10 Weird and Scary Things Ransomware Can Do

Contel Bradford

Written by StorageCraft Blogger 

From out of nowhere, it seems, ransomware has emerged as one of the most dangerous security threats today. Although this malicious trend isn’t entirely new, the attacks have become alarmingly more sophisticated. The victim count has also steadily increased, and it looks like the trend is not slowing down.

By now Recovery Zone regulars are familiar with the ransomware basics. Once installed, the malware blocks access to your files and demands that you pay a ransom in order to regain access. Unfortunately for the victims, this new wave of attacks extends far beyond the basics. Here are 10 things you may or may not have known ransomware can do:

1. Wear a Clever Disguise

Although ransomware is fairly unique in functionality, it gets around like the malware we’ve all come to know and loathe. For example, RAA, which is written entirely in JavaScript, is distributed as an email attachment pretending to be a legitimate .doc file. In the latest version, the message claims that you owe money to a supplier and must download an invoice to see the balance. If you fall for the ruse, you install both the ransomware and a password-stealing Trojan. This sort of deception enables ransomware to evade anti-virus scanners and render existing security software powerless.

The latest strain of DetoxCrypto malware deliberately disguises itself as the reputable security software Malwarebytes, albeit in amateurish style: the name of the impostor software contains a typo, “Malwerbyte”. So beware which executables you install.

2. Works On Linux and Macs

As the world’s leading operating system, Windows is also number one with a bullet in the eyes of cyber attackers. And while Unix-like competitors have a reputation for offering better out of the box security, not even the best of them are spared in the ransomware onslaught. LinuxEncode gained a reputation as the first to target the Linux platform. It’s also one of the easiest to defeat due to its amateur approach to encryption. Then there’s KeRanger – some believe this is an updated version of LinuxEncode and the first ransomware launched on Mac OS X. KeRanger is distributed via BitTorrent client Transmission, suggesting that illegal downloads do in fact have a price.

3. It Can Talk To You

You’ve heard of talking mobile apps. Now meet the talking malware. After encrypting the victim’s files, the ransomware program known as Cerber delivers instructions on how to pay the ransom. The instructions are contained in TXT, HTML, and VBS files; the latter recites the message aloud. Cerber demands an average ransom of $500 to $800, paid over the Tor anonymity network, with the amount doubling within a week’s time. Talk about a pain in the neck.

4. Target Mobile Phones, Tablets and Smart TVs

Ransomware is primarily a computer-based threat that seeks to wreak havoc on PCs and servers. However, it rears its ugly head on other devices as well. Stealing security headlines in this category is Fusob, a Trojan that targets porn viewers by masquerading as an XXX video player. The mobile commerce revolution is in full swing, and the fact that victims can transfer funds in swipe-and-tap fashion has to be incredibly appealing to ransomware creators. This theory is supported by a Blue Coat report proclaiming ransomware the number one security threat on mobile devices.

The only thing scarier than ransomware on your phone is the kind that invades your home. Frantic Locker, or FLocker, started out by targeting Android phones before eventually adopting capabilities that allowed it to attack Android-powered smart TVs. FLocker attempts to send the victim into a panicked frenzy by locking their TV screen and alleging that they’ve committed a crime, all the while purporting to be a law enforcement agency. The malware then demands a ransom of $200 be paid in iTunes gift card credits.

5. Perform Full System Encryption

Most of the ransomware threats on our list operate by encrypting your files. Some, however, aim to paralyze you entirely by locking up your whole system. Petya was one of the first discovered to have full system encryption capabilities. Overwriting the MBR allows it to encrypt the hard drive, crash the OS, and present the ransom note. A few months after its initial discovery Petya returned, but it wasn’t alone. The updated version came bundled with a second piece of malware (Mischa) that performed the ransomware duties in the event that the initial infection failed to gain the necessary admin privileges.

6. Deletes Your Files One By One

The classic ransomware infection blocks access to your files until you pay up. Jigsaw goes one step further by encrypting your files and incrementally deleting them until the ransom is paid. Clearly the authors were heavily inspired by horror movie franchise Saw. The ransom note is accompanied by an image of Billy, the creepy puppet that makes an appearance in each film, as well as a red digital clock that performs the countdown.

7. Take Your Money and Delete Your Files

Some ransomware victims opt to simply pay the ransom to regain access to their mission-critical files as soon as possible. Sadly, giving in to the ransom demands can actually make matters worse. In a recent post we profiled RanScam, an aptly named infection that presents itself as ransomware, yet deletes your files whether you pay the ransom or not. Ironically, this scheming malware was looked down upon by ransomware authors, who realize that destroying files is a bad look for the community at large. After all, victims are not going to pay if they believe there’s no chance their files will ever be returned.

8. Encrypt Unmapped Drives

When ransomware first emerged on the scene, the attacks looked to encrypt files on the default drive before moving on to other mapped drives. Then evolved strains like CryptoFortress, DMA Locker, and Locky emerged. CryptoFortress was the first to show the ability to lock files on network shares whether or not they are mapped to a drive letter. This functionality has made it more important than ever for IT administrators to protect shared network folders with strong permissions.

9. Pose as a Windows Update

In order to slap the cuffs on unsuspecting users, ransomware authors must first gain system access, which usually means packaging their malware in a clever disguise. It doesn’t get any craftier than posing as something that all users need – critical system updates. Fantom targets business users by pretending to be a Windows update complete with a Microsoft copyright and familiar dialog screen. But once you agree to the terms, the utility you think is updating your system is busy encrypting your files with AES encryption you couldn’t crack with a virtual sledgehammer. This one is scary!

10. Encrypt Backup Copies

Next to prevention, a solid backup and disaster recovery plan has proven to be the most effective way to combat ransomware. Malware writers are trying to cripple that best defense mechanism, too. The FBI was the first to send word regarding SAMAS. This ransomware strain targets not only the infected system, but all connected systems and resources. Among those resources are the backup copies victims can ordinarily rely on to restore their files and avoid paying ransom fees. Needless to say, SAMAS is one of the most dangerous ransomware villains we’ve seen to date.

Malware seems to grow more advanced by the day and this extortion-driven threat is the worst possible example. Having an off-site backup is typically the best defense against ransomware. Nevertheless, a little common sense when browsing the Internet helps, too.

Learn more about how to prevent ransomware and discourage data kidnappers.
