The Rise in Crypto Ransomware
In recent years we have seen significant growth in malware. With enablers such as Bitcoin, 2048-bit RSA encryption, and the Tor network, NetCal predicts that crypto ransomware will continue to rise sharply. The purpose of these malicious applications keeps morphing. Originally they were written to gain access to computers and steal data (spying and snooping). Then the goal became ad-click revenue from pop-ups. Now malware extorts money directly from the users themselves. This should not surprise anyone, but the tools mentioned above make success a lot easier to achieve: data encrypted with keys that only the attacker's 2048-bit RSA private key can unlock cannot be recovered by the victim, Tor hides the command-and-control infrastructure from takedown, and Bitcoin lets the ransom be collected with little traceability.
Most crypto ransomware uses the following tactics:
- Use social engineering to trick a user into running an application or script
- Avoid detection
- Encrypt or encode the payload (e.g. Base64) so signature-based scanners do not see the real code
- Use a domain generation algorithm (DGA) to locate command-and-control servers that have not been blacklisted yet
- Use the Tor network
- Use Bitcoin and a money-laundering network
- Use the registry (e.g. Run keys) to relaunch after a reboot
- Hide the persistence subkey behind a name containing non-printable bytes such as 0x06 or 0x08, which regedit cannot display
- Disable System Restore and VSS-type services (shadow copies) so files cannot be recovered locally
- Encrypt all user-created files by extension, share, or folder
- Use an existing or 0-day exploit/vulnerability
- Hijack CLSIDs
For example, the command stored in the LocalServer32 subkey of {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} is run every time a folder is opened. By hijacking this CLSID, Poweliks ensures that its registry entry is launched whenever a folder is opened or new thumbnails are created, even if its watchdog process has been terminated. Because COM lookups consult HKCU\Software\Classes before HKLM, a per-user copy of this key silently overrides the legitimate system entry; a quick check on a suspect host is to look for the CLSID under HKCU\Software\Classes\CLSID and compare its LocalServer32 value with the one under HKLM.
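The DGA tactic above is also what gives defenders a foothold: a bot hunting for its command-and-control domain produces a burst of random-looking DNS queries from one host. The following Python script is an added example (not NetCal's code and not part of the original post) that scores each queried name on a few "machine-generated" traits and then flags clients that produce several such names. The DNS log lines are constructed for the example, and the thresholds (entropy above 3.5 bits per character, vowel ratio below 0.2, digit ratio of 0.2 or more, consonant runs of four or more, three or more traits to flag) are assumptions chosen to separate the sample names, not tuned values.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not real traffic): "<time> <client> <queried name>".
# 10.0.0.21 resolves three random-looking names within seconds, the pattern a
# DGA-driven bot produces while hunting for a live command-and-control domain.
SAMPLE_DNS_LOG = """\
2015-03-02T10:14:01Z 10.0.0.15 www.google.com
2015-03-02T10:14:03Z 10.0.0.15 update.microsoft.com
2015-03-02T10:14:04Z 10.0.0.15 cdn.stackoverflow.com
2015-03-02T10:14:05Z 10.0.0.21 xkq7v2zt9bmw4pld.net
2015-03-02T10:14:05Z 10.0.0.21 g3h8kz2r9qtb7xwv.com
2015-03-02T10:14:06Z 10.0.0.21 mpqrtvzwxkjh.org
2015-03-02T10:14:09Z 10.0.0.33 mail.example.org
"""

# Naive public-suffix handling (assumption for the example): strips one known TLD.
# A real deployment would use the Public Suffix List so "example.co.uk" gives "example".
TLD_RE = re.compile(r"\.(com|net|org|info|biz|ru)$")
CONSONANT_RUN_RE = re.compile(r"[b-df-hj-np-tv-z]+")


def shannon_entropy(text):
    """Bits per character. A label of n distinct characters scores log2(n);
    English words repeat letters and sit well below that."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registered_label(qname):
    """The label just left of the TLD, e.g. 'google' for 'www.google.com'."""
    host = TLD_RE.sub("", qname.lower().rstrip("."))
    return host.split(".")[-1]


def dga_score(qname):
    """Count how many machine-generated traits the registered label shows (0..4)."""
    label = registered_label(qname)
    if len(label) < 6:            # short labels carry too little signal to judge
        return 0
    score = 0
    if shannon_entropy(label) > 3.5:
        score += 1                # near-uniform character distribution
    if sum(ch in "aeiou" for ch in label) / len(label) < 0.2:
        score += 1                # almost no vowels: unpronounceable
    if sum(ch.isdigit() for ch in label) / len(label) >= 0.2:
        score += 1                # digits mixed into the name (rare in real brands)
    runs = CONSONANT_RUN_RE.findall(label)
    if runs and max(len(r) for r in runs) >= 4:
        score += 1                # long consonant clusters
    return score


def scan_dns_log(log_text, threshold=3):
    """Return (client, qname, score) for every query scoring at or above threshold."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _timestamp, client, qname = line.split()
        score = dga_score(qname)
        if score >= threshold:
            hits.append((client, qname, score))
    return hits


def suspect_clients(log_text, threshold=3, min_hits=2):
    """Clients with several DGA-like queries: one odd name is noise, a burst is a bot."""
    counts = Counter(client for client, _, _ in scan_dns_log(log_text, threshold))
    return {client: n for client, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    for client, qname, score in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} {qname} score={score}")
    print("suspect clients:", suspect_clients(SAMPLE_DNS_LOG))
```

Note that a single trait is not enough: a long legitimate name such as stackoverflow trips the entropy test alone, which is why the script requires several traits per name and several names per client. In production the stronger signal is the NXDOMAIN rate per host, since most DGA candidates are never registered.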
10 Prevention Tips:
- Back up your data, and keep at least one copy offline or otherwise not writable from user workstations, because ransomware encrypts reachable backup shares too
- Patch and keep software up to date
- Run a reputable AV solution (Webroot, ESET, etc.)
- User training
- Filter executable attachments at the email gateway
- Block executables from running out of the AppData and LocalAppData folders (via Group Policy, e.g. Software Restriction Policies or AppLocker)
- Do not give users local admin privileges
- Limit end-user access to mapped drives
- Use a pop-up blocker
- Show hidden file extensions, so that invoice.pdf.exe is not displayed as invoice.pdf
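Two of the tips above, filtering executable attachments at the gateway and not trusting displayed file names, are illustrated by the following Python script. It is an added example, not NetCal's code and not from any product the post mentions; the message it inspects is constructed for the example, and the extension list is an assumption (a starting point, not a complete list of what Windows will execute). It judges each attachment by its final extension, by its magic bytes (a PE file starts with "MZ" whatever it is called), and by looking one level inside zip archives, flagging password-protected entries it cannot scan.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows hands straight to a loader or script host (assumed list, not exhaustive).
EXEC_EXTENSIONS = {
    "exe", "scr", "com", "pif", "msi", "bat", "cmd",
    "js", "jse", "vbs", "vbe", "wsf", "hta", "ps1", "jar", "lnk",
}


def build_sample_message():
    """Constructed test message: one clean PDF plus three typical ransomware lures."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please see the attached invoice.")
    # genuine-looking PDF
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # double extension: shown as "invoice.pdf" when Windows hides known extensions
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    # PE bytes under a document name and a document MIME type
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="statement.pdf")
    # zip wrapper around a JScript downloader
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("scan_0042.js", "var sh = new ActiveXObject('WScript.Shell');")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="scan.zip")
    return msg.as_bytes()


def extension_of(filename):
    """Final extension only: that is the one Windows uses to pick a handler."""
    return filename.lower().rsplit(".", 1)[-1] if "." in filename else ""


def inspect_attachment(filename, data, depth=0):
    """Return (name, reason) findings for one attachment: final extension,
    magic bytes, and one level of zip contents."""
    findings = []
    ext = extension_of(filename)
    if ext in EXEC_EXTENSIONS:
        findings.append((filename, f"executable extension .{ext}"))
    elif data[:2] == b"MZ":
        findings.append((filename, f"PE header under non-executable extension .{ext}"))
    if depth == 0 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                inner = f"{filename}/{info.filename}"
                if info.flag_bits & 0x1:   # encrypted entry: cannot be scanned
                    findings.append((inner, "password-protected archive entry"))
                    continue
                findings.extend(inspect_attachment(inner, z.read(info), depth + 1))
    return findings


def scan_message(raw):
    """Findings for every attachment of a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings.extend(inspect_attachment(name, part.get_payload(decode=True) or b""))
    return findings


def gateway_action(raw):
    """Quarantine the whole message if any attachment is flagged."""
    return "quarantine" if scan_message(raw) else "deliver"


if __name__ == "__main__":
    raw = build_sample_message()
    for name, reason in scan_message(raw):
        print(f"{name}: {reason}")
    print("action:", gateway_action(raw))
```

The MIME type declared by the sender is deliberately ignored: statement.pdf is labelled application/pdf yet starts with a PE header, and only the content check catches it. Nested archives beyond one level and encrypted entries are quarantined rather than unpacked, since unlimited recursion is a denial-of-service risk for the gateway itself.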