Some of the nastiest malware going around is the family of CryptoLocker and CryptoWall variants that encrypt all your personal files and hold them for ransom. Payment in bitcoin is demanded, in amounts starting around $200 and ranging up to the $17,000 (40 BTC) that Hollywood Presbyterian Hospital just paid to unlock its files, or even more. The amount will be whatever the attackers think they can extract from the victim.
- The latest variant, called Locky, encrypts everything and then changes the extension on every file to .locky. It arrives as an email with a Word attachment whose text is intentionally a jumble of letters, along with instructions to enable macros to unscramble the message. This is a ruse: enabling macros simply runs the embedded macro code, which installs the malware on the affected system. You can read more about it on Naked Security.
- And for all the Mac users out there who are feeling left out, you now have your own OS X ransomware, called KeRanger. You can read about it on Silicon Beat and Symantec. It appears to be a rewrite of the Linux.Encoder ransomware that hits Linux servers (see The Register link below), which is not surprising, since OS X and Linux share Unix roots.
- And now there is also crypto-ransomware for websites. Called CryptWeb, this malware is designed to encrypt the back-end database of CMS websites built on WordPress, Drupal and other systems. In this case the site owner or manager is the one held for ransom: the website is unavailable until it is restored from a backup or the ransom is paid to the attackers. You do back up your website, right?
- Another recent article on We-P details a new threat, a version of CTB-Locker that targets web servers. It defaces the home page and encrypts the site's scripts, documents, photos, databases and other important files with AES-256, holding them for ransom. A unique key, generated for each site, can be purchased according to the instructions the attackers leave behind.
- Back in December, Heimdal Security published an article outlining how CryptoWall 4.0 was being spread as a drive-by download by the Angler exploit kit. This is a sophisticated multi-stage attack: it also tries to steal system user names and passwords and uncover website access credentials, which are then used to plant malicious Angler code on those websites so that their visitors are infected in turn and CryptoWall 4.0 is downloaded and installed on their computers.
- A recent post (Feb 26) on the Information Security Newspaper discusses how the authors of the Angler EK have modified their code to exploit a recently discovered Silverlight vulnerability (CVE-2016-0034). Microsoft fixed the flaw in January with the MS16-006 critical bulletin, so if you are not keeping your systems patched and updated, this new exploit could be used against them.
- Over at Sophos, they published a pair of articles in January outlining how ransomware works, and a bit of history on the evolution of ransomware.
- And finally, a bit of good news from Malwarebytes. They have released a beta of their Anti-Ransomware software, which you can download from the announcement page. It has the potential to address what has been a difficult problem for traditional anti-malware products, which have not succeeded in blocking file-encrypting malware before it does its damage.
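The Locky bullet above describes the delivery trick: a Word attachment that only does harm once the recipient enables macros. A mail gateway can refuse to deliver that class of attachment at all, by looking at the file's content rather than its extension. The following is an added example written for this post (it is not code from the original article or from any vendor named here). Names such as `classify_attachment`, `should_quarantine` and `build_sample_ooxml` are this example's own, and the sample documents it builds are constructed placeholders, not real Word files.

```python
"""Triage inbound Office attachments for macro-bearing documents.

Added example, not code from the original post. It flags the two containers
in which a Word attachment can carry VBA: the OOXML zip package (.docm, or a
.docx that was renamed) with a word/vbaProject.bin part, and the legacy OLE2
binary .doc format, which can always carry macros and is therefore flagged
for further inspection. Sample documents are constructed inline.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file header (.doc/.xls)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML packages are zip files
# Content types that appear in [Content_Types].xml only when VBA is present.
VBA_CONTENT_TYPES = (
    b"application/vnd.ms-office.vbaProject",
    b"application/vnd.ms-word.document.macroEnabled.main+xml",
)


def classify_attachment(data: bytes) -> str:
    """Classify by content, never by extension.

    Returns one of: 'ole2-legacy', 'ooxml-macro', 'ooxml-clean', 'other'.
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2-legacy"
    if not data.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            lowered = {n.lower() for n in names}
            # The VBA project is stored as its own part inside the package.
            has_vba_part = any(n.endswith("/vbaproject.bin") for n in lowered)
            # The package also registers that part's content type; check both
            # so a renamed or partially stripped package is still caught.
            ctypes = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
            has_vba_ctype = any(ct in ctypes for ct in VBA_CONTENT_TYPES)
            if has_vba_part or has_vba_ctype:
                return "ooxml-macro"
            if "word/document.xml" in lowered:
                return "ooxml-clean"
    except zipfile.BadZipFile:
        pass
    return "other"


def should_quarantine(data: bytes) -> bool:
    """Demo gateway policy: hold anything that is able to run VBA."""
    return classify_attachment(data) in ("ooxml-macro", "ole2-legacy")


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal package for the demo; real Word files carry more parts."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
    )
    if with_macro:
        content_types += (
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
        )
    else:
        content_types += (
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        )
    content_types += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "invoice.docm": build_sample_ooxml(with_macro=True),
        "report.docx": build_sample_ooxml(with_macro=False),
        "notes.doc": OLE2_MAGIC + b"\x00" * 504,
        "readme.txt": b"plain text",
    }
    for name, blob in samples.items():
        print(f"{name:14} {classify_attachment(blob):12} quarantine={should_quarantine(blob)}")
```

The check is deliberately coarse: it answers "can this file run VBA at all?", which is the question a delivery policy needs, and it quarantines legacy .doc files outright because their binary format cannot be cleared without parsing the OLE streams. For anything that must be delivered anyway, a follow-up step with a VBA extractor such as olevba (from the oletools project) can look for auto-execution triggers and download behaviour before release.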
And of course, the best protection against cryptoware is to maintain a good set of backups of all your important data. Here at CIT we use Datto to back up client data, and our experience has been that this lets us recover clients from a CryptoWall outbreak on their networks in a matter of hours rather than days.
If you are managing a website, you need to be backing up your website files too, and if you are using WordPress, there are several excellent plug-ins that will do that for you. You should also implement some form of website security through products such as Sucuri, a good multi-platform product, or WordFence, which is aimed mostly at WordPress sites.
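The two paragraphs above make the case for backups of both workstation data and website files. What a backup needs in order to actually survive a cryptoware incident is less obvious: several dated copies, a copy the infected account cannot reach, and a way to tell before restoring whether an archive itself has been encrypted. The script below is an added example written for this post; it is not the post's code and not how Datto or any WordPress plug-in works. Function names (`make_backup`, `prune`, `verify`, `restore`, `run_demo`) and the sample site it builds are this example's own. The database dump is passed in as bytes (in practice the output of mysqldump) so the demo runs offline, and the backup directory is assumed to be storage that the web server account cannot write to.

```python
"""Versioned site backups with retention and an integrity check.

Added example, not the post's code. Packages a site tree plus a database dump
into a timestamped tar.gz, writes a SHA-256 sidecar so a restore can detect an
archive that was tampered with or encrypted, and prunes old copies. Assumes
dest_dir is storage the web server account cannot write to.
"""
import hashlib
import io
import tarfile
import tempfile
import time
from pathlib import Path

PREFIX = "site-"


def _sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _sidecar(archive: Path) -> Path:
    return Path(str(archive) + ".sha256")


def make_backup(site_dir, db_dump: bytes, dest_dir, stamp=None) -> Path:
    """Write <dest_dir>/site-<stamp>.tar.gz holding site/ and db.sql, plus its digest."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S", time.gmtime())
    archive = Path(dest_dir) / f"{PREFIX}{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(Path(site_dir), arcname="site")
        info = tarfile.TarInfo("db.sql")        # dump goes in from memory, never touches disk
        info.size = len(db_dump)
        info.mtime = int(time.time())
        tar.addfile(info, io.BytesIO(db_dump))
    _sidecar(archive).write_text(_sha256(archive) + "\n")
    return archive


def list_backups(dest_dir) -> list:
    """Oldest first: the timestamp in the name sorts lexicographically."""
    return sorted(Path(dest_dir).glob(f"{PREFIX}*.tar.gz"))


def prune(dest_dir, keep: int) -> list:
    """Delete all but the newest `keep` archives and their sidecars; return what went."""
    backups = list_backups(dest_dir)
    removed = backups[: max(0, len(backups) - keep)]
    for old in removed:
        old.unlink()
        _sidecar(old).unlink(missing_ok=True)
    return removed


def verify(archive) -> bool:
    """True only if the digest matches the sidecar and the tar is still readable."""
    archive = Path(archive)
    sidecar = _sidecar(archive)
    if not sidecar.exists() or _sha256(archive) != sidecar.read_text().split()[0]:
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            return "db.sql" in tar.getnames()
    except (tarfile.TarError, OSError):
        return False


def restore(archive, target_dir) -> list:
    """Extract a verified archive into target_dir; refuse one that fails verify()."""
    if not verify(archive):
        raise ValueError(f"{archive} failed integrity check; do not restore from it")
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(Path(target_dir))
        return tar.getnames()


def run_demo() -> dict:
    """Constructed scenario: three nightly backups, prune to two, one copy gets 'encrypted'."""
    root = Path(tempfile.mkdtemp())
    site, dest = root / "www", root / "backups"
    (site / "wp-content").mkdir(parents=True)
    dest.mkdir()
    (site / "index.php").write_text("<?php echo 'constructed sample'; ?>")
    (site / "wp-content" / "photo.jpg").write_bytes(b"\xff\xd8\xff")   # fake JPEG header
    stamps = ["20160301-020000", "20160302-020000", "20160303-020000"]
    archives = [make_backup(site, f"-- dump {s}\n".encode(), dest, s) for s in stamps]
    removed = prune(dest, keep=2)
    archives[1].write_bytes(b"not a tar any more")      # simulate ransomware reaching the store
    restored = restore(archives[2], root / "restore")
    return {
        "removed": [p.name for p in removed],
        "remaining": [p.name for p in list_backups(dest)],
        "tampered_verifies": verify(archives[1]),
        "good_verifies": verify(archives[2]),
        "restored_names": sorted(restored),
        "restored_db": (root / "restore" / "db.sql").read_bytes(),
        "restored_index": (root / "restore" / "site" / "index.php").read_text(),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The sidecar digest is what turns "we have backups" into "we know which backups are still good": an archive that cryptoware has overwritten fails `verify()` and `restore()` refuses it, so the operator falls back to the previous copy instead of discovering the problem halfway through a rebuild. Retention by count rather than by age is deliberate, since an infection that goes unnoticed for a few days should not be able to age every clean copy out of the rotation before anyone looks.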
- Naked Security – Locky
- Silicon Beat – KeRanger
- Symantec – KeRanger
- The Register – KeRanger and Linux.Encoder
- FXInter – CryptWeb
- Heimdal Security – Angler exploit kit and CryptoWall 4.0
- Information Security Newspaper – Angler EK Silverlight modification
- We-P – CTB-Locker ransomware infects thousands of web servers
- Naked Security – Ransomware paper
- Naked Security – How ransomware works
- Malwarebytes – Anti-Ransomware beta