NOTA BENE

Notes, comment and buzz from Eugene Kaspersky – Official Blog

October 10, 2013

K-LOVE & KISSES 2014: REASONS TO BE CHEERFUL, PART 3.

“The person needs to be brought round to the idea that he has to part with his money. He needs to be morally disarmed, and his proprietary instincts need to be stifled.”

No, not Don Draper; this is a quote from Ostap Bender, a classic fictional hero of 1930s Russian literature. And no, there’s no relation to the other famous Bender!

Thus, it would appear that, curiously, Mr. Bender knew a thing or two about capitalism, despite being from a Communist country. Hmmm…

Anyway, what he knew is that it’s sometimes possible to make folks part with their hard-earned shekels if they are manipulated the right way – the folks, that is.

Fast-forward to today… and we find this kind of manipulation alive and well – in a modern, hi-tech, cyber kinda way: today, folks gladly hand over their Benjamins to the crims behind blockers, aka ransomware, an especially sneaky form of computer malevolence. But have no fear, KL users: in the new version of KIS, we’ve got a nice surprise waiting for the blocking blockheads and their blockers.


The principle and tech behind blockers/ransomware are rather simple.

Using one of the various means available (for example, a software vulnerability), a malicious program is sneaked onto the computer; it then displays an amusing (not) photo with scary (not – with KIS :) text, and blocks the desktop and all other programs’ windows.

Unblocking is only possible (well, was possible – see below) by entering a unique code, which of course you can only get from the cyber-tricksters who infected the comp in the first place, and of course – for a fee, through premium SMS numbers or online payment systems. Until you pay the ransom, the comp remains kidnapped – no matter what you do (including Ctrl+Alt+Del), and no matter what programs you try to run (including antivirus); all you see is something like this:

[Screenshot: ransomware1]

Or this (if you’re French):

[Screenshot: ransomware2]

Or this (if you’re German):

[Screenshot: ransomware3]

Or this (if you’re Finnish):

[Screenshot: poliisitietoverkkorikosransomware_img1]

Or this (if you’re Russian):

[Screenshot: ransomware4]

… Or any of the thousands of other blocking screens similar to these, and for any platform – including Windows and Mac.

Several years ago the scale of the blocker epidemic got rather out of hand in Russia and ex-USSR countries, and in response blockheads started getting caught and sent to jail. Optimistically, turnover of this branch of computer crime in 2010 made up more than $3 million (pessimistically – more than $15 million), and the number of its victims reached the tens of millions! And something like 5% of that lot actually paid the extortionists – who, having got a taste for the swag and high life, get more and more cocky and are inspired to come up with new strains of blockhead malfeasance.

At the peak of the epidemic we released a free deblocker, available both as an app for mobile devices and as a web service. After entering the phone number or account of the extortionist given on the blocker, the deblocker generates an unblocking code, working a bit like ‘call a friend’. You’d think that the blocker epidemic might have been conquered once and for all with the advent of such a deblocker, but in fact no – the blockheads were just warming up…


It’s true that, judging by the number of visits to our deblocker web service, the scale of the scam on the whole has been reduced around tenfold. BUT… the problem in fact just got worse. Here’s how:

First: the initially uniquely Russian (post-Soviet) phenomenon went global (together with premium SMS numbers and e-money). As it did, Russian (post-Soviet) cyber-blockheads were able to hide from foreign justice due to the bureaucratic peculiarities of international cooperation.

Second: earlier, blockers were ‘honest’ (sic!), and after payment of the ransom they actually would remove the banners from screens (until they decided to block next time). These days there’s no such code of honor, and the banners stay put after payment. And not just because the blockheads are mean like that today: today’s blockers actually contain no unblocking code at all, so deblocker services are rendered redundant! Ouch!

So what’s to be done?

First of all, apart from rare exceptions, there still remains the possibility of ‘surgical intervention’ and manual removal of blockers with free utilities, should a full-fledged antivirus let an attack through. Now, if you read the abundant words at the other end of that link, you’ll understand that such surgery is far from an easy task, and one that needs sorting by specialists. So, as we’re wont to do, we decided to tear up the rulebook that says ‘specialist needed’.

Now users in KIS 2014 have a most wholesome feature which is able to remove a blocker with the help of just four fingers – your own four. Or three, but used several times :) No surgery. No specialist. And the icing on the cake: without those rare exceptions I mentioned.

How?

So:


For a couple of years already in KIS there’s been the Virtual Keyboard feature. This is an operating system driver that protects from keylogging. That is, even if a computer is infected with some super-duper Trojan or something, its attempts to intercept, for example, entered passwords, will be in vain, as keys aren’t physically pressed on the keyboard – they’re pressed on the Virtual Keyboard instead, which Trojans can’t see. Now we use this feature to fight blockheads and their blockers too…

Virtual Keyboard prevents blockers from taking full control over a keyboard. If the user enters the combination Ctrl+Alt+Shift+F4 (or Ctrl+Alt+Del several times) – Virtual Keyboard understands there’s an emergency situation and instructs KIS 2014 to launch the blocker deactivation procedure. Or, to be more precise, different antivirus components (signatures and heuristics) detect the infection and conduct a cleanup of the active processes and system registry, and unblock the screen. Then we delete the remains of the blocker with standard antivirus means, relaunch explorer.exe, and restore the ‘Start’ key (or whatever it is today) and the original desktop. Incidentally, the described scenario of blocker deactivation makes up the contents of our patent application currently undergoing expert examination.

Afterword

This summer a 21 year-old American became a blocker victim. This is what he found on his screen:

[Screenshot: ransomware5]

Eventually the guy turned himself in to the police. It then transpired that there was in fact child porn on his PC. Well, as they say, you reap what you sow…

Comments (9)

Lynne Regan

always excellent articles Mr Kaspersky. You, your product and your team are very helpful. All the very best to you all.


Lynne Regan

just thought, my Windows email account was blocked but I do not know why. I also think my martian52 email is now blocked. My server is Telstra Bigpond.com.au. My modem is Thomson Gateway. I do not send out pornography nor do I look for pornography sites. If there is something on my computer I would not have a clue about it at all. If it is hidden on this computer it has nothing to do with me. The only way I could fight this is if someone came to my door with it. I have no mind to look at my image all over the place in all sorts of situations – not good for my mind. I don’t have Facebook, nor iPhone, nor a mobile phone nor any other technology other than my land line phone and my broadband. I have experienced too much trouble with technology to trust Facebook, iPhone, mobile etc etc. I just have Twitter and I have no idea if anyone sneaks into this computer.


Lynne Regan

even if people tried to leave evidence for me to look at my server would automatically block my email I think. I don’t think anyone wants me to find out what has really been going on. It has been very distressing indeed. I don’t lie because there is no point to it. People are far more powerful than I will ever be.


Lynne Regan

another strange thing about my connection: sometimes via the Thomson Gateway (issued by the server Telstra) the little icon which indicates that I am connected has a yellow triangle indicating I have no internet connection when in fact I do. Plus when I press the world icon I automatically get Google Australia. Also, when I go through Kaspersky onto Twitter I sometimes get Google connection to Twitter (mostly) and sometimes Windows connection to Twitter. Windows used to deny my reading tweets of other people yet I could do so via Google. There seemed to be a war going on between them!!! I am very tired of it all really – so, so much trouble. Sometimes Windows would take over the computer and I could not do anything at all. I have had to clear my hard drive that many times – unbelievable really; both my old one and my new one (the old one was rendered useless). Plus Intel seems to make my computer screen freeze and go black. Many, many other things have happened – I persisted because I love listening to John Kelly Ensemble on RTElyricfm. Thanks for reading this.


Lynne Regan

oh yes, another thing I have noticed: I have had files which I cannot get rid of and I don’t know what they are at all. Plus, some of these files have been in a family member’s name, but I am still not able to access them. When I go back and look for them they have disappeared. It is all so ephemeral: here one minute, gone the next. I and my dad seem to get a lot of pressure to accept something I am against – it has been and is very hard for us.


Lynne Regan

When I came to Australia as a young girl, I worked in office work during the day and cleaned a hospital on the weekends – did this for 7 years, I then nursed the mentally handicapped, physically disabled and the aged. I then went to Western Australian University, received a BA, then went to Curtin University studying Librarianship. I worked in the Uni. Western Australian Library. I studied flute and Fine Arts. Other than the need to work on reference sites, as a Reference Librarian, I have not studied computers. I am a Luddite in the sense of today’s computer frenzy. I have never made pornography, morphed or otherwise. I look at this technology as a useful tool – it could be so very very good, but the computer world seems to spend most of its time in the sewer – which is a darn shame. There are so many interesting people, like yourself, who can tell about your experience with volcanoes – a huge one has been found in the Pacific Ocean, it is supposed to be the biggest in the world. It is under the sea.
I am not interested in pornography at all.


Lynne Regan

the history of my email: in 2010/11 I tried to have an email address with Firefox under my father’s name for my father – it completely disappeared. So I did the same with Google email under my father’s name for my father – it completely disappeared. So I tried again with Google email under my father’s name for my father – it completely disappeared. I have not tried again. I made my first email address with Windows email under my name – it completely disappeared. My second email was working fine until January 2013 when it was blocked. I have never used my martian52 email to send out emails at all. It is now blocked.

Another strange thing: when the virus scan is scanning I have noticed it comes across files/items which it asks me for a password – I have no idea at all what the password is. I have not put a password on any of the files. I don’t know if it skips it or scans it. I find it strange because it has not happened before. I think Kaspersky virus scan should be able to scan everything on my computer but it can’t because it wants my permission which I am unable to give because I have not put the password on those files/items.


Lynne Regan

did you know, and it happens all the time with my computer, that someone or something can actually turn Kaspersky security OFF. It has, just this very minute, happened.

Another strange thing: earlier, with my first hard drive, when Windows reconfigured my computer – and it was happening on a daily basis, my computer completely shut down.

It has happened again, the notification is saying I am not legal with Kaspersky!

I have never been in a spa anywhere in the world – not ever!


Lynne Regan

also, this has happened constantly since September 2010 – very frustrating. Lots of phone calls to Telstra Bigpond but I’m afraid nothing was fixed. Had IT people round, nothing fixed but lots of money went out the door. DSL, ATM, PPP, IP IvP ceased to work, if not the DSL, then the ATM, PPP, then all the lot; IP could not be recognised, could not get an IvP. I then went into Thomson Gateway, reconfigured my modem; it worked for a short while then “connection time-out” would cut me off after only minutes within connection. I would get that sorted out and the whole process would start again, DSL cut out, then I would get DSL back only to lose the ATM, PPP; then I would get the connection back only to lose the DSL, ATM and PPP. This went on up until just recently. Nearly every day. I stopped getting IT people in and started dealing with it myself.

If this Luddite had a sledge hammer handy it would have been used,
