Crypto-mining takes over from ransomware as fastest growing threat

Crypto miners take over from ransomware


With the invention of bitcoin, ransomware became practical. Before bitcoin it was difficult for the bad guys to get paid, as it was easy to follow the money back to them; with bitcoin it is very difficult, if not impossible, to follow the money. Ransomware is a form of virus or malware that infects a computer and encrypts all of your documents, pictures and even the music and videos on your computer, and generally then goes out over the network and encrypts any other resources that it can find. The criminals then ask for money in exchange for the keys to decrypt your information. This has been the single biggest problem for a number of years, and there are many knock-off versions of the original that were not as well written as the first and have caused even more problems: even after paying the ransom, people have not got their data back due to errors in the process.


Update to the new Ransomware

For the original post see: http://www.cc-computers.com/?p=241

In the original post I talked about the new ransomware that is taking hold all over the world. It has even hit a police station in America that had to pay the “fee” to get back their data.

The latest version of this virus now takes advantage of all the help that has been available online to “improve their product”. If you thought that you could get your data back through shadow copies (also known as previous versions), think again: the virus now encrypts those too.

Here is what it does now; it is the same as before, only improved.

Currently the infection vector is an email attachment: usually a zip file or a pdf that is actually an exe file, but as most people have “Hide extensions for known file types” ticked you would not normally see it. You will see filename.pdf when the actual filename is filename.pdf.exe. I expect that this will change or be improved on as well, with links in emails, other file types, etc.
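As an added example (not part of the original post), the snippet below models what Explorer shows with the extension-hiding option ticked and flags attachment names whose real extension is executable but whose displayed name looks like a document. The extension sets and the sample filenames are constructed for illustration.

```python
import os

# Representative subset of extensions Windows runs directly (assumption: the
# full list lives in PATHEXT and the Explorer file-type registry).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Document-like extensions the victim is meant to *think* they are opening.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx",
                       ".jpg", ".png", ".txt", ".zip"}


def explorer_display_name(filename: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' ticked:
    the final known extension is stripped, so 'invoice.pdf.exe' reads 'invoice.pdf'."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() in EXECUTABLE_EXTENSIONS | DOCUMENT_EXTENSIONS:
        return stem
    return filename


def is_deceptive_double_extension(filename: str) -> bool:
    """True when the real (last) extension is executable while the name that
    remains after hiding it ends in a document extension."""
    stem, real_ext = os.path.splitext(filename)
    _, shown_ext = os.path.splitext(stem)
    return (real_ext.lower() in EXECUTABLE_EXTENSIONS
            and shown_ext.lower() in DOCUMENT_EXTENSIONS)


def flag_attachments(names):
    """Return the attachment names a mail gateway should quarantine."""
    return [n for n in names if is_deceptive_double_extension(n)]


# Constructed sample attachment names, not real samples.
SAMPLE_ATTACHMENTS = ["invoice.pdf.exe", "photo.jpg", "Scan.JPG.scr", "setup.exe"]
```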

When you open this file it infects your computer and immediately contacts a server from a list of around 1000 possible domain names generated through an algorithm. When it finds a live server it exchanges details with it and starts the encryption process. At this point it doesn’t let you know that you have been infected, and it is not picked up by most antivirus software. The first version would finish its work without being interrupted by antivirus software.
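A machine working through a list of algorithm-generated domain names leaves a trail in resolver logs: a burst of failed lookups (NXDOMAIN) for random-looking names from one client. As an added example (not from the original post), this detector runs over a constructed sample log; the log format, entropy cut-off and burst threshold are assumptions to tune against your own baseline.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real traffic), one query per line:
#   <epoch seconds> <client ip> <queried name> <response code>
SAMPLE_DNS_LOG = """\
1700000000 10.0.0.5 www.bbc.co.uk NOERROR
1700000001 10.0.0.5 mail.example.com NOERROR
1700000002 10.0.0.7 qxjvwbhtnkmzpa.net NXDOMAIN
1700000002 10.0.0.7 rplkcdmfwyuxhg.biz NXDOMAIN
1700000003 10.0.0.7 bgtzwqplmnkcva.org NXDOMAIN
1700000003 10.0.0.7 vkhpwqzmcjylxr.info NXDOMAIN
1700000004 10.0.0.7 sdnwqlvpkmzyxc.com NXDOMAIN
1700000005 10.0.0.7 kmdjqwpzlvbxgn.ru NXDOMAIN
1700000010 10.0.0.9 intranet.corp.local NXDOMAIN
"""

def shannon_entropy(label: str) -> float:
    """Bits per character of a DNS label; machine-generated labels score high."""
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def parse_dns_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        ts, client, qname, rcode = line.split()
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.lower(), "rcode": rcode})
    return records

def find_dga_suspects(records, window=60, threshold=5, min_entropy=3.0) -> dict:
    """Map client -> peak number of NXDOMAIN answers for high-entropy names
    within any `window` seconds; only clients reaching `threshold` are returned."""
    failures = defaultdict(list)
    for r in records:
        first_label = r["qname"].split(".")[0]
        if r["rcode"] == "NXDOMAIN" and shannon_entropy(first_label) >= min_entropy:
            failures[r["client"]].append(r["ts"])
    suspects = {}
    for client, stamps in failures.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            burst = sum(1 for t in stamps[i:] if t - start <= window)
            if burst >= threshold:
                suspects[client] = max(suspects.get(client, 0), burst)
    return suspects
```

An ordinary typo such as `intranet.corp.local` fails the entropy cut-off, so one mistyped name does not raise an alert; only the sustained run of random names does.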

It encrypts all user content that it can find on your PC, on mapped network drives and on any shares that it can find on the network, as well as the data of file sharing programs such as box.net and Dropbox. It also encrypts any shadow copies and backups that it can get to. When it has finished its work it pops up a message to tell you what it has done; it even gives you a list of the files that it has encrypted so that you can verify that they are your files. It then gives you a countdown timer starting at around 72 hours. You have this amount of time to pay the fee and get your files back. Where the old version used to just delete the key if you didn’t pay up in time, the new version gives you a discount for paying within the time frame. Currently it is 1/2 bitcoin (which is now about £500). If you fail to pay in time then it goes up to 10 bitcoin (about £5000). This “service” is available for an extended amount of time.

In short, get yourself protected and keep offline backups and redundant copies.

CritchCorp Computers Ltd.


New ransomware takes hold

New ransomware has been taking hold of businesses and households around the world. Be very careful with the email attachments that you open, although this is probably only the first wave; they will find other ways to get to you.

What’s new about this virus then? This virus (actually it is a malware strain called ransomware, named that for a very good reason) is an example of modern encryption done right. They have created a perfect system that can encrypt your data using public key technology that cannot be cracked!!

How does it work? Well, at the moment you get an email about something that is relevant to you (that’s how they trick you into opening the attachment, or clicking the link). Once the software is running, it quickly establishes a connection to its command and control server, where it generates a random encryption key specifically for your system. This type of encryption is particularly clever, as the key that encrypts your data cannot be used to decrypt it without the other part that is held on the command and control server (it never gets sent to your computer, so there is no record of it for you to find). It then searches your computer and network, any backup drives you have access to, in fact any resource that contains user created data, and encrypts them all! Any evidence of the key locally is then destroyed and a page pops up to inform the user that they have been robbed! It can show you a list of the files you once had so that you can verify the threat is real, and then gives you the ultimatum: pay $300 (or 300 of your local currency) or lose your data; you have 72 hours to make your mind up. After 72 hours have passed the only key that could decrypt your data, which is on the command and control server, is deleted, permanently!

If you do not have any backups of your data and you need it, then you have no choice but to pay up, and thousands of people and businesses have done so. They have also been very clever with the payment method, as they cannot be tracked through the payment either. When law enforcement finds the servers and takes them offline, the only people hurt are the people who now cannot get their data back. The bad guys keep their command and control servers moving around, and those servers are not needed for the payment loop; they just create and hold the keys to your data.

The other point on this is that they seem to have written the encryption part exceptionally well; not so good is the decryption side of the program, with reports that not all, and in some cases none, of the data is returned, and there is nothing you can do to get it back.

Be careful and watch this space as it will only get worse!!