Ransomware 2.0 Comes to America
by Rob Cheng
This month, we were in Berlin for the VB100 and there was a presentation about Ransomware. As reported earlier this year, ransomware is alive and well in the US in the form of the DOJ and FBI viruses. The news is that the virus mafia has created a new version of ransomware more treacherous than the DOJ and FBI viruses. Instead of locking the computer and demanding payment, the virus first encrypts important files on the target computer, and then demands payment not for the computer but the data. At the time, the researchers reported that the virus was isolated to Russia. As soon as we returned from our trip, I discovered that our researchers had found the virus in the United States.
We have checked our statistics and we have found at least 6 instances of ransomware in the month of September alone. The binary is not signed nor is the vendor or product fields populated. We refer to these viruses as anonymous. The file names appear to be random characters that are either 4, 15 or 16 characters and the file size varies and hovers around 300K. The only telling sign is that it installs in the roaming directory as opposed to one of the Windows or browser temporary directories.
We ran the virus on a test machine and before it delivers it messages, it spends hours encrypting files. The virus ranges from 0 to 50% processor utilization and the hard drive light is blinking although not pegged. During this time, it is possible to continue normal operations although performance suffers. Once the encryption process is finished, it delivers its payload.
I have talked to technicians in various parts of the US and they all know that there is a new threat upon us. Unfortunately once the computer has been infected and the files have been encrypted, there is little technicians can do. This is different than ransomware 1.0, or other strains of viruses. Prior to ransomware 2.0, if you have been infected, security software could remove the virus, and restore normal operations of the computer. In the security business, we call it remediation. With ransomware 2.0, there is no way to remediate the encrypted files. Worse yet, if the virus is removed from the system, there is no way to pay the ransom, so the files at that point are lost forever.
I hope this is a wake up call for the entire security industry. The industry has been over focused on remediation instead of prevention. The only solution for ransomware 2.0 is to make sure the viruses never runs on the target machine. Remediation is futile.
Ransom ware 2.0 is a polymorphic virus which means that it escapes the traditional black list detections.
Note to PC Matic users. Because PC Matic’s security, called Super Shield, uses a white list and a black list, you are protected from ransomware, but you have to make sure Super Shield is properly enabled. We are getting reports of PC Matic users becoming infected because they have not enabled Super Shield. It is not hard to know. Just look at the tray icon and the Super Shield logo should be present and green.