Beware of the Three Faces of Ransomware

CryptoWall, CryptoLocker and CoinVault promise to destroy data if ransom demands are not met.

“Ransomware” has been making news lately due to the rise of CryptoWall – a nasty combination of malware and extortion that encrypts files and demands money in exchange for the key. If the ransom isn’t paid by a certain deadline, data will be lost forever. The only way to regain access to the files is to pay the ransom or restore from a recent backup that was not actively connected to the infected machine.

CryptoWall ransomware infected millions of users in September and October of this year. Hackers infiltrated the advertising networks that delivered ads to a number of reputable, high-profile websites such as AOL, Yahoo and as part of a sophisticated “malvertising” campaign. Users didn’t even have to click the ads to be infected. CryptoWall was automatically downloaded to user computers when pages with malicious ads loaded. Although the ad networks compromised in these attacks claim to have addressed the problem, an even more serious threat lurks on the horizon.

Primarily delivered via email attachments, CryptoWall 2.0 has been enhanced to close the “deficiencies” that allowed security professionals to disrupt the earlier version in recent months. Simply put, the enhancements in CryptoWall 2.0 make it more difficult for users to recover data and easier for hackers to compromise computers and receive ransom payments.

CryptoWall 2.0 copies and encrypts data and securely deletes the original data files, forcing users to recover data from backups or pay the ransom. CryptoWall 2.0 also assigns a unique bitcoin payment address to each victim, which prevents one victim from stealing another victim’s payment and using it to pay their own ransom. Ransom payments now go through gateway servers on the Tor anonymization network, which keeps the operators hidden from authorities and lets them control access to their servers.

CryptoLocker Locks down Data

Although CryptoWall made headlines as part of a widespread malvertising campaign, most ransomware, such as CryptoLocker, is spread via phishing emails designed to look as if they come from legitimate businesses, or through phony UPS and FedEx tracking notices. CryptoLocker has also shown up on computers attacked by a separate botnet infection.

Typically, the emails have a malicious attachment in the form of a .zip file that contains an executable program disguised as a PDF. When the victim clicks on the file, it installs itself in the Documents and Settings folder. After contacting one of the hackers’ command-and-control servers to generate an encryption key, it encrypts all documents, graphics and other files on the victim’s internal and external hard drives, removable media, and any shared network drives.
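The delivery mechanism described above, a zip attachment carrying an executable dressed up as a PDF, is something a mail gateway or an analyst can check for before the file ever reaches a user. The following Python script is an added example written for this article, not code from the original page or from any product it mentions: it builds a constructed sample archive in memory (a real PDF-like file next to an `invoice.pdf.exe` that begins with the `MZ` header of a Windows executable), then inspects every entry for an executable extension, a double extension that hides an executable behind a document name, or executable content behind a document extension. All file names and byte contents are constructed for the example.

```python
import io
import zipfile
from typing import Dict, List

# Extensions that Windows will run as a program, and extensions that users
# expect to open as documents. Both sets are illustrative, not exhaustive.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def build_sample_archive() -> bytes:
    """Constructed sample attachment: one benign PDF, one disguised executable, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n% constructed document body\n")
        # "invoice.pdf.exe" shows as "invoice.pdf" when Explorer hides known extensions.
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 32)
        zf.writestr("notes.txt", b"plain text\n")
    return buf.getvalue()


def classify_entry(name: str, head: bytes) -> List[str]:
    """Return the reasons an archive entry looks like a disguised executable (empty if none)."""
    reasons = []
    basename = name.lower().rsplit("/", 1)[-1]
    exts = ["." + part for part in basename.split(".")[1:]]  # all extensions, in order

    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append("double extension disguising executable as document")

    # Content check: a PE file starts with the "MZ" DOS header regardless of its name.
    if head.startswith(b"MZ"):
        reasons.append("PE (MZ) header")
        if exts and exts[-1] in DOCUMENT_EXTENSIONS:
            reasons.append("document extension but executable content")
    return reasons


def suspicious_entries(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Map each suspicious entry name in the archive to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)  # only the header is needed for the magic check
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in suspicious_entries(build_sample_archive()).items():
        print(entry, "->", "; ".join(reasons))
```

The name check and the content check are deliberately independent: the name check catches the social-engineering trick the article describes, while the `MZ` check catches an executable that has been given a plain `.pdf` name and relies on the user launching it some other way.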

Once the files are encrypted, CryptoLocker displays a message demanding payment of $300 within 72 hours in order to obtain the private key needed to decrypt the files. Recently, the developers launched a new “service” in which victims can get their files decrypted after the deadline has passed. Reportedly, the cost is more than $2,000. So far, CryptoLocker has eluded antivirus software, Microsoft security updates and firewalls. That’s because it continually morphs into new variants that are difficult to detect. Even if antivirus software is able to detect it, it will already have begun encrypting files.

Law enforcement officials from the U.S. and other countries have managed to seize servers used for the CryptoLocker ransomware, although recent activity has been reported. According to the U.S. Department of Justice, CryptoLocker had infected nearly a quarter-million computers by April 2014, mostly in the U.S., with victims estimated to have paid more than $27 million in ransom in the first two months after the malware emerged.

CoinVault Adds Mind Games to the Equation

Cybercriminals have introduced a psychological component into a new form of ransomware called CoinVault. Like CryptoWall and CryptoLocker, CoinVault is a program that encrypts data and stores the key on a remote server. It also eliminates the Windows Volume Shadow Copy Service, making it impossible for users to restore the most recent autosaved version of the file.

CoinVault is different in that it shows the victim a list of encrypted files and allows the user to choose one file to have decrypted for free. Some security experts believe this functionality is offered to prove that files can actually be decrypted. CoinVault even shows a clock that counts down to the payment deadline. If the clock reaches zero and a bitcoin payment hasn’t been made, the cost for the key increases.
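Because CoinVault (like later CryptoWall builds) removes the Volume Shadow Copy data that would otherwise let a user roll files back, a process that tears down shadow copies is one of the few early, high-confidence signals a defender gets before the ransom screen appears. The following Python script is an added example for this article, not code from the page or from any vendor it names: it runs a small set of detection patterns over constructed process-creation records (timestamp, user, parent process and command line, in a made-up pipe-separated layout) and reports shadow-copy deletions together with the parent process that launched them. The log lines, user names and process names are all constructed; the patterns match the documented Windows commands that remove or shrink shadow copies.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events: "timestamp|user|parent process|command line".
SAMPLE_EVENTS = [
    "2014-11-03T09:12:01|alice|explorer.exe|C:\\Windows\\System32\\notepad.exe C:\\Users\\alice\\notes.txt",
    "2014-11-03T09:14:22|alice|explorer.exe|C:\\Windows\\System32\\vssadmin.exe list shadows",
    "2014-11-03T09:15:07|alice|invoice.pdf.exe|C:\\Windows\\System32\\vssadmin.exe Delete Shadows /All /Quiet",
    "2014-11-03T09:15:09|alice|invoice.pdf.exe|C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy delete",
    "2014-11-03T10:00:00|SYSTEM|services.exe|C:\\Windows\\System32\\svchost.exe -k netsvcs",
]

# Command lines that remove shadow copies or shrink the storage that holds them.
# Listing shadows is a normal administrative action and is deliberately not matched.
SHADOW_DELETION_PATTERNS = {
    "vssadmin delete shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    "wmic shadowcopy delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
    "vssadmin resize shadowstorage": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.IGNORECASE),
}


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed event line into its four fields."""
    timestamp, user, parent, command = line.split("|", 3)
    return {"timestamp": timestamp, "user": user, "parent": parent, "command": command}


def flag_shadow_copy_deletion(lines: List[str]) -> List[Dict[str, str]]:
    """Return every event whose command line matches a shadow-copy deletion pattern."""
    hits = []
    for line in lines:
        event = parse_event(line)
        for rule_name, pattern in SHADOW_DELETION_PATTERNS.items():
            if pattern.search(event["command"]):
                hits.append({**event, "rule": rule_name})
                break  # one alert per event is enough
    return hits


def parents_to_triage(hits: List[Dict[str, str]]) -> List[str]:
    """Unique parent processes behind the alerts, which is where an analyst should look first."""
    seen: List[str] = []
    for hit in hits:
        if hit["parent"] not in seen:
            seen.append(hit["parent"])
    return seen


if __name__ == "__main__":
    alerts = flag_shadow_copy_deletion(SAMPLE_EVENTS)
    for alert in alerts:
        print(f'{alert["timestamp"]} [{alert["rule"]}] parent={alert["parent"]} cmd={alert["command"]}')
    print("parents to triage:", parents_to_triage(alerts))
```

The parent process is carried through on purpose: backup software and administrators do occasionally delete shadow copies, so the command alone is a strong but not perfect signal, whereas the same command launched from a freshly executed attachment named like a document is the combination that warrants isolating the machine.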

Although many hackers using these three ransomware programs have provided the key needed to decrypt files after the ransom is paid, some victims have reported that they did not receive the decryption key. Because there is no guarantee that criminals will live up to their end of the deal, US-CERT is urging victims not to give in to extortion but rather to report the incident to the FBI’s Internet Crime Complaint Center.