ritchie58 Posted August 5, 2011 According to an Emsisoft Security blog, ransomware is on the rise this year. This type of malware is not new. It's been around for a while, but more instances of it have been surfacing recently. What is ransomware? Ransomware is a type of malware that, once it infects your operating system, will use a complex and virtually unbreakable 1024 bit encryption algorithm to make your personal data or even your entire hard drive inaccessible. That is, unless you want to pay a fee to the criminals for a decryption key to unlock your own computer, so the term ransom is appropriate! The only other option is to re-format the infected hard drive and thus lose all your data and/or clean re-install your operating system, depending on which drive(s) are infected. Payments are usually made via PayPal or a similar internet money transfer system, which makes the criminals hard to track down. Extortion, plain and simple. The most common method used to infect a computer is clicking on a link and being re-directed to a malicious web site where the malware is loaded into your system.
dallas7 Posted August 5, 2011 Recently, while searching for a video related to a significant breaking news event, opening a page in a small city news affiliate presented me with some unusual requests from my browser. I had hit upon a ransomware attack. Using my test system, I have observed in three separate tests last month that those ransomware attacks begin with the browser requesting a TCP port 53 connection to a rogue DNS server, followed by a request to open csrss.exe with a connection to 127.0.0.1. Blocking either of these stops the attack. Unless you have a firewall that can lock down DNS connections to UDP and the DNS servers configured in your TCP/IP properties and "ask" for any others, as well as "ask" for the loopback, you'd never know those were happening. (I use Malware Defender to evoke those rules.) However, this is beyond the expertise of even most network-savvy users. The latest crop of suites doesn't even contain the feature set to build such rules, which would mimic a real-world example of stopping a criminal "at the gate." The best alternative protection is BitDefender's superb new free Traffic Light extension and to use the DNS services of DynDNS Internet Guide or Norton DNS. (I'd also suggest OpenDNS, but if you haven't turned off Firefox's or Chrome's filtering you're already taking advantage of that.) As of Tuesday, either one of those has warned of danger when opening a ransomware link as posted up in malc0de and the Malware Domain List. I know that's not definitive, but no one can deny it's Better Than Nothing. Failing those, where the criminal makes it past the gate and gets into your home, up-to-the-minute signature data and/or a powerful HIPS is the only protection. And we know the downside in those... the user will usually select OK or Allow.
I am not convinced anyone makes a "behavior blocker" that would be any good, because there is nothing unusual about the behavior with respect to the network or user activity. And therein lies The Rub. These attacks are socially engineered to prey on the unsuspecting. As ritchie58 said, "Extortion, plain and simple." So sad.
ritchie58 Posted August 8, 2011 Very interesting, Dallas7. The Emsisoft blog didn't go into any great detail as to how the malware propagates, except to say it's usually a malicious re-direct. I see from your experiences with this malware that using a good, trusted DNS service would be a first line of defense. If you're technically savvy enough, one could create a custom firewall rule to deny any TCP or UDP connection to port 53. Stopping them at the gate, as you put it. That would shut the bad guys down, don't you think? Comodo Firewall does have an option where you can create custom port rules. The only problem is I'm not sure if other legitimate services require access to that port.
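The rule set dallas7 describes (allow UDP/53 only to the resolvers configured in the TCP/IP properties, "ask" for any other DNS connection and for loopback) and the blanket port-53 deny ritchie58 proposes can be compared in code. The script below is an added example written for this thread, not code from either poster or from Malware Defender or Comodo; it audits a constructed connection log in a made-up one-line-per-connection format and applies dallas7's policy. It deliberately does not deny port 53 outright: every normal name lookup on the host uses UDP/53, so an unconditional deny breaks name resolution, which answers ritchie58's question about legitimate services. The resolver addresses and log lines use documentation IP ranges and are constructed; the `csrss.exe` loopback record mirrors the indicator dallas7 reported.

```python
"""Audit connection records against a 'DNS only to configured resolvers' policy.

Added example for this thread (not from the posters or any product). The log
format is constructed for the example:
    <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <process>
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: the resolvers the host is configured to use (RFC 5737 range).
CONFIGURED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed sample log. Lines 3-5 and 7 are the ones the policy should stop and ask about.
SAMPLE_LOG = """\
udp 10.0.0.5:51234 -> 192.0.2.53:53 firefox.exe
udp 10.0.0.5:51235 -> 192.0.2.54:53 chrome.exe
tcp 10.0.0.5:51240 -> 198.51.100.7:53 firefox.exe
udp 10.0.0.5:51241 -> 203.0.113.9:53 firefox.exe
tcp 10.0.0.5:51242 -> 127.0.0.1:8080 csrss.exe
tcp 10.0.0.5:51243 -> 198.51.100.20:443 firefox.exe
tcp 10.0.0.5:51244 -> 192.0.2.53:53 nslookup.exe
"""


@dataclass
class Connection:
    proto: str
    src: str
    dst_ip: str
    dst_port: int
    process: str


def parse_line(line: str) -> Connection:
    """Parse one record of the constructed log format."""
    proto, src, arrow, dst, process = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected record: {line!r}")
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Connection(proto.lower(), src, dst_ip, int(dst_port), process)


def evaluate(conn: Connection) -> Tuple[str, str]:
    """Apply the policy: returns (decision, reason) with decision 'allow' or 'ask'.

    Port 53 is never denied outright; only DNS that leaves the configured
    resolvers, or uses TCP, is held for the user to confirm.
    """
    if conn.dst_port == 53:
        if conn.dst_ip not in CONFIGURED_RESOLVERS:
            return ("ask", "dns-to-unconfigured-server")
        if conn.proto != "udp":
            return ("ask", "dns-over-tcp")
        return ("allow", "dns-to-configured-resolver")
    if conn.dst_ip.startswith("127."):
        return ("ask", "loopback-connection")
    return ("allow", "ordinary-traffic")


def audit(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Evaluate every record; returns (decision, reason, process, destination)."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        conn = parse_line(line)
        decision, reason = evaluate(conn)
        results.append((decision, reason, conn.process, f"{conn.dst_ip}:{conn.dst_port}"))
    return results


def needs_review(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Only the records the firewall would have stopped to ask about."""
    return [r for r in audit(log_text) if r[0] == "ask"]


if __name__ == "__main__":
    for record in audit(SAMPLE_LOG):
        print(*record)
```

Run against the sample log, the two lookups to the configured resolvers and the HTTPS connection pass, while the TCP/53 request to an unconfigured server, the UDP lookup to a third-party server, the loopback connection by a process named csrss.exe, and the TCP/53 request to a configured resolver are all held for review. That is the distinction that matters for ritchie58's concern: the policy restricts where DNS may go rather than closing port 53, so ordinary resolution keeps working.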