Skip to main content

Ransomware in the Enterprise

Published: November 26, 2013

Authors: Marianne Mallen (Antivirus Researcher), Vidya Sekhar (Program Manager), Ben Hope (Technical Writer) - Microsoft Malware Protection Center

The enterprise space isn’t immune to emerging malware threats – an infection can be costly and frustrating to any organization. One problem affecting the enterprise space is ransomware - a type of malware designed to render a computer or its files unusable until you pay a certain amount of money to the attacker. This threat is affecting machines in greater numbers, and because it locks users out of their files, it can be an expensive problem for an organization with time-sensitive deadlines.

Ransomware often masquerades as an official-looking warning from a well-known law enforcement agency in the victim’s locale, such as the US Federal Bureau of Investigation (FBI), or the Metropolitan Police Service of London (also known as Scotland Yard). This warning can block the desktop of an infected computer, accusing the user of committing a crime.  It demands payment of a fine via electronic money transfer before control of the machine is restored. A ransomware infection doesn’t in any way indicate any illegal activities have actually been performed on the infected computer, nor does it follow local legal process.

Some recent ransomware threats are also known as “FBI Moneypak” or the “FBI virus” because of their common use of law enforcement logos and requests for payment using Green Dot MoneyPak, a brand of reloadable debit card.

Here are some examples of the different lock screens used by some of the more prevalent ransomware families masquerading as warnings from various national and international police forces:

Ranswomare lock screen examples
Figure 1. Ransomware lock screen examples

Some ransomware families, such as Reveton or Weelsof, operate by displaying a lock screen and preventing access to any of the computer’s functions (but they offer to provide a password when the ransom is paid). Other threats, such as GPCoder and Crilock, take a different approach and use complex methods
of encryption such as AES and RSA to render files unusable. In all cases, the computer is held hostage for a “ransom”. It’s only when that ransom has been paid that computer can be unlocked – or so the perpetrators say. More often, access to the computer is not restored, even after payment.

We can review common ransomware behaviors by looking at the top two families seen during the reporting period for the latest Microsoft Security Intelligence Report (SIRv15), January 2013 to June 2013.  Within this report Microsoft measures the prevalence of a threat using its encounter rate – the number of computers that come in contact with a specific threat. An encounter doesn’t mean the computer was infected; the measurement includes encounters where security software blocks the infection.

Ransomware trends
Figure 2. Encounter rate trends for the top six ransomware families (January through June 2013)

Win32/Reveton was the most commonly encountered ransomware family worldwide during the first half of 2013. It was also the highest among ransomware families affecting enterprises.

Reveton provides an example of typical ransomware behavior: locking a computer and displaying a webpage that covers the entire desktop and demanding the user pay a fine for the supposed possession of illicit material. The lock screen webpage, and the identity of the law enforcement agency that is allegedly responsible for it, are often customized depending on the location of the infected machine. Microsoft data shows that Reveton encounters declined slightly between January and March this year before increasing and spiking again during the following three months. The number of detections especially spiked in the Czech Republic, Slovakia, and Cyprus – contributing to the worldwide rise.

Another common ransomware family is Win32/Weelsof. This threat was especially prevalent at the start of 2013 and targeted computers in specific locations. During the SIRv15 reporting period, Weelsof was focused on Ireland, France, and Greece – with the usual localized warnings that claim to be from a national police force. Weelsof can infect a computer when a user visits a compromised or malicious website (which may have appeared seemingly innocuous to the user), the website may have been compromised by an exploit or injected iFrames. This makes it a particular challenge to enterprise as a website that is deemed “safe” by the IT department could later be hacked to spread a malicious threat.

Once the malware binary is downloaded and run, it connects to a server where it downloads the scare page setup and configuration that will be used to demand a ransom. Weelsof attacks in three stages:

  1. Scare page – This is an encrypted data file that uses RC4 encryption, retrieved with https://<maliciousdomain>/<random number>/get_dsn.php
  2. Location – The ransomware retrieves the geo-location of the computer it has infected, with https://<maliciousdomain>/<random number>/get_coce.php
  3. IP address – Weelsof gets the IP address of the infected machine, with https://<maliciousdomain>/<random number>/get.php.

The malware decrypts the file containing the scare page contents and displays the scare page and locks the desktop, rendering the machine unusable. This may be the first sign an IT department has that a computer within the business is infected with malware.

After the release of SIRv15 we have seen a new ransomware emerge that has a potentially devastating payload for any unprotected computer it infects – Crilock, or Cryptolocker. Since early September this threat has impacted 34,000 machines.

Crilock encrypts your files using an AES-256 key that is unique to each file and then encrypts the file-specific AES key using a 2048-bit RSA public key. The malware authors demand payment for key recovery as part of their ransom scheme. The threat targets the most useful and potentially damaging file types on any connected drive, including network shares.  As well as targeting the more common document and image file extensions, this threat also searches for and encrypts many files types more commonly found on business machines.  It then demands a ransom that must be paid within a specified time period. Crilock even has an online payment scheme where you can pay and upload your encrypted files.

Crilock is usually downloaded by exploits or other malware. Microsoft has seen Crilock download at the end of an infection chain that involves Win32/Upatre and the credential-stealing Win32/Zbot. Upatre uses spam campaigns designed to convince a user to open a malicious attachment. This can be by imitating a  USPS package delivery, tax return or account statement email. It has been sending large volumes of this spam in recent months. Once the attachment is opened, Crilock is downloaded as the final payload in this infection chain. This distribution method reinforces the need for enterprise filter mail and educate users about the risk of opening a potentially harmful attachment. In many cases the best remediation for a Crilock infection is to restore all the affected files from backup.

Dealing with a ransomware infection

The most important tool for dealing with ransomware is to make sure computers are backed up. Once infected, ransomware, such as Crilock can encrypt files making them inaccessible. In some cases the computer must be reformatted, since the lock screen prevent access to files on the PC. Cloud technologies such as OneDrive for Business have a built-in version history allowing you to revert to previous unencrypted copies of your files.

You should also use appropriate spam rules and increase awareness about the risks of opening unsolicited spam emails and links in your enterprise.

There is no guarantee that paying a ransom will result in your computer being unlocked, and files being returned by an attacker. There have been cases when some files have been returned after the ransom was paid, however we don’t recommend paying the ransom. Ransomware is distributed by malicious attackers, not legitimate authorities, and paying the ransom won’t guarantee your computer will be restored to a usable state.

Microsoft provides a number of tools and utilities, such as the Microsoft Safety Scanner and Windows Defender Offline that can help remove a variety of malware infections even if the computer’s normal operation is being blocked.

About the Authors

Marianne Mallen, Vidya Sekhar, and Ben Hope photos

Marianne Mallen, Antivirus Researcher, Vidya Sekhar, Program Manager, and Ben Hope, Technical Writer, are all part of the Microsoft Malware Protection Center (MMPC) team. The MMPC works around the clock to identify, detect, and combat malware. The team also regularly shares analysis of the latest threats and malware trends.

For more information on the MMPC, visit www.microsoft.com/security/portal/mmpc.

Microsoft Security Newsletter

Sign up for a free monthly roundup of security news, bulletins, and guidance for IT pros and developers.