HR Departments Beware: New Ransomware is Targeting You

Imagine you start up your computer one day and, instead of seeing the Windows startup screen, you see this.


Yeah, you pretty much know you’re in trouble. If you obey the command to “Press Any Key”, you will find the details about what happened to your computer.

Notice the English needs work, so this ransomware was likely developed outside of the U.S. but made for international use.

If you follow the instructions, you will end up paying $430 in bitcoins to get your computer back. If you don’t pay within the allotted time, the price will be doubled. Let’s face it. If you need the information on your computer to do your job, then you will probably do as told and pay the money. Even the U.S. government suggests this may be the best way out. But don’t panic yet. There may be a way around this. But before I give a possible solution, you have to answer one key question. How did you get into this mess? For those of you who may not have already been attacked, you need to know how to avoid becoming a victim.

The Petya Ransomware Attack Vector

As mentioned in the title, this malware targets human resource departments. The attack begins with a brief job application email containing a link to a job application stored on Dropbox. One such link was named Bewerbungsmappe-gepackt.exe and was accompanied by a photo of the applicant. It targeted a German firm.

The malicious emails associated with many ransomware attacks are often mass-mailed spam that hopes to get through the filters and into the victim’s inbox. The subject line is something like, “My Resume” or “Joe Smith – My Resume”. The first ransomware attacks relied on the victim opening an attached zip file. The message is usually quite general, as in the following two examples.

[Image: petya phish 1]

[Image: petya phish 2]

However, the newer Petya Ransomware is more devious and the message appears to be approaching spear phishing levels as seen in the following example.

[Image: petya phish 3]

This development is particularly worrying. It is quite possible that company job announcements could be used as a way to spear phish a company’s human resource department. It would not be difficult for an attacker to get a) an email address to respond to, b) the name of a contact, and c) information on the position and position requirements. A phishing email could then be constructed using a job application letter template (especially useful if the attacker was not a native English speaker) filled in with the publicly available data. It would, thus, be impossible to tell this malicious email from one that is normally sent by applicants. The only difference would be the redirection to Dropbox to retrieve the applicant’s resume. Dropbox has been used by hackers in the past to hide the true nature of their game as it is a legitimate site. Even though Dropbox knows this is happening, they can really only respond on a case-by-case basis.

But lest you think avoiding external links will solve your problems, think again. As most people in HR know, applicants will normally send their resumes via a Word attachment. Unfortunately, Word has also been used by ransomware designers. You may open an attached resume in Word and be told to enable macros to read the document. You may see something like this.

[Image: petya macro]

Oddly, you may even get a resume but, in the process, you have just installed the malware that will be used to encrypt your computer. Make sure your Word program isn’t already allowing a low level of macro protection. To check your Word macro security level, go to ‘Tools’, click ‘Macro’, and click ‘Security’. Your levels should be ‘High’ or ‘Very High’. The attackers are probably aware of the fact that HR departments get plenty of Word attachments and that they may not be as suspicious of them as other users.
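The two delivery routes described above (a link that resolves to an executable, and a Word attachment carrying macros) can both be checked before a message reaches a recruiter. The following is an added example, not code from the original post: the function names, the extension list and the sample message are assumptions made for illustration, and only OOXML attachments (.docx/.docm) are inspected.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from urllib.parse import unquote, urlparse

EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".js", ".vbs")  # assumed list
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def risky_links(text):
    """URLs whose path (query ignored) ends in an executable extension."""
    urls = (u.rstrip(".,)") for u in URL_RE.findall(text))
    return [u for u in urls
            if unquote(urlparse(u).path).lower().endswith(EXECUTABLE_EXTS)]

def has_vba_macros(data):
    """True if an OOXML file (.docx/.docm) carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False  # not OOXML, e.g. legacy .doc; out of scope here

def triage(raw_message):
    """Findings for one raw message (bytes): risky links and macro attachments."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name and has_vba_macros(part.get_payload(decode=True) or b""):
            findings.append(f"macro-enabled attachment: {name}")
        elif not name and part.get_content_maintype() == "text":
            findings += [f"link to executable: {u}" for u in risky_links(part.get_content())]
    return findings

def build_sample():
    """Constructed message: a link to an .exe plus a .docx holding a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/vbaProject.bin", b"constructed placeholder")
    m = EmailMessage()
    m.set_content("Resume: https://www.dropbox.com/s/EXAMPLE/Bewerbungsmappe-gepackt.exe?dl=1")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="octet-stream", filename="resume.docx")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

A macro hidden in a file named .docx is flagged because the check looks at the archive contents rather than the extension.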

After the malware encrypts your computer, you will get the usual ransomware information which involves using the Tor browser to go to a site where you can pay in Bitcoins. The ‘Locky’ ransomware uses the Word macro vector. It can be removed by starting your computer in safe mode. (Go here for some ideas on removing Locky and AutoLocky ransomware.)

For those infected with the latest and most deadly ransomware, known as Petya, starting your computer in safe mode is not an option. This is because the Petya ransomware encrypts the computer’s master boot record (MBR). As it begins its installation via the Dropbox link, it causes the victim’s computer to crash to a blue screen. Upon rebooting, the malware installs itself by posing as a CHKDSK process.

[Image: petya chkdsk]

While installing, the malware encrypts both the MBR and the master file table (MFT) so that the files are not accessible even if the MBR is repaired. After installing, the malware displays the red screens seen at the beginning of this post.

To get your computer to operate, you will need to go to the Tor site and follow all of their instructions. In short, you will be given a complete course on how to purchase and use Bitcoins. If you pay the $430 ransom, you can always think of it as paying for a course in the use of Bitcoins. Normally, ransomware exploits do deliver the decryption key when the money is paid, but there’s never any guarantee.

A recent fix for a Petya ransomware infection has appeared, but it requires the use of two computers. However, you can bet that the creators of this malware are aware of the fix and are working on ways to circumvent it even as you read this.

The Future of Ransomware

Ransomware will not go away. It will only become more complex. Last year, Russian gangs made over $135 million using it. Cryptowall 3.0 alone caused $325 million in damages around the world. There is no way that cyber gangs and individuals will give up using it to fill their pockets. Besides, they feel pretty safe that they will never be caught. Their biggest concern is that security firms will find a way to prevent these attacks before they make their fortunes. (For a complete account of the technical details behind some of these attacks, see the report from The Cyber Threat Alliance.)

Companies are easy targets. As long as the ransom price is kept reasonably low, it’s easier for them to pay the ransom and get on with business. My guess is that ransomware developers will continue to test the limits on how much companies are willing to pay. How much would your company pay to keep its business operating? Keep in mind that any down time is going to cost the company far more money than that asked for in ransom. According to one report, “nearly a quarter said they would be willing to pay a ransom to prevent a cyberattack, and 14 percent said they would pay a ransom of more than $1 million to stop hackers from releasing sensitive information”.

At one time, ransomware only targeted the Windows operating system. Now, it has been found attacking all operating systems, including Android and iOS devices. This could pose an even bigger problem for companies as a compromised endpoint could be used to launch an even more devastating ransomware attack. This happened to Hollywood Presbyterian Medical Center earlier this year when it was locked out of its electronic record base by a ransomware attack. Initially, the attackers demanded over $3 million but ended up settling for $17,000. It was the fourth hospital to be hit by such an attack this year.

We can expect ransomware to attack different departments in a company. For now, HR departments are simply the easiest. Financial departments have been targeted in the past with fake invoices. We can also expect that more attackers will use spear phishing rather than mass mailing attacks and attempt to use legitimate-looking links or attachments. Other attacks may use watering hole techniques that can infect a browser that has built-in vulnerabilities.

So what can you do? First of all, don’t click on any link without a confirmation from the person who sent it (preferably, confirm this through a phone call or a face-to-face meeting). Do the same before opening any attachment. Keep your browser, system, and applications updated. And, above all, secure your network and endpoints with state-of-the-art protection.



