by Richard Henderson  |  Nov 18, 2013  |  Filed in: Industry Trends & News

FortiGuard's Global Security Strategist Derek Manky spoke with Network World's Keith Shaw late last week to discuss some hot topics in the threat landscape.

Derek and Keith discuss at length BadBIOS, how it might work and where we may see it or other malware move in the near future. They also touch on the bug found in Supermicro IPMI that could allow low-level control of servers and wrap up with a discussion on the explosion of the Cryptolocker ransomware.

Some more details on Cryptolocker and ransomware in general follow after the video link below.

Ransomware: Everything Old is New Again

Ransomware, or similar types of malware, has been around a long time. The very first known piece of ransomware was the AIDS Trojan (also called PC Cyborg). The AIDS Trojan was spread via floppy disks and was activated once the infected computer had been restarted 90 times. On the 90th boot, the trojan replaced the computer's autoexec.bat, then hid directories and encrypted filenames. The victim was required to mail a payment of 189 USD to "PC Cyborg Corporation", which operated out of a PO Box in Panama.

[Image: AIDS Trojan]

Fake antivirus malware was one of the earliest forms of the newer ransom malware: your computer becomes infected with a fake antivirus program, which tells you that your computer is infected with dozens, if not hundreds, of viruses. The only way to get rid of the scores of "viruses" detected is to pay the company a set amount of money, after which they'll remove them for you.

Fake AV was very successful; its writers made a lot of money duping unsuspecting Internet users into paying for their services. But as time moved on, users became better educated and less likely to fall prey to Fake AV scams.

So what was a cybercriminal to do?

Enter modern ransomware.

We first saw modern ransomware in 2005, when gpCode (also called PGPCoder) emerged. gpCode targeted and encrypted MS Office files like Excel spreadsheets and Word documents, HTML files, pictures, and compressed archives like zip files. The only way for victims to get their files back was to pay a ransom into an account on the now-defunct e-gold and Liberty Reserve online currencies. In the case of gpCode, though, there were many weaknesses that allowed victims to recover their files without paying the ransom.


After gpCode, a new breed of malware emerged - the "Police" malware. Once infected, your machine is typically "locked" and an alert screen is shown similar to this one:


According to the malware, the "FBI" has detected illegal activity on your computer - illicit downloading or file sharing, child pornography or other distasteful and potentially illegal activities - and you must pay the FBI a "fine" in order to get control of your computer back.

Typically these kinds of malware required you to head down to your local retailer or grocer and obtain a pre-paid credit card, commonly the easy-to-use Green Dot MoneyPak, and pay the "fine" that way.

As the malware and its variants evolved over time, we started to see versions that became geographically aware: if you were actually located in the UK, you might see a screen from Scotland Yard. If you were in Canada, you might see an alert from the Mounties.

Much like Fake AV, these viruses were very successful and made their creators incredibly wealthy, to the tune of millions of dollars. But just like Fake AV, as time progressed users became better educated and stopped falling victim to these scams.

As old revenue sources dried up, cybercriminals dreamed up the next generation of ransomware. Enter encrypting ransomware. Encrypting malware did something new - it took the files on your computer and encrypted them using methods that were often impossible to crack.

At first, malware researchers were able to determine that early variants weren't intelligent in how they encrypted data: weak encryption was used, or the same keys were reused across thousands of infected machines.

Which leaves us at Cryptolocker. Cryptolocker stands out in that it generates a unique, large encryption key for every single infection it creates. This means that no two infections are encrypted the same way, and that the chances of being able to decrypt the data are effectively zero.


Where Cryptolocker takes it one step further is by hunting for open network shares or drives connected to your infected computer and encrypting any data it can gain write access to. What does this mean? Well, if you're using popular online file-sharing tools like Dropbox, Cryptolocker will encrypt that data as well.

Thankfully services like Dropbox offer the ability to retrieve earlier versions of files saved to their cloud, so you may have some reprieve.

If Cryptolocker gains hold of your system, there's very little a user can do other than hope they have access to unencrypted backups, wipe their machine and start fresh.
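Because encrypting ransomware rewrites files in place on any share it can reach, one practical defender check is a baseline-and-compare pass over the share: files whose hash changed are normal (people edit documents), but files whose content suddenly looks like ciphertext are not. The script below is an added illustration, not code from the post or from FortiGuard; the share layout, file names and contents are constructed for the demo, and random bytes stand in for encrypted output.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Text sits around 4-5; ciphertext and random data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Baseline every file under the share as (sha256, entropy). Run this while the share is known-good."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            manifest[str(p.relative_to(root))] = (hashlib.sha256(data).hexdigest(), shannon_entropy(data))
    return manifest


def check_share(root: Path, manifest: dict, threshold: float = 7.5, jump: float = 1.0) -> list:
    """Report files that changed AND now look like ciphertext (high entropy that rose sharply).
    The 'jump' test avoids flagging legitimate edits to already-compressed files (zip, jpg)."""
    findings = []
    for rel, (digest, base_ent) in manifest.items():
        p = root / rel
        if not p.exists():
            findings.append((rel, "missing"))
            continue
        data = p.read_bytes()
        if hashlib.sha256(data).hexdigest() == digest:
            continue  # unchanged since baseline
        ent = shannon_entropy(data)
        if ent >= threshold and ent - base_ent >= jump:
            findings.append((rel, f"rewritten as high-entropy data ({base_ent:.2f} -> {ent:.2f} bits/byte)"))
    return findings


def demo() -> list:
    """Constructed scenario: baseline a fake share, edit one file normally, and
    overwrite another with random bytes (a stand-in for ransomware output)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.doc").write_bytes(b"Quarterly figures, draft 1.\n" * 150)
        (root / "docs" / "notes.txt").write_bytes(b"Call the supplier on Monday.\n" * 150)
        manifest = build_manifest(root)
        (root / "docs" / "notes.txt").write_bytes(b"Call the supplier on Monday.\nDone.\n" * 150)
        (root / "docs" / "report.doc").write_bytes(os.urandom(4096))
        return check_share(root, manifest)
```

Only the randomly overwritten file is reported; the normally edited text file changes hash but stays low-entropy, so it passes.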

So how do you keep from getting infected? It's not easy. As FortiGuard has talked about in the past, cybercriminals have embraced the affiliate model in order to rapidly spread infections and infection vectors. Some affiliates may focus on spreading malware via email... others through compromised web sites or social media accounts.

To protect yourself:

- Treat every attachment coming into your inbox as suspect. If you're not expecting something, don't open it. Reach out to the sender directly.
- Treat clickable links in email and on social media accounts as suspect. Remember: simply visiting a website on a computer that hasn't been fully updated or patched is enough to infect you.
- Patch your computer, regularly. Cybercriminals are quick to take advantage of freshly patched vulnerabilities in the hope that they will catch slow fish in their wide nets.
- Uninstall things you don't need. If you don't need technologies like Flash, Java or Silverlight, uninstall them. If you do need them, take the appropriate precautions to prevent things from running in your browser without your express permission. Yes, it can be awkward and a pain to click-to-run every time you want to view something on a page, but when you consider the alternative...
- Back up your data. Back up your data both locally and externally. For home or small business users, purchase an external hard drive and some backup software. Get into the habit of creating regular backups and, once each one is complete, disconnecting the external hard drive from your PC. If you get infected after you've backed up your important data, you'll likely be able to restore those files.

Colleague and noted security reporter Brian Krebs has published a great article on Cryptolocker as well as some great additional tips you can take to help detect and prevent an infection. You can read his article here.

CCIRC published an advisory for Canadians about Cryptolocker and ransomware in August of this year. You can read it here.

The Department of Homeland Security's Computer Emergency Response Team (US-CERT) has issued a recent Cryptolocker advisory, and you can read that here.

Further Readings on Ransomware and Cryptolocker:

A New Look For Ransomware

A Day in the Life of Mobile Ransomware

Ransomware, An Evolution

Ransomware Fueled by Cutwail
