New Cry Ransomware Attacks Computers via Google Maps API

Heard about the recent ransomware threat “Cry”?

Well, it was discovered last week by the security researchers “MalwareHunterTeam”. Like many similar ransomware programs, it purports to come from a government agency, the “Central Security Treatment Organization”. Once it infects a computer, the ransomware encrypts the victim’s files and appends the .cry extension, then demands approximately 1.1 bitcoins (about $625 USD) for the decryption key.
The ransomware is already known by several names, including Cry and CSTO ransomware. Lawrence Abrams, owner of BleepingComputer.com, together with MalwareHunterTeam and Daniel Gallagher, has analyzed some of its characteristics. According to them, the ransomware sends information about the victim to its Command & Control server using UDP (User Datagram Protocol). It also uses websites such as Imgur.com and Pastee.org to host the victim’s information. And, surprisingly, it uses the Google Maps API to determine the victim’s location from nearby wireless SSIDs.

Abrams explains how the ransomware uses Imgur:

“Once the file has successfully been uploaded, Imgur will respond with a unique name for the filename. This filename can be broadcasted over UDP to the 4096 IP addresses to notify the Command & Control server that a new victim has been infected.”

Many details about this ransomware still have to be unveiled. But one thing is sure: within two weeks, it has infected around 8000 computers!

How Does Cry Ransomware Attack Your Computer?

Spam email attachments are the main delivery method of Cry ransomware. These mails are crafted to convince the victim that the attachment is a legitimate invoice, bank statement, ticket or some other harmless file. If the user downloads and opens that file, the ransomware infects the computer and searches for file types that are important to the user. Those files are encrypted while the rest of the computer is left functional, so that the ransom demand can be displayed.

If a computer is infected with Cry ransomware, it may leave ransom notes named “Recovery_[random_chars].html” and “!Recovery_[random_chars].txt” on the user’s desktop. These notes inform the user that their files have been encrypted with the .cry extension and that decrypting them will cost 1.1 bitcoin ($625).
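Two of the behaviours described above give a defender something concrete to look for: the burst of UDP datagrams to thousands of distinct addresses that announces a new victim, and the .cry extension plus Recovery_ notes that appear on disk. The script below is an added example, not code from the original article or from any of the analyses it cites; the flow-record format, the file paths, the 200-destinations-in-60-seconds threshold and all sample data are constructed for illustration.

```python
import re
from collections import defaultdict

def constructed_flows():
    """Build constructed flow records "epoch src dst proto": one quiet host and one
    host that sends a single UDP datagram to each of 300 distinct addresses."""
    lines = ["1473000000 10.0.0.7 192.0.2.53 udp",    # ordinary DNS-like traffic
             "1473000010 10.0.0.7 192.0.2.53 udp",
             "1473000020 10.0.0.7 198.51.100.8 tcp"]
    for i in range(300):                                # fan-out within ~3 seconds
        lines.append(f"{1473000100 + i // 100} 10.0.0.5 198.18.{i // 256}.{i % 256} udp")
    return lines

def udp_fanout_hosts(lines, window=60, threshold=200):
    """Return {src: peak distinct UDP destinations} for sources that reach
    `threshold` distinct UDP destinations inside any `window`-second span."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, proto = line.split()
        if proto == "udp":
            events[src].append((int(ts), dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        live = defaultdict(int)          # dst -> datagrams still inside the window
        start = 0
        for ts, dst in evs:
            live[dst] += 1
            while evs[start][0] < ts - window:   # slide the window forward
                old = evs[start][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            if len(live) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(live))
    return flagged

# Ransom-note pattern from the article: Recovery_<random>.html and !Recovery_<random>.txt
RANSOM_NOTE = re.compile(r"(?:^|[\\/])!?Recovery_[^\\/]+\.(?:html|txt)$", re.IGNORECASE)

FILE_EVENTS = [  # constructed file-creation events, not from a real infection
    r"C:\Users\alice\Documents\budget.xlsx.cry",
    r"C:\Users\alice\Pictures\holiday.jpg.cry",
    r"C:\Users\alice\Desktop\Recovery_k7d2q9.html",
    r"C:\Users\alice\Desktop\!Recovery_k7d2q9.txt",
    r"C:\Users\alice\Documents\notes.txt",
]

def file_indicators(paths):
    """Split paths into .cry-encrypted files and Cry-style ransom notes."""
    return {"encrypted": [p for p in paths if p.lower().endswith(".cry")],
            "notes": [p for p in paths if RANSOM_NOTE.search(p)]}
```

In a real deployment the flow records would come from a firewall or NetFlow export and the file events from an EDR or file-audit log; the threshold should be tuned below the 4096-address burst quoted above but above normal UDP fan-out for the environment.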

How to Get Rid of a Ransomware Attack?

In a recent article, I covered the effects of ransomware as a cyber-security threat. I hope you have all read it. This time, I just want to share some tips to help you get rid of a ransomware attack.

Ransomware attacks are on the rise, more than ever. If you follow information security news regularly, you will read about this threat almost every day. It has become one of the favorite tools of cyber criminals because it is very profitable, a million-dollar market. According to Symantec, the figure has reached as much as £3 million a year.

What to Do After a Ransomware Attack?

As you know, your computer can be infected by two types of ransomware: lock-screen ransomware and file-encryption ransomware. If the type on your machine is file-encryption ransomware, you can try to clean your system of it. The following steps may be useful.

  • If your system is part of a network, remove it from the network immediately.
  • Check for available restore points, which you can use to restore your computer to a “last known good configuration”. (Before doing this, it’s a good idea to make a copy of the encrypted files for future analysis.)
  • Restart your machine in Safe Mode and scan it with antivirus software.
  • Identify the type of ransomware on your PC (you can use an online service called ID Ransomware for that).
  • Once you have identified the type of ransomware, download the corresponding decryption tool to get your data back.

Be Safe from Ransomware Attacks in the Future

To minimize the chances of ransomware attacks in the future, you can take precautions such as:

  • Don’t visit unsafe or suspicious websites.
  • Don’t open email attachments from suspicious sources.
  • Beware of dubious links in emails or on social media.
  • Protect your computer with strong anti-spyware software and enable the firewall.

Ransomware: Past, Present and Future

The term “ransomware” is quite familiar in cyber security circles now. But imagine a situation 10 years ago: an alert message on your PC saying that your machine or files are locked up and demanding a ransom to unlock them. Hard to conceive, right?

Yes, ransomware can infect your PC at any time if you aren’t well prepared. Once it has infected your machine, it may either encrypt your personal files (like CryptoLocker) or block access to your entire PC (like WinLocker).

Ransomware can reach your PC through various routes: visiting malicious websites, opening spam emails, opening suspicious email attachments, and many others.

Rise of Geographic Tracking Ransomware

Remember Joseph Edwards, a 17-year-old from Berkshire, who hanged himself after receiving a fake police warning demanding a fine of 100 pounds for browsing illegal websites? The case was reported in 2012. The ransomware that infected Edwards’ PC was Reveton (also called Police Ransomware or the Police Trojan).

Reveton had a specialty: it was capable of tracking the geolocation of its victim. Thus, people living in the US would get a warning message from the FBI, whereas for French victims the message would be labelled as coming from the Gendarmerie Nationale.

CryptoLocker Arrives

In 2013, the infamous file-encryption ransomware CryptoLocker hit for the first time. According to the University of Kent’s 2014 security research report, 1 in 30 systems were affected by this ransomware, and 40% of those affected paid the ransom.

Experts have suggested several measures to mitigate the severity of a CryptoLocker attack, but these attacks are only increasing in number. The very next year, CryptoWall, a close variant of CryptoLocker, affected many PCs globally.

Keith Jarvis, a researcher with the Dell SecureWorks Counter Threat Unit, presented a threat analysis report on CryptoWall. According to his report, CryptoWall affected 625,000 victims within 5 months, encrypting 5.25 billion files and collecting more than $1 million in ransoms!

Future of Ransomware

Joe Marshall is a security researcher at Cisco Talos. In his opinion, in the future we have to expect the threat to come from “self-propagating” malware, or cryptoworms.

In a Threatpost article, he shared his thoughts on this. He says: “This new ransomware is a mix of old and new. It has adopted self-propagating properties of worms and malware of the past. And it has new tricks when it comes to traversing corporate networks laterally to find the most vulnerable targets.”

Here’s an infographic on ransomware.

Ransomware - Infographic