I don’t know how technologically inclined you are, so I will ask this simple, rhetorical question: What is ransomware?
The answer is: Ransomware is a form of cyber-attack in which criminals take control of your computer’s files and block access to them until you pay a fee to release them.
Cybercriminals gain control of your files by placing malicious software on your computer. They can accomplish this goal in several ways; however, these are the two most common methods:
- You open an email attachment, either a Microsoft Word document or an Adobe PDF file, that contains a worm or a Trojan.
- You click on a link in an email.
Here’s a summary of what happens next.
Once the malicious software is downloaded to your computer, one element will contact a “command and control” server on the internet to obtain a unique key. Another element then executes and uses that key to encrypt your files. To accomplish that task, it takes the contents of your files and turns each one into a mass of numbers and letters that your computer’s programs cannot read. After all that mayhem is complete, one of the rogue software elements sends a confirmation to the cybercriminal.
In some cases, before your files are encrypted, the cybercriminals will copy them to the internet. Part of the extortion message you receive may include a statement that they will release your confidential information to the public. This message is designed to be an added incentive to make you pay “full freight” to get the decryption key. In some reported instances, victims have been known to bargain for a lower fee and have successfully reduced the amount of the ransom.
How Does All This Happen?
Two of the main components that allow ransomware to run wild are Emotet and Trickbot.
Emotet is malicious software that is categorized as a Trojan, which means it appears as something innocuous; however, it carries an undesirable harmful payload. Initially, it was designed to steal banking credentials. Later iterations added features including money transfer and evasive functions.
Emotet arrives primarily in phishing attacks via emails that contain malicious links or Microsoft Word files that contain macros.
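Because the macro-bearing Word file is the delivery vehicle described above, a mail gateway or help desk can check an attachment's actual contents rather than trusting its extension. The following is an added example, not code from the article or from any vendor product: a modern Office document is a ZIP container, and a macro project is stored in a part named vbaProject.bin, so its presence is a reliable sign that the file carries VBA. The sample "attachments" are constructed in memory so the script runs offline; the function names and the verdict labels are my own.

```python
import io
import zipfile

# Magic bytes of the two Office container formats (real values).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls (can embed VBA)
ZIP_MAGIC = b"PK\x03\x04"                        # Office Open XML (.docx/.docm/.xlsm ...)


def build_sample_office_file(with_macro: bool) -> bytes:
    """Construct a minimal Office-style ZIP in memory (sample data, not real malware).

    A real document has many more parts; only the ones the classifier looks at
    are included here.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # In a genuine .docm this part holds the compiled VBA project.
            z.writestr("word/vbaProject.bin", b"\x00placeholder-vba-project\x00")
    return buf.getvalue()


def classify_attachment(data: bytes) -> str:
    """Classify attachment bytes as 'macro', 'office', 'legacy-office', 'pdf' or 'other'."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(OLE_MAGIC):
        # The binary format can also contain VBA streams; flag it for a closer look
        # rather than trying to parse the OLE structure here.
        return "legacy-office"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "other"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "macro"
        if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
            return "office"
    return "other"


def triage(filename: str, data: bytes) -> dict:
    """Combine the content check with the claimed extension.

    A file whose name says '.docx' (macro-free format) but whose contents carry a
    VBA project is a mismatch worth flagging on its own.
    """
    kind = classify_attachment(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    mismatch = kind == "macro" and ext in ("docx", "xlsx", "pptx")
    hold = kind in ("macro", "legacy-office") or mismatch
    return {"filename": filename, "kind": kind, "extension_mismatch": mismatch, "hold": hold}


if __name__ == "__main__":
    samples = {
        "invoice.docm": build_sample_office_file(with_macro=True),
        "invoice.docx": build_sample_office_file(with_macro=True),   # lies about its type
        "report.docx": build_sample_office_file(with_macro=False),
        "brochure.pdf": b"%PDF-1.7\n%constructed sample\n",
    }
    for name, blob in samples.items():
        print(triage(name, blob))
```

The check is deliberately content-based: renaming a .docm to .docx does not remove the vbaProject.bin part, so the mismatch flag catches the disguise while the plain "office" verdict lets ordinary documents through.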
Once Emotet is on a computer, it attempts to establish persistence on the computer and then propagates through the local network via spreader modules. When it is activated, it will connect to the command and control server to report a new infection. It receives configuration data, downloads and runs files, receives instructions, and then uploads the requested data to the command and control server. The instructions it receives can launch other forms of malware based on the criminals’ intent and goals.
The fact that Emotet is easily released on an unsuspecting victim makes it a very serious threat. Bad actors can send a phishing email to millions of email accounts. Probability theory dictates that someone, somewhere, will click on the link or download the file and thus become infected. For any business – large or small – all it takes is one email to reach its target, and all the computers in the company could become compromised.
The Cybersecurity & Infrastructure Security Agency (CISA) reports that Emotet “can evade typical signature-based detection.” It is virtual machine aware and “can generate false indicators if in a virtual environment.” This means that the typical “sandbox” features used by some advanced security software may not be able to identify it.
Trickbot is another Trojan that uses various modules to attack a computer. These attacks include obtaining banking credentials and exfiltrating data.
The primary way in which Trickbot establishes persistence is by creating a scheduled task that runs with SYSTEM privileges. The task is set to run at startup and repeatedly after that. The malware extracts and executes its code before contacting the command and control server. Trickbot’s executable contains an initial, encrypted list of servers to contact. Once a connection is established, it receives an updated list; those servers host the various modules and configuration files.
After it has started, Trickbot will steal passwords, steal email information, deploy web injections, and spread to other devices on the network.
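The persistence shape just described (a SYSTEM task, triggered at boot, repeating afterwards) is something a defender can hunt for in exported Task Scheduler definitions. The example below is added here and is not code from the article or from any product: it parses the real Task Scheduler XML format (namespace http://schemas.microsoft.com/windows/2004/02/mit/task, well-known SYSTEM SID S-1-5-18) and scores each task on four traits, with the scoring threshold and the list of user-writable paths being my own assumptions. Both task definitions are constructed samples, not captures of real malware.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_SID = "S-1-5-18"
# Directories an unprivileged user can write to (assumed list). A SYSTEM task whose
# command lives in one of these is far more suspicious than one under System32.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
STARTUP_TRIGGERS = ("BootTrigger", "LogonTrigger")

# Constructed sample: the shape described in the text (SYSTEM, at boot, every 10 min,
# binary dropped in a user-writable folder).
SUSPECT_TASK = r"""<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <BootTrigger>
      <Enabled>true</Enabled>
      <Repetition><Interval>PT10M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    </BootTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\ProgramData\svcupdate\svc.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample: also SYSTEM and at boot, but no repetition and a System32 binary.
BENIGN_TASK = r"""<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\svchost.exe</Command><Arguments>-k netsvcs</Arguments></Exec>
  </Actions>
</Task>"""


def assess_task(task_xml: str) -> dict:
    """Score one Task Scheduler XML definition on the traits of the described persistence."""
    root = ET.fromstring(task_xml)

    principal = root.find("t:Principals/t:Principal", NS)
    user_id = ""
    if principal is not None:
        user_id = principal.findtext("t:UserId", default="", namespaces=NS).strip()

    trigger_kinds = []
    repeats = False
    triggers = root.find("t:Triggers", NS)
    if triggers is not None:
        for trig in triggers:
            trigger_kinds.append(trig.tag.split("}")[-1])  # strip the namespace
            if trig.find("t:Repetition/t:Interval", NS) is not None:
                repeats = True

    commands = [(c.text or "").strip().strip('"') for c in root.findall("t:Actions/t:Exec/t:Command", NS)]

    runs_as_system = user_id.upper() == SYSTEM_SID
    starts_at_boot = any(k in STARTUP_TRIGGERS for k in trigger_kinds)
    from_user_path = any(c.lower().startswith(USER_WRITABLE_PREFIXES) for c in commands)

    score = sum([runs_as_system, starts_at_boot, repeats, from_user_path])
    return {
        "runs_as_system": runs_as_system,
        "starts_at_boot": starts_at_boot,
        "repeats": repeats,
        "from_user_path": from_user_path,
        "commands": commands,
        "score": score,
        "verdict": "review" if score >= 3 else "low",  # threshold is an assumption
    }


if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT_TASK), ("benign", BENIGN_TASK)):
        print(label, assess_task(xml))
```

On a live host the same function can be fed the output of `schtasks /query /xml` or the files under the Tasks folder; the point of scoring rather than matching a single trait is that many legitimate Windows tasks run as SYSTEM at boot, so the repetition and the user-writable command path are what separate the described persistence from normal background maintenance.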
What Does This Mean To You?
By now, I’m sure your eyes are glazing over, and you are wondering why I am subjecting you to this discourse.
We now live in a world shaped by the coronavirus; unfortunately, the threat and associated risk of COVID-19 is everywhere and, just as unfortunately, it is not going away any time soon. Cybercriminals will soon be counting on the turmoil and rampant misinformation about vaccines to lure the unwary into dangerous territory.
Wearing a mask, keeping your distance, and washing your hands will help lower your risk of getting the virus. For similar reasons, if you receive an email with an attachment, especially from someone you don’t know, you must always exercise caution!
The steps these malicious programs take on your computer occur extraordinarily fast — usually in less than a minute. You may not know that something terrible has happened until you see the ransom demand on your desktop.
It is because of programs like Emotet and Trickbot, along with others, that you must make sure you use next-generation advanced endpoint solutions to protect your computers and networks.