{"id":7457,"date":"2016-07-20T09:39:00","date_gmt":"2016-07-20T13:39:00","guid":{"rendered":"https:\/\/kasperskydaily.com\/uk\/?p=7457"},"modified":"2019-11-22T10:09:58","modified_gmt":"2019-11-22T10:09:58","slug":"ask-expert-yornt-ransomware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/ask-expert-yornt-ransomware\/7457\/","title":{"rendered":"Ask the expert: Jornt van der Wiel talks ransomware"},"content":{"rendered":"<p>Jornt van der Wiel is a member of our GReAT \u2014 Global Research and Analysis Team \u2014 and our top ransomware and encryption expert. He lives in the Netherlands, and has been working for Kaspersky Lab for more than 2 years.<\/p>\n<p>We offered our readers a chance to ask Jornt any questions they might have about ransomware and encryption \u2014 and the response was amazing. In fact, there were too many questions to publish in just one blog post, so we split them into two groups. In this post, Jornt answers questions mostly regarding ransomware and in the next post, he\u2019ll talk encryption.<\/p>\n<p><b>Do you think that ransomware will concern us more and more in the future, compared to other malware categories such as classic viruses and Trojan horses?<\/b><\/p>\n<p>Yes, for sure. We are seeing a rise both in new families being discovered and in infection attempts on users. The threat is becoming bigger and bigger every day. That is largely because ransomware is relatively easy to monetize. A criminal infects somebody, the victim pays, and once the payment is made, the victim receives the keys and is able to decrypt the files. There is no need for any additional communication or any other interactions. 
This is in contrast to banking malware, for example, which usually requires criminals to talk to their victims via chat.<\/p>\n<p><b>How can I avoid being affected by ransomware?<\/b><\/p>\n<p>\u2022 Always have the latest updates of your software installed;<\/p>\n<p>\u2022 Don\u2019t click on links or attachments in any suspicious e-mails;<\/p>\n<p>\u2022 Enable file extensions in Windows (so that you see if the filename is actually <i>invoice.pdf.exe<\/i> instead of just <i>invoice.pdf<\/i>);<\/p>\n<p>\u2022 Have your anti-virus solution updated and configured with heuristics on;<\/p>\n<p>\u2022 And, for when things go wrong, have backups. Store them offline, or store your files in the cloud with unlimited version control (so even if your files get encrypted on your local drive, which is then synced to the cloud, you can still retrieve the latest un-encrypted version).<\/p>\n<p><b>As a person, am I more vulnerable to ransomware than a company?<\/b><\/p>\n<p>Ransomware targets everybody. Sometimes, specific companies are targeted, but mostly, we see massive spam runs aimed at infecting anybody. On the other hand, large companies are not willing to pay the ransom; they usually have backups in place. 
Smaller companies are sometimes more likely to pay because restoring the backup might cost more than paying the ransom.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">10 tips to protect your files from ransomware <a href=\"https:\/\/t.co\/o0IpUU9CHb\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/o0IpUU9CHb<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/iteducation?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#iteducation<\/a> <a href=\"https:\/\/t.co\/I47sPIiWFF\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/I47sPIiWFF<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/671348678607642624?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">November 30, 2015<\/a><\/p><\/blockquote>\n<p><b>When is it possible to decrypt files that were encrypted with ransomware?<\/b><\/p>\n<p>It is possible in the following cases:<\/p>\n<p>\u2022 The malware authors make an implementation mistake, making it possible to break the encryption. That was the case with Petya ransomware and with <a href=\"https:\/\/www.kaspersky.co.uk\/blog\/cryptxxx-ransomware\/7102\/\" target=\"_blank\" rel=\"noopener\">CryptXXX<\/a>. Unfortunately, I cannot give you a list of the mistakes they made \u2014 that would help them not to make such mistakes again. But in general, it\u2019s not that easy to get encryption right. 
If you want to know more about encryption, and the mistakes people can make, I advise you to search for the Matasano crypto challenges.<\/p>\n<p>\u2022 The malware authors later feel sorry and publish the keys, or a \u201cmaster\u201d key, as in the <a href=\"https:\/\/www.kaspersky.co.uk\/blog\/raknidecryptor-vs-teslacrypt\/7227\/\" target=\"_blank\" rel=\"noopener\">TeslaCrypt<\/a> case.<\/p>\n<p>\u2022 Law enforcement agencies seize a server with keys on it and share them. Last year, using keys recovered by Dutch police, we created a <a href=\"https:\/\/www.kaspersky.com\/blog\/coinvault-ransomware-removal-instruction\/8363\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">decryption tool for CoinVault victims<\/a>.<\/p>\n<p>Sometimes paying the ransom also works, but there is <a href=\"https:\/\/www.kaspersky.co.uk\/blog\/ranscam-ransomware\/7428\/\" target=\"_blank\" rel=\"noopener\">no guarantee<\/a> that paying will actually lead to your files being decrypted. In addition, if you pay, you\u2019re supporting the criminal\u2019s business model and thus are partly responsible for more and more people getting infected with ransomware.<\/p>\n<p><b>In the <a href=\"https:\/\/www.kaspersky.co.uk\/blog\/cryptxxx-decryption-20\/7179\/\" target=\"_blank\" rel=\"noopener\">instructions<\/a> for dealing with CryptXXX, you say that besides the encrypted file, you also need the un-encrypted file. What\u2019s the point of the software, then? If I had the un-encrypted file, I\u00a0wouldn\u2019t\u00a0need your tool\u2026<\/b><\/p>\n<p>A very good question, and thanks for bringing this up. This shows that we have to be more clear in the future. This ransomware encrypts all of your files with the same key. So, say you have 1,000 files encrypted, and of these files you have only one original file saved somewhere \u2014 for example, the file is a picture you e-mailed to somebody. 
If you feed just this one file into our decryption utility, we can recover the decryption key, and then your other 999 files can be decrypted. However, you do need that original file.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/Alert?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Alert<\/a> We've got a <a href=\"https:\/\/twitter.com\/hashtag\/decryptor?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#decryptor<\/a> for those infected with <a href=\"https:\/\/twitter.com\/hashtag\/CryptXXX?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#CryptXXX<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Ransomware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Ransomware<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/infosec?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#infosec<\/a> <a href=\"https:\/\/t.co\/MTtTKQom79\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/MTtTKQom79<\/a> <a href=\"https:\/\/t.co\/N56Wof2BZY\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/N56Wof2BZY<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/724652181580853249?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">April 25, 2016<\/a><\/p><\/blockquote>\n<p><b>Is file encryption malware the only type of ransomware?<\/b><\/p>\n<p>No, there is also ransomware that locks your computer. However, that type is usually easy to bypass or remove, which is why it is less and less popular these days. 
If you want to know more about locking ransomware and the ways to fight it, check out <a href=\"https:\/\/www.kaspersky.com\/blog\/kaspersky-windowsunlocker-2\/12275\/\" target=\"_blank\" rel=\"noopener nofollow\">this post on our blog<\/a> about it.<\/p>\n<p><b>From what I see in the international press, addressing the ransomware problem is like a game of cat and mouse. You find a solution and your opponents try to bypass it. Is it really like that?<\/b><\/p>\n<p>Not really. Our <a href=\"https:\/\/www.kaspersky.co.uk\/blog\/tip-of-the-week-cryptoware\/4847\/\" target=\"_blank\" rel=\"noopener\">System Watcher component<\/a>, which looks at behavior of running processes, can detect most of the new ransomware attacks it encounters \u2014 even those from yet-unknown ransomware. OK, there are rare examples that are not detected by our System Watcher. We then make a new behavioral signature that also catches the new type of attack. Again, this is very unusual.<\/p>\n<p><b>Criminals demand payment in bitcoins, which is hard to track. Is it possible to actually track those criminals and reach them?<\/b><\/p>\n<p>Actually, tracing a Bitcoin transaction is not difficult; transactions are recorded in the <a href=\"https:\/\/www.kaspersky.co.uk\/blog\/bitcoin-blockchain-news\/5587\/\" target=\"_blank\" rel=\"noopener\">blockchain<\/a>. That is the nature of Bitcoin \u2014 you can trace any transactions. What you don\u2019t know is <em>who<\/em> is on the other end of the transaction. 
So, law enforcement agencies can trace transactions to a wallet, but they still need to find out to whom that wallet belongs.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Part 2 of our <a href=\"https:\/\/twitter.com\/hashtag\/Expert?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Expert<\/a> Q&amp;A with <a href=\"https:\/\/twitter.com\/vkamluk?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@vkamluk<\/a> discusses <a href=\"https:\/\/twitter.com\/hashtag\/DDoS?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#DDoS<\/a> &amp; more <a href=\"https:\/\/t.co\/dwZahpnAr8\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/dwZahpnAr8<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/infosec?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#infosec<\/a> <a href=\"http:\/\/t.co\/dbhaB6yFvI\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/dbhaB6yFvI<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/615549466544898048?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">June 29, 2015<\/a><\/p><\/blockquote>\n<p>Bitcoin mixers have been introduced to frustrate tracing efforts. Think of a mixer as a machine into which you put many bitcoins, and then these bitcoins are swapped between owners many times, which makes tracing more difficult. So for example, I\u2019m a victim and I need to pay a bitcoin to a wallet. I make the payment to a wallet, and then the same bitcoin goes to a mixer. The bitcoin is swapped with someone else\u2019s bitcoin. Thus in the end, we don\u2019t know which bitcoin to trace anymore. 
And as you can guess, this happens a lot.<\/p>\n<p>Various research has been done on this subject (you can find a lot of it with Google), and it shows that tracing is sometimes possible. In short: Sometimes it is possible to trace the transactions back to one wallet, but it isn\u2019t easy \u2014 and even when you find the wallet, the bitcoin exchange has to work with law enforcement to reveal the wallet owner\u2019s credentials.<\/p>\n<p><b>How many years did it take to discover CoinVault and find its creators?<\/b><\/p>\n<p>The CoinVault story basically started when Bart from Panda Security tweeted that he had found additional CoinVault samples. It turned out that two of those were not CoinVault, but they were clearly related to it. We decided to write a blog post about it and create a timeline of the evolution of CoinVault. When we were 90% done with the post, we sent it to the National High Tech Crime Unit (NHTCU).<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Decrypting <a href=\"https:\/\/twitter.com\/hashtag\/CoinVault?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#CoinVault<\/a> ransomware <a href=\"https:\/\/t.co\/AmZli3XWT8\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/AmZli3XWT8<\/a><br>Joint operation NHTCU &amp; Kaspersky <a href=\"https:\/\/twitter.com\/jorntvdw?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@jorntvdw<\/a> &amp; <a href=\"https:\/\/twitter.com\/spontiroli?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@spontiroli<\/a> <a href=\"https:\/\/t.co\/7aQ16Sz9d0\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/7aQ16Sz9d0<\/a><\/p>\n<p>\u2014 Dmitry Bestuzhev (@dimitribest) <a href=\"https:\/\/twitter.com\/dimitribest\/status\/587589615852322816?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">April 13, 2015<\/a><\/p><\/blockquote>\n
<p>After we finished the post, we found some leads that led us to two possible suspects. Naturally, we shared this information with the NHTCU. The time between Bart\u2019s tweet and this discovery was at most one month, but of course, we hadn\u2019t spent all that time just working on the blog post \u2014 we also had non-CoinVault work. After the post was published, it took the NHTCU about half a year more to build a thorough case, and the criminals were finally <a href=\"https:\/\/www.kaspersky.com\/blog\/criminals-behind-the-coinvault-ransomware-are-busted-by-kaspersky-lab-and-dutch-police\/9886\/\" target=\"_blank\" rel=\"noopener nofollow\">arrested in September<\/a> of last year.<\/p>\n<p><b>How much money are cybercriminals making with ransomware?<\/b><\/p>\n<p>A very good question, but rather difficult to answer. We can only know for sure when we are able to trace, for example, all of the bitcoin transactions to a certain wallet. Or when police seize a command-and-control server that has payment info on it. But to give you an idea, let\u2019s say a criminal was able to infect 250,000 people (this is probably a close estimate if we are speaking about big campaigns). And let\u2019s assume they ask just $200 for decryption (the real average is about $400). If only 1% of the infected victims pay, the revenue would be about $500,000.<\/p>\n<p><b>Is it possible for an infected PC within a local network to spread the ransomware through the network to other computers that have the same operating system? Can one piece of ransomware affect different operating systems?<\/b><\/p>\n<p>For the first part of your question: If the ransomware has worm capabilities, it can spread through a network. 
For instance, <a href=\"https:\/\/www.kaspersky.com\/blog\/zcryptor-ransomware\/12268\/\" target=\"_blank\" rel=\"noopener nofollow\">Zcryptor<\/a> and <a href=\"https:\/\/threatpost.com\/new-server-side-ransomware-hitting-hospitals\/117059\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">SamSam<\/a> are two ransomware families that have these capabilities.<\/p>\n<p>For the second part of your question: It is possible for one piece of ransomware to infect multiple operating systems if it targets web servers. So, for example, ransomware could target a server running a vulnerable content management system written in PHP. The ransomware might then infect a Windows computer that has a web server with PHP installed. And then it could scan other parts of the Internet searching for other computers to infect. The next computer might be running Linux \u2014 but with a PHP web server. To sum up, the answer is: Yes, there is multi-platform ransomware.<\/p>\n<p>Next week we will publish Jornt\u2019s answers to questions regarding encryption. Stay tuned!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How to protect yourself from ransomware? Are there any cross-platform cryptors? How much time does it take to catch a cybercriminal? 
Jornt van der Wiel discusses all of that and more<\/p>\n","protected":false},"author":40,"featured_media":7458,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2026],"tags":[1014,1522,1055,1499,36,441,97,1017],"class_list":{"0":"post-7457","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-coinvault","10":"tag-cryptors","11":"tag-interview","12":"tag-lockers","13":"tag-malware-2","14":"tag-ransomware","15":"tag-security-2","16":"tag-teslacrypt"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/ask-expert-yornt-ransomware\/7457\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/ask-expert-yornt-ransomware\/7424\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/ask-expert-yornt-ransomware\/7408\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/ask-expert-yornt-ransomware\/8744\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/ask-expert-yornt-ransomware\/8648\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/ask-expert-yornt-ransomware\/12545\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/ask-expert-yornt-ransomware\/2298\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/ask-expert-yornt-ransomware\/12631\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/ask-expert-yornt-ransomware\/5877\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/ask-expert-yornt-ransomware\/6445\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/ask-expert-yornt-ransomware\/5175\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/ask-expert-yornt-ransomware\/8229\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/ask-expert-yornt-ransomware\/12044\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.
kz\/ask-expert-yornt-ransomware\/12545\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/ask-expert-yornt-ransomware\/12631\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/ask-expert-yornt-ransomware\/12631\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/coinvault\/","name":"coinvault"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/7457","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=7457"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/7457\/revisions"}],"predecessor-version":[{"id":17683,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/7457\/revisions\/17683"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/7458"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=7457"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=7457"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=7457"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}