Ransomware: The Digital Kidnap
Updated: May 2, 2020
In a recent variant of the Zeus botnet, a ransomware feature was added.
What is Ransomware?
Ransomware is a unique class of malware. Its main purpose is to extort money by restricting access to the victim's computer. The restriction will only be lifted when the "ransom" is paid. The concept is similar to kidnapping in the real world, except that it is digital assets rather than humans that are held for ransom.
How Does It Work?
The kidnap (payload) can be performed in a variety of ways.
Lock down access to certain computer functions, e.g. no Internet access, or the OS is not allowed to start.
Encrypt all data (this is evil and scary).
Do nothing but display fake notices demanding payment for removal of the ransomware.
In the case of the Zeus variant, it isn't as nasty as encrypting all your data. What it does is restrict access to the Internet and open Internet Explorer to a certain webpage. (The webpage is currently down. However, it is likely to extort money by coaxing victims that their Internet access will be restored once the ransom is paid. It is also likely to include payment instructions.)
The good news for this variant is that the ransomware feature isn't sophisticated. In fact, by tweaking the registry, you will be able to recover your Internet access.
After the initial payload, it will attempt to display notices on how to pay the ransom. The demand for "ransom" can be displayed in a variety of ways:
Pop-up display;
Opening your browser and directing you to a certain webpage that shows the demand;
Spamming text files all over your directories; etc.
I have personally encountered one ransomware before. After the infection, it encrypted all my data and displayed the following text message in the form of a .txt file in all my directories.
Some files on your machine are encrypted and your private informations were collected and sent to us. To decrypt files so you could use them again, you have to buy our decryptor. After you buy decryptor, your files will be decrypted, and we will destroy your private informations from our system, and help you remove malicious software from your system. To buy decryptor, contact us at: xxx[at]gmail.com or xxx[at]yahoo.com If you don't contact us, your private informations will be shared and you will loose all your data.
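A note spammed into every directory, as described above, leaves a recognisable footprint: the same small .txt file in many folders. The following Python script is an added example, not code from the original post. It walks a directory tree, hashes small .txt files that contain ransom-note wording, and reports any file whose identical content appears in several directories. The keyword list and the sample tree it builds (loosely modelled on the note quoted above) are constructed for the demonstration.

```python
"""Detect ransom-note spam: identical small .txt files dropped into many directories."""
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed keyword list (assumption, not from the original post).
NOTE_KEYWORDS = ("decrypt", "ransom", "bitcoin", "buy our", "your files")


def find_ransom_note_spam(root, min_dirs=3, max_bytes=4096):
    """Return {sha256: [paths]} for small .txt files that mention a keyword and
    whose identical content appears in at least `min_dirs` distinct directories."""
    seen = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".txt"):
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # real notes are short; skip large documents
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: not our concern here
            text = data.decode("utf-8", "ignore").lower()
            if not any(k in text for k in NOTE_KEYWORDS):
                continue
            seen[hashlib.sha256(data).hexdigest()].append(path)
    # Keep only hashes spread across enough distinct directories.
    return {h: p for h, p in seen.items()
            if len({os.path.dirname(x) for x in p}) >= min_dirs}


def build_sample_tree():
    """Constructed sample: one note copied into 4 folders plus two benign .txt files."""
    root = tempfile.mkdtemp(prefix="ransom-demo-")
    note = b"Some files on your machine are encrypted. To decrypt them, buy our decryptor.\n"
    for sub in ("Documents", os.path.join("Documents", "Work"), "Pictures", "Desktop"):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, "HOW_TO_RECOVER.txt"), "wb") as fh:
            fh.write(note)
    with open(os.path.join(root, "Documents", "notes.txt"), "w") as fh:
        fh.write("Buy milk, call mum\n")  # no keyword
    with open(os.path.join(root, "Desktop", "todo.txt"), "w") as fh:
        fh.write("decrypt the meaning of this poem\n")  # keyword, but only one copy
    return root


if __name__ == "__main__":
    for digest, paths in find_ransom_note_spam(build_sample_tree()).items():
        print(f"{digest[:12]}... dropped in {len(paths)} directories: {paths}")
```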
Sometimes, the ransomware includes other payloads. Such payloads can be:
A keylogger (to further entice you to pay the ransom in return for deleting your credentials off their server); or
How does the ransomware spread?
They spread via conventional methods such as drive-by downloads, PDF exploits, autorun, malicious email, etc.
What Do I Do If I Get Infected?
Attempt removal of the ransomware, e.g. using antivirus.
Search online about the ransomware to see if there is any way to reverse its effect (but don't bank too much on this; malware writers are getting more clever and sophisticated nowadays).
Once removal is complete, change all the credentials you have (just in case the ransomware contains a keylogger).
What Should I Not Do When I Get Infected?
NEVER plug in any other removable devices.
The reason is that some ransomware spreads through removable devices such as thumb drives. By plugging one in, you are risking the data on the thumb drive, and if you then plug the thumb drive into another computer, you are risking that computer too.
What Are Some Proactive Actions I Can Take to Ensure I Can Recover My Data If I Get Infected by Ransomware One Day?
BACKUP. BACKUP. BACKUP. Always back up critical data. It is better if it is stored in another location, disconnected from the computer.
Be vigilant. Disable autorun on your computer. Update your PDF reader to the latest version (to reduce the attack surface). Update your virus definitions on a regular basis.
Some Interesting Facts About the Ransom
Unlike kidnappings shown on TV, the ransom demand is usually a reasonable price, e.g. 60 Euro. The reason is that they want to entice the victim to pay the ransom. If they asked for something like 1 million or 10 million, as in a TV drama, the victim would simply accept the loss of access/data and carry on with life. With a reasonable price, the victim is more likely to be tempted to pay the ransom to get back the access/data. However, paying the ransom does not guarantee you will get back your data/access. They are criminals; they can take your money and ignore your request.
They usually ask for payment via Western Union rather than PayPal, where their account would be closed down after an abuse report by the victim. Chances are that the account would be frozen and they would not be able to get the money.
Tan Jun Hao.