K-LOVE & KISSES 2014: REASONS TO BE CHEERFUL, PART 3.

“The person needs to be brought round to the idea that he has to part with his money. He needs to be morally disarmed, and his proprietary instincts need to be stifled.”

No, not Don Draper; this is a quote from Ostap Bender, a classic fictional hero of 1930s Russian literature. And no, there’s no relation to the other famous Bender!

Thus, it would appear that, curiously, Mr. Bender knew a thing or two about capitalism, despite being from a Communist country. Hmmm…

Anyway, what he knew is that it’s sometimes possible to make folks part with their hard-earned shekels if they are manipulated the right way – the folks, that is.

Fast-forward to today… and we find this kind of manipulation alive and well – in a modern, hi-tech, cyber kinda way: Today, folks gladly hand over their Benjamins to the crims behind blockers, aka ransomware, an especially sneaky form of computer malevolence. But have no fear, KL users: in the new version of KIS, we’ve got a nice surprise waiting for the blocking blockheads and their blockers.


The principle and tech behind blockers/ransomware are rather simple.

Using one of the various means available (for example, a software vulnerability), a malicious program is sneaked onto the computer. It then displays an amusing (not) picture with scary (not – if you have KIS :) text, and blocks the desktop and all other programs’ windows.

Unblocking is only possible (well, was possible – see below) by entering a unique code, which of course you can only get from the cyber-tricksters who infected the comp in the first place, and of course – for a fee, through premium SMS numbers or online payment systems. Until you pay the ransom, the comp remains kidnapped – no matter what you do (including Ctrl+Alt+Del), and no matter what programs you try to run (including antivirus); all you see is something like this:

[screenshot: ransomware1]

Or this (if you’re French):

[screenshot: ransomware2]

Or this (if you’re German):

[screenshot: ransomware3]

Or this (if you’re Finnish):

[screenshot: poliisitietoverkkorikosransomware_img1]

Or this (if you’re Russian):

[screenshot: ransomware4]

… Or any of the thousands of other blocking screens similar to these, and for any platform – including Windows and Mac.

Several years ago the scale of the blocker epidemic got rather out of hand in Russia and the ex-USSR countries, and in response blockheads started getting caught and sent to jail. By optimistic estimates, the turnover of this branch of computer crime in 2010 was more than $3 million (by pessimistic ones – more than $15 million), and the number of its victims reached the tens of millions! And out of that lot something like 5% actually paid the extortionists – who get a taste for the swag and the high life, get more and more cocky, and get inspired to come up with new strains of blockhead malfeasance.

At the peak of the epidemic we released a free deblocker, available both as an app for mobile devices and as a web service. After entering the phone number or account of the extortionist given on the blocker, the deblocker generates an unblocking code, working a bit like ‘call a friend’. You’d think that the blocker epidemic might have been conquered once and for all with the advent of such a deblocker, but in fact no – the blockheads were just warming up…


It’s true that, judging by the number of visits to our deblocker web service, the scale of the scam on the whole has been reduced by around ten times. BUT… the problem in fact just got worse. Here’s how:

First: the initially uniquely Russian (post-Soviet) phenomenon went global (together with premium SMS numbers and e-money). As it did, Russian (post-Soviet) cyber-blockheads were able to hide from foreign justice due to the bureaucratic peculiarities of international cooperation.

Second: earlier, blockers were ‘honest’ (sic!), and after payment of the ransom they actually would remove banners from screens (until they decided to block next time). These days there’s no such code of honor, and the banners stay put after payment. And not just because the blockheads are mean like that today: in fact, there’s actually no code contained in blockers today for unblocking, so deblocker services are rendered redundant! Ouch!

So what’s to be done?

First of all, apart from rare exceptions, there still remains the possibility of ‘surgical intervention’ and manual removal of blockers with free utilities, should a full-fledged antivirus let an attack through. Now, if you read the abundant words at the other end of that link, you’ll understand that such surgery is far from an easy task, and one that needs sorting by specialists. So, as we’re wont to do, we decided to tear up the rulebook that says ‘specialist needed’.

Now users in KIS 2014 have a most wholesome feature which is able to remove a blocker with the help of just four fingers – your own four. Or three, but used several times :) No surgery. No specialist. And the icing on the cake: without those rare exceptions I mentioned.

How?

So:


For a couple of years now, KIS has had the Virtual Keyboard feature. This is an operating system driver that protects against keylogging. That is, even if a computer is infected with some super-duper Trojan or something, its attempts to intercept, for example, entered passwords will be in vain, as keys aren’t physically pressed on the keyboard – they’re pressed on the Virtual Keyboard instead, which Trojans can’t see. Now we use this feature to fight blockheads and their blockers too…

Virtual Keyboard prevents blockers from taking full control over the keyboard. If the user enters the combination Ctrl+Alt+Shift+F4 (or Ctrl+Alt+Del several times), Virtual Keyboard recognizes this as an emergency and instructs KIS 2014 to launch the blocker deactivation procedure. Or, to be more precise, different antivirus components (signatures and heuristics) detect the infection, clean up the active processes and the system registry, and unblock the screen. Then we delete the remains of the blocker with standard antivirus means, relaunch explorer.exe, and restore the ‘Start’ key (or whatever it is today) and the original desktop. Incidentally, the blocker deactivation scenario described here is the subject of our patent application, currently undergoing expert examination.

Afterword

This summer a 21 year-old American became a blocker victim. This is what he found on his screen:

[screenshot: ransomware5]

Eventually the guy turned himself in to the police. It then transpired that there was in fact child porn on his PC. Well, as they say, you reap what you sow…

Comments

    Lynne Regan

    always excellent articles Mr Kaspersky. You, your product and your team are very helpful. All the very best to you all.

    Lynne Regan

    just thought, my Windows email account was blocked but I do not know why. I also think my martian52 email is now blocked. My server is Telstra Bigpond.com.au. My modem is a Thomson Gateway. I do not send out pornography, nor do I look for pornography sites. If there is something on my computer I would not have a clue about it at all. If it is hidden on this computer it has nothing to do with me. The only way I could fight this is if someone came to my door with it. I have no mind to look at my image all over the place in all sorts of situations – not good for my mind. I don’t have Facebook, nor an iPhone, nor a mobile phone, nor any other technology other than my land line phone and my broadband. I have experienced too much trouble with technology to trust Facebook, iPhone, mobile etc. etc. I just have Twitter and I have no idea if anyone sneaks into this computer.

    Lynne Regan

    even if people tried to leave evidence for me to look at, my server would automatically block my email, I think. I don’t think anyone wants me to find out what has really been going on. It has been very distressing indeed. I don’t lie because there is no point to it. People are far more powerful than I will ever be.

    Lynne Regan

    another strange thing about my connection: sometimes via the Thomson Gateway (issued by the server Telstra) the little icon which indicates that I am connected has a yellow triangle indicating I have no internet connection when in fact I do. Plus when I press the world icon I automatically get Google Australia. Also, when I go through Kaspersky onto Twitter I sometimes get a Google connection to Twitter (mostly) and sometimes a Windows connection to Twitter. Windows used to deny my reading tweets of other people yet I could do so via Google. There seemed to be a war going on between them!!! I am very tired of it all really – so, so much trouble. Sometimes Windows would take over the computer and I could not do anything at all. I have had to clear my hard drive that many times – unbelievable really; both my old one and my new one (the old one was rendered useless). Plus Intel seems to make my computer screen freeze and go black. Many, many other things have happened – I persisted because I love listening to the John Kelly Ensemble on RTÉ lyric fm. Thanks for reading this.

    Lynne Regan

    oh yes, another thing I have noticed: I have had files which I cannot get rid of and I don’t know what they are at all. Plus, some of these files have been in a family members name, but I am still not able to access it. When I go back and look for it it has disappeared. It is all so ephemeral here one minute gone the next. I and my dad seem to get a lot of pressure to accept something I am against – it has and is very hard for us.

    Lynne Regan

    When I came to Australia as a young girl, I worked in office work during the day and cleaned hospitals on the weekends – did this for 7 years. I then nursed the mentally handicapped, physically disabled and the aged. I then went to Western Australian University, received a BA, then went to Curtin University studying Librarianship. I worked in the Uni. Western Australian Library. I studied flute and Fine Arts. Other than the need to work on reference sites, as a Reference Librarian, I have not studied computers. I am a Luddite in the sense of today’s computer frenzy. I have never made pornography, morphed or other. I look at this technology as a useful tool – it could be so very, very good, but the computer world seems to spend most of its time in the sewer – which is a darn shame. There are so many interesting people, like yourself, who can tell about your experience with volcanoes – a huge one has been found in the Pacific Ocean, it is supposed to be the biggest in the world. It is under the sea.
    I am not interested in pornography at all.

    Lynne Regan

    the history of my email: in 2010/11 I tried to have an email address with Firefox under my father’s name for my father – it completely disappeared. So I did the same with Google email under my father’s name for my father – it completely disappeared. So I tried again with Google email under my father’s name for my father – it completely disappeared. I have not tried again. I made my first email address with Windows email under my name – it completely disappeared. My second email was working fine until January 2013 when it was blocked. I have never used my martian52 email to send out emails at all. It is now blocked.

    Another strange thing: when the virus scan is scanning I have noticed it comes across files/items which it asks me for a password – I have no idea at all what the password is. I have not put a password on any of the files. I don’t know if it skips it or scans it. I find it strange because it has not happened before. I think Kaspersky virus scan should be able to scan everything on my computer but it can’t because it wants my permission which I am unable to give because I have not put the password on those files/items.

    Lynne Regan

    did you know, and it happens all the time with my computer, that someone or something can actually turn Kaspersky security OFF. It has, just this very minute, happened.

    Another strange thing: earlier, with my first hard drive, when Windows reconfigured my computer – and it was happening on a daily basis, my computer completely shut down.

    It has happened again, the notification is saying I am not legal with Kaspersky!

    I have never been in a spa anywhere in the world – not ever!

    Lynne Regan

    also, this has happened constantly since September 2010 – very frustrating. Lots of phone calls to Telstra Bigpond but I’m afraid nothing was fixed. Had IT people round, nothing fixed but lots of money went out the door. DSL, ATM, PPP, IP, IvP ceased to work; if not the DSL, then the ATM, PPP, then all the lot; IP could not be recognised, could not get an IvP. I then went into the Thomson Gateway, reconfigured my modem; it worked for a short while, then “connection time-out” would cut me off after only minutes within connection. I would get that sorted out and the whole process would start again: DSL cut out, then I would get DSL back only to lose the ATM, PPP; then I would get the connection back only to lose the DSL, ATM and PPP. This went on up until just recently. Nearly every day. I stopped getting IT people in and started dealing with it myself.

    If this Luddite had a sledgehammer handy it would have been used.

Trackbacks 3

Ransomware / Blockers – A New Approach to Fighting Them | InsecureNet.info – The Insecure Web

Nueva Técnica Para Combatir A Los Virus Secuestradores | Daily – Spanish – LatAm – blog.kaspersky.com.mx

Nowa metoda zwalczania oprogramowania żądającego okupu/blokerów | Używamy słów, by uratować świat | Oficjalny blog Kaspersky Lab
