Ransomware Vaccine – Can It Be Done?

There seem to be 2 classes of Ransomware that infect computers. (I say that in anticipation another class will come soon enough)…   (3/30/2016) — Update with 3rd class of ransomware(5)  ZDnet has the story

First, one that encrypts your files and requires you to pay for you to get your files back (no guarantee that it will happen).  These have many names including Cryptolocker¹  (we bumped into 2.0 in years past) Sophos calls it “Ransom-ACP”. There are many names and variants of some of the original Cryptolocker and Cryptowall  programs.

cryptolocker-ransomwaremessage

 

Second is one that locks your screen but does not encrypt files, requires payment for you to get your screen back.  Also called “WinLocker” (Sophos)

There may be a way for you to inoculate computers for a single version of ransomware. The version that is called “Locky” according to Sylvain Sarméjeanne at lexsi.com².

Apparently if there is a Registry key named HKCU\Software\Locky then the Ransomware will not start up.

Also set up the registry identifier(id) of the machine and the completed

value. If there is a value of 1 then the program “completed” so it does not encrypt your files.

lockyregistryvalues

Will this method actually work? Probably only for a short time. Since the hacker programmers will just rewrite their programs and just create a different registry key.  (Best way to ‘defeat ransomware’ is to never get malware and if you do to have a valid backup and recovery plan).

THIS JUST IN(3/30) 3rd Ransomware version:  Now there is Petya Ransomware which will rewrite the Master Boot Record(MBR) and encrypt the hard drive itself -with portions of Operating System (windows) and thus  causes the computer to be inaccessible.  You can repair the MBR on the hard drive and reuse the hard drive, but then you will have to reinstall Windows.

Apparently the ransomware is using dropbox to modify the Master File Tables in the Hard drive and below is an image of the result.

petyaransomware

(idigitaltimes.com image)

 

This post is also designed to make you think about what you are actually clicking on…  (also updated for tripwire method on 3/28/16  below)

Should you click on an attachment from an unusually  worded email?

Something like this:

spam-phishingemail

I hesitate to even open an email worded with “contact us” but I wanted to show the funny wording on the attachment.  Also don’t know Mr Clive Moses :).

I have not checked, but most likely this email has malware or some other fun stuff inside the attachment (if I open and click on macros to run I am sure I will get lots of ‘fun’ )

I do not recommend to click on a Euro UK Award payment document, as I am sure there is no free lunch so I will have to work for my money anyway.

 

Testing your employees with well crafted test messages can help your employees to differentiate between real messages and fake ones.

What we have found is that the time when people are most vulnerable is under time pressure or other stressful situations. And for some reason a phishing email at that time seems to work.  So like an athlete you have to practice practice practice. Differentiating spam-phishing emails from legitimate emails takes practice so that is why I recommend sending emails to your employees periodically.

So another way to inoculate from Ransomware is to be aware of the phishing scams that are coming into your inbox.  Remember that an email “From” can be created by anybody so they can disguise themselves as your coworker and claim to have finished that project that you proudly listed on LinkedIn. As some of the hackers are getting craftier all the time.

A true ransomware vaccine is the people in your organization know to use good judgement to reduce chances of phishing attacks.

 

(Updated 3/28/16) – Tripwire or Canary method against Ransomware:

A post by Free Forensics³ also has a good idea – not an inoculation or prevention, but a tripwire and reaction approach. “Proactively Reacting to Ransomware”.

It is a good idea to create a file in a couple of places on a computer system(or all of them in an environment) that then will email you if it is modified. He goes in some detail how one can do that ( I don’t want to rehash the same items – if interested in details please read his post). He also calls this method a “File Canary”(actually the blog just started and is written by 2: Jonathan Glass and Nick Baronian).

One aspect that should require more thought and execution is to unmap the file share drives as they get encrypted during a successful Ransomware attack.  (in fact one attack documented recently in Hospitals on KrebsonSecurity(4) notes how a Kentucky hospital declares “Internal State of Emergency” and got attacked by the Locky variant of Ransomware.  So this attacker already is in the news, which means lots of other computers are being infected as well.  (story also hit Ars Technica).

Mapped drives scripts require some testing since your drives may not be always mapped properly. and always test your scripts before finalizing into production.

kentuckyhospitalhitbyransomware

beside prevention you also must have a backup – test restore strategy. Do not forget about testing your backup and make a restore attempt.

 

 

Contact Me to craft an email specifically for you within a controlled method so that no one gets hurt.  Or to help you with scripting the reaction Powershell scripts to prevent further damage in a Ransomware attack.

 

If you want to do it yourself (or at least attempt) Try it with Bitdefender(6) the Chief Security Strategist Catalin Cosoi has been trying to develop a vaccine tool and it seems they finally got somehting – it seems to work against 3 of the variants: CTB-Locker, Locky and TeslaCrypt. (updated 3/31/2016)

 

 

 

 

 

 

  1. http://oversitesentry.com/a-single-link-can-destroy-your-data/
  2. https://www.lexsi.com/securityhub/abusing-bugs-in-the-locky-ransomware-to-create-a-vaccine/?lang=en
  3. http://www.freeforensics.org/2016/03/proactively-reacting-to-ransomware.html
  4. http://krebsonsecurity.com/2016/03/hospital-declares-internet-state-of-emergency-after-ransomware-infection/
  5. http://www.zdnet.com/article/new-ransomware-skips-files-encrypts-your-whole-hard-drive/
  6. https://labs.bitdefender.com/2016/03/combination-crypto-ransomware-vaccine-released/
Advertisements