The Ransomway

There are always different ways to make money. Cybercriminals know it, and their imagination is unlimited as far as we can tell. Sometimes they lure users into downloading a rogue AV as a treatment for an “infected computer”, other times they literally extort users to pay to get their own data or computer access back. Let's have a look into the infamous malware called ransomware.

In general we can divide this sort of malware into three separate categories:

1. file encrypters

2. system lockers

3. application lockers

Even though their application varies, the aim is always the same. The victim has to pay, otherwise the data/access will be lost for ever.

File encrypters

The first group represents the most notorious extortion tactic from the real world – “pay now otherwise you will not see it again”. It all started around 1989, when the first ransomware was introduced – PC Cyberg Trojan alias AIDS trojan horse. The basics have remained unchanged since. Once the trojan launches on a victim's computer, all custom data (files that are important from the user perspective) is encrypted and is therefore inaccessible to the user. With PC Cyberg the victim was asked to post the ransom to a PO Box in Panama; nowadays the criminals ask users to send either an SMS to a premium mobile number, or transfer money to online payment services such as Egold, Liberty Services or others. The payment varies from $20 up to $200 depending on the sophistication of the malware and greediness of the authors.

In 2004 Gpcode (known also as PGPCoder - Trojan-Ransom.Win32.GpCode) emerged into the world. Unlike PC Cyberg, which used a weak symmetric key for the whole encryption, Gpcode starts with RC4 and carries on up to AES-256concealed into RSA-1024 public encryption - the symmetric encryption key is in the body of the virus encrypted by the RSA public key. This sophisticated method makes the cipher unbreakable and the victim has to either pay the ransom and hope for “honesty” from the attacker, or restore all data from the backup – if it exists. Once Gpcode finishes the encryption, the desktop changes and shows a notification of what has just happened with a message window explaining the same (Picture 1).

Picture 1 : Gpcode notification about encrypted files and the ransom request

Every folder with encrypted data contains a new file explaining the situation – either !_READ_ME_!.txt or HOW TO DECRYPT FILES.txt, and every encrypted file has a new extension added – either ._CRYPT or .ENCODED (Picture 2).

Picture 2 : Every folder contains the extortion text explanation

Files are not deleted so the recovery is theoretically possible unless the criminals are completely unscrupulous. You want to believe so, don't you?

The virus uses Microsoft Enhanced Cryptographic Provider to encrypt files built by default in Windows, which makes the whole operation extremely fast.

Since the first version of Gpcode has been discovered we have seen many different versions and also copycatting with weak or embedded keys. Nevertheless, this kind of malware can cause real harm to the victims unless all data has been freshly backed up.

System lockers

The second category contains malware that blocks access to the vital or essential parts of the system. From samples we have seen we could divide them into two types:

1. screen lockers

2. boot lockers

The former is performed by either blocking the access to the system interaction completely and showing an extortion message (Picture 3), or just partially covering the screen with an embarrassing image and message (Picture 4) – e.g.Trojan.Ransomlock or Trojan.SMSlock. As the message can “reveal” unwanted details about the victim (“you surfed porn sites for free now you have to pay”) the victims often pay without contacting any professionals to help them out.

Picture 3 : The access to the machine is blocked by the malware's notification screen

Picture 4 :  Embarrassing ad ransomware tactic.

Both of these were first seen around April 2009, and mostly in Russia where there is no problem getting hold of anonymous premium numbers - as opposed to other Western countries who ask for strong proof of identity. As with the previous category there is no assurance that the victim will receive the unlocking key once the text is sent. As happens with ransoms in general, the criminals can ask for more once they see the victim is willing to pay. Fortunately, this malware is not as sophisticated as the previously-mentioned one, so there is a chance to get hold of an unlocking utility or a code generator from the Internet.

The second type, boot lockers, replaces the MBR on the disk with an infected one blocking the booting sequence of the computer completely – e.g. Trojan.Bootlock. The message informs the victim about a way how to decrypt the disk by sending a text to a premium number (Picture 5). The criminals claim the whole disk has been encrypted and the only way to get the data back is to pay via uKash or paysafecard on www.safe-data.ru (Picture 6). Again, fortunately for the victims, there is no encryption on the hard drives, only a simple MBR replacement. Also, this particular malware has been using the same passwords continuously - aaaaaaciip and aaaaadabia.

Picture 5 : Ransomware replaces the MBR with an infected one blocking the PC boot sequence completely

Picture 6 : The criminals ask for a payment via online payment services

Application lockers

The last category is probably the least widespread and least dangerous one. The malware blocks access to specific applications or Web sites asking either for ransom, or more often for the victim to fill out a survey subscribing them to the premium rate mobile services – e.g. Yimfoca IM worm. If the victim declines to fill in the survey, access to the page remains blocked. Even restarting the machine does not help. However, other browsers can access the site with no problems.

Malware delivery

The delivery of malicious files is done via the usual malware channels – fake codecs or video players, embedded in illegal copies of programs, via spam, IM chats, comments on personal pages, or USB drives containing "special bonuses”. There is nothing new about the ways in which criminals try to compromise victims. Having said this, protection against such attacks is possible and Websense customers are protected with our Advanced Classification Engine analytics, our suite of technologies within TRITON.

Is ransomware a successor of scareware?

We dare to say it is not. Both malware groups try to convince the victim that there is no way to avoid paying money, although the approach is very different. With scareware the victims at least have a chance to resist the social engineering offering the only solution and work on the cleaning process on their own. With ransomware this chance hardly exists at all. Yes, there are many similarities and it is likely the same people stand behind both types of malware groups. However, in one case there is a "seller" offering the "products and services"; in the other one an extorter asking for ransom. Even though both are illegal and dishonest, the approach is different.

Restoration and Protection

Restoration of data or access depend on the kind of malware. In some cases it is possible to download a utility and clean the infected system, in other cases to replace malicious parts with clean ones. Unfortunately, there is no means to bypass malware such as Gpcode. Therefore the only protection is to keep up-to-date backups stored off the machine all the time. With cheap memory accessibility this should not be an issue at all. And, of course, services from Websense protect potential victims even against such obstacles as restoring data from backups.

To see how Websense protects our customers from Ransomware you can watch the following YouTube video: