Alert: Ransomware Infections on the Rise
Overview:
Over the last year or so, there has been tremendous growth in the number of ransomware attacks that have been spotted in the wild. Cybercriminals have effectively cracked this ‘business model’ and are generating a significant amount of money through this attack mechanism. What was once an attack technique that was aimed solely at susceptible individual users has now developed the ability to afflict advanced enterprise networks as well. Ransomware attacks are capable of causing significant system downtime, loss of critical data, Intellectual Property (IP) theft and more. In several industries, a ransomware attack is now considered on par with a significant data breach.
The above mentioned statistics are for the months of February, March, April and May 2015 and they represent a significant rise in the numbers that were reported for the preceding 6 months. This goes to highlight the rising risks of ransomware in the online world and how we need to take steps to prevent such infections.
The chart above sheds light on the number of machines that are protected from ransomware through Quick Heal products and the number of ransomware detections that is actually found out. What this translates to is detection of around 100,000 ransomware incidents on approximately 30,000 machines. The ransomware detection rate thus roughly translates to around 3 incidents per machine.
When compared against other malware, ransomware is highly destructive in nature and these large numbers showcase how much user data is under risk and made unusable until a ransom is paid. Here we will discuss ransomware under the following broad sections:
- What is ransomware?
- Infection vectors
- Payment mechanisms
- Mitigation techniques
What is ransomware?
Ransomware is a type of malware that restricts access to or damages infected computer systems for the sole purpose of extorting money from victims. This money can be in the form of direct payments or via Bitcoins. Ransomware also has the capability to encrypt user files on a system and display threatening or incriminating messages on screen in order to demand money via online payment mechanisms. Ransomware can be broadly classified into the following two types:
Encryptor: In this case it encrypts all important files and asks for a ransom to decrypt the files.
Screen Locker: It entirely locks the infected system and prevents the usage of the system until a ransom is paid.
Computer users have several important documents, images, photos, source code etc. stored on their systems and as a result of this, ransomware variants ensure that they have the capability to encrypt all possible file types. The extensions that are culpable to attack by ransomware are listed below:
Some of the prevalent ransomware families that have been spotted in the wild are:
- Cryptorbit aka Critroni aka CTB-Locker
- Cryptolocker
- CryptoWall aka Crowti
- ZedoPoo
- TorrentLocker aka Teerac
- PornoBlocker
- PornoAsset
- Foreign
- Genasom
- Urausy
- Reveton
- Blocker
Here are some screenshots of a few ransomware families:
Encryptor: CTB-Locker
Encryptor: Cryptolocker
Screen Blocker: Urausy
Top ransomware in 2015
The table above shows the most common ransomware strains that were detected in the last few months of 2015. Most of these common strains reached machines in the form of malicious emails, further highlighting the need for users to be cautious about what emails they open and what attachments they actually download on their machines.
Infection vectors
Spam emails are a major contributor to spreading ransomware across the globe. This infection vector usually comes with attachments with two level .zip files and .scr file. However, recently these attachments have been spotted with .cab extensions as well, and this is highlighted in the below image.
The malicious file inside this attachment is a downloader which installs and executes ransomware on the machine.
Some other malware families which act as a downloader for ransomware are listed below:
- Upatre
- Cutwail
- Zbot
- Kuluoz
- Gamarue
- Dalexis
Payment mechanisms
Ransomware samples commonly use various payment mechanisms that are mentioned below in order to collect ransom:
- SMSs or phone calls to premium-rate numbers
- Prepaid electronic payment – Ukash, MoneyPack etc.
- Bitcoins – virtual currency which makes it difficult to trace the actual recipient of the money
Ransomware creators have also started hosting dedicated payment gateways running behind TOR networks for anonymity, as seen in the case of TorrentLocker.
Quick Heal strongly advises users to not pay ransom amounts that are demanded. Making such a payment encourages this menace and moreover, it does not provide any guarantee that decryption and data recovery will be provided by the attacker.
Mitigation techniques
We also recommend the following security measures to remain protected against ransomware attacks:
- Ensure you are using the latest version of Quick Heal and it is updated with the latest virus databases.
- Quick Heal provides multiple lines of defense against malware and you need to ensure Virus Protection, DNAScan, Advanced Behavior Detection System and Email Protection are all enabled. We strongly recommend that you configure your Quick Heal security product for maximum protection.
- Since Quick Heal makes use of behavior based detection, we recommend that our users stay aware about any Behavior Based Detection (BDS) prompts that they receive. There have been cases where the BDS has detected a ransomware but a user has allowed execution without actually reading the prompt anyway.
Email Protection: Since ransomware commonly enters systems as spam emails with multiple levels of compressed .zip or .cab archives, or at times links to other downloadable files, you should make sure email protection is ON. Quick Heal Email Protection actively blocks such malicious and suspicious attachments.
Browser Sandbox is a great tool against malware using the Internet as infection vectors. Please enable Browser Sandbox from the Quick Heal dashboard & Internet and Network Settings. Alternatively, you can use the “Quick Heal Secure Browse” feature by launching it from your desktop while you are checking emails or accessing the Internet. The feature creates a secure layer around the OS to avoid tampering that can be carried out by malware.
Advanced Behavior Detection System is a proactive detection-based tool that takes into account the behavior of an application. If the application under suspicion is not installed by you, it is recommended to block activity of this application by selecting the ‘BLOCK’ action.
External Drives and Devices: Enable Autorun Protection and scan USB drives or external hard drives before copying any files from them.
Periodically, scan the system using AntiMalware (Quick Heal dashboard >> Tools >> Launch AntiMalware) which detects Adware, pop-ups and potentially unwanted applications (PUAs). It removes the risk of downloading malware through “Malvertising”.
Applying important software updates and patches
Ensure that Windows Update is enabled to automatically download and apply regular security updates. Also ensure that your system has the latest Windows security patches installed. Also apply updates for important software which is regularly targeted, such as:
- The operating system on your machine
- Microsoft Office – Office 2003, 2005 and 2008 with patches are targeted with vulnerable RTF CVE-2012-0158 and CVE-2010-3333
- Java
- Adobe Acrobat Reader
- Web browsers like Internet Explorer, Chrome, Firefox, Opera etc.
- Adobe Reader and Flash Player
Regular backup of important data
It is very important to understand the need for data backup policies for all your important data. It is highly recommended that you periodically backup your important data using the right combination of online and offline backups. Do not keep offline backups connected to your system as this data could be encrypted in case of an infection. Users should also ensure that critical and confidential data needs to be identified so that an effective data backup and recovery process can be planned for.
Follow best security practices
- Do not open and execute attachments received from unknown senders. Cybercriminals use ‘Social Engineering’ techniques to allure users to open attachments or to click on links containing malware.
- Keep strong passwords for login accounts and network shares.
- Avoid downloading software from untrusted P2P or torrent sites. At times, they are Trojanized with malicious software.
- Do not download cracked software as they could propagate the added risk of opening a backdoor entry for malware into your system.
UPDATED POST: Statistics of malware detection for the months of February, March, April and May 2015 and the top 10 malware samples for each of these months have been added.
91 Comments
Excellent piece of information shared on this forum by quick heal team !!
Thanx n regards
qamar
good
Hi i am using Quick heal antivirus. But while browsing i am getting very annoying adds in between. And automatically another web page opens. Its irritating. Any solution on this please?
Hi Sneha,
We recommend you to turn ON pop-up blocker in your browser or install an add-on/extension that blocks Ads. Follow the links below to know how to turn ON pop-up blocker:
1. https://support.google.com/chrome/answer/95472?hl=en
2. https://support.mozilla.org/en-US/kb/pop-blocker-settings-exceptions-troubleshooting
3. https://support.microsoft.com/kb/909604
Regards,
The POP-UP BLOCKER is already ON of Google Chrome but still I am facing the problem & it’s very irritating me while surfing. Please guide me.
When I had clicked on REPLY, then also pop-ups started.
Hi Jaydip,
Please go to your system’s Control Panel and uninstall any unknown program that might have gotten installed. Also, check for unknown extension in your Google Chrome browser, and remove them if any. You can also reset your browser to solve this issue. To know how to do this, please visit – https://support.google.com/chrome/answer/3296214?hl=en
Regards,
Try using Quick Heal AntiMalware as explained in above blog
Quick Heal dashboard >> Tools >> Launch AntiMalware
Really very important information
Suddenly I am getting what may be ransomware. Periodically I get a popup telling me that I don’t have a legitimate copy of Windows 7. They want to sell me Windows. I can make the popup go away, but it comes back sooner or later.
My copy of windows came with the Dell computer and is legit. Not sure what to do or not do.
If the answer to this goes to a blog or list, I don’t know which nor how to find it.
Thanks
Hi Joel,
The message that you are getting is a standard notification from Windows for users who do not have a legit Windows license. Nevertheless, we recommend you to get in touch with our support team in case you suspect that this is a kind of Ransomware infection:
1. You can submit your query at https://bit.ly/Askus. The Team will get back to you with a solution.
2. You can also contact them at 0-927-22-33-000.
3. Alternatively, you can chat with our engineers by visiting this link >> https://bit.ly/QHSupport
Regards,
thank u very much for the alertness
Thanks for enlightening us.
i dont know why my phone is hanging up every time and strucking for 30min and releasing some and again strucking can u resolve my problem please
Hi Karthik,
Have you tried a factory reset on your device? Most of the time, this resolves the issue. However, ensure that you have backed up your data and apps before you perform a factory reset.
Regards,
In my system virus protection is turned off what i have to do
Hi Daniel,
Please check if your system has an antivirus installed or not. If not, then get a reliable antivirus software. If your system has an antivirus, open the software, and turn on the virus protection.
Regards,
Nice app
Suddenly I am not being allowed to save a file in any other folder except desktop or user / document folder.
It needs access permission.
How can I provide the permission?
Also pdf downloads are not being downloaded, which was previously being done.
Thanks in advance awaiting for response.
Manmohan Mishra
Hi Manmohan,
In order to resolve this issue, we would recommend that you contact our technical support center. You can reach them in the following two ways –
1. You can call them on 0-927-22-33-000.
2. You can submit a ticket by visiting this link – https://www.quickheal.co.in/submitticket.
Do let us know if there is something else that we can help you out with.
Regards.
very nice this app I love it’s thanks.
i don’t have to worry about these things because i have quickheal..which will fight for sure …thanks for the news i will be more cautious by now..thank you so much..
I RECENTLY UPDATED MY QUICK HEAL AS WELL AS MY CHROME BROWSER. PROBLEM I AM FACING IS MY GOOGLE CHROME IS NOT STARTING SOMETIMES. ACTUALLY IT SHOWS IN THE TASK MANAGER THAT THE CHROME IS RUNNING BUT IN DOST NOT STARTS. P
PLZ HELP
Hi Gaurav,
In order to resolve this issue, we would recommend that you contact our technical support center. You can reach them in the following two ways –
1. You can call them on 0-927-22-33-000.
2. You can submit a ticket by visiting this link – https://www.quickheal.co.in/submitticket.
Do let us know if there is something else that we can help you out with.
Regards.
HELLO FRIEND’S M USING QUICK HEAL ….AND IT’S PERFORMANCE IS GOOD
I had purchased quick heal antivirus pro from a local shop. When I loaded CD, nothing happened, I called the help number found from the web address. I spoke to a lady, who enquired about 20 digit id. She asked me to get in touch with the dealer. I got it from the bill descreption. After ten minutes I called again the help centre. A msle voice said hallow Mr. Purshottam, what can I help you. I was surprised by the personal touch I got from an unlnown and distant person whom I did not know. He sloved my prolem within a minute asking me to folloow link he would sent in email. Things were sorted. It may be business marketing training but I loved it. Thankyou to all who develop such humanite atmosphere.
Hi Mr. Purshottam,
We are glad we could be of service and that you were satisfied with the service we provided. Thank you for sharing this feedback. We also look forward to serving you and your IT security needs further in the upcoming future.
Best Regards.
Dear Sir,
I have dell laptop. I have noticed may be recent one icon running in my tray – QuickSet. Please let me know is this any kind of threat, security issue?
If this not useful I prefer to remove this. Please let me know how to remove?
Regards
Arun
Hi Arun,
QuickSet is a proprietary program developed and preinstalled by Dell in all their laptops. It has certain network driver properties which Dell recommends you to have on your laptop. In case you wish to install it, we suggest you have a look at Dell’s website containing the relevant information before you decide to go ahead and remove it. Have a look at this Dell link for your perusal – https://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=CDJ0K.
Regards.
Quick heal good software
Hi Rajib,
Thanks for your valuable information.
but, yesterday one of our domain user had get infected with CBT-Locker, which is come through the spam mail.
we have clean the malware after knowing the issue but office file are damage with the extension of .jqsvxxx file. we are successful change the extension but the data were encrypted & unable fix.
kindly tell us if tool to fix the data.
Regards
Hi Amit,
This is a serious issue and needs to be resolved with the help of our technical support team. We recommend that you contact our support team in the following two ways:
1. Call our help center on 0-927-22-33-000.
2. Submit a ticket by visiting this link – https://www.quickheal.co.in/submitticket.
Our team will contact you with a solution as soon as possible.
Best Regards.
Very good efforts. Please keep it up and provide new protection even on payment basis, if needed.
MY SYSTEM GOT INFECTED BY CRYPTOWALL RANSOME WARE AND MY FILES WERE ENCRYPTED. PLEASE SUGGEST AND SOLUTION FOR THIS, AND PLEASE LET ME KNOW , HOW CAN I GET MY FILES BACK.
Hi Gautam,
This is a serious issue and needs to be resolved with the help of our technical support team. We recommend that you contact our support team in the following two ways:
1. Call our help center on 0-927-22-33-000.
2. Submit a ticket by visiting this link – https://www.quickheal.co.in/submitticket.
Our team will contact you with a solution as soon as possible.
Best Regards.
Really very important information.Thanks Dear Rajib Singha sir
Few days earlier I have had made an on-line payment and it strucked don’t know the exact reason and my PC was also working very slow so is it the same problem or what can you please reply.
Regards
S P V
Hi Sushil,
If your payment was unsuccessful for certain reasons, we don’t believe this can be related to the PC slowing down. Please make sure that your bank account has no suspicious activity. In all likelihood, you can carry out a full system scan of your device and this should resolve this issue.
Best Regards.
As I am using the Guardian 2014 License Copy but still my PC does not respond and one day when I was trying to Install the opera mini from on-line after installation my desktop screen was totally blank Please reply.
Regards
S P V
Hi Sushil,
In order to resolve this issue, we recommend that you get in touch with our technical support team. They will be able to provide you with a solution immediately. You can reach them in the following two ways:
1. You can call them on 0-927-22-33-000.
2. You can submit a ticket by visiting this link – https://www.quickheal.co.in/submitticket.
Do let us know what else we can do for you.
Regards.
Hello sir in the market there are maney apps available which gives free balance and free net data for use . I want want to these apps are secure or not ?
Hi Rahul,
Can you share some more details about these apps, like their names and what purpose they fulfill? However, it is best to be aware that free balance and free net data sounds too good to be true. So you should be wary of such apps and they are probably indicative of some security threat that is contained within them. We would suggest that you stay away from them.
Regards.
Nice antivires
Don’t be over confident even if you are using Quick Heal. I have recent example of this type of attack even though that company is using Quick Heal End Point security Business edition.
Quick heal support just raised their hands that they can not help with it. The company is using quick heal since last 7 – 8 years trusting Quick. Heal but eventually they lost their data. this is the ongoing case of February 2015.
Hi Chirag,
Thanks for sharing your feedback. We can assure you that we are trying our best to preserve the confidentiality of data in cases such as this.
Best regards.
Very helpful information to avoid such kind of infections…
My computer folders and files are encrypted by Ransomware infections how i recovered my folders and files
Hi Prashant,
This is a serious issue and needs to be resolved with the help of our technical support team. We recommend that you contact our support team in the following two ways:
1. Call our help center on 0-927-22-33-000.
2. Submit a ticket by visiting this link – https://www.quickheal.co.in/submitticket.
Our team will contact you with a solution as soon as possible.
Best Regards.
informations are good, but if somebody is already a victim, how he will get
his data back, pl. provide any solution also..
Hi Uday,
In cases such as this, contacting our support center is the advisable option. The ransomware has to be analyzed and cracked in order to find the decryption key for various samples, so this is an ongoing process. In case you have faced such incidents, we suggest you contact our support center for assistance.
Regards.
I love this
Very useful message, one get alert of this malawar ……thanks for the news.
veery good
Very nice
why after i finish my install the quickheal antivirus still cannot use. it show this” virus protection will be loaded when you start your system next time”
Our Support Team can help you solve this issue:
1. You can submit your query at https://bit.ly/Askus. The Team will get back to you with a solution.
2. You can also contact them at 0-927-22-33-000.
3. Alternatively, you can chat with our engineers by visiting this link >> https://bit.ly/QHSupport
Regards,
Sir,Ia already a victim of this and important files are encrypted.Please suggest how to recover my files.
mw number is 7858823483
Hi Pawan,
This is a serious issue and needs to be resolved with the help of our technical support team. We recommend that you contact our support team in the following two ways:
1. Call our help center on 0-927-22-33-000.
2. Submit a ticket by visiting this link – https://www.quickheal.co.in/submitticket.
Our team will contact you with a solution as soon as possible.
Best Regards.
Good
I have Quick Heal Total Protection for my Laptop, despite this sometimes my Lappy gets overheated and stops responding and CPU Usage reach till 100% after this happen I starts quick heal boot time scanning and after getting it done everything will be fine for next one or two days and same thing starts happening again.
My question is what is the cause of these things happening?
Is there any other solution?
Hi Mr. Raman,
One possible cause for this could be your laptop’s shelf life. After 2-3 years of persistent usage, laptops generally see a noticeable performance dip. However, the fact that boot time scans allow the laptop to function properly for some time could also be indicative of a wider and deeper threat within the machine of too much clutter and temporary registry entries. We suggest that you contact our technical support team to resolve this issue. You can reach them on 0-927-22-33-000.
Best regards.
Thank You Quick Heal for this useful information.
Ransomware threat – very useful info. However, not sure how effective the steps/actions indicated by you will be effective. I am also facing the problem of pop ups. Have tried the block pop ups but still facing problem.
Any advice?
Hi Vinod,
Do you receive these pop-ups while visiting every website?
Regards,
About ten days before my computer was attacked by Ransomware.It encrypted all the important files and asked for ransom to decrypt.Although I have Quick heal total protection updated. Now I am not able to open word and other important file. What to do now?
Hi Rajiv,
This is a serious issue and needs to be resolved with the help of our technical support team. We recommend that you contact our support team in the following two ways:
1. Call our help center on 0-927-22-33-000.
2. Submit a ticket by visiting this link – https://www.quickheal.co.in/submitticket.
Our team will contact you with a solution as soon as possible.
Best Regards.
nice
good
Thanks for Sharing valuable information .
Quick Heal is the best.
When i am trying to update my antivirius it is giving a meaasege that updaye definition file is corrupt. Aborting the update process.The antivirus is not getting updated. Please tell how to resolve this issue. Thanks In Advance. Adit.
Hi Adit,
Our Support Team can help you solve this issue:
1. You can submit your query at https://bit.ly/Askus. The Team will get back to you with a solution.
2. You can also contact them at 0-927-22-33-000.
3. Alternatively, you can chat with our engineers by visiting this link >> https://bit.ly/QHSupport
Regards,
QUICK HEAL NO 1 OF THE BEST
nice
I am also using update version of QH, in spite of it, my computer infected with cryptowall ransomware, and the quickheal people unable to resolve my issue.
Hi Rajesh,
We request to send us screenshots of the infection, if possible, to the following link – https://bit.ly/Askus. Our engineers will look into it again.
Regards,
i like this quick heal for sefty.
installed quick heal on my pc….now it keeps going into blue screen shut down…reinstalled twice…sent e-mails with no reply be wary of this product!
Hi Jeff,
We are sorry for the trouble you are facing with our product. We believe this is a very rare case so there must be some conflict or compatibility issue due to which this issue is persisting. We request you to contact our support center in the following 2 ways:
1. You can call us on 0-927-22-33-000.
2. You can submit a ticket by visiting this link – https://www.quickheal.co.in/submitticket.
Our technical support team will help you resolve this issue as soon as possible. We hope you give us the chance to rectify this and get to the bottom of the issue to fix it for you.
Best regards.
hello good morning,
if any one suffer with irritating ads, quick heal can support but one tool have solution for it name adw cleaner, and if problem persist uninstall google chrome and see
but i am sure you will not have to uninstall chrome……
I am getting following nagging message:
Detected: LNK.Ransomware.E
File: C:Users…………………kioeyez.lnk
File successfully repairs.
It remains there all the time. I click close (x) still it comes back. How to stop this coming ?
Hi Sheela,
Our Support Team can help you solve this issue:
1. You can submit your query at https://bit.ly/Askus. The Team will get back to you with a solution.
2. You can also contact them at 0-927-22-33-000.
3. Alternatively, you can chat with our engineers by visiting this link >> https://bit.ly/QHSupport >> Chat with Us
Regards,
Hi,
My laptop is already infected and the ransomware has encrypted my files. I don’t know how to repair them as I haven’t created any backup or restore points. Any idea how to get them back? The ransomware’s name is bitcrypt.
Hi Venkat,
To resolve this, we recommend that you contact our technical support team. Once you submit a ticket they will call you back with some suitable solutions. You can submit this ticket by visiting the following link – https://www.quickheal.co.in/submitticket
Regards.
I JUST FORGET MY PARENTAL CONTROL PASSWORD AND MY EMAIL ID HAS ALSO BEEN STOP WORKING.
SO IS THERE WAS ANY PROCESS TO GET THAT PASSWORD ON MY PC ONLY.
I WANT IT.
PLEASE HELP ME.
Hi Jitu,
Our support team can help you with this:
1. Kindly submit your query at https://bit.ly/Askus
2. You can also contact them at 0-927-22-33-000
3. Alternatively, you can chat with our engineers by visiting https://bit.ly/QHSupport
Regards.
To stop the internet scam we can use online security just like antivirus software and popup blockers software.So i will suggest to the users to intall this type of software.Here i will suggest you a pop up blocker that i.e. ablockplus.org.Add this blocker with your browser be be safe during internet surfing.
all my files are encrrypted.. quickheal is not showing any malwares????
Hi Rajaram,
May we request you to contact our technical support team. They will help you resolve this issue as soon as possible. You can reach them here – https://www.quickheal.co.in/submitticket.
Regards.
we are satified by using the quick heal anti virus and we are gettinga good support when ever their is any problem and we are satified with Quick heal.
Problem # HELP DECRYPT #
@___README___@
6le9fBxxSz.cerber3
h1lJc5ksT7.cerber3
Hi Sumeet,
Thank you for writing in. Our support engineers would gladly help you with this issue. Please visit https://bit.ly/QHChat to chat with us online. You can also raise a ticket at https://bit.ly/Askus and we will get back to you at the earliest.
Regards,