Being held for ransom
SECURITY SHELF

Criminals are earning direct revenue with ransomware. As a result, over the past three years it has become a serious threat to individuals and businesses. Three recent developments indicate that the situation is getting worse.

On April 1, 2016, the Canadian Cyber Incident Response Centre (CCIRC) released an alert on new ransomware variants named Locky and Samas. According to the alert, “Locky ransomware propagates through spam emails that include malicious Microsoft Office documents or compressed archive attachments, such as .zip and .rar. The malicious attachments contain macros or JavaScript files to download Ransomware-Locky files. Locky has affected computers belonging to individuals and businesses, including healthcare facilities and hospitals in the United States, New Zealand, Germany, and Canada. Other destructive ransomware variants have also emerged in 2016, such as Samas, which is used to compromise the networks of healthcare facilities.”

If users are tricked into enabling macros in malicious Office documents, or otherwise running the malware, Locky encrypts every file it can access. As with other ransomware, this includes files on the local computer as well as files on any mounted drive, including network shares. This places businesses at significant risk, especially if an infected user is logged in to their PC with domain administrator rights.

Samas is a more sophisticated threat. According to Microsoft, “The Samas infection chain … starts with a pen-testing/attack server searching for potential vulnerable networks to exploit with the help of a publicly-available tool named reGeorg, which is used for tunnelling. Java-based vulnerabilities were also observed to have been utilized, such as CVE-2010-0738 related to outdated JBOSS server applications. It can use other information-stealing malware (Derusbi/Bladabindi) to gather login credentials as well. When it has done so, it will list the stolen credentials into a text file, for example, list.txt, and use this to deploy the malware and its components through a third party tool named psexec.exe through batch files.”

Also on April 1, antivirus vendor F-Secure issued an alert on Petya. According to F-Secure, “Petya is a new ransomware with an evil twist: instead of encrypting files on disk, it will lock the entire disk, rendering it pretty much useless. Specifically, it will encrypt the filesystem’s master file table (MFT), which means the operating system is not able to locate files. It installs itself to the disk’s master boot record (MBR) like a bootkit. But instead of covert actions, it displays a red screen with instructions on how to restore the system.”

Petya executes in two phases. First it infects the Master Boot Record (MBR), creates a symmetric key for encryption, wraps the key using an Elliptic Curve algorithm, and restarts the PC to execute the infected MBR. During the second stage, the malware presents a fake checkdisk screen, encrypts the MFT using the encryption key, and destroys the key. At this point the key can only be restored by the person or organization behind the ransomware using the EC algorithm. Petya then displays a red skull screen with URLs to a Tor hidden service demanding a ransom.

Petya differs from other ransomware in several respects. Because it encrypts the MBR, it should only impact files on the local PC. However, encrypting the MBR is much faster than encrypting individual files, and doing so effectively denies access to the entire PC. If the victim refuses to pay the ransom, their only realistic option is to reformat the hard drive. If they choose to pay the ransom, which is not recommended, they will need to do so from another PC. It is conceivable that this could place the new PC at risk.

There are several things that individuals and businesses should do to mitigate ransomware-related risks:

  • Ensure users are aware of safe computing practices, especially with respect to downloads and email attachments.
  • Back up all important data to a remote service or offline media that cannot be directly accessed by users. The service should maintain previous versions of changed and deleted files in case ransomware encryption is not noticed immediately.
  • Administrators should log in to their local PC with a standard, non-privileged account and only elevate their privileges when required. In sensitive environments, administrators should use a separate PC for administrative work or remote desktop into a jump server.
  • Keep all computers up-to-date with the latest patches and antivirus software.
  • Consider the use of web proxies or UTM firewalls capable of scanning incoming files at the perimeter.
  • Consider application whitelisting to prevent unapproved programs from executing.
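
As an added illustration of perimeter file scanning (example code written for this article, not taken from the CCIRC alert or any vendor product), the following Python sketch flags the two delivery forms the alert describes: script files inside compressed attachments and Office documents that carry macros. The extension list, size and depth limits, and sample files are assumptions constructed for the example; it handles .zip and OOXML files only.

```python
import io
import zipfile

# Assumed blocklist of Windows Script Host extensions (not taken from the article).
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf")
# OOXML parts that carry VBA macros in Word, Excel and PowerPoint files.
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
MAX_DEPTH = 3                    # nested-archive limit
MAX_MEMBER_BYTES = 20 * 2**20    # skip members that declare more than 20 MiB

def scan_attachment(name, data, depth=0):
    """Return (path, reason) findings for one attachment given as bytes."""
    findings = []
    if name.lower().endswith(SCRIPT_EXTS):
        findings.append((name, "script file"))
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings          # .rar and legacy OLE .doc/.xls need other parsers
    if depth >= MAX_DEPTH:
        return findings + [(name, "archive nested too deeply")]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if MACRO_PARTS & set(zf.namelist()):
            return findings + [(name, "Office document with VBA macros")]
        for info in zf.infolist():
            path = f"{name}/{info.filename}"
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:   # bit 0 set means the member is encrypted
                findings.append((path, "encrypted member, cannot inspect"))
            elif info.file_size > MAX_MEMBER_BYTES:
                findings.append((path, "member too large to inspect"))
            else:
                findings += scan_attachment(path, zf.read(info), depth + 1)
    return findings

def _zip(files):
    """Build an in-memory zip from {path: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in files.items():
            zf.writestr(path, body)
    return buf.getvalue()

# Constructed samples: a macro-enabled document and a zip like the ones described.
SAMPLE_DOCM = _zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00"})
SAMPLE_ZIP = _zip({"invoice.js": b"// inert", "scan.docm": SAMPLE_DOCM, "note.txt": b"hi"})

if __name__ == "__main__":
    for path, reason in scan_attachment("invoice.zip", SAMPLE_ZIP):
        print(f"{path}: {reason}")
```

Encrypted members are reported rather than skipped, since a password-protected archive is something the gateway cannot inspect and may warrant quarantine.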

Ransomware infections can result in devastation to personal and corporate information. In the event of an infection, immediately power off all impacted systems and obtain qualified assistance.

Have a security question you’d like answered in a future column? Email eric.jacksch@iticonline.ca
