Ransomware – The Evolving Face of Spyware
Traditionally, spyware and viruses have been mostly a nuisance as far as your PC or laptop is concerned. You might notice that your system is sluggish, and you might have to clean up or even rebuild your operating system, or, worst case, pay someone to perform the cleanup and spyware removal for you if you don't know how to do it yourself. Recently, however, a new and far more malicious kind of malware has started appearing on unprotected PCs, and its payload is far more dangerous and far more costly to recover from than anything before it. Its name, ransomware, says it all: it is malicious software that takes over your data or your system itself and holds it hostage until you hand over your hard-earned money to the criminal who infected your PC, in exchange for your data or for access to your computer. Strictly speaking it is a category of its own rather than spyware, because it does not need to steal anything to make money; it only needs to deny you access to what is already yours.
With threats like this in the wild, it is prudent to be aware of how you could become infected, what you can do to protect your data and your PCs, and what you should do if you suspect your computer has been compromised.
What are Some Examples of Ransomware?
Two recent examples of ransomware that have infected systems over the last few months are the National Security Agency Virus (also known as the MoneyPack Virus, after the payment method it demands) and the Cryptolocker Virus. They represent the two main families of ransomware: screen lockers, which block access to the system but leave the data intact, and crypto-ransomware, which encrypts the data itself.
The National Security Agency Virus plays off the news coverage of NSA surveillance of American citizens that has filled headlines over the last few months. Similar in effect to the FBI Virus of 2012, the NSA Virus gets onto a system via a Trojan horse approach: the user of the PC clicks on an infected file or hyperlink, and the virus payload is then installed on the system. The file or link carrying the virus might be on a compromised website, in a spam email attachment, in a torrent download, or in compromised social media content.
Once installed, the NSA Virus embeds itself deeply in the user profile as well as in the base operating system of the PC. At boot, the system will not let the user into the operating system; instead, an official-looking splash screen is displayed stating that the machine has been "locked" by the NSA because inappropriate content was detected on it. The splash screen instructs the user to pay a $300 fee via Green Dot MoneyPak (hence the "MoneyPack Virus" name) in order to have access to the system restored. Note that this variant only blocks access: it does not encrypt the files on the disk, which is why recovery without paying is possible.
Once resident, the NSA Virus is difficult to remove, and successful removal might involve deleting the infected user profile, deep-scanning the system with up-to-date virus removal software, manually extracting malicious files and registry entries, restoring the system to a point before the infection, or even a complete rebuild of the system. Some or total data loss is possible, and the best bet is to avoid infection in the first place. Compared to Cryptolocker, however, the NSA Virus offers a far better chance of recovering both data and system, because the files themselves are untouched and can be copied off the disk (for example by booting from rescue media) before any cleanup or rebuild.
The Cryptolocker Virus is also delivered via a Trojan horse vector, most commonly an email attachment. Often the attachment is presented as a PDF, a voicemail, a Word document, and so on, but it is in fact an executable, frequently packed in a zip file and given a double extension such as .pdf.exe so that Windows, which hides known file extensions by default, shows only the harmless-looking part of the name. Cases of the email appearing to come from a sender known to the recipient have been reported. The user, in opening the attachment, infects the system. Once run, the virus installs itself in the local user profile and writes registry entries so that it starts again after a reboot. It then "phones home" to command and control servers on the Internet, which generate a 2048-bit RSA key pair for that victim and send back only the public key; the private key stays with the criminals. The virus uses that public key to lock the files: each document is encrypted with its own symmetric key, and that key is in turn encrypted with the public key, so nothing left on the PC can undo it. It targets documents by file type (Office files, PDFs, images and the like) on the local hard drive and on every network or USB drive the system can reach; it leaves the operating system itself bootable, which is how the ransom note gets displayed.
The encryption of network drives makes Cryptolocker particularly dangerous in a business network, because it can encrypt data housed on file servers that are never themselves infected: anything the infected user's account can write to over a mapped drive is fair game. In a remarkably short time, large volumes of data can be encrypted. Once encryption of all reachable drives is complete, a splash screen appears on the computer informing the user that their data has been encrypted.
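To make the "large volumes in a short time" point useful from the defender's side, here is an added example (not from the original article and not a Thrive Networks tool) of a small Python detector that watches file-server write events for the signature of a mass-encryption run: one account rewriting many distinct files within a few seconds with content that looks like ciphertext (high byte entropy) rather than documents. The event format, the thresholds and the sample events are all constructed for the example; a real deployment would feed it from the file server's audit log.

```python
"""Added example: spotting an in-progress mass-encryption run on a file share.

Crypto-ransomware working through a mapped drive produces a burst of writes
from ONE user that (a) touch many distinct files in a short window and
(b) replace readable content with high-entropy bytes. This toy detector
applies both heuristics to constructed audit events. The event tuple layout
and the thresholds are assumptions, not any product's log format.
"""
import math
import os
from collections import defaultdict, deque


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for English text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_sample_events():
    """Constructed events: (timestamp_seconds, user, path, first_bytes_written)."""
    text = b"Quarterly figures: revenue up 4% on the prior period, costs flat.\n" * 16
    events = []
    # Normal editing: one user saving a handful of documents minutes apart.
    for i in range(5):
        events.append((100 + i * 40, "alice", f"\\\\fs01\\finance\\report{i}.docx", text))
    # Ransomware burst: one user rewriting 40 files with random bytes in 8 seconds.
    for i in range(40):
        events.append((300 + i * 0.2, "bob", f"\\\\fs01\\finance\\client{i}.xlsx", os.urandom(1024)))
    return sorted(events)


def detect_burst(events, window_s=10.0, min_files=20, min_entropy=7.0):
    """Return {user: (window_start_ts, distinct_files)} for every user who wrote
    high-entropy content to at least `min_files` distinct files inside some
    `window_s`-second sliding window. Each user is reported once, at the
    moment the threshold is first crossed."""
    recent = defaultdict(deque)   # user -> deque of (ts, path) still inside the window
    alerts = {}
    for ts, user, path, head in sorted(events):
        if shannon_entropy(head) < min_entropy:
            continue              # readable content, not ciphertext
        q = recent[user]
        q.append((ts, path))
        while q and ts - q[0][0] > window_s:
            q.popleft()           # slide the window forward
        distinct = {p for _, p in q}
        if len(distinct) >= min_files and user not in alerts:
            alerts[user] = (q[0][0], len(distinct))
    return alerts


if __name__ == "__main__":
    for user, (start, count) in detect_burst(build_sample_events()).items():
        print(f"ALERT: {user} rewrote {count} files with ciphertext-like "
              f"content starting at t={start}s; disconnect the host and "
              f"check which shares that account can write to")
```

In the sample data the alert fires on bob's twentieth write, about four seconds into the burst, while alice's ordinary saves never trip the entropy check. Because the file server is never infected itself, the useful response is to cut the offending account's session and network access, then restore the touched files from a backup the account could not write to.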
The virus itself is easily removed, but removing it does not recover anything: without the private key held by the criminals, the files cannot be decrypted. The ransom is $300, and you generally have 72 hours to pay it. If you miss that deadline, the criminals have lately offered a "decryption service" on a hidden Tor site that returns the key for 10 Bitcoins (approximately $2,000 at current rates). Unofficial numbers suggest that paying the ransom works 80-90% of the time, but there is no guarantee. The only dependable way back is a backup that the virus could not reach.
An Ounce of Prevention
It is always best to avoid malware infection of your PC or laptop, but with ransomware this is especially true. Once infected, removal is either extremely difficult and liable to cause data loss (NSA Virus) or, as far as the data is concerned, impossible unless the ransom is paid or a clean backup exists (Cryptolocker). To avoid being infected, Thrive Networks offers the following tips, which should be followed and shared with all users in a business environment:
- Be suspicious of strange emails, especially ones with attachments and hyperlinks! If the subject line is generic ("This is funny!", "Check this out", "Important"), misspelled, or unusual, do not open the attachment. If you don't recognize the sender, do not open the attachment. If you do recognize the sender but something seems off, send the person a separate note asking whether they meant to send the email in question, but do not forward the email to them, lest you expose them to the virus in the process.
- If you are on a web site you do not know well, do not click on ads or links on the page.
- If you are a social media user, be aware that games, apps, add-ons and other ancillary elements of the social media experience are the parts of the platform most likely to be compromised with malware, so take care if you use them.
- Have anti-virus / anti-spyware software installed on your PC, keep it up to date, and run scans regularly as well as using real-time protection. Features such as web security and email scanning are ideal as well, if the product you are using offers them.
- Keep regular backups of your data on media that is disconnected after each backup, or on a service that keeps older versions. Cryptolocker encrypts every drive the infected account can write to, so a permanently attached USB drive or an always-mapped backup share will be encrypted along with everything else. For the same reason, give users write access only to the network shares they actually need.
- Vigilance is key! As the user of the PC you know how it behaves and what seems odd. If something seems off, take action: disconnect from the network, scan the system with anti-virus software, or contact a professional for assistance.
It is clear that malware creators are upping the ante and looking for ways to use their malicious software to generate revenue. Ransomware is likely to continue; new versions will be created, and they will evolve into new forms in an effort to trick PC users into infecting themselves with a virus that extracts money from their wallets to resolve. Stay alert, and if you think you have been infected, or if you see a new variant of ransomware, please reach out to Thrive Networks to report it.