Ransomware
Ransomware is a particularly prevalent type of Scareware that denies access either to the computer itself or
to specific files until the user makes the requested monetary payment. There are commonly two types of
ransomware:
Screen Lockers
Screen-lock Ransomware will deny access to the computer system as a whole. A common tactic is to
display the insignia of a well-known global or regional law enforcement agency, along with a message that
the user has been identified as performing illegal activity on their computer. This is another social
engineering attack and has the effect of frightening the user into meeting the demands for financial
payment, in return for regaining access to the computer.
File Encryptors
This type of Ransomware works by systematically encrypting files found on local drives. As with screen-
locking Ransomware, the objective is to hold these files to ransom until the financial demands are met.
The level of encryption used by these threats can vary from the simple to the extremely complex. It's not
uncommon for the more sophisticated Ransomware to use RSA encryption, with a decryption key that is
downloaded directly from the attacker-controlled server. In these cases the only practical remediation
available is to restore the encrypted files from backup storage.
Payloads
The payload of Rogue Security Software can vary depending on the specific threat. Generally the intention
is to fraudulently extort money from the user and there is no other payload as such. However, there is
every possibility that further malicious functionality may be included in a particular threat instance, and for
this reason a sample of the threat will need to be submitted to McAfee Labs for analysis.
Infection Vectors
The methods by which Rogue Security Software and Scareware can find their way onto a user's system are
numerous. Commonly they will be downloaded by other malware, but they can also arrive via drive-by
downloads from compromised web pages, Peer-to-Peer file sharing applications and Spam campaigns.
Home users are particularly vulnerable to this type of threat, and attackers are known to use Search Engine
Optimisation (SEO) techniques to ensure that searches for terms such as "free anti-virus" will return pages
hosting Rogue Security Software among the top search results. In this way, ironically,
users who actively intend to make their computing experience more secure can, unknowingly, directly
download malware to their computers.
Rogue Security Software is often written with complex, custom packing/encryption to attempt to evade
legitimate security software.
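Both the file-encrypting ransomware described under File Encryptors and the custom-packed Rogue Security Software binaries described above leave the same statistical footprint on disk: near-random byte content. The following added example (not part of the original advisory, and not McAfee code) shows how a defender can combine a Shannon entropy measurement with a file-signature check to separate three cases: a document whose contents are high-entropy and no longer carry their expected header (consistent with encryption by ransomware), an executable with a valid PE header but a near-random body (consistent with a custom packer), and ordinary files. The entropy threshold, the mass-encryption ratio and the sample file contents are constructed assumptions for illustration.

```python
"""Entropy and file-signature triage for ransomware-encrypted files and packed
executables.  Added example; thresholds and sample data are assumptions."""
import math
from collections import Counter

# Expected leading bytes for a few common extensions (well-known file signatures).
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".docx": b"PK\x03\x04",   # OOXML documents are zip containers
    ".zip": b"PK\x03\x04",
    ".exe": b"MZ",
    ".dll": b"MZ",
}
EXECUTABLE_EXTS = (".exe", ".dll")

HIGH_ENTROPY = 7.2       # assumed threshold: compressed/encrypted data sits near 8.0 bits/byte
MASS_EVENT_RATIO = 0.5   # assumed: half or more of the scanned documents look encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued data, 8.0 for a flat distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extension(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def classify(name: str, data: bytes) -> str:
    """Return one of: normal, signature-mismatch, suspect-encrypted, packed-executable."""
    ent = shannon_entropy(data)
    ext = extension(name)
    expected = MAGIC.get(ext)
    magic_ok = expected is None or data.startswith(expected)

    if ext in EXECUTABLE_EXTS and magic_ok:
        # Valid PE header but near-random body: the pattern a custom packer produces.
        return "packed-executable" if ent >= HIGH_ENTROPY else "normal"
    if not magic_ok and ent >= HIGH_ENTROPY:
        # Name says document, contents are random bytes with no recognisable header:
        # the pattern a file-encrypting ransomware leaves behind.
        return "suspect-encrypted"
    if not magic_ok:
        return "signature-mismatch"
    return "normal"


def scan(files: dict) -> tuple:
    """Classify every file and flag a possible mass-encryption event.

    Returns (verdicts, mass_encryption_suspected)."""
    verdicts = {name: classify(name, data) for name, data in files.items()}
    suspect = sum(1 for v in verdicts.values() if v == "suspect-encrypted")
    mass_event = suspect / max(len(files), 1) >= MASS_EVENT_RATIO
    return verdicts, mass_event


# Constructed sample "files": the byte strings below stand in for on-disk content.
SAMPLE_FILES = {
    "report.txt": b"The quarterly report is attached. Please review the numbers before Friday.\n" * 20,
    "invoice.pdf": bytes(range(256)) * 16,          # flat byte distribution, no %PDF header
    "photo.png": bytes(range(256)) * 16,            # flat byte distribution, no PNG header
    "setup.exe": b"MZ" + bytes(range(256)) * 16,    # valid MZ header, near-random body
}

if __name__ == "__main__":
    verdicts, mass_event = scan(SAMPLE_FILES)
    for name, verdict in verdicts.items():
        print(f"{name:12s} entropy={shannon_entropy(SAMPLE_FILES[name]):.2f}  {verdict}")
    print("mass encryption suspected:", mass_event)
```

The signature check matters because entropy alone misfires on legitimately compressed formats: a genuine .docx or .zip scores close to 8.0 bits per byte yet still begins with its PK header, so it is reported as normal, whereas an encrypted document loses that header along with its readability. In a real deployment the scan would run over a file share or a user profile and the mass-event flag would feed an alert rather than a print statement.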
Hardening Actions
Configure McAfee products to be effective against these threats. More E-Mail and Web Security product
details, and information about McAfee Solution Services, are available from McAfee.
Educate personnel to prevent security breaches:
o Ensure users are aware of, and can recognise, the social engineering techniques used by Rogue
Security Software (see the McAfee Foundstone Security Education course Ultimate Hacking: Human).
Ensure that all end users are educated in safe computing practices and
that there is a clear escalation process available to them if they become suspicious.
o Only purchase security software from trusted vendors and retailers. Do not attempt to download
free utilities from untrusted sources (e.g. Peer-to-Peer file sharing applications).
o The presence of Rogue Security Software can be an indicator of an otherwise undetected attack.
Always enable Access Protection Rules and Potentially Unwanted Application detection to
maximise security against Rogue Security Software.
Employ browser security settings to prevent malicious content from running on compromised web pages
(see the McAfee Foundstone Security Education course Ultimate Hacking: Windows Security).
Ultimately, if you need specialized help, call our Incident Response & Forensics Team (regional contacts
for US, UK, DE, FR, India and Australia).
Emergency? Hacked999@Foundstone.com