Tuesday, May 24, 2016

Ransomware

On Twitter, Ltc Dan asks about the CryptXXX ransomware and whether it's a problem.  It is.

First, Ransomware.  This is a form of malware that looks for data files (Office documents, pictures, that sort of thing) and encrypts them.  It then tells you that it will decrypt them for you if you pay them the low, low price of $59.99 (or whatever).

Nice pictures of the kids you have there.  Be a shame if anything happened to it.

Like I said, nasty.  Enough people pay the ransom that there's an active development in these tools:
Upgrades made to CryptXXX ransomware over the past couple of weeks have rendered a previously available decryption tool useless.
First detected by Proofpoint's security researchers back in mid-April, CryptXXX is one of the newest ransomware variants to prey upon unsuspecting users.
The crypto-malware is currently being shipped as a Dynamic-Link Library (DLL) that is dropped by Bedep malware and the Angler exploit kit.
Once the infection cycle is complete, CryptXXX encrypts a number of different file types and appends the .CRYPT extension to each encrypted file. It then displays a ransom message that demands US $500 and warns the ransom fee will double in value if payment has not been received within a few days.
So what do you do to protect yourself?  You should have an antivirus installed on your Windows (and increasingly Macintosh) computer, but most antivirus is pretty bad at picking up newly released malware.  Basically, you're hoping that someone else will get hit before you do, and the antivirus will get updated to detect the new nasty before it discovers your PC.

More importantly, you should be backing up your data.  This way, if the ransomware hits you, you at least still have copies of the kid's pictures.  USB hard drives are cheap, so there's no reason not to do this every day (or at least every week).  Here's a 1 TB drive that retails for $59.  At that price, you can get two - as with concealed carry pistols, the rule for backups is "Two is one and one is none".

ASM826 does this sort of thing for a living - he may chime in here with his thoughts.  Or not.  ;-)

13 comments:

Eagle said...

Antivirus isn't sufficient: you need a memory-resident program that uses "rules" to determine which programs have the ability to manipulate files on your local Windows filesystem (and any "mapped" filesystem), and to prevent some program-based behaviors that it might think are acting against your best interests.

I use Malwarebytes. BP may remember Cisco's desktop security program (CSA). Malwarebytes also uses rules-based behavior processing which protects against most zero-day attacks (if the behavior isn't allowed, then it isn't allowed). With Bitdefender and Malwarebytes, I haven't been hit with either a virus or malware in, um, years.

Yeah, I've had to mark some programs as "allowed", but that's less of a bother than losing everything I own.

drjim said...

+1 for Malwarebytes!

Been using it on my Windoze systems for years.

Jeff B said...

A couple of our clients have been hit by variants of these Crypto-/Ransomware infections.

Thankfully, we are obsessive about inspecting the backup jobs, and that has saved our bacon a few times.

Other thing we've done or considered doing at clients:
1) Blocking EVERYONE from installing to C:\Program Files or C:\Program Files (x86). Yes, everyone, except the master Domain Admin account. Not even daily helpdesk techs are allowed to install to that path.

2) Block password-protected .zip files

3) Block macros in MS Office.

4) Disable USB ports on PCs.

It's a nasty bugger.

Best,
Jeff B

Aaron said...

Darn good info. Thanks. You wouldn't believe (ok, you probably would) how many of these malware infested emails (the ones with invoice attached, typically a .zip from an unknown contact that only a fool would fail to delete immediately) that I've been receiving lately.

Borepatch said...

Burt, I like Malwarebytes quite a bit, and recommended it in a post here quite some time back.

https://borepatch.blogspot.com/2009/11/recommended-security-tool-malwarebytes.html

And I do remember the Cisco Security Agent. ;-)

Jeff, not a lot of organizations can do that - I certainly couldn't do that for the Queen Of The World's computer. ;-)

Kristophr said...

Find the ransomeware a-holes website, and spam the payment fields with penta-bytes of garbage, hopefully containing bits of SQL code to nuke thier database, if they are stupid enough to unsanitize user input?

Nice victims database you got there. Too bad it has eight landfills-full of sewage in it now ...

Dan said...

Thanks for that. Wilco.

BC said...

Best way I have found to keep crap off the 'puter is:

1: Disable Java by default
-re-enable on a site-by-site basis if needed

2: Disable plugins, especially Flash by default
-re-enable on a site-by-site basis if needed

3: Run an ad-blocker

4: Don't open email attachments, don't download email attachemnts
-unless I know who it is from AND I am expecting it.

Jeff B said...

"4: Don't open email attachments, don't download email attachemnts
-unless I know who it is from AND I am expecting it."

That is wise advice indeed. I've told clients the same, and added the following: "If you aren't sure they sent it, then create a NEW email to that person -- don't just hit 'Reply' -- and ask them if they sent an attachment, what is the name of the attachment, and what is the size of the attachment. If they can't answer all three, don't open it."

The reality, as I think we all know, is that most computer infections (Malware, virus, ransomware) are because of end user actions. If we could just find a way to get people to stop touching their damn computers... :-D

Ruth said...

Not entirely random but only kinda off topic question for you all....

I was using Outpost Firewall, liked it quite a bit. Unfortunately they were bought out. I'm having trouble finding and picking a new firewall software.....any suggestions that won't cost me a fortune?

Borepatch said...

Ruth, it's been a long time since I really looked at firewalls. I really don't know who's good and who's not.

matism said...

For SOME people, Jeff B, that STILL would not be sufficient. After all, there are some people out there who will forward stuff WITHOUT determining whether or not it is bad shiite. And they are still quite likely to be able to answer those three questions. Much to your chagrin.

SiGraybeard said...

So... let's say one does backups faithfully (religiously?), and we end up with a ransomware hijacking. How do you know to trust your backups? Do they sit quietly on a machine for some amount of time before springing the trap door? Is there a chance the backup is corrupted? Or that they "see" backups are happening and use that to make the attack more vicious?