26 Ransomware

There is a particularly nasty type of malware known as 'ransomware' which holds you to ransom by encrypting your documents, so you cannot access them or completely locks you out of your own computer, sometimes stopping it from starting at all. You then have to pay the criminals to get everything back, sometimes this in the form of a ‘helpful’ but unknown anti-virus program, which conveniently spotted the virus. It's just the virus itself though and even if you pay up (the criminals now have your card details) the original virus and other trojans will remain. You'll get access to your files again, but you'll be in a worse situation. Your machine will still be infected, probably with additional trojans, password watchers, keyloggers and you could now be part of a large zombie network. The ransomware viruses that lock you out of your screen may claim that your Windows licence isn’t valid and ask you to call Microsoft Tech Support on the number provided. or you have broken the law in some way. The Mac OS X Lockscreen ransomware claimed the ‘FBI’ had locked your computer and you were being fined, which was of course a lie. 

More recently the trend has been to make the user aware that their files have been encrypted using military grade encryption and in return for paying the ransom, they will get the encryption key to restore their files. A time limit is also added ranging from 24 - 72 hours before the encryption key is automatically deleted. Some are more malicious and start deleting files after each hour that passes or if you restart your computer, inflict a heavy penalty. Without the encryption key, accessing your files is pretty much impossible. One of the worst ransomware viruses was CryptoLocker, this Windows virus not only encrypted files on the infected computer, but also on network shares and external drives, making this really problematic for businesses. Whatever network shares the user has write access to will get encrypted, effectively stopping everyone in the company from opening these files. The only solution is to either pay the ransom using hard to trace crypto-currency transactions like Bitcoin, or recover your files from an external or cloud backup. The ransom demands typically range from $200-$2000, depending on the amount demanded and the crypto-currency exchange rates. CryptoLocker was so successful that a whole array of newer ransomware viruses like TeslaCrypt evolved, earning one criminal gang over €300 million over 3 years (we know this from the public ledger component of Bitcoin) so is now a major source of income for many criminals. Encryption based ransomware has continued to evolve and many now feature a dedicated helpdesk you can contact, to you help with purchasing Bitcoins or other crypto-currencies needed to pay the ransom. The criminals realised that many of their victims wanted to pay the ransom but didn’t understand how to purchase the crypto-currency required. One ransomware virus even goes so far as to offer to decrypt all your files for free if you share an affiliate link and two other people end up paying the ransom as a result. Please never consider this as you could be investigated by the police and end up in a lot of trouble.

If you are a victim of ransomware, you will need to choose whether to pay up or not, depending on the value you place on your files or inability to access your computer. It is important to understand that you may be breaking the law by paying a ransom demand, for example in the USA, it is illegal to pay a ransom to anyone on the Office of Foreign Asset Control (OFAC) list. There are also calls in the UK for new laws to stop businesses paying ransomware demands, so the legality of paying may change or may already be illegal depending which country you are in.

Also, the instructions given by the criminals within the ransom demand to buy the type of cryptocurrency they are asking for may also be nothing more than an exercise in collecting your bank or credit card details, as well as other information necessary to commit identity theft. 

It could also be a cryptocurrency exchange that the criminals earn referral fees from or a cryptocurrency online wallet service that they also control, allowing them to steal any remaining cryptocurrencies in the wallet at a future date. If you intend to purchase any cryptocurrencies, it is best to stick to established firms with good reputations. Remember, paying a ransom is no guarantee that you will receive a working decryption key and that the ransomware virus will not do anything else untoward on your computer.

To help, law enforcement and IT Security companies have joined forces and created The No More Ransom Project (www.nomoreransom.org) which needs to be the first place to check if you get a ransom demand. Their ‘Crypto Sherriff’ lets you upload an encrypted file to determine the type of ransomware affecting your device and check whether there is a solution available. The antivirus firm ESET has also created a free TeslaCrypt decryption tool at https://support.eset.com/kb6051/ so do not immediately assume help is not available, just use another computer though to check.

Another area where people have become stuck is that in order to decrypt any data, the ransomware virus still needs to be active on your machine. If you allow an antivirus program to quarantine or remove the ransomware virus, then there is nothing to enter any decryption keys into, even if you have received the key from a legal source. Unless of course there is a decryption tool available for your particular variant of the ransomware.

Either way you will need to eventually remove the virus (never trust a virus to confirm that it is no longer active on your computer) and hope that your recent backup is not full of encrypted data. At one point, an online CryptoLocker Decryption Service offering to decrypt your files after the ransom period has ended, was actually by the same people behind the CryptoLocker virus and cost up to $2,300.

Sometimes these viruses arrive via browser messages or alerts claiming that a missing video codec needs to be downloaded, or a missing font file needs to be installed. According to one recent study by security start-up Barkly.com, in 2016 over 59% of ransomware arrived via email. Be on the alert for email attachments with disguised file extensions (e.g. sample.pdf.exe) so make sure that file extensions are not hidden if you are using a Windows computer. To do this, remove the tick in 'Control Panel – File Explorer Options - View - Hide extensions for known file types' while in Windows 10 it is also available in the View ribbon under ‘File name extensions’ and needs to be ticked.

There are also both free and paid for anti-ransomware solutions you can install if you are not using premium antivirus software, addressing some of the gaps, see:

Avast Anti-Ransomware Protection Tool (www.avast.com/c-ransomware-protection-tool)

Acronis Ransomware Protection (www.acronis.com/en-us/solutions/ransomware-protection) 

Criminals will try a wide variety of tricks to get you to install their ransomware software, like this email notice to appear in court. They are hoping you panic and open the attached zip file which contains a Visual Basic Script file ending in .vbs. Opening this file will cause it to run, despite often not appearing to have done anything at all.

Sometimes though, you are redirected to a webpage that continues the deception, displaying a court notice letter and instructions to verify your identity in order to dispute the notice. This just adds to your problems as you are helping the criminals commit identity theft and possibly phish your email credentials and credit card details. So, be wary of any unexpected emails that cause alarm, criminals lie, so pause, take a breath and reread the email. Chances are it’s fake, but it you really need to check, telephone the organisation concerned by looking up their number independent of what is written in the email.

Lastly, there are also the opportunists, who don’t even bother to actually encrypt your data or infect you, but instead just email you to say they have. Like this fake extortion spam email:

Hello!

My nickname in darknet is 0j0xKong.

This mailbox was hacked more than seven months ago, through it, your operating system was infected with a virus (trojan) created by me and you have been monitored by myself for a long time.

You may not belive me, so please check 'from address' in your header, you will see that this email was sent from your very own mailbox. (info@booleanlogical.com)

Even if you changed the password after that - it does not matter, my system intercepted all the caching data on your pc and automatically saved access for me.

I have access to all your accounts, social networks, email, browsing history.

Besides that, I have the data of all your contacts, files from your computer, photos and videos.

I was most shocked by the intimate content sites that you occasionally visit.

I tell you, you have a very wild imagination!

I took screenshot through the camera of your device during your pastime and entertainment there and i managed to synchronize them with what you are watching.

Oh my god! You are so funny and excited!

I don't think that you will want all your contacts to get these files, right?

If you are of the same opinion, then I think that $750 is quite a fair price to destroy the dirt I created.

Just send the above amount on my BTC wallet (bitcoin): 3L5beMF92sb1zBSzrBZUAaDPw2rw9PBj3u

When the above amount is received, I definitely guarantee that the collected data will be deleted, I do not need it.

Otherwise, these files and history of visiting sites will be sent to all your contacts from your device.

After reading this letter, you will have 48 hours!

I'll receive an automatic notification that you have seen the letter.

I hope I taught you a good lesson.

Do not be so nonchalant, please visit only to proven resources, and don't enter your passwords anywhere!

Good luck!

Ignoring the blatant typos and grammar, the criminal will try to convince you that what they say is true. Firstly, there is the claim that the email has been sent from your own email service. This is easy to spoof because believe it or not, email was designed with little or no security, so what is in the FROM section of the email can be easily faked.

Next is reference to the intimate content websites that you visit. At this point they are hoping that you have been watching porn and you panic. I have been called by friends who weren’t quite sure what their partners have been getting up to and asked if they should pay. The answer is no, it’s all a lie.

Lastly, they are hoping you have a webcam, chances are you have if you use a laptop. So, the combination of the ‘from’ email address, your porn viewing habits and that you have a webcam (if you are wealthy enough to afford the extortion ransom) is enough to convince you to pay up. Remember it’s all a lie, don’t start an argument as a result of an email from a criminal and do not follow any links in the extortion email or open any attachments.

Apple iPhone and iPad users have also been targeted with ransom demands after their devices had been remotely locked by criminals. The criminals accessed the users Apple iCloud accounts via stolen data from hacked websites. Make sure that any service that has a remote wipe or lock feature has a strong password that is only used for that service.

More worrying is the development of Android smartphone ransomware, which encrypts all the users’ files on the smartphone, including files on the external storage card, if there is one. Once users are tricked into installing the fake app, the device will then be locked from use until a payment is made, though restoring everything from a backup is the best course of action. Encrypting lots of files takes time, so if you do find yourself faced with this issue, immediately power off the phone (remove the battery if you have to) as many of the files may not have been encrypted yet. While your phone is off, no additional damage can be done. Remove any external storage and depending on your device, starting it in ‘safe mode’ or a factory reset may be your only options.

Some antivirus companies have removal apps for Android ransomware, but you will need access to a computer to add the removal app to your Google Play store account and for any additional instructions and steps you may need to take. Either way, it is probably best to take your phone to someone who knows what they are doing. 

Ransomware is basically digital extortion and is proving to be a lucrative undertaking for criminals. Ransomware is now so advanced and has developed into a major problem for individuals and businesses alike, so good backups are now more important than ever, no matter what device or system you use. 

Index or next chapter Using A Shared Computer