We’ve been quiet on the blog for a little while to focus on some big things. We’re still quite active on Twitter (@cryptodropit), but we’ll be announcing a major new offering from CryptoDrop in the coming weeks.
You’ve probably seen the Twitter posts over the past few days – while the attackers demanded approximately $55,000 in ransom, the city of Atlanta has spent nearly $2.7 million in an effort to recover from the recent attack by the SamSam ransomware.
New: After a ransomware attack, Atlanta spent about fifty-times the ransom demand on recovering its affected network. Here's our story. https://t.co/jSztPYuJ3Z
— Zack Whittaker (@zackwhittaker) April 23, 2018
Worse still, some systems remain offline and lots of data has been lost forever. So what’s the lesson here?
We’ve seen a range of answers online, the most common of which has been, “Atlanta should have simply paid the ransom – look at how much money they could have saved!” This answer is, without question, wrong.
Imagine that you are in your home and an intruder walks in and demands money. Times are tough, so you’ve decided to sell your doors. Paying the intruder may or may not make them go away, but the larger problem remains – if anyone can simply walk into your home at any time, what’s to stop this from happening again? An immediate payment may address the immediate issue, but it doesn’t solve the problem. Time to get some doors and locks.
Regardless of whether or not payment was made to the attackers, the vulnerable state of the City of Atlanta’s network meant that significant funds needed to be spent not simply to recover from this attack, but to make future attacks more difficult. Said differently, Atlanta didn’t have a choice between paying the ransom OR paying these fees; administrators had to pay at LEAST the cost of strengthening their systems, and only got to decide whether to pay $55,000 in ransom on top of that.
Don’t be convinced otherwise – and ask the people giving you that advice if they’d be comfortable without locks and doors on their homes and businesses.
The cost to make systems more robust would have been far lower had protections been put in place proactively: no need to pay for emergency public relations experts, surge IT professionals or many other similar expenses. This is what you should take away from the Atlanta attack.
So what can you do to avoid such a huge expense? How do other cities, enterprises and small businesses avoid these massive expenses? How do you deal with this as traditional AV products increasingly fail in the face of ransomware?
Give us a shot. CryptoDrop works on endpoints to stop ransomware fast. Even if you have backups, remember that completely restoring multiple machines can take days (and that’s if your backups are comprehensive). Stopping ransomware at the endpoint helps to prevent widespread damage that could otherwise take days or weeks and potentially millions of dollars to repair. Don’t believe me? Ask Atlanta.
Give CryptoDrop a shot. We Stop Ransomware.
We at CryptoDrop have talked about a lot of issues relating to ransomware. Sometimes ransomware can be comically bad, as we saw in our analysis of the Halloware ransomware. Now is not the time for comedy, though. We need to deliver a hard truth to local and state governments: The time for complacency about ransomware is over, and antivirus software is not protecting your critical data from the ransomware threat.
We’ve seen attacks against city governments in the past, such as the Mecklenburg County attack by the LockCrypt ransomware, while Colorado’s Department of Transportation has been repeatedly attacked. What we’ve seen happen in Atlanta over the past few days, though, is an unprecedented attack against municipal infrastructure. As has been widely reported, the City of Atlanta’s 8,000 employees were locked out of their computers for five days because of infection by the SamSam ransomware. Normal activity ground to a halt, with Atlanta residents not being able to use online services and courts not being able to validate warrants. Even the WiFi at Hartsfield-Jackson International Airport, the world’s busiest airport, was completely shut down because of the attack. The mayor of Atlanta, Keisha Lance Bottoms, said in a statement that “We are dealing with a hostage situation.”
These attacks should be sobering but not unexpected. A 2016 survey of municipalities showed that ransomware attacks represented the greatest percentage of attributable attacks faced by local governments. Yet traditional antivirus products have proven themselves incapable of defending against the threat. We have seen many, many examples of ransomware defeating running AV software or circumventing detection strategies. There can no longer be any doubt that traditional AV cannot handle the ransomware challenge.
Attacks against our government systems cross an important boundary. As Mayor Bottoms said of the ransomware attack, “This is really an attack on our government, which means it’s an attack on all of us”. If you are part of a local or state government, you should take this as a challenge to protect your constituents.
We are here to help.
SamSam is among the over 1,000 ransomware strains that we have tested and beaten without any issue. Moreover, with our Fast Recovery Edition, we can roll back any changes that ransomware might have made to your system in seconds. We have been independently tested and verified and the work comes out of peer-reviewed academic research, so you can trust your files to be safe with us.
If the Atlanta attack has been a wake-up call about the dangers of ransomware and you are trying to figure out the next steps forward, we are here to help. Drop us a line and we will be happy to help you plan a strategy to combat this growing threat. It’s what we as a company are committed to doing. At CryptoDrop, We Stop Ransomware.
We’ve been a bit quiet for the last few weeks, and it’s because we have been working hard on today’s major release. We’re happy to announce that CryptoDrop v1.5 is now officially live!
What were we working on? We’ve made lots of improvements, including upgrades to our drivers (which improves stability) and changes to our detection engine (which makes things faster for you).
The biggest public-facing change is my.cryptodrop.org. Multiple customers told us that they wanted a convenient way to see where their licenses were being used, and a better means to control their installations. Our goal was to create a simple to use, centralized portal for each of our customers.
We’ve also made a shift in how you can purchase CryptoDrop. We had multiple inquiries for more flexible licenses to better meet the needs of our customers. We now offer recurring subscriptions, which will automatically cover you for new premium features, bug fixes, and updates.
Our new options include monthly licenses, our traditional 1 year license, and our new Family Pack which makes it easier to protect multiple computers at home or the office. To encourage you to give them a try, we’re offering a 10% off coupon on all of our products that’s good until March 28th, 2018.
(Use “CD-BLOG10” at Checkout to claim it)
Paddle also allows you to pay in most local currencies, which means that you don’t have to worry about paying foreign transaction fees.
The core of CryptoDrop is the same – we continue to provide industry-leading defense against ransomware. Our patent-pending defense has been tested against over 1,000 samples and variants, and we have been verified by independent labs.
Being hit by ransomware is far more expensive than the money the attacker demands. It’s the cost of your time, the loss of your photos and money spent on expensive professional services to restore your machine to working order.
Or you could simply stop ransomware in its tracks with CryptoDrop v1.5. Give us a try – We Stop Ransomware.
We often dig deeply into the details of specific strains of ransomware. However, sometimes we like to try and engage a wider audience by hitting the basics. Today, we’re going to get back to basics and talk about ransomware-as-a-service.
You’ve probably heard about something “As-A-Service” before. The term most often comes up in relation to cloud services, and examples include Software-As-A-Service (SaaS – e.g., Microsoft Office 365, Google Apps, etc.) and Infrastructure-As-A-Service (IaaS – e.g., Amazon Web Services (AWS), Rackspace Managed Cloud). In short, the “something” is owned by someone else and provided to you when and where you need it.
By simply using the service, someone else can be responsible for its maintenance, security and correct operation.
All of the above “As-A-Services” seem useful, so why Ransomware-As-A-Service? A quick read of our article on Halloware gives a hint. Writing ransomware is not hard, but ensuring that this malicious software runs stably across every possible distribution of Windows takes significant skill.
Ransomware-As-A-Service is for attackers who don’t want (or lack the technical expertise) to deal with software maintenance and interoperability issues. By outsourcing the technical challenges of writing ransomware, attackers can focus on other issues including distribution and collecting their ill-gotten gains.
What’s the catch? Like most other “As-A-Services”, there’s a cost. Attackers typically have to either pay up-front for their own variant (most common) or pay a portion of each ransom to the original authors.
Ransomware-As-A-Service is increasingly common. Well-known families include Satan, Halloware, Saturn, and Data Keeper. Unsurprisingly, CryptoDrop was able to stop each and every one of these strains the first time we encountered them. Even when such ransomware employs sophisticated mechanisms and defenses, CryptoDrop stops it.
The ransomware space moves quickly. Professional software developers build, maintain and update custom families that regularly evade traditional anti-virus detection systems. That means you need protection beyond what you probably have in place.
Join us – We Stop Ransomware.
A few months ago we did a deep dive on Halloware ransomware. Halloware was notable both for being ransomware-as-a-service and for its low, low price to wannabe attackers ($40). While most other folks have moved on, we continued our monitoring of this ransomware for the last few months. Today, this campaign appears to be dead.
Ransomware is a fast-moving space, with new samples and variants popping up almost daily. Accordingly, in order to fully understand the threat landscape, we need to understand what worked for attackers, and what didn’t. Halloware is a case of the latter.
We feel comfortable calling Halloware dead for a few reasons. First, we have been using multiple email accounts to talk to the author of Halloware since we first reported on it in December. All communications have broken off, and the author has not responded to any new requests in over a month. Second, our sensors have not detected any new infections since our original article, meaning that the author does not seem to be actively pushing this variant. Finally, it doesn’t seem like the author of this piece of ransomware was making any money (more on this later).
A number of outlets reported that the likely author of Halloware was a teenager going by the name Lucifer. Researchers quickly determined that the author was likely a student living in Northern India. By playing the part of ransomware victims, we were able to confirm much of this and learn a lot more from Lucifer simply by talking to him.
Problems with OPSEC continued during our interactions with Lucifer. For instance, we received the same Bitcoin wallet address in response to every unique personality we used to contact him. That allowed us to monitor Lucifer’s campaign from inception to death. To the best of our knowledge, Lucifer didn’t receive any payments (see the picture above).
We believe that this was in large part due to the unstable nature of Halloware. As mentioned in our previous article, this particular strain of ransomware crashed on most of our test machines. That means that very few machines even had an opportunity to be impacted. For the few configurations that did allow Halloware to run, CryptoDrop stopped it in every case.
In our communications with Lucifer, it was pretty clear that things were not going well. While we encouraged him to release a decryptor, he insisted that he needed to make a small amount of money first for school expenses.
Shortly after that, all communication with Lucifer ended across all accounts. Additionally, nobody (including us) has seen any updates to this variant.
Building ransomware is easy – all you have to do is create an executable that traverses the file system and encrypts every file it sees. This isn’t outside of the skillset of a first year computer science student. Getting that code to work in a stable fashion across many different Windows systems without the necessary dependencies is harder and takes some practice.
The point is that you should expect to continue seeing ransomware. Even though Halloware was poorly written, it accomplished its mission if you happened to be unlucky enough to have a system with the right configuration. With slightly more experience, Halloware could have been a much bigger deal. Assuming that Lucifer keeps up his studies, he might very well be back in the near future.
Don’t have the money to pay ransom? Don’t have the time to deal with your files being stolen from you? Give us a shot. CryptoDrop has stopped every single piece of ransomware that we have seen, the first time we tested them. You can try us for free today. When your antivirus fails, We Stop Ransomware.
We’ve all heard about ransomware – the bad guys lock up your files using strong encryption and then force you to pay thousands of dollars to get them back. That sounds scary in theory. But what does a real ransomware attack look like?
Our CEO sat down with an old childhood friend whose business was recently hit by ransomware. We’ll protect his and his company’s name, but let’s call this friend Robert. Everything else about this interview is true.
Robert works for a software company that employs approximately 100 people, and serves as a manager for the software team. He doesn’t explicitly work in security, but regularly interacts with his company’s security team. Robert’s story should be a best case – a knowledgeable staff with the resources to prevent such attacks.
Unfortunately, as you’ll see, ransomware causes unbelievable damage to even the best-prepared companies.
Yes, we run [a major AV program] on all of the workstations. We are also running the same company’s products on our servers. We keep that software up to date, but it was unable to prevent our systems from being infected with ransomware.
We are supposed to have warm and cold backups of all of our critical infrastructure. In the case of our database server, the warm backup was also corrupted and the cold backups were not there. To this day, we don’t know for sure whether they were deleted as a part of the attack or if they weren’t being created and simply no one noticed.
People think that backups are a simple solution. They aren’t. Actually making sure that all important data gets backed up is hard. I’m still surprised how much data in devices like laptops just doesn’t make it into the backup schedule. Even when they do, restoring full systems can take days.
We were offline for 3 days, which means customers had no access to the site. It crippled not only our production infrastructure but also our development servers and even our individual workstations, all of which had to be rebuilt. It probably set development back on major projects at least 8 weeks.
We still aren’t 100% back (three months later), although part of that is due to the (necessary) stricter network security that was put in place after this that development now has to work around.
Well, as previously mentioned we are still dealing with the aftermath, although at this point it is mostly minor things. It took us about 60 hours to bring the production site back up. That involved our IT staff (4 people) working pretty much around the clock. After that, I’d say it was a good 3-4 weeks of rebuilding critical infrastructure to get us at least 90% of the way back. We’re still working on the last 10%.
Between lost sales, the new infrastructure we needed to buy, and person time, I’d say this easily cost us in the $500k range. If you add in the lost development time and the delay in delivering major projects, you could probably argue it’s closer to $750k or more.
Yes, the network and all production infrastructure was rebuilt from scratch. The production network is now much more isolated than it was before. We changed our patching policies so that critical patches get applied pretty much immediately. We are also engaging with a firm to do a full security audit of our IT infrastructure and will make additional changes based on the outcome of that.
I think the thing that we realized very quickly after the initial attack ended was that we were in a true disaster recovery (DR) situation. We thought we had a good DR plan in place but when faced with executing it, it was clear we were completely unprepared. We had antivirus software from a top firm and we were infected anyway. Our backups failed to protect all of our data. Even without paying the ransom, the real costs and lost revenue of this attack were huge.
My advice for another firm is to take DR seriously, to make it a priority, and to actually practice executing your DR plan on a regular basis to make sure that it will actually work.
We hope that you took some downtime over the last few weeks. Unfortunately, ransomware campaigns did no such thing. Let’s take a look at one of the nastier variants we have seen lately: TastyLock.
TastyLock is not an entirely new breed of ransomware. Instead, it appears to be part of the CryptoMix/CryptoWall family tree. Like CryptoMix/CryptoWall, TastyLock encrypts files on victim machines using AES in CBC mode with a random 256-bit key. The ransomware then changes the file type/extension to “.tastylock”, before displaying to the victim a ransom note text file called “_HELP_INSTRUCTION.txt”.
When all of these factors are taken together, you shouldn’t expect to see a decryptor available for this particular variant.
Like many other pieces of ransomware, TastyLock tells victims to email them a specific code (shown above). We’ve heard that the malware authors were originally requesting one Bitcoin (roughly $16,000 on Jan 1, 2018) for the decryption keys.
Even if you decide to pay the ransom to get your files back (and we hope you don’t need to consider that because you’re running CryptoDrop – see our results below), you’re unlikely to be able to actually do so. While the aol.com email address used by the attackers still seems to be receiving email, none of our requests were responded to by the authors. That means that while the ransomware is still lurking out there (we’re seeing it in a small number of our sensors), no payment will get your files back.
As always, we ran this sample of ransomware against CryptoDrop. TastyLock wasted no time trying to encrypt our files, but it was no match for our software. We had no difficulty detecting the attempts to encrypt files, and put the system into lockdown mode.
TastyLock aggressively attempts to kill Windows Defender, making any new versions of this ransomware particularly dangerous. Better to protect yourself against this variant than to just hope it simply goes away.
CryptoMix/CryptoWall has been around for quite some time, and is one of the more successful campaigns. While we do not expect many people to be hit by this particular variant, it is safe to bet that new variants will be seen in the near future. Not to worry though – CryptoDrop will protect you against those, too.
Still not running CryptoDrop? Give us a shot – we’ve stopped every piece of ransomware that we and the independent lab AV-TEST have thrown at us. When traditional anti-virus products fail (or are attacked, like we saw here), CryptoDrop gives you an extra layer of protection. Try out our Free version today, and use our Fast Recovery version to restore any lost files and get back in business in seconds.
We Stop Ransomware!
Napoleon Bonaparte is well known for conquering large parts of Europe in the early 19th century. Napoleon ransomware looks like it is trying to do the same in the 21st.
CryptoDrop spent part of our winter vacation studying this piece of ransomware. Let’s take a look under the hood together.
Napoleon is believed to be a variant of the Blind family of ransomware. Files on infected machines are encrypted and have their type/extension changed to “.napoleon”. This strain uses AES to encrypt files on the infected machine, and previous weaknesses in the Blind family that allowed for victims to decrypt without paying seem to have been addressed.
Our tests of Napoleon also exhibited no outbound DNS resolutions, meaning that network-based defenses are unlikely to help.
Bottom line: Prevention is the only defense against Napoleon.
Unlike many other recent samples of ransomware, Napoleon does not rely on the use of Tor hidden services (a.k.a. “The Dark Web”) to hide the activities of its administrators. Instead, this ransomware makes use of two different anonymous email services: airmail.cc and cock.li.
Airmail.cc is a free, read-only email service that bills itself as a free and easy means of performing account sign-up without giving up your real email address. As such, it is not possible to send emails using this service. Airmail.cc randomly generates addresses and has no passwords. Instead, users simply go to the page and bookmark their account, which attempts to refresh every few seconds. If a user navigates away from the site for more than 24 hours, the service deletes everything.
That’s a fairly precarious way to set up a payment network – failure to refresh or a lack of login means that payment requests may be lost. Still, the authors of this ransomware appear to be having no problem finding vulnerable machines.
The administrators of Napoleon also offer a back-up email address at the domain cock.li, “[o]nly in case you do not receive a response from the first email address witit [sic] 48 hours”. Cock.li has been used for anonymous communications in the past, including fake bomb threats against Los Angeles County and New York public schools. That doesn’t mean that this website doesn’t have legitimate uses; rather, it has regularly been the subject of subpoenas and is still being used by adversaries for bad behavior.
Either way, you’re unlikely to be able to track down who is responsible for Napoleon any time soon.
As always, we ran this piece of ransomware against CryptoDrop. And again, as always, CryptoDrop detected Napoleon and stopped it before it could do much damage. Specifically, our Free version detected Napoleon after it encrypted 15 files. Our Fast Recovery Edition restored all of those files in about one second.
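As an added illustration (not CryptoDrop’s code, and not a description of how the product works), here is a toy endpoint monitor in Python that scores file writes for the indicators the TastyLock and Napoleon write-ups above describe: the renamed “.tastylock” / “.napoleon” extensions, the “_HELP_INSTRUCTION.txt” note, and the near-uniform byte distribution that AES-CBC output has. The alert threshold, the allow-list of already-compressed formats, the sample paths and the SHA-256 keystream standing in for AES are all assumptions made for the example.

```python
"""Added illustration (not CryptoDrop's code): a toy file-write monitor that
scores the indicators described for TastyLock and Napoleon."""
import hashlib
import math
import ntpath
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Indicators quoted in the posts: renamed extensions and the TastyLock note name.
SUSPICIOUS_EXTENSIONS = {".tastylock", ".napoleon"}
RANSOM_NOTE_NAMES = {"_help_instruction.txt"}
# Formats that are high-entropy by nature (assumed allow-list, not from the posts).
COMPRESSED_EXTENSIONS = {".jpg", ".png", ".zip", ".gz", ".mp4"}
# Assumed thresholds: enter lockdown once this many suspicious writes are seen.
SUSPICIOUS_WRITE_THRESHOLD = 5
HIGH_ENTROPY_BITS_PER_BYTE = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; AES-CBC ciphertext sits close to 8.0, English prose near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class WriteEvent:
    path: str    # Windows path as an endpoint driver would report it
    data: bytes  # bytes written to that file


@dataclass
class Monitor:
    suspicious_writes: int = 0
    reasons: List[tuple] = field(default_factory=list)
    lockdown: bool = False

    def observe(self, ev: WriteEvent) -> bool:
        """Score one write; return True once the monitor has entered lockdown."""
        name = ntpath.basename(ev.path).lower()   # ntpath handles backslashes anywhere
        ext = ntpath.splitext(name)[1]
        flags = []
        if name in RANSOM_NOTE_NAMES:
            flags.append("ransom-note")
        if ext in SUSPICIOUS_EXTENSIONS:
            flags.append("known-extension")
        if ext not in COMPRESSED_EXTENSIONS and \
                shannon_entropy(ev.data) >= HIGH_ENTROPY_BITS_PER_BYTE:
            flags.append("high-entropy")
        if flags:
            self.suspicious_writes += 1
            self.reasons.append((ev.path, flags))
        if self.suspicious_writes >= SUSPICIOUS_WRITE_THRESHOLD:
            self.lockdown = True
        return self.lockdown


def pseudo_ciphertext(plaintext: bytes, seed: bytes) -> bytes:
    """Deterministic stand-in for AES-CBC output: XOR with a SHA-256 keystream."""
    stream = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                      for i in range(len(plaintext) // 32 + 1))
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def attack_events(ext: str, note: Optional[str], count: int = 6) -> List[WriteEvent]:
    """Constructed stream: `count` renamed ciphertext files, then an optional note."""
    body = b"Quarterly numbers for the board, draft three. " * 50
    events = [WriteEvent(f"C:\\Users\\alice\\Documents\\q{i}.docx{ext}",
                         pseudo_ciphertext(body, f"k{i}".encode()))
              for i in range(count)]
    if note:
        events.append(WriteEvent(f"C:\\Users\\alice\\Documents\\{note}",
                                 b"Your files are encrypted. Email us."))
    return events


def benign_events() -> List[WriteEvent]:
    """Constructed ordinary writes: text stays low-entropy, a photo is allow-listed."""
    return [
        WriteEvent("C:\\Users\\alice\\Documents\\notes.txt", b"meeting at ten " * 40),
        WriteEvent("C:\\Users\\alice\\Pictures\\cat.jpg",
                   pseudo_ciphertext(b"\x00" * 2048, b"photo")),
    ]


def first_lockdown_event(events: List[WriteEvent]) -> Optional[int]:
    """1-based index of the write that triggered lockdown, or None if it never did."""
    mon = Monitor()
    for i, ev in enumerate(events, 1):
        if mon.observe(ev):
            return i
    return None
```

With the assumed threshold of five, both constructed attack streams trip lockdown on the fifth renamed ciphertext file, before the note is even written, while the benign stream never does.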
Napoleon Bonaparte was ultimately stopped by a coordinated defense (with the help of a cold, Russian winter). Protect yourself against ransomware with the same thing (but please, skip the frostbite). Grab a copy of CryptoDrop today! We Stop Ransomware!
In this post, we’re looking at why ransomware is being written and who is doing it. We think that after reading this you’ll agree it’s necessary to have CryptoDrop running on your computer as well.
Perhaps the most newsworthy event regarding ransomware over the past few days was when President Trump’s administration declared that North Korea was behind the WannaCry ransomware attack. You might have been surprised to hear this, and you may be even more surprised to know that many in the security community had assumed this to be the case for the past few months. In fact, an article in the New York Times looked at how North Korea has been using the Internet for criminal enterprises including writing ransomware. It is estimated that the money made for the North Korean government ranges from hundreds of millions up to a billion dollars per year. This represents one-third of the value of all of North Korea’s exports. It’s clear that ransomware not only brings in money but funds the country’s military ambitions.
It also appears that North Korean hackers can be found in countries around the world. While physically stationed in India, Malaysia, and other locations, these hackers use proxies around the world to obscure where their traffic truly originates. What is particularly damaging about these reports is that the ransomware exploits being written have in some cases been built on top of cyber-weapons stolen from the National Security Agency.
Ransomware isn’t just coming from national governments. International gangs of cyber criminals have partnered with botnet owners to launch ransomware attacks. Botnets, or networks of compromised machines controlled by an attacker, make many things difficult for defenders. For instance, the identity of the real attacker is not immediately obvious, because the source of attack traffic is likely a compromised desktop machine owned by someone else. Additionally, because some botnets contain millions of compromised hosts, shutting down one source does little to stop the overall campaign.
One particularly successful example is the Necurs botnet. While Necurs is years old at this point, it is regularly being used to distribute new ransomware variants, such as the GlobeImposter ransomware that we discussed a week ago.
Not every piece of ransomware that we’ve examined comes from a sophisticated attacker – some come from novice programmers.
As we showed in our analysis of Halloware, some pieces of ransomware are so badly written that a victim couldn’t pay a ransom if they decided to do so. In Halloware, the payment link to buy the decryption key was broken and a “Failed to execute script virus” message appeared on victim machines! It seems likely that the author, in identifying himself as a 17-year-old college student, wasn’t lying. We’ll provide more information on this case soon.
However, Halloware is the exception rather than the rule. The days of malicious attacks being made solely by a teenage kid in their parents’ basement are over. Nowadays, ransomware is being written by well-funded attackers. From criminal gangs running sophisticated international operations, to attacks such as WannaCry that have the power of a nation-state behind them, ransomware is a global threat.
What can you do against such sophisticated attackers?
CryptoDrop stops not only WannaCry, but every other ransomware exploit we’ve tested against. But we can only help keep your machine safe if we are running before the attackers arrive. Save yourself the headache and cost of trying to get your data back – download our Free or Fast Recovery versions today!
Ransomware is a real and serious threat, but with CryptoDrop, you can rest easy. At CryptoDrop, We Stop Ransomware.