Ransomware 2.0 Comes to America

hostage

Ransomware 2.0 Comes to America

by Rob Cheng

This month, we were in Berlin for the VB100 and there was a presentation about Ransomware. As reported earlier this year, ransomware is alive and well in the US in the form of the DOJ and FBI viruses. The news is that the virus mafia has created a new version of ransomware more treacherous than the DOJ and FBI viruses. Instead of locking the computer and demanding payment, the virus first encrypts important files on the target computer, and then demands payment not for the computer but the data. At the time, the researchers reported that the virus was isolated to Russia. As soon as we returned from our trip, I discovered that our researchers had found the virus in the United States.
ransom

We have checked our statistics and we have found at least 6 instances of ransomware in the month of September alone. The binary is not signed nor is the vendor or product fields populated. We refer to these viruses as anonymous. The file names appear to be random characters that are either 4, 15 or 16 characters and the file size varies and hovers around 300K. The only telling sign is that it installs in the roaming directory as opposed to one of the Windows or browser temporary directories.

We ran the virus on a test machine and before it delivers it messages, it spends hours encrypting files. The virus ranges from 0 to 50% processor utilization and the hard drive light is blinking although not pegged. During this time, it is possible to continue normal operations although performance suffers. Once the encryption process is finished, it delivers its payload.

I have talked to technicians in various parts of the US and they all know that there is a new threat upon us. Unfortunately once the computer has been infected and the files have been encrypted, there is little technicians can do. This is different than ransomware 1.0, or other strains of viruses. Prior to ransomware 2.0, if you have been infected, security software could remove the virus, and restore normal operations of the computer. In the security business, we call it remediation. With ransomware 2.0, there is no way to remediate the encrypted files. Worse yet, if the virus is removed from the system, there is no way to pay the ransom, so the files at that point are lost forever.

trayMake sure the Super Shield logo is present and green in the system tray to avoid Ransom Ware.

I hope this is a wake up call for the entire security industry. The industry has been over focused on remediation instead of prevention. The only solution for ransomware 2.0 is to make sure the viruses never runs on the target machine. Remediation is futile.

Ransom ware 2.0 is a polymorphic virus which means that it escapes the traditional black list detections.

Note to PC Matic users. Because PC Matic’s security, called Super Shield, uses a white list and a black list, you are protected from ransomware, but you have to make sure Super Shield is properly enabled. We are getting reports of PC Matic users becoming infected because they have not enabled Super Shield. It is not hard to know. Just look at the tray icon and the Super Shield logo should be present and green.

(Visited 50 times, 1 visits today)

53 thoughts on “Ransomware 2.0 Comes to America

  1. I got this screen demanding payment. I tried to click away from the screen but I couldn’t. I forced the shutdown of my PC and when I bought it up again my PC started and seem OK. I noticed that my virus detection had quartented the software. My PC is working fine. What is the likely hood that something is still hiding in my PC?

  2. The crypto virus variants are hidden in double extension file attachments. You can't get it by going to a website….. yet

  3. Heather Artrip Rauscher; You did not have this new crypto virus. You cannot unencrypt your files without paying the ransom. The encryption used is 2048 bit and would take months to break on a supercomputer.

  4. Hello,even though I have antivirus|antispyware,etc,Inever use them,I have the best anyone could have,I make a full backup of my pc,every time I install a new program,other than that,I don’t waste my time making backups,or letting norton or McAfee use my pc resources,only “anti”I have today is MalwareBytes Antimalware,which I seldom use,the full Backup,is on an external drive of course,when I restore my pc,there is no virus,malware or “ramsom ware”,etc that can survive,it only takes 5 to 7 minutes to restore,but of course I don’t store anyting on drive C:,only content of drive C,is Program Files and Windows,thats why it takes only 5 minutes to restore my pc….Roberto

  5. I had this virus on my computer & my computer guy was able to get rid of it. I had updated my backup the night before and that is what saved me.

  6. Why not use a proggy like DeepFreeze which basically takes a picture of your drive and locks it in. No matter what you do or which website you visit, when you reboot it reverts to the original picture of your as if you had not done a thing to it. You can unlock it to save files that are clean. I would recommend optimizing your PC before you install it or while it unlocked. This proggy is used by thousands of schools because kids on PC’s can ruin a PC in no time if you don’t have some kind of protection.

  7. Your basic assumption is somewhat questionable;that these hackers are highly ethical young men who will “release” your computer as soon as ransom is paid.
    In your dreams!!!

  8. Acronis Backup Software is what I use to create full backups onto an external hard drive which is only connected to the PC during backing up operations and the internet connection is disconnected. It’s been a real time saver a few times over the years.

  9. I think that the first thing I'd do, while the computer was still running, is open 'er up and unplug the drive. That buys you time to figure out what to do next. I have a few ideas what to do after that but I'm not going to post them here, that's for sure.

  10. In theory if you do full drive encryption on your system that should prevent them from encrypting it. win7 and such have bitlocker built in.

  11. Most security issues come from going to web sites you shouldn't be visiting in the first place. When you play in a sewer your bound to get covered in ….

  12. I regularly do image backups to external drives, and keep those drives unattached when not in use. If my PC gets infected, would a full disk format along with an image restore fix the problem?

  13. THE HACKER FIND A SERVER WITH A EASY PASSWORD THROUGH THE PORT 3389, CREATE A USER AND INSTALL THE SW, THEN DELETE HIS TRACES,
    AND AFTER ALL FILE AND SW ARE LOCKED AND EVER DIRECTORY HAVE A TXT MESSAGE WITH INSTRUCTIONS FOR UNLOCKED.
    (the cap-words are for better visibility, only!

  14. Jeff Walters when you have a problem with a virus, search the internet : kaspersky, f-seure and sophos can be the solution

  15. What are we talking about here:

    “THE HACKER FIND A SERVER WITH A EASY PASSWORD THROUGH THE PORT 3389, CREATE A USER AND INSTALL THE SW.” (I don’t quite understand the broken English, but also not the “password through port 3389” part. Is that an actual identified port that the malware uses, or can it be any random port?)

    “Try eSet NOD32 Security.” (Is this a product or configuration parameter?)

    What is the actual functional method of preventing an infection? I Know everybody’s trying to sell their own product, but what function does a product need to perform to prevent this from happening? I’ve had some recent unexplained activity on my system over the course of a couple of days…unexplained high CPU usage mostly. My remedy is to shut down the system (power down), then power on again to reboot. My system is set to hibernate after 2 hrs of inactivity…can’t be activated by anything but keyboard or mouse (according to Windows 7 settings, anyway). I have firewalls enabled on all systems on my LAN (two ethernet-connected, three to four WiFi-connected with WPA2 security), but I’m not sure if the router has a separate firewall. Is that secure enough? All systems also have anti-malware software and anti-spam/popup blockers active.

  16. My solution: Clone your main drive to an ezxternal drive or an internal second drive (with come caveats). In between clonings, save changes to USB drive. If infected, switch drives and format both infected and USB dives. No matter what it still is a PITA.

  17. for prevent the attack
    install a external Firewall(for example activate the fw of gateway)
    close all port
    and don't use e-mail without a spamfighter!
    Install the latest version of sw : java/pdf and don't download free sw through a website unknow, no php!
    and delete the suspect e-mai immediatly
    remember, the hacker could to know the e-mail of your friends!

    ps the hacker read the post of the forumer!

  18. Max Atwork Well, I'm no computer tech, just an average guy and everything I know about computers is self-taught. I had a 2001 model HP computer running XP, and the only solution I could come up with was to wipe and reinstall the OS which leaves you 10 to 12 years of software updates behind. Getting updated to XP service pack 3 from that point can be a real pain in the ass.

  19. I clear 3 pc from virus,it's not difficult to delete the
    ransomware 1.0, 2 to 4 hour and I resolved the problem!
    very difficult is delete the ransomware 2.0. there isn't solution
    this time

  20. Exploit kits
    An exploit kit is a type of a tool that exploits various security holes in the software installed
    on a machine. A cybercriminal buys such an exploit kit and includes the malware that they
    wish to deliver by exploiting compromised legitimate websites.
    For example, Blackhole takes advantage of the vulnerabilities that exist—often Java or PDF
    software—to install malware on end users’ computers without their interaction, in a drive-bydownload
    manner

  21. the ransom was paid through the purchase of vouchers U Cash (Europe)to the criminal is sent an e-mail with the codes of vouchers;
    at the later time, comes the sw with the decoder, however, the programs are almost all to reinstall including the activation codes
    I suggest you make a copy of BACK-UP every day, BUT do not keep THE NAS ACTIVE ON THE NETWORK WHEN is not necessary,
    THE VIRUS infected PC AND ALL CONNECTED NAS ON THE NETWORK!
    THE HACKER FIND A SERVER WITH A EASY PASSWORD THROUGH THE PORT 3389, CREATE A USER AND INSTALL THE SW.
    AND AFTER ALL FILE AND SW ARE LOOCKED AND EVER DIRECTORY HAVE A TXT MESSAGE WITH INSTRUCTIONS FOR UNLOOCKED.

    NB SORRY FOR MY ENGLISH

  22. GREAT, Ransomware 1.0 (the FBI virus) basically destroyed my old computer. It is back up and running now after about 20 hours of intensive effort on my part to recover the 10 year old OS and bring it up to date. My Mom is now using it. I bought a new HP with Windows 8 because I thought it better to spend $400 than to take the time to fix the old one. I really don't understand the mentality of people who spend hundreds of hours writing code to create something to destroy other people's expensive computers. It's sociopath behavior.

  23. What is the difference if they hold us hostage to buy their junk or you hold us hostage to buy super shield? Either way we are stuck with the bill. Personally, I think the anti-virus people create most of the viruses so they look like they are needed!

  24. According to an article on several sites like Computer World it comes as an attachment in email:
    “The payload hides in an attachment to a phishing message, one purporting to be from a business copier like Xerox that is delivering a PDF of a scanned image, from a major delivery service like UPS orFedEx offering tracking information or from a bank letter confirming a wire or money transfer.”

    This is another reason why people should never open email from people they dont know. Also people should understand that companies dont normally send you emails with attachments unless you specifically asked for it to be sent. If in doubt, delete. I am personally afraid of this thing because I have people that never listen to me and open everything they get. I got into doing security for my office back when NIMDA was huge and no one knew what to do. This one is a data killer.

  25. And so it goes. Someone builds a better mousetrap, and then someone else builds a better mouse. And on, and on, and on, and on……

  26. Someone at work had this on their laptop this week. Trawled through the accessible files in the laptop them worked its way through network shares too. Fortunately we could restore most files from backups.

    The corporate AV (Trend) didn’t pick it up; from what I can tell it doesn’t pick up a lot.

    The people who write these things are not thick; why can’t they put their skills to more legitimate use?

  27. @John, the attack vector is likely different from case to case, but as I understand it, this one comes as an exe within a pdf. The vast majority of major A/V vendors detect it, but by that time, it’s too late. This is the point Rob is making in this write up and what sets Super Shield apart from traditional A/V. If an exe *isn’t* on the whitelist, it cannot run, period.

    Btw, here’s a sample uploaded to virustotal.com so you can see who detects it.https://www.virustotal.com/en/file/363f7b78de8d642da8a76e100d1281c420dba9673a1d677ac2bf0b63d3691f96/analysis/

  28. I would recommend browsing the net on a tablet vs. a computer for this reason or just simply set up a Virtual Machine just for browsing. That way you can simply kill & reimage the VM & nothing happens to the actual os. Usually these attacks are more common on seedier sites such as porn or warez sites.

  29. This is a crime that should be not tolerated by any country. Why is it that they can not be caught? It seems to me that our PC security experts are not very good or something else more sinister is the problem.
    It also seems to me that not many PC users or PC industry or the Gov cares.

    • @Mike: Oh they care but the thing is you can’t really chase something that doesn’t leave an easy trail for example the money transfers they fail yet the money is transferred to a country who’s laws say that banks don’t have to give out information on money transfers so there is no way to trace it beyond that bank or take the emails they are send from public places at first then it automatically spreads from pc to pc so you maybe find the email address it was send from when you received it but you have to find out where that email address got it from and so on and quite often it leads to a temporary email address that has no personal information or a mail server that is no longer there so again an dead end

      if you want to catch the guys who are doing it its up to a group of people who have the knowledge, power, money and time to deal with everything that comes into play for tracing it to the source because they said the virus itself has no signature to show where it came from who made it or anything(like it sometimes happens to be the case) so there is no easy way to track it

  30. I listened to the audio at the link you posted. Everyone should see it and share with friends. This thing is horrible. If I understand correctly not only my main drive , but also the 3 external drives where I store all my files are at risk since they are listed drives on my PC, as well as my dropbox and sky drive storage. I have backed up most of my files on DVD but am wondering if the PC will still be usable or will this encrypt my windows files also? I rarely click on links in email even from people close to me but I also wonder if there is another way for them to get in?

  31. Back up important files regularly on a separate device, NOT regularly attached to the machine, eg large capacity flash drive or external drive. if infected, remove the virus, reinstall the files.

  32. Like far too many "Help, there's a new virus loose!" articles, this one fails to answer basic questions:
    How is the virus transmitted and acquired? In my boss's attachments, or only from an infected Website?
    Will a highly rated commercial anti-malware suite prevent it?
    Will other good firewalls (besides the writer's employer) stop it?
    How near in time are preventions from MS and/or other AV houses?

    • @Jon von Gunten: Steve Gibson, security expert from GRC.com just completed a podcast on this very subject last Wednesday 10/23/13.

      To listen in, check out the podcast at http://twit.tv/show/security-now/427 or google twit.tv security-now 427

      Click on “Audio” at the far left of the screen under the picture — Not the play > button (doesn’t let you advance position)

      Advance the slider to 39 minutes, 30 seconds and listen for about 20 minutes.

      This is a Nasty one!

  33. Why can’t Microsoft put out a Security Update across all of their Operating Systems to pop-up a User Access Control window asking for permission whenever the Cryptologic services are requested similar to when one tries to install software?

  34. Can someone not just follow the money, see where it ends, and put the head on a pike of those who got the ransom money for the world to see. This should discourage this type of tactic.

  35. I back up all my files through Carbonite. The backup occurs only when there has been activity on or in my files. Two questions. Can I assume that any file I have not accessed in the recent days or weeks are still ok on Carbonite’s server? Second question, will the activity of ransomware be interpreted as file activity and will the encrypted files then be stored on their server as well?

    • I will answer your second question first. Yes, if you are backing up online, the encrypted files will replace your good files on your backup. This is in fact that something bad has happened. At that point, you can contact and they might have a back up of the back up.

Leave a Reply

Your email address will not be published. Required fields are marked *