In the McAfee Labs Threats Report: November 2014, McAfee predicted nine major threats that would occur in 2015. Regarding ransomware, we said this: “Ransomware will evolve its methods of propagation, encryption, and the targets it seeks.”
Almost immediately, we began to see a huge rise in ransomware, especially with the family CTB-Locker, followed by new versions of CryptoWall, TorrentLocker, and spikes of BandarChor. We also saw the new families TeslaCrypt and Vaultcrypt surface in the first quarter.
The most famous ransomware family—CryptoLocker—appeared in September 2013. The then-current form of CryptoLocker was stopped in May 2014 by the takedown of one of its major distribution vehicles, the GameOver Zeus network. Currently the top ransomware families are CryptoWall (Versions 2 and 3), TorrentLocker Version 2, and CTB-Locker. (McAfee Labs dissected CryptoLocker, GameOver Zeus, and its takedown in the McAfee Labs Threats Report: August 2014.)
Many ransomware families have used the name CryptoLocker to mislead victims and the security industry. Some families, like TeslaCrypt, are based on CryptoLocker code. Other ransomware families—CryptoWall was an example of this when it first appeared—show the name “CryptoLocker” on their “ransom note” screens even though the ransomware is not CryptoLocker or a derivative. A mix of detection names from various security vendors has added to user confusion.
The most frequently asked question about ransomware is “Can we recover the encrypted data?” The answer is generally “No”—unless you pay the ransom and the thieves provide the private key. Ransomware private keys are stored on the criminals’ server, and unless you have access to that server or a copy of it, there is no other way to obtain the private key.
Occasionally, a law enforcement agency executing a takedown is able to seize the ransomware campaign’s control server. If officials can gain access to the database containing the private decryption keys, an encrypted file recovery tool can be built. Recently, the Dutch National High Tech Crime Centre seized the control server commanding the CoinVault ransomware family. Working together with Kaspersky, the Crime Centre created a recovery tool.
In some instances, files can be recovered. If the Windows System Restore option has been turned on (the default for most systems), then files can be recovered from the shadow volume copies. The shadow volume copy service, also known as VSS, is a technology that performs manual or automatic file backups, even when files are in use. From Windows XP through Windows 7 and Windows Server 2008, it is implemented in the Volume Shadow Copy service.
For Windows 8, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, the built-in command “Vssadmin list shadows” will list the available copies for the given volume. There are various ways of mounting a VSS copy through the command line and browsing for the files. There is also a variety of open-source tools that can be used to browse volume shadow copies. It may be possible to restore ransomware-encrypted files using one of those tools.
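An added example, not part of the original post: it parses saved “vssadmin list shadows” output, picks the newest shadow copy created before the first file was encrypted (later copies hold encrypted files), and builds the mklink command that mounts it for browsing. The sample output is constructed and abbreviated; the timestamp format, the incident time, and the C:\vss_restore link path are assumptions.

```python
import re
from datetime import datetime

# Constructed, abbreviated sample output. GUIDs are placeholders and the
# US-style timestamp format is an assumption (it is locale-dependent).
SAMPLE_OUTPUT = r"""
Contents of shadow copy set ID: {11111111-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 3/10/2015 2:00:05 AM
      Shadow Copy ID: {11111111-0000-0000-0000-0000000000a1}
         Original Volume: (C:)\\?\Volume{11111111-0000-0000-0000-0000000000c1}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

Contents of shadow copy set ID: {11111111-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 3/17/2015 2:00:07 AM
      Shadow Copy ID: {11111111-0000-0000-0000-0000000000a2}
         Original Volume: (C:)\\?\Volume{11111111-0000-0000-0000-0000000000c1}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2

Contents of shadow copy set ID: {11111111-0000-0000-0000-000000000003}
   Contained 1 shadow copies at creation time: 3/24/2015 2:00:04 AM
      Shadow Copy ID: {11111111-0000-0000-0000-0000000000a3}
         Original Volume: (C:)\\?\Volume{11111111-0000-0000-0000-0000000000c1}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
"""

# One match per shadow copy: its creation time and its device path.
ENTRY = re.compile(
    r"creation time: (?P<created>.+?)\s*$.*?Shadow Copy Volume: (?P<device>\S+)",
    re.MULTILINE | re.DOTALL,
)


def parse_shadows(text, fmt="%m/%d/%Y %I:%M:%S %p"):
    """Return [(created, device_path), ...] from vssadmin output."""
    return [(datetime.strptime(m["created"], fmt), m["device"])
            for m in ENTRY.finditer(text)]


def pick_clean_copy(text, first_encrypted_at):
    """Newest copy taken before encryption started, or None if there is none."""
    older = [s for s in parse_shadows(text) if s[0] < first_encrypted_at]
    return max(older) if older else None


def mount_command(device, link=r"C:\vss_restore"):
    """cmd.exe command (run elevated); the trailing backslash is required."""
    return f"mklink /d {link} {device}\\"
```

Copy the recovered files off the mounted link to separate media before cleaning the machine, then remove the link with rmdir.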
Safe practices to protect against ransomware
By tightly monitoring intelligence feeds, McAfee Labs stays ahead of most ransomware campaigns. Staying ahead allows us to detect and stop most ransomware before it can execute. It also means that no Bitcoins will flow into criminals’ pockets.
Good policies and procedures include the following:
- Back up data. Although this seems obvious, far too often there is no backup available or the backup process was never tested and didn’t work. Removable storage is widely available, inexpensive, and simple to use. Home users should create a backup, disconnect the device, and store it in a safe place. For cloud-based backup services, be aware of the chance that the victim’s endpoint could have copied encrypted files to the cloud, too. Some cloud-based backup services offer to restore the most recent versions of files.
- Perform ongoing user-awareness education. Because most ransomware attacks begin with phishing emails, user awareness is critically important and necessary. For every ten emails sent by attackers, statistics have shown that at least one will be successful. Don’t open emails or attachments from unverified or unknown senders.
- Employ antispam. Most ransomware campaigns start with a phishing email that contains a link or a certain type of attachment. In phishing campaigns that pack the ransomware in a .scr file or some other uncommon file format, it is easy to set up a spam rule to block these attachments using McAfee Email Gateway. If .zip files are allowed to pass, scan at least two levels into the .zip file for possible malicious content.
- Protect against polymorphic ransomware. The worst ransomware variants, including CryptoLocker, are polymorphic. This makes it incredibly difficult for traditional antimalware technology to stop them. However, McAfee Threat Intelligence Exchange is specifically designed to stop threats like these by using the newness of files as threat indicators. Recognizing files as new to the environment and combining that with other behavioral detection techniques, McAfee Threat Intelligence Exchange can stop polymorphic ransomware.
- Protect endpoints. Use McAfee VirusScan Enterprise endpoint protection and its advanced features. In many cases, the client is installed with just default features enabled. By implementing some advanced features—for example, “block executable from being run from Temp folder”—more malware can be detected and blocked. Additionally, stay up to date with daily antimalware definition files (DATs). McAfee Labs works around the clock to identify and fight ransomware, but the value of that work is realized only if the latest DATs are deployed.
- Block unwanted or unneeded programs and traffic. Blocking Tor, often used by ransomware to communicate anonymously, is simple with McAfee network security products such as McAfee Network Security Platform and McAfee Next Generation Firewall. Blocking Tor will often block ransomware from getting the public RSA key from the control server, thereby stopping the ransomware encryption process. For customers without McAfee network security products, our Endpoint Intelligence Agent is a good alternative. It runs on the endpoint and identifies malicious outbound traffic and its associated application.
- Keep system patches up to date. Many vulnerabilities commonly abused by ransomware can be patched. Keep up to date with patches to operating systems, Java, Adobe Reader, Flash, and applications. Have a patching procedure in place and verify whether the patches were applied successfully. McAfee Vulnerability Manager can spot vulnerabilities within your trusted network.
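An added example for the antispam item above, not McAfee Email Gateway configuration or code: a scanner that opens .zip attachments two levels deep, flags blocked extensions such as .scr, and reports anything it cannot inspect instead of passing it. The extension list beyond .scr, both limits, and the sample attachment are assumptions constructed for the example.

```python
import io
import zipfile

# Assumed policy values: the page names only .scr; the other extensions and
# both limits are illustrative choices, not McAfee Email Gateway settings.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".js"}
MAX_DEPTH = 2                      # archive levels to open
MAX_MEMBER_BYTES = 50 * 1024 ** 2  # do not inflate larger members (zip bombs)


def is_blocked(name):
    """True if the file name ends in a blocked extension (case-insensitive)."""
    return any(name.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS)


def scan_attachment(name, data, depth=0, parent=""):
    """Return [(path, reason), ...] for one attachment given as bytes."""
    path = f"{parent}/{name}" if parent else name
    findings = [(path, "blocked extension")] if is_blocked(name) else []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        # Content that cannot be inspected is reported, not trusted.
        return findings + [(path, "archive nested too deep to inspect")]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}"
            if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER_BYTES:
                # Names are readable even when content is not, so check them.
                if is_blocked(info.filename):
                    findings.append((member, "blocked extension"))
                findings.append((member, "encrypted or oversized member"))
                continue
            findings += scan_attachment(info.filename, zf.read(info), depth + 1, path)
    return findings


def make_zip(members):
    """Build an in-memory .zip from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed sample: a blocked file hidden one archive level down.
inner = make_zip({"invoice.pdf.scr": b"MZ constructed placeholder"})
outer = make_zip({"readme.txt": b"see attached", "docs.zip": inner})
SAMPLE_FINDINGS = scan_attachment("invoice.zip", outer)
```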
In the upcoming McAfee Labs Threats Report: May 2015, McAfee Labs will explore ransomware and the huge rise in the volume of attacks in Q1. Stay tuned; this episode of the ransomware wars has just begun.