Ransomware Lessons

USB Hacks - @SeniorDBA

Ransomware is malicious software that attacks a computer or your entire network to force you to pay a fee (a ransom) to regain access to your systems. If the fee is not paid within a set timeframe, the criminals who now have access to your systems will wipe the data. Since those systems are unavailable to your organization, most businesses are faced with a decision: pay the ransom and get back to business, or refuse to pay and risk losing customer data forever.

Like any other virus or malware, ransomware is usually downloaded from the internet, most often by clicking a suspicious link in an email or on a website.



Ransomware: WannaCry Malware Review

WannaCry Malware

The WannaCry ransomware was first noticed on May 12, 2017, and it spread very quickly through many large organizations, infecting systems worldwide. Unlike other ransomware, this sample used the SMBv1 “ETERNALBLUE” exploit to spread. “ETERNALBLUE” became public about a month earlier, when it was published as part of the Shadow Brokers archive of NSA hacking tools.

Prior to the release of the hacking tool, Microsoft had patched the vulnerability as part of the March 2017 Patch Tuesday release, but only for supported versions of Windows. In response to the rapid spread of WannaCry, Microsoft eventually released the MS17-010 patch for older, out-of-support versions of Windows as well, going back to include the still popular Windows XP and Windows Server 2003.

One way to detect the spread of the malware was the significant increase in activity on port 445, caused by infected systems scanning for more victims. It is still not clear how the infection started. There are some reports of e-mails that included the malware as an attachment, but at this point no actual samples have been made public. It is also possible that the worm entered a corporate network via vulnerable hosts that had port 445 exposed to the internet. The WannaCry malware itself doesn’t have an e-mail component.
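The port 445 signal described above can be turned into a simple detection. The following is an added example, not code from the original post: it reads constructed flow-style log lines (timestamp, source IP, destination IP, destination port) and flags any source that reaches an unusually large number of distinct TCP/445 destinations inside a short time window, which is what worm-style scanning looks like and what normal file-server use does not. The log format, the sample addresses, the 60-second window and the threshold of five destinations are all assumptions chosen for the example.

```python
# Added example: flag worm-like SMB (TCP/445) scanning in flow logs.
# The log line format, sample data and thresholds are constructed for this
# example; adjust them to your own flow or firewall log source.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample flows: "timestamp src_ip dst_ip dst_port".
# 10.0.0.5 fans out to six different hosts on 445 within three seconds (scanner),
# 10.0.0.9 talks repeatedly to one file server on 445 (normal),
# 10.0.0.7 fans out on 443, which is not SMB and is ignored.
SAMPLE_FLOWS = """\
2017-05-12T10:00:00 10.0.0.5 10.0.0.20 445
2017-05-12T10:00:01 10.0.0.5 10.0.0.21 445
2017-05-12T10:00:01 10.0.0.5 10.0.0.22 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.23 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.24 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.25 445
2017-05-12T10:00:00 10.0.0.9 10.0.0.2 445
2017-05-12T10:00:30 10.0.0.9 10.0.0.2 445
2017-05-12T10:01:00 10.0.0.9 10.0.0.2 445
2017-05-12T10:00:00 10.0.0.7 203.0.113.10 443
2017-05-12T10:00:01 10.0.0.7 203.0.113.11 443
2017-05-12T10:00:01 10.0.0.7 203.0.113.12 443
2017-05-12T10:00:01 10.0.0.7 203.0.113.13 443
2017-05-12T10:00:01 10.0.0.7 203.0.113.14 443
2017-05-12T10:00:01 10.0.0.7 203.0.113.15 443
"""


def parse_flows(text):
    """Parse the constructed flow format into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def find_smb_scanners(flows, window=timedelta(seconds=60), threshold=5):
    """Return {src_ip: peak_distinct_targets} for every source whose number of
    distinct TCP/445 destinations within any `window` reaches `threshold`.

    A sliding window is used so a single chatty connection to one file server
    never counts as scanning, while a fan-out to many hosts does.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 445:
            by_src[src].append((ts, dst))

    scanners = {}
    for src, events in by_src.items():
        events.sort()
        recent = deque()          # events still inside the window
        counts = defaultdict(int)  # distinct destinations inside the window
        peak = 0
        for ts, dst in events:
            recent.append((ts, dst))
            counts[dst] += 1
            # Drop events that have fallen out of the window.
            while recent and ts - recent[0][0] > window:
                old_ts, old_dst = recent.popleft()
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
            peak = max(peak, len(counts))
        if peak >= threshold:
            scanners[src] = peak
    return scanners


if __name__ == "__main__":
    for src, peak in find_smb_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible SMB scanner: {src} reached {peak} distinct hosts on 445")
```

Run against real data, the threshold should be set from a baseline of how many distinct hosts a normal workstation touches on 445; domain controllers, backup servers and vulnerability scanners will need an allow list.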

At startup, the malware first checked whether it could reach a specific website, http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, although it cannot be assumed that newer versions will still show this behavior. This was a simple “kill-switch”: if the malware found the site, it stopped operating.

Eventually, the malware would create an encryption key and encrypt all the user files on the infected PC to prevent normal user access to those files. The idea is to force the user to pay a fee to recover the files they no longer could access.

Encrypted files use the extension .wncry. To decrypt the files, the user is asked to pay $300, which increased to $600 after a few days. The ransomware threatened to delete all user files after a one-week waiting period.

In addition to encrypting files, the malware also installed a “DOUBLEPULSAR” back door, which could be used to compromise the system further. The malware also installed Tor to facilitate communication with the ransomware author.

New variants have already been reported with slight changes to the kill-switch domain and other settings. There is also a decryption key that can be used on many systems, but prevention is always better than searching for recovery options.

If your version of Windows was supported and you installed all available patches from Microsoft, your system would not have been infected. Microsoft also announced that the new “Windows 10 S” would help prevent ransomware infection as it will only run software purchased from the Microsoft Store.

What Security Threat Are You Overlooking?


A recent European IDC survey of more than 400 organizations discovered that many companies fail to address one of the main causes of data exposure, which is insider threats. The report shows that most security attacks are caused by users unintentionally using outdated credentials to access secure systems. The problem is that only 12 percent of companies surveyed considered insider threats “highly concerning”, with common threats like viruses, phishing, ransomware, etc. listed as bigger threats requiring more attention.

This gap in security thinking can lead organizations to misunderstand users and miss opportunities to detect intentional user breaches.

Businesses need to shift their security focus away from the actions that must happen after a breach, like dealing with the aftermath of ransomware or removing a new virus, and focus on the true source of the problem which is mostly user behavior. Education can go a long way to reduce activity that leads to dangerous behavior, as well as reducing the events that lead to unintentional misuse of user credentials. This should reduce the threats from multiple sources and allow your security team to focus on those users that need additional attention, as well as those users that have attempted the intentional misuse of user credentials.

It is really an effort to stop reacting to attacks caused by uneducated users doing silly things and be proactive on those threats that you can control.


Microsoft Tackles TeslaCrypt Ransomware

Ransomware is a new threat that is proving an effective attack vector for malware. Microsoft has released a rescue tool for thousands of Windows machines that were infected starting in August by the file-encrypting ransomware TeslaCrypt. Along with October’s updates, Microsoft upgraded its malicious software removal tool to tackle TeslaCrypt. Microsoft refers to the threat as Tescrypt, and their telemetry data picked up a large spike in detections for TeslaCrypt in late August, jumping from below 1,000 detections per day to over 3,500 detections on August 24.

The malware is typically delivered in the payload of several exploit kits, including Angler. Exploit kits are part of the estimated $60m per year automated hacking market, which companies like Cisco have tried to disrupt several times. You can download the Microsoft rescue tool here.

You can read more about what Microsoft is able to detect, and their efforts to protect Windows users, here.

Tescrypt started showing up early in 2015 and, like most of its file-encrypting predecessors, does what typical ransomware does:

  1. Searches for specific file types on the infected machine (see our encyclopedia description for a list of known file extensions it targets)
  2. Encrypts the files with AES-256 encryption
  3. Demands payment from the PC’s user in exchange for a key or code that will decrypt the files

It uses the same encryption method to communicate with its command and control server to generate a personalized Tor payment webpage for the infected machine. Earlier variants stored the private key as a file on the machine itself; Cisco/Talos created the Talos TeslaCrypt Decryption Tool, which enables affected users to decrypt their files with the locally stored private key.

Recent variants, however, store the key in the registry as binary data.

The main callout that separates this from other ransomware threats is the type or context of the files it targets for encryption: files related to PC games and financial or tax software, in addition to other files more commonly encrypted by ransomware. The following is a list of extensions we’ve seen this threat use in relation to specific programs:

  • .arch00
  • .d3dbsp
  • .dayzprofile
  • .ibank
  • .mcgame
  • .qdf
  • .rofl
  • .sav
  • .t12 / .t13
  • .tax
  • .vfs0
  • .vpp_pc
  • .w3x
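The three-step behaviour listed above (find targeted file types, encrypt them, demand payment) and the extension list give a defender a host-level signal to watch for: one process renaming many files with those extensions, each gaining an extra extension, within seconds. The following is an added example, not Microsoft’s or the blog author’s code. It parses constructed file-rename events (timestamp, process, old path, new path), keeps only renames where a file with a targeted extension from the list gets a new extension appended, and alerts on any process that does that to more files than a threshold within a sliding window. The event format, the sample paths, the process names, the appended “.locked” extension, the 60-second window and the threshold of five files are all assumptions chosen for the example; the target extensions themselves are the ones listed on the page.

```python
# Added example: detect mass renaming of Tescrypt-targeted file types by one
# process. Event format, sample data, process names and thresholds are
# constructed for this example; the extension list comes from the post above.
import ntpath  # Windows path semantics regardless of the host running this
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the post lists as Tescrypt targets.
TESCRYPT_TARGET_EXTS = {
    ".arch00", ".d3dbsp", ".dayzprofile", ".ibank", ".mcgame", ".qdf",
    ".rofl", ".sav", ".t12", ".t13", ".tax", ".vfs0", ".vpp_pc", ".w3x",
}

# Constructed sample events: "timestamp process RENAME old_path -> new_path".
# explorer.exe renames a file that is not a target (ignored),
# steam.exe renames one targeted file (below threshold),
# untrusted.exe renames six targeted files within three seconds (alert).
SAMPLE_EVENTS = r"""
2015-08-24T09:00:00 explorer.exe RENAME C:\Users\a\notes.txt -> C:\Users\a\notes.txt.locked
2015-08-24T09:00:05 steam.exe RENAME C:\Games\profile.dayzprofile -> C:\Games\profile.dayzprofile.tmp
2015-08-24T09:10:00 untrusted.exe RENAME C:\Users\a\saves\game1.sav -> C:\Users\a\saves\game1.sav.locked
2015-08-24T09:10:01 untrusted.exe RENAME C:\Users\a\saves\game2.sav -> C:\Users\a\saves\game2.sav.locked
2015-08-24T09:10:01 untrusted.exe RENAME C:\Users\a\Documents\2014.tax -> C:\Users\a\Documents\2014.tax.locked
2015-08-24T09:10:02 untrusted.exe RENAME C:\Users\a\Documents\money.qdf -> C:\Users\a\Documents\money.qdf.locked
2015-08-24T09:10:03 untrusted.exe RENAME C:\Users\a\maps\custom.w3x -> C:\Users\a\maps\custom.w3x.locked
2015-08-24T09:10:03 untrusted.exe RENAME C:\Users\a\Documents\bank.ibank -> C:\Users\a\Documents\bank.ibank.locked
"""


def parse_events(text):
    """Parse the constructed event format into (timestamp, process, old, new)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, proc, action, rest = line.split(maxsplit=3)
        if action != "RENAME":
            continue
        old, new = rest.split(" -> ")
        events.append((datetime.fromisoformat(ts), proc, old, new))
    return events


def looks_like_ransom_rename(old, new):
    """True when a file with a targeted extension keeps its full name and
    gains an extra extension, e.g. game1.sav -> game1.sav.locked."""
    if not new.startswith(old) or new == old:
        return False
    ext = ntpath.splitext(old)[1].lower()
    return ext in TESCRYPT_TARGET_EXTS


def find_mass_renames(events, window=timedelta(seconds=60), threshold=5):
    """Return {process: peak_count} for each process whose ransom-like renames
    of targeted files within any `window` reach `threshold`."""
    by_proc = defaultdict(list)
    for ts, proc, old, new in events:
        if looks_like_ransom_rename(old, new):
            by_proc[proc].append(ts)

    alerts = {}
    for proc, stamps in by_proc.items():
        stamps.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward past events older than `window`.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[proc] = peak
    return alerts


if __name__ == "__main__":
    for proc, peak in find_mass_renames(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible ransomware: {proc} renamed {peak} targeted files quickly")
```

On a real endpoint the events would come from a file-system audit source rather than a string, and the same logic extends naturally to the more common document extensions ransomware targets by widening the extension set.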


We saw a large spike in the number of detections for Tescrypt in late August 2015 (see Figure 1). Prior to August, infections were steady but low; after the spike, detections rose and fell but overall have remained higher than before that first peak in late August.

[Graph: number of Tescrypt infections during August and September 2015]

Figure 1: Tescrypt encounters since August 2015

Globally, the United States remains the most infected, taking over a full third of the distribution. The chart in Figure 2 shows the distribution share of Tescrypt in September 2015; countries with less than a 1.0% share are grouped together.

Free Tool For Removing Ransomware

Ransomware, a recent arrival, might be the most sinister type of malware introduced into the world of software. As you may have heard, this type of malicious software installs onto your computer and encrypts all your files until you pay to have your files returned. If you don’t pay, then you don’t get your files (documents, images, music, etc.) back, and they are lost forever.

There is now a new free tool to combat some of the most popular ransomware currently being used by hackers. The tool is from Kaspersky Lab, a well-known name in the anti-virus world. Their free utility is only partly effective, working against some variants of this malware, but it is better than nothing and is another step towards neutralizing malicious software.

You can also read about other efforts here.