The payment is usually requested in the form of direct credit card payments or via Bitcoin (an online payment currency).
Generally speaking, there are two main classifications of ransomware: Encryptors (which encrypt all important files and demand a ransom to decrypt them) and Screen Lockers (which lock an infected system, preventing proper access until a ransom is paid). Most of the latest strains intercepted by the Thirtyseven4 lab fall under the Encryptor classification. The top ransomware threats include Cryptorbit, Cryptolocker, CryptoWall, PornoBlocker and ZedoPoo.
Ransomware is spread using social engineering tricks via social networking sites and email attachments. It is very similar to the infamous FBI Moneypak virus. Spammed email messages are the major contributor to ransomware propagation.
Ransomware targets the file types that are most valuable to the user: documents, images, photos, etc. While the file extensions a given strain targets can vary per variant, the general list of file extensions targeted for encryption includes:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.pdf, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c
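A defender's first use for a list like the one above is to find out how much of a file share would actually be hit by an Encryptor-class infection, so those files can be prioritised for backup. The following Python script is an added example, not code from the original article or from Thirtyseven4; it copies the pattern list above verbatim, walks a directory tree and reports the matching files grouped by kind. The category names and the sample directory layout are this example's own constructions.

```python
"""Inventory files that fall into the extension set ransomware families target.

Added example, not part of the original article. The pattern list is the one
printed in the article (glob syntax, matched case-insensitively); the directory
tree built by build_sample_tree() is constructed sample data so the script runs
offline. Purpose: show which files on a share an Encryptor would hit so they can
be prioritised for backup and, for key material, for re-issuance planning.
"""
import fnmatch
import os
import tempfile

# Patterns as listed in the article.
TARGETED_PATTERNS = [
    "*.odt", "*.ods", "*.odp", "*.odm", "*.odc", "*.odb", "*.doc", "*.docx", "*.docm",
    "*.wps", "*.xls", "*.xlsx", "*.xlsm", "*.xlsb", "*.xlk", "*.ppt", "*.pptx", "*.pptm",
    "*.mdb", "*.accdb", "*.pst", "*.dwg", "*.dxf", "*.dxg", "*.wpd", "*.rtf", "*.wb2",
    "*.pdf", "*.mdf", "*.dbf", "*.psd", "*.pdd", "*.eps", "*.ai", "*.indd", "*.cdr",
    "*.jpg", "*.jpe", "img_*.jpg", "*.dng", "*.3fr", "*.arw", "*.srf", "*.sr2", "*.bay",
    "*.crw", "*.cr2", "*.dcr", "*.kdc", "*.erf", "*.mef", "*.mrw", "*.nef", "*.nrw",
    "*.orf", "*.raf", "*.raw", "*.rwl", "*.rw2", "*.r3d", "*.ptx", "*.pef", "*.srw",
    "*.x3f", "*.der", "*.cer", "*.crt", "*.pem", "*.pfx", "*.p12", "*.p7b", "*.p7c",
]

# Rough grouping so the report says what kind of data is exposed. These
# categories are the example's own (assumption), not from the article; note
# that the list includes certificate and private-key containers.
CATEGORIES = {
    "credentials": {"der", "cer", "crt", "pem", "pfx", "p12", "p7b", "p7c"},
    "email": {"pst"},
    "databases": {"mdb", "accdb", "mdf", "dbf"},
}


def is_targeted(filename):
    """True if the file name matches any targeted pattern (case-insensitive)."""
    name = filename.lower()
    return any(fnmatch.fnmatchcase(name, pat) for pat in TARGETED_PATTERNS)


def categorize(filename):
    """Map a targeted file to one of the report categories."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    for cat, exts in CATEGORIES.items():
        if ext in exts:
            return cat
    return "documents_and_media"


def inventory(root):
    """Walk root and return {category: [relative paths]} for targeted files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if is_targeted(fn):
                rel = os.path.relpath(os.path.join(dirpath, fn), root)
                hits.setdefault(categorize(fn), []).append(rel)
    for paths in hits.values():
        paths.sort()
    return hits


def build_sample_tree():
    """Create a constructed directory tree of empty-ish files (sample data only)."""
    root = tempfile.mkdtemp(prefix="ransom_inventory_")
    sample = [
        "finance/budget.xlsx", "finance/notes.txt", "hr/contracts.docx",
        "it/server.pfx", "it/ca.pem", "it/setup.exe", "photos/IMG_0001.JPG",
        "mail/archive.pst", "db/customers.mdb",
    ]
    for rel in sample:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for cat, paths in sorted(inventory(sample_root).items()):
        print(f"{cat}: {len(paths)} file(s)")
        for p in paths:
            print("   ", p)
```

Run it against a real share by replacing `build_sample_tree()` with the share's path; the `credentials` bucket is worth reading first, since encrypted `.pfx`/`.pem` files mean key material that may need to be reissued rather than merely restored.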
The following graphics show the events when trying to access an encrypted file:
Above: Shows the error window displayed when attempting to open an encrypted file.
Above: Shows the password prompt required to decrypt the file. In many ransomware cases, the developer of the malware claims a password will be sent if the desired ransom is paid.
Above: Once the malware finishes encrypting the data, it will change the background wallpaper of the desktop to the image of the payment instructions.
Above: An example of CryptoLocker
Ransomware Detections Increasing
Malware writing is big business for cybercriminals, and ransomware creators are fully aware that millions of dollars were extorted in 2014 from helpless victims through this style of malware.
Below are real-world ransomware statistics, based on actual intercepted and prevented infections for Thirtyseven4 Endpoint Security users over the last few months.
“Ransomware Detections” reflects the total number of ransomware detections for the month. In other words, Thirtyseven4 proactively prevented 136,990 infections in January 2015.
“Cryptolocker.Susp Email attachments” is the number of malicious emails stopped by the Thirtyseven4 Email Security module, the channel through which most ransomware infections propagate.
The remaining entries reflect the virus signature associated with the top four ransomware family detections for the month.
Thirtyseven4 Cryptobit Decryption Tool Stats
Another indirect gauge for monitoring ransomware activity is tracking the popularity of the free Thirtyseven4 Cryptobit decryption tool, which was made available to the public in the spring of 2014.
Below is a snapshot of the download data captured:
Number of downloads (as of February 17th, 2015):
Top 5 - Countries requesting downloads (as specified by the user):
1. USA (47.80%)
2. Australia (7.71%)
3. India (5.50%)
4. Czech Republic (4.18%)
5. Italy (4.02%)
Top 5 - States requesting downloads (as specified by the user):
1. California (15.21%)
2. Florida (12.85%)
3. Texas (11.33%)
4. New Jersey (6.64%)
5. Illinois (5.18%)
Top 5 - Antivirus software installed at time of infection (as specified by the user):
1. AVG (19.03%)
2. Norton/Symantec (14.80%)
3. Microsoft/MSE/Forefront (11.18%)
4. Avast (10.42%)
5. McAfee (8.93%)
Tips to avoid a ransomware infection
Install strong antivirus software such as Thirtyseven4 Endpoint Security (which includes the Behavior Detection System as well as other important proactive security modules such as Email Security and Browser Sandbox).
Above: The graphic is the message displayed when the Thirtyseven4 Behavior Detection System proactively blocks a ransomware infection.
The following suggestions are also recommended:
- Ensure that all important software on your machine, such as the operating system, Adobe Reader, Microsoft Office and internet browsers (to name a few), is patched and up to date.
- Keep your machine’s security software up-to-date.
- Avoid clicking URLs and opening unsolicited email attachments, particularly from unknown sources.
- Be careful when using removable devices such as pen drives, external hard disks, etc. These devices may have come from machines not protected by up-to-date security software.
- Always keep a backup of all your important documents using reliable backup software.