
Ransomware

Ransomware is a type of malware that prevents or limits users from accessing their system. To make the infected system usable again, the victim is forced to pay a ransom to a remote threat actor through certain online payment methods.

Users may encounter this threat through different means. They may download ransomware unwittingly by visiting malicious or compromised websites, or it may arrive as a payload dropped or downloaded by other malware.

It is important to note, however, that paying the ransom does not guarantee that users will regain access to the infected system.

Once executed on the system, ransomware either (1) locks the computer screen or (2) encrypts predetermined files with a password. In the first scenario, the ransomware shows a full-screen image or notification that prevents victims from using their system, along with instructions on how to pay the ransom. The second type encrypts files such as documents, spreadsheets and other important files so that they cannot be opened until the password or key is supplied.
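As an added example (not code from the original page), the following Python heuristic shows how a defender can spot the second kind of damage, files encrypted in place, without knowing the ransomware family: ciphertext is close to uniformly random, so its byte entropy approaches 8 bits per byte, whereas documents and spreadsheets sit far lower. Because compressed formats (ZIP-based Office files, PNG, PDF) are also high entropy, the check additionally tests whether the file header still matches the extension. The 7.5-bit threshold, the magic-number table and all sample files are assumptions constructed for this example.

```python
"""
Added example, not code from the original page: an entropy heuristic that
flags files which may have been encrypted in place by ransomware.

Ciphertext is close to uniformly random, so its byte entropy approaches
8 bits/byte, while documents and spreadsheets sit far lower. Compressed
formats (ZIP-based Office files, PNG, PDF) are also high entropy, so the check
additionally asks whether the file header still matches its extension.
The 7.5 threshold, the magic table and all sample files are assumptions
constructed for this example.
"""
import hashlib
import math
from collections import Counter

HIGH_ENTROPY = 7.5  # bits per byte; assumed threshold, tune for your environment

# Expected leading bytes of formats that are legitimately high entropy.
MAGIC = {
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(filename: str, data: bytes) -> str:
    """Return 'plaintext', 'compressed' or 'suspect' for one file's contents."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if shannon_entropy(data) < HIGH_ENTROPY:
        return "plaintext"
    magic = MAGIC.get(ext)
    if magic and data.startswith(magic):
        return "compressed"   # high entropy is normal for this format
    return "suspect"          # high entropy and the header no longer matches the extension


def scan(files: dict) -> dict:
    """Classify a mapping of filename -> contents and return filename -> verdict."""
    return {name: classify(name, data) for name, data in files.items()}


def pseudo_random_bytes(n: int, seed: bytes) -> bytes:
    """Deterministic stand-in for ciphertext (a SHA-256 chain) so the demo is repeatable."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: an intact text file, an intact PNG-like file, a document
# whose contents were replaced by ciphertext, and a renamed encrypted text file.
SAMPLES = {
    "budget.txt": b"Quarterly budget review: revenue, cost, margin.\n" * 80,
    "photo.png": b"\x89PNG\r\n\x1a\n" + pseudo_random_bytes(4096, b"png"),
    "contract.docx": pseudo_random_bytes(4096, b"enc1"),
    "budget.txt.locked": pseudo_random_bytes(4096, b"enc2"),
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:20s} {shannon_entropy(SAMPLES[name]):.2f} bits/byte  {verdict}")
```

The actionable signal is a sudden rise in "suspect" verdicts across user directories over a short window, not any single file: archives with unusual extensions will trip the check on their own, so the MAGIC table should be extended to the formats actually in use before the heuristic is trusted.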

Ransomware is considered scareware, as it forces users to pay a fee (the ransom) by scaring or intimidating them. In this sense it is similar to FAKEAV malware, though it uses a different tactic: instead of locking the infected system or encrypting files, FAKEAV coaxes users into purchasing bogus antimalware software by showing fake scan results.

HISTORY
Early Years

The first cases of ransomware infection were seen between 2005 and 2006 in Russia. We first reported on this threat in 2006, when a ransomware variant (detected as TROJ_CRYZIP.A) zipped certain file types into password-protected archives and overwrote the originals, leaving only the password-protected ZIP files on the user's system. It also created a text file that served as the ransom note, informing users that they could retrieve their files in exchange for $300.

During this initial phase, ransomware typically encrypted particular file types (.DOC, .XL, .DLL, .EXE, to name a few).

In 2011, we first reported on an SMS ransomware threat, in which users of infected systems were asked to dial a premium-rate SMS number. Detected as TROJ_RANSOM.QOWA, this variant repeatedly displayed its ransom page until the user paid up by dialing the premium-rate number.

To up the ante, we uncovered ransomware that infects the Master Boot Record (MBR) of the compromised system. By targeting the MBR, this variant prevents the operating system from loading. To do this, the malware saves a copy of the original MBR, overwrites the MBR with its own malicious code, and then automatically restarts the system for the infection to take effect. When the system restarts, the ransomware displays its notification (in Russian) instead of booting the operating system.
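The MBR overwrite just described leaves the partition table intact and replaces only the 446 bytes of boot code that run before the operating system loader, so a defender needs to compare that region against a known-good baseline rather than merely confirm the disk still looks partitioned. The following Python script is an added example (not code from the original page or from Trend Micro) of such a check. It assumes a trusted SHA-256 of the boot-code region was recorded while the system was clean; on a real machine the 512 bytes would be read from the raw disk device with administrator rights, but here both the clean and the tampered MBR images are constructed inline so it runs offline.

```python
"""
Added example, not code from the original page: a baseline check for the
MBR overwrite described above.

Assumptions: a trusted SHA-256 of the boot-code region was recorded while the
system was clean. On a real machine the 512 bytes would be read from the raw
disk (for example \\.\PhysicalDrive0 on Windows or /dev/sda on Linux, both
needing administrator rights); here the MBR images are constructed inline so
the script runs offline.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446           # bytes 0..445 hold the boot code
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow
SIGNATURE_OFFSET = 510         # bytes 510..511 must be 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, partition entries and a signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[SIGNATURE_OFFSET:] == b"\x55\xaa",
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline (possible MBR overwrite)")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged active")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR with one active NTFS partition (sample data, not a real disk)."""
    boot = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    return boot + entry + b"\x00" * 48 + b"\x55\xaa"


# Constructed sample data. The clean image starts with the usual real-mode
# prologue (cli / xor ax,ax / mov ss,ax / mov sp,0x7C00); the tampered one has
# placeholder bytes in the boot-code region and the same partition table.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_SIZE]).hexdigest()  # recorded while clean
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 64)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(f"{label:8s}: {check_mbr(image, BASELINE) or 'OK'}")
```

On the tampered image the partition table parses identically to the clean one, which is why the check hashes the boot-code region; a tool that only validates the partition entries and the 0x55AA signature would report the infected disk as healthy. Recovery is then a matter of writing the saved original MBR back from a known-good backup, not from the copy the malware kept for itself.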

Ransomware Leaps Outside Russia

Ransomware infection was initially limited to Russia, but its popularity and profitable business model soon found their way into other countries across Europe. By March 2012 we had noticed the continuous spread of ransomware infection across Europe, the United States and Canada. Similar to TROJ_RANSOM.BOV, this slew of ransomware displays a notification page purportedly from the victim's local police agency instead of the typical ransom note (see The Rise of Reveton or Police Ransomware below).

We also uncovered a different tactic for spreading ransomware variants. Certain threat actors compromised a popular French confectionery shop's website to serve TROJ_RANSOM.BOV. This watering hole-like tactic resulted in widespread infection in France and Japan (where the shop has a significant fan base). Instead of the usual ransom note, TROJ_RANSOM.BOV displays a fake notice from the French police agency Gendarmerie Nationale.

The Rise of Reveton or Police Ransomware

Reveton (also known as Police Ransomware or the Police Trojan) is a type of ransomware that impersonates law enforcement agencies. These variants typically show a notification page purportedly from the victim's local law enforcement agency, informing them that they were caught doing something illegal or malicious online.

To determine which local law enforcement agency applies to a given user, Reveton variants look up the geographical location of their victims. Thus, affected users in the US receive a notification from the FBI, while those in France are shown a notice from the Gendarmerie Nationale.

Reveton variants also employ different payment methods from those used in early ransomware attacks. Once a system is infected with a Reveton variant, the user is prompted to pay through Ukash, PaySafeCard or MoneyPak. These prepaid payment methods afford the ransomware perpetrators anonymity, as both Ukash and PaySafeCard leave only a faint money trail.

In 2012 we saw different Reveton variants exhibiting new techniques. During the latter part of that year, we reported on variants that play an audio recording in the victim's native language and on another that carried a fake digital certificate.

Future of Ransomware

In our 2013 Security Predictions, we predicted that conventional threats like ransomware are likely to evolve gradually, as cybercriminals focus mainly on refining existing tools. This is partly driven by the ongoing arms race between certain cybercrime groups and security researchers. Because of positive developments in catching these groups, such as the arrests of certain FAKEAV groups and of a key ransomware figure, we can expect ransomware variants to gain new functionality and other improvements in their stealth mechanisms.

Within a couple of years, we have seen ransomware evolve from a threat targeting Russian users into an attack affecting several European and North American countries. With a profitable business model and payment schemes that afford its perpetrators anonymity, we may see more ransomware in the coming years. Thus, it is crucial for users to know how ransomware works and how best to protect themselves from this threat.

What Can Users Do?

Users infected by ransomware should do the following:

Note that some ransomware requires extra removal steps, such as deleting the ransomware's files from the Windows Recovery Console. Be sure to follow all required steps to completely remove the specific ransomware found on your computer.

Prevention

To prevent ransomware infections, keep these things in mind:

  • Back up your files regularly, and keep at least one copy offline so that it cannot be encrypted along with the system.
  • Apply software patches as soon as they become available. Some ransomware arrives via vulnerability exploits.
  • Bookmark trusted websites and access them via those bookmarks.
  • Open email attachments only from trusted sources.
  • Scan your system regularly with anti-malware software.

Trend Micro™ Smart Protection Network™ protects users by blocking this threat at its possible points of infection. Specifically, it prevents access to malicious websites hosting ransomware variants, blocks spam and email messages verified to carry ransomware disguised as attachments, and detects and deletes ransomware variants found on the system.

Below are some Trend Micro products and services that use the Smart Protection Network to combat the ransomware threat:

Latest Notable Ransomware

Below are the latest notable ransomware that Trend Micro analyzed, listed by detection name with the month and year discovered and their notable features:

TROJ_RANSOM.NTW (Feb 2013)
  • Downloaded by exploits taking advantage of CVE-2013-0422
  • Downloaded by the WhiteHole exploit kit

TROJ_REVETON.RG (Jan 2013)
  • Downloaded by the Cool exploit kit
  • Gathers the infected system's IP address, location and ISP; all these details appear in the ransom image

TROJ_REVETON.RJ (Jan 2013)
  • Downloaded by the Cool exploit kit
  • Displays a Police Central e-crime Unit (PCeU) warning, urging the user to pay 100 GBP

TROJ_REVETON.IT (Dec 2012)
  • Shows a "treaty" between anti-malware companies

TROJ_REVETON.HM (Dec 2012)
  • "Speaks": a verbal read-out of the alert, with the language adjusted based on the country setting of the infected computer
