July 20, 2016

Ask the expert: Jornt van der Wiel talks ransomware

Jornt van der Wiel is a member of our GReAT — Global Research and Analysis Team — and our top ransomware and encryption expert. He lives in the Netherlands, and has been working for Kaspersky Lab for more than 2 years.

We offered our readers a chance to ask Jornt any questions they might have about ransomware and encryption — and the response was amazing. In fact, there were too many questions to publish in just one blog post, so we split them into two groups. In this post, Jornt answers questions mostly regarding ransomware and in the next post, he’ll talk encryption.

Do you think that ransomware will concern us more and more in the future, compared to other malware categories such as classic viruses and Trojan horses?

Yes, for sure. We are seeing a rise both in new families being discovered and in infection attempts on users. The threat is becoming bigger and bigger every day. That is largely because ransomware is relatively easy to monetize. A criminal infects somebody, the victim pays, and once the payment is made, the victim receives the keys and is able to decrypt the files. There is no need for any additional communication or any other interactions. This is in contrast to banking malware, for example, which usually requires criminals to talk to their victims via chat.

How can I avoid being affected by ransomware?

  • Always have the latest updates of your software installed;
  • Don’t click on links or attachments in any suspicious e-mails;
  • Enable file extensions in Windows (so that you see if the filename is actually invoice.pdf.exe instead of just invoice.pdf);
  • Have your anti-virus solution updated and configured with heuristics on;
  • And, for when things go wrong, have backups. Store them offline, or store your files in the cloud with unlimited version control (so even if your files get encrypted on your local drive, which is then synced to the cloud, you can still retrieve the latest unencrypted version).

As a person, am I more vulnerable to ransomware than a company?

Ransomware targets everybody. Sometimes, specific companies are targeted, but mostly, we see massive spam runs aimed at infecting anybody. On the other hand, large companies are not willing to pay the ransom; they usually have backups in place. Smaller companies are sometimes more likely to pay because restoring the backup might cost more than paying the ransom.

When is it possible to decrypt files that were encrypted with ransomware?

It is possible in the following cases:

  • The malware authors make an implementation mistake, making it possible to break the encryption. That was the case with Petya ransomware and with CryptXXX. Unfortunately, I cannot give you a list of the mistakes they made — that would help them not to make such mistakes again. But in general, it’s not that easy to get encryption right. If you want to know more about encryption, and the mistakes people can make, I advise you to search for the Matasano crypto challenges.
  • The malware authors later feel sorry and publish the keys, or a “master” key, as in the TeslaCrypt case.
  • Law enforcement agencies seize a server with keys on it and share them. Last year, using keys recovered by Dutch police, we created a decryption tool for CoinVault victims.

Sometimes paying the ransom also works, but there is no guarantee that paying will actually lead to your files being decrypted. In addition, if you pay, you’re supporting the criminal’s business model and thus are partly responsible for more and more people getting infected with ransomware.

In the instructions for dealing with CryptXXX, you say that besides the encrypted file, you also need the unencrypted file. What’s the point of the software, then? If I had the unencrypted file, I wouldn’t need your tool…

A very good question, and thanks for bringing this up. This shows that we have to be more clear in the future. This ransomware encrypts all of your files with the same key. So, say you have 1,000 files encrypted, and of these files you have only one original file saved somewhere — for example, the file is a picture you e-mailed to somebody. If you feed just this one file into our decryption utility, we can recover the decryption key, and then your other 999 files can be decrypted. However, you do need that original file.
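The principle behind "one original file unlocks the rest", as an added illustration that is not Kaspersky's decryption utility and does not reproduce CryptXXX's real algorithm: a toy encryptor that reuses one keystream for every file, and the known-plaintext recovery that a single original copy makes possible. The key derivation, the file names and contents are all constructed for the example.

```python
import hashlib

def keystream(key: bytes, length: int) -> bytes:
    # Hypothetical deterministic keystream (SHA-256 in counter mode). The toy
    # scheme's fatal mistake is applying this same keystream to every file.
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(8, "little")).digest()
        ctr += 1
    return out[:length]

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))

def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    # plaintext XOR ciphertext = keystream, so one original reveals the
    # keystream prefix without ever learning the criminals' key.
    if len(original) != len(encrypted):
        raise ValueError("the original must match the encrypted file exactly")
    return bytes(o ^ e for o, e in zip(original, encrypted))

def recover_all(original_name: str, original_data: bytes, encrypted_files: dict) -> dict:
    """Decrypt every file no longer than the known original; longer files need
    a longer original, because only that much keystream is recovered."""
    ks = recover_keystream(original_data, encrypted_files[original_name])
    recovered = {}
    for name, enc in encrypted_files.items():
        if len(enc) <= len(ks):
            recovered[name] = bytes(e ^ k for e, k in zip(enc, ks))
    return recovered

# Constructed victim data. The key is what the criminals hold and the victim lacks.
VICTIM_KEY = b"constructed-per-victim-key"
ORIGINALS = {
    "photo.jpg": b"\xff\xd8\xff\xe0JFIF" + bytes(range(56)),   # 64 bytes; a copy was e-mailed earlier
    "notes.txt": b"quarterly numbers, do not share",           # 31 bytes, no other copy
    "archive.bin": bytes(range(256)) * 2,                      # 512 bytes, longer than the known original
}
ENCRYPTED = {name: toy_encrypt(VICTIM_KEY, data) for name, data in ORIGINALS.items()}

if __name__ == "__main__":
    got = recover_all("photo.jpg", ORIGINALS["photo.jpg"], ENCRYPTED)
    print(sorted(got))  # photo.jpg and notes.txt come back; archive.bin is too long
```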

Is file encryption malware the only type of ransomware?

No, there is also ransomware that locks your computer. However, that type is usually easy to bypass or remove, which is why it is less and less popular these days. If you want to know more about locking ransomware and the ways to fight it, check out this post on our blog about it.

From what I see in the international press, addressing the ransomware problem is like a game of cat and mouse. You find a solution and your opponents try to bypass it. Is it really like that?

Not really. Our System Watcher component, which looks at behavior of running processes, can detect most of the new ransomware attacks it encounters — even those from yet-unknown ransomware. OK, there are rare examples that are not detected by our System Watcher. We then make a new behavioral signature that also catches the new type of attack. Again, this is very unusual.
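What a behavioural signature of the kind described above can look like, as an added example that is not System Watcher's logic: a heuristic that flags a process which renames many files to a different extension within a short window, run over constructed file-event log lines. The log format, field names, process names and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# Hypothetical file-event log format; the regex and fields are assumptions.
EVENT_RE = re.compile(r"t=(\d+) pid=(\d+) proc=(\S+) op=rename src=(\S+) dst=(\S+)")

def extension(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def suspicious_renames(log_lines, threshold: int = 5, window: int = 10) -> dict:
    """Return {pid: process name} for processes that performed at least
    `threshold` extension-changing renames within `window` seconds.
    Plain renames that keep the extension (photo organisers, backup tools)
    are ignored, which keeps this crude heuristic's false positives down."""
    recent = defaultdict(deque)   # pid -> timestamps of recent extension changes
    flagged = {}
    for line in log_lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        t, pid, proc, src, dst = m.groups()
        if extension(src) == extension(dst):
            continue
        q = recent[pid]
        q.append(int(t))
        while q and int(t) - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[pid] = proc
    return flagged

# Constructed sample log: a double-extension dropper renaming user documents
# in a burst, and a legitimate backup job renaming .tmp files to .zip slowly.
SAMPLE_LOG = [
    r"t=100 pid=4242 proc=invoice.pdf.exe op=rename src=C:\Users\a\Documents\q1.docx dst=C:\Users\a\Documents\q1.docx.locked",
    r"t=100 pid=4242 proc=invoice.pdf.exe op=rename src=C:\Users\a\Documents\q2.docx dst=C:\Users\a\Documents\q2.docx.locked",
    r"t=101 pid=4242 proc=invoice.pdf.exe op=rename src=C:\Users\a\Documents\budget.xlsx dst=C:\Users\a\Documents\budget.xlsx.locked",
    r"t=101 pid=4242 proc=invoice.pdf.exe op=rename src=C:\Users\a\Pictures\photo1.jpg dst=C:\Users\a\Pictures\photo1.jpg.locked",
    r"t=102 pid=4242 proc=invoice.pdf.exe op=rename src=C:\Users\a\Pictures\photo2.jpg dst=C:\Users\a\Pictures\photo2.jpg.locked",
    r"t=103 pid=880 proc=backup.exe op=rename src=C:\Backups\2016-07-20.tmp dst=C:\Backups\2016-07-20.zip",
    r"t=130 pid=880 proc=backup.exe op=rename src=C:\Backups\2016-07-21.tmp dst=C:\Backups\2016-07-21.zip",
]

if __name__ == "__main__":
    print(suspicious_renames(SAMPLE_LOG))  # {'4242': 'invoice.pdf.exe'}
```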

Criminals demand payment in bitcoins, which is hard to track. Is it possible to actually track those criminals and reach them?

Actually, tracing a Bitcoin transaction is not difficult; transactions are recorded in the blockchain. That is the nature of Bitcoin — you can trace any transactions. What you don’t know is who is on the other end of the transaction. So, law enforcement agencies can trace transactions to a wallet, but they still need to find out to whom that wallet belongs.

Bitcoin mixers have been introduced to frustrate tracing efforts. Think of a mixer as a machine into which you put many bitcoins, and then these bitcoins are swapped between owners many times, which makes tracing more difficult. So for example, I’m a victim and I need to pay a bitcoin to a wallet. I make the payment to a wallet, and then the same bitcoin goes to a mixer. The bitcoin is swapped with someone else’s bitcoin. Thus in the end, we don’t know which bitcoin to trace anymore. And as you can guess, this happens a lot.

Various research has been done on this subject (you can find a lot of it with Google), and it shows that tracing is sometimes possible. In short: Sometimes it is possible to trace the transactions back to one wallet, but it isn’t easy — and even when you find the wallet, the bitcoin exchange has to work with law enforcement to reveal the wallet owner’s credentials.
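The tracing problem sketched above, as an added illustration with a constructed transaction graph rather than real blockchain data: following a ransom payment forward to an address an exchange could be asked about, and seeing how a mixer-style transaction with several unrelated inputs turns that definite link into a set of candidates. Address names and the exchange attribution list are assumptions made for the example.

```python
# Constructed transaction graph (not real blockchain data). Each transaction
# lists the addresses it spends from and the addresses it pays to.
TXS = [
    {"id": "tx1", "in": {"victim_wallet"}, "out": {"ransom_wallet"}},
    {"id": "tx2", "in": {"ransom_wallet"}, "out": {"mixer_in"}},
    # Mixer-style transaction: unrelated inputs pooled, several outputs paid.
    {"id": "tx3", "in": {"mixer_in", "other_user_1", "other_user_2"},
     "out": {"mix_out_a", "mix_out_b", "mix_out_c"}},
    {"id": "tx4", "in": {"mix_out_b"}, "out": {"exchange_deposit_7"}},
    {"id": "tx5", "in": {"mix_out_c"}, "out": {"merchant_shop"}},
]

# Hypothetical attribution list: deposit addresses known to belong to an
# exchange that can be asked, via law enforcement, who owns the account.
KNOWN_EXCHANGE_DEPOSITS = {"exchange_deposit_7"}

def trace_forward(start: str, txs=TXS):
    """Follow coins forward from `start` through every spending transaction.
    Returns (exchange deposits reached, crossed_mixer, all addresses seen).
    crossed_mixer is True once the path passes a multi-input transaction:
    from then on every output is only a candidate, not a proven destination."""
    frontier, seen, hits, crossed_mixer = [start], set(), set(), False
    while frontier:
        addr = frontier.pop()
        if addr in seen:
            continue
        seen.add(addr)
        if addr in KNOWN_EXCHANGE_DEPOSITS:
            hits.add(addr)
        for tx in txs:
            if addr in tx["in"]:
                if len(tx["in"]) > 1:
                    crossed_mixer = True
                frontier.extend(tx["out"])
    return hits, crossed_mixer, seen

if __name__ == "__main__":
    hits, mixed, _ = trace_forward("ransom_wallet")
    print(hits, "ambiguous" if mixed else "direct")   # {'exchange_deposit_7'} ambiguous
```

Tracing from an uninvolved input of the same mixer transaction reaches the identical deposit address, which is exactly why the exchange's records, not the chain alone, decide whose account it is.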

How many years did it take to discover CoinVault and find its creators?

The CoinVault story basically started when Bart from Panda Security tweeted that he had found additional CoinVault samples. It turned out that two of those were not CoinVault, but they were clearly related to it. We decided to write a blog post about it and create a timeline of the evolution of CoinVault. When we were 90% done with the post, we sent it to the National High Tech Crime Unit (NHTCU).

After we finished the post, we found some leads that led us to two possible suspects. Naturally, we shared this information with the NHTCU. The time between Bart’s tweet and this discovery was at most one month, but of course, we hadn’t spent all that time just working on the blog post — we also had non-CoinVault work. After the post was published, it took the NHTCU about half a year more to build a thorough case, and the criminals were finally arrested in September of last year.

How much money are cybercriminals making with ransomware?

A very good question, but rather difficult to answer. We can only know for sure when we are able to trace, for example, all of the bitcoin transactions to a certain wallet. Or when police seize a command-and-control server that has payment info on it. But to give you an idea, let’s say a criminal was able to infect 250,000 people (this is probably a close estimate if we are speaking about big campaigns). And let’s assume they ask just $200 for decryption (the real average is about $400). If only 1% of the infected victims pay, the revenue would be about $500,000.

Is it possible for an infected PC within a local network to spread the ransomware through the network to other computers that have the same operating system? Can one piece of ransomware affect different operating systems?

For the first part of your question: If the ransomware has worm capabilities, it can spread through a network. For instance, Zcryptor and SamSam are two ransomware families that have these capabilities.

For the second part of your question: It is possible for one piece of ransomware to infect multiple operating systems if it targets web servers. So, for example, ransomware could target a server running a vulnerable content management system written in PHP. The ransomware might then infect a Windows computer that has a web server with PHP installed. And then it could scan other parts of the Internet searching for other computers to infect. The next computer might be running Linux — but with a PHP web server. To sum up, the answer is: Yes, there is multiplatform ransomware.

Next week we will publish Jornt’s answers to questions regarding encryption. Stay tuned!