Tag Archives: Cryptowall

What Would You Pay for Your Own Files? The Cost of Ransomware

Alina Simone’s gripping 2015 account of her mother’s extortion ordeal was the first time many non-tech people had heard the term “Ransomware”. It presented a threat that felt intensely personal. It blocked access to data we use to define ourselves: family photos, letters to relatives, tax and financial records, and beloved music and movies.

Flash forward a year, and ransomware is all over the media. The reason for its rise is simple: money.

Before the emergence of ransomware, criminals mainly used (and still use) malware to take control of machines. Malicious code harvested user names, passwords, and credit card numbers. It might have also used infected PCs in a botnet for sending spam or launching attacks that shut down major websites, usually as a decoy while hackers broke in elsewhere.

For Criminals, Ransomware Is Lucrative

Ransomware cuts out the digital middlemen. Rather than collect credit card details that must then be sold on the dark web for a few cents to a few dollars, ransomware demands money directly from the victims. While the amount varies, it tends to be few hundred dollars for individuals.

Yet these small sums are taking a heavy toll. The exact number of ransomware attacks is hard to gauge, as many go unreported. But according to our data they are rising fast. While official complaints about ransomware (and ransoms paid) to the US Department of Justice amounted to only around $24 million in damages in 2015, other numbers are much higher. In April, CNBC estimated the cost of ransomware at around $200 million in the first three months of 2016 alone. Late last year, the Cyber Threat Alliance stated that a single piece of ransomware, CrytopWall v3, resulted in an estimated $325 million in damages worldwide over the course of its lifetime. And as far back as June 2014, the FBI issued a report saying CryptoLocker swindled more than $27 million from users over a two-month period.

Bigger Targets May Mean Bigger Paydays

These numbers speak to the audacity of ransomware purveyors. The long-tail effect of attacking individuals has proven so lucrative, it is unlikely to ever go away. But many organizations also hold sensitive customer data that needs to be protected both to ensure effective service and consumer privacy. That makes them particularly juicy targets to hackers.

Healthcare provides are a case in point. If they lose control of patient information, they may be unable to deliver treatment when needed. There are also strict legal requirements governing the protection of patient data. Both make them subject to lawsuits that could cost them far more than what they would have to pay in ransom. A hospital in Hollywood, California, paid $17,000 in bitcoin to hackers after being locked out of their data. Fortunately, so far, other reported attacks have fared less well. Healthcare providers in Kentucky and Ottawa refused to pay, as no patient data was compromised; and an attack in Germany was quickly contained by fast-acting IT staff.

Still, the hospitals have had to invest considerable time and resources into fighting the attacks. They will also need to launch multiple efforts internally and externally to restore patient trust.

And hospitals are not alone.  A 2016 report by the Institute for Critical Infrastructure Technology, an industry think tank, declares 2016 the year of ransomware, suggesting few organizations are safe. For instance, systems at an Israeli electrical utility were infected by ransomware after a phishing attack. A utility in Michigan has been allegedly attacked. Multiple police stations have been hit and paid ransoms to regain access to their systems. Local governments are increasingly feeling the pressure, with attacks reported in places as diverse as Alto City, Texas, and Lincolnshire, UK. And criminals have subverted online adverts of venerable media organizations, such as the BBC and NYT, turning their websites into potential sources of drive-by ransomware.

The Right Protection Saves Money

This is why protection is essential, especially for individual users, most of whom lack the expertise and resources of even modest city councils and small hospitals. Over a three-month period earlier this year, a conservative estimate by AVG is that its antivirus prevented around $47 million in extortion demands through the interception of just three types of ransomware: Cryt0L0cker, CryptoWall, and TeslaCrypt. And that number says nothing of the mental and emotional costs that would have resulted from feeling violated or the costs of replacing machines, software, and media if a victim decided not to pay.

AVG does not recommend paying. There is no guarantee criminals will release the files. They may also leave a piece of malicious code behind that allows them to strike again. It is better to call tech support, salvage what you can, make frequent backups, and build a fortress around your PC – and thus prevent the writing of another news story like Alina Simone’s.

Ransomware on the rise – how to protect your devices and data

Dozens of active ransomware variants such as TeslaCrypt, Locky and Crypt0L0cker continue to extort victims daily. And Ransomware-as-a-Service threatens to make matters worse.

Ransomware – you will not find a more frequently used word in the antivirus industry in these past few months. AVG’s viruslab have analysed dozens of different ransomware “families” in that time.

Based on the number of new unique samples per day, it seems that the ransomware trend is steadily increasing.

Some ransomware families appear to have been created by amateur programmers eager to earn easy money (Radamant, LeChiffre, or Hidden-Tear derivatives, just to name a few), while others are developed by professionals and operated by cyber gangs (e.g. CryptoWall).

At present, the most active families are TeslaCrypt, CryptoWall, and Crypt0L0cker (aka TorrentLocker) with each of these families spreading in multiple ways. The most common infection methods are via exploit kits and phishing emails (as links or attachments).

We’ve noticed many different approaches to creating ransomware, such as the programming language used. While C, C++, C#, and Delphi are very popular among malware authors in general, we have seen ransomware created in JavaScript, Java, and even purely in Windows .bat files.

More worryingly, we have identified “Ransomware-as-a-Service” offerings that are threatening to make things much worse. These often Tor-hosted (anonymous) websites make it possible to generate custom ransomware with just a few clicks – in return for a share (5-20%) of future earnings, i.e. ransom revenue.

But it’s also the brazen attitude and apparent confidence of some ransomware authors that is disturbing. We have found the Nanlocker ransomware contains a now famous (and very unfortunate) statement that was made by a member of the FBI at a security conference.

How to protect your computers and networks against ransomware.

  1. Don’t trust any links or attachments in email – this remains the most common way that ransomware takes hold. If you weren’t expecting the email, do not open it. If unsure, always seek a second opinion from a tech savvy friend – or just delete the email.
  2. Keep your software and operating system updated. Ransomware is targeting not only Windows, but also Linux (e.g. Linux.Encoder) and even Mac.
  3. Uninstall unused or notoriously vulnerable applications – for example, if you don’t need Adobe Flash Player, remove it and any other applications you’re not using. Stick to the minimum.
  4. Use the latest protection software. AVG Internet Security is great choice because it offers multiple layers of protection – we take the ransomware threat very seriously, and our software is capable of detecting the ransomware families mentioned earlier, plus more.
  5. Backup your files regularly and don’t forget to keep your backup media disconnected from your PC. Otherwise, your backups might get encrypted as well. This also applies to cloud storage and network drives (e.g. Dropbox, Google Drive).

What if it’s too late, and your files are already being held to ransom?

  1. If your files have already been encrypted by ransomware, the most important thing is to stay calm.
  2. You should immediately contact technical support (e.g. your IT department, your AV vendor) for further assistance, if available to you.  You need to seek expert advice as early as possible.
  3. We strongly advise against paying the ransom. You’ve got no guarantee from the criminals that your files will be restored. And, if every ransomware victim refused to pay the ransom, this type of crime would quickly reduce in occurrence.
  4. It is quite possible that the decryption key is still located in the computer. Many ransomware families contain weaknesses in their encryption algorithm, which may lead to decrypting your files even without paying the ransom! It may take some time to spot and exploit such weaknesses, but in the meantime don’t delete your encrypted files, there may still be hope. (so call tech support). 

Click-fraud evolved, and it has a plan

We all know what malware is capable of and that’s why we use a good and reliable antivirus like Avira. But while most of the things malware does sounds horrible and scary there are some that … well, do not.

The perfect example would be click-fraud malware, a kind of malware that does exactly what its name says: It clicks on advertisement. Basically the advertiser has to pay each time a real person or – in the case of malware – a bot-infected device clicks on an ad. A recent report claims that businesses are losing as much as $6.3 billion a year to click-fraud. Crazy, right? But still nothing to lose any sleep over since you are not the one paying the bill.

According to the security researchers from Damballa though, click-fraud can evolve: “Click-fraud malware infections can become something more sinister. In May, Damballa Failsafe tracked and recorded the activity of a click-fraud infection that pulled in three additional click-fraud infections plus CryptoWall, which encrypts the files on the host system to render them inaccessible to the user. Within a couple of a couple hours a simple click-fraud infection escalated to a crippling malware infection. Suddenly, that infected device became a high-risk priority.“

If there is one lesson to be learned from all of this: No malware is too small or “unimportant” to become really dangerous at some point.

The post Click-fraud evolved, and it has a plan appeared first on Avira Blog.

Cryptowall 3.0 Infections Spike from Angler EK, Malicious Spam Campaigns

SANS Institute reports that Cryptowall 3.0 ransomware infections emanating from the Angler Exploit Kit are on the rise, and coincide with a spike from malicious spam campaigns.

As Ransomware Attacks Evolve, More Potential Victims Are at Risk

In early December, as most people were dealing with the stress of looking for the perfect holiday gifts and planning out their upcoming celebrations, police officers in a small New England town were under a different sort of pressure. The vital files and data the Tewksbury Police Department needed to go about its daily business had been encrypted […]