Spam Leads to Locky, TeslaCrypt
- Locky: This ransomware has been tied to many recent attacks, most notably against hospitals.
Ransomware Gets Commoditized
But like banking Trojans, much of the ransomware being used by attackers today is functionally equivalent: It will forcibly encrypt sensitive files on a PC, then demand a ransom payment - in bitcoins - in exchange for a decryption key. Then it's up to organizations or end users to either wipe the infected system and restore a recent backup, or else to decide if they're going to pay the ransom (see Ransomware: Is It Ever OK to Pay?).
As is typical with many types of malware or ransomware campaigns, attackers will then quickly discard the URLs and move to new ones. By the time security firms blacklist a URL so that endpoints infected later can't "phone home" to it, the URL is no longer in use.
To guard against these types of attacks, Microsoft recommends employing related defenses at the following levels:
- Gateway: Ensure email gateways are scanning for malicious code and blocking it there.
- Endpoint: Use up-to-date and fully patched anti-malware and anti-spyware software.
- Macros: Disable macros in Office programs, and set Group Policy settings to disable macro loading.
- Training: Educate users to never click on or open email attachments that carry files with the .js or .jse extension.
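The gateway and training advice above can be backed by an automated check. The following is an added example, not code from the article or from Microsoft: it walks a MIME message and reports attachments with a .js or .jse extension, and it goes beyond the text by also looking one level inside ZIP attachments. The function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the training advice above.
BLOCKED_EXTENSIONS = (".js", ".jse")

def _is_blocked(name):
    # Windows ignores trailing dots and spaces, so strip them before matching.
    return name.lower().rstrip(". ").endswith(BLOCKED_EXTENSIONS)

def find_script_attachments(raw_message):
    """Return a sorted list of attachment names (or 'archive!member') to block."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # multipart containers and the plain body have no filename
        if _is_blocked(name):
            hits.append(name)
            continue
        payload = part.get_payload(decode=True) or b""
        # Detect ZIP archives by content, not by the attachment's file name.
        if zipfile.is_zipfile(io.BytesIO(payload)):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    hits += [f"{name}!{m}" for m in zf.namelist() if _is_blocked(m)]
            except zipfile.BadZipFile:
                hits.append(f"{name}!<unreadable archive>")
    return sorted(hits)

def build_sample(second_name="readme.txt"):
    """Constructed sample: a ZIP holding a .JS file plus one small text attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_0416.JS", "// constructed placeholder, not real code")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    msg.add_attachment("notes", filename=second_name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(find_script_attachments(build_sample()))
```

A gateway hook would quarantine any message for which the returned list is non-empty.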
Bad Bet: Crypto Coding Failures
In some cases, for example earlier this month with Petya ransomware, or last year with a previous version of TeslaCrypt, ransomware developers make coding mistakes that allow researchers to crack their crypto and release a free decryption tool.
Attackers fumbling their ransomware crypto is a "lucky break" for anyone whose systems were infected, says Johannes Ullrich, CTO of the Internet Storm Center, in a recent SANS Institute newsletter. But there's never a guarantee that ransomware coders will screw up, and it's a sure bet that when they do, the next iteration of their ransomware will avoid making the same mistake.
"Remember that the real defense against crypto ransomware is offline backups - which also helps against a number of other disasters," Ullrich says.