Ransomware 1.0

A Personal Experience

Glory Chukwuemeka
6 min read · Jun 16, 2021
Photo by James Sutton on Unsplash

“You’re the security guy, right?”

“Yes Sir”

“I have an issue with my laptop, I can’t view my files, the text looks really weird.”

“Text looks really weird? Let me take a look.”

These were the words that preceded what would be a first encounter with the much talked-about ransomware.

Instantly, I rushed to see what he meant by “the text looks really weird”, and simply did not want to believe the suggestions my mind had come up with.

Is this a cyberattack? Why are all the files visually unreadable? Is this even real?

For someone who has always emphasized being conscious of our online activity and deliberately doing our best to stay out of harm's way, it was mind-boggling to come to terms with the fact that a ransomware attack was at my doorstep. Before this, the closest encounter with one had been through the news, as well as other cybersecurity articles about the rise of ransomware on the threat landscape. The reaction had always been the same: see it on the news, discuss it, remind everyone to follow best security practices, and go on with life as usual.

But here it was, staring me in the face, all files with an extension ‘.paas’ appended to each of them.

How did this happen? Where did we slip up?

What is Ransomware?

For the uninitiated, ransomware is malicious software that encrypts the victim's files (making every document on the computer unreadable) or locks the system outright, and then uses that lost access as leverage to extort money: the victim cannot get back into their data until they have paid, or unless they can recover some other way.

To regain access, the victim is told to pay a set amount, usually in cryptocurrency, after which the attackers may or may not send the decryption key. Payment is no guarantee. In some cases no key ever arrives, or the one that arrives does not work, and the files are lost for good. WannaCry, in May 2017, is the best-known example: its payment handling could not even reliably tell which victim had paid, so most of those who did got nothing back.

Ransomware attacks have risen rapidly, the juggernaut of the malware world. The most recent headline case is the Colonial Pipeline attack just a month ago, which led to panic buying and fuel shortages across the eastern United States. The company gave in to the attackers' ransom demand to get its systems working again; even so, the decryption tool it received was reportedly so slow that it relied largely on its own backups to restore operations.

Source: PurpleSec

Instinctively, I disconnected the system from the network immediately, as it was important to isolate the system and prevent any further spread.

But, how did it get in?

People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems. — Secrets and Lies: Digital Security in a Networked World by Bruce Schneier.

Curious to understand how the system got infected, I went through a series of questions with him, and it turned out that the malware had arrived as an attachment in an email, the never-ending phishing tactic.

Upon activation, it went through every available file on the system and made them all unreadable: the files would still open, but their contents had been tampered with. As if that wasn't enough, it blocked the installation of any antivirus, effectively putting the entire system at its mercy.

We are as strong as our weakest link.

I also noticed something else. All files in the system had an extension ‘.paas’ appended to them. So if a file was named ‘work.docx’, the virus renamed it to ‘work.docx.paas’, and any attempt to reverse it ended up corrupting the file.

PAAS

Photo by Jr Korpa on Unsplash

Designed to make files inaccessible by encrypting them, .paas is one of the extensions used by the STOP/Djvu ransomware family (ransomware rather than a self-replicating virus, strictly speaking). It encrypts files with the Salsa20 stream cipher, and for speed it encrypts only roughly the first 150 KB of each file, which is why larger files may still open but show garbage instead of their contents. The encryption key is normally obtained from the attackers' server; if that server cannot be reached at the time of infection, the malware falls back to a built-in offline key shared by every victim of that variant. The ransom note it drops, _readme.txt, carries a personal ID, and an ID ending in t1 indicates that the offline key was used. Emsisoft's free STOP/Djvu decryptor can recover files encrypted with a known offline key, whereas files encrypted with a per-victim online key cannot be recovered without the attackers' private key. The infection is also commonly bundled with the AZORult information-stealing trojan, which runs on the compromised system and harvests everything it can, from saved passwords and browsing history to login credentials and more.

PAAS doesn't arrive only through email; it also finds its way onto systems through torrents, cracks, key generators and illegally downloaded copies of paid software.

Based on a Google search, the ransom demanded to decrypt the files is $490 in Bitcoin if paid within the first three days, or $980 after that.
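As an added example (my own code, not the author's and not STOP/Djvu's implementation), the triage script below checks whether a '.paas' file has merely been renamed or has actually been encrypted, which is the question to answer before anyone tries to "reverse" the extension. It recognises a few real document magic numbers and measures the Shannon entropy of the first 4 KiB; the sample files it creates are constructed, and the "encryption" used to fabricate one of them is a toy SHA-256 keystream XOR standing in for Salsa20.

```python
"""Triage '.paas' files: renamed only, or actually encrypted?

Added example, not code from the original article and not STOP/Djvu's
implementation. The sample files are constructed, and the keystream used
to fabricate the "encrypted" one is a toy SHA-256 counter stream XOR,
standing in for Salsa20.
"""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional

RANSOM_EXT = ".paas"          # extension appended by this STOP/Djvu variant
HEAD_BYTES = 4096             # how much of each file to inspect
ENTROPY_THRESHOLD = 7.5       # bits/byte; ciphertext sits close to 8.0

# Real magic numbers for a few common file types.
MAGIC = {
    b"PK\x03\x04": "zip/docx/xlsx/pptx",
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"\xd0\xcf\x11\xe0": "ole/doc/xls",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: ~8.0 for ciphertext, lower for structured data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sniff(head: bytes) -> Optional[str]:
    """Return the file type whose magic number the header starts with, if any."""
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def triage_file(path: Path) -> Dict[str, object]:
    """Decide whether a suspicious file was merely renamed or has been encrypted."""
    head = path.read_bytes()[:HEAD_BYTES]
    kind = sniff(head)
    ent = shannon_entropy(head)
    name = path.name
    original = name[: -len(RANSOM_EXT)] if name.endswith(RANSOM_EXT) else name
    if kind is not None:
        verdict = "header intact: renamed only"       # stripping the extension is enough
    elif ent > ENTROPY_THRESHOLD:
        verdict = "encrypted"                          # renaming back cannot help
    else:
        verdict = "no known header, low entropy: inspect manually"
    return {"file": name, "original_name": original, "type": kind,
            "entropy": round(ent, 2), "verdict": verdict}


def triage_dir(root: Path) -> List[Dict[str, object]]:
    """Triage every file under root that carries the ransomware extension."""
    return [triage_file(p) for p in sorted(root.rglob("*" + RANSOM_EXT)) if p.is_file()]


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Toy counter-mode keystream (SHA-256), used ONLY to fabricate a sample. Not Salsa20."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def make_samples(root: Path) -> None:
    """Constructed inputs: one file really encrypted, one only renamed."""
    docx = b"PK\x03\x04" + b"Quarterly figures, constructed sample text. " * 200
    (root / ("work.docx" + RANSOM_EXT)).write_bytes(toy_encrypt(docx, b"demo-key"))
    pdf = b"%PDF-1.4\n% constructed sample\n" + b"0 obj\n" * 100
    (root / ("invoice.pdf" + RANSOM_EXT)).write_bytes(pdf)


def demo() -> List[Dict[str, object]]:
    """Build the samples in a scratch directory and return the triage report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        make_samples(root)
        return triage_dir(root)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Point `triage_dir` at the affected tree (run it from a clean machine against a read-only copy, never from the infected host) and it reports, per file, the original name, whether a known header survives, and an entropy figure; a file with an intact header can simply be renamed, while one that reads as near-random bytes is encrypted and no renaming will bring it back.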

All attempts to get an anti-malware tool onto the system proved abortive, and the 'free' services offered by products other than the ones I'm familiar with made me really paranoid; I didn't want to bring in another trojan and cause further damage to whatever was left of the system at that point.

In my search for decryption tools, I found the No More Ransom Project, but there was no tool for this variant of the malware, and in spite of following instructions from familiar cybersecurity sites, it just wouldn't let go of the files.

So I began asking questions again, some of which had been asked before.

When did this happen? What’s the source address in the mail? Has this system been backed up recently?

How recent?

In a twist of fate, the odds were back in our favor. The files had been backed up before the attack. This was the much sought ‘breakthrough’, as other efforts to restore the files had proved abortive and the system itself didn’t have a restore point.

In light of this new knowledge, I decided to reset the system completely, effectively wiping everything on it, including the malware. Then I installed an antivirus, which previously had not been possible, and ran a thorough scan just to clear whatever paranoia was left.

Pre-emptive Measures: Backup

Photo by Алекс Арцибашев on Unsplash

Considering that this was the 'saving grace', it is important to understand how to back up your system effectively.

For earlier versions of Windows, the process is detailed in the link below.

The procedure below uses File History on a system running Windows 10.

  • Connect an external drive to your PC, one with enough capacity for everything you want to keep plus room for several older versions.
  • Select Start, or simply tap the Windows key '⊞' on your keyboard.
  • Click Settings.
  • Go to Update & Security.
  • Select Backup > Add a drive.
  • Then select the drive you connected earlier.

Using this process, Windows File History will automatically back up your files to the external drive. Bear in mind that a backup drive left permanently connected is just another drive to the ransomware, which will encrypt it along with everything else; disconnect it between backups, or keep a second copy offline or off-site. Recovery is detailed in the link below.
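The File History steps above cover the basics. As an added example that is not part of the original article (and not Windows File History's own logic), the script below shows the properties a practitioner would want from any backup job, whatever tool runs it: timestamped versions rather than a single mirror, a SHA-256 manifest so a copy can be verified before you rely on it, and a guard that refuses to run when the source already contains ransomware indicators (here the '.paas' extension and the STOP/Djvu note name '_readme.txt'), so a scheduled job cannot overwrite the last good copy with encrypted files. The paths, the retention count and the sample data are assumptions for the demo.

```python
"""Versioned, verified backup with a ransomware guard.

Added example, not code from the original article and not Windows File
History. Assumptions: paths (scratch directories here), the '.paas'
extension and the STOP/Djvu note name '_readme.txt', and a keep-last-N
retention policy.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional

RANSOM_EXTENSIONS = {".paas"}       # encrypted files must never overwrite a good copy
RANSOM_NOTES = {"_readme.txt"}      # STOP/Djvu ransom note
KEEP_VERSIONS = 3                   # assumed retention: keep the newest N snapshots


def sha256(path: Path) -> str:
    """Streaming SHA-256 of a file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def ransomware_indicators(source: Path) -> List[str]:
    """Files under source that look like ransomware artefacts (by extension or note name)."""
    return sorted(str(p.relative_to(source)).replace("\\", "/")
                  for p in source.rglob("*") if p.is_file()
                  and (p.suffix.lower() in RANSOM_EXTENSIONS or p.name.lower() in RANSOM_NOTES))


def snapshot(source: Path, dest: Path, stamp: Optional[str] = None) -> Path:
    """Copy source to dest/<stamp>/data and write a SHA-256 manifest beside it.

    Refuses to run if the source already shows signs of infection, so a scheduled
    job cannot replace the last good snapshot with encrypted files.
    """
    hits = ransomware_indicators(source)
    if hits:
        raise RuntimeError("refusing to back up, ransomware indicators present: %s" % hits[:5])
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    target = dest / stamp
    data = target / "data"
    shutil.copytree(source, data)
    manifest: Dict[str, str] = {
        str(p.relative_to(data)).replace("\\", "/"): sha256(p)
        for p in sorted(data.rglob("*")) if p.is_file()
    }
    (target / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    prune(dest)
    return target


def verify(snapshot_dir: Path) -> List[str]:
    """Re-hash a snapshot; returns the files that are missing or no longer match the manifest."""
    manifest = json.loads((snapshot_dir / "manifest.json").read_text())
    data = snapshot_dir / "data"
    return [rel for rel, digest in manifest.items()
            if not (data / rel).is_file() or sha256(data / rel) != digest]


def prune(dest: Path, keep: int = KEEP_VERSIONS) -> None:
    """Delete the oldest snapshots beyond the retention count (names sort chronologically)."""
    snaps = sorted(p for p in dest.iterdir() if p.is_dir())
    for old in snaps[:-keep]:
        shutil.rmtree(old)


def demo() -> Dict[str, object]:
    """Constructed run: good backup, tamper detection, then a refused backup after infection."""
    with tempfile.TemporaryDirectory() as s, tempfile.TemporaryDirectory() as d:
        source, dest = Path(s), Path(d)
        (source / "docs").mkdir()
        (source / "docs" / "work.docx").write_bytes(b"PK\x03\x04 constructed sample")
        snap = snapshot(source, dest, stamp="20210601T090000Z")   # constructed timestamp
        clean = verify(snap)
        (snap / "data" / "docs" / "work.docx").write_bytes(b"bit rot or tampering")
        tampered = verify(snap)
        # Simulate the infection described in the article: file renamed and a note dropped.
        (source / "docs" / "work.docx").rename(source / "docs" / "work.docx.paas")
        (source / "_readme.txt").write_text("constructed ransom note")
        try:
            snapshot(source, dest, stamp="20210616T090000Z")
            refused = False
        except RuntimeError:
            refused = True
        return {"clean_verify": clean, "tampered_verify": tampered,
                "second_refused": refused, "snapshots": [p.name for p in sorted(dest.iterdir())]}


if __name__ == "__main__":
    print(demo())
```

Run `snapshot` from a scheduled task with the external drive mounted, run `verify` on the newest snapshot before trusting it, and unplug the drive afterwards; the guard is deliberately loud, because a backup job that quietly mirrors encrypted files over the last good copy is the failure that turns a bad day into a lost-data day.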

Lessons Learned

Source: jklossner.com
  • Irrespective of the quality of security built into a system or network, it still depends heavily on our ability to remain security conscious. Details overlooked while surfing the web or interacting online play a significant role in falling prey to malware.
  • Every email, link and online interaction should be vetted regardless of the source address. There have been many cases where stolen credentials were used to phish the unsuspecting people on the victim's contact list. Be especially careful with attachments: executables ('.exe' files), but also archives and Office documents that ask you to enable macros, since these are routine ways of delivering malware.
  • Don't leave fate to chance even if the mail requests an urgent reply. Do due diligence on it to ensure that everything checks out.
  • Use a strong antivirus and keep it constantly updated, preferably Norton, Bitdefender or Kaspersky. Some programs seem secure and powerful enough to combat intrusions, but in real situations they simply don't work.
  • Lastly, back up. This is arguably the most important lesson from this experience. Backups play a major role in limiting the damage done by these attacks and cannot be taken for granted. It is in our best interest to keep these backups in different locations, with at least one copy kept offline so the ransomware cannot reach it, and to update them regularly.

I hope we take cues from this event and apply security measures to our own personal systems to avoid unnecessary damage caused by negligence. The landscape is evolving, and we must evolve with it.
