It would be difficult, if not impossible, to compile a list of every type of ransomware proliferating today. While the following is not a complete list of today’s ransomware, it gives a sense of the major players and the variety in existence.
CryptoLocker – CryptoLocker is distributed via exploit kits and spam. When the malware is run, it installs itself in the Windows User Profiles folder and encrypts files across local hard drives and mapped and unmapped network drives. It only encrypts files with specific extensions, including Microsoft Office, OpenDocument, image and AutoCAD files. Once the dirty work is done, a message is displayed on the user's screen informing them that their files have been encrypted and demanding payment in Bitcoin.
CryptoWall – Like CryptoLocker, CryptoWall is distributed via spam or exploit kits. The initial version of CryptoWall used an RSA public encryption key, but later versions (including the latest, CryptoWall 3.0) use a private AES key, which is further masked using a public AES key. When the malware attachment is opened, the CryptoWall binary copies itself into the Microsoft temp folder and begins to encrypt files. CryptoWall encrypts a wider variety of file types than CryptoLocker but, when encryption is complete, likewise displays a ransom message on the user's screen demanding payment.
CTB-Locker – When CTB-Locker runs, it copies itself to the Microsoft temp directory. Unlike most forms of ransomware today, CTB-Locker uses Elliptic Curve Cryptography (ECC) to encrypt files. CTB-Locker affects more file types than CryptoLocker. Once files are encrypted, CTB-Locker displays a ransom message demanding payment in, you guessed it, Bitcoin.
Locky – This malware is spread using spam, typically in the form of an email message disguised as an invoice. When opened, the invoice appears scrambled, and the victim is instructed to enable macros to read the document. When macros are enabled, Locky begins encrypting a large array of file types using AES encryption. A Bitcoin ransom is demanded when encryption is complete. Are you sensing a pattern here?
TeslaCrypt – Like most of the other examples here, TeslaCrypt uses AES to encrypt files. It is typically distributed via the Angler exploit kit, specifically attacking Adobe vulnerabilities. Once a vulnerability is exploited, TeslaCrypt installs itself in the Microsoft temp folder. When the time comes for victims to pay up, TeslaCrypt gives a few choices for payment: Bitcoin, PaySafeCard and Ukash are accepted here.
TorrentLocker – TorrentLocker uses a technique called process hollowing, in which a Windows system process is launched in a suspended state, malicious code is installed into it, and the process is resumed. It uses explorer.exe for process hollowing. This malware also deletes Microsoft Volume Shadow Copies to prevent restores using Windows file recovery tools. As with the others outlined above, Bitcoin is the preferred currency for ransom payment.
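The shadow copy deletion described for TorrentLocker is one of the few ransomware behaviours that leaves a clean, low-noise signal in process-creation telemetry, so it is worth alerting on directly. The following is an added example, not code from the original article or from any vendor: it scans constructed process-creation log lines (a simplified `timestamp|parent|image|commandline` layout, not a real Sysmon or EDR format) for command lines that remove Volume Shadow Copies, and down-ranks the alert when the parent process is a known backup agent. The allow-list entry `backupagent.exe` is a placeholder for whatever legitimately runs VSS maintenance in your environment.

```python
import re

# Constructed sample process-creation events. Format: timestamp|parent|image|commandline
# (a simplified layout for this example, not a real Sysmon/EDR schema).
SAMPLE_PROCESS_LOG = [
    "2016-03-01T10:02:11Z|explorer.exe|vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet",
    "2016-03-01T10:02:12Z|services.exe|svchost.exe|svchost.exe -k netsvcs",
    "2016-03-01T10:05:40Z|cmd.exe|wmic.exe|wmic shadowcopy delete",
    "2016-03-01T10:07:03Z|explorer.exe|vssadmin.exe|vssadmin list shadows",
    "2016-03-01T10:09:15Z|backupagent.exe|vssadmin.exe|vssadmin delete shadows /for=D: /oldest",
]

# Command lines that remove Volume Shadow Copies (MITRE ATT&CK T1490, Inhibit System
# Recovery). Matched case-insensitively with flexible whitespace; listing shadows is
# deliberately NOT matched, since that is harmless and common.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
]

# Hypothetical parent images that legitimately prune shadow copies (tune per site).
ALLOWED_PARENTS = {"backupagent.exe"}


def parse_line(line):
    """Split one constructed log line into its fields (image names lower-cased)."""
    ts, parent, image, cmdline = line.split("|", 3)
    return {"ts": ts, "parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}


def is_shadow_copy_deletion(cmdline):
    """True if the command line would delete Volume Shadow Copies."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def find_shadow_copy_deletions(lines, allowed_parents=ALLOWED_PARENTS):
    """Return one alert dict per shadow-copy deletion seen in the log lines.

    Severity is "high" unless the parent process is an allow-listed backup tool,
    in which case the event is still recorded as "info" so it stays auditable.
    """
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if not is_shadow_copy_deletion(ev["cmdline"]):
            continue
        severity = "info" if ev["parent"] in allowed_parents else "high"
        alerts.append({
            "ts": ev["ts"],
            "parent": ev["parent"],
            "cmdline": ev["cmdline"],
            "severity": severity,
            "rule": "shadow_copy_deletion",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_shadow_copy_deletions(SAMPLE_PROCESS_LOG):
        print(f"[{alert['severity']}] {alert['ts']} parent={alert['parent']} cmd={alert['cmdline']}")
```

Because deletion of shadow copies is rare on a healthy workstation and usually happens seconds before mass encryption starts, a high-severity hit here is a good trigger for automated isolation of the host; the allow-listed case is kept at informational level rather than dropped so that a backup agent being abused as a parent still shows up in review.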
KeRanger – According to ArsTechnica, KeRanger ransomware was recently discovered on a popular BitTorrent client. KeRanger is not widely distributed at this point, but it is worth noting because it is known as the first fully functioning ransomware designed to lock Mac OS X applications.
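Every family listed above ends the same way: readable documents are replaced with ciphertext. A defender cannot see the key exchange, but can notice that files which should be low-entropy (text, Office documents in older formats, CAD data) suddenly look like random bytes. The following added example, written for this article and not drawn from any product or from the families described, computes Shannon entropy over a small constructed corpus and flags files whose entropy is far above what their extension should produce. The extension baseline and the 7.2 bits-per-byte threshold are assumptions for illustration; compressed formats such as JPEG and the zip-based .docx are expected to be high-entropy and are excluded from flagging to avoid false positives.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Assumed baseline: formats that are compressed or encrypted by design, so high
# entropy is normal for them and not a ransomware signal on its own.
EXPECTED_HIGH_ENTROPY_EXT = {".jpg", ".png", ".zip", ".docx", ".xlsx", ".pdf"}

# Assumed threshold; plaintext and structured binary usually sit well below this,
# while ciphertext and compressed data sit near 8.0.
THRESHOLD = 7.2


def pseudo_random_bytes(n, seed):
    """Deterministic stand-in for ciphertext/compressed data (SHA-256 chain; constructed)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed sample corpus: name -> content.
SAMPLE_FILES = {
    "budget.txt": b"Quarterly budget: revenue 1200, costs 950.\n" * 60,  # plain text
    "photo.jpg": pseudo_random_bytes(4096, b"photo"),                    # compressed image stand-in
    "notes.txt": pseudo_random_bytes(4096, b"notes"),                    # text file overwritten with ciphertext
    "drawing.dwg": b"AC1024" + b"\x00" * 500 + b"line 0 0 10 10\n" * 50,  # CAD-like structured binary
}


def file_extension(name):
    return name[name.rfind("."):].lower() if "." in name else ""


def suspicious_files(files, threshold=THRESHOLD, expected_high=EXPECTED_HIGH_ENTROPY_EXT):
    """Return names of files whose entropy exceeds the threshold although their
    extension says they should be readable, low-entropy content."""
    flagged = []
    for name, data in files.items():
        if file_extension(name) in expected_high:
            continue
        if shannon_entropy(data) >= threshold:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:12s} entropy={shannon_entropy(data):.2f}")
    print("flagged:", suspicious_files(SAMPLE_FILES))
```

In practice this check is most useful as a rate signal rather than a per-file verdict: a single high-entropy .txt is noise, but dozens of previously low-entropy files on a share crossing the threshold within a minute is the encryption loop these families run, and that is the moment to cut the host off from the network and fall back to backups.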
Security software is essential; however, you can't rely on it alone. A proper ransomware protection strategy requires a three-pronged approach comprising education, security, and backup. User education and security software can help you avoid cyber-attacks. Patch management is essential: be certain that your software is up-to-date and secure. In the end, it is backup that will help you pick up the pieces when all else fails. Consider using a modern offsite backup product that offers features that can permanently eliminate downtime.