# New Internet Scam - ‘Ransomware’ Locks Computers, Demands Payment



## Nick (Apr 23, 2002)

*New "drive-by" virus on the Internet carries fake threat and fine, purportedly from the FBI.*

From www.FBI.gov:


> *Citadel Malware Continues to Deliver Reveton Ransomware in Attempts to Extort Money*
> 
> 08/07/12 - The IC3 has been made aware of a new Citadel malware platform used to deliver ransomware named Reveton. The ransomware lures the victim to a drive-by download website, at which time the ransomware is installed on the user's computer. Once installed, the computer freezes and a screen is displayed warning the user they have violated United States federal law. The message further declares the user's IP address has been identified by the Federal Bureau of Investigation as visiting websites that feature child pornography and other illegal content.
> 
> ...


Image of fake FBI notice *here*


----------



## dpeters11 (May 30, 2007)

It looks like this uses things like the BlackHole exploit pack. Of course this just adds to the need to keep things up to date: Windows patches, Java, Acrobat, Flash, etc.

Secunia has a nifty program called PSI, which looks at all the programs on a system and identifies the ones that are out of date. It really helps keep up on security updates.


----------



## AntAltMike (Nov 21, 2004)

> Once installed, the computer freezes and a screen is displayed warning the user they have violated United States federal law. The message further declares the user's IP address has been identified by the Federal Bureau of Investigation as visiting websites that feature child pornography and other illegal content.


Aw, shucks, my computer screens have been displaying warnings like that for years. They even use the same language that's been on the arrest warrants.


----------



## billsharpe (Jan 25, 2007)

The clue here is "ransomware lures the victim to a site."

The lockup is not automatic.

People need to pay attention.

Thanks for the warning, though...


----------



## SayWhat? (Jun 7, 2009)

> An operation to break up a ransomware network estimated to be worth one million euros a year has been successful.
> 
> European police agency Europol says that Spanish police, working alongside the European Cybercrime Centre (EC3), have broken up a gang which allegedly ran a ransomware scheme which demanded money from online users in 30 countries.


http://www.zdnet.com/ransomware-cybercrime-gang-broken-by-spanish-police-7000011302/


----------



## dpeters11 (May 30, 2007)

Not saying that these shouldn't be prosecuted, but of course someone else just pops up. From watching the Tech Guy a weekend or two ago, people were still getting hit with this type of thing very recently.


----------



## SayWhat? (Jun 7, 2009)

No doubt the bots are still active somewhere.

They'll have to kill those and distribute the unlock keys so people can clean their machines.


----------



## ghontz1 (Mar 25, 2010)

Boot up in safe mode and use System Restore. Worked for me after one of my nephews somehow caused my PC to become infected. Make sure to run Malwarebytes and scan for viruses after you do System Restore to make sure it's gone for good.


----------



## wingrider01 (Sep 9, 2005)

dpeters11 said:


> Not saying that these shouldn't be prosecuted, but of course someone else just pops up. From watching the Tech Guy a weekend or two ago, people were still getting hit with this type of thing very recently.


Why prosecute? I hear that there are plenty of open suites at GTMO.


----------



## wilbur_the_goose (Aug 16, 2006)

They're becoming more sophisticated. New variants encrypt the victim's hard drive and you don't get the encryption key without payment.

Booting into safe mode won't do squat for this attack vector.


----------



## houskamp (Sep 14, 2006)

fdisk always works


----------



## wingrider01 (Sep 9, 2005)

houskamp said:


> fdisk always works


Move all user profiles and public profiles off the C drive to another drive, and image the boot drive. Then, if anything happens, pull the drive, put a new one in, and restore the image.


----------



## Marlin Guy (Apr 8, 2009)

I've seen them change attributes and make the files hidden, but I have not seen a single one that encrypted the users' data.

Show me.


----------



## dpeters11 (May 30, 2007)

Here's an article from Sophos, though they say only the first 10% of the files were encrypted in this case.

http://nakedsecurity.sophos.com/2010/11/26/drive-by-ransomware-attack-demands-120/

Older Krebs column
http://voices.washingtonpost.com/securityfix/2008/06/ransomware_encrypts_victim_fil.html

But if Wilbur_The_Goose says they are becoming more sophisticated, then that's cause for concern.


----------



## Marlin Guy (Apr 8, 2009)

First article is 3 years old and the second one is 5 years old. :nono:

Ransomware attacks are prevalent and some are sophisticated, but the vast majority of them simply try to trick the user into paying a fee to remove viruses that were never there to begin with.

I've been cleaning them up for years, and I've never seen one from which I couldn't retrieve the customer's files.


----------



## SayWhat? (Jun 7, 2009)

> An unusual new strain of ransomware makes good on its threat, doing what the majority of other varieties only claim to do. The Trojan actually encrypts data on infected machines, effectively rendering certain files inaccessible to users on compromised computers in order to block removal.





> According to the report, upon execution, the malware randomly spawns either ctfmon.exe or svchost.exe and injects its own code there. The injected system process then reportedly executes a copy from the %TEMP% folder, creating ctfmon.exe or svchost.exe child processes with the injected code, which is apparently where things take a turn for the interesting.
> 
> First the malware generates a unique computer ID, then it uses that ID and the fixed string "QQasd123zxc" to produce an encryption key with crypto API functions like "advapi32!CryptHashData" and "advapi32!CryptDeriveKey" so that the attacker can create the same key each time he uses that string. Now the malware sends requests with the computer ID back to its command and control server, encrypting its communications on the server with the first key and allowing the Trojan to decrypt them on the infected computers.
> 
> ...


http://threatpost.com/en_us/blogs/new-ransomware-encrypts-victim-data-013013


----------



## SayWhat? (Jun 7, 2009)

> Some of the newer versions 'lock' the computer by encrypting key parts of the operating system and making it unusable. But, continued Corrons, "As some antivirus could break the encryption and release the files, the criminals changed to a more sophisticated technique using server-based encryption; and the only way to decrypt files in this state is to get the key from the criminals. So even if you remove the infection, you have still lost all your information."


http://www.infosecurity-magazine.com/view/30443/ransomware-threat-on-the-increase/

Also see: http://blogs.avg.com/news-threats/attention-data-hardrive-encrypted/


----------
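The two posts above describe a shift in how the keys were handled: the Threatpost piece has the malware deriving a key on the victim's machine from a computer ID and the fixed string "QQasd123zxc" via CryptHashData/CryptDeriveKey, and the Infosecurity quote says the criminals then moved to server-side keys because the first design could be broken. The following Python is an added illustration of why that matters; it is not code from the thread, the articles, or the malware. It emulates the derivation Microsoft documents for CryptDeriveKey with a non-SHA-2 hash. Everything else is our assumption: SHA-1 as the hash, a 16-byte key, the ID simply concatenated with the fixed string, a computer ID that survives on the host (the malware must keep it to talk to its C2), and a toy XOR keystream standing in for the real cipher.

```python
"""Added example (not from the thread or the malware): a key derived on the
victim's machine from host-resident data can be recomputed by a responder,
while a key generated on the attacker's server cannot.

Assumptions (ours, not from the articles): SHA-1 as the hash, a 16-byte key,
ID || fixed string as the hashed input, and a computer ID recoverable from the
infected host. xor_stream is a stand-in cipher, not the malware's.
"""
import hashlib
import os

FIXED_STRING = b"QQasd123zxc"   # constant quoted in the Threatpost write-up


def crypt_derive_key(hash_name: str, base_data: bytes, key_len: int) -> bytes:
    """Emulate the derivation Microsoft documents for CryptDeriveKey with a
    non-SHA-2 hash: truncate the hash when it is long enough, otherwise
    stretch it with the 0x36 / 0x5C padded buffers and take the prefix."""
    h = hashlib.new(hash_name, base_data).digest()
    if key_len <= len(h):
        return h[:key_len]
    padded = h.ljust(64, b"\x00")
    inner = bytes(b ^ 0x36 for b in padded)
    outer = bytes(b ^ 0x5C for b in padded)
    stretched = hashlib.new(hash_name, inner).digest() + hashlib.new(hash_name, outer).digest()
    if key_len > len(stretched):
        raise ValueError("requested key longer than this derivation can supply")
    return stretched[:key_len]


def victim_key(computer_id: bytes, key_len: int = 16) -> bytes:
    """What the client-side design computes: derive(hash(ID || fixed string)).
    Both inputs are either hard-coded or stored on the host."""
    return crypt_derive_key("sha1", computer_id + FIXED_STRING, key_len)


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (SHA-256 in counter mode). Symmetric, so the same
    call encrypts and decrypts. Stand-in only, never use as a real cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def defender_recovers(computer_id_from_host: bytes, ciphertext: bytes) -> bytes:
    """A responder who pulls the computer ID off the infected machine and knows
    the fixed string rebuilds the identical key. No attacker cooperation needed."""
    return xor_stream(victim_key(computer_id_from_host), ciphertext)


def server_side_key() -> bytes:
    """The later design: a random key that exists only on the criminals' server.
    Nothing left on the host allows it to be recomputed."""
    return os.urandom(16)


if __name__ == "__main__":
    # Constructed sample data: an ID the malware would have stored, and a file.
    computer_id = b"A1B2C3D4-7F00"
    document = b"Q3 invoices (constructed sample data)"

    locked = xor_stream(victim_key(computer_id), document)
    assert defender_recovers(computer_id, locked) == document
    print("client-derived key rebuilt from host data:", victim_key(computer_id).hex())

    locked_remote = xor_stream(server_side_key(), document)
    print("server-side key: %d bytes recoverable only with the key itself" % len(locked_remote))
```

The contrast is the whole point of the Infosecurity quote: with the first scheme a responder (or an AV vendor) who recovers the stored ID can regenerate the key offline, so removing the infection also unlocks the data; once the key is minted on the attacker's server and never written to disk, cleaning the machine leaves the files exactly as encrypted as before.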



## dpeters11 (May 30, 2007)

Marlin Guy said:


> First article is 3 years old and the second one is 5 years old. :nono:
> 
> Ransomware attacks are prevalent and some are sophisticated, but the vast majority of them simply try to trick the user into paying a fee to remove viruses that were never there to begin with.
> 
> I've been cleaning them up for years, and I've never seen one from which I couldn't retrieve the customer's files.


OK, agreed those are a few years old, but it does show that the issue did exist then, and there is no evidence that they don't do it anymore. It might be more targeted, in a spear-phishing attack.


----------



## wilbur_the_goose (Aug 16, 2006)

Encryption Ransomware:

> "Pay up or we'll notify the police!"
> 
> Variants of this malware are infecting computers in Europe and they are devilishly sophisticated. They encrypt all the files on the hard drive. This prevents the owner from accessing them until the ransom is paid to get the decryption key.
> 
> "The bad guys have improved the nastiness of this attack," said Chester Wisniewski, a senior security advisor at SophosLabs. "They basically steal all of your documents and lock them in a vault. And only they have the key."

From http://www.nbcnews.com/business/latest-ransomware-attacks-are-scarily-sophisticated-969766

Obviously, there's no "vault". The attackers are the only ones with an encryption key.

Earlier variants used symmetric encryption, which is relatively easy to break. These use asymmetric encryption, which uses a public/private keypair. These are a helluva lot more difficult to break - actually impossible using the technology that most of us can get our hands on.


----------



## dpeters11 (May 30, 2007)

Looks like today's "Security Now" podcast with Leo Laporte and Steve Gibson is one where they talk to Brian Krebs, and it partially deals with ransomware. Krebs has been able to infiltrate this underground.


----------



## wilbur_the_goose (Aug 16, 2006)

Krebs is a giant in the ITSec world. Good article on ransomware: http://krebsonsecurity.com/2012/08/inside-a-reveton-ransomware-operation/


----------



## dpeters11 (May 30, 2007)

Listening to the podcast now; very interesting on how the business of this stuff actually works. I didn't really realize that when you buy an exploit kit, it could come with a license agreement that it could only be used against a particular domain, with add-on packs and tech support.


----------



## satcrazy (Mar 16, 2011)

So,
The only thing to do is back up all files, and fdisk?

Would also like to know what program you and wilbur use for general security.

I'm currently using Bitdefender, but when it expires, I'm thinking Kaspersky.


----------



## dpeters11 (May 30, 2007)

For AV, I like Kaspersky. I generally don't like the suites (from anyone). But just as important (maybe even more so), is keeping everything updated. I like a free program called PSI from Secunia. It keeps track of all your software and tells you when a security update comes out, when it is end of life etc.

AV is a part of online security, but cannot be the only aspect. If malware can use a vulnerability to get in, AV can be powerless to stop it. It's not enough to just say, don't go to sketchy sites. While those of course can make you a target, malware can wind up on legit sites, either due to the site itself being compromised, or through an ad. A subsite of the LA Times had malware for 6 weeks recently.

http://secunia.com/vulnerability_scanning/personal/

A lot of it is just common sense. If a site tells you that a particular thing needs to be installed or updated (like a new version of Flash), go to the publisher's site and get it from there.

Krebs' three rules apply here:
1) If you didn't go looking for it, don't install it.
2) If you installed it, update it.
3) If you no longer need it, get rid of it! (#3 especially applies to Java lately.)

I also don't reuse passwords; every site has its own, and my primary email is set to require two-factor authentication when it's on a system that I haven't told it to trust.

One thing I should point out, I'm not an expert like Wilbur, I have an interest in the topic but he has the background.


----------



## wilbur_the_goose (Aug 16, 2006)

dpeters - you're right on the money recommending PSI. Great product, highly recommended.

satcrazy - that may or may not work. If the last backup had the malware present, but not active, you'd end up restoring the malware too. These aren't lonely high school kids trying to crash your PC; they're organized criminals that hire professionals to commit crime. Kaspersky is good, and I've used Eset too. The ones I really don't like are McAfee and Norton; they come with a lot of bloat and have a big memory footprint.

It's also a good idea to run something like Malwarebytes once in a while. And, if you're on Windows, be sure to run the "Malicious Software Removal" tool that comes down as part of Windows Update monthly.

If you're interested in cybercrime, check out my favorite report: The 2012 Verizon Data Breach Report: http://www.verizonenterprise.com/re...each-investigations-report-2012-ebk_en_xg.pdf

(This isn't the VZ you probably know - they run a really great IT security practice)


----------



## dpeters11 (May 30, 2007)

Yippee, Krebs just tweeted that NBC.com has malware. Not going there for obvious reasons, but sounds like it could be an iframe with Citadel.


----------



## satcrazy (Mar 16, 2011)

dpeters,

Thanks, will get PSI.

Will also remember the three-rule theory.

I have my pc set up with Admin and [limited] User Accounts, with passwords for all.

So if youtube wants you to update flash, go to adobe web site. Got it.

Wilbur-

So if back up is iffy, what's the best choice here?

I'm embarrassed to admit this, I thought the Malicious Software Removal Tool was autorun. Could I get instructions on how to run this, and where it is located?

I've not heard of Eset, will look at that as well.

Now, on to read those articles and do my updates.

Thanks again to both of you.


----------



## dpeters11 (May 30, 2007)

Right, and never use the admin account for anything other than what you really need it for. Always do day to day things limited.

Eset is also good; their product is NOD32. I would probably just use the AV product, not the suite. If you have more than two systems, the Family Security Pack is a steal. Keep in mind, AV is one small part of this. Running NBC.com through a site called VirusTotal today, it used 46 virus scanners to scan; 3 caught the malware. You can't say that those 3 are the good ones; they will not pick up something else. It's not really a negative against the AV companies, it just shows the size of the problem. Things were simpler when a virus was spread by floppy and just made the characters fall to the bottom of the screen. The motive was much different.

You still want a backup, as a general rule. Having a local backup, like to DVD, is good, but disks go bad. You also want offsite backup. I use Carbonite for this. It starts at $60 a year, but it's unlimited. By default, it encrypts your data with their key, but you can make your own. Of course, if you lose your own key, they can't help you.

Carbonite may help if you get this kind of malware, but I can't say for sure. It's not a network drive, and you can restore previous versions of files.


----------



## wilbur_the_goose (Aug 16, 2006)

satcrazy - dpeters11 has all the right answers 
Want a job?


----------



## acostapimps (Nov 6, 2011)

That's why I do Windows and security updates every chance I get, so as not to run into problems like this or any virus or malware.


----------



## dpeters11 (May 30, 2007)

Just keep in mind, it can still happen fully patched, so stay vigilant. Actually, I believe the latest Flash patch (third this month) is for a 0-day vulnerability.

But there is a point where you've done everything you can and at least minimized the risk.


----------



## wilbur_the_goose (Aug 16, 2006)

Good paper on the subject: http://www.sophos.com/en-us/mediali...ers/SophosRansomwareFakeAntivirus.pdf?dl=true

It'll download the report in PDF format to your PC.

(PS - The landing page is http://www.sophos.com/en-us/why-sop...ansomware-next-generation-fake-antivirus.aspx . I wanted to add it here in case you wanted to avoid a blind download)


----------

