RANSOMWARE

Ransomware is malware that denies the legitimate user access to their own files and devices by encrypting them with strong encryption algorithms and demanding a ransom (payment) in order to unlock them.

Attack Vectors

Ransomware is the most prevalent malware threat of the moment. According to authorities (Interpol, Europol, various CERTs) there are more than 4500 new ransomware attacks every day, but they all share a handful of infection vectors:

Unsolicited messages leading to drive-by downloads of malware via malicious URLs

This attack vector, very similar to phishing, uses social engineering to trick the user into clicking malicious URLs contained in the message, which leads to the download of ransomware components.

The social engineering pretext of the message is crucial, and it takes many forms:

Messages that appear to come from social networks, asking you to validate your account or inviting you to see a new post or photo. The most commonly abused networks are Facebook and LinkedIn, but also dating and socialising platforms such as Snapchat, Match, OkCupid, EliteSingles, GetItOn, Passion.com or FriendFinderX.
Messages pretending to come from attractive women nearby, or from Russia, China, Japan etc., looking for a romantic relationship and inviting you to view their profile or photos.
Messages that appear to come from retail chains, e-tailers or deals-and-discounts platforms, offering a special deal that is available for a limited time or in limited stock.
Messages that appear to come from your bank or another well-known bank, claiming that they need to validate your account, that you have received a money transfer, or that unusual transactions have been performed from your account.

Unsolicited messages with infected attachments

Messages with infected attachments vary widely in attachment format and extension. The social engineering component, aimed at tricking you into executing the attachment, is the most important element in this case too:

There are messages pretending to come from tax authorities, asking you to confirm a tax filing, to consult the tax deductions you are entitled to, or informing you about a tax refund.
Other times the attachment claims to be the transcript of a voice message you received on WhatsApp, or an online fax.
Other messages claim to be invoices for orders you supposedly placed on well-known shopping platforms such as Amazon, Google Play Store and Apple iTunes, or with local retailers.

Drive-by downloads of malware from websites containing infected web objects

The infected objects are modified JavaScript, ActiveX controls, download-and-install plugins and the like. Here the user has little interaction: the attackers take advantage of user naivety, but also of vulnerabilities in applications we use daily, such as browsers, the Java runtime, Adobe Flash Player or Adobe Reader.

Where user interaction is needed, there is normally a web page stating that a browser extension or add-on must be installed, or that software needed to display some active content is missing. In some cases the attack is so advanced that the executable's name closely resembles a legitimate one, and it may be signed with a certificate that is fake or expired, or even with a valid certificate.

Prevention Tips and Advice

Treat unsolicited messages with caution and, as a rule of thumb, don't open them unless you are absolutely certain that they are legitimate.
If a message contains an attachment and comes from an unsolicited or untrusted source, don't execute it! Authorities normally do not send messages with attachments. Photos, e-cards or invoices can be consulted online on the respective websites, which you should reach by TYPING the address into the browser, not by clicking on URLs. And if you really want to open an attachment, first scan it with a reputable and up-to-date antivirus solution.
When you receive special offers from retailers, verify them in the browser by manually logging into your account and checking whether they are real.
Keep your browser and its extensions and add-ons permanently up to date from their official sources. Don't trust every message asking you to download add-ons or other executables, and never use the RUN option; download the file and scan it instead. If a page tells you that you need to install an add-on or browser extension, obtain the original file from the official vendor and check that it is signed and that the certificate is valid.
When you receive messages containing URLs, you can always check the URL structure and the real Internet address by hovering the mouse over the link. Be careful, as attackers use very similar names or trick you with digits in place of letters (e.g. Cit1Bank, Micros0ft, Gogle/Gooogle, Aple or 1NG Bank). Also pay attention to the URL structure: while https://authentication.mybank.com is a subdomain of MyBank, a construction like https://authenticationservice.com/MyBank/ is a page on authenticationservice.com, and MyBank is merely part of its path.
If you receive unsolicited messages pretending to come from social networks and informing you about a new post or photo, access the respective social network through its mobile app or by manually TYPING its address into the browser, rather than clicking on URLs in messages.
All messages coming from your bank or other financial services should be treated with special attention. Whenever possible, access the service manually in a secure browser instance instead of clicking on URLs or opening e-mail attachments.
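The URL-structure check described above (registrable domain versus look-alike names and brand names buried in a path or subdomain) can be automated, for example in a mail gateway or awareness tool. The following is an added example, not code from the original page; the allowlist of trusted domains, the digit-substitution table and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist of legitimate domains (hypothetical, for illustration).
TRUSTED_DOMAINS = {"mybank.com", "citibank.com", "microsoft.com",
                   "google.com", "apple.com"}

# Digit-for-letter swaps commonly seen in look-alike names (0->o, 1->i, ...).
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s"})


def registrable_domain(url):
    """Last two labels of the host, e.g. 'authenticationservice.com'.
    Simplified: multi-part public suffixes such as co.uk are not handled."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalize(label):
    """Undo digit swaps and collapse repeated letters: 'Gooogle' -> 'gogle'."""
    label = label.lower().translate(LOOKALIKE_MAP)
    collapsed = []
    for ch in label:
        if not collapsed or collapsed[-1] != ch:
            collapsed.append(ch)
    return "".join(collapsed)


def classify(url):
    """Return (verdict, registrable_domain) for a URL found in a message."""
    domain = registrable_domain(url)
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    trusted_brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    if normalize(domain.split(".")[0]) in {normalize(t) for t in trusted_brands}:
        return "lookalike", domain          # Cit1Bank, Micros0ft, Gooogle, Aple
    # Brand name in a subdomain or path of another registrable domain, e.g.
    # authenticationservice.com/MyBank/ (naive substring match; short brand
    # names would need stricter matching to avoid false positives).
    if any(t in url.lower() for t in trusted_brands):
        return "impersonation", domain
    return "unknown", domain


if __name__ == "__main__":
    for u in ("https://authentication.mybank.com/login",
              "https://authenticationservice.com/MyBank/",
              "https://www.Cit1Bank.com/verify", "https://gooogle.com",
              "http://example.org/offer"):
        print(classify(u), u)
```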

There’s no reason to postpone training your employees

Get a quote based on your organization’s needs and start building a strong cyber security infrastructure today.