

How Ransomware Is Getting More Dangerous

With all the summertime barbeques and parties heating up, who has time to worry about the latest computer virus that can either encrypt your network OR steal ALL of your passwords?

The truth is criminals aren’t taking the summer off—and in fact, many masterminds have been investing more time into creatively designing new viruses that give them more options when it comes to stealing from or extorting your business for money.

Today I want to discuss a Trojan virus that has been around for nearly a decade and is popping up again with a vengeance. This time it has been retrofitted with some sneaky new features that allow a criminal to penetrate your network and either (1) encrypt all of your data and hold it for ransom or (2) stealthily mine your network for valuable information—SSNs, password credentials—to further exploit.

Either way, these new modifications recently discovered in the Rakhni Trojan (officially Trojan-Ransom.Win32.Rakhni) are giving the bad guys a choice of how to get the most out of exploiting your network.

I really hope that this Trojan phenomenon won’t become a trend, but as I’ve mentioned before, once a criminal has his or her hands on a new and improved weapon, rest assured they will be testing out ransoming and exploiting networks for valuable information, determining which route will help them make more money the quickest.

How are businesses—including those in healthcare—getting infected?

This specific Trojan virus has been found infecting networks through email campaigns. Phishing emails containing fake documents, or links to infected sites, are the two vectors leading to infection.

After opening the email and clicking on the attachment, victims are prompted to enable editing within the PDF. Opening the PDF attachment launches a piece of malware, and once you confirm that you want to enable editing, it gets executed.

At this point, the virus goes one step further to keep you from ever suspecting that you're infected. A message box pops up with an error that looks as if it came from Adobe, which so far has misled the majority of victims into thinking nothing was wrong with their computer.

Criminals are smart—they’re designing and creating ways that make their attacks go undetected!

Cybercriminals are not run-of-the-mill workers. They are crafty. They are manipulators. They understand computer networks. They have even become social engineering experts. The latest cyberattacks have gone undetected internationally and continue to infect businesses, healthcare offices and even large hospitals and insurance companies.

The main reason?

These criminals are outsmarting the IT security and support systems your IT team put in place (likely years ago). They are fooling your users into clicking on things they perhaps shouldn't, and they are even making the aftermath of clicking on a malicious link or file attachment look like a normal, day-to-day error.

If you or your staff were to have clicked on that download and ignored the rather benign-looking error pop-up from Adobe, what would happen next?

Once downloaded, according to the cybersecurity researchers actively studying the latest cyberattacks, this particular virus decides whether to encrypt your data or stealthily steal your information.

If you have specific folders or applications on your machine or on other machines on your network, it installs the cryptor executable. The cryptor crawls your machine and then the rest of your network, encrypting ALL of your files and ransoming your business for them.

Once the cryptor executable is initiated, it will only start encrypting your machine once it’s been idle for at least two minutes. At that point, it searches out and encrypts a wide variety of file types.

In every folder it encrypts, the cryptor virus includes a text file with its ransomware message. The message warns that using decryptors will corrupt the original files, provides a deadline for payment and an email address.

If you don’t have those specific folders or use certain applications, it will make a couple more decisions on how to proceed.

The virus will look at how many processors your machine has. What it is particularly interested in is whether your machine can run more than one process at once (so that you can keep working in your Word docs, PowerPoints, EHR system or other software without noticing a big difference in performance). If your machine fits the needed specs and is powerful enough, the virus installs a mining executable to continuously steal information off of your network.

Note: many experts believe that if your infected computer is high performing, cybercriminals will likely default to stealing sensitive information rather than encrypting your network because the payoff is much bigger (they actually get SSNs, can steal real identities, get credentials to bank accounts and other logins to exploit rather than simply getting a relatively small ransom payment fulfilled).

When on your computer, what else will criminals look for?

Experts have been warning that criminals will steal ANY information they can use for extortion. Their mission is to get as much money out of your business as possible, and they will try by any means available to make as much as they can from stealing and extorting.

In order to further disguise the data mining tool as a trusted process, the attacker signs it with a fake Microsoft Corporation certificate. This seemingly trusted process then goes about mining your computer and your network for valuable information.

What if your computer isn't powerful enough? The virus switches to worm behavior and copies itself to every computer on the network (and to other networks if you move your machine, say to a coffee shop or a different office).

It essentially runs a command searching for other machines, builds a list of those with shared resources (for example, machines that share access to data or other resources), and then installs the worm on all of the other computers on the network.
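Two of the behaviors described above leave footprints a defender can look for: a process whose certificate claims "Microsoft Corporation" but does not validate, and a process that drops the same ransom note file into folder after folder. The following is an added example (not code from the original post, Kaspersky, or any vendor) that turns those two footprints into simple detection rules over a constructed set of endpoint events; the event field names, the `MESSAGE.txt` note name and the thresholds are assumptions for illustration.

```python
"""Toy detection rules for the two Rakhni behaviours described above.
EVENTS is constructed sample telemetry (not real data): each dict is one
process-creation or file-write record as an endpoint agent might emit it.
"""
from collections import defaultdict

EVENTS = [  # constructed for illustration; field names are assumptions
    {"ts": 0, "type": "process", "pid": 41, "image": r"C:\Windows\System32\svchost.exe",
     "signer": "CN=Microsoft Corporation", "sig_status": "Valid"},
    {"ts": 5, "type": "process", "pid": 77, "image": r"C:\Users\u\AppData\Local\Temp\updater.exe",
     "signer": "CN=Microsoft Corporation", "sig_status": "NotTrusted"},  # bogus subject, no valid chain
    {"ts": 130, "type": "file", "pid": 77, "path": r"C:\Users\u\Documents\MESSAGE.txt"},
    {"ts": 131, "type": "file", "pid": 77, "path": r"C:\Users\u\Pictures\MESSAGE.txt"},
    {"ts": 132, "type": "file", "pid": 77, "path": r"C:\Users\u\Desktop\MESSAGE.txt"},
    {"ts": 133, "type": "file", "pid": 77, "path": r"\\fileserver\share\MESSAGE.txt"},
    {"ts": 140, "type": "file", "pid": 41, "path": r"C:\Windows\Temp\log.txt"},
]

def bogus_microsoft_signers(events):
    """Rule 1: the certificate subject claims Microsoft Corporation but the
    Authenticode chain did not validate. A genuine Microsoft binary validates."""
    return [e["pid"] for e in events
            if e["type"] == "process"
            and "Microsoft Corporation" in e["signer"]
            and e["sig_status"] != "Valid"]

def note_droppers(events, min_dirs=3, window=60):
    """Rule 2: one process writes a file with the same name into at least
    `min_dirs` distinct directories within `window` seconds, the pattern of
    a ransom note being dropped into every folder that gets encrypted."""
    writes = defaultdict(list)  # (pid, filename) -> [(ts, directory)]
    for e in events:
        if e["type"] != "file":
            continue
        directory, _, name = e["path"].rpartition("\\")
        writes[(e["pid"], name)].append((e["ts"], directory))
    hits = set()
    for (pid, _name), rows in writes.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):  # slide a window over the writes
            dirs = {d for t, d in rows[i:] if t - t0 <= window}
            if len(dirs) >= min_dirs:
                hits.add(pid)
                break
    return sorted(hits)

def alerts(events):
    """Run both rules and return the offending process ids per rule."""
    return {"fake_signer": bogus_microsoft_signers(events),
            "note_dropper": note_droppers(events)}
```

Run against real telemetry, the signer rule needs the agent's actual signature-validation field, and the note rule's thresholds should be tuned against your own baseline of normal file activity.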

This Rakhni Trojan continues to change and improve, becoming more powerful as new tools and exploits are created or found. With every tweak, it becomes harder to detect and harder to track.

So what are you to do? Here are three essentials to ensure your team is sufficiently protected from bringing Rakhni on your network:

Keep your network clean—by now you are probably aware that some of the biggest threats in cyberspace can be eliminated by making sure your network isn't easy to break into. That means patching and keeping your systems updated, relying on software that is still supported, keeping tabs on any risks on your network and prioritizing fixes for those risks.

Monitor your network for suspicious activity—your IT support should be able to detect suspicious activity on your network. Period. By understanding what your normal day-to-day activity looks like, IT support teams that are actually monitoring your network for security issues will be able to detect data mining processes (like Rakhni) before they become a major problem.

Get a security assessment performed—most cybersecurity experts agree that one of the best ways to understand how your network is doing is by having someone else take a look under the hood. One of the easiest ways to get your checkup done is through a free network security assessment.
