Ransomware Viruses: Am I Infected?

Featured article by Stu Sjouwerman is the founder and CEO of KnowBe4

It’s fairly straightforward to find out if you are affected by a ransomware virus. The symptoms are as follows:

– You suddenly cannot open normal files and get errors such as the file is corrupted or has the wrong extension.

– An alarming message has been set to your desktop background with instructions on how to pay to unlock your files.

– The program warns you that there is a countdown until the ransom increases or you will not be able to decrypt your files.

– A window has opened to a ransomware program and you cannot close it.

– You have files with names such as HOW TO DECRYPT FILES.TXT or DECRYPT_INSTRUCTIONS.HTML

Here is an example of a Ransomware Screen, the infamous CryptoLocker:

Infection Vectors:

In order to become infected by a strain of Ransomware, a user will have to have at least downloaded and run some sort of file.

Email Vector:

By far the most common scenario involves an email attachment disguised as an innocuous file. Many times hackers will send a file with multiple extensions to try to hide the true type of file you are receiving. If a user receives an email with an attachment or even a link to a software download, and they install or open that attachment without verifying its authenticity and the sender’s intention, this can lead directly to a ransomware infection. This is the most common way ransomware is installed on a user’s machine.

File Extension sidebar

How do hackers obfuscate file extensions? File Extensions are the last three parts of a filename after the period. A file may be called note.txt where the “.txt” section determines the type of file and what program opens it.

The reason this is important in ransomware, is often times your computer will be set to hide file extensions. Let’s say someone sends you a file called “Payroll Accounts.xls”. Often your email will show the file extension, but when you download the file, you may not see the extension anymore. The “Payroll Accounts.xls” file is actually “Payroll Accounts.xls.exe”. This is a simplified example, since there are other ways to get around this. A hacker may include a Zip file called “Family photos” that contains multiple files inside with altered extensions. Your email program only sees a Zip file, but in reality the Zip file contains a single file called “photo_album.jpg.exe”.

The last thing to realize is that .exe files are not the only dangerous type of file out there. The following is a short list of potentially dangerous file types: .exe, .bat, .cmd, .com, .lnk, .pif, .scr, .vb, .vbe, .vbs, .wsh, .jar

Drive-by-Download

Increasingly, infections happen through drive-by downloads, where visiting a website with a compromised or old browser or software plug-in or an unpatched third party application can infect a machine. A typical office worker is constantly using various types of software on a daily basis. Often, a hacker will discover a bug in a piece of software that can be exploited to allow the execution of malicious code. Once discovered, these are usually quickly caught and patched by the software vendor, but there is always a period of time where the software user is vulnerable.

Free Software Vector

Another common way to infect a user’s machine is to offer a free version of a piece of software. This can come in many flavors such as “cracked” versions of expensive games or software, free games, game “mods”, adult content, screensavers or bogus software advertised as a way to cheat in online games or get around a website’s paywall. By preying on the user in this way, the hackers can bypass any firewall or email filter. After all, the user downloaded the file directly themselves! A recent Ransomware attack exploited the popularity of the game Minecraft by offering a “mod” to players of Minecraft. When they installed it, the software also installed a sleeper version of ransomware that activated weeks later.

One method hackers will use to install malicious software on a machine is to exploit one of these unpatched vulnerabilities. Examples of exploits can range from vulnerabilities in an un-patched version of Adobe Flash, a bug in Java or an old web browser all the way to an un-patched operating system.

Protecting yourself against ransomware

Protecting your network from these types of attacks is an integral part of any network security framework for both individuals and companies. Protecting yourself requires securing your main layers of defense by utilizing Security Awareness Training and Antivirus/anti-phishing software.

Think of your computer network as a series of layers. The outermost layer is the user. It takes user action to initiate or allow a network intrusion. Your secondary and tertiary layers (firewalls and antivirus) come into play after a user has clicked or visited a malicious link. Software alone cannot be relied upon as a catch-all for these types of situations. Users must be trained to prevent such attacks from happening in the first place.

Security Awareness Training

“People are used to having a technology solution [but] social engineering bypasses all technologies, including firewalls. Technology is critical, but we have to look at people and processes. Social engineering is a form of hacking that uses influence tactics.”
-Kevin Mitnick

IT professionals understand that simple knowledge of red flags to be aware of can make a huge difference in giving the ability to discern malicious links/software from legitimate traffic. The methods hackers and malware creators use to trick users are constantly changing. Users not only require the basics of IT and email security, but awareness of changing attack types and threat vectors. Not everyone is going to question the ambiguous origin of a well-crafted phishing email, especially with a juicy attachment like Q4 Payroll.zip. HR may receive 20 resumes a day, but only one of those needs to be malicious to cause an incident.

Increasingly, hackers and attacks utilize “social engineering” to entice or trick a user into installing or opening a security hole.

Phish your employees

Simulated phishing attacks that will let your IT group know who is vulnerable and train them to avoid potential harm. With simulated phishing campaigns, you can send fully randomized and completely customizable simulated phishing attempts to any number of users in your environment, making your users constantly on the lookout for these attacks. When they know that the organization is phishing them, they will pay extra attention to what is coming through their inbox. The consequence of clicking on a simulated phishing email is far less destructive than the alternative.

Software based protection: Anti-Virus, Anti-spam/phishing & Firewalls

Software based protection of every computer is vital. Microsoft has a feature called Software Restriction Policies that can be used in a secure environment to ONLY allow certain software as (defined in the policy) to run. There are certain directories that ransomware infections will typically start in, and by isolating these directories with a software restriction policy, you can cut down on the susceptibility of infections. For more information on Software Restriction policies, see our Ransomware Knowledgebase.

You can also reduce the chance of ransomware infections by using specialized software for scanning for these types of infections. Microsoft has developed a Cryptowall active alerter/scanner which will actively scan for ransomware-type activity and alert users. You can find it here. For a list of ransomware-specific prevention applications, see our Ransomware Knowledgebase

Backups

The last piece of the puzzle in any ransomware protection must include a regular backup of your files as well as a regularly TESTED restore procedure.

There are so many options available for both on-site backup and cloud-based backup, there is no excuse for not executing very regular backup. To help prevent your backups being compromised, you should always have an off-site or redundant backup in place. Do not overlook the fact you should be testing that your restoration of files actually works! Always ensure you have adequate access to your backup sources and a function restoration method in place (DropBox, Google Drive and OneDrive are not set up or designed to be a backup service).

You can get the complete hostage rescue manual on ransomware here – http://info.knowbe4.com/ransomware-hostage-rescue-manual-0. It also includes a Ransomware Attack Response Checklist and Ransomware Prevention Checklist.

Stu Sjouwerman is the founder and CEO of KnowBe4, which hosts the world’s most popular integrated Security Awareness Training and Simulated Phishing platform. Realizing that the human element of security was being seriously neglected, Sjouwerman teamed with Kevin Mitnick, the world’s most famous hacker, to help organizations manage the problem of cybercrime social engineering tactics through new school security awareness training. Sjouwerman is the author of four books, with his latest being Cyberheist: The Biggest Financial Threat Facing American Businesses.