading spree, and Mischa’s was slightly higher at 2.009 BTC, or $909.

Cerber: Spread via, you guessed it, infected spam email attachments that appear to come from companies like DHL or FedEx, Cerber starts encrypting files with an RSA-2048 key when users click a link in the fraudulent emails.

A few elements make this variant noteworthy. Cerber follows the Ransomware as a Service (RaaS) business model, meaning that any unskilled ransomware perpetrator-wannabe can buy the entire kit on the dark web and set up their own Cerber campaign in a few short and easy steps. They initiate the mayhem and collect the decrypt fee (1 BTC, an apparent steal), and the original creator gets a kickback from their profits. Cerber also plays a recording of the decrypt instructions for victims, perhaps to give it a more “personal” touch. The part that makes it truly noteworthy, though, is that since its inception early this year Cerber hasn’t stopped morphing and changing its methods, making it that much more difficult to stop in its tracks.

ZCrypt: It’s got a funky new-agey name, but ZCrypt is notable because of its throwback functionality. Arriving via malicious attachments or as a fake Adobe Flash update, ZCrypt spreads as a self-replicating virus, making it reminiscent of the computer viruses of yore.

Charging a decrypt fee of 1 BTC, there is a lot wrong with ZCrypt’s execution, but what it lacks in precision it makes up for in creativity and perseverance. It evades detection precisely because it uses older methods that a lot of anti-virus products don’t bother trying to detect, and then it overwrites files not once but twice, to make sure there is no way to recover them without paying up. And lastly, it monitors any new files created after the initial encryption takes place (in case you just wanted to write off the already-encrypted files as goners and move on without paying) and encrypts those too. It hasn’t been too widely distributed as of yet, but its tenacity makes it one to watch out for.

Popcorn Time: Sounds cute, but it’s not. Not to be confused with the banned/unbanned/banned-again video streaming platform bearing the same name, Popcorn Time is your typical run-of-the-mill ransomware, encrypting files and forcing victims to pay up. But there’s a twist — if you don’t want to pay and don’t have any particular scruples, just send it off to other people. If two of them pay up, you’re off the hook!

Popcorn Time debuted just in the last month or so and still has a lot of bugs to work out, but as we have seen, hackers draw inspiration from past variants, so look for Popcorn Time to become more polished over time — and watch out for other variants looking to pull a page from its nasty book.

Ransomware keeps rearing its ugly head because people keep paying up, making the creators and distributors very, very rich. The very best advice is to back up with a reliable backup program before trouble strikes and then wipe the encrypted files off your computer (unless you’ve been infected with ZCrypt, in which case good luck, buddy).
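One practical caveat to the backup advice, given the ZCrypt behaviour described above (it keeps encrypting files created after the initial infection): a backup job that runs on an already-infected machine can quietly fill the backup set with ciphertext. Encrypted output is statistically indistinguishable from random bytes, so a cheap way to sanity-check a backup is to measure the Shannon entropy of each file and flag anything close to 8 bits per byte. The script below is an added example written for this post, not code from any of the ransomware families or tools it discusses; the sample backup tree, its file names (including the `.encrypted` suffix) and the hash-chain stand-in for ciphertext are all constructed for the demonstration.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path
from typing import List


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated byte, 8.0 for
    perfectly uniform bytes. Encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5, min_size: int = 256) -> bool:
    """Heuristic: flag content whose entropy is near the 8-bit ceiling.
    Very small files are skipped because their entropy estimate is too noisy."""
    return len(data) >= min_size and shannon_entropy(data) >= threshold


# Formats that are compressed by design and therefore look "encrypted" to an
# entropy test; skipping them keeps false positives down. (Assumed list.)
COMPRESSED_SUFFIXES = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4"}


def scan_tree(root: Path, threshold: float = 7.5) -> List[str]:
    """Return POSIX-style relative paths of files under root that look encrypted."""
    flagged = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() in COMPRESSED_SUFFIXES:
            continue
        if looks_encrypted(path.read_bytes(), threshold):
            flagged.append(path.relative_to(root).as_posix())
    return flagged


def _pseudo_ciphertext(size: int) -> bytes:
    """Deterministic stand-in for encrypted bytes (constructed: a SHA-256 hash
    chain), so the example runs offline and gives the same result every time."""
    out = b""
    i = 0
    while len(out) < size:
        out += hashlib.sha256(i.to_bytes(4, "big")).digest()
        i += 1
    return out[:size]


def build_sample_backup(root: Path) -> None:
    """Constructed backup set: one healthy text document, one document that was
    encrypted before the backup ran, and one compressed archive that must not
    be flagged even though its bytes are high-entropy."""
    (root / "docs").mkdir()
    (root / "docs" / "notes.txt").write_bytes(b"Quarterly report draft, revision 3.\n" * 64)
    (root / "docs" / "report.docx.encrypted").write_bytes(_pseudo_ciphertext(4096))
    (root / "photos.zip").write_bytes(_pseudo_ciphertext(2048))


def demo() -> List[str]:
    """Build the constructed backup set in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_backup(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel in demo():
        print("suspicious (high entropy):", rel)
```

Run it as-is to see the constructed example, or point `scan_tree` at a real backup directory. Entropy alone cannot tell ciphertext from a legitimately compressed file, which is why the suffix skip-list exists; for a real backup job the useful signal is a sudden jump in the number of flagged files between two runs, not any single file.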

As for my ransomwared-with-Locky computer? It was a really outdated gosh-why-do-we-even-have-this-old-thing standby that I hadn’t thought to install RCS on. My fault right there. We just decided to chuck it, because there was no way I was going to pay up and thankfully, there was no important info on there anyway. But I surely learned my lesson. Maybe, with a little bit of luck, and a whole lot of better security practices, ransomware won’t be anybody’s sort of thing anymore in 2017.
