
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   ANTI_VIRUS      Anti-Virus Discussion & News      523 messages   


   Message 320 of 523   
   Ben Ritchey to All   
   US-Cert Ransomware warning   
   11 Jul 16 23:22:45   
   
   U.S. Department of Homeland Security US-CERT   
      
   National Cyber Awareness System:   
      
      
      
   TA16-091A: Ransomware and Recent Variants   
   03/31/2016 06:00 PM EDT   
      
      
   Original release date: March 31, 2016 | Last revised: July 11, 2016   
      
   Systems Affected   
   Networked Systems   
      
   Overview   
   In early 2016, destructive ransomware variants such as Locky and Samas were
   observed infecting computers belonging to individuals and businesses, which
   included healthcare facilities and hospitals worldwide. Ransomware is a type
   of malicious software that infects a computer and restricts users’ access to
   it until a ransom is paid to unlock it.
      
   The United States Department of Homeland Security (DHS), in collaboration with    
   Canadian Cyber Incident Response Centre (CCIRC), is releasing this Alert to    
   provide further information on ransomware, specifically its main    
   characteristics, its prevalence, variants that may be proliferating, and how    
   users can prevent and mitigate against ransomware.   
      
   Description   
   WHAT IS RANSOMWARE?   
   Ransomware is a type of malware that infects computer systems, restricting    
   users’ access to the infected systems. Ransomware variants have been observed    
   for several years and often attempt to extort money from victims by displaying    
   an on-screen alert. Typically, these alerts state that the user’s systems have    
   been locked or that the user’s files have been encrypted. Users are told that    
   unless a ransom is paid, access will not be restored. The ransom demanded from    
   individuals varies greatly but is frequently $200–$400 and must be paid in
   virtual currency, such as Bitcoin.
      
   Ransomware is often spread through phishing emails that contain malicious    
   attachments or through drive-by downloading. Drive-by downloading occurs when
   a user unknowingly visits an infected website and then malware is downloaded
   and installed without the user’s knowledge.
      
   Crypto ransomware, a malware variant that encrypts files, is spread through    
   similar methods and has also been spread through social media, such as    
   Web-based instant messaging applications. Additionally, newer methods of    
   ransomware infection have been observed. For example, vulnerable Web servers    
   have been exploited as an entry point to gain access into an organization’s    
   network.   
      
   WHY IS IT SO EFFECTIVE?   
   The authors of ransomware instill fear and panic into their victims, causing
   them to click on a link or pay a ransom, and users’ systems can become
   infected with additional malware. Ransomware displays intimidating messages
   similar to those below:

   - “Your computer has been infected with a virus. Click here to resolve the
     issue.”
   - “Your computer was used to visit websites with illegal content. To unlock
     your computer, you must pay a $100 fine.”
   - “All files on your computer have been encrypted. You must pay this ransom
     within 72 hours to regain access to your data.”

   PROLIFERATION OF VARIANTS   
   In 2012, Symantec, using data from a command and control (C2) server of 5,700    
   computers compromised in one day, estimated that approximately 2.9 percent of    
   those compromised users paid the ransom. With an average ransom of $200, this    
   meant malicious actors profited $33,600 per day, or $394,400 per month, from a    
   single C2 server. These rough estimates demonstrate how profitable ransomware    
   can be for malicious actors.   
      
   This financial success has likely led to a proliferation of ransomware    
   variants. In 2013, more destructive and lucrative ransomware variants were    
   introduced, including Xorist, CryptorBit, and CryptoLocker. Some variants    
   encrypt not just the files on the infected device, but also the contents of    
   shared or networked drives. These variants are considered destructive because    
   they encrypt users’ and organizations’ files, and render them useless until    
   criminals receive a ransom.   
      
   In early 2016, a destructive ransomware variant, Locky, was observed infecting    
   computers belonging to healthcare facilities and hospitals in the United    
   States, New Zealand, and Germany. It propagates through spam emails that    
   include malicious Microsoft Office documents or compressed attachments (e.g.,    
   .rar, .zip). The malicious attachments contain macros or JavaScript files to    
   download Ransomware-Locky files.   
      
   Samas, another variant of destructive ransomware, was used to compromise the    
   networks of healthcare facilities in 2016. Unlike Locky, Samas propagates    
   through vulnerable Web servers. After the Web server was compromised, uploaded    
   Ransomware-Samas files were used to infect the organization’s networks.   
      
   LINKS TO OTHER TYPES OF MALWARE   
   Systems infected with ransomware are also often infected with other malware.
   In the case of CryptoLocker, a user typically becomes infected by opening a
   malicious attachment from an email. This malicious attachment contains
   Upatre, a downloader, which infects the user with GameOver Zeus. GameOver
   Zeus is a variant of the Zeus Trojan that steals banking information and is
   also used to steal other types of data. Once a system is infected with
   GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker
   encrypts files on the infected system, and requests that a ransom be paid.
      
   The close ties between ransomware and other types of malware were
   demonstrated through the recent botnet disruption operation against GameOver
   Zeus, which also proved effective against CryptoLocker. In June 2014, an
   international law enforcement operation successfully weakened the
   infrastructure of both GameOver Zeus and CryptoLocker.
      
   Impact   
   Ransomware not only targets home users; businesses can also become infected
   with ransomware, leading to negative consequences, including:

   - temporary or permanent loss of sensitive or proprietary information,
   - disruption to regular operations,
   - financial losses incurred to restore systems and files, and
   - potential harm to an organization’s reputation.

   Paying the ransom does not guarantee the encrypted files will be released; it    
   only guarantees that the malicious actors receive the victim’s money, and in    
   some cases, their banking information. In addition, decrypting files does not    
   mean the malware infection itself has been removed.   
      
   Solution   
   Infections can be devastating to an individual or organization, and recovery    
   can be a difficult process that may require the services of a reputable data    
   recovery specialist.   
      
   US-CERT recommends that users and administrators take the following preventive    
   measures to protect their computer networks from ransomware infection:   
      
   - Employ a data backup and recovery plan for all critical information.
     Perform and test regular backups to limit the impact of data or system
     loss and to expedite the recovery process. Note that network-connected
     backups can also be affected by ransomware; critical backups should be
     isolated from the network for optimum protection.
   - Use application whitelisting to help prevent malicious software and
     unapproved programs from running. Application whitelisting is one of the
     best security strategies as it allows only specified programs to run,
     while blocking all others, including malicious software.
   - Keep your operating system and software up-to-date with the latest
     patches. Vulnerable applications and operating systems are the target of
     most attacks. Ensuring these are patched with the latest updates greatly
     reduces the number of exploitable entry points available to an attacker.
   - Maintain up-to-date anti-virus software, and scan all software downloaded
     from the internet prior to executing.
   - Restrict users’ ability (permissions) to install and run unwanted software
     applications, and apply the principle of “Least Privilege” to all systems
     and services. Restricting these privileges may prevent malware from
     running or limit its capability to spread through the network.
   - Avoid enabling macros from email attachments. If a user opens the
     attachment and enables macros, embedded code will execute the malware on
     the machine. For enterprises or organizations, it may be best to block
     email messages with attachments from suspicious sources. For information
     on safely handling email attachments, see Recognizing and Avoiding Email
     Scams. Follow safe practices when browsing the Web. See Good Security
     Habits and Safeguarding Your Data for additional details.
   - Do not follow unsolicited Web links in emails. Refer to the US-CERT
     Security Tip on Avoiding Social Engineering and Phishing Attacks or the
     Security Publication on Ransomware for more information.

   Individuals or organizations are discouraged from paying the ransom, as this
   does not guarantee files will be released. Report instances of fraud to the
   FBI at the Internet Crime Complaint Center.
      
   References   
   Kaspersky Lab, Kaspersky Lab detects mobile Trojan Svpeng: Financial malware    
   with ransomware capabilities now targeting U.S.   
   Sophos / Naked Security, What’s next for ransomware? CryptoWall picks up where    
   CryptoLocker left off   
   Symantec, CryptoDefence, the CryptoLocker Imitator, Makes Over $34,000 in One    
   Month   
   Symantec, Cryptolocker: A Thriving Menace   
   Symantec, Cryptolocker Q&A: Menace of the Year   
   Symantec, International Takedown Wounds Gameover Zeus Cybercrime Network   
   Sophos / Naked Security, “Locky” ransomware – what you need to know   
   McAfee Labs Threat Advisory: Ransomware-Locky. March 9, 2016   
   SamSam: The Doctor Will See You, After He Pays The Ransom

   Revision History
   March 31, 2016: Initial publication   
   May 6, 2016: Clarified guidance on offline backups   
   July 11, 2016: Added link to governmental interagency guidance on ransomware   
      
   ----------------------------------------------------------------------------
      
   This product is provided subject to this Notification and this Privacy & Use    
   policy.   
      
      
   ----------------------------------------------------------------------------
   A copy of this publication is available at www.us-cert.gov. If you need help
   or have questions, please send an email to info@us-cert.gov. Do not reply to
   this message since this email was sent from a notification-only address that
   is not monitored. To ensure you receive future US-CERT products, please add
   US-CERT@ncas.us-cert.gov to your address book.
      
      
   ----------------------------------------------------------------------------
   This email was sent to Fido4cmech@lusfiber.net using GovDelivery, on behalf
   of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray
   Lane SW Bldg 410 · Washington, DC 20598 · (888) 282-0870  Powered by
   GovDelivery
      
   === Cut ===   
      
      
   -+-   
   Keep the faith   :^)   
      
      Ben  aka cMech  Web: http|ftp|binkp|telnet://cmech.dynip.com   
                    Email: fido4cmech(at)lusfiber.net   
                 Home page: http://cmech.dynip.com/homepage/   
              WildCat! Board 24/7  +1-337-984-4794  any BAUD 8,N,1   
      
   --- GoldED+/W32-MSVC v1.1.5 via Mystic BBS   
    * Origin: FIDONet - The Positronium Repository (1:393/68)   
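The alert's Locky paragraph describes the lure concretely: spam carrying a .zip or .rar attachment whose contents are either a JavaScript dropper or an Office document whose macros fetch the payload, and the Solution list recommends blocking such attachments at the organization rather than relying on users declining to enable macros. The script below is an added example, not part of Ben's post or of the US-CERT alert. It triages one attachment the way a mail-gateway rule would: it flags script files (directly, or inside a zip, descending into nested zips), and it flags OOXML Office documents that carry a VBA project (word/, xl/ or ppt/vbaProject.bin inside the document's zip container) regardless of the extension the sender chose. The extension list, the verdict wording, the nesting limit and the sample attachments are all constructed for this example; .rar archives are not handled, since that needs a third-party library.

```python
import io
import os
import zipfile
from dataclasses import dataclass, field

# Assumed list of extensions Windows executes directly on double-click. The
# alert names .js droppers for Locky; the rest are common sibling script types.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".cmd", ".bat", ".ps1", ".scr", ".exe"}

# OOXML (Office 2007+) documents are zip containers; the VBA macro project is
# stored as one of these members.
VBA_MEMBERS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}

MAX_NESTING = 2  # zip-in-zip levels to descend before refusing (assumed limit)


@dataclass
class Verdict:
    filename: str
    reasons: list = field(default_factory=list)  # empty list == nothing flagged


def _ext(name: str) -> str:
    return os.path.splitext(name.lower())[1]


def inspect_attachment(filename: str, data: bytes, depth: int = 0) -> Verdict:
    """Flag a single attachment; recurses into nested zip archives."""
    v = Verdict(filename)
    if _ext(filename) in SCRIPT_EXTENSIONS:
        v.reasons.append(f"executable script type {_ext(filename)}")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return v  # .rar and other archive formats are out of scope here
    if depth > MAX_NESTING:
        v.reasons.append("archive nested deeper than allowed")
        return v
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            if member in VBA_MEMBERS:
                # Macro-bearing Office document, whatever its outer extension
                v.reasons.append(f"VBA project present: {member}")
            elif _ext(member) in SCRIPT_EXTENSIONS:
                v.reasons.append(f"script inside archive: {member}")
            elif _ext(member) == ".zip":
                inner = inspect_attachment(member, zf.read(member), depth + 1)
                v.reasons.extend(f"{member} -> {r}" for r in inner.reasons)
    return v


def _make_zip(members: dict) -> bytes:
    """Build an in-memory zip; used only to construct the sample attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments modelled on the alert's description of Locky
# lures (not real malware; the "macro" and "script" bodies are placeholders).
SAMPLES = {
    "invoice_J-98223.zip": _make_zip({
        "invoice_J-98223.js": "var sh = new ActiveXObject('WScript.Shell');"}),
    "ATTN_Invoice.docm": _make_zip({
        "[Content_Types].xml": "<Types/>",
        "word/document.xml": "<w:document/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0placeholder"}),
    "scan_0042.zip": _make_zip({
        "scan_0042.zip": _make_zip({"scan_0042.wsf": "<job/>"})}),
    "report.docx": _make_zip({
        "[Content_Types].xml": "<Types/>",
        "word/document.xml": "<w:document/>"}),
    "photos.zip": _make_zip({"photos/IMG_0001.jpg": b"\xff\xd8\xff\xe0"}),
}


def triage(samples=SAMPLES) -> dict:
    """Return {attachment name: reasons}; an empty list means it was not flagged."""
    return {name: inspect_attachment(name, data).reasons
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage().items():
        print(f"{'FLAG' if reasons else 'ok  '} {name}: {'; '.join(reasons) or '-'}")
```

The point of checking the container rather than the extension is that a macro document renamed to .docx still carries word/vbaProject.bin, and a dropper one zip level down is still a dropper. A production gateway would also have to open .rar (the alert lists it) and legacy OLE2 .doc/.xls files, where the macro streams live inside the compound file rather than as a zip member; oletools' olevba covers that format.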



(c) 1994,  bbs@darkrealms.ca