Ransomware is rampant, don't be caught out

Thomas Zucker-ScharffSenior Data Analyst
Veteran in computer systems, malware removal and ransomware topics.  I have been working in the field since 1985.
There are many reasons malware will stay around and continue to grow as a business.  The biggest reason is the expanding customer base.  More than 40% of people who are infected with ransomware, pay the ransom.  That makes ransomware a multi-million dollar business.
I recently listened to a webinar by Kaspersky labs called, "Unlock the key to Repel Ransomware." the webinar was interesting in that it addressed some particular points we have discussed here on Experts Exchange.  Especially points that colleagues and I discussed when I was writing my previous article on Ransomware. The webinar got me thinking that the previous article didn't cover nearly enough.  Yes, it was heavy on prevention, but may not have had enough explanations in it.  Also, the ransomware variants have changed significantly, to where the latest ones are mutating as they attack a system, and have “become APT-grade in their sophistication.”63  I felt it was important to relate whatever I knew, or could find out, to the rest of the Experts Exchange community (and as a bonus, I can refer back to this article in answers).  I have tried to lay out the article in a way that makes the most sense to me.  It is somewhat Socratic, in that I want people to ask these questions, because the answers are important, but mostly because asking the right questions is the most important part of the process.

"einsteinquote.PNG" tI will do my best to define what ransomware is, delineate which operating systems can be potentially affected, describe how one might get ransomware, what one might do to safeguard against such an event, and finally, what to do if the attack has already happened and your files are indeed encrypted.

My first question is always to ask for a definition, otherwise I have found that sometimes I am using different terms than the person talking to me and neither of us knows what the other is saying.  So What is Ransomware? I did a quick google search and found too many sources (1,340,000 hits), I have chosen several, but the FBI had the most succinct definition: "scams, which involve a type of malware that infects computers [or any computing device] and restricts users’ access to their files or threatens the permanent destruction of their information unless a ransom—anywhere from hundreds to thousands of dollars—is paid."  Some others are listed below:
The Microsoft entry above is excellent and not only has a good definition of ransomware, but also a distribution analysis and how to prevent/remediate the trojan, although the initial cryptographic API used to create Cryptolocker was Microsoft's own CryptoAPI.  According to the Dell SecureWorks report, it was only because Cryptolocker used "'Microsoft Enhanced RSA and AES Cryptographic Provider' to create keys and encrypt data" that the malware was so "successful."

So the next question that pops into my mind is, what is this to me, or why should I care?  The most direct answer, in this case, is that everyone needs to care.  More specifically, you should care because nearly everyone is affected in some way.  Operating systems that are normally not targeted in malware attacks are targeted by botnets serving out ransomware.  This is mainly due to how lucrative the ransomware business is. That is a long winded way of saying everyone and everything is affected.  The operating systems that are not normally as vulnerable to malware, are vulnerable to ransomware, and that presents a problem, largely because many who would not ordinarily be vigilant, need to be.

Which Operating systems are affected? Virtually ALL operating systems are affected in some way.  The more popular the OS, the more lucrative it is for malware writers to target it.  For this reason Windows 7 is the most targeted desktop operating system, but all windows operating systems are affected.  MACOS and LINUX, which is the underlying OS for today's MAC operating systems, are both at risk, even more so because users of machines running these OSes are more likely to think they are free from risk.  Mobile systems, including iOS and Android, are now being increasingly targeted. 
Mobile operating systems are not only affected, but have become more of a target.  Since the Android OS is both the most widespread and is open source, it is also the most targeted mobile platform. In summary, the following desktop and mobile operating systems are the most affected: 
  • Windows (all versions)
  • LINUX 
  • iOS
  • Android 
Windows_logo_-_2012_derivative.svg.pngThe threat is more widespread than most people believed possible, especially here in the United States.  Whether it is because there is more money to be had, or we are just more gullible is unclear.  What is clear is the raw numbers of people whose systems are not only attacked by a ransomware trojan, but are willing to pay the ransom.  Numbers you say. Okay. The Dell report stated that during a 10 day reporting period from 10/22/13 to 11/1/13, over 70% of the systems affected by the cryptolocker trojan were in the United States.  That amounted to over 22 thousand systems, or over 800 thousand systems in a one year period (extrapolated from the initial number).  And that is only the USA.  It is estimated according to this study that approximately 41% of those infected will pay the ransom.  This is an astounding number.  On the other hand, Symantec estimates that roughly 3% will pay the ransom.  Either way, Symantec’s conservative estimate, counting one incident with one piece of malware compromising ~68,000 computers/month, would mean $2.45 million USD/year (Symantec captured 1 server and derived this information from transactions for 2 bitcoin addresses).  If the crypto malware business infected between 200k and 250k systems in the first 100 days of the threat (or approximately 821k systems in a 365 day period, according to the Dell study, that would mean that, at $300 per system to decrypt (a conservative estimate of the cost since the malware has asked up to 10 bitcoins55 56 57 58 59 60 (it should be noted that bitcoins’ value have ranged from $0.008 on 1/5/2010 to $1216.73 on 11/17/201360, and as of this writing at $240.10 – according to preev.com) for the decryption key - see the Dell report for further explanation), it comes to over $246 million/year  if only 41% of the owners pay the ransom, $7.4 million USD/yr if 3% pay the ransom (that only takes a little bit of the ransomware industry into account).  Or, if you believe the figure produced by ZDNET, just less than $290 million per year.  That is easy money for the malware writers.  Why would they stop? 
This is a lot of money, so you may be asking the obvious question, why not just brute force decrypt this yourself and save money and time?  Well, you will most probably not save either.  You say, “If someone can encrypt these files, surely I can decrypt them.”  There is a small problem.  Even if you had machines that could decode at gigaflop (a billion Floating point Operations Per Second – FLOPS) rates, and were able to hook a billion of these computers together, since AES 256 bit encryption has 2256 different possible combinations.  It would take ~6.7 x 1040 times longer than the age of the universe to exhaust half of the keyspace of one AES-256 bit key. (credit to this page - theydidthemath - a great explanation of AES 256bit encryption) 

How did I get it in the first place?!
There are several ways in which you might get this trojan on your device.  The list here is not all inclusive, so you need to beware of ANYTHING that looks out of the ordinary.  Some things are much harder to mitigate against.  You not only need good, up to date antivirus/antimalware (endpoint protection suites are best), you also need layers of security that monitor web activity and changes on your system.  And that is just the start.  I highly recommend reading my article on multilayered security as a starting point.  So here are a few of the ways you may get a malware trojan on your system:
  • Malvertising - Malware advertising - can be present on ANY site and serves out malware that looks like legitimate advertising.  The sites themselves may not know what is happening for several days.
  • USB autorun / autoplay is on.  If this is on and a USB device that is infected is inserted into your computer, then the computer will become infected as well.  This is easy to take care of, just make sure to turn both off, completely.  This is a small inconvenience, but well worth it. Check out these programs which make it easy to disable and/or lock autorun and executable files on USB sticks
  • Infected network computer.  If there is an infected network computer on the same network as your computer/device, there is a good chance your computer/device will become infected.
  • Phishing emails containing attachments - I will reiterate this, as I do several times a month to my own users, NEVER open an attachment in an email unless you ABSOLUTELY trust it and expect it.  This includes everything.  If you must open an attachment that does not meet these requirements either send it to someone like me to open (my colleagues and I generally open these attachments in a virtual machine.  In that way any infection merely infects the virtual machine which is then deleted.), or open it yourself in a virtual machine.  Remember that files can be disguised.  Check out this article and this blog69 (thanks to Eirman on Experts Exchange for the blog link) on how that might be done. Even emails from seemingly reputable sources, which you are expecting, may not be real.  If at all possible DO NOT click a link, instead go directly to the source website or call them. The malware writers are hoping they will get someone who IS expecting an email from one of the places they have used, and will click on the link52 66 67 68.  If you have already opened an attachment from email and it was blank, close it immediately!  You must assume it contains malware, until you KNOW it does not. Do the following:
    • Perform scans on your computer with your installed endpoint solution
    • download chameleon from the Malwarebytes.org website on a clean computer and run it on the infected computer as follows
      • from the chameleon directory run the svchosts file
      • the svchosts file will
        • kill known rogue processes
        • update malwarebytes
        • run a malwarebytes scan
    • Open malwarebytes
      • click on settings
      • in Detection and Protection
        • all check boxes should be checked
        • under non-malware protection set both options to "Treat detections as malware"
        • Malware protection should be enabled
        • Malicious website protection should be enabled
      • in Advanced Settings everything but the delay checkbox should be checked
      • Click on Scan
        • Make sure Threat Scan is selected and click Start Scan
    • Download the demo of HitmanPro.alert (by SurfRight) and perform a scan
    • When your system is clean, NOT BEFORE, install cryptoprevent
      • say no to the two questions during the install
      • let CP apply the basic policy
      • whitelist your current applications
  • Links - This is true of almost any link where it is not displayed explicitly.  For instance a link that says "Click here" is an obfuscated link.  When you put your mouse over the link you can see where it will take you when you click, displayed at the bottom left of the browser (if it is a link in a browser).  If it is in an email, the actual destination is most often displayed wherever the mouse is hovering (depending on the email application).  It is usually displayed somewhere though.  If you are unsure ask an IT person to check it for you.  It is far easier to check a link than it is to clean a computer.  Shortened links are another problem.  You see these all over twitter.  A tweet with only a link screams DO NOT CLICK ME!  Shortened links are extremely helpful and can be customized (I have one that is http://j.mp/math_is_fun for a math class.  It points to a page of math resources for Common core preparation for 7th and 8th graders - originally for the 2015 common core exam), but anyone can do this.  So be wary of any shortened links.
  • vulnerable (not updated) software
    • Suffice it to say that ANY software that is not kept up to date / patched is more likely to be used in a malware attack.  This is especially true of more popular software, like (but not limited to):
      • Adobe Reader
      • Java Runtime Environment
      • Java
      • Microsoft Office
      • Browsers
      • Communication programs such as Skype
    • Most of these can be taken care of by auto updaters, including Windows update
  • Operating systems that are not up to date (security updates are always included in OS updates)
  • Installing apps from outside the playstore, appstore, windows store, etc
  • Drive by infections.  Although I mention this last, it is by NO MEANS the least or your concerns.  A drive by infection can infect your computer without any interaction with you.  A good explanation of how drive by infections work can be found here.  There is another good piece to read here both defining drive by infections and how to defend against them.
How do I prevent my device from becoming infected in the first place
I should point out that the article I referenced at the very beginning of this article deals exclusively with prevention.  But since this is a natural progression, I will address this next.  Also, Knowbe4.com has an excellent ransomware prevention checklist in the PDF downloaded from here.
  1. Always use the Principle of Least Privilege (POLP)70 71 72 when setting up new systems, on your own system or when granting privileges to applications
    1. POLP is defined as “Every program and every user of the system should operate using the least set of privileges necessary to complete the job,” according to US-CERT.
    2. In everyday usage this means that the average user should only let applications run with administrative privileges if they cannot function otherwise, and Users need never log in as the administrative user unless they absolutely must. See references SANS73 and Wiley74 documents for further information on how to apply POLP.
  2. Install up to date AV/AM solution.  This is true on any system, including mobile ones.  The first thing that goes on my phones is an A/M suite and a few monitoring apps.  It slows the phone down a little, but it is well worth it.  I also install a few apps on each computer I come across.  Second, use tools like CryptoPrevent and/or CryptoGuard to prevent the kind of access these crypto programs need.  One of the most important things you should do is set up your backup.  Backup as often as possible and check that you can restore from backup, otherwise the backup is useless.  Last, but not least, subscribe to a versioning backup solution in the cloud.  More on these later, or you can read my article on why I changed cloud backup providers.
  3. But you are a sophisticated user and take all kinds of precautions.  You even encrypt your harddrive (full disk encryption), your phone and your SD card in your phone.  So you don't have to worry, do you? YES! You do have to worry.  If you are infected with a ransomware trojan, it will encrypt your encrypted files (mobile device Trojans work slightly differently, they tend to lock your entire phone instead of encrypting each file, so the ways to combat this are different).  To decrypt them you will need first the ransomware decryption key and then your own decryption key.  So, in this case, encryption, although normally a good precaution, will do you no good.
  4. Make sure your backups are stored away from your computer and not attached to the internet.  I may be a little paranoid, but is it paranoia if it is true?  I was suggesting this very course of action to my father, who uses a MAC, but he had several problems with it.  He was worried because Time machine on the MAC backs up all the time the Time Machine drive is plugged into the machine.  So if he unplugs it, it won't back up.  I assured him, I believe correctly, that TM will back up again once it is reattached.  He was also worried about having his machine on and would turning it off mitigate the chance of infection.  Turning a machine off is a good way to assure there will be no infection.  But if there is already a trojan on the machine it will only temporarily stop whatever it is doing.  One can remove the drive after turning off the machine, but with MAC laptops and many PC laptops that is not possible for the average user since the drives are not user removable.  The best scenario, in this instance, is to have at least 2 Time Machine drives.  One would update the first and keep the other detached from the computer.  Then, once the backup is finished, switch the drives.  In this way there will always be at least one drive that is not attached to the computer, but is relatively up to date.
I have said this before, but it cannot be repeated enough, backup is not only essential but in this case will save your files and save you a lot of heartache.  It is necessary that you implement versioning backup.   On the most basic level, versioning backup is a backup that includes a version of the old file when changes are made.  There are many choices out there now and some are free and others are paid.   I reviewed different backup solutions in this article.  In the end I am partial to backup solutions that are understandable, efficient, and include versioning.  But keep in mind that no matter what you do, if your backup drive is connected, either through a network, or physically, to your computer when a ransomware trojan is activated, the backup will be encrypted as well.  At this point someone invariably asks me about dropbox.com.  Something to the effect of, "Doesn't dropbox do versioning, can I use it as a backup?"  The answer to this is simple - dropbox is not a backup.  That said, I should explain that although Dropbox does do versioning, if your dropbox gets encrypted due to ransomware you will need to put a ticket in with the dropbox helpdesk and they will get you a previous version of the your dropbox, unencrypted, but it generally takes upwards of 2 working days.  If you use a true backup solution like inSync (Druva), CrashPlan (Code42), or SpiderOak, you can do it yourself and will be back up and running in a matter of a few hours.  We had this happen at work and were able to recover everything that had been designated to be backed up (which included the person's dropbox) in a few hours.  There is no doubt in my mind that versioning backup is worth the investment.  Not only do you get piece of mind, but you will pay less for this backup than you will in ransom for a key that may or may not work (and which may or may not carry a new payload of malware).
We use inSync at work, but it is available for businesses only, I use CrashPlan at home (unlimited storage family plan - up to 10 devices for consumer price of $145/year).  The great thing about CrashPlan is that you can mirror the backup to local devices as well, for free.  Yes the free version remains free to backup to another computer or an external harddrive.  And it is still versioning (so you do need more space for backup than the disk you are backing up). Also with any of the cloud plans, instead of taking the time to backup all your important data, you can just send them a drive with everything on it and they will add it to your account.  This is a real boon if you have a lot of data.  Check out my article on why I changed from CrashPlan to inSync at work, but still use CrashPlan at home.
       Other Desktop / Laptop Security
  1. Use a multi-layered security approach to securing all internet capable devices (today that means virtually everything).
  1. To protect yourself from the most of the latest mutating ransomware, of the Kofer variety, you need merely create a simple file.  To create a simple application from notepad on your root partition
    1. Most of the newest ransomware in the Kofer family check for a file called, "c:\myapp.exe" and if it is discovered will NOT run.  To create this file (it need not even be a real executable), do the following:
      1. open notepad
      2. Click the menu and select "Save as"
      3. In the "Save as type:" dropdown, select "All files (*.*)"
      4. In the "File name:" field type, "myapp.exe"
      5. Save the file to the root of the c: drive, or if you get an error (which you should if your system is set up correctly), save it to your my documents or download folder and then move it to the root of c:\ using Windows explorer or File Explorer.
  2. Use some sort of web browsing protection.  Many of the Endpoint protection suites come with a web browsing protection component, either on by default or it can be turned on.  If you have such a suite, check the settings and make sure this is turned on.  If you don’t have a setting like that, you can either use some of the free webprotect plugins/addons for your browser or you can purchase one.  Some of the better known ones are:
    1. Web of Trust (WOT)
    2. Cocoon (paid)
    3. Ad Blocker Plus
    4. Trusteer Rapport (from IBM) (paid and most often distributed through banking institutions)
      1. screen capture disabled (Block Screen Capturing set to "on partner and sensitive sites")
      2. Block Access to information inside the browser (set to "on partner and sensitive sites")
      3. virtually everything else should be set to  "on partner and sensitive sites" or always.
note that this will severely change the way in which you access websites and use the web, but it will also prevent some malware from even working.  It also will protect you while on most financial institution sites.

             These are just a few of the browser plugins that will protect you while you browse the internet.
  1. Install some anti-crypto applications.  This is both easy to do and relatively painless afterwards. The CryptoPrevent application (from FoolishIT) is free and as long as you answer no to the questions about if you have or want a license, it is easy to install.  The CryptoGuard (from SurfRight - makers of HitmanPro) is another excellent app, but is paid.  HitmaPro.Alert comes in paid and free versions.  I highly recommend the paid version.
Mobile security – this is just a starting point
  1. Unlocking the phone
    • Do more than just a design or pin to unlock your phone.  Most of the latest phones can use a fingerprint scanner, use that or a complex password, or both
      • To use the fingerprint scanner make sure to define the same fingerprint as many times as you can, on my Samsung Galaxy S5 I can define 3 different fingerprints, each requiring 10 swipes of the fingerprint I swipe the same finger 30 times for best recognition
  2. Install a security suite on your phone (I like Trustgo from trustgo.com, but there are many out there) The security suite should be able to completely wipe your phone - most can do that. Here are just a few of the ones I have tried:
    1. Trustgo
    2. lookout
    3. 360 security
    4. There are mobile versions of almost every desktop AV /AM suite.  Some versions only work if you own the desktop version.  Many of the endpoint solutions that workplaces license have a mobile component as well, which is not always advertised - so check that out as well.
  3. Use a password manager on your phone
  4. Check your phone for security problems such as Stagefright (Stagefright detector from Zimperium, Inc)
  5. Use a secondary scanner like Bluebox Security Scanner or Security Pal
  6. Use an app locker like App Lock Pal
  7. Use a monitoring app like Clueful Privacy Advisor
  8. Test your android security acumen with apps like Android Exam Test FREE AND-402 (not a great app, but you will learn something)
  9. Encrypt your phone (be careful with this as it may render apps on your card unusable, although it is reversible) and your card (especially if you store backups on your card)
  10. Remember that some ransomware specifically looks for financial apps on your phone.
  11. If you are using something like Android Pay, make sure you understand the risks
Assume the worst
  1. it will get through your mailserver
  2. it will bypass your AV/AM scanner or disable it
  3. it will delete / turn off system restore, and there go all your restore points
  4. it will encrypt any and all backups it can find (so make sure there are some it can't find)
  5. it will access and encrypt network shares, mapped or not - and you will be blamed
  6. your computer will be encrypted
  7. even if you pay the ransom you won't get a decryption key that works
  8. If you do get anything, it will carry another payload, which will, in all likelihood, make things worse not better.
I’ve been encrypted, What do I do?
Before doing anything else, disconnect completely from any network and USB drives.  Your USB drives have probably already been encrypted, if you are seeing the ransom message.  To begin with, everyone should understand that a majority of ransomware attacks will end with the user either paying the ransom (not recommended)  or reformatting the computer/factory resetting the phone.  So in the majority of cases, the first step should be the last as well, reformat/reset the device.  Even if you do that, you can never truly trust that device again.  There is only one true way to trust a device that has been compromised, on computers, nuke the harddrive (I suggest using Darik’s Boot and Nuke – DBAN), then reinstall a fresh copy of the operating system, with phones, do a factory reset and reformat the SD card (if it has one).  DO NOT copy your files over from the infected computer/device, no matter how clean you THINK they are!  Restore files from a backup that was done before the device was infected. 
For those computers that can be “rescued,” without using a decryption key from the writers of the malware (as I said it may carry more malware), decrypt the files using either the keys that have been captured and made public, or with the tools provided.  Once you have a clean computer and can access your files, this means you have scanned the computer with all the tools you have, some of the tools listed below, and others that have already been suggested, and the scans are all clean, and you have uploaded several files that either still look suspicious or were encrypted, to virustotal.com and that scan came back COMPLETELY clean as well.  Remove the physical disk from the computer and scan it again as an external drive on a computer that is not connected to the internet and does not have ANYTHING important on it (in case it does get attacked/infected).  If everything still comes up clean, copy the files off of the drive, nuke the drive using DBAN, then put it back in the original machine and reinstall the OS (in my opinion, you have not gained much and have used a lot of time doing this instead of nuking the drive right away).
Tools to help you out if your files have been encrypted with a crypt family trojan.  But before I go on, BE WARY of any tool that claims to decrypt your files.  Most tools can't because of the sheer amount of work involved (see above).  If they suggest you download the tool first, "CAVEAT EMPTOR", they may be carrying a payload of malware.  Always download these tools into a sandbox first.  For those unfamiliar with sandboxing, think of it as the same thing as a playground sandbox, except on your computer.  It lets a piece of software run, but at the same time prevents it from affecting anything outside the defined sandbox, including the rest of your computer.  The paid sandboxes can be fairly powerful and somewhat easy to use.  I have used Sandboxie and recommend it, but know that it is a paid solution. This article gives suggestions on how to run anything in a sandbox. Remember a virtual machine may not be good enough.  There are virii that are written specifically with virtual machine files in mind.  Many of these actually will not execute if they detect they are in a virtual machine, but WILL execute once they are out of the VM.  There is an excellent page of tools here.

Tools by Kaspersky:
Kaspersky No ransom site (Decrypt keys that have been made public when the C&C server or botnet was taken down)
Kaspersky ransomware blog by Andrey Pozhogin
Kaspersky webinar Unlock the key to Repel Ransomware by Andrey Pozhogin
Kaspersky ransomware blog about TeslaCrypt 2.0

Cisco decrypt it yourself tool
CoinVault Ransomware Decryptor
7 best Ransomware removal tools (according to techworld)
How can you deal with the Ransomware Epidemic? (TechWeek Europe)
Ransomware Removal Kit
Trend Micro Ransomware Removal Tool (I have not used this tool)
Recover Teslacrypt .vvv files (untried)
Ransomware cracked - 2 variants (untried)
Get your files back if struck by Cryptolocker (untried)
10 Decryption cases - Ransomware Happy Ending (untried)

Update 2016-04-13: If you have been hit by the version of Ransomware known as Petya, there is a decryption website.  Bleepingcomputer posted about it here and the direct link is here

I am also looking into a tool that has been developed by a current member of Experts Exchange, prestoncooper, (apparently a SQL expert - certified by Microsoft - see his profile) which purports to scan networks shares for signs of ransomware infection.  I am currently still testing it, but the software and documentation can be found here.

There are also two programs I have been testing that bill themselves as antiransomware applications.  I have been testing the Malwarebytes Antiransomware beta for a couple of months now and have had no problems.  MBARW is still in beta and more than a few people have reported false positives.  The program has gotten better and the developers seem to be very responsive. I installed BitDefender Antiransomware on another computer and have had no problem with it either.  The biggest problem I have seen with these applications, especially the BD app, is that there are either very few or no configuration options.  It is rather unclear how they even work.  So be aware of this if you intend to use one of the above applications.

It should be noted that most ransomware, once it has encrypted your files, cannot be easily taken off a system (unless the ransomware Command And Control server has been taken down and the private keys have been posted online).  The only real solutions are preventative ones.  If caught early enough, this means BEFORE the malware has a chance to encrypt your files, the system can be cleaned.  It is by far preferable to restore from a recent unencrypted backup.  Mitigation in this sense means that you have software on your machine that will prevent the ransomware from communicating with the Command and Control server, since it is only after this communication that the ransomware will start encrypting your files (UPDATE: This new ransomware - currently only attacking Russian users of Windows - can encrypt files without ever contacting a C&C server. So please take this into account).  A good endpoint solution will block programs not specifically on a “whitelist” from sending information to an unknown IP address.  Malwarebytes Pro has a similar ability.  RUBotted also alerts you to such activity.  Programs like HitmanPro.Alert, Cryptoprevent, and Cryptoguard have similar abilities.  Running more than one of these is not a bad idea as long as only one is allowed to do on-access scanning (scanning files when they are accessed, changed, downloaded, or modified in any way).
Not all ransomware actually encrypts files.  Some malware variants “piggyback” on known encryptors, like CryptoLocker, with similar screen popups, but don’t do the actual work of encrypting your files, although they may change the file extensions to make them look “encrypted.”  Most of the malware affecting android phones do not actually encrypt files but rather block access to your phone.  Although the effect is the same, unless your phone was rooted to begin with, it is very unlikely that any data can be recovered.  This specifically runs contrary to my stance in my previous article about why you shouldn’t root your phone.  In this case, you are better off with a rooted phone.

Other sources:
January 2015 FBI Public Advisory  
FBI Ransomware hits Android
University of Kent report (PDF)
Cisco Disrupts Major Ransomware distribution campaign
Ransomware Goes back to the  future - Security Intelligence


Thanks to user btan for making several suggestions I have incorporated into this article.  Btan has a great article on the inner workings of Ransomware and some good advice as well.

References (see below for link to complete reference list)
  1. “Advisory: Information about the PC CYBORG (AIDS) Trojan Horse.” 2015. Accessed September 22. http://www.securityfocus.com/advisories/700
  2. “AlphaCrypt.” 2015. Webroot Threat Blog. Accessed September 22. http://www.webroot.com/blog/2015/05/04/alphacrypt/
  3. “APT-Style Evasion Techniques Spotted in ‘Kofer’ Ransomware Campaign | SecurityWeek.Com.” 2015. Accessed September 22. http://www.securityweek.com/apt-style-evasion-techniques-spotted-“kofer”-ransomware-campaign
  4. “Archiveus Trojan | KnowBe4.” 2015. Accessed September 22. https://www.knowbe4.com/archiveus-trojan.
  5. “Coinvault, Are We Reaching the End of the Nightmare? - Securelist.” 2015. Accessed September 22. https://securelist.com/blog/research/72187/coinvault-are-we-reaching-the-end-of-the-nightmare/.
  6. “Emsisoft Blog.” 2015. Accessed September 22. http://blog.emsisoft.com/.
  7. “Kaspersky Lab.” 2015. Accessed September 22. http://www.kaspersky.com/about/news/virus/2014/Kaspersky-Lab-detects-mobile-Trojan-Svpeng-Financial-malware-with-ransomware-capabilities-now-targeting-US-users.
  8. “Latest Version of Svpeng Targets Users in US - Securelist.” 2015. Accessed September 22. https://securelist.com/blog/mobile/63746/latest-version-of-svpeng-targets-users-in-us/.
  9. “Locker: Cryptolocker’s Latest Strain of Ransomware Awakens.” 2015. Backblaze Blog | The Life of a Cloud Backup Company. Accessed September 22. https://www.backblaze.com/blog/locker-cryptolocker-progeny-awakens/.
  10. “New Ransomware Alert: CryptoLocker Copycat PClock Discovered.” 2015. Accessed September 22. http://blog.emsisoft.com/2015/01/04/new-ransomware-alert-cryptolocker-copycat-pclock-discovered/.
  11. “Ransomware and Bitcoin Theft Combine in BitCrypt | Security Intelligence Blog | Trend Micro.” 2015. Accessed September 22. http://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-and-bitcoin-theft-combine-in-bitcrypt/
  12. “TeslaCrypt - Encrypting Ransomware That Now Grabs Your Games.” 2015. Webroot Threat Blog. Accessed September 22. http://www.webroot.com/blog/2015/03/12/teslacrypt-encrypting-ransomware-that-now-grabs-your-games/
  13. “TorrentLocker Ransomware Hits ANZ Region | Security Intelligence Blog | Trend Micro.” 2015. Accessed September 22. http://blog.trendmicro.com/trendlabs-security-intelligence/torrentlocker-ransomware-hits-anz-region/
  14. “Trojan: W32/Gpcode Description | F-Secure Labs.” 2015. Accessed September 22. https://www.f-secure.com/v-descs/gpcode.shtml.
  15. “CryptorBit and HowDecrypt Information Guide and FAQ.” 2015. Accessed September 22. http://www.bleepingcomputer.com/virus-removal/cryptorbit-ransomware-information.
  16. “Trojan.Cryptodefense | Symantec.” 2015. Accessed September 22. https://www.symantec.com/security_response/writeup.jsp?docid=2014-032622-1552-99.
  17. “CryptoDefense, the CryptoLocker Imitator, Makes Over $34,000 in One Month.” 2015. Symantec Security Response. Accessed September 22. http://www.symantec.com/connect/blogs/cryptodefense-cryptolocker-imitator-makes-over-34000-one-month
  18. “CryptoLocker - What Is and How to Avoid the Malware.” 2015. MediaCenter Panda Security. Accessed September 22. http://www.pandasecurity.com/mediacenter/malware/cryptolocker/
  19. “Cryptolocker 2.0 Turns into Worm That Spreads via USB Drives | Security | Techworld.” 2015. Accessed September 22. http://www.techworld.com/news/security/cryptolocker-20-turns-into-worm-that-spreads-via-usb-drives-3495444/
  20. “Cryptowall 3.0: Back to the Basics.” 2015. blogs@Cisco - Cisco Blogs. Accessed September 22. http://blogs.cisco.com/security/talos/cryptowall-3-0
  21. “Trojan.Cryptowall | Symantec.” 2015. Accessed September 22. http://www.symantec.com/security_response/writeup.jsp?docid=2014-061923-2824-99.
  22. “Inside CryptoWall 2.0: Ransomware, Professional Edition | Ars Technica.” 2015. Accessed September 22. http://arstecchnica.com/information-technology/2015/01/inside-cryptowall-2-0-ransomware-professional-edition/
  23. “Crowti Update - CryptoWall 3.0 - Microsoft Malware Protection Center - Site Home - TechNet Blogs.” 2015. Accessed September 22. http://blogs.technet.com/b/mmpc/archive/2015/01/13/crowti-update-cryptowall-3-0.aspx.
  24. “CRYPVAULT: New Crypto-Ransomware Encrypts and ‘Quarantines’ Files.” 2015. Accessed September 22. http://blog.trendmicro.com/trendlabs-security-intelligence/crypvault-new-crypto-ransomware-encrypts-and-quarantines-files/
  25. “UPDATED: All You Need to Know About CTB Locker, the Latest Ransomware Generation.” Heimdal Security Blog. Accessed September 22, 2015. https://heimdalsecurity.com/blog/ctb-locker-ransomware/
  26. “Remove the Everything on Your Computer Has Been Fully Encrypted Ransomware.” Accessed September 22, 2015. http://www.bleepingcomputer.com/virus-removal/remove-everything-on-your-computer-has-been-encrypted
  27. “Trojan:Win32/Harasom.A.” Accessed September 22, 2015. http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:Win32/Harasom.A#tab=2
  28. “Android Ransomware ‘Koler’ Turns into a Worm, Spreads via SMS | PCWorld.” Accessed September 22, 2015. http://www.pcworld.com/article/2837372/android-ransomware-koler-turns-into-a-worm-spreads-via-sms.html
  29. “This Nasty Android Ransomware Changes Your Phone’s PIN Code.” PCWorld, September 11, 2015. http://www.pcworld.com/article/2983138/security/android-ransomware-changes-a-devices-pin-code.html
  30. “PrisonLocker – a Step Up From Cryptolocker.” Infosecurity Magazine. Accessed September 22, 2015. http://www.infosecurity-magazine.com/news/prisonlocker-a-step-up-from-cryptolocker/
  31. “PrisonLocker Ransomware an ‘Evolution’ From CryptoLocker | SecurityWeek.Com.” Accessed September 22, 2015. http://www.securityweek.com/prisonlocker-ransomware-evolution-cryptolocker
  32. “Trojan: ​W32/Ransomcrypt Description | F-Secure Labs.” Accessed September 22, 2015. https://www.f-secure.com/v-descs/trojan_w32_ransomcrypt.shtml
  33. “REVETON Ransomware Spreads with Old Tactics, New Infection Method.” Accessed September 22, 2015. http://blog.trendmicro.com/trendlabs-security-intelligence/reveton-ransomware-spreads-with-old-tactics-new-infection-method/
  34. “‘Reveton’ Ransomware Upgraded with Powerful Password Stealer | PCWorld.” Accessed September 22, 2015. http://www.pcworld.com/article/2466980/reveton-ransomware-upgraded-with-powerful-password-stealer.html
  35. “900,000 Android Phones Hit by Ransomware in 30 Days.” Accessed September 22, 2015. https://blog.knowbe4.com/bid/395085/900-000-Android-Phones-Hit-by-Ransomware-in-30-days
  36. “Android Phones Hit by ‘Ransomware.’” Bits Blog. Accessed September 22, 2015. http://bits.blogs.nytimes.com/2014/08/22/android-phones-hit-by-ransomware/
  37. “U.S. Targeted by Coercive Mobile Ransomware Impersonating the FBI | Lookout Blog.” Accessed September 22, 2015. https://blog.lookout.com/blog/2014/07/16/scarepakage/
  38. Ducklin, Paul. “CryptoLocker Wannabe ‘Simplelocker’ Scrambles Your Files, Holds Your Android to Ransom.” Naked Security. Accessed September 22, 2015. https://nakedsecurity.sophos.com/2014/06/06/cryptolocker-wannabe-simplelocker-android/
  39. “SynoLocker Demands 0.6 Bitcoin to Decrypt Synology NAS Devices - CSO | The Resource for Data Security Executives.” Accessed September 22, 2015. http://www.cso.com.au/article/551527/synolocker_demands_0_6_bitcoin_decrypt_synology_nas_devices/
  40. “Urausy Police Ransomware | FBI Virus | KnowBe4.” Accessed September 22, 2015. https://www.knowbe4.com/urausy-police-ransomware
  41. “Troj/Xorist-A - Viruses and Spyware - Web Threat, Virus and Spyware Detection and Removal | Sophos - Threat Center - Cloud Antivirus, Endpoint, UTM, Encryption, Mobile, DLP, Server, Web, Wireless Security, Network Storage and Next-Gen Firewall Solutions | Sophos Data Protection for Business.” Accessed September 22, 2015. https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Xorist-A.aspx
  42. Eric. 2015. “How Do I Remove Azazel Ransomware? (azazel Virus Removal Guide ).” EasyVirusKilling.com. Accessed September 23. http://easyviruskilling.com/how-do-i-remove-azazel-ransomware-azazel-virus-removal-guide/
  43. “AAEH | US-CERT.” 2015. Accessed September 23. https://www.us-cert.gov/ncas/alerts/TA15-098A.
  44. “Crypto Ransomware | US-CERT.” 2015. Accessed September 23. https://www.us-cert.gov/ncas/alerts/TA14-295A
  45. “Recent Reports of DHS-Themed Ransomware (UPDATE) | US-CERT.” 2015. Accessed September 23. https://www.us-cert.gov/ncas/current-activity/2013/07/30/Recent-Reports-DHS-Themed-Ransomware-UPDATE
  46. “Cyber Threats to Mobile Phones | US-CERT.” 2015. Accessed September 23. https://www.us-cert.gov/security-publications/cyber-threats-mobile-phones https://www.us-cert.gov/sites/default/files/publications/cyber_threats_to_mobile_phones.pdf
  47. “Ten Ways to Improve the Security of a New Computer | US-CERT.” 2015. Accessed September 23. https://www.us-cert.gov/security-publications/ten-ways-improve-security-new-computer / https://www.us-cert.gov/sites/default/files/publications/TenWaystoImproveNewComputerSecurity.pdf
  48. 29, Michael Kassner | September, 2015, and 8:30 Am Pst. “Ransomware: To Pay or Not to Pay.” TechRepublic. Accessed September 29, 2015. http://www.techrepublic.com/article/ransomware-to-pay-or-not-to-pay/
  49. “To Pay or Not to Pay - That’s the Ransomware Question | Cybersecurity | TechNewsWorld.” Accessed September 29, 2015. http://www.technewsworld.com/story/80640.html
  50. Facebook, Aarti Shahani Twitter. “Ransomware: When Hackers Lock Your Files, To Pay Or Not To Pay?” NPR.org. Accessed September 29, 2015. http://www.npr.org/sections/alltechconsidered/2014/12/08/366849122/ransomware-when-hackers-lock-your-files-to-pay-or-not-to-pay
  51. “Ransomware Hostage Rescue Manual | KnowBe4.” Accessed September 29, 2015. https://info.knowbe4.com/ransomware-hostage-rescue-manual-0
  52. “Hey Scandos, Missed That Parcel? Here’s Some Ransomware Instead.” Accessed September 29, 2015. http://www.theregister.co.uk/2015/09/24/missed_parcel_ransomware_scam_cryptolocker/
  53. Zetter, Kim. “Hacker Lexicon: A Guide to Ransomware, the Scary Hack That’s on the Rise.” WIRED, September 17, 2015. http://www.wired.com/2015/09/hacker-lexicon-guide-ransomware-scary-hack-thats-rise/
  54. Ransomware: A growing Menace. Symantec Whitepaper Accessed September 29, 2015. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ransomware-a-growing-menace.pdf
  55. “237.21 Bitstamp BTC/USD - BitcoinWisdom.” Accessed September 30, 2015. https://bitcoinwisdom.com/markets/bitstamp/btcusd
  56. “Bitcoin Price - Bitcoin Charts - Coinbase.” Accessed September 30, 2015. https://www.coinbase.com/charts
  57. “Bitcoin Charts / Charts.” Accessed September 30, 2015. http://bitcoincharts.com/charts/bitstampUSD#tgSzm1g10zm2g25zv
  58. “Bitcoin Price Index - Real-Time Bitcoin Price Charts.” CoinDesk. Accessed September 30, 2015. http://www.coindesk.com/price/
  59. “Preev.com” BTC to USD converter. Accessed September 30, 2015. http://preev.com/
  60. “History of Bitcoin.” Wikipedia, the Free Encyclopedia, September 28, 2015. https://en.wikipedia.org/w/index.php?title=History_of_Bitcoin&oldid=683221853
  61. “How Malware Works: Anatomy of a Drive-by Download Web Attack (Infographic) | Sophos Blog.” Accessed September 30, 2015. https://blogs.sophos.com/2014/03/26/how-malware-works-anatomy-of-a-drive-by-download-web-attack-infographic/
  62. “6 Ways to Defend Against Drive-by Downloads.” CIO, February 10, 2012. http://www.cio.com/article/2448967/security0/6-ways-to-defend-against-drive-by-downloads.html
  63. “Cybereason Labs Research: Operation Kofer – New Mutating Ransomware Group.” 2015. Cybereason. Accessed September 30. http://www.cybereason.com/cybereason-labs-research-operation-kofer-new-mutating-ransomware-group/  http://go.cybereason.com/rs/996-YZT-709/images/Cybereason Labs Reasearch Analysis - Kofer.pdf
  64. “Heads Up! Nasty New Hybrid Strain: The AIDS of Ransomware.” Accessed October 1, 2015. https://blog.knowbe4.com/heads-up-nasty-new-hybrid-strain-the-aids-of-ransomware
  65. “Fresh Ransomware Campaign Has a 0% Detection Rate.” Infosecurity Magazine. Accessed October 1, 2015. http://www.infosecurity-magazine.com/news/fresh-ransomware-campaign-has-a-0/
  66. “Post Office Email Scams Dropping Crypt0l0cker Ransomware.” The State of Security. Accessed October 1, 2015. http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/post-office-email-scams-target-denmark-drop-crypt0l0cker-ransomware/
  67. “Virus Alert! Crytpolocker: What You Should Know...| New Jersey.” IT Service Solutions | New Jersey. Accessed October 1, 2015. http://www.afscott.com/virus-alert-crytpolocker-know/
  68. “CryptoLocker Ransomware Infections | US-CERT.” Accessed October 1, 2015. https://www.us-cert.gov/ncas/alerts/TA13-309A
  69. “How Hackers Can Disguise Malicious Programs With Fake File Extensions.” 2015. Accessed October 1. http://www.howtogeek.com/127154/how-hackers-can-disguise-malicious-programs-with-fake-file-extensions/
  70. “What Is Principle of Least Privilege (POLP)? - Definition from WhatIs.com.” 2015. SearchSecurity. Accessed October 3. http://searchsecurity.techtarget.com/definition/principle-of-least-privilege-POLP
  71. “Principle of Least Privilege.” 2015. Wikipedia, the Free Encyclopedia. https://en.wikipedia.org/w/index.php?title=Principle_of_least_privilege&oldid=681453612
  72. “Least Privilege | Build Security In.” 2015. Accessed October 3. https://buildsecurityin.us-cert.gov/articles/knowledge/principles/least-privilege
  73. Principle of least privilege PDF from SANS https://www.sans.org/reading-room/whitepapers/bestprac/implementing-privilege-enterprise-1188
  74. Wiley Pathways Network Security Fundamentals. 2015. Accessed October 3. https://books.google.com/books/about/Wiley_Pathways_Network_Security_Fundamen.html?id=Gdux_6ckDYwC
  75. “Ransomware, Kidnapping Your Information, from Files to Photos | The Sunday Times Sri Lanka.” 2015. Accessed October 4. http://www.sundaytimes.lk/151004/business-times/ransomware-kidnapping-your-information-from-files-to-photos-166404.html
  76. “On Determining the Proper Question by Albert Einstein (Gurteen Knowledge).” 2015. Accessed October 4. http://www.gurteen.com/gurteen/gurteen.nsf/id/determining-the-proper-question
  77. “The 7 Best Ransomware Removal Tools - How to Clean up Cryptolocker, CryptoWall and Extortion Malware.” Techworld. Accessed October 9, 2015. http://www.techworld.com/security/7-best-ransomware-removal-tools-how-clean-up-cryptolocker-cryptowall-extortion-malware-3626974/
  78. “PornDroid Ransomware Trojan Tries Material Design to Boost Payments.” Accessed October 13, 2015. http://www.cso.com.au/article/586574/porndroid-ransomware-trojan-tries-material-design-boost-payments/
  79. “To Scare People Better, Android Ransomware Gets a Snazzy UI.” ITworld, October 12, 2015. http://www.itworld.com/article/2992258/to-scare-people-better-android-ransomware-gets-a-snazzy-ui.html
  80. “Ransomware Targets Gullible Viewers of Porn - Bangalore Mirror.” Accessed October 13, 2015. http://www.bangaloremirror.com/bangalore/others/Ransomware-targets-gullible-viewers-of-porn/articleshow/49328598.cms.
I have stopped adding references to this article, but the sources are continually changing and growing.  If anyone is interested I keep a reference database of ransomware related articles - as of this writing (01/05/2016) DB count is 264.  This link will show all updates I make to the citation library.  It uses the Zotpress plugin to show a Zotero reference library in Wordpress.
Thomas Zucker-ScharffSenior Data Analyst
Veteran in computer systems, malware removal and ransomware topics.  I have been working in the field since 1985.

Comments (9)

Thomas Zucker-ScharffSenior Data Analyst


So far I have not encountered any false negatives, in other words, when I have tried infecting the machine with several different ransomware variants, none have actually encrypted my files.  In the beginning of the beta the ransomware alert was still being displayed, with the count down and everything, but no files were actually encrypted.  So I would have to say that is a no to false negatives.  That is only for Malwarebytes Antiransomware.  I have NOT done the same test for the BD antiransomware due to the fact that the system it is on.
Most Valuable Expert 2013

Good to know, thanks!
btanExec Consultant
Distinguished Expert 2022

Recently there is also a ID ranswore toolkit which may be handy for identification though it may not be 100% since it is still signature based.
Thomas Zucker-ScharffSenior Data Analyst


Thanks for the link btan.  The one I am looking at, Ransomware Detection Service, is similar to the one you point to, but console based instead of web based.  Also it is more for looking at network shares and identifying where an infection originated than anything else.  It should be noted that the website you linked is indeed an ID website and specifically says:

Can you decrypt my data?

No. This service is strictly for identifying what ransomware may have encrypted your files

Which is pretty much the same as RDS.
Thanks for sharing. Guys if these keys don't work for you and you don't mind spending a little money, then you can visit www.vanskeys.com to get heap and genuine keys for office in all versions.

View More

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.