The Rise in Crypto Ransomware

In recent years, we have seen significant growth in malware. With enablers such as Bitcoin, RSA 2048-bit encryption, and the Tor network, NetCal predicts there will continue to be a significant rise in crypto ransomware. The use of these malicious applications is morphing as we speak. Originally, they were used to gain access to computers and steal data (i.e., spying/snooping). Then it was for ad clicks from popups. Now, malware has taken on the purpose of extorting money directly from the users themselves. Although this shouldn’t be a surprise to anyone, the tools mentioned above make it a lot easier to achieve success.

Most crypto ransomware uses the following tactics:

  1. Use social engineering to get a user to run an application script
  2. Avoid detection
    1. Encrypt/encode its payload (e.g. Base-64)
    2. Use a Domain Generation Algorithm (DGA)
    3. Use the Tor network
    4. Use Bitcoin and a money laundering network
  3. Use the Registry to reinfect after reboot
    1. 0x06 and 0x08 byte subkey (hidden using regedit)
  4. Disable System Restore or VSS type services
  5. Encrypt all user created files by extension, shares, or folders
  6. Use an existing or 0-day exploit/vulnerability
    1. Hijack CLSIDs
      For example, {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} causes any file in the LocalServer32 subkey to be run any time a folder is opened. By hijacking this CLSID, Poweliks is able to ensure that its registry entry will be launched any time a folder is opened or new thumbnails are created, even if the Watchdog process has been terminated.
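
As an added example (not from the original article or from any vendor tooling), the Python script below audits a `.reg`-style registry export for two of the persistence tactics listed above: key names containing control bytes such as 0x06 or 0x08, and a per-user `LocalServer32` registration for the CLSID named above. The HKCU location of the hijack, the finding labels, and the sample export are assumptions constructed for illustration.

```python
import re

# CLSID named on this page as hijacked by Poweliks.
WATCHED_CLSID = "{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
# Assumption: a hijack appears as a per-user COM registration, which
# Windows resolves ahead of the machine-wide one under HKLM.
USER_CLSID_ROOT = r"HKEY_CURRENT_USER\Software\Classes\CLSID" + "\\"
KEY_HEADER = re.compile(r"^\[(HKEY_[^\]]+)\]$")

# Constructed sample export (not real telemetry): one benign Run key,
# one watched-CLSID override, one key named with bytes 0x06 and 0x08,
# and one machine-wide COM server that should not be flagged.
SAMPLE_EXPORT = "\n".join([
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"Updater"="C:\\Program Files\\Vendor\\update.exe"',
    "[" + USER_CLSID_ROOT + WATCHED_CLSID + "\\LocalServer32]",
    r'@="placeholder"',
    "[HKEY_CURRENT_USER\\Software\\Example\\\x06\x08]",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
    r"\{00000000-0000-0000-0000-000000000000}\LocalServer32]",
])


def audit_registry_export(text):
    """Return a list of (reason, key_path) findings for exported key headers."""
    findings = []
    # Split on "\n" only, so control bytes inside key names stay intact.
    for raw in text.split("\n"):
        match = KEY_HEADER.match(raw.rstrip("\r"))
        if not match:
            continue  # value lines and blank lines are ignored
        key = match.group(1)
        # Key names are normally printable; control bytes are suspicious.
        if any(ord(ch) < 0x20 for ch in key):
            findings.append(("control-char-in-key-name", key))
        upper = key.upper()
        if upper.startswith(USER_CLSID_ROOT.upper()) and upper.endswith("\\LOCALSERVER32"):
            # Other per-user COM servers can be legitimate, so they are
            # only marked for review; the watched CLSID is flagged outright.
            reason = ("watched-clsid-hijack" if WATCHED_CLSID in upper
                      else "per-user-localserver32-review")
            findings.append((reason, key))
    return findings


if __name__ == "__main__":
    for reason, key in audit_registry_export(SAMPLE_EXPORT):
        print(f"{reason}: {key!r}")
```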

10 Prevention Tips:

  1. Back-up your data
  2. Patch and keep software up to date
  3. Run a reputable AV solution (Webroot, Eset, etc.)
  4. User Training
  5. Filter executable attachments at the email gateway
  6. Disable files running from AppData/LocalAppData folders (Group Policies)
  7. Do not give users Local Admin privileges
  8. Limit end-user access to mapped drives
  9. Use a popup blocker
  10. Show hidden file extensions