ICFE eNEWS #16-22 - July 11th 2016
U.S. Department of Homeland Security US-CERT
National Cyber Awareness
Ransomware and Recent Variants
Original release date: March 31, 2016 | Last revised: July 11, 2016
Systems Affected - Networked Systems
In early 2016, destructive ransomware variants such as Locky
and Samas were observed infecting computers belonging to individuals
and businesses, which included healthcare facilities and hospitals
worldwide. Ransomware is a type of malicious software that infects
a computer and restricts users' access to it until a ransom is paid
to unlock it.
The United States Department of Homeland Security
(DHS), in collaboration with the Canadian Cyber Incident Response Centre
(CCIRC), is releasing this Alert to provide further information
on ransomware, specifically its main characteristics, its prevalence,
variants that may be proliferating, and how users can prevent and
mitigate ransomware.
Description - WHAT IS RANSOMWARE?
Ransomware is a type of malware that infects computer systems,
restricting users' access to the infected systems. Ransomware variants
have been observed for several years and often attempt to extort
money from victims by displaying an on-screen alert. Typically,
these alerts state that the user's systems have been locked or that
the user's files have been encrypted. Users are told that unless
a ransom is paid, access will not be restored. The ransom demanded
from individuals varies greatly but is frequently $200 to $400
and must be paid in virtual currency, such as Bitcoin.
Ransomware is often spread through phishing emails that contain malicious attachments
or through drive-by downloading. Drive-by downloading occurs when
a user unknowingly visits an infected website and then malware is
downloaded and installed without the user's knowledge.
Crypto ransomware, a malware variant that encrypts files, is
spread through similar methods and has also been spread through
social media, such as Web-based instant messaging applications.
Additionally, newer methods of ransomware infection have been observed.
For example, vulnerable Web servers have been exploited as an entry
point to gain access into an organization's network.
WHY IS IT SO EFFECTIVE?
The authors of ransomware instill fear and panic into their victims,
causing them to click on a link or pay a ransom, and users' systems
can become infected with additional malware. Ransomware displays
intimidating messages similar to those below:
• "Your computer has been infected with a virus. Click here to
resolve the issue."
• "Your computer was used to visit websites with illegal content.
To unlock your computer, you must pay a $100 fine."
• "files on your computer have been encrypted. You must pay this
ransom within 72 hours to regain access to your data."
PROLIFERATION OF VARIANTS
In 2012, Symantec, using data from a command and control (C2)
server of 5,700 computers compromised in one day, estimated that
approximately 2.9 percent of those compromised users paid the ransom.
With an average ransom of $200, this meant malicious actors profited
$33,600 per day, or $394,400 per month, from a single C2 server.
These rough estimates demonstrate how profitable ransomware can
be for malicious actors.
This financial success has likely led
to a proliferation of ransomware variants. In 2013, more destructive
and lucrative ransomware variants were introduced, including Xorist,
CryptorBit, and CryptoLocker. Some variants encrypt not just the
files on the infected device, but also the contents of shared or
networked drives. These variants are considered destructive because
they encrypt users' and organizations' files, and render them useless
until criminals receive a ransom.
In early 2016, a destructive
ransomware variant, Locky, was observed infecting computers belonging
to healthcare facilities and hospitals in the United States, New
Zealand, and Germany. It propagates through spam emails that include
malicious Microsoft Office documents or compressed attachments (e.g.,
files to download Ransomware-Locky files.
Samas, another variant
of destructive ransomware, was used to compromise the networks of
healthcare facilities in 2016. Unlike Locky, Samas propagates through
vulnerable Web servers. After the Web server was compromised, uploaded
Ransomware-Samas files were used to infect the organization's networks.
LINKS TO OTHER TYPES OF MALWARE
Systems infected with ransomware are also often infected with
other malware. In the case of CryptoLocker, a user typically becomes
infected by opening a malicious attachment from an email. This malicious
attachment contains Upatre, a downloader, which infects the user
with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan
that steals banking information and is also used to steal other
types of data. Once a system is infected with GameOver Zeus, Upatre
will also download CryptoLocker. Finally, CryptoLocker encrypts
files on the infected system, and requests that a ransom be paid.
The close ties between ransomware and other types of malware were
demonstrated through the recent botnet disruption operation against
GameOver Zeus, which also proved effective against CryptoLocker.
In June 2014, an international law enforcement operation successfully
weakened the infrastructure of both GameOver Zeus and CryptoLocker.
Ransomware not only targets home users; businesses can also become
infected with ransomware, leading to negative consequences, including
• temporary or permanent loss of sensitive or proprietary information,
• disruption to regular operations,
• financial losses incurred to restore systems and files, and
• potential harm to an organization's
Paying the ransom does not guarantee the encrypted
files will be released; it only guarantees that the malicious actors
receive the victim's money, and in some cases, their banking information.
In addition, decrypting files does not mean the malware infection
itself has been removed.
Infections can be devastating to an individual or organization,
and recovery can be a difficult process that may require the services
of a reputable data recovery specialist.
US-CERT recommends that
users and administrators take the following preventive measures
to protect their computer networks from ransomware infection:
• Employ a data backup and recovery plan for all critical information.
• Perform and test regular backups to limit the impact of data or
system loss and to expedite the recovery process. Note that network-connected
backups can also be affected by ransomware; critical backups should
be isolated from the network for optimum protection.
• Use application
whitelisting to help prevent malicious software and unapproved programs
from running. Application whitelisting is one of the best security
strategies as it allows only specified programs to run, while blocking
all others, including malicious software.
• Keep your operating
system and software up-to-date with the latest patches. Vulnerable
applications and operating systems are the target of most attacks.
Ensuring these are patched with the latest updates greatly reduces
the number of exploitable entry points available to an attacker.
• Maintain up-to-date anti-virus software, and scan all software
downloaded from the internet prior to executing.
• Restrict users'
ability (permissions) to install and run unwanted software applications,
and apply the principle of "Least Privilege" to all systems
and services. Restricting these privileges may prevent malware from
running or limit its capability to spread through the network.
• Avoid enabling macros from email attachments. If a user opens
the attachment and enables macros, embedded code will execute the
malware on the machine. For enterprises or organizations, it may
be best to block email messages with attachments from suspicious
sources. For information on safely handling email attachments, see
Recognizing and Avoiding Email Scams. Follow safe practices when
browsing the Web. See Good Security Habits and Safeguarding Your
Data for additional details.
• Do not follow unsolicited Web
links in emails. Refer to the US-CERT Security Tip on Avoiding Social
Engineering and Phishing Attacks or the Security Publication on
Ransomware for more information.
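The "perform and test regular backups" and "isolate critical backups" recommendations above can be turned into a routine check: record a hash manifest when the backup is taken, keep the manifest off the backup volume, and verify the backup against it before relying on it. The following is an added example written for this edition, not code from US-CERT or the alert. Every path, file content and the ".locked" rename are constructed inside a temporary directory to simulate a network-reachable backup that has been damaged; no real backup is touched.

```python
"""Create and verify a SHA-256 manifest for a backup set (added example).

Ransomware that reaches a network-connected backup typically overwrites
files with ciphertext, renames them with a new extension, or drops notes.
A manifest taken at backup time and stored offline exposes all three.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map every file's path (relative to the backup root) to its SHA-256."""
    manifest = {}
    for entry in sorted(backup_root.rglob("*")):
        if entry.is_file():
            manifest[entry.relative_to(backup_root).as_posix()] = sha256_file(entry)
    return manifest


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the backup on disk against a previously stored manifest.

    'modified'   - hash differs (file overwritten in place, e.g. with ciphertext)
    'missing'    - path gone (deleted, or renamed with an appended extension)
    'unexpected' - path not in the manifest (renamed files, ransom notes)
    'ok'         - True only when all three lists are empty
    """
    current = build_manifest(backup_root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "ok": not (modified or missing or unexpected),
    }


def demo() -> dict:
    """Constructed scenario: manifest a clean backup, damage it, verify twice."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "finance").mkdir(parents=True)
        (root / "finance" / "ledger.xlsx").write_bytes(b"quarterly figures")
        (root / "notes.txt").write_bytes(b"meeting notes")

        # Serialize the manifest as it would be written to offline media; the
        # backup volume itself must not be the only place the manifest lives,
        # or whatever damages the backup can rewrite the manifest too.
        stored_manifest = json.dumps(build_manifest(root), indent=2)
        clean_report = verify_backup(root, json.loads(stored_manifest))

        # Simulated damage (constructed): one file overwritten in place, one
        # renamed with an appended extension, one new note file dropped.
        (root / "finance" / "ledger.xlsx").write_bytes(b"\x00\x11\x22 not the ledger")
        (root / "notes.txt").rename(root / "notes.txt.locked")
        (root / "README_TO_DECRYPT.txt").write_bytes(b"constructed note")
        damaged_report = verify_backup(root, json.loads(stored_manifest))

        return {"clean": clean_report, "damaged": damaged_report}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest is generated on the backup host at backup time and copied to media that is disconnected afterwards; the verification step then runs as part of each restore test, so that an encrypted or renamed backup is discovered during the test rather than during an incident.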
Individuals or organizations
are discouraged from paying the ransom, as this does not guarantee
files will be released. Report instances of fraud to the FBI at
the Internet Crime