If you’re planning on taking the Security+ exam, you should have a basic understanding of malware such as the Police virus and CryptoLocker.
For example, can you answer this question?
Q. After Maggie turned on her computer, she saw a message indicating that unless she made a payment, her hard drive would be formatted. What does this indicate?
A. Armored virus
B. Ransomware
C. Backdoor
D. Trojan
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Ransomware is a specific type of Trojan. Attackers take control of the user’s computer and then demand that the user pay a ransom to get control back.
Criminals deliver ransomware via multiple methods:
- Via drive-by downloads. Malicious spam often includes URLs that lead users to a malicious server if they click them.
- Embedded in other software. Criminals often embed malware in attachments such as Word, PDF, and ZIP files in spam email campaigns. If the user opens the file, the malware infects the system.
Two classic ransomware viruses that have attacked many people are the Police Virus and CryptoLocker, and they provide good examples of how ransomware works.
The Police Virus
The Police Virus (also known as Trojan Reveton, Police Ukash, and Moneypak virus) accuses users of being involved in illegal activities and demands they pay a fine. It often displays a notification from a law enforcement agency such as the U.S. FBI, the Australian Federal Police, or the Metropolitan Police when the computer boots. In some cases, it takes control of the webcam and displays activity in the user’s room.
It typically demands victims pay an average of $200. It promises to remove the messages and return full control of the computer to the user, but only if the user pays. One piece of good news is that the Police Virus doesn’t actually encrypt or destroy any data. That isn’t the case with CryptoLocker.
CryptoLocker
CryptoLocker doesn’t try to trick the user, but instead uses basic kidnapping and ransom tactics. For example, many kidnappers have abducted a child and then attempted to get a ransom from a parent to release the child. CryptoLocker doesn’t abduct people, but it does take control of valuable user files.
After CryptoLocker takes control of the user’s computer, it encrypts valuable user files, such as photos, videos, and text documents. It then demands the user pay a ransom of an average of $200. It typically displays a message indicating that the criminals will destroy the decryption key in 72 hours if the user doesn’t pay, effectively locking the user’s data forever. In some cases, it shows a timer counting down to zero, adding a sense of urgency to the victim to pay quickly.
Because CryptoLocker uses strong asymmetric encryption techniques to encrypt valuable user files, it is almost impossible to decrypt the data in any reasonable amount of time. In addition to encrypting data on the user’s computer, it also searches for any network drives and encrypts files on them, too.
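As an added example that is not part of the original post: a defender-side check for the symptom described above, user documents suddenly turning into ciphertext. It compares a per-file entropy baseline with a later scan, so media that is already compressed (and therefore naturally high-entropy) does not trigger it; every file name and its contents below is constructed for the demonstration.

```python
import hashlib
import math
import tempfile
from pathlib import Path

# File types the post names as CryptoLocker's targets: photos, videos, text documents.
USER_DATA_SUFFIXES = {".jpg", ".png", ".mp4", ".mov", ".txt", ".doc", ".docx", ".pdf"}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for plain text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def entropy_snapshot(root, sample_size=4096) -> dict:
    """Map each user-data file under root to the entropy of its first sample_size bytes."""
    snap = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in USER_DATA_SUFFIXES:
            snap[str(path.relative_to(root))] = shannon_entropy(path.read_bytes()[:sample_size])
    return snap

def detect_mass_encryption(baseline, current, jump=2.0, min_files=3):
    """Files whose entropy rose sharply since the baseline; alert when many did at once."""
    suspects = [p for p, e in current.items() if p in baseline and e - baseline[p] >= jump]
    return sorted(suspects), len(suspects) >= min_files

def _noise(seed: bytes, n: int) -> bytes:
    """Deterministic high-entropy filler: a constructed stand-in for ciphertext or compressed data."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

def run_demo():
    """Constructed scenario: four notes and one photo, then three notes get 'encrypted'."""
    with tempfile.TemporaryDirectory() as root:
        for i in range(4):
            Path(root, f"notes{i}.txt").write_bytes((f"meeting notes day {i}\n" * 200).encode())
        Path(root, "holiday.jpg").write_bytes(_noise(b"jpeg", 4096))  # already high-entropy
        baseline = entropy_snapshot(root)
        for name in ("notes0.txt", "notes1.txt", "notes2.txt"):  # simulated encryption
            Path(root, name).write_bytes(_noise(name.encode(), 4096))
        return detect_mass_encryption(baseline, entropy_snapshot(root))

if __name__ == "__main__":
    print(run_demo())  # (['notes0.txt', 'notes1.txt', 'notes2.txt'], True)
```

The untouched note and the photo are not flagged: the former never changes, and the latter was high-entropy in the baseline already.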
Just as many parents are willing to pay ransom to save their children, the success of these types of ransomware indicates that many people are willing to pay ransom to restore their data. PandaLabs reported in its 2013 annual report that ransomware has been on the rise and is one of the most common types of malware.
Ransomware Variants
Due to the lucrative nature of ransomware, criminals have created multiple variants such as Locky, Xorist and CryptorBit. While attackers were previously focusing on individuals, they have broadened their attacks. For example, in early 2016, criminals launched several targeted attacks against hospitals.
Basic Protection
US-CERT recommends several steps as basic protection against ransomware attacks. Here are a few:
- Maintain up-to-date antivirus software.
- Keep systems and applications up-to-date.
- Do not follow unsolicited Web links in emails.
- Maintain a reliable backup plan (with backups kept offline).
- Do not enable macros in attachments (such as Word and PDF document files).
- Do not open documents from unknown sources (no matter how enticing the subject line or body text might be).
Remember this
Ransomware is a type of malware that takes control of a user’s system or data. Criminals then attempt to extort payment from the victim. Ransomware often includes threats of damaging a user’s system or data if the victim does not pay the ransom.
Q. After Maggie turned on her computer, she saw a message indicating that unless she made a payment, her hard drive would be formatted. What does this indicate?
A. Armored virus
B. Ransomware
C. Backdoor
D. Trojan
Answer is B. Ransomware attempts to take control of a user’s system or data and then demands ransom to return control.
An armored virus uses one or more techniques to make it more difficult to reverse engineer.
It’s possible that Maggie’s computer was infected with a Trojan, which created a backdoor. However, not all Trojans or backdoor accounts demand payment as ransom.