A ransomware feature was added in a recent variant of the Zeus botnet. So, what exactly is ransomware?
Well, ransomware is a unique class of malware. Its main purpose is to extort money by restricting access to the victim's computer. The restriction will only be lifted when the "ransom" is paid. Its concept is similar to real-world kidnapping, except that it is digital assets rather than humans that are held.
How does it work? The kidnap (payload) can be performed in a variety of ways:
Lock down access to certain computer functions, e.g. no Internet access, or the OS is not allowed to start.
Encrypt all data (this is evil and scary).
Do nothing but display fake notices demanding payment for removal of the ransomware.
So in the case of the Zeus variant, it isn't as nasty as encrypting all your data. What it does is restrict access to the Internet and open Internet Explorer to a certain webpage. (The webpage is currently down. However, it is likely to extort money by coaxing victims into believing that their Internet access will be restored once the ransom is paid. It is also likely to include payment instructions.)
The good news for this variant is that the ransomware feature isn't sophisticated. In fact, by tweaking the registry, you will be able to recover your Internet access.
After the initial payload, it will attempt to display notices on how to pay the ransom. The demand for "ransom" can be displayed in a variety of ways:
Pop-up display;
Opening your browser and directing it to a certain webpage that shows the demand;
Spamming text files all over your directories; etc.
I have personally encountered one ransomware before. After the infection, it encrypted all my data and displayed the following text message, in the form of a .txt file, in all my directories.
"Some files on your machine are encrypted and your private informations were collected and sent to us. To decrypt files so you could use them again, you have to buy our decryptor. After you buy decryptor, your files will be decrypted, and we will destroy your private informations from our system, and help you remove malicious software from your system.
To buy decryptor, contact us at: firstname.lastname@example.org or email@example.com
If you don't contact us, your private informations will be shared and you will loose all your data."
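The note-spamming behaviour described above, the same text file dropped into every directory, is something a defender can look for. The following is an added example, not code from the original post: it flags small .txt files with identical content that appear in several different directories. The size limit, the directory threshold and the file name HOW_TO_DECRYPT.txt in the sample data are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

MAX_NOTE_BYTES = 64 * 1024  # assumption: ransom notes are small text files
MIN_DIRS = 3                # assumption: same content in >= 3 folders is suspicious


def find_replicated_notes(root, min_dirs=MIN_DIRS, ext=".txt"):
    """Return {sha256: sorted paths} for identical small text files that
    appear in at least `min_dirs` different directories under `root`."""
    dirs_by_hash = defaultdict(set)
    paths_by_hash = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(ext):
                continue
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                # Skip symlinks, empty files (they all hash alike) and big files.
                if os.path.islink(path) or not 0 < size <= MAX_NOTE_BYTES:
                    continue
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # unreadable or vanished file: skip, keep scanning
            dirs_by_hash[digest].add(dirpath)
            paths_by_hash[digest].append(path)
    return {h: sorted(paths_by_hash[h])
            for h, dirs in dirs_by_hash.items() if len(dirs) >= min_dirs}


def build_constructed_tree(root):
    """Constructed sample data: one note copied into 4 folders, plus normal files."""
    note = b"Some files on your machine are encrypted ... (constructed sample)\n"
    for i, sub in enumerate(["docs", "pics", "music", os.path.join("docs", "work")]):
        folder = os.path.join(root, sub)
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, "HOW_TO_DECRYPT.txt"), "wb") as fh:
            fh.write(note)
        with open(os.path.join(folder, "notes.txt"), "wb") as fh:
            fh.write(b"ordinary file %d\n" % i)
    return note


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        for digest, paths in find_replicated_notes(tmp).items():
            print(digest[:12], len(paths), "copies, e.g.", paths[0])
```

Legitimate files such as licence or README text can also repeat across folders, so a hit is a prompt to read the file, not proof of infection.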
Sometimes the ransomware includes other payloads. Such a payload can be:
Keylogger (to further entice you to pay the ransom in return for deleting your credentials off their server);
How does the ransomware spread?
It spreads via conventional methods such as drive-by downloads, PDF exploits, autoruns, malicious email, etc.
What should I do when I get infected?
Attempt removal of the ransomware, e.g. using antivirus software.
Search online about the ransomware to see if there is any way to reverse its effects. (But don't bank too heavily on this. Malware writers are getting more clever and sophisticated nowadays.)
Once removal is complete, change all the credentials you have (just in case the ransomware contains a keylogger).
What should I not do when I get infected?
NEVER plug in any other removable devices.
The reason is that some ransomware spreads through removable devices such as thumb drives. By plugging one in, you are risking the data on the thumb drive. If you then plug the thumb drive into another computer, you are risking the other computer too.
What are some proactive actions I can take to ensure I can recover my data if one day my computer is infected with ransomware?
BACKUP. BACKUP. BACKUP. Always back up critical data. It is better if the backup is stored in another location, disconnected from the computer.
Be vigilant. Disable autorun on your computer. Update your PDF reader to the latest version (to reduce the attack surface). Update your virus definitions on a regular basis.
Some interesting facts about the ransom
Unlike kidnaps shown on TV, the ransom demand is usually a reasonable price, e.g. 60 Euro. The reason is that they want to entice the victim to pay the ransom. If they set it at something like 1 million or 10 million, as in a TV drama, the victim will simply ignore the loss of access/data and carry on with life. With a reasonable price, the victim is more likely to be tempted to pay the ransom to get back the access/data. However, paying the ransom does not imply you will get back your data/access for sure. They are hackers/malware writers. They can possibly take your money and ignore your request.
They usually ask for payment via Western Union rather than PayPal, where their account would surely be closed down after an abuse report by a victim. Chances are that their account would be frozen and they would not be able to get the money.