Archive

Archive for the ‘ransomware’ Category

A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017

January 10th, 2018 No comments

Adopting reliable attack methods and techniques borrowed from more evolved threat types, ransomware attained new levels of reach and damage in 2017. The following trends characterize the ransomware narrative in the past year:

  • Three global outbreaks showed the force of ransomware in making real-world impact, affecting corporate networks and bringing down critical services like hospitals, transportation, and traffic systems
  • Three million unique computers encountered ransomware; millions more saw downloader trojans, exploits, emails, websites and other components of the ransomware kill chain
  • New attack vectors, including compromised supply chain, exploits, phishing emails, and documents taking advantage of the DDE feature in Office were used to deliver ransomware
  • More than 120 new ransomware families, plus countless variants of established families and less prevalent ransomware caught by heuristic and generic detections, emerged from a thriving cybercriminal enterprise powered by ransomware-as-a-service

The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms so much more susceptible to ransomware attacks. From June to November, Windows 7 devices were 3.4 times more likely to encounter ransomware compared to Windows 10 devices. Considering that Windows 10 has a much larger install base than Windows 7, this difference in ransomware encounter rate is significant.

Figure 1. Ransomware encounter rates on Windows 7 and Windows 10 devices. Encounter rate refers to the percentage of computers running the OS version with Microsoft real-time security that blocked or detected ransomware.

The data shows that attackers are targeting Windows 7. Given todays modern threats, older platforms can be infiltrated more easily because these platforms dont have the advanced built-in end-to-end defense stack available on Windows 10. Continuous enhancements further make Windows 10 more resilient to ransomware and other types of attack.

Windows 10: Multi-layer defense against ransomware attacks

The year 2017 saw three global ransomware outbreaks driven by multiple propagation and infection techniques that are not necessarily new but not typically observed in ransomware. While there are technologies available on Windows 7 to mitigate attacks, Windows 10s comprehensive set of platform mitigations and next-generation technologies cover these attack methods. Additionally, Windows 10 S, which is a configuration of Windows 10 thats streamlined for security and performance, locks down devices against ransomware outbreaks and other threats.

In May, WannaCry (Ransom:Win32/WannaCrypt) caused the first global ransomware outbreak. It used EternalBlue, an exploit for a previously fixed SMBv1 vulnerability, to infect computers and spread across networks at speeds never before observed in ransomware.

On Windows 7, Windows AppLocker and antimalware solutions like Microsoft Security Essentials and System Center Endpoint Protection (SCEP) can block the infection process. However, because WannaCry used an exploit to spread and infect devices, networks with vulnerable Windows 7 devices fell victim. The WannaCry outbreak highlighted the importance of keeping platforms and software up-to-date, especially with critical security patches.

Windows 10 was not at risk from the WannaCry attack. Windows 10 has security technologies that can block the WannaCry ransomware and its spreading mechanism. Built-in exploit mitigations on Windows 10 (KASLR, NX HAL, and PAGE POOL), as well as kCFG (control-flow guard for kernel) and HVCI (kernel code-integrity), make Windows 10 much more difficult to exploit.

Figure 2. Windows 7 and Windows 10 platform defenses against WannaCry

In June, Petya (Ransom:Win32/Petya.B) used the same exploit that gave WannaCry its spreading capabilities, and added more propagation and infection methods to give birth to arguably the most complex ransomware in 2017. Petyas initial infection vector was a compromised software supply chain, but the ransomware quickly spread using the EternalBlue and EternalRomance exploits, as well as a module for lateral movement using stolen credentials.

On Windows 7, Windows AppLocker can stop Petya from infecting the device. If a Windows 7 device is fully patched, Petyas exploitation behavior did not work. However, Petya also stole credentials, which it then used to spread across networks. Once running on a Windows 7 device, only an up-to-date antivirus that had protection in place at zero hour could stop Petya from encrypting files or tampering with the master boot record (MBR).

On the other hand, on Windows 10, Petya had more layers of defenses to overcome. Apart from Windows AppLocker, Windows Defender Application Control can block Petyas entry vector (i.e., compromised software updater running an untrusted binary), as well as the propagation techniques that used untrusted DLLs. Windows 10s built-in exploit mitigations can further protect Windows 10 devices from the Petya exploit. Credential Guard can prevent Petya from stealing credentials from local security authority subsystem service (LSASS), helping curb the ransomwares propagation technique. Meanwhile, Windows Defender System Guard (Secure Boot) can stop the MBR modified by Petya from being loaded at boot time, preventing the ransomware from causing damage to the master file table (MFT).

Figure 3. Windows 7 and Windows 10 platform defenses against Petya

In October, another sophisticated ransomware reared its ugly head: Bad Rabbit ransomware (Ransom:Win32/Tibbar.A) infected devices by posing as an Adobe Flash installer available for download on compromised websites. Similar to WannaCry and Petya, Bad Rabbit had spreading capabilities, albeit more traditional: it used a hardcoded list of user names and passwords. Like Petya, it can also render infected devices unbootable, because, in addition to encrypting files, it also encrypted entire disks.

On Windows 7 devices, several security solutions technologies can block the download and installation of the ransomware, but protecting the device from the damaging payload and from infecting other computers in the network can be tricky.

With Windows 10, however, in addition to stronger defense at the infection vector, corporate networks were safer from this damaging threat because several technologies are available to stop or detect Bad Rabbits attempt to spread across networks using exploits or hardcoded user names and passwords.

More importantly, during the Bad Rabbit outbreak, detonation-based machine learning models in Windows Defender AV cloud protection service, with no human intervention, correctly classified the malware 14 minutes after the very first encounter. The said detonation-based ML models are a part of several layers of machine learning and artificial intelligence technologies that evaluate files in order to reach a verdict on suspected malware. Using this layered approach, Windows Defender AV protected Windows 10 devices with cloud protection enabled from Bad Rabbit within minutes of the outbreak.

Figure 4. Windows 7 and Windows 10 platform defenses against Bad Rabbit

As these outbreaks demonstrated, ransomware has indeed become a highly complex threat that can be expected to continue evolving in 2018 and beyond. The multiple layers of next-generation security technologies on Windows 10 are designed to disrupt the attack methods that we have previously seen in highly specialized malware but now also see in ransomware.

Ransomware protection on Windows 10

For end users, the dreaded ransom note announces that ransomware has already taken their files hostage: documents, precious photos and videos, and other important files encrypted. On Windows 10 Fall Creators Update, a new feature helps stop ransomware from accessing important files in real-time, even if it manages to infect the computer. When enabled, Controlled folder access locks down folders, allowing only authorized apps to access files.

Controlled folder access, however, is but one layer of defense. Ransomware and other threats from the web can be blocked by Microsoft Edge, whose exploit mitigation and sandbox features make it a very secure browser. Microsoft Edge significantly improves web security by using Windows Defender SmartScreens reputation-based blocking of malicious downloads and by opening pages within low-privilege app containers.

Windows Defender Antivirus also continues to enhance defense against threats like ransomware. Its advanced generic and heuristic techniques and layered machine learning models help catch both common and rare ransomware families. Windows Defender AV can detect and block most malware, including never-before-seen ransomware, using generics and heuristics, local ML models, and metadata-based ML models in the cloud. In rare cases that a threat slips past these layers of protection, Windows Defender AV can protect patient zero in real-time using analysis-based ML models, as demonstrated in a real-life case scenario where a customer was protected from a very new Spora ransomware in a matter of seconds. In even rarer cases of inconclusive initial classification, additional automated analysis and ML models can still protect customers within minutes, as what happened during the Bad Rabbit outbreak.

Windows 10 S locks down devices from unauthorized content by working exclusively with apps from the Windows Store and by using Microsoft Edge as the default browser. This streamlined, Microsoft-verified platform seals common entry points for ransomware and other threats.

Reducing the attack surface for ransomware and other threats in corporate networks

For enterprises and small businesses, the impact of ransomware is graver. Losing access to files can mean disrupted operations. Big enterprise networks, including critical infrastructures, fell victim to ransomware outbreaks. The modern enterprise network is under constant assault by attackers and needs to be defended on all fronts.

Windows Defender Exploit Guard locks down devices against a wide variety of attack vectors. Its host intrusion prevention capabilities include the following components, which block behaviors commonly used in malware attacks:

  • Attack Surface Reduction (ASR) is a set of controls that blocks common ransomware entry points: Office-, script-, and email-based threats that download and install ransomware; ASR can also protect from emerging exploits like DDEDownloader, which has been used to distribute ransomware
  • Network protection uses Windows Defender SmartScreen to block outbound connections to untrusted hosts, such as when trojan downloaders connect to a malicious server to obtain ransomware payloads
  • Controlled folder access blocks ransomware and other untrusted processes from accessing protected folders and encrypting files in those folders
  • Exploit protection (replacing EMET) provides mitigation against a broad set of exploit techniques that are now being used by ransomware authors

Additionally, the industry-best browser security in Microsoft Edge is enhanced by Windows Defender Application Guard, which brings Azure cloud grade isolation and security segmentation to Windows applications. This hardware isolation-level capability provides one of the highest levels of protection against zero-day exploits, unpatched vulnerabilities, and web-based malware.

For emails, Microsoft Exchange Online Protection (EOP) uses built-in anti-spam filtering capabilities that help protect Office 365 customers against ransomware attacks that begin with email. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection.

Integrated security for enterprises

Windows Defender Advanced Threat Protection allows SecOps personnel to stop the spread of ransomware through timely detection of ransomware activity in the network. Windows Defender ATPs enhanced behavioral and machine learning detection libraries flag malicious behavior across the ransomware attack kill-chain, enabling SecOps to promptly investigate and respond to ransomware attacks.

With Windows 10 Fall Creators Update, Windows Defender ATP was expanded to include seamless integration across the entire Windows protection stack, including Windows Defender Exploit Guard, Windows Defender Application Guard, and Windows Defender AV. This integration is designed to provide a single pane of glass for a seamless security management experience.

With all of these security technologies, Microsoft has built the most secure Windows version ever with Windows 10. While the threat landscape will continue to evolve in 2018 and beyond, we dont stop innovating and investing in security solutions that continue to harden Windows 10 against attacks. The twice-per-year feature update release cycle reflects our commitment to innovate and to make it easier to disrupt successful attack techniques with new protection features. Upgrading to Windows 10 not only means decreased risk; it also means access to advanced, multi-layered defense against ransomware and other types of modern attacks.

 

Tanmay Ganacharya (@tanmayg)
Principal Group Manager, Windows Defender Research

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

 

Where’s the Macro? Malware authors are now using OLE embedding to deliver malicious files

June 14th, 2016 No comments

Recently, we’ve seen reports of malicious files that misuse the legitimate Office object linking and embedding (OLE) capability to trick users into enabling and downloading malicious content. Previously, we’ve seen macros used in a similar matter, and this use of OLE might indicate a shift in behavior as administrators and enterprises are mitigating against this infection vector with better security and new options in Office.

In these new cases, we’re seeing OLE-embedded objects and content surrounded by well-formatted text and images to encourage users to enable the object or content, and thus run the malicious code. So far, we’ve seen these files use malicious Visual Basic (VB) and JavaScript (JS) scripts embedded in a document.

The script or object is surrounded by text that encourages the user to click or interact with the script (which is usually represented with a script-like icon). When the user interacts with the object, a warning prompts the user whether to proceed or not. If the user chooses to proceed (by clicking Open), the malicious script runs and any form of infection can occur.

Packager warning

Figure 1: Warning message prompts the users to check whether they should open the script or not.

It’s important to note that user interaction and consent is still required to execute the malicious payload. If the user doesn’t enable the object or click on the object – then the code will not run and an infection will not occur.

Education is therefore an important part of mitigation – as with spam emails, suspicious websites, and unverified apps. Don’t click the link, enable the content, or run the program unless you absolutely trust it and can verify its source.

In late May 2016, we came across the following Word document (Figure 2) that used VB script and language similar to that used in CAPTCHA and other human-verification tools.

 

Screenshot of an invitation to unlock contents

Figure 2: Invitation to unlock contents

 

It’s relatively easy for the malware author to replace the contents of the file (the OLE or embedded object that the user is invited to double-click or activate). We can see this in Figure 3, which indicates the control or script is a JS script.

A screenshot of a possible JavaScript variant

Figure 3: Possible JavaScript variant

 

The icon used to indicate the object or content can be just about anything. It can be a completely different icon that has nothing to do with the scripting language being used – as the authors can use any pictures and any type

Screenshot of an embedded object variant

Figure 4: Embedded object variant

 

It’s helpful to be aware of what this kind of threat looks like, what it can look like, and to educate users to not enable, double-click, or activate embedded content in any file without first verifying its source.

Technical details – downloading and decrypting a binary

On the sample we investigated, the contents of the social engineering document is a malicious VB script, which we detect as TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs. This sample also distinguishes itself from the typical download-and-execute routine common to this type of infection vector – it has a “decryption function”.

This malicious VB script will download an encrypted binary, bypassing any network-based protection designed to recognize malicious formats and block them, decrypt the binary, and then run it. Figure 5 illustrates the encrypted binary we saw in this sample.

Screenshot of the encrypted binary

Figure 5: The encrypted binary

 

The embedded object or script downloads the encrypted file to %appdata% with a random file name, and proceeds to decrypt it using the script’s decryption function (Figure 6).

Screenshot of the decryption process, part 1

Screenshot of the decryption process, part 2

Screenshot of the decryption process, part 3

Figure 6: Decryption process

Lastly, it executes the now-decrypted binary, which in this example was Ransom:Win32/Cerber.

Screenshot of the decrypted Win32 executable

Figure 7: Decrypted Win32 executable

Prevalence

Our data shows these threats (TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs) are not particularly prevalent, with the greatest concentration in the United States.

We’ve also seen a steady decline since we first discovered it in late May 2016.

Worldwide prevalence of TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs

Figure 8: Worldwide prevalence

Daily prevalence of TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs

Figure 9: Daily prevalence

 

Prevention and recovery recommendations

Administrators can prevent activation of OLE packages by modifying the registry key HKCUSoftwareMicrosoftOffice<Office Version><Office application>SecurityPackagerPrompt.

The Office version values should be:

  • 16.0 (Office 2016)
  • 15.0 (Office 2013)
  • 14.0 (Office 2010)
  • 12.0 (Office 2007)

 

Setting the value to 2 will cause the  to disable packages, and they won’t be activated if a user tries to interact with or double-click them.

The value options for the key are:

  • 0 – No prompt from Office when user clicks, object executes
  • 1 – Prompt from Office when user clicks, object executes
  • 2 – No prompt, Object does not execute

You can find details about this registry key the Microsoft Support article, https://support.microsoft.com/en-us/kb/926530

 

See our other blogs and our ransomware help page for further guidance on preventing and recovering from these types of attacks:

 

 

Alden Pornasdoro

MMPC

 

Link (.lnk) to Ransom

May 27th, 2016 No comments

We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior. This ransom leverages removable and network drives to propagate itself and affect more users. We detect this ransomware as Ransom:Win32/ZCryptor.A.

 

Infection vector

Ransom:Win32/ZCryptor.A  is distributed through the spam email infection vector. It also gets installed in your machine through other macro malware*, or fake installers (Flash Player setup).

Once ZCryptor is executed, it will make sure it runs at start-up:

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun

zcrypt = {path of the executed malware}

 

It also drops autorun.inf in removable drives, a zycrypt.lnk in the start-up folder:

%User Startup%zcrypt.lnk

..along with a copy of itself as {Drive}:system.exe and %appdata%zcrypt.exe, and changes the file attributes to hide itself from the user in file explorer.

For example: c:usersadministratorappdataroamingzcrypt.exe

Payload

This ransomware will display the following ransom note to users in a dropped HTML file How to decrypt files.html:

Screenshot of Win32/ZCryptor.A  ransom note

 

It will also target, encrypt files with the following extension, and change the file extension to .zcrypt once it is done (for example,<originalfilename.zcrypt>):

.accdb .dwg .odb .raf
.apk .dxg .odp .raw
.arw .emlx .ods .rtf
.aspx .eps .odt .rw2
.avi .erf .orf .rwl
.bak .gz .p12 .sav
.bay .html .p7b .sql
.bmp .indd .p7c .srf
.cdr .jar .pdb .srw
.cer .java .pdd .swf
.cgi .jpeg .pdf .tar
.class .jpg .pef .tar
.cpp .jsp .pem .txt
.cr2 .kdc .pfx .vcf
.crt .log .php .wb2
.crw .mdb .png .wmv
.dbf .mdf .ppt .wpd
.dcr .mef .pptx .xls
.der .mp4 .psd .xlsx
.dng .mpeg .pst .xml
.doc .msg .ptx .zip
.docx .nrw .r3d .3fr

 

Infected machines are noticed to have zcrypt1.0 mutex. The mutex denotes that an instance of this ransomware is already running in the infected machine.

We have also seen a connection to the following URL. However, the domain is already down when we were testing:

http://<obfuscated>/rsa/rsa.php?computerid={Computer_ID} where the {Computer_ID} is entry found inside a dropped file %AppData%cid.ztxt

For example, c:usersadministratorappdataroamingcid.ztxt

Prevention

To help stay protected:

  • Keep your Windows Operating System and antivirus up-to-date.  Upgrade to Windows 10.
  • Regularly back-up your files in an external hard-drive
  • Enable file history or system protection. In your Windows 10 or Windows 8.1 devices, you must have your file history enabled and you have to setup a drive for file history
  • Use OneDrive for Business
  • Beware of phishing emails, spams, and clicking malicious attachment
  • Use Microsoft Edge to get SmartScreen protection. It will prevent you from browsing sites that are known to be hosting exploits, and protect you from socially-engineered attacks such as phishing and malware downloads.
  • Disable the loading of macros in your Office programs
  • Disable your Remote Desktop feature whenever possible
  • Use two factor authentication
  • Use a safe internet connection
  • Avoid browsing web sites that are known for being malware breeding grounds (illegal download sites, porn sites, etc.)

Detection

Recovery

In Office 365’s How to deal with ransomware blog, there are several options on how one can remediate or recover from a ransomware attack. Here are some of the few that are applicable for a home user or those in the information industry like you:

  1. Make sure you have backed-up your files.
  2. Recover the files in your device. If you have previously turned File History on in Windows 10 and Windows 8.1 devices or System Protection in Windows 7 and Windows Vista devices, you can (in some cases) recover your local files and folders.

To restore your files or folders in Windows 10 and Windows 8.1:

  • Swipe in from the right edge of the screen, tap Search (or if you’re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search). Enter “restore your files” in the search box, and then tap or click Restore your files with File History.
  • Enter the name of file you’re looking for in the search box, or use the left and right arrows to browse through different versions of your folders and files.
  • Select what you want to restore to its original location, and then tap or click the Restore button. If you want to restore your files onto a different location than the original, press and hold, or right-click the Restore button, tap or click Restore To, and then choose a new location.

Source: Restore files or folders using File History

To restore your files in Windows 7 and Windows Vista

  • Right-click the file or folder, and then click Restore previous versions. You’ll see a list of available previous versions of the file or folder. The list will include files saved on a backup (if you’re using Windows Backup to back up your files) as well as restore points. Note: To restore a previous version of a file or folder that’s included in a library, right-click the file or folder in the location where it’s saved, rather than in the library. For example, to restore a previous version of a picture that’s included in the Pictures library but is stored in the My Pictures folder, right-click the My Pictures folder, and then click Restore previous versions. For more information about libraries, see Include folders in a library.
  • Before restoring a previous version of a file or folder, select the previous version, and then click Open to view it to make sure it’s the version you want. Note: You can’t open or copy previous versions of files that were created by Windows Backup, but you can restore them.
  • To restore a previous version, select the previous version, and then click Restore.

Warning: The file or folder will replace the current version on your computer, and the replacement cannot be undone. Note: If the Restore button isn’t available, you can’t restore a previous version of the file or folder to its original location. However, you might be able to open it or save it to a different location.

Source: Previous versions of files: frequently asked questions

Important: Some ransomware will also encrypt or delete the backup versions and will not allow you to do the actions described before. If this is the case, you need to rely on backups in external drives (not affected by the ransomware) or OneDrive (Next step).

Warning: If the folder is synced to OneDrive and you are not using the latest version of Windows, there might be some limitations using File History.

  1. Recover your files in your OneDrive for Consumer
  2. Recover your files in your OneDrive for Business

If you use OneDrive for Business, it will allow you to recover any files you have stored in it. You can use either of the following options:

Restore your files using the Portal

Users can restore previous version of the file through the user interface. To do this you can:

1. Go to OneDrive for Business in the office.com portal

2. Right click the file you want to recover, and select Version History.

3. Click the dropdown list of the version you want to recover and select restore

 

If you want to learn more about this feature, take a look at the Restore a previous version of a document in OneDrive for Business support article.

Create a Site Collection Restore service request

If a large number of files were impacted, using the user interface in the portal will not be a viable option. In this case, create a support request for a ‘Site Collection Restore’. This request can restore up to 14 days in the past. To learn how to do this please take a look at the Restore Option in SharePoint Online blog post.

 

*Related macro malware information:

 

Edgardo Diaz and Marianne Mallen

Microsoft Malware Protection Center (MMPC)

The 5Ws and 1H of Ransomware

May 19th, 2016 No comments

For the past three months, we have seen ransomware hop its way across globe. Majority of the ransomware incidents are found in the United States, then Italy, and Canada.

Ransomware geographical distribution for from February to April 2016

The prevalence of large-scale ransomware incidents led the United States and Canadian governments to issue a joint statement about ransomware. Due to the global ransomware incidents, the Swiss government along with some industry players will also hold the Ransomware InfoDay today, May 19, 2016, as part of the ransomware awareness campaigns.

The following table shows the top 20 countries where ransomware is most prevalent.

Top 20 countries with the most prevalent ransomware incidents

This blog answers the frequently asked questions (who, what, where, when, why, and how) about a malware with an effect so tangible that it manages to lock your files, extort money from you, and disrupt important public and private operations.

Case in point: RANSOMWARE

 

Whom does it affect?

You! Do you use any mobile devices, PC, laptop, or the internet for surfing, emailing, working, or shopping online?Who could be a ransomware victim?

If yes, then you are a potential ransomware victim. Ensure that precautionary measures are taken, see the Prevention section for details.

 

 

What is ransomware?

Ransomware is a malware that stealthily gets installedWhat is ransomware? in your PC or mobile device and holds your files or operating system functions for ransom. It restricts you from using your PC or mobile device, and fromaccessing your files (files are sometimes locked or encrypted), unless you pay the ransom (in exchange for file decryption).

Paying the ransom (either through credit card or Bitcoins) however, does not guarantee that you’ll get your files back. Prevention is still way better than allowing yourself to be infected and then trying to find a cure. See our Ransomware page for details.

 

 

What does a ransomware attack look like?

Ransomware targets your pictures, documents, files, and data that are personally invaluable.

You can tell that you are under attack when you see any of the following:

  • Ransomware note
  • Encrypted files
  • Renamed files
  • Locked browser
  • Locked screen

However, the ransomware attack symptom varies from one ransomware type to another:

Sample ransomware lockscreens and ransom notes

 

What!?! There are several ransomware types?

Yes. From the time that it first surfaced in 1989, ransomware morphed into different forms as it assimilates to people’s computing habits, leverage recent technologies, and monetization strategies available.

There are two types of ransomware – lockscreen ransomware and encryption ransomware.

  • Lockscreen ransomware shows a full-screen message that prevents you from accessing your PC or files. It says you have to pay money (a “ransom”) to get access to your PC again.
  • Encryption ransomware changes your files so you can’t use them. It does this by encrypting the files – see the Details for enterprises section if you’re interested in the technologies and techniques we’ve seen.

Older versions of ransom usually claim you have done something illegal with your PC, and that you are being fined by a police force or government agency.

These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your PC.

Ransomware history from 1989 to 2016

 

Where can a ransomware attack happen?

R_consumer7Computers and mobile devices.

Ransomware employs its encryption and monetization strategies across PC and mobile devices.

 

 

 

 

When can a ransomware attack start?Ransomware attack workflow

Potential victims can fall into the ransomware trap if they are:

  • Browsing untrusted websites
  • Not careful about downloading or opening file attachments which are known to contain malicious code from spam emails. That also includes compressed files or files inside archives. Some possible attachments can be:
    • Executables (.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .hlp, .ht, .hta, .inf, .ins, .isp, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .pcd, .reg, .scr, .sct, .shs, .url, .vb, .vbe, .vbs, .wsc, .wsf, .wsh, .exe, .pif, etc.)
    • Office files that support macros (.doc, .xls, .docm, .xlsm, .pptm, etc.)
  • Installing pirated software, outdated software programs or operating systems
  • Using a PC that is connected to an already infected network

 

Why do malware perpetrators victimize people with ransomware?

Because they have malicious or criminal intentions, and see it as an easy way to make money. They take advantage of people’s ignorance, unpatched software vulnerability, or zero-day vulnerability.

Ransomware in the news affecting crucial public and private services

 

On the other hand, it mars an enterprise company’s security and reputation as some ransomware incidents halt crucial services such as hospitals – thus forcing infected users to pay up if they haven’t backed up their data.

Why must you educate yourself about ransomware?

Because it can take your hard-earned money in exchange of the stuff you already own – your data or files!! Exxroute ransomware, for example, demands $500 and doubles the ransom as you delay the payment. It also starts deleting your files if you delay the payment.

It can also violate your privacy, disrupt your work or personal life, and possibly harm your reputation.

If the ransomware perpetrators are cashing in on people’s ignorance, then educating yourself about it can help disrupt their business.

Download the ransomware infographics here.

How can you avoid and bounce from a ransomware attack?

Prevention

  • Keep your Windows Operating System and antivirus up-to-date.  Upgrade to Windows 10.
  • Regularly back-up your files in an external hard-drive.
  • Enable file history or system protection. In your Windows 10 or Windows 8.1 devices, you must have your file history enabled and you have to setup a drive for file history.
  • Use OneDrive for Consumer or for Business.
  • Beware of phishing emails, spams, and clicking malicious attachment.
  • Use Microsoft Edge to get SmartScreen protection. It will prevent you from browsing sites that are known to be hosting exploits, and protect you from socially-engineered attacks such as phishing and malware downloads.
  • Disable the loading of macros in your Office programs.
  • Disable your Remote Desktop feature whenever possible.
  • Use two factor authentication.
  • Use a safe and password-protected internet connection.
  • Avoid browsing web sites that are known for being malware breeding grounds (illegal download sites, porn sites, etc.).

Detection

Recovery

In Office 365’s How to deal with ransomware blog, there are several options on how one can remediate or recover from a ransomware attack. Here are some of the few that are applicable for a home user or those in the information industry like you:

  1. Make sure you have backed-up your files.
  2. Recover the files in your device. If you have previously turned File History on in Windows 10 and Windows 8.1 devices or System Protection in Windows 7 and Windows Vista devices, you can (in some cases) recover your local files and folders.

To restore your files or folders in Windows 10 and Windows 8.1:

  • Swipe in from the right edge of the screen, tap Search (or if you’re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search). Enter “restore your files” in the search box, and then tap or click Restore your files with File History.
  • Enter the name of file you’re looking for in the search box, or use the left and right arrows to browse through different versions of your folders and files.
  • Select what you want to restore to its original location, and then tap or click the Restore button. If you want to restore your files onto a different location than the original, press and hold, or right-click the Restore button, tap or click Restore To, and then choose a new location.

Source: Restore files or folders using File History

To restore your files in Windows 7 and Windows Vista

  • Right-click the file or folder, and then click Restore previous versions. You’ll see a list of available previous versions of the file or folder. The list will include files saved on a backup (if you’re using Windows Backup to back up your files) as well as restore points. Note: To restore a previous version of a file or folder that’s included in a library, right-click the file or folder in the location where it’s saved, rather than in the library. For example, to restore a previous version of a picture that’s included in the Pictures library but is stored in the My Pictures folder, right-click the My Pictures folder, and then click Restore previous versions. For more information about libraries, see Include folders in a library.
  • Before restoring a previous version of a file or folder, select the previous version, and then click Open to view it to make sure it’s the version you want. Note: You can’t open or copy previous versions of files that were created by Windows Backup, but you can restore them.
  • To restore a previous version, select the previous version, and then click Restore.

Warning: The file or folder will replace the current version on your computer, and the replacement cannot be undone. Note: If the Restore button isn’t available, you can’t restore a previous version of the file or folder to its original location. However, you might be able to open it or save it to a different location.

Source: Previous versions of files: frequently asked questions

Important: Some ransomware will also encrypt or delete the backup versions and will not allow you to do the actions described before. If this is the case, you need to rely on backups in external drives (not affected by the ransomware) or OneDrive (Next step).

Warning: If the folder is synced to OneDrive and you are not using the latest version of Windows, there might be some limitations using File History.

3. Recover your files in your OneDrive for Consumer.

4. Recover your files in your OneDrive for Business.

If you use OneDrive for Business, it will allow you to recover any files you have stored in it. You can use either of the following options:

Restoring the files using the Portal

Users can restore previous version of the file through the user interface. To do this you can:

1. Go to OneDrive for Business in the office.com portal.

2. Right click the file you want to recover, and select Version History.

3. Click the dropdown list of the version you want to recover and select restore.

 

If you want to learn more about this feature, take a look at the Restore a previous version of a document in OneDrive for Business support article.

Site Collection Restore service request

If a large number of files were impacted, using the user interface in the portal will not be a viable option. In this case, create a support request for a ‘Site Collection Restore’. This request can restore up to 14 days in the past. To learn how to do this please take a look at the Restore Option in SharePoint Online blog post.

 

Microsoft Malware Protection Center

 

Malicious macro using a sneaky new trick

May 18th, 2016 No comments

We recently came across a file (ORDER-549-6303896-2172940.docm, SHA1: 952d788f0759835553708dbe323fd08b5a33ec66) containing a VBA project that scripts a malicious macro (SHA1: 73c4c3869304a10ec598a50791b7de1e7da58f36). We added it under the detection TrojanDownloader:O97M/Donoff – a large family of Office-targeting macro-based malware that has been active for several years (see our blog category on macro-based malware for more blogs).

However, there wasn’t an immediate, obvious identification that this file was actually malicious. It’s a Word file that contains seven VBA modules and a VBA user form with a few buttons (using the CommandButton elements).

Screenshot of VBA script editor showing the user form and list of modules

The VBA user form contains three buttons

 

The VBA modules look like legitimate SQL programs powered with a macro; no malicious code found there … However, after further investigation we noticed a strange string in the Caption field for CommandButton3 in the user form.

It appeared to be some sort of encrypted string.

We went back and reviewed the other modules in the file, and sure enough – there’s something unusual going on in Module2. A macro there (UsariosConectados) decrypts the string in the Caption field for CommandButton3, which turns out to be a URL. It uses the deault autoopen() macro to run the entire VBA project when the document is opened.

Screenshot of the VBA macro script in Module2 that decrypts the Caption string

The macro script in Module2 decrypts the string in the Caption field

 

The macro will connect to the URL (hxxp://clickcomunicacion.es/<uniqueid>) to download a payload which we detect as Ransom:Win32/Locky (SHA1: b91daa9b78720acb2f008048f5844d8f1649a5c4).

The VBA project (and, therefore, the macro) will automatically run if the user enables macros when opening the file – our strongest suggestion for the prevention of Office-targeting macro-based malware is to only enable macros if you wrote the macro yourself, or completely trust and know the person who wrote it.

See our threat intelligence report on macros and our macro-based malware page for further guidance on preventing and recovering from these types of attacks.

-Marianne Mallen and Wei Li
MMPC

Gamarue, Nemucod, and JavaScript

May 9th, 2016 No comments

JavaScript is now being used largely to download malware because it’s easy to obfuscate the code and it has a small size. Most recently, one of the most predominant JavaScript malware that has been spreading other malware is Nemucod.

This JavaScript trojan downloads additional malware (such as Win32/Tescrypt and Win32/Crowti – two pervasive ransomware trojans that have been doing the rounds for a few years[1] – and Win32/Fareit) and installs it on a victim’s system through spam email.

Recently, however, we’ve seen another version of Nemucod distributing Gamarue malware to users.

Gamarue, also known as “Andromeda bot”, has been known to arrive through exploit kits, other executable malware downloaders (including Win32/Dofoil and Win32/Beebone), removable drives, and through that old stand-by: spam campaigns.

The shift to a JavaScript-obfuscated downloader might be an attempt by the malware authors to evade the increasing detection capabilities and sophistication in antimalware products.

A quick look into the obfuscated JavaScript code shows us that, aside from the encrypted strings, it uses variables with random names to hide its real code.

Sample of an obfuscated JavaScript code

Figure 1: Obfuscated code

 

The decrypted code is shown in the following image:

Sample of a decrypted JavaScript previously-obfuscated code

Figure 2: De-obfuscated code

 

Nemucod is known to have different hashes for each variant. For this one particular hash, since the detection was written in early April, 2016, it reached in total of 982 distinct machines with 4,192 reports – which indicates the number of Gamarue installations that could have occurred if it was not detected.

Nemucod detection rate

Figure 3:  Nemucod detection rate

 

Gamarue has been observed stealing vital information from your PC. It can also accept commands from a command and control (C&C) server. Depending on the commands received, a malicious hacker can perform various actions on the machine. See our family description of Win32/Gamarue for more information.

 

 

Nemucod impact

Since the start of 2016, Nemucod has risen in prevalence.

Rising Nemucod prevalence trend

Figure 4:  Rising Nemucod prevalence trend shows that it peaked on April

 

For the top 10 countries for Nemucod detections, the US takes a third, followed by Italy and Japan. The spread of infections is quite widespread across the globe.

Nemucod geoloc distribution from January to April 2016

Figure 5: Majority of the Nemucod infections are seen in the United States

Overall, however, it still remains relatively low, especially when compared to Gamarue.

 

Gamarue impact

Unlike Nemucod, Gamarue detections started high and have remained high since late last year. Overall, numbers have dropped a small amount since the start of 2016. Interestingly, there are large troughs during every weekend, with a return to higher numbers on Monday. This can indicate that Gamarue is especially pervasive either in enterprises, or in spam email campaigns.

Gamarue prevalence chart shows steady pattern from January to April 2016

Figure 6: The Gamarue infection trend shows a steady pattern

 

For Gamarue, the top 10 countries see distribution largely through India, Asia, Mexico, and Pakistan.

Gamarue geoloc distribution from January to April 2016

Figure 7: Majority of the Gamarue infection hits third world countries

 

Mitigation and prevention

To help stay protected from Nemucod, Gamarue, and other threats, use Windows Defender for Windows 10, or other up-to-date real-time product as your antimalware scanner.

Use advanced threat and cloud protection

You can boost your protection by using Office 365 Advanced Threat Protection and enabling Microsoft Active Protection Service (MAPS).

Office 365 helps by blocking dangerous email threats; see Overview of Advanced Threat Protection in Exchange: new tools to stop unknown attacks, for details.

MAPS uses cloud protection to help guard against the latest malware threats. You should check if MAPS is enabled on your PC.

Some additional preventive measures that you or your administrators can proactively do:

 

———————————————————————–

[1] We’ve published a number of blogs about Crowti, including:

It was also featured in the July 2015 version of the Malicious Software Removal Tool (MSRT):

 

Donna Sibangan

MMPC

 

 

No mas, Samas: What’s in this ransomware’s modus operandi?

March 18th, 2016 No comments

We’ve seen how ransomware managed to become a threat category that sends consumers and enterprise reeling when it hits them.  It has become a high-commodity malware that is used as payload to spam email, macro malware, and exploit kit campaigns. It also digs onto victims’ pockets in exchange for recovering files from their encrypted form.  This is where Crowti, Tescrypt, Teerac, and Locky have been very active at.

We’ve also observed some malware authors providing a different method of distribution in the black market called ransom-as-a-service (RaaS).  Malicious actors use RaaS to download the ransomware app builder and customize them accordingly.  We’ve seen two threats,  Sarento and Enrume, built through this type of service and deployed to infect machines during the second half of 2015.

 

How Samas is different from other ransomware?

 

Ransom:MSIL/Samas, which surfaced in the past quarter, has a different way of getting into the system – it has a more targeted approach of getting installed.  We have observed that this threat requires other tools or components to aid its deployment:

Figure 1:  Ransom:MSIL/Samas infection chain 

Samas ransomware’s tools of trade

 

The Samas infection chain diagram illustrates how Ransom:MSIL/Samas gets into the system.   It starts with a pen-testing/attack server searching for potential vulnerable networks to exploit with the help of a publicly-available tool named reGeorg, which is used for tunnelling.

Java-based vulnerabilities were also observed to have been utilized, such as direct use of unsafe JNI with outdated JBOSS server applications.

It can use other information-stealing malware (Derusbi/Bladabindi) to gather login credentials as well.  When it has done so, it will list the stolen credentials into a text file, for example, list.txt, and use this to deploy the malware and its components through a third party tool named psexec.exe through batch files that we detect as Trojan:BAT/Samas.B and Trojan:BAT/Samas.C.

One of the batch files that we detect as Trojan:Bat/Samas.B also deletes the shadow files through the vssadmin.exe tool.

Trojan:MSIL/Samas.A usually takes  the name of delfiletype.exe or sqlsrvtmg1.exe and does the following:

  1. Look for certain file extensions that are related to backup files in the system.
  2. Make sure they are not being locked up by other processes, otherwise, the trojan terminates such processes.
  3. Delete the backup files.

Ransom:MSIL/Samas demonstrates typical ransomware behavior by encrypting files in the system using AES algorithm and renaming the encrypted file with extension encrypted.RSA. It displays the ransom note when it has encrypted the files and will delete itself with the help of a binary in its resource named del.exe.

Figure 2: Click to enlarge the image so you can see the Samas ransom message clearly.

 

So far, we’ve seen a new Ransom:MSIL/Samas variant that shows signs of changing its code from the simple ASCII strings to more hex encoded characters possibly to better evade detection from security vendors.  An example below shows that the files extension names to encrypt has been converted to hex strings:


Figure 3:  Version 1 – Ransom:MSIL/Samas.A

 

Figure 4: Version 2 – Ransom:MSIL/Samas.B

 

It has also changed from using WordPress as its decryption service site, hxxps://lordsecure4u.wordpress.com, and moved on to a more obscure Tor site to help anonymize itself, hxxp://wzrw3hmj3pveaaqh.onion/diana.

Figure 5: Majority of the Ransom:MSIL/Samas infections are detected in North America, and a few instances in Europe

 

Mitigation and prevention

But yes, you can say no mas (translation from Spanish: no more) to Samas ransomware.

To help prevent yourself from falling prey to Samas or other ransomware attacks, use Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.

Though ransomware and macro-based malware are on the rise, there’s still something that you or your administrators can proactively do:

 

Marianne Mallen

MMPC

 

The three heads of the Cerberus-like Cerber ransomware

March 10th, 2016 No comments

Early this month, we saw a new ransomware family that launches a three-prong attempt to get you to hand over your hard-earned cash.

Called “Cerber” (it replaces file extensions with .cerber), we like to think of this three-prong approach as a nod to the mythical multiple-headed hound, Cerberus.

The attack starts with a text-to-speech (TTS) synthesized recording of a text message:

  • Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!

While it’s not terribly original, originality doesn’t count for much in malware circles – if something works (that “something” usually forcing victims to pay money or lose data), then everyone just jumps on the bandwagon and before you know it, bam macros are being used to deliver malware.

So perhaps expect to see a lot more synthesized, robotic-sounding messages making the rounds, attempting to steal your data and money.

The use of audio files as part of a ransomware attack isn’t particularly new, Tobfy was doing it way back in 2014, but the rise of TTS through the popularity of Cortana, Siri, and Android Now might see a new (easier) way for ransomware authors to annoy their victims into paying, if only to quiet the constant TTS announcement at every logon.

In Cerber’s case, it uses a VisualBasic Script (.vbs file) to call the Microsoft Speech API (SAPI) SpVoice.Speak method at every start up.

VB script used to call the SAPI Speak method

If the API can’t call the speech synthesizer, you’ll see an error message similar to this:

Error returned when TTS is disabled or not available

The other “prongs” in the attack are the usual flavor of current ransomware notices – a simple .html page or .txt file is opened using the native handler. The files include instructions to download the Tor browser, connect to a specific Tor site and start transferring some Bitcoins. It might display the ransom notes in different languages, based on the victim’s IP geolocation.

HTML page with ransom payment instructions

Plain text file with ransom payment instructions

Ransomware has come a long way from the non-encrypting lockscreen FBI and national police authority scare warnings, and this newer “low-cost approach” is both frustrating and effective.

Unlike other current ransomware (like Crowti) it completely renames the extension and the file name for files it targets. It’s also very selective in choosing the folders where it won’t infect. The list of folders it avoids mostly includes system folders, such as Program Files, the Users folder, the Recycle Bin and various others. It does, however, encrypt files in folders in network shares, and in all drives on the machine, and uses RSA encryption.

The list of file types it targets is extensive, and includes common types such as Office documents, some database files (including .sql, and .sqlite), and archive files (for example, .rar and .zip).

It stores configuration data in JSON format, which it decrypts and loads directly to memory at run time. The data includes:

  • The list of file extensions it targets
  • The folders it avoids
  • The public RSA key used for encryption (the private key is stored on the attacker’s server)
  • The mutex name format
  • The .html and .txt content used in the ransom note
  • The IP of a server it sends statistical data to

See our malware encyclopedia entry for details on the file types and folders it targets.

Encrypted files are given a randomized jumble of 10 characters for the file name, and the extension is changed to .cerber. Therefore, a file called kawaii.png could be renamed to something like 5kdAaBbL3d.cerber.

The instructions presented to a victim will lead them to a website where they can choose their language (considerate!) and must enter a CAPTCHA or anti-spambot challenge (ironic!). The language-choice page begins with an instruction to “choose your language”. This phrase rotates between the 12 languages the user can choose from.

Choice of 12 languages

CAPTCHA to access the payment site

After they’ve passed these gates, the site provides details on how the victim can obtain and transfer Bitcoins to the attackers. There will be a “special price” that increases based on how quickly the victim pays the ransom, which is reminiscent of Crowti and others.

Cerber payment site, requesting Bitcoin

Our strongest suggestion to prevent attacks from Cerber and other ransomware remains the same: use Windows Defender as your antimalware client, and ensure that MAPS has been enabled.

Both ransomware and macro-based malware are on the rise, users can disable the loading of macros in Office programs, and administrators can disable macro loading using Group Policy settings.

Categories: ransomware Tags:

Locky malware, lucky to avoid it

February 24th, 2016 No comments

You may have seen reports of the Locky malware circulating the web; we think this is a good time to discuss its distribution methods, and reiterate some best-practice methods that will help prevent infection.

We’ve seen Locky being distributed by spam email, not in itself a unique distribution method, but this means that spreading is broad and not isolated to any particular region. This ransomware knows no borders, and we’ve seen high infection rates across the world.
The Locky email attachment usually arrives as a Word document, but could also be an Excel document, that appears to be an invoice. We’ve also seen the following downloaders distribute Ransom:Win32/Locky.A:

If you open this file and allow the macro to run, the malware is downloaded and runs on your PC, encrypting your files. A ransom message is then displayed demanding payment in order to unlock your encrypted files. Note that once your files are encrypted, the only guaranteed way to restore them is from backup. Microsoft does not recommend you pay the ransom; there is no guarantee that this will give you access to your files.

While Microsoft detects and removes Locky, we recommend you disable macros to help prevent this and other macro-downloaded threats from infecting your PC, and then only enable macros that you trust, on a case-by-case basis. To help keep your enterprise secure, consider using a trusted location for files in your enterprise, then you can store documents that require macros there.  You can also use our cloud protection services to help boost your protection; this, and other advice on how to help keep your PC protected are outlined below.

 

Disable all except digitally signed macros in Microsoft Word

To help prevent malicious files from running macros that might download malware automatically, we recommend you change your settings to disable all except digitally signed macros.

To do this:

1. Open a Microsoft Word document.
2. Click the File tab.
3. Click Options.
4. In the Trust Center, click Trust Center Settings.

Trust Center settings

5. Select Disable all macros except digitally signed macros.

Macro settings in Trust Center

6. Click OK.

 

Block macros from running in Office files from the Internet in your enterprise

Office 16 provides a Group Policy setting that enables you to block macros from running in Word, Excel and PowerPoint files from the Internet. Read about how to block macros from running in Office 16 files from the Internet.

 

Only enable trusted content

If you have disabled macros, when you open a file that has macros you’ll see a message bar similar to the following:

Enable macro message

Only click Enable Content if you trust the file, that is, you know where it’s from and are certain that running the macro is harmless.

 

Use advanced threat and cloud protection

You can boost your protection by using Office 365 Advanced Threat Protection and also enabling Microsoft Active Protection Service (MAPS).

Office 365 helps by blocking dangerous email threats; see the Overview of Advanced Threat Protection in Exchange: new tools to stop unknown attacks, for details.

MAPS uses cloud protection to help guard against the latest malware threats. You should check if MAPS is enabled on your PC.

 

Help prevent malware infections on your PC

There are a number of other things you can do to help prevent malware infections, for example:

 

So to wrap this up: this ransomware is bad, but infection is preventable! Microsoft detects and removes this threat, but by ensuring that you only run known, trusted macros, you’ll help prevent a Locky infection – and any other malware that relies on malicious macros. Generally, a good approach is to only allow digitally signed macros that you trust to run on any of your documents.

Stay safe, from all of us at the MMPC.

-Jasmine Sesso, MMPC

FireEye and Fox-IT tool can help recover Crilock-encrypted files

August 13th, 2014 No comments

Since file-encryption ransomware Crilock (also called CryptoLocker) has reared its head, the security industry has been hard at work finding ways to mitigate and neutralize these threats. We've also been hard at work finding ways to recover from the encryption and restore affected files – such as our recommendations on using version control and recovery options in SkyDrive and Windows.

This week, researchers from FireEye and Fox-IT have released a tool that may be able to recover files encrypted by Crilock – without having to pay the malware authors.

It's important to note that the tool comes on the heels of a takedown of a Zeus/Gameover CnC server that was previously being used to authenticate and generate the encryption keys. This means the tool can only provide decryption keys for files that were encrypted by keys generated by that server. In other words, the tool comes with a caveat: it may not work in all instances.

Ultimately, however, it's still worth a try when you've tried everything else, and we want to share as many options and techniques to recover and protect your systems as possible

The tool, created as a collaboration between FireEye and Fox-IT, is hosted at www.decryptcryptolocker.com (note that you’ll need to consent to their Terms of Use and Privacy Policy; Microsoft doesn’t own or operate the tool and we won't be able to help you if it doesn’t work).

The user uploads an encrypted file (it probably makes sense to use something without sensitive information or data) to the recovery portal, which searches for a matching private key from the database. If there is a match, the user receives an email with the actual private key which they can use to in a stand-alone command-line tool to decrypt each encrypted file on their own.

File upload

Figure 1: Uploading a file to their online service

 

We tested it out with files that were encrypted in November 2013 and received positive results (via email) for each file that was encrypted:

Receipt

Figure 2: Instructions from the DecryptCryptoLocker team

 

Once downloaded, the tool can be launched with a command prompt:

​Decryptolocker.exe –key "<key>" <encrypted file>

 
The command line operation would look like this (you just need to copy and paste the key from the email and specify the file):

Key decryption tool

Figure 3: Decryption per file

 

After applying the decryption key, you'll receive an acknowledgement and consent request, and the file will be decrypted. 

Successful decryption

Figure 4: File successfully decrypted

 

It's important to note that this tool will not work in every case – it depends on when the file was encrypted (and, therefore, if the CnC server that Crilock used was part of the takedown).

You can read more about the tool at the FireEye blog Your locker of information for CryptoLocker decryption.

Acknowledgements

We would like to extend our thanks to colleagues at FireEye and Fox-IT for providing this kind of support for users whose files have been compromised by Crilock (CryptoLocker).

Marianne Mallen
MMPC

 

Disclaimer

The tool described in this blog is used at your risk. Read the instructions carefully on the tool's website at https://www.decryptcryptolocker.com. In particular, note that you will be asked to consent to the site's Terms of Use and the Privacy Policy. The site is not owned or operated by or affiliated with Microsoft.

 

Follow us on Twitter (@MSFTMMPC) and like us on Facebook to get notifications of our blog posts and industry news.

Categories: crilock, ransomware Tags:

Help! Someone is holding my computer hostage

March 18th, 2014 No comments

If you see a pop-up window, webpage, or email message warning you that your computer has been locked because of possible illegal activities, you might be a victim of a criminal extortion scam called ransomware.

Ransomware often masquerades as an official-looking warning from a well-known law enforcement agency, such as the US Federal Bureau of Investigation (FBI).

The aim of ransomware is to prevent you from using your computer until you pay a fee (the “ransom”). If you get an email message or a warning like this, do not follow the payment instructions. If you pay the ransom, the criminals probably won’t unlock your computer and might even install more viruses or steal your personal and financial information.

 

Example of ransomware

What to do if you think you’ve been a victim of ransomware

If you’ve already paid the scammers, you should contact your bank and your local authorities, such as the police. If you paid with a credit card, your bank may be able to block the transaction and return your money.

To detect and remove ransomware and other malicious software that might be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products can detect and remove this threat:

More information about how to prevent and get rid of ransomware

 

 

 

Using SkyDrive this holiday season can help protect your personal information

It’s no surprise that the holidays are one of the busiest times of the year for online shopping.  But did you know it’s also one of the busiest times for uploading pictures to photo sharing and social media sites?  On average, more than 250 million photos per day were uploaded to Facebook alone during October, November and December of 2011.

That only includes the number of photos uploaded online, it doesn’t take into consideration, the photos being stored on personal devices and computers.  This number only continues to grow.

Think about all those special get-togethers with family and friends that we capture and store on our devices. Now imagine, all of those precious moments in time, being locked and held for ransom.  Well that’s exactly what’s happening with an emerging type of malware scheme known as ransomware.

Ransomware is a type of malware designed to infiltrate your computer and hold your files (photos, documents, reports, etc.) hostage until you pay the demanded amount of money to a cybercriminal.  These files are being held ransom for money in some cases as much as $500.  And paying the money doesn’t necessarily mean you’ll get your files back.

According to the recently published Microsoft Security Intelligence Report volume 15, ransomware is on the rise.    So what does it look like? 

Ransomware often masquerades as an official-looking warning from a well-known law enforcement agency, such as the US Federal Bureau of Investigation (FBI) or the Metropolitan Police Service of London.  It can look like a pop-up, accusing you of committing a computer-related crime, or a locked screen requiring a password.  If you see these indicators, don’t pay the ransom.  It’s most likely the latest scam created by cybercriminals to try and extort money.

One of the best ways to protect your files is to back them up using a removable drive or a cloud service like SkyDrive.

In addition to backing up your files, there are best practices that can help prevent ransomware from infecting your computer: 

  • Keep all software installed up to date. 
  • Use modern software that provides the latest security technologies and protections.
  • Install and use an up-to-date, real time anti-malware solution from a vendor you trust. Some anti-malware software options are available on Microsoft’s security partner webpage.
  • Don’t click on links or open attachments from untrusted sources.

You can also visit What is ransomware? for more information about ransomware and how computer users can avoid being taken advantage of by these threats.   For additional guidance, regularly check our Safety & Security Center, where all of our tools and materials are available, including our Digital Citizenship in Action Toolkit. “Like” our page on Facebook, and follow us on Twitter.  Get proactive and get involved – in online safety.  

Ransomware is on the Rise, Especially in Europe

November 19th, 2013 No comments

The recently published Microsoft Security Intelligence Report (SIRv15) contains a section on ransomware. Ransomware is a type of malware that is designed to render a computer or its files unusable until the computer user pays the demanded amount of money to the attacker. It often masquerades as an official-looking warning from a well-known law enforcement agency, such as the US Federal Bureau of Investigation (FBI) or the Metropolitan Police Service of London. Some examples are provided in Figure 1.

Ransomware has emerged as a relatively prevalent threat primarily in Europe. With the exception of New Zealand, all the locations where ransomware families made it onto the top ten list of threats in the second quarter of 2013 were in Europe; these locations include Austria, Belgium, Croatia, Cyprus, Czech Republic, Denmark, Finland, Germany, Ireland, Norway, Portugal, Slovakia, Slovenia, Sweden, Switzerland, and the United Kingdom.  Read more.

…(read more)

Have authorities detected illegal activities on my computer?

July 16th, 2013 No comments

John writes:

I got an email saying that illegal materials were found on my computer and it would be locked until I paid a fine. Is this a scam?

Yes, this sounds like a common blackmail scam called ransomware. Ransomware is an email, website or pop-up window that displays warnings about possible illegal activities and demands payment before you can access your files and programs again. Delete the email and report it immediately.

Do you think you might have already fallen for a ransomware scam? Find out what to do.

Ransomware: Playing on your fears

March 16th, 2012 No comments

The last two years have seen an increase in malware which takes control of, and holds hostage an infected machine, locking the user out until a payment of some form can be extorted. This threat type is also known as ‘ransomware’.

Various tactics have been used by the malware writers in an attempt to intimidate users into paying a ransom in order to get back control of an infected machine. We wrote a blog post last December that describes malware extortion tactics, here.

Scare tactics include displaying fake Windows activation warnings: : 

Trojan:Win32/Serubsit.A

Figure 1: Ransom message displayed by Trojan:Win32/Serubsit.A

to other scare tactics: 

Trojan:Win32/Serubsit.A

Figure 2: Ransom message displayed by Trojan:Win32/Serubsit.A

The most recent of these comes in the form of the following variant we detect as Trojan:Win32/Ransirac.G (280bb31602a5dcb3674c7718f947ee0f4e44784f). In this case, an infected user is accused of illegally downloading music.

Trojan:Win32/Ransirac.G

Figure 3: Ransom message displayed by Trojan:Win32/Ransirac.G

The malware writers attempt to add an air of legitimacy to their creation by using the HTML style sheets and image content for the actual organization GEMA (Gesellschaft für musikalische Aufführungs).

To thwart these and similar threats, we recommend using a complete and up-to-date antivirus solution such as Microsoft Security Essentials.

–Raymond Roberts
MMPC-Melbourne

Categories: ransomware, Win32/Serubsit Tags:

Beware of Ransomware

January 6th, 2012 No comments

Cybercriminals use social engineering to prey on our weaknesses. Sometimes they take advantage of our goodwill towards others, like in the “I’ve been mugged scam” I wrote about in a recent blog post. More often they try to trick us with deals that seem too good to be true

Cybercriminals can also sneak software (called “ransomware”) onto your computer. This will pop up a window warning that illegal material has been found on your computer, and lock you out of your computer unless you pay a fee. We’ve been reporting on this kind of scam at least as far back as 2008, but the Microsoft Malware Protection Center recently blogged about its resurgence in several languages, including English, Spanish, German, and Dutch.

Get more information about this scam from the Microsoft Malware Protection Center blog.