The malware sub-class ransomware was briefly described in one of our security articles five years ago.
Earlier this week, our colleagues at F-Secure wrote an excellent blog item about a "Windows Activation ransom trojan". This is a piece of malicious software in the ransomware category - malware that restricts access to data unless a ransom is paid.

The particular malware mentioned by F-Secure restricts access to Windows itself: it claims that the Windows license is locked and must be unlocked with an activation key. One gets access to this key by calling one of six different telephone numbers. While the message states that one can call free of charge, the opposite is true, and the malware author earns money from each call.
According to F-Secure, the activation code is always the same: 1351236.
Norman's antimalware software detects this particular piece of malware as Suspicious_Gen2.JFLSZ (added to malware signature files 16 March this year).
We shall use this "Windows activation malware" as the basis for the discussion in this security article.
The most obvious ransomware characteristic is that this type of malware directly affects the user of the infected computer. It typically blocks access to the user's information. Other types of "popular" malware may only indirectly affect the infected computer. A computer that is unwillingly participating in a spam botnet may for example be running marginally slower, but otherwise no interference will be noticed on that end.
Ransomware is more like some of the computer viruses that were heavily spread at the end of the previous millennium. Some of these had malicious payloads that were extremely destructive, like file deletion, and in the case of Win95.CIH (aka Chernobyl) even attempted to overwrite the Flash BIOS.
In contrast to the destructive viruses, these days the most popular malware is directed at economic exploitation and/or theft of information. Both may of course be disastrous for the target. However, the problem is usually not instantaneous, and usually not disastrous.
Blocked access to important information - particularly if adequate backup routines are not in place - may be disastrous for the person who becomes the victim of ransomware.

The infection techniques used by ransomware are similar to those of other types of malware, e.g. malicious web pages and email attachments. Social engineering is, as usual, a popular method to trick the user into performing actions that result in the infection.
Ransomware normally encrypts part of your information, and it is widely regarded that the only way to get it back (unless you have backups) is to comply with the extortionist's demands. It is true that the authors of ransomware have become quite sophisticated in their use of encryption techniques, and for most practical purposes it may be difficult to break the encryption by using brute force. However, there are methods that can be used to "recover" some "victimized" files depending on the encryption techniques used.
Unfortunately, this is more the exception than the rule, and one cannot depend on antimalware software to perform the decryption. It is therefore important to avoid infection in the first place.
If you are infected - and do not have sufficient backup - your viable choices are
In order to avoid being the victim of ransomware, you should follow the usual precautions against malware infections:
As the name implies, the ransomware's author wants to extort money from the victim by denying access to (some) information.
The most efficient way to get to the cybercriminals behind the extortion is therefore to follow the money trail. Whether the price is paid by credit card, PayPal account, expensive telephone calls, or any other means, there will be a - potentially complicated - trail that eventually leads to the ransomware's principal.
One problem may be that the money involved is not enough for the victims to report the crime. Each individual crime may likewise not be enough for police forces to allocate sufficient resources; particularly since several countries' police forces will need to be involved.
Unlike most ransom trojans, the Windows Activation ransom trojan disguises itself as a non-malicious warning.
It does not make any threats; it just points out that there is a problem with activating Windows and politely advises how to overcome this issue.
After making the phone call and entering the key, everything operates normally and many users will probably be perfectly satisfied. This is an example of a perfect scam: the defrauded person does not even know that he has been tricked.
This feeling of well-being will last at least until the phone bill arrives. And even then many may think that the price of the phone call was after all worth it for being able to re-access the computer normally.
As mentioned above, each single amount paid to the extortionist is minor, and the relief is relatively substantial. Many will not bother to engage in the incident any further.