Crypto ransomware is rampant. Most variants (CryptoLocker, TeslaCrypt) are malicious binaries that are highly aware of their surroundings and highly polymorphic. Because it can morph on the fly, cryptographic ransomware is extremely difficult for standard signature-based antivirus programs to detect, and equally hard for “anti-malware” products to catch. Intelligent malware requires intelligent endpoint protection that can identify, sandbox, and alert before the encryption actually happens on the endpoint.
Cryptographic ransomware is a class of malicious software with three goals once it has successfully infected a system.
The first goal is to detect whether it is running inside a sandbox or being disassembled. The malware checks the environment for tell-tale signs such as hard drive size (sandboxes are usually small), the uptime of the machine, how many programs are installed, and so on. If the crypto ransomware concludes that the environment is real,
The second goal is to encrypt all of the user’s files, using GPG/PGP, sometimes the author’s own variant of Curve25519, or an entirely custom algorithm written by the author.
The third goal of the ransomware is to spread itself across every network share and neighbouring machine it can reach.
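The first goal above lists the traits ransomware inspects to decide whether it is in a sandbox; the script below, an added defensive example rather than code from the original article, reports those same traits so an analyst can judge whether an analysis VM looks like a throwaway sandbox. The thresholds, the PATH and Program Files proxies for the installed-program count, and the uptime fallback are all assumptions.

```python
"""Sandbox realism check (added example): reports the host traits the article
says ransomware inspects; thresholds and program-count proxies are assumptions."""
import os
import shutil
import sys
import time

# Assumed thresholds: below these a host reads as "sandbox-like".
MIN_DISK_BYTES = 60 * 1024**3      # 60 GiB
MIN_UPTIME_SECONDS = 30 * 60       # 30 minutes
MIN_INSTALLED_PROGRAMS = 40

def assess(disk_bytes: int, uptime_s: float, programs: int) -> list[str]:
    """Return the traits that would make this host look like a sandbox."""
    findings = []
    if disk_bytes < MIN_DISK_BYTES:
        findings.append(f"small disk: {disk_bytes // 1024**3} GiB")
    if uptime_s < MIN_UPTIME_SECONDS:
        findings.append(f"short uptime: {int(uptime_s)} s")
    if programs < MIN_INSTALLED_PROGRAMS:
        findings.append(f"few programs: {programs}")
    return findings

def uptime_seconds() -> float:
    if os.path.exists("/proc/uptime"):  # Linux
        with open("/proc/uptime") as fh:
            return float(fh.read().split()[0])
    if sys.platform == "win32":  # Windows: milliseconds since boot
        import ctypes
        return ctypes.windll.kernel32.GetTickCount64() / 1000.0
    return time.monotonic()  # approximation on other platforms (assumption)

def installed_program_count() -> int:
    """Crude proxy: Program Files entries on Windows, executables on PATH elsewhere."""
    if sys.platform == "win32":
        roots = [os.environ.get(v) for v in ("ProgramFiles", "ProgramFiles(x86)")]
        return sum(len(os.listdir(r)) for r in roots if r and os.path.isdir(r))
    names = set()
    for d in os.environ.get("PATH", "").split(os.pathsep):
        if os.path.isdir(d):
            names.update(n for n in os.listdir(d) if os.access(os.path.join(d, n), os.X_OK))
    return len(names)

def collect() -> list[str]:
    disk = shutil.disk_usage(os.path.abspath(os.sep)).total
    return assess(disk, uptime_seconds(), installed_program_count())

if __name__ == "__main__":
    print("sandbox-like traits:", collect() or "none")
```

Run it inside the analysis VM: every reported trait is one the article says malware uses to decide it is being observed, so an empty list means the VM passes those particular checks.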
Once the crypto malware has infected a machine, it demands payment to decrypt the encrypted files. The demand is usually time-based, with the price rising every hour. The attacker usually asks for payment in Bitcoin, although more recent variants have been seen demanding Monero or Ethereum instead because of the anonymous nature of those cryptocurrencies.
Authors of crypto ransomware usually target large organizations such as hospitals, banks, or cities that cannot afford to lose their data and are willing to pay.
Once criminals gain access to a host, their typical infection chain is to drop a first-stage package that later installs a second-stage locker, which encrypts the whole system.
Standard antivirus that bases its protection on signatures is not enough to defend against an advanced persistent threat like CryptoLocker or its variants.
The infection chain begins with remote command execution that downloads a malicious script, which in turn retrieves the payload from a command and control server known only to the attacker.
The issue is not whether the target chooses to pay the ransom. Remember that once an organization has been infected, the attackers have already started extracting useful data from the compromised machine, and one must now assume that all data on the machine and network has been totally compromised.
This means that network share usernames and passwords, personal information, PCI or payment data, internal passwords, customer information, and more have already been exposed and abused, regardless of whether the ransom is paid.
Generic ransomware is rarely, if ever, targeted. Instead, attackers take a blast approach: they acquire lists of e-mail addresses or compromised websites and send out ransomware in bulk, either through e-mail campaigns or spearphishing.