Bryley Basics: How ransomware attacks

Eric Rainville and Gavin Livingstone, Bryley Systems Inc.

Most ransomware attacks through email; an end-user unwittingly opens an innocuous attachment within an email, which then loads software that quietly encrypts all data files.  Once completed, it announces its accomplishment (Hooray!) and provides instruction on how to pay the ransom (through an anonymous, online payment method) to then receive the key which removes the encryption.

The only effective ways to prevent ransomware:

  • Block the email before it is distributed to the email recipient.
  • Train email recipients to not open email attachments from uncertain sources.

Once infected, the recommended recourse is to restore the encrypted files from backup. (We recommend that you do NOT pay the ransom; this will likely put you at risk for future infections.)

An example of a recent ransomware email:

From: info@yortax.com

Sent: Wednesday, February 17, 2016 10:48 AM

To: XXX

Subject: February payment

Importance: High

We’re ready to pay, just need you to confirm the payment details.

Check the invoice, it’s attached, and let me know if everything is correct.

We will remit the payment as soon as we hear from you.

Thank you

This variant of ransomware infects a computer in a step-by-step fashion:

  • The email recipient opens the attached Microsoft Word (.doc) file.
  • The body of the text within the .doc file is a picture that tells the email recipient to “Enable editing features” and shows how to do so.
  • The email recipient follows this instruction and enables editing features.
  • Once editing features are enabled, the original .doc file downloads a document to your appdatatemp location and opens it at this location. (It looks like the same exact document, but with a different name.)
  • As requested, the email recipient again enables editing features, which causes an executable (.exe) file to be downloaded to the same location; the .exe either runs right away or runs at the next startup. (Sometimes, the .exe does not start encrypting files right away; it may have a timer to lie dormant and wait for a period of time.)

For remediation tips, see Dealing with CryptoLocker from the July 2015 issue of Bryley Information and Tips (BITs).