Blogs

Your money or your documents: how hackers can hold your files to ransom

By Chris Hall | Yahoo News – Tue, Nov 19, 2013

Yahoo News - The Cryptolocker software locks users out of their files, and asks for payment in return for the key - which is unlikely to be delivered. (Symantec)
Britain's National Crime Agency (NCA) has issued a warning to businesses over a wave of hacking attacks that have seen hackers take control of computer files and demand a £900 ransom to unlock each one.

The attackers use spam emails to target small and medium-sized businesses, with attachments that look like invoices, voicemails or other business documents.

An example of a Cryptolocker-infected email, with malware attachment, as found by Symantec

The NCA says that 'tens of millions' of people may have been targeted in Britain, and noted that the attacks seemed to be aimed predominantly at companies. It described the attacks as a 'significant risk'.

The attachments contain a piece of malware called Cryptolocker - an automated piece of ransom software that, if activated, will search for documents and encrypt them so that they cannot be opened or read by the user.

Microsoft Office documents were the most commonly affected, but different variations of the malware also searched for other documents, such as .pdf files.

Cryptolocker then prompts the owner of the files to pay two Bitcoins (each worth £449 as of 19/11/13) for the key to unlock the files.

Bitcoins are a private and anonymous digital currency that can be traded against other major world currencies. The exchange rate can fluctuate wildly.
Ransomware has been on the rise since last year. A report from Symantec Internet Security noted that for a much cheaper ransom, of 5,300 computers infected, 'About three percent of victims paid the ransom, which netted the criminals about $30,000.'

The NCA said in its statement that it 'would never endorse the payment of a ransom to criminals and there is no guarantee that they would honour the payments in any event'.

Lee Miles, Deputy Head of the NCCU says "The NCA are actively pursuing organised crime groups committing this type of crime. We are working in cooperation with industry and international partners to identify and bring to justice those responsible and reduce the risk to the public."

The malware should be detected by up to date antivirus software. Users should exercise caution over opening unfamiliar attachments. Some of the attachments are notable for having a double file extension, such as " FORM_101513.pdf.exe."

Decrypting files that Cryptolocker has been able to encrypt is 'not feasible', according to Symantec. But there are ways that affected users can recover their files even if they have been locked out, using free Windows tools.

If you have made backups of your files, Windows Backup will be able to revert the file to its pre-locked state. Similarly, you can right-click on a file before opening it and choose to open a previous version, giving you the chance to retrieve data from the file.

If your computer does become infected, you should disconnect it from your network, and run a full antivirus scan to identify and quarantine the affected files.

A spokesman for Symantec said: 'Symantec does detect and protect against this threat. We continuously work to protect customers against this threat through various technologies, including the Symantec Email Security.cloud solution.'

How hackers turn YOU into a cyber criminal

For around $3 a day, you can ‘rent’ a swarm of PCs around the world - untraceable ‘slave’ machines which you use to browse illegal sites, send spam or launch cyber attacks.

For just a little more, you can rent thousands.

The PCs, of course, are innocent victims - infected machines under total control of cyber crime gangs.

The machines are used for everything from cyber attacks to blackmail to hosting illegal files, all under the command of gang masters far away.

The only sign their owners might notice is that the adverts they see in their web browser have suddenly changed. Today's malware is built to be invisible.

One of the bitterest ironies of cyber crime is that if you are duped into clicking on a spam email, one of the first things that could happen after illegal software has flooded into your computer, is that you’ll become a spammer yourself.

Once computers are remote-controlled by cyber criminals, they are referred to as ‘zombies’ - and for many criminals, the real value in an infected PC is over the long haul.

Gangs tend to specialise. Some criminals will use software that steal bank account details. Others will compromise a PC, then put it up for auction to other criminals.

But for all of them, the main goal is to stay ‘at the helm’ of the PC they’ve breached.

‘They always make sure they’re invisible,’ says Orla Cox, Security Operations Manager at Symantec Security Response, ‘They want to make sure they stay in your computer.’

‘The hacker just wants control,’ says Norton’s Director of Security Response, Kevin Haley, ‘Once he has control, he can use your machine to send spam, or to mount attacks.’

Several reports have claimed that paedophiles use ‘zombie’ computers to remotely store child pornography, including an Associated Press investigation of dozens of such attacks.

By the time the huge ‘botnets’ - networks of infected PCs controlled by spammers - are deactivated by the authorities, the gangs that control them have had ample warning to move their activities elsewhere.

Botnets are so common that prices can be extremely low. A study found that renting 1,000 machines could be as little as $9 (£6) an hour in 2010 - and this year, prices for renting infected machines are as low as $3 a day, according to researchers from Kaspersky, analysing the TDLL-TDS-4 botnet. Payment is accepted via common credit cards such as MasterCard and Visa.

High-profile ‘DDOS’ - distributed denial of service - attacks used to knock company websites off the internet, rely on the same ‘botnets’ - huge networks of zombie computers, which each send dozens or hundreds of requests to the site under attack.

The confidence of some gangs in their weaponry is such that DDOS attacks are used to blackmail sites such as online bookmakers in the run up to major events - or simply in a hi-tech version of protection rackets.

‘Hello. If you want to continue having your site operational, you must pay us 10 000 rubles monthly,’ said one extortion letter sent out to web masters.

‘Attention! Starting as of now our site will be a subject to a DDoS attack. Your site will remain unavailable until you pay us. The first attack will involve 2,000 bots. If you contact the companies involved in the protection of DDoS-attacks and they begin to block our bots, we will increase the number of bots to 50 000, and the protection of 50 000 bots is very, very expensive.’

Zombie PCs also often become spammers themselves, sending out dozens of infected emails to friends, or even people you don’t know - and building the botnets even further, as their criminal masters fade into the background.

‘A huge amount of malware is still spread through email attachments,’ says Orla Cox. 'Although there’s an increase in high-tech methods such as ‘drive-by downloads’, where infected advertising banners and websites are used to spread malicious software, the ‘traditional’ way of spreading infection via spam is still hugely popular.'

‘The social engineering is becoming cleverer,’ says Cox. ‘You’ll receive a fake package order, fake invoices - but when you click on the attachment, your computer becomes infected.’

Up-to-date protection software and an updated operating system such as Windows will help to defend against such infections before they occur - a much easier way to stay safe than the often-lengthy process of repairing the damage after it occurs.

It’s also worth noting that law enforcement won’t treat you as a criminal if you are a victim of this sort of attack. But the best defence of all is, of course, not being a victim in the first place.