by Andy Patrizio
The behavior of malware continues its evil evolution, as “ransomware” is fast becoming the latest form of malicious software to bedevil unsuspecting users. Ransomware is just what its name sounds like. The malicious code takes over the user’s computer and/or encrypts their data and demands payment to unlock the PC. The user is instructed to buy an unlock code through a Web site, which then frees the PC. Usually. Sometimes they don’t release the computer.
Ransomware was initially viewed as a niche form of malware, with most forms of malware trying to get login information to online banking or other financial services. However, it’s making a resurgence in Western Europe and Russia and now it’s coming to North America, according to a report from Symantec. In a recent campaign discovered by Symantec, almost 70,000 computers were infected in a single month, and 2.9 percent of the people infected paid the ransom to unlock their systems. That came out to $400,000 for a single month.
The good news is that just 2.9% are paying the ransom. That means 97.1% didn’t fall for it. The majority of them either got some help to remove the software or used Windows’ rollback feature to roll back their OS installation to just prior to the infection, said Vikram Thakur, principal manager at Symantec Security Response and a co-author of the report.
The 3% shows a lot of people are not falling for it, but if you look at just that 3% by itself, it’s a huge absolute number and much more profitable than spamming people with hair loss and erectile dysfunction drugs. “I think that’s enough motivation for people around ransomware to continue their campaign and even better their conversion rate to something higher,” said Thakur.
Users are infected through a Web exploit or a drive-by download, where the user is redirected to a Website with the malicious payload without even knowing it. Usually the user has no idea anything has happened, unless they have good security software. The majority of people infected had weak or no security at all, said Thakur.
This ransomware is particularly sleazy, in that the popup window the user gets is made to look like something from the U.S. Department of Justice, as if the DoJ is in the business of taking over individual PCs like that, and warns victims that their IP address was used to visit explicit child abuse sites and that spam “with terrorist motives” was also sent from the computer. These ransomware apps lock the system by gaining system-level access and blocking certain components from running. The user then has to pay a fine, usually ridiculously small given the severity of the charge. The program threatens to have them arrested if they do not pay the fine within 72 hours.
It’s very difficult to remove this code, said Thakur. “There are some variants that allow you to get into safe mode to run antivirus tools. In some cases you can. But in a good amount of cases even in safe mode they seem to have injected themselves to lock your computer,” he said. In that case, the user has to boot a non-infected device, like a CD or bootable USB, to load an antivirus program and clean the PC.
Removing ransomware is not the problem, says Randy Abrams, research director with NSS Labs, a security firm. The problem is that it usually encrypts files and simply removing the malware will not decrypt the files. The best defense for ransomware is a good backup system. “It is important for people to know that paying the ransom almost never results in data recovery. Users who regularly back up their important files cannot have their data held hostage,” he said.