
Rahul Thadani
Alert: Ransomware Infections on the Rise
February 5, 2015

Overview:

Over the last year or so, there has been tremendous growth in the number of ransomware attacks that have been spotted in the wild. Cybercriminals have effectively cracked this ‘business model’ and are generating a significant amount of money through this attack mechanism. What was once an attack technique that was aimed solely at susceptible individual users has now developed the ability to afflict advanced enterprise networks as well. Ransomware attacks are capable of causing significant system downtime, loss of critical data, Intellectual Property (IP) theft and more. In several industries, a ransomware attack is now considered on par with a significant data breach.

[Chart: ransomware detection statistics, February to May 2015]

The statistics above cover February, March, April and May 2015 and represent a significant rise over the numbers reported for the preceding six months. This highlights the growing risk of ransomware and the need to take steps to prevent such infections.

[Chart: machines protected by Quick Heal products vs. ransomware detections recorded]

The chart above shows the number of machines protected from ransomware by Quick Heal products alongside the number of ransomware detections actually recorded on them. This translates to around 100,000 ransomware incidents on approximately 30,000 machines, or roughly 3 incidents per machine.

Compared with other malware, ransomware is highly destructive, and these large numbers show how much user data is at risk of being made unusable until a ransom is paid. Here we discuss ransomware under the following broad sections:

  • What is ransomware?
  • Infection vectors
  • Payment mechanisms
  • Mitigation techniques

What is ransomware?

Ransomware is a type of malware that restricts access to or damages infected computer systems for the sole purpose of extorting money from victims. The money may be demanded as a direct payment or in Bitcoin. Ransomware can also encrypt user files on a system and display threatening or incriminating messages on screen in order to demand money via online payment mechanisms. Ransomware can be broadly classified into the following two types:

  • Encryptor: encrypts all important files and demands a ransom to decrypt them.
  • Screen Locker: locks the infected system entirely and prevents its use until a ransom is paid.

Computer users keep many important documents, images, photos, source code files and so on on their systems, so ransomware variants make sure they can encrypt every possible file type. The extensions that are susceptible to attack by ransomware are listed below:

[Image: file extensions targeted by ransomware]

Some of the prevalent ransomware families that have been spotted in the wild are:

  • Cryptorbit aka Critroni aka CTB-Locker
  • Cryptolocker
  • CryptoWall aka Crowti
  • ZedoPoo
  • TorrentLocker aka Teerac
  • PornoBlocker
  • PornoAsset
  • Foreign
  • Genasom
  • Urausy
  • Reveton
  • Blocker

Here are some screenshots of a few ransomware families:

[Screenshot] Encryptor: CTB-Locker

[Screenshot] Encryptor: Cryptolocker

[Screenshot] Screen Locker: Urausy

Top ransomware in 2015

[Table: top 10 ransomware detections per month, 2015]

The table above shows the most common ransomware strains detected in the last few months of 2015. Most of these strains reached machines in the form of malicious emails, further highlighting the need for users to be cautious about which emails they open and which attachments they actually download onto their machines.

Infection vectors

Spam email is a major contributor to the spread of ransomware across the globe. This infection vector usually arrives as an attachment containing two levels of .zip files wrapped around an .scr file. Recently, however, these attachments have also been spotted with .cab extensions, as highlighted in the image below.

[Image: spam email with a .cab attachment]

The malicious file inside this attachment is a downloader, which fetches, installs and executes the ransomware on the machine.
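To make the attachment pattern concrete, here is an added example, written for this post and not Quick Heal's own Email Protection code: it walks a nested .zip attachment, flags executable members such as .scr (including the "document.pdf.scr" double-extension lure) and holds .cab attachments for manual review. The sample attachments are constructed in memory and the extension policy sets are assumptions.

```python
"""Minimal attachment inspector for the nested-archive lure: a .zip holding
a second .zip that wraps an .scr downloader. Example code, not a product."""
import io
import zipfile

# Windows extensions that execute on double-click. This policy set is an
# assumption for the example; align it with your mail gateway's block list.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
OPENABLE_ARCHIVES = {".zip"}      # archive types this inspector can unpack
FLAGGED_ARCHIVES = {".cab"}       # no stdlib reader: flag for manual review


def _ext(name: str) -> str:
    """Lower-cased final extension of a (possibly slash-joined) path, or ''."""
    base = name.rsplit("/", 1)[-1]
    return ("." + base.rsplit(".", 1)[1].lower()) if "." in base else ""


def inspect_attachment(name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Walk an attachment and its nested zip members.

    Returns a list of (depth, path, reason) findings; depth 0 is the
    attachment itself, depth 1 its direct members, and so on.
    """
    findings = []
    ext = _ext(name)
    if ext in EXECUTABLE_EXTS:
        findings.append((depth, name, "executable extension " + ext))
        stem = name.rsplit("/", 1)[-1][: -len(ext)]
        if "." in stem:  # e.g. Invoice.pdf.scr: a document name hiding a program
            findings.append((depth, name, "double extension disguises executable"))
    if ext in FLAGGED_ARCHIVES:
        findings.append((depth, name, "cab archive attachment, inspect manually"))
    if ext in OPENABLE_ARCHIVES:
        if depth >= max_depth:
            findings.append((depth, name, "archive nested deeper than %d levels" % max_depth))
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if member.is_dir():
                        continue
                    inner = name + "/" + member.filename
                    findings.extend(inspect_attachment(inner, zf.read(member), depth + 1, max_depth))
        except zipfile.BadZipFile:
            findings.append((depth, name, "zip extension but not a parseable zip"))
    return findings


def is_suspicious(findings: list) -> bool:
    """A plain archive of documents yields no findings; anything else is held."""
    return len(findings) > 0


def build_lure_sample() -> bytes:
    """Constructed two-level lure: outer .zip -> inner .zip -> Invoice_2015.pdf.scr."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Invoice_2015.pdf.scr", b"MZ" + b"\x00" * 64)  # fake PE header, inert
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Invoice_2015.zip", inner.getvalue())
    return outer.getvalue()


def build_benign_sample() -> bytes:
    """Constructed benign archive: a single text document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", b"quarterly notes, nothing executable here")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("Invoice_2015.zip", build_lure_sample()),
                        ("notes.zip", build_benign_sample()),
                        ("report.cab", b"MSCF")):
        results = inspect_attachment(label, data)
        print(label, "SUSPICIOUS" if is_suspicious(results) else "clean")
        for depth, path, reason in results:
            print("  " * (depth + 1), path, "->", reason)
```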

Other malware families that act as downloaders for ransomware include:

  • Upatre
  • Cutwail
  • Zbot
  • Kuluoz
  • Gamarue
  • Dalexis

Payment mechanisms

Ransomware samples commonly use the payment mechanisms listed below to collect the ransom:

  • SMSs or phone calls to premium-rate numbers
  • Prepaid electronic payment – Ukash, MoneyPack etc.
  • Bitcoins – a virtual currency which makes it difficult to trace the actual recipient of the money

Ransomware creators have also started hosting dedicated payment gateways behind the Tor network for anonymity, as seen in the case of TorrentLocker.

Quick Heal strongly advises users not to pay the ransom demanded. Paying encourages this menace and, moreover, provides no guarantee that the attacker will actually decrypt the files and return the data.

Mitigation techniques

We also recommend the following security measures to stay protected against ransomware attacks:

  • Ensure you are using the latest version of Quick Heal and that it is updated with the latest virus databases.
  • Quick Heal provides multiple lines of defense against malware; ensure that Virus Protection, DNAScan, Advanced Behavior Detection System and Email Protection are all enabled. We strongly recommend that you configure your Quick Heal security product for maximum protection.
  • Since Quick Heal uses behavior-based detection, we recommend that users pay attention to any Behavior Detection System (BDS) prompts they receive. There have been cases where BDS detected a ransomware sample but the user allowed execution without actually reading the prompt.

Email Protection: Since ransomware commonly enters systems via spam emails carrying multiple levels of compressed .zip or .cab archives, or at times links to other downloadable files, make sure Email Protection is ON. Quick Heal Email Protection actively blocks such malicious and suspicious attachments.

Browser Sandbox is a useful tool against malware that uses the Internet as its infection vector. Enable Browser Sandbox from the Quick Heal dashboard under Internet and Network Settings. Alternatively, use the “Quick Heal Secure Browse” feature by launching it from your desktop while you check email or access the Internet. The feature creates a secure layer around the OS to prevent tampering by malware.

Advanced Behavior Detection System is a proactive detection tool that takes into account the behavior of an application. If you did not install the application under suspicion, it is recommended to block its activity by selecting the ‘BLOCK’ action.

[Screenshot: Quick Heal Advanced Behavior Detection System warning prompt]

External Drives and Devices: Enable Autorun Protection and scan USB drives or external hard drives before copying any files from them.

Periodically scan the system using AntiMalware (Quick Heal dashboard >> Tools >> Launch AntiMalware), which detects adware, pop-ups and potentially unwanted applications (PUAs). This removes the risk of downloading malware through “malvertising”.

[Screenshot: Quick Heal AntiMalware]

Applying important software updates and patches

Ensure that Windows Update is enabled to automatically download and apply regular security updates, and that your system has the latest Windows security patches installed. Also apply updates for important software that is regularly targeted, such as:

  • The operating system on your machine
  • Microsoft Office – Office 2003, 2005 and 2008; apply the patches for the RTF vulnerabilities CVE-2012-0158 and CVE-2010-3333, which are actively targeted
  • Java
  • Adobe Acrobat Reader
  • Web browsers like Internet Explorer, Chrome, Firefox, Opera etc.
  • Adobe Reader and Flash Player

Regular backup of important data

It is very important to understand the need for a data backup policy covering all your important data. We highly recommend that you periodically back up your important data using the right combination of online and offline backups. Do not keep offline backups connected to your system, as that data could be encrypted in case of an infection. Users should also identify critical and confidential data so that an effective data backup and recovery process can be planned for it.

Follow best security practices

  • Do not open or execute attachments received from unknown senders. Cybercriminals use ‘social engineering’ techniques to lure users into opening attachments or clicking on links that lead to malware.
  • Keep strong passwords for login accounts and network shares.
  • Avoid downloading software from untrusted P2P or torrent sites. At times it is Trojanized with malicious software.
  • Do not download cracked software, as it carries the added risk of opening a backdoor for malware into your system.

UPDATED POST: Statistics of malware detection for the months of February, March, April and May 2015 and the top 10 malware samples for each of these months have been added.


Rahul Thadani
About Rahul Thadani
Rahul is a web enthusiast and blogger, and has been writing about the computer security industry for the last three years. Following the latest technology trends,...

91 Comments


  1. qamar mukhtar, February 5, 2015 at 7:08 PM

    Excellent piece of information shared on this forum by the Quick Heal team!!

    Thanks and regards
    qamar

  2. Hi, I am using Quick Heal antivirus. But while browsing I am getting very annoying ads in between, and automatically another web page opens. It's irritating. Any solution on this please?

  3. vishal joshi, February 5, 2015 at 8:55 PM

    Really very important information
  4. Joel Fentin, February 6, 2015 at 1:29 AM

    Suddenly I am getting what may be ransomware. Periodically I get a popup telling me that I don’t have a legitimate copy of Windows 7. They want to sell me Windows. I can make the popup go away, but it comes back sooner or later.

    My copy of Windows came with the Dell computer and is legit. Not sure what to do or not do.

    If the answer to this goes to a blog or list, I don’t know which nor how to find it.

    Thanks

    • Hi Joel,

      The message that you are getting is a standard notification from Windows for users who do not have a legit Windows license. Nevertheless, we recommend you get in touch with our support team in case you suspect that this is a kind of ransomware infection:

      1. You can submit your query at http://bit.ly/Askus. The team will get back to you with a solution.
      2. You can also contact them at 0-927-22-33-000.
      3. Alternatively, you can chat with our engineers by visiting this link >> http://bit.ly/QHSupport

      Regards,

  5. Thank you very much for the alertness.

  6. Thanks for enlightening us.
  7. Karthik harshavardhan, February 6, 2015 at 9:27 AM

    I don't know why my phone is hanging every time and getting stuck for 30 min, then releasing a bit and getting stuck again. Can you resolve my problem please?

    • Hi Karthik,

      Have you tried a factory reset on your device? Most of the time, this resolves the issue. However, ensure that you have backed up your data and apps before you perform a factory reset.

      Regards,

  8. In my system virus protection is turned off. What do I have to do?

    • Hi Daniel,

      Please check if your system has an antivirus installed or not. If not, then get a reliable antivirus software. If your system has an antivirus, open the software and turn on the virus protection.

      Regards,

  9. Nice app
  10. Manamohan Mishra, February 6, 2015 at 1:11 PM

    Suddenly I am not being allowed to save a file in any other folder except the desktop or user / document folder.
    It needs access permission.
    How can I provide the permission?
    Also PDF downloads are not being downloaded, which was previously working.
    Thanks in advance, awaiting your response.
    Manmohan Mishra

    • Hi Manmohan,

      In order to resolve this issue, we would recommend that you contact our technical support center. You can reach them in the following two ways –

      1. You can call them on 0-927-22-33-000.
      2. You can submit a ticket by visiting this link – http://www.quickheal.co.in/submitticket.

      Do let us know if there is something else that we can help you out with.

      Regards.

  11. Sanjeeb sanju, February 6, 2015 at 1:21 PM

    Very nice, this app, I love it. Thanks.

  12. I don’t have to worry about these things because I have Quick Heal, which will fight for sure. Thanks for the news, I will be more cautious from now on. Thank you so much.
  13. GAURAV GUPTA, February 6, 2015 at 4:13 PM

    I RECENTLY UPDATED MY QUICK HEAL AS WELL AS MY CHROME BROWSER. THE PROBLEM I AM FACING IS THAT MY GOOGLE CHROME IS NOT STARTING SOMETIMES. ACTUALLY IT SHOWS IN THE TASK MANAGER THAT CHROME IS RUNNING BUT IT DOES NOT START.
    PLEASE HELP

    • Hi Gaurav,

      In order to resolve this issue, we would recommend that you contact our technical support center. You can reach them in the following two ways –

      1. You can call them on 0-927-22-33-000.
      2. You can submit a ticket by visiting this link – http://www.quickheal.co.in/submitticket.

      Do let us know if there is something else that we can help you out with.

      Regards.

  14. GAUTAM SHARMA, February 6, 2015 at 4:42 PM

    HELLO FRIENDS, I'M USING QUICK HEAL AND ITS PERFORMANCE IS GOOD

  15. purshottam sainik, February 6, 2015 at 6:08 PM

    I had purchased Quick Heal Antivirus Pro from a local shop. When I loaded the CD, nothing happened. I called the help number found from the web address. I spoke to a lady, who enquired about the 20 digit ID. She asked me to get in touch with the dealer. I got it from the bill description. After ten minutes I called the help centre again. A male voice said, "Hello Mr. Purshottam, how can I help you?" I was surprised by the personal touch I got from an unknown and distant person whom I did not know. He solved my problem within a minute, asking me to follow a link he would send by email. Things were sorted. It may be business marketing training but I loved it. Thank you to all who develop such a humane atmosphere.

    • Hi Mr. Purshottam,

      We are glad we could be of service and that you were satisfied with the service we provided. Thank you for sharing this feedback. We also look forward to serving you and your IT security needs further in the upcoming future.

      Best Regards.
  16. Dear Sir,

    I have a Dell laptop. I have recently noticed one icon running in my tray – QuickSet. Please let me know, is this any kind of threat or security issue?

    If this is not useful I prefer to remove it. Please let me know how to remove it?

    Regards
    Arun

  17. premrajvarma, February 6, 2015 at 8:08 PM

    Quick Heal good software

  18. Hi Rajib,
    Thanks for your valuable information.
    But yesterday one of our domain users got infected with CTB-Locker, which came through spam mail.
    We cleaned the malware after learning of the issue, but the Office files are damaged and carry the extension .jqsvxxx. We successfully changed the extension back, but the data is encrypted and we are unable to fix it.
    Kindly tell us if there is a tool to fix the data.

    Regards

    • Hi Amit,

      This is a serious issue and needs to be resolved with the help of our technical support team. We recommend that you contact our support team in the following two ways:

      1. Call our help center on 0-927-22-33-000.
      2. Submit a ticket by visiting this link – http://www.quickheal.co.in/submitticket.

      Our team will contact you with a solution as soon as possible.

      Best Regards.

  19. Very good efforts. Please keep it up and provide new protection even on a payment basis, if needed.
  20. GAUTAM KUMAR ROY, February 6, 2015 at 11:22 PM

    MY SYSTEM GOT INFECTED BY CRYPTOWALL RANSOMWARE AND MY FILES WERE ENCRYPTED. PLEASE SUGGEST A SOLUTION FOR THIS, AND PLEASE LET ME KNOW HOW I CAN GET MY FILES BACK.

    • Hi Gautam,

      This is a serious issue and needs to be resolved with the help of our technical support team. We recommend that you contact our support team in the following two ways:

      1. Call our help center on 0-927-22-33-000.
      2. Submit a ticket by visiting this link – http://www.quickheal.co.in/submitticket.

      Our team will contact you with a solution as soon as possible.

      Best Regards.

  21. Ramesh Sahajlan, February 6, 2015 at 11:51 PM

    Really very important information. Thanks, dear Rajib Singha sir
  22. A few days earlier I had made an online payment and it got stuck, I don’t know the exact reason, and my PC was also working very slowly. So is it the same problem or what? Can you please reply.

    Regards
    S P V

    • Hi Sushil,

      If your payment was unsuccessful for certain reasons, we don’t believe this can be related to the PC slowing down. Please make sure that your bank account has no suspicious activity. In all likelihood, you can carry out a full system scan of your device and this should resolve this issue.

      Best Regards.

  23. I am using the Guardian 2014 licensed copy, but still my PC does not respond, and one day when I was trying to install Opera Mini from online, after installation my desktop screen was totally blank. Please reply.

    Regards
    S P V

    • Hi Sushil,

      In order to resolve this issue, we recommend that you get in touch with our technical support team. They will be able to provide you with a solution immediately. You can reach them in the following two ways:

      1. You can call them on 0-927-22-33-000.
      2. You can submit a ticket by visiting this link – http://www.quickheal.co.in/submitticket.

      Do let us know what else we can do for you.

      Regards.

  24. rahul tiwari, February 7, 2015 at 5:26 AM

    Hello sir, in the market there are many apps available which give free balance and free net data for use. I want to know whether these apps are secure or not?

    • Hi Rahul,

      Can you share some more details about these apps, like their names and what purpose they fulfill? However, it is best to be aware that free balance and free net data sounds too good to be true. So you should be wary of such apps, as they are probably indicative of some security threat contained within them. We would suggest that you stay away from them.

      Regards.

  25. Nice antivirus
  26. Chirag Patel, February 7, 2015 at 9:54 AM

    Don’t be over confident even if you are using Quick Heal. I have a recent example of this type of attack even though that company is using Quick Heal End Point Security Business edition.

    Quick Heal support just raised their hands and said they cannot help with it. The company has been using Quick Heal for the last 7 – 8 years, trusting Quick Heal, but eventually they lost their data. This is an ongoing case from February 2015.

  27. Very helpful information to avoid such kinds of infections…

  28. prashant vyawahare, February 7, 2015 at 11:39 AM

    My computer folders and files are encrypted by a ransomware infection. How can I recover my folders and files?

    • Hi Prashant,

      This is a serious issue and needs to be resolved with the help of our technical support team. We recommend that you contact our support team in the following two ways:

      1. Call our help center on 0-927-22-33-000.
      2. Submit a ticket by visiting this link – http://www.quickheal.co.in/submitticket.

      Our team will contact you with a solution as soon as possible.

      Best Regards.

  29. The information is good, but if somebody is already a victim, how will he get
    his data back? Please provide a solution also..

    • Hi Uday,

      In cases such as this, contacting our support center is the advisable option. The ransomware has to be analyzed and cracked in order to find the decryption key for various samples, so this is an ongoing process. In case you have faced such incidents, we suggest you contact our support center for assistance.

      Regards.
  30. klinton biswas, February 7, 2015 at 2:17 PM

    I love this

  31. BHASKAR SAHU, February 7, 2015 at 10:39 PM

    Very useful message, one gets alerted to this malware… thanks for the news.

  32. chandra kant sankhala, February 8, 2015 at 9:59 AM

    Very good

  33. Ashish Sharma, February 8, 2015 at 12:52 PM

    Very nice

  34. Why, after I finish my install, can the Quick Heal antivirus still not be used? It shows this: “virus protection will be loaded when you start your system next time”

  35. pawan kumar sinha, February 8, 2015 at 1:56 PM

    Sir, I am already a victim of this and important files are encrypted. Please suggest how to recover my files.

    My number is 7858823483

    • Hi Pawan,

      This is a serious issue and needs to be resolved with the help of our technical support team. We recommend that you contact our support team in the following two ways:

      1. Call our help center on 0-927-22-33-000.
      2. Submit a ticket by visiting this link – http://www.quickheal.co.in/submitticket.

      Our team will contact you with a solution as soon as possible.

      Best Regards.

  36. Lacchu ram negi, February 8, 2015 at 3:27 PM

    Good
  37. I have Quick Heal Total Protection for my laptop. Despite this, sometimes my laptop gets overheated and stops responding and CPU usage reaches 100%. After this happens I start a Quick Heal boot time scan, and after it is done everything is fine for the next one or two days, and then the same thing starts happening again.

    My question is, what is the cause of these things happening?
    Is there any other solution?

    • Hi Mr. Raman,

      One possible cause for this could be your laptop’s shelf life. After 2-3 years of persistent usage, laptops generally see a noticeable performance dip. However, the fact that boot time scans allow the laptop to function properly for some time could also be indicative of a wider and deeper threat within the machine of too much clutter and temporary registry entries. We suggest that you contact our technical support team to resolve this issue. You can reach them on 0-927-22-33-000.

      Best regards.

  38. Prafulla Kumar Mallick, February 9, 2015 at 12:33 AM

    Thank You Quick Heal for this useful information.

  39. vinod kayarkar, February 9, 2015 at 10:09 AM

    Ransomware threat – very useful info. However, not sure how effective the steps/actions indicated by you will be. I am also facing the problem of pop ups. Have tried the block pop ups option but still facing the problem.
    Any advice?

  40. Rajiv Kumar Pandey, February 9, 2015 at 12:36 PM

    About ten days ago my computer was attacked by ransomware. It encrypted all the important files and asked for a ransom to decrypt them, although I have Quick Heal Total Protection updated. Now I am not able to open Word and other important files. What to do now?

    • Hi Rajiv,

      This is a serious issue and needs to be resolved with the help of our technical support team. We recommend that you contact our support team in the following two ways:

      1. Call our help center on 0-927-22-33-000.
      2. Submit a ticket by visiting this link – http://www.quickheal.co.in/submitticket.

      Our team will contact you with a solution as soon as possible.

      Best Regards.

  41. Baldev Singh, February 9, 2015 at 3:43 PM

    Thanks for sharing valuable information.

  42. Tanmoy Chakraborty, February 9, 2015 at 4:27 PM

    Quick Heal is the best.

  43. When I am trying to update my antivirus it is giving a message that the update definition file is corrupt, aborting the update process. The antivirus is not getting updated. Please tell me how to resolve this issue. Thanks in advance. Adit.

  44. QUICK HEAL NO 1 OF THE BEST
  45. Rajesh Tiwari, February 12, 2015 at 3:18 PM

    I am also using the updated version of QH; in spite of it, my computer got infected with CryptoWall ransomware, and the Quick Heal people were unable to resolve my issue.

  46. satyabrataroy304@gmail.com, February 14, 2015 at 11:26 PM

    I like this Quick Heal for safety.

  47. Installed Quick Heal on my PC… now it keeps going into blue screen shutdown… reinstalled twice… sent e-mails with no reply. Be wary of this product!

    • Hi Jeff,

      We are sorry for the trouble you are facing with our product. We believe this is a very rare case so there must be some conflict or compatibility issue due to which this issue is persisting. We request you to contact our support center in the following 2 ways:

      1. You can call us on 0-927-22-33-000.
      2. You can submit a ticket by visiting this link – http://www.quickheal.co.in/submitticket.

      Our technical support team will help you resolve this issue as soon as possible. We hope you give us the chance to rectify this and get to the bottom of the issue to fix it for you.

      Best regards.

  48. Hello, good morning,
    if anyone suffers from irritating ads, Quick Heal can support, but one tool has a solution for it, named AdwCleaner, and if the problem persists uninstall Google Chrome and see,
    but I am sure you will not have to uninstall Chrome……
  49. SHEELA VENUGOPAL, March 31, 2015 at 9:14 PM

    I am getting the following nagging message:

    Detected: LNK.Ransomware.E
    File: C:Users…………………kioeyez.lnk

    File successfully repairs.

    It remains there all the time. I click close (x), still it comes back. How to stop this coming?

  50. Hi,
    My laptop is already infected and the ransomware has encrypted my files. I don’t know how to repair them as I haven’t created any backup or restore points. Any idea how to get them back? The ransomware’s name is BitCrypt.

  51. I JUST FORGOT MY PARENTAL CONTROL PASSWORD AND MY EMAIL ID HAS ALSO STOPPED WORKING.
    SO IS THERE ANY PROCESS TO GET THAT PASSWORD ON MY PC ONLY?
    I WANT IT.
    PLEASE HELP ME.

  52. Alva Thomas, December 4, 2015 at 2:58 PM

    To stop internet scams we can use online security just like antivirus software and popup blocker software. So I will suggest to the users to install this type of software. Here I will suggest you a pop up blocker, i.e. ablockplus.org. Add this blocker to your browser and be safe during internet surfing.

  53. All my files are encrypted.. Quick Heal is not showing any malware????

  54. Sun Technologies, April 1, 2016 at 6:53 PM

    We are satisfied by using the Quick Heal antivirus and we are getting good support whenever there is any problem, and we are satisfied with Quick Heal.

  55. Problem # HELP DECRYPT #
    @___README___@
    6le9fBxxSz.cerber3
    h1lJc5ksT7.cerber3