125

I've noticed increased frequency of ransomware questions around Stack Exchange. Some of the people I remotely know had their devices recently infected as well.

I'm starting to be concerned. When people ask me how to avoid viruses, I typically tell them things like not to download files from suspicious websites and attachments other than documents. But is it really correct of me to assume that people who become infected executed suspicious files on their computer?

This concern raises especially now when I see questions from people who became infected here on Stack Exchange - meaning technically aware people are obviously just as vulnerable.

How does the ransomware possibly get on their computers? What's a good way to prevent this from happening?

schroeder
Tomáš Zato
  • `List of people to be fired.xls.exe` – André Borie Apr 13 '16 at 10:51
  • @AndréBorie - Which is exactly why I remain shocked that the default setting in Windows is "Hide Extensions for Known File Types". That is such a seriously bad idea, I'm surprised somebody *hasn't* been fired over it. First thing I change on any new installation. – Darrel Hoffman Apr 13 '16 at 16:37
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/38366/discussion-on-question-by-tomas-zato-how-does-ransomware-get-on-peoples-compute). – Rory Alsop Apr 14 '16 at 07:11
  • @AndréBorie I felt the same way about how .exe files can set their icons to resemble documents and autorun being enabled for USB drives. Bad choices persist over the years. – Jesvin Jose Dec 09 '16 at 16:59

4 Answers

74

According to the IBM X-Force Threat Intelligence Quarterly Report, fourth quarter 2015, the primary sources of ransomware attack are unpatched vulnerabilities, drive-by infections, and spear-phishing emails:

Primary vectors are the source of ransomware infections.

Source: IBM X-Force

How to prevent ransomware attacks

User education

Educate your users not to download files from unknown contacts. Usually ransomware is sent in emails claiming pending invoices with Word documents. When you open the document, ransomware will get installed and start doing its job.

Scanning and filtering mail servers

Scan your mail servers to stop phishing attempts reaching intended recipients.

Backup data regularly

Make sure to back up your critical data regularly and secure it. This will help you avoid paying the ransom, and reduce recovery time.

Vulnerability? Patch critical software and OS right away

Patch your critical software like your browser, browser plugins, email clients and operating systems right after you get a notification. Did you know that the Panama Papers leak (2.6 TB of data) happened because of vulnerable web servers and mail servers?

Look at the ransomware growth in the last three years:

Number of samples of ransomware

Source: McAfee Labs, 2015.

brcsp
  • @immibis, no, that was not directed at you -- that was directed at every comment on the thread *except* yours. I agree with your comment. You might consider suggesting an edit to the answer that would include that information, if you think adding it to the answer would be helpful. – D.W. Apr 15 '16 at 08:18
  • Be aware that some malware [disguise themselves as software updates](http://www.zonealarm.com/blog/2015/03/software-update-malware/). So don't click right away before you know what you are clicking on. – lepe Apr 25 '16 at 07:28
  • Ransomware may also attack your backups, so choose backup solutions that do not allow backed up files to be overwritten. http://www.theregister.co.uk/2016/03/22/pc_world_knowhow_shortcomings/ and http://security.stackexchange.com/questions/131708/is-windows-10-backup-safe-from-ransomware – Jesvin Jose Dec 09 '16 at 17:14
45

While the measures you describe in your question are not wrong, they are not correct either:

  • Documents are not safe to open either.

    • Oftentimes, exploits come in the form of interestingFile.txt.exe.

      Windows hiding the .exe by default leads users to think it's just a text file when in fact they are executing code.

      There are other ways to keep executable code from being recognized as such by the user as well. For example, using Unicode and the Right-To-Left mark, as PlasmaHH suggested in the comments.

    • There is a variety of macro malware for Office products.

  • Drive-by exploits

    Those are an actual threat to everyone not just using 2-3 websites and everyone blindly following links.

    This is especially true as there are (many?) zero-day exploits that are unknown to the public and hence not yet fixed. There are even events like Pwn2Own showing such exploits live - going to a prepared website can be all it takes.

In fact, as Philipp points out correctly in the comments, infections can basically happen on any website that includes content from somewhere else - for example, ads.

The other part of your question tends to be

Why is there so much ransomware now and there weren't so many infections before?

Well, because ransomware tends to be more profitable than using infections to establish a botnet - which usually went unnoticed by most users (as that was the point).

So there has been no real increase in infections - just an increase in visibility of the infections.


To address the operating system question from the comments

Windows, as it has the biggest market share, is usually targeted most often (by all malware), but ransomware also exists for *NIX flavours. This includes Mac OS X and Linux.

Mac OS X being drive-by exploited has been shown in this year's Pwn2Own if I'm not mistaken.

Tobi Nary
  • There were already cases of drive-by malware infections from very well-reputed websites. They usually come through third party advertisements. – Philipp Apr 13 '16 at 08:58
  • @Philipp [like the ads Forbes had](http://www.extremetech.com/internet/220696-forbes-forces-readers-to-turn-off-ad-blockers-promptly-serves-malware) – Memor-X Apr 13 '16 at 10:36
  • That is not the only reason Windows is attacked - the hidden extension thing and the ease of file execution are both issues AFAIK – Tim Apr 13 '16 at 13:34
  • @tim The installation process does not matter, single executable files can be executed anywhere. What does make a slight difference is that *nix systems use executable file permissions, rather than just an extension, however putting it in a zip/tar/dmg/etc. can preserve these permissions. OS X also has a built-in feature to warn if you try to run a downloaded file, even from a zip/DMG/etc. – Alexander O'Mara Apr 13 '16 at 14:30
  • @AlexanderO'Mara Funnily enough, Windows also warns if you run a downloaded exe, including extracted with the built-in zip tool, as long as the browser sets the 'unsafe source' ADS. I know IE and Firefox do it, not sure about Chrome. Of course, by now users are basically trained to ignore those warnings. – Bob Apr 14 '16 at 15:49
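As an added example (not code from any answer on this page), the script below combines brcsp's point about scanning mail for dangerous attachments with the disguised-filename tricks Tobi Nary describes: it parses a constructed multipart message and flags double extensions such as `.xls.exe`, Unicode bidi overrides such as U+202E, and macro-enabled Office names. The extension lists, the sample message and all function names are assumptions made for the illustration.

```python
from email import message_from_bytes, policy

# Bidi overrides: U+202E makes "report<RLO>fdp.exe" display as "reportexe.pdf".
BIDI = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi"}
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
DOC_EXTS = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "png"}

def filename_risks(name: str) -> list[str]:
    """Reasons an attachment name looks like a disguised executable or macro carrier."""
    reasons = []
    if any(c in BIDI for c in name):
        reasons.append("bidi-override")
    # Strip the overrides so we test the real (last) extension, not the displayed one.
    parts = "".join(c for c in name if c not in BIDI).lower().split(".")
    if len(parts) < 2:
        return reasons
    if parts[-1] in EXEC_EXTS:
        reasons.append("executable")
        if len(parts) > 2 and parts[-2] in DOC_EXTS:  # e.g. "invoice.xls.exe"
            reasons.append("double-extension")
    elif parts[-1] in MACRO_EXTS:
        reasons.append("macro-enabled")
    return reasons

def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each attachment filename of a raw RFC 5322 message to its risk reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): filename_risks(p.get_filename())
            for p in msg.iter_attachments() if p.get_filename()}

# Constructed sample (not a real capture): a text body, a double-extension executable
# and an RFC 2231-encoded name carrying U+202E (%E2%80%AE) that displays as "reportexe.pdf".
SAMPLE_MAIL = b"""From: billing@example.invalid
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="List of people to be fired.xls.exe"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename*=utf-8''report%E2%80%AEfdp.exe

--b1--
"""
```

`scan_message(SAMPLE_MAIL)` returns only the two attachments (the text body is skipped), each with its list of reasons; an empty list means nothing was flagged.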
11

Are you safe from ransomware just by not downloading suspicious files?

Unfortunately, it is a mistake to assume that you are safe from ransomware just by not downloading files from suspicious websites.

As an example, just last month, the OS X version of the popular BitTorrent client Transmission (v2.90) was infected with ransomware. This infected version of Transmission was distributed through Transmission’s official website (their main server was compromised) for a day or two, so anyone who downloaded it then would have been infected. Surprisingly enough, attempting to update within the app (Transmission uses the Sparkle framework) would have been safe, since the attackers apparently didn’t update the checksum for Sparkle in the compromised version, causing the (potentially automatic) in-app update to fail with a signature mismatch.

Unfortunately, I was almost caught by this ransomware. Due to a vulnerability in the Sparkle framework that was recently disclosed at the time, I was manually updating all my applications that used the Sparkle framework instead of updating them in-app, and that included updating to Transmission v2.90 by manually downloading it from the official website. I only managed to get away unscathed thanks to downloading it a few days before the server compromise happened. Honestly, I was pretty scared once I found out about the compromise a few days later. I’d say I learned a valuable lesson here, which was that you can never blindly trust an application you’ve downloaded from the Internet, even from developers you trust (unless you vet the source code yourself).

Mitigating the Damage of Ransomware

The issue with ransomware is that it encrypts all of your files. If you have a way to prevent applications from being able to read or write to any arbitrary file on your system (by running all downloaded applications in a sandbox, for example), that should essentially make the ransomware benign. On Windows, you can sandbox applications with Sandboxie. On OS X, you can intercept all reads and writes from applications running on your system with Hands Off! (demonstrated here).

Another solution is to use Qubes OS, which is an operating system that essentially lets you sandbox different activities/applications inside different virtual machines in a very elegant way. It also supports using Windows 7 inside one of those virtual machines as well.

アリスター
  • Last I looked at Hands Off it had problems where it would cause kernel deadlocks a lot, especially under heavy use like compiling python from source (they do claim to have made performance fixes, but I haven't tested it again). A root shell (common with pkg installers) could also unload it no problem without even a warning. I tried contacting them about the first issue, but got no reply, so I gave up on them. – Alexander O'Mara Apr 14 '16 at 07:52
  • Vetting the source code isn't sufficient, you also need to verify that the binary you're using was actually built from that source code. In the case of the download server being compromised, the replaced binary will probably not match the accompanying source code (if there is any source code). Easiest way to vet is to compile the source code yourself, using a trusted compiler, and then use that binary rather than the prebuilt one. If no source code is available, then decompilation (might not be permitted, depending on the license), or signed binaries might work as well. – 8bittree Apr 14 '16 at 14:40
  • @8bittree reminds me of portage (I think that's the name of the tool, in a source code loving linux) – Xen2050 Apr 14 '16 at 18:51
10

The "how it gets there" part of your question has been well answered already, so I'll go for some ways to protect yourself, though the only way of truly being safe is not to use a computer connected to the internet, as even the below aren't 100% safe.

  • Don't open any document from anywhere unless you've been expecting to receive it, and from that specific person/company.
  • If you don't want to be that paranoid, only open documents from trusted sources, i.e. people you know and communicate with frequently*, or from a website you trust and have explicitly requested a document to download from (or have one sent to you).
  • When browsing the internet, do so on a virtual machine^. Have a standard image which you clone before doing any browsing, regardless of whether it's websites you always trust. Once finished, delete the clone so any infection you may have picked up has gone, and you still have the standard install.
  • Keep a backup of anything and everything you hold dear to you. Don't always rely on external cloud providers as they might not keep documents for as long as they state, or even have versioning in place to roll back to a point in time where you weren't infected.
  • Keep your computer up-to-date. A lot of attacks will rely on vulnerabilities in certain applications. If these get patched then they can't work via that vector. If you don't update your software, you leave those holes open.

There's probably loads more, but these are the ones which come to mind immediately.

*I mention the frequent communication part for people you know, as if they get infected they may end up sending e-mails with infected attachments without their knowledge. If you don't normally get an e-mail or attachment from them, don't trust it.

^ This is quite an extreme length to go to, and not an option for a lot of people, or not desirable for most.

gabe3886
  • I'd be interested to know why whoever downvoted me did so. If there's information on this answer which is wrong or misleading, it would be useful for myself, and others, to know. I'm not bothered about the reputation, but I am interested in being educated – gabe3886 Apr 13 '16 at 13:58
  • No downvote here, but virtual machines aren't always as safe as they sound, [Virtual machine escape](https://en.wikipedia.org/wiki/Virtual_machine_escape) exists. I don't think it's a secret that an OS is running in a virtual machine, usually there are "addons" that make things like sharing files or the clipboard easy. – Xen2050 Apr 13 '16 at 16:57
  • @Xen2050 that's one of the reasons for stating early on that the methods listed aren't 100% safe. I'm fairly certain a book could be written about ways to protect yourself from ransomware, and the pitfalls of each individual defence. – gabe3886 Apr 13 '16 at 21:22
  • Even air-gapped machines are not entirely safe from malware, just ask the Iranian nuclear program (Stuxnet). – Alexander O'Mara Apr 13 '16 at 21:28
  • @Xen2050 this *might* actually *help* -- anecdotally I see lots of reports of malware that intentionally avoids attacking when it detects it's in a VM, apparently because this delays and hinders detection by IDS/IPS, AV-suppliers, and other defenders. – dave_thompson_085 Apr 14 '16 at 03:19
  • @dave_thompson_085 that does sound promising, even as a "trick" to make your regular non-VM OS tell questionable programs that it's a VM may confuse the programs to stop them from infecting you... – Xen2050 Apr 14 '16 at 18:48
  • How many ransomwares actually try to escape from VMs? I'd think, while theoretically possible, it would not be worth the effort to do so, as the target group browsing in VMs is rather small. – Christian Dec 06 '16 at 15:41
  • @Christian I would guess very few, however there is a risk of the VM having access to a shared drive which could cause issues, and it could spread out from there. It probably wouldn't be worth the effort to escape from VMs as such, but copying the ransomware to anything which looks like a shared folder as an escape route (or route to more damage) would probably be worth the effort. – gabe3886 Dec 06 '16 at 15:58
  • @Christian I would guess very few, however there is a risk of the VM having access to a shared drive which could cause issues, and it could spread out from there. It probably wouldn't be worth the effort to escape from VMs as such, but copying the ransomware to anything which looks like a shared folder as an escape route (or route to more damage) would probably be worth the effort. – gabe3886 Dec 06 '16 at 15:58