At a public sector customer’s site, our shared project mail account received a quite legitimate-looking email with an invoice in a .docm document and a request to verify its contents.
The sender appeared to be a woman employed at the customer’s organization. But at second look, something was wrong: she was not employed there, nor had she ever been. I showed it around to the project team, and we quickly became skeptical and deleted the email. According to the organization’s information security staff, we had evaded an attempt to infect our IT infrastructure with Locky, a piece of malware that in mid-February 2016 was infecting more than 5,000 PCs per hour in Germany alone. Locky encrypts the data on the PCs it infects.
But not everyone was that careful: at least four employees at the organization opened the alleged invoice. One of them, an employee with access to many network drives, noticed the mistake shortly after opening the file and shut down the PC before damage occurred. Another employee only noticed the attack after a couple of days and, despite recovery from backup, lost one and a half days of work.
For this customer, Locky was just a nuisance, as backups are taken seriously there. Other organizations have been less lucky: another cryptolocker, TeslaCrypt in its versions 2.0 and 3.0, has completely shut down several public sector organizations in the past few weeks. In one organization alone, damage of 500,000 Euros was caused because all of its data became unusable. An improved TeslaCrypt 4.0 has also already been seen in the wild.
Locky and other ransomware remain as destructive and widespread as ever. Nearly one in five spam mails worldwide contains a Locky variant. In mid-February, Locky infected 17,000 Windows PCs in a single day. It strikes computers especially in France and Germany, but also in other countries such as the U.S. and the Netherlands. In February 2016, there were five times as many attacks with cryptolockers as in the preceding five months.
Locky is not the only type of ransomware that makes our IT unsafe. Another encrypting ransomware that appeared in 2013, CryptoLocker, may actually be the most dangerous piece of malware in existence. It is an especially nasty type that sets a deadline by which the ransom must be paid. If the deadline is not met, the private key needed for decryption is destroyed and the files are lost forever. As if this were not enough, for the first time even Macs are not spared: in early March 2016, a cryptolocker called KeRanger infected OS X devices via a Transmission BitTorrent client installer.
What factors lead to the high success of cryptolockers, a type of ransomware that scrambles your files and asks for a ransom to recover them again?
Let us first explain how such a cryptolocker works, using Locky as an example.
By activating a macro in the alleged invoice, or by running an executable file in a zip archive contained in what appears to be a job application, the Trojan horse is downloaded, installed and executed. Only the CPU utilization chart in the task manager may show you that something is going on in the background. At this point, your files could still be saved if the malware is stopped. If you are like most of us and do not watch the task manager chart all the time, you will notice the unwelcome guest only when it is already far too late and eating up your files.
Locky attacks local data as well as network drives and files in cloud services. If, for example, SharePoint is used, files stored there will not only be encrypted but also synchronized to other end devices. The malware also deletes shadow copies of the files. The files are encrypted with the RSA and AES ciphers and cannot be decrypted by you or anyone else except the malware authors. Encryption gives the affected files the morbidly funny extension .locky, which gave the malware its name. Further, file names are transformed into hashes. These files can no longer be used or opened. When all files are encrypted, an extortion message appears on the screen prompting you to pay a ransom to get your data decrypted again. In the case of Locky, the ransom may range from half a bitcoin (a steep 200 Euros as of February 2016) to several bitcoins. Cryptolockers generally prefer bitcoins as the ransom currency because payments are anonymous and thus do not disclose the extortionist. YouTube videos illustrate the destructive work of Locky.
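A defender-side check for the file renaming described above, as an added example that is not part of the original article: it scans a file listing (here a constructed sample covering a user folder and a network share) and reports the directories that contain hash-named .locky files. The pattern used for the hashed names (16 or more hex characters) is an assumption about what they look like, not Locky’s specification.

```python
import re
from collections import Counter
from typing import Dict, Iterable

# Locky renames each encrypted file to a hash-like name plus ".locky".
# The exact length of that name varies by variant, so the pattern below
# (a hex string of 16 or more characters) is an assumption, not Locky's spec.
LOCKY_NAME = re.compile(r"^[0-9a-f]{16,}\.locky$", re.IGNORECASE)


def scan_listing(paths: Iterable[str]) -> Dict[str, object]:
    """Summarise a file listing and flag directories holding .locky files.

    Returns per-directory counts of encrypted-looking files plus an overall
    verdict, so a monitoring job can alert as soon as a local folder or a
    network share starts filling up with renamed files.
    """
    total = 0
    encrypted: Counter = Counter()
    for path in paths:
        # Normalise Windows and UNC paths so the directory part is comparable.
        directory, _, name = path.replace("\\", "/").rpartition("/")
        total += 1
        if LOCKY_NAME.match(name):
            encrypted[directory] += 1
    hits = sum(encrypted.values())
    return {
        "total_files": total,
        "encrypted_files": hits,
        "affected_dirs": dict(encrypted),
        "alert": hits > 0,  # a single .locky file is already a hard indicator
    }


# Constructed sample listing (not data from a real incident): a user folder
# and a mapped network share, partly renamed the way Locky does it.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\0A3F9C1D2E4B5A6F7C8D9E0F1A2B3C4D.locky",
    r"C:\Users\alice\Documents\1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E.locky",
    r"\\fileserver\projects\contract.docx",
    r"\\fileserver\projects\FFEEDDCCBBAA99887766554433221100.locky",
    r"\\fileserver\projects\readme.txt",
]

if __name__ == "__main__":
    print(scan_listing(SAMPLE_LISTING))
```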
What is the reason for cryptolockers being so successful and spreading so quickly without being detected by anti-malware programs?
There are a variety of reasons for the success of cryptolockers. These include how easily users can be made to pay the ransom and how effortlessly users’ computers can be infected with malware. Thus, ransomware is highly profitable for the attackers. In the case of CryptoLocker, the attackers gained about 3 million US dollars. More than one third of affected users will pay the usually high fee, which is more than enough revenue if thousands or even millions of devices are affected. Users may be willing to pay because they:
- Did not make backups and want their personal photographs and other files back as quickly as possible.
- Have made backups connected to the infected computer, so the backups are encrypted as well.
- Are unwilling to report the incident in cases where the backup is managed as a service by an external provider.
- Believe “if I pay the ransom, they will leave me alone in the future.”
- Believe that restoring the affected system and files is more costly and slower than paying the ransom. In the case of a hospital under attack, the encrypted data are vital and need to be recovered as quickly as possible, so paying the ransom may seem the best option.
So why can cryptolocker Trojans infect end devices so easily?
- Vulnerabilities in system configuration are widespread. For example, many email systems allow office documents with macros. Network segmentation is often not implemented, so malware may spread to other devices in the affected network.
- The macros used to download a cryptolocker in office documents like Word or Excel are nearly indistinguishable from common and permitted office tools. Thus, they are easily concealed.
- The ransomware is strongly polymorphic. New versions are developed at a very fast rate, and the malware authors test them against antivirus software until they are no longer detected. As of 26 February, there were 60 variants of Locky.
- Sneaky social engineering is used. As shown in the introductory example, these mails look very legitimate, and there will always be a user unsuspecting enough to open the attachment. Recipients are prompted to activate the macros in a very sophisticated way: for example, the attachment may contain nonsense strings of characters, and the victim is then prompted to “activate the macro to make the contents readable.”
- Vulnerabilities, including the use of old PDF readers and Microsoft Office versions, prevail in enterprise environments.
- Access rights concepts may be flawed. For example, too many users have administrator rights even though these are not necessary for their work. If the victim of a cryptolocker has administrator rights, the damage can be especially extensive.
- Training of users in security awareness may be insufficient. In addition to this, IT security staff may not be properly trained.
- Backups may be used insufficiently, and a proper disaster recovery concept may be missing.
To avoid being infected, the following actions cannot be repeated often enough:
- Do not open attachments of suspicious emails you were not expecting.
- Disable macros in Microsoft Office documents by default. For Office 365 used in organizations, the system administrator can deactivate macros in the Trust Center and prevent users from changing this setting.
- Make regular backups that are not permanently connected to the computer they back up, and use the latest firewall and antimalware software.
- An additional preventive measure is to use the latest versions of your browser, Java and other software.
- If you have already opened Pandora’s box by somehow triggering the download of the Trojan horse, shut down the device immediately, reinstall the operating system and recover your files from your backup.
- Never pay the ransom, as there is no guarantee that your files will actually be decrypted, nor that further attacks will be prevented.
- The Amor solution offered by Minerva Labs may prevent the devastating effects of Locky and TeslaCrypt even if an infection has already occurred. It is recommended especially for enterprise environments. The solution works by creating a system environment that appears hostile to the malware: the cryptolockers believe that certain antivirus products are installed and remain inactive. However, registry modifications are needed to make this method effective, and these should only be made by persons who know exactly what they are doing, as faulty registry changes may damage the system.
- Further, the following hint can prevent the cryptolocker from deleting shadow copies: disable the Windows program vssadmin.exe, which manages the shadow copies. Cryptolockers usually invoke it to destroy this type of backup. To prevent this, the program can be disabled by renaming it.
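Added example (not from the original article) of detecting the shadow-copy deletion described above from process-creation logs: it flags vssadmin.exe being started with a "delete ... shadows" command line and keeps the parent process for triage. The JSON field names and the sample events are constructed assumptions, not a real product’s schema or data from a real infection.

```python
import json
import re
from typing import Dict, Iterable, List

# Detection rule for the shadow-copy deletion described above: vssadmin.exe
# started with a "delete ... shadows" command line. Matching is
# case-insensitive because the casing of the command line may vary.
DELETE_SHADOWS = re.compile(r"\bdelete\b.*\bshadows\b", re.IGNORECASE)


def is_shadow_copy_deletion(image: str, command_line: str) -> bool:
    """True if a process-creation record shows vssadmin deleting shadows."""
    exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return exe == "vssadmin.exe" and DELETE_SHADOWS.search(command_line) is not None


def find_shadow_deletions(log_lines: Iterable[str]) -> List[Dict[str, str]]:
    """Scan JSON-per-line process-creation events and return the alerts.

    The field names (host, user, image, command_line, parent_image) are an
    assumed export format, not a specific product's schema. The parent
    process is kept because a deletion launched from a user's Temp folder
    rather than an admin shell is the typical ransomware picture.
    """
    alerts = []
    for line in log_lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if is_shadow_copy_deletion(event.get("image", ""), event.get("command_line", "")):
            alerts.append({
                "host": event.get("host", "?"),
                "user": event.get("user", "?"),
                "parent": event.get("parent_image", "?"),
                "command_line": event["command_line"],
            })
    return alerts


# Constructed sample events (not a capture from a real infection).
SAMPLE_LOG = r"""
{"host": "PC-07", "user": "DOM\\alice", "image": "C:\\Windows\\System32\\vssadmin.exe", "command_line": "vssadmin list shadows", "parent_image": "C:\\Windows\\System32\\cmd.exe"}
{"host": "PC-07", "user": "DOM\\alice", "image": "C:\\Windows\\System32\\vssadmin.exe", "command_line": "vssadmin.exe Delete Shadows", "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice_payload.exe"}
{"host": "PC-07", "user": "DOM\\alice", "image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "command_line": "WINWORD.EXE invoice.docm", "parent_image": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for alert in find_shadow_deletions(SAMPLE_LOG.splitlines()):
        print(alert)
```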
There are now methods and software to remove the Trojan horse from your device, such as updated antivirus software. There are also some specialized tools, like the Locky Blocker offered by Malwarebytes. These programs will, however, not recover files that are already encrypted. In addition, inactive remnants of the malware may stay on your system unnoticed and strike again in the future. Thus, the importance of regular backups cannot be stressed enough.
We believe that the current wave of different cryptolockers is not a temporary phenomenon and that they will remain an abundant and widespread type of malware in the future. Further, we are convinced that, with the growing adoption of the Internet of Things, cryptolocker attacks will increase. For example, there is a trend to connect medical devices to networks, opening up further dimensions of cyberattacks.