How to Block Ransomware

Hackers can easily put you in a position where you'll need to pay up to get your systems running again.

April 26, 2016 by Andreas Krebs

How Ransomware Finds a Foothold

If your laptop and its contents were suddenly held for ransom tomorrow, how much would you be willing to pay for it? Hackers can easily put you in a position where you'll need to pay up to get your systems running again… and many larger institutes have ended up paying hundreds of thousands of dollars for the privilege.

Ransomware has become the black-hat hacker's biggest cash cow in recent years. This hacking method encrypts a target computer's data; the hacker then offers to unlock the information for a fee payable in Bitcoin. Ransoms range from hundreds of dollars on the low end for individual users up to the roughly US$17,000 paid by Hollywood Presbyterian Medical Center.

Analysis of Bitcoin payments leads IT experts to conclude that one recent ransomware build, Cryptowall 3, is responsible for at least $325 million in ransom payments.

What allows ransomware to slip in? On the systems side, a lack of up-to-date anti-malware; on the personnel side, trust bordering on gullibility and poor surfing habits. Ransomware generally needs its targets' initial cooperation to find a foothold, though drive-by downloads can now let malware through without any click from you.

Spam email is an incredibly popular ransomware entry point, as many of them are ingeniously crafted to grab your attention and compel less suspicious users to click on the attachments. That's the beauty of social engineering: given the right stimulus, you can get people to click on any strange email. Spam emails carrying ransomware look like regular mail from trusted sources: power bills, tax returns, documents for work, and so on.

For instance, early versions of the ransomware variant Locky came as a Microsoft Word document presented as, among other things, an invoice or an applicant's CV. Users who opened the file saw a page of gobbledygook, with a note at the top saying “Enable macro if the data encoding is incorrect”. Once macros were activated, Locky kicked in, encrypting system files and then sending the user a ransom note.

Peer-to-peer sites prey on users' need for free software: some ransomware variants find a foothold by masquerading as activators for expensive software like Adobe Photoshop. The wide distribution of peer-to-peer networks like BitTorrent allows hackers to spread their mischief far and wide, without resorting to spam emails or fancy hacking techniques.

Compromised websites can infect your computer even if you don't click any links… sometimes you don't even have to deliberately visit the site to get hit!

Exploit kits that deploy ransomware can be activated by clicking on compromised ads called “malvertising”, or by simply visiting these compromised sites. If the exploit kit finds a vulnerability on your computer, the kit can commence a “drive-by download” of ransomware. Sites hawking pornography and illegal downloads are notorious for hosting such exploits.

Alternatively, legitimate redirects from a traffic distribution service (TDS) vendor can suddenly take you to these sites, even though you never asked to go there in the first place.

Self-propagating ransomware is rare, for good reason: users will likely avoid paying a ransom if their computers are infected a second or third time by mindlessly spreading malware!

That doesn't mean some hackers haven't tried anyway. A variant of Cryptolocker was found to spread via removable drives, and the Android ransomware Koler manages the trick of spreading by sending SMS messages to its infected users' entire phonebook.

If you haven't implemented basic safeguards that keep ransomware at bay, you might be the hackers' next big meal ticket. If you're looking to protect yourself, you'll need expert, tailored advice to find out how you can plug those ransomware holes in your system. To get started, contact the IT experts at All Covered at 866-446-1133.