Ransomware 101

Ransomware has become one of the most widespread and damaging cyber threats the internet has faced in a long time. Since the now infamous CryptoLocker first appeared in early 2013, we have seen a new era of file-encrypting ransomware variants, delivered mostly through spam messages and exploit kits for the purpose of extorting money from home users and companies.

The two most common types today are locker ransomware and file-encrypting ransomware.


  • Locker ransomware locks the victim's screen and demands a payment to unlock it.
  • File-encrypting ransomware holds the victim's files to ransom by encrypting them and only releases (decrypts) them once the ransom is paid.


The majority of current ransomware samples are variants of CryptoWall, TorrentLocker, CTB-Locker and TeslaCrypt, with new variations cropping up almost daily.


Ransomware can arrive through various techniques, such as drive-by downloads or exploit kits that abuse different software vulnerabilities. Unlike other malware, once the user's files have been encrypted with a strong encryption algorithm it is nearly impossible to decrypt them, leaving affected users no option other than paying the ransom or restoring the files from backup.


Recommendations


Back up your files!
The best way to ensure you do not lose your files to ransomware is to back them up regularly; this cannot be stated enough. Storing your backups remotely, where an infected machine cannot reach them, is also critical.


Avoid clicking untrusted e-mail links or opening unsolicited e-mail attachments
Most ransomware arrives via spam e-mail, either through links the user clicks or through attachments. A good e-mail anti-virus scanner will also proactively block compromised or malicious website links and binary attachments that would eventually lead to ransomware.


Do yourself a favor and disable ActiveX content in Microsoft Office applications such as Word and Excel
Many malicious documents contain macros that silently download ransomware in the background.
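The mail-gateway scanning and macro recommendations above can be combined into a simple attachment check. The following is an added example, not code from the original post: it flags Office Open XML attachments (.docx/.docm/.xlsm and friends are ZIP containers) that carry a VBA project, regardless of the file extension they arrive with. The sample attachments are constructed placeholders; legacy OLE2 formats (.doc/.xls) are outside its scope and need a different parser.

```python
import io
import zipfile
from typing import Optional

# Part name Office uses for the VBA project inside an OOXML container
# (e.g. word/vbaProject.bin, xl/vbaProject.bin, ppt/vbaProject.bin).
MACRO_PART = "vbaProject.bin"


def build_sample(with_macro: bool) -> bytes:
    """Constructed placeholder attachment: a minimal ZIP laid out like a
    Word document, optionally carrying a VBA project part. Not a real
    document; it exists only so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/" + MACRO_PART, b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


def find_macro_part(data: bytes) -> Optional[str]:
    """Return the path of the VBA project part inside an OOXML attachment,
    or None if the data is not a ZIP container or carries no macro."""
    if not data.startswith(b"PK\x03\x04"):
        return None  # not OOXML; legacy .doc/.xls (OLE2) needs another parser
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for name in z.namelist():
                if name.rsplit("/", 1)[-1] == MACRO_PART:
                    return name
    except zipfile.BadZipFile:
        return None  # truncated or corrupt container: nothing to inspect
    return None


def attachment_verdict(filename: str, data: bytes) -> str:
    """Gateway decision for one attachment: quarantine anything that
    embeds a VBA project, even when the extension (.docx) suggests a
    macro-free document, since the extension is attacker-controlled."""
    part = find_macro_part(data)
    if part is None:
        return "allow"
    return f"quarantine: {filename} contains {part}"


if __name__ == "__main__":
    for name, blob in (("invoice.docx", build_sample(True)),
                       ("report.docx", build_sample(False))):
        print(name, "->", attachment_verdict(name, blob))
```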


Configure your firewall to block Tor and I2P (Invisible Internet Project), and restrict outbound traffic to specific TCP ports
Preventing the malware from reaching its call-home server over the network can sometimes disarm an active ransomware variant. Blocking connections to I2P or Tor servers at the firewall is also a cost-effective measure.