Tag Archives: Ransomware

First Apple Mac Ransomware Poses Serious Risk

The prevalence of ransomware continues to increase this time affecting Apple Mac OS X devices. Earlier this month users of the Trasnmission BitTorrent client (specifically the version for Mac OS X) were at risk of having their data stolen since the downloadable version of the client had extra code added to it by attackers seeking to obtain a ransom to recover your data after stealing it from you.

Why Should This Issue Be Considered Important?
If you had downloaded and installed version 2.90 of the Transmission app after 3 days, it would have encrypted your personal data and demanded 1 bitcoin (approx. USD $400) in order to retrieve it. This would have not only been a huge inconvenience but also could possibly lead to you being unable to carry out routine tasks or your job if you are small business owner using your personal Mac system for business.

The fact that the malicious code included with the hijacked Transmission app would have encrypted your data only after 3 days since you installed it would have made narrowing down the source of the malware infection much more difficult.

An analysis of the malware by Palo Alto showed that malware had partial support for encrypting the data stored within Apple’s Time Machine backup software which if it had been operational would have caused far more data loss.

As discussed below, while this particular malware infection has now been resolved by the combined efforts of Apple, Transmission, Palo Alto and other security companies; the ramifications for future malware to be made available using similar techniques to steal data will be present from now on.

How Can I Protect Myself from This Issue?
As per Transmission’s recommendation, if you use their BitTorrent client on your Mac OS X system, please update it to version 2.92 or later. If you have anti-malware/anti-virus software installed, please run a full system scan and remove any traces of the malware that may be present. Alternatively, easy to follow manual instructions to remove the malware are provided here.

As mentioned in previous ransomware blog posts, please back up your critical data and ensure to have at least one full copy that is not connected to your computer. This will ensure that it is not available to the ransomware for it to be encrypted too. Recommendations for using Apple’s Time Machine backup software are provided here.

Separately Apple revoked the fake app development certificate (when Palo Alto Networks informed them of it’s misuse) that allowed the malware to bypass it’s Apple’s Gatekeeper security feature. They also updated their XProtect malware protection software to detect and remove the malware.

Meanwhile Transmission updated their software to version 2.92 to remove the malware from the app and to remove any existing malware traces that may have been present on a Mac system after installing version 2.90. All of the mentioned companies/teams should be applauded for their thorough and swift response to this threat.

Thank you.

=======================
Further References:
ComputerWorld: First Mac ransomware had sights on encrypting backups, too
The Safe Mac: First Mac ransomware spotted

Blog Post Shout Out March 2016

With the growing prevalence of ransomware; it’s prudent to take steps to avoid becoming infected with this malware and losing your data as well as being able to recover quickly without paying the ransom.

For these reasons I wanted to provide a respectful shout-out to the following blog posts that provide practical advice to businesses and consumers/personal users on how to protect yourself from ransomware and the “Locky” variant of ransomware:

The Simple Way to Stop your Business from Being Extorted by Ransomware by Graham Cluley (writing for Bitdefender)

“Locky” ransomware – what you need to know by Paul Ducklin (Sophos Security)

Update: 12th March 2016:
Got ransomware? What are your options? by Paul Ducklin (Sophos Security)

Massive Volume of Ransomware by Rodel Mendrez (SpiderLabs) : Details how to defend against the Locky ransomware being spread using JavaScript within spam messages.

Further information/discussion on ransomware is provided in a previous blog post. I hope that you find the above posts useful. Thank you.

WordPress Releases Security Update (February 2016)

On the 3rd of February WordPress released a security update to their popular self-hosted blogging tool/content management system (CMS, defined) bringing it to version 4.4.2.

This is a critical security update that resolves 2 security issues. One is a server-side request forgery (SSRF) attack that could allow information disclosure since it has the potential to bypass normal access controls. The remaining issue was present on the login page of WordPress which could have been used to cause a redirect for a user trying to login.

Due to the severity of these issues, WordPress is advising it’s users to update immediately.

Separately a ransomware (defined) campaign is compromising very large numbers of WordPress websites by adding obfuscated (defined within this post) JavaScript (defined) to the websites that results in visitors to those sites being redirected to a website of the attacker’s choice. The JavaScript can deliver the ransomware to a victim system if it is using outdated versions of Adobe Flash Player/Reader, Microsoft Internet Explorer or Silverlight since it makes uses of the Nuclear exploit kit (defined). At this time there is very little detection of the exploit code using VirusTotal.com

A shortlist of recommendations to protect your WordPress website against this ransomware campaign is shown below (for your convenience). This list including further details of this threat is available from Heimdal Security’s blog post (I wish to express my sincere thanks to them for making such detailed information available to protect against this threat):

  • Keep software and your operating system updated at all times
  • Backup your data, do it often and in multiple locations
  • Use a security tool that can filter your web traffic and protect you against ransomware, which traditional antivirus cannot detect or block.

Moreover; a technical description of how this attack occurs against a WordPress website is available within this Sucuri blog post. Malwarebytes also provide advice and a further technical description in their blog post as they describe how the exploits have switched from the Nuclear exploit kit (defined) the to the Angler exploit kit.

As always; WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress an automatic updater (thanks to Sophos for this useful piece of information) will install the above mentioned update in the background. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

For more information on installing updates to commonly used software, this blog can assist. Please see the “Protecting Your PC” page for how to keep software updated. Moreover; specific information on Adobe updates is available here with Microsoft updates discussed here.

Thank you.

JavaScript Ransomware Poses Increased Risk of Data Loss

On January the 1st this year, security software vendor Emsisoft presented an analysis of a new variant of ransomware (defined in a previous post of mine) that demonstrates a concerning evolution in this type of malware. This type of ransomware is available for purchase by those with malicious intent following the growing popularity of the Software as a Service (SaaS)(defined) model.

Why Should I Be Concerned About This Malware?
This new variant is written in JavaScript (defined) but uses the NW.js framework to allow JavaScript apps to be installed and run (execute/carry out their purpose) just like traditional desktop applications (that you use every day) on your computer. This flexibility is also what makes this malware of particular concern since the NW.js framework is a portable framework it has the potential to enable this malware to spread to Linux and Apple OS X computers (however as noted by Emsisoft so far no such malware has been seen “in the wild” (namely being present on computing devices used by the general public in their professional and personal lives)).

Initially the number of anti-malware signatures for this variant was very low (3) but has since increased significantly to 32 (out of a possible 57) anti-malware vendors on the Virustotal website (at the time of writing).

Moreover, this malware arrives within spam email which begins the download of the complete malware package. Once the malware has encrypted your files you will be unable to retrieve them since the encryption is well-implemented (i.e. has no implementation flaws). Recovering the files from a backup is the best option. Paying the ransom doesn’t necessarily mean you will be able to retrieve your files.

How Can I Protect Myself From This Malware?
The advice within my previous posts on ransomware still applies. Emsisoft again emphasized the importance of backing up your files to avoid the loss of your data from these kind of infections. Their advice of how to access/use your backup after it’s been created may also be of assistance to you.

I hope that you find the above information useful in preventing infection from this malware and/or recovering from an infection.

Thank you.

Preventing A CryptoWall v4 Ransomware Infection

Update: 10th January 2016:
In addition to the information/advice in this blog post; a more recent blog post also discusses a new type of ransomware threat and how to protect yourself against it

Thank you.

=======================
Original Post:
=======================
Early last week the technical support website BleepingComputer announced the discovery of a new version of the well-known CryptoWall ransomware.

Why Should I Be Concerned About This Malware?
As was previously mentioned in my post concerning ransomware, such malware infections encrypt your important files usually making them irretrievable. However, this new version of ransomware also encrypts the files names of the files that it encrypts making it hard to tell just what files you have lost since the names are now replaced with random characters. This also means that you will be unable to carry out a forensic data recovery of the encrypted files.

This means that you will be unable to recover any files that have been encrypted unless the ransom is paid (which I do not recommend doing, for the reasons given in my previous ransomware blog post). Some strains of ransomware had implementation in their encryption methods. This version of CrypytoWall doesn’t.

How Can I Protect Myself From This Malware?
As well as following the advice in my previous post on ransomware to prevent an infection, for this version of CryptoWall the most important action that I would recommend taking is a full backup of your most critical data (business and/or personal) and at least one such backup should not be connected to your computer (if it’s connected at the time the malware infects your computer, your backup could also be encrypted). In addition, test that you can restore any data that you wish from your backup before such a malware infection occurs.

Moreover, be very cautious of any attachment received within an email from people you know or from a company (well known or otherwise) stating that they have a delivery confirmation, a business document or an invoice for you to view. This malware can be installed when such documents are viewed. Furthermore ransomware infections can originate from phishing (defined) emails.

Finally, this thread on the BleepingComputer website can be used to discuss this infection or to receive support if you have been affected by it.

Thank you.

Defending Against Ransomware

What is Ransomware?

Ransomware is malware that stops you using your computer in some way. This can be either by showing a lock out screen (not allowing you to login) or by encrypting your personal data. For each of these possibilities a ransom is demanded in order to use your computer or recover your (now) lost data.

Ransomware has been around for many years becoming most prevalent from late 2011 onwards with Reveton being one of the most well-known variants from approximately 3 years ago. Despite this category of malware being several years old, newer variants such as CryptoLocker, TeslaCrypt and most recently Los Pollos Hermanos continue to cause disruption, stress and cause financial loss to their victims. Further information on ransomware is provided in this blog post and explained further in this podcast.

Should you pay the ransom?

Since paying the ransom convinces the malware authors that their scheme is working and funds a black market economy, you should not pay the ransom. I realize that if the ransomware has encrypted irreplaceable data that is not backed up you may have no choice to pay it, but there is no guarantee that you will get your data back. The human impact of ransomware is detailed in this analysis by FireEye. One possible outcome is that the ransom is paid but the files cannot be decrypted.

How To Remove an Existing Ransomware Infection?

If you have an existing ransomware infection I would suggest following the advice from this short Sophos blog post. That blog post also references an explanatory YouTube video. The Sophos Bootable Antivirus CD mentioned in the above blog post can be created using the steps in this knowledge base article.

An alternative approach is detailed by Mark Russinovich of Microsoft in this blog post (see the section titled “The Hunt”). He provides further easy to follow steps to remove the malware should scans with Microsoft Security Essentials or Windows Defender Offline fail.

If the above advice is not successful in removing the ransomware infection, please consider using one of the 3rd malware removal services mentioned in this Symantec forum post. Please note this forum post does not list services that Symantec wishes to promote or advertise, these services are provided by trusted and highly successful 3rd parties independent of Symantec.

Preventing A Ransomware Infection:

In order to prevent a ransomware infection I would recommend the following steps:

  1. Keep your operating system and web browser up to date. I detail how within this page.
  2. Install and use anti-malware software (ensure that it offers real time protection (continuous monitoring)).
  3. Don’t open attachments from an untrusted source or attachments you weren’t expecting from someone you do trust (their email account could have been hijacked).
  4. Backup up your data regularly. At least one such backup should not be connected to your computer (if it’s connected at the time the malware infects your computer, your backup could also be encrypted). In addition, test that you can restore any data that you wish from your backup before such a malware infection occurs.
  5. Further advice is also provided by FireEye in the blog post that I mentioned above (please see the final section titled “Individuals and Small Businesses Should Consider Basic Steps to Protect Themselves”).
  • Note: Please ensure that if you use cloud storage e.g. Google Drive, Dropbox etc. to not have the cloud drive accessible (in the same way as a standard folder) on your computer when you are not actively using it. If you get a ransomware infection it could also encrypt the backup cloud drive (since it works just like another folder on your computer) and this makes restoring your data more difficult.

Update: 29th May 2015:
If you are using an edition of Windows (compatible editions listed here) that incorporates AppLocker (for Windows 8.0 and later only corporate versions of Windows incorporate AppLocker), please enable it to Enforce executable rules to prevent ransomware and other malware from running on your PC.

Update: 10th November 2015:
This detailed post from Susan Bradley provides easy to understand further advice on defending against ransomware.

Update: 10th January 2016:
In addition to the information/advice in this blog post; a more recent blog post also discusses a new type of ransomware threat and how to protect yourself against it.

Update: 31st January 2016:
This Computerworld article provides further defensive tips e.g. restricting mapped network drives and knowing the users of your devices.

Since AppLocker is another name for application white listing only executable files that you pre-approve (i.e. files that run code, usually applications) will be allowed to run. AppLocker can also prevent unauthorized Windows Installer files (*.msi and *.msp) and scripts e.g. PowerShell and batch files (among others, more details provided here) from running without prior approval. Further resources for configuring AppLocker are provided in this article and this series of articles.

Update: 6th March 2016:
For advice on preventing a ransomware attack from affecting your business, please see this more recent blog post. This post also provides a resource to defend against the “Locky” variant of ransomware and provides an excellent explanation of your options/what to do when ransomware has already infected your computing device (complimenting the existing information in this post) and how to defend against the Locky variant of ransomware being spread via spam messages.

Update: 17th March 2016:
In February 2016 very large numbers of websites powered by WordPress (a blogging tool/content management system) were compromised and used to spread ransomware to those who visited the websites. This threat and recommendations to remove/prevent it are also available in a previous blog post.

In early March 2016, Apple Mac OS X systems that had the Transmission BitTorrent client version 2.90 installed were at risk from a ransomware infection. Further discussion and recommendations are provided in a more recent blog post.

Update: 26th March 2016:
This more recent blog post provides further advice on preventing ransomware (not previously documented within this blog). Please review it to further defend yourself against this increasingly prevalent threat.

Thank you.