It's the stuff of more than a few movies: A villain kidnaps the helpless damsel in distress, holding her for ransom until the hero swoops in to save the day. The villain's motives in such a scenario are transparent – the bad guy takes what the good guy cares about the most, holding it as collateral until the good guy comes up with the payment.
For the past few years, hackers have been taking cues from this page in the clichéd scoundrel's handbook as part of ransomware attacks. Ever since the emergence of infections like CryptoLocker – the likes of which many security experts hadn't seen before in the digital space – the use of ransomware has been skyrocketing.
Although this style of threat has been widely publicized and users have been urged to better protect their systems and sensitive files, ransomware attacks are still taking place. Worse still, cybercriminals are creating new ransomware samples to carry out their bidding.
A primer on ransomware: How does it work?
Before looking at the latest samples, let's examine how a ransomware infection works. Although there are numerous ransomware samples being used today, each infiltration is largely the same.
The infection typically begins when users visit or are tricked into visiting a malicious website. Once the link is clicked, the malware begins to download itself onto the victim's system, and more often than not, the individual has no idea that his or her machine is being infiltrated.
Next, the malware works to lock down the user's system, preventing them from opening or altering any important files. Normally, a warning screen will appear, alerting the victim that they have been infected with ransomware, and that he or she can pay a ransom – typically in Bitcoin or another digital, untraceable currency – to unlock the files.
This video from Trend Micro further explains how a ransomware infection operates in a real-world setting.
There have been more than a few infections that have taken place in this manner. However, researchers and victims have found that whether or not files are returned – even when the ransom is paid – is little more than a guessing game. In the past, victims have paid black hats the amount they asked for and still have not regained access to their files.
Let's take a look at some of the newest ransomware infections, and what users can do to protect themselves.
Newest additions to the ransomware family: CTB Locker
One of the first new ransomware samples discovered this year was CTB Locker, which was uncovered soon after the U.S. Justice Department, the FBI, Europol, Trend Micro and other security agencies worked to take down networks connected with CryptoLocker. Heimdal Security blog copywriter Aurelian Neagu noted that while the takedown of the Russian hacker-controlled network was a huge step forward in the fight against ransomware and malware at large, many experts expected a comeback.
This came in the form of CTB Locker, a ransomware trojan fairly similar to its predecessor CryptoLocker.
CTB Locker typically infects victims via spam and malicious email attachments, just like other ransomware infections seen in the past. However, this sample does have a defining advantage: its use of Curve-Tor-Bitcoin. The name describes the three pieces of the scheme: files are locked with persistent elliptic-curve cryptography, the infection is controlled from a server hosted on The Onion Router, or Tor, and the black hats then demand the ransom payment in Bitcoin, completing the infection.
"The malware is deployed through a binary code, which is executed if you open the email spam archive," Neagu explained. "Further on, when running CTB Locker, it immediately and automatically downloads its harmful main component from multiple domains. And it's all done through a https:// secure connection."
This makes the sample a considerably dangerous one, and an infection to be reckoned with.
Another new malware sample discovered this year was TeslaCrypt, first uncovered in January by SophosLabs. What makes this infection different is the fact that it not only targets Windows users, but specifically seeks to lock down files related to games, configurations, maps and replays, noted Naked Security blog contributor John Zorabedian.
And it's not just the run-of-the-mill Minesweeper games being sought out by the sample. Zorabedian reported that the ransomware targets some of the most popular games played by users today, including Call of Duty, World of Warcraft, Minecraft and others. In addition, researchers have also found that TeslaCrypt looks for other sensitive files, including those related to tax returns and personal finance in programs like Intuit's Quicken and iTunes.
Besides targeting a certain subset of files, this infection presents like other ransomware infiltrations: locking users out of their files and displaying a warning screen providing instructions on how to pay in Bitcoin for the return of this important information.
In April, FireEye reported the discovery of KRIPTOVOR, a ransomware sample targeting Russian businesses and international firms partnering with these organizations.
Whereas other samples came with strict functionality, researchers found that KRIPTOVOR is modular, enabling hackers to add capabilities as they see fit.
"Analysis of an early variant shows that it was first used to steal cryptocurrency wallets from its victims," FireEye contributor and threat researcher Erye Hernandez wrote. "Over time, it evolved to include a ransomware component."
Like many ransomware samples, this infection also has protections in place to disguise its presence as it works to obtain information and lock down files. KRIPTOVOR includes evasion capabilities and removes any evidence of its activity – whether or not it is able to successfully steal information and encrypt files.
However, unlike other infections that display a flashy warning screen to alert victims of the infection, KRIPTOVOR adds a "MESSAGE.txt" file in every folder as it sweeps the system. This file, once stumbled upon by the user, advises him or her on how and where to send the ransom.
Protecting against ransomware
One of the factors that makes ransomware so dangerous is that there is no cure-all to prevent infection. However, users can protect themselves and considerably reduce their chances of infection through a combination of awareness, education, activity monitoring and backups.
"[I]t is essential to educate users about security and social engineering attacks to prevent them from becoming victims," Hernandez wrote. "It is also crucial to have backups of important files, both to prevent being a victim of ransomware and as a good practice for disaster recovery."
When individuals are aware of these types of threats, they can better understand what signs to look for that could signal the beginning of an infection. Users should avoid suspicious emails and attachments, and ensure that they have a monitoring program in place that can alert them to suspicious activity within their systems. Finally, users should ensure that all security protections and general software are up to date, and that all available patches and updates have been installed.
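As an added example (not from the article or any of the vendors it quotes), here is a small Python heuristic for the kind of activity monitoring recommended above: it flags the KRIPTOVOR-style behaviour described earlier of dropping the same ransom-note file (MESSAGE.txt) into many folders within a short time. The event list, timestamps and paths are constructed; only the note filename comes from the article.

```python
from collections import defaultdict

# Constructed sample of file-monitor events as (seconds, operation, path).
# Not real telemetry: it imitates a sweep that touches files and drops a
# MESSAGE.txt ransom note in every folder it visits, plus benign noise.
SAMPLE_EVENTS = [
    (0.0, "modify", r"C:\Users\alice\Documents\budget.xlsx"),
    (0.5, "create", r"C:\Users\alice\Documents\MESSAGE.txt"),
    (1.2, "modify", r"C:\Users\alice\Pictures\holiday.jpg"),
    (1.4, "create", r"C:\Users\alice\Pictures\MESSAGE.txt"),
    (2.0, "modify", r"C:\Users\alice\Music\song.mp3"),
    (2.3, "create", r"C:\Users\alice\Music\MESSAGE.txt"),
    (3.1, "create", r"C:\Users\alice\Desktop\MESSAGE.txt"),
    (900.0, "create", r"C:\Users\alice\Downloads\readme.txt"),  # benign
    (950.0, "create", r"C:\Users\alice\Desktop\notes.txt"),     # benign
]


def _dirname(path):
    # Handle Windows and POSIX separators regardless of the host OS.
    return path.replace("\\", "/").rsplit("/", 1)[0].lower()


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def note_sweep_alerts(events, note_names=("MESSAGE.txt",), min_dirs=3, window_s=60.0):
    """Alert when the same ransom-note filename is created in at least
    min_dirs distinct directories within window_s seconds.
    Returns a list of (note_name, dir_count, first_ts, last_ts)."""
    wanted = {n.lower() for n in note_names}
    seen = defaultdict(list)  # note name -> [(timestamp, directory)]
    for ts, op, path in events:
        if op == "create" and _basename(path) in wanted:
            seen[_basename(path)].append((ts, _dirname(path)))
    alerts = []
    for name, hits in seen.items():
        hits.sort()
        for i in range(len(hits)):
            t0 = hits[i][0]
            in_window = [(ts, d) for ts, d in hits[i:] if ts - t0 <= window_s]
            dirs = {d for _, d in in_window}
            if len(dirs) >= min_dirs:
                alerts.append((name, len(dirs), t0, in_window[-1][0]))
                break  # one alert per note name is enough
    return alerts
```

Tune min_dirs and window_s to the monitored host: a single note in one folder is normal user activity, while the same filename appearing across several folders within a minute is the sweep signature worth alerting on.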