How Ransomware/Crypto malware spreads & is it decryptable

Thread starter: quietman7

Since we receive a lot of questions from victims in regards to how they were infected with file encrypting ransomware, I thought it might be helpful to post the following explanation.


Crypto malware and other forms of ransomware are typically spread and delivered through social engineering (trickery) and user interaction...opening malicious email attachments (usually from an unknown or unsolicited source) or clicking on a malicious link within an email or on a social networking site. Crypto malware can be disguised as fake PDF files in email attachments which appear to be legitimate correspondence from reputable companies such as banks and other financial institutions, or phony FedEx and UPS notices with tracking numbers. Attackers will use email addresses and subjects (purchase orders, bills, complaints, other business communications) that will entice a user to read the email and open the attachment. Another method involves tricking unwitting users into opening Order Confirmation emails by asking them to confirm an online e-commerce order, purchase or package shipment.

Some attackers will use shortened malicious URLs to mask a malicious link, obfuscating a malicious destination and malicious script (i.e. JavaScript (.js) file) downloader. Still another technique uses spam emails and social engineering to infect a system by enticing users to open an infected Word document with embedded macro viruses and convincing them to manually enable macros that allow the malicious code to run. Social engineering has become one of the most prolific tactics for the distribution of malware, identity theft and fraud.
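An added example (not part of quietman7's post) of how a mail gateway or an analyst's triage script can flag the lures described above: attachments with an executable or double extension (a "PDF" that is really an .exe, a .js downloader), macro-capable Office documents, and links that go through a URL shortener or to a bare IP address. The extension and shortener lists, the scoring rule and the sample messages are constructed for illustration and are not exhaustive.

```python
import re
from urllib.parse import urlparse

# Attachment types that execute code when opened (constructed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "js", "jse", "vbs", "wsf", "bat", "cmd", "hta", "jar"}
# Office formats that can carry a macro the user is then asked to "enable".
MACRO_EXTS = {"doc", "dot", "xls", "docm", "dotm", "xlsm"}
# Extensions attackers place in front of the real one so the file looks like a document.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "jpg", "png", "txt"}
# Well-known URL shorteners (constructed list) that hide the real destination.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}
# Hosts written as an IP literal rather than a company name.
IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def attachment_findings(filename):
    """Return the reasons an attachment name matches the lures above (empty if none)."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return []
    ext = parts[-1]
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append(f"{filename}: executable type .{ext}")
    if ext in MACRO_EXTS:
        findings.append(f"{filename}: Office format that can carry macros")
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        findings.append(f"{filename}: double extension .{parts[-2]}.{ext}")
    return findings


def link_findings(url):
    """Return the reasons a link obscures or misrepresents its destination."""
    host = (urlparse(url).hostname or "").lower()
    findings = []
    if host in SHORTENER_DOMAINS:
        findings.append(f"{url}: shortened URL hides the real destination")
    if IP_HOST.match(host):
        findings.append(f"{url}: raw IP address instead of a hostname")
    return findings


def triage_email(message):
    """Collect findings for one message (dict with 'attachments' and 'urls') and give a verdict."""
    findings = []
    for name in message.get("attachments", []):
        findings.extend(attachment_findings(name))
    for url in message.get("urls", []):
        findings.extend(link_findings(url))
    verdict = "hold for review" if findings else "no indicator"
    return {"verdict": verdict, "findings": findings}


# Constructed sample messages (not real mail) mirroring the lures described in the post.
SAMPLES = [
    {"subject": "Your FedEx package tracking #999",
     "attachments": ["Tracking_Info.pdf.exe"], "urls": []},
    {"subject": "Purchase order 4471",
     "attachments": ["PO-4471.doc"], "urls": ["http://bit.ly/xyz"]},
    {"subject": "Monthly newsletter",
     "attachments": ["newsletter.pdf"], "urls": ["https://example.com/news"]},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        result = triage_email(msg)
        print(msg["subject"], "->", result["verdict"])
        for finding in result["findings"]:
            print("   ", finding)
```

The checks are deliberately cheap string rules so they can run on every inbound message; they do not replace attachment sandboxing or URL reputation, they decide which messages are worth that heavier look.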

Crypto malware can also be delivered via malvertising attacks, exploit kits and drive-by downloads when visiting compromised web sites...see US-CERT Alert (TA14-295A). An Exploit Kit is a malicious tool with pre-written code used by cyber criminals to exploit vulnerabilities (security holes) in outdated or insecure software applications and then execute malicious code. Currently the Angler, Magnitude, Neutrino, and Nuclear exploit kits are the most popular but the Angler EK is by far the largest threat.

Some victims have encountered crypto malware from ransomware executables, packaged NW.js applications using JavaScript, or following a previous infection from one of several botnets such as Zbot (frequently used in the cyber-criminal underground) which downloads and executes the ransomware as a secondary payload from infected websites...see US-CERT Alert (TA13-309A).

Another scenario has involved attackers installing and spreading ransomware through targeted Remote Desktop or Terminal Services attacks, especially on servers. The attacker brute-forces weak passwords on computers running Remote Desktop or Terminal Services. Once the attacker gains access to a target computer, they download and install a package that generates the encryption keys, encrypts the data files, and then uploads various files back to the hacker via the Terminal Services client. Kaspersky has reported that brute-force attacks against RDP servers are on the rise.
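An added example (not from the post) of the detection a server owner would want for the RDP password-guessing scenario above: count failed logons per source address inside a sliding window and raise the severity when a successful logon from the same address follows the burst. The event IDs are the real Windows Security log values (4625 = an account failed to log on, 4624 = an account was successfully logged on, logon type 10 = RemoteInteractive, i.e. RDP); the one-line-per-event export format, the five-failures-in-five-minutes threshold and the sample events are constructed assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a simplified export of Windows Security log events.
# Real exports carry many more fields; only those needed here are kept.
# Columns: time, EventID (4625 failed / 4624 successful logon),
#          LogonType (10 = RemoteInteractive, i.e. RDP), account, source IP.
SAMPLE_EVENTS = """\
2016-03-01T02:00:01 4625 10 administrator 203.0.113.45
2016-03-01T02:00:03 4625 10 admin 203.0.113.45
2016-03-01T02:00:05 4625 10 backup 203.0.113.45
2016-03-01T02:00:06 4625 10 administrator 203.0.113.45
2016-03-01T02:00:08 4625 10 sqladmin 203.0.113.45
2016-03-01T02:00:10 4625 10 Administrator 203.0.113.45
2016-03-01T02:00:12 4624 10 Administrator 203.0.113.45
2016-03-01T09:15:00 4625 10 jsmith 198.51.100.7
2016-03-01T09:15:40 4624 10 jsmith 198.51.100.7
"""

FAIL_THRESHOLD = 5            # assumed tuning values; adjust to the environment
WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Parse the simplified export into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, ip = line.split()
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "account": account, "ip": ip})
    return events


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: alert} for every address with >= threshold RDP failures
    inside `window`; severity becomes 'high' if a 4624 from that address follows."""
    recent = defaultdict(deque)      # ip -> timestamps of failures still inside the window
    accounts = defaultdict(set)      # ip -> account names tried (case-folded)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:   # only RDP logons matter for this rule
            continue
        q = recent[ev["ip"]]
        while q and ev["time"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if ev["event_id"] == 4625:
            q.append(ev["time"])
            accounts[ev["ip"]].add(ev["account"].lower())
            if len(q) >= threshold:
                alert = alerts.setdefault(ev["ip"], {"severity": "medium"})
                alert["failures"] = len(q)
                alert["accounts"] = sorted(accounts[ev["ip"]])
        elif ev["event_id"] == 4624 and ev["ip"] in alerts:
            # A success right after a guessing burst is the compromise itself, not noise.
            alerts[ev["ip"]]["severity"] = "high"
            alerts[ev["ip"]]["success_as"] = ev["account"]
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(ip, alert)
```

A single failure followed by a success (the jsmith entries) never reaches the threshold and produces nothing, which is the behaviour wanted for a user who mistyped a password once. The "high" alert is the one to page on: the account named in `success_as` is the one the attacker now holds.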

There also have been reported cases where crypto malware has spread via YouTube ads and on social media, a popular venue where cyber-criminals can facilitate the spread of all sorts of malicious infections.



If anyone encounters a new malware (ransomware) spreading vector, be sure to post it here so we can keep this information current.


About Encryption: Whether you can recover (decrypt) your files or not depends on what ransomware infection you are dealing with. All crypto malware ransomware uses some form of encryption algorithm; most of them are secure, but others are not. The possibility of decryption depends on how thorough the malware creator was, what algorithm the creator utilized for encryption and the discovery of any flaws.

Some of the more popular crypto malware ransomware use RSA encryption, AES Encryption or a combination such as ECC (Elliptic Curve Cryptography) to encrypt data.



RSA uses an asymmetric key encryption algorithm which utilizes a key pair system (two different keys)...a public and a private key. Encryption with the public key can only be decrypted by the private key generated and stored on the command-and-control server used by the malware creators. Since the private key cannot be calculated from the public key, these properties make decryption impossible.
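An added example (not from the post) of why "the private key cannot be calculated from the public key" holds only when the key is large enough, which is the kind of flaw the "About Encryption" paragraph says decryption depends on. It is textbook RSA on small integers, written from scratch here with no padding and a probabilistic primality test, for teaching only: a 32-bit toy key is recovered from its public half by trial division in a fraction of a second, while the same attempt on a 128-bit key runs out of its trial budget and returns nothing; real keys are 2048 bits or more and the search would not finish. Key sizes, the trial budget and the secret value are assumptions chosen for the demonstration.

```python
import math
import random


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test (probabilistic; adequate for a demonstration)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd prime with exactly `bits` bits (top bit forced to 1)."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits):
    """Textbook RSA: returns public key (n, e) and private key (n, d). No padding; toy only."""
    e = 65537
    while True:
        p = random_prime(bits // 2)
        q = random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)            # modular inverse of e (Python 3.8+)
    return (p * q, e), (p * q, d)


def encrypt(public_key, m):
    n, e = public_key
    return pow(m, e, n)


def decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)


def recover_private_key(public_key, trial_limit=1_000_000):
    """Try to rebuild (n, d) from (n, e) alone by factoring n with trial division.
    Succeeds only when a prime factor lies below trial_limit, i.e. for toy keys."""
    n, e = public_key
    for p in range(2, min(math.isqrt(n) + 1, trial_limit)):
        if n % p == 0:
            q = n // p
            return (n, pow(e, -1, (p - 1) * (q - 1)))
    return None


if __name__ == "__main__":
    secret = 0xC0FFEE                      # a small secret to protect (constructed)
    toy_pub, toy_priv = generate_keypair(32)
    c = encrypt(toy_pub, secret)
    print("legitimate private key decrypts:", decrypt(toy_priv, c) == secret)
    recovered = recover_private_key(toy_pub)
    print("32-bit key recovered from the public key alone:", recovered is not None)
    print("recovered key also decrypts:", recovered and decrypt(recovered, c) == secret)
    big_pub, _ = generate_keypair(128)
    print("128-bit key recovered by trial division:", recover_private_key(big_pub) is not None)
```

The asymmetry the post describes is exactly the gap between `generate_keypair`, which knows p and q, and `recover_private_key`, which has to find them; nothing about the public key leaks d, so a defender's only paths are the author's own mistakes (short or reused keys, keys left on disk) or obtaining the key from the operators, never computation.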



AES uses a symmetric key encryption algorithm and shares the same (single, secret) cryptographic key for both encryption and decryption. AES has a fixed block size of 128 bits and permits the use of 128-, 192-, or 256-bit keys. Breaking a symmetric 256-bit key by brute force requires several thousand times more computational power than a 128-bit key.

ECC (Elliptic Curve Cryptography) uses a combination of symmetric and asymmetric encryption to encrypt files. AES is used for encryption and the means to decrypt the files are encrypted with the ECC public key ensuring that only the malware developers have the corresponding private key required to decrypt the files. Since the cryptographic scheme uses asymmetric encryption, it is impossible to decrypt encrypted files without having the private key. A benefit that ECC has over RSA is that equivalent security levels can be achieved with much smaller key sizes.

