How does ransomware get on people's computers?

Question

I've noticed increased frequency of ransomware questions around Stack Exchange. Some of the people I remotely know had their devices recently infected as well.

I'm starting to be concerned. When people ask me how to avoid viruses, I typically tell them things like not to download files from suspicious websites and attachments other than documents. But is it really correct of me to assume that people who become infected executed suspicious files on their computer?

This concern raises especially now when I see questions from people who became infected here on Stack Exchange - meaning technically aware people are obviously just as vulnerable.

How does the ransomware possibly get on their computers? What's a good way to prevent this from happening?

Answer 1

According to the IBM X-Force Threat Intelligence Quarterly Report, fourth quarter 2015, the primary sources of ransomware attack are unpatched vulnerabilities, drive-by infections, and spear-phishing emails:

Source: IBM X-Force

How to prevent ransomware attacks

User education

Educate your users not to download files from unknown contacts. Usually ransomware is sent in emails claiming pending invoices with Word documents. When you open the document, ransomware will get installed and start doing its job.

Scanning and filtering mail servers

Scan your mail servers to stop phishing attempts reaching intended recipients.

Backup data regularly

Make sure to back up your critical data regularly and secure them. This will help you avoid paying the ransom, and reduce recovery time.

Vulnerability? Patch critical software and OS right away

Patch your critical software like your browser, browser plugins, email clients and operating systems right after you get a notification. Did you know that the Panama Papers leak (2.6 TB of data) happened because of vulnerable web servers and mail servers?

Look at the ransomware growth in the last three years:

Source: McAfee Labs, 2015.

Answer 2

While the measures you describe in your question are not wrong, they are not correct either:

• Documents are not safe to open either.

  • Often times, exploits come in the form of interestingFile.txt.exe.

    Windows hiding the .exe by default leads users to think that's just a text file when indeed they execute code.

    There are other ways to keep executable code from being recognized as such by the user as well. For example using Unicode and the Right-To-Left mark as well, as PlasmaHH suggested in the comments.

  • There is a variety of macro malware for Office products.

• Drive-by exploits

  Those are an actual threat to everyone not just using 2-3 websites and everyone blindly following links.

  This is especially true as there are (many?) zero day exploits that are unknown to the public and hence not yet fixed. There are even events like pwn2own, showing such exploitations live - going to a prepared website, that can be it.

In fact, as Philipp points out correctly in the comments, infections can happen on any website basically, that included content from somewhere else - for example ads.

The other part of your question tends to be

Why is there so much ransomware now and there weren't so many infections before?

Well, because ransomware tends to be more profitable than using infections to establish a bot net - which usually went unnoticed to most users (as that was the point).

So there has been no real increase in infections - just an increase in visibility of the infections.

---

To address the operating system question from the comments

Windows is usually - as it has the biggest market share - targeted the most often (by all malware), but ransomware does also exist for *NIX flavours. This includes Mac OS X and Linux.

Mac OS X being drive-by exploited has been shown in this years Pwn2Own if I'm not mistaken.

Answer 3

Are you safe from ransomware just by not downloading suspicious files?

Unfortunately, it is a mistake to assume that you are safe from ransomware just by not downloading files from suspicious websites.

As an example, just last month, the OS X version of the popular BitTorrent client Transmission (v2.90) was infected with ransomware. This infected version of Transmission was distributed through Transmission’s official website (their main server was compromised) for a day or two, so anyone who downloaded it then would have been infected. Surprisingly enough, attepting to update within the app (Transmission uses the Sparkle framework) would have been safe, since the attackers apparently didn’t update the checksum for Sparkle in the compromised version, causing the (potentially automatic) in-app update to fail with a signature mismatch.

Unfortunately, I was almost caught by this ransomware. Due to a vulnerability in the Sparkle framework that was recently disclosed at the time, I was manually updating all my applications that used the Sparkle framework instead of updating them in-app, and that included updating to Transmission v2.90 by manually downloading it from the official website. I only managed to get away unscathed thanks to downloading it a few days before the server compromise happened. Honestly, I was pretty scared once I found out about the compromise a few days later. I’d say I learned a valuable lesson here, which was that you can never blindly trust an application you’ve downloaded from the Internet, even from developers you trust (unless you vet the source code yourself).

Mitigating the Damage of Ransomware

The issue with ransomware is that it encrypts all of your files. If you have a way to prevent applications from being able to read or write to any arbritrary file on your system (by running all downloaded applications in a sandbox, for example), that should essentially make the ransomware benign. On Windows, you can sandbox applications with Sandboxie. On OS X, you can intercept all read and writes from applications running on your system with Hands Off! (demonstrated here).

Another solution is to use Qubes OS, which is an operating system that essentially lets you sandbox different activities/applications inside different virtual machines in a very elegant way. It also supports using Windows 7 inside one of those virtual machines as well.

Answer 4

The how it gets there part of your question has been well answered already, so I'll go for some ways to protect yourself, though the only way of truly being safe is not to use a computer connected to the internet, as even the below aren't 100% safe.

• Don't open any document from anywhere unless you've been expecting to receive it, and from that specific person/company.
• If you don't want to be that paranoid, only open documents from trusted sources i.e. people you know and communicate with frequently*, or from a website you trust and have explicitly requested a document to download from (or have one sent to you).
• When browsing the internet, do so on a virtual machine^. Have a standard image which you clone before doing any browsing, regardless of if it's websites you always trust. Once finished, delete the clone so any infection you may have picked up has gone, and you still have the standard install.
• Keep a backup of anything and everything you hold dear to you. Don't always rely on external cloud providers as they might not keep documents for as long as they state, or even have versioning in place to roll back to a point in time where you weren't infected.
• Keep your computer up-to-date. A lot of attacks will rely on vulnerabilities in certain applications. If these get patched then they can't work via that vector. If you don't update your software, you leave those holes open.

There's probably loads more, but these are the ones which come to mind immediately.

*I mention the frequent communication part for people you know, as if they get infected they may end up sending e-mails with infected attachments without their knowledge. If you don't normally get an e-mail or attachment from them, don't trust it.

^ This is quite an extreme length to go, and not an option for a lot of people, or not desirable by most