Ransomware Fundamentals

The general concept of ransomware is that the victim is extorted into paying a ransom in order to regain access to their computer or their data.

Crypto Ransomware

Crypto ransomware (short for encryption ransomware) encrypts or encodes the victim's files on their computer or business network and then demands that the victim pay money in order to get those files back. This type of ransomware is the most popular among cyber-criminals and malware creators because of the profits this extortion method brings in. An example of crypto ransomware is CryptoLocker.

Locker Ransomware

Locker ransomware works by locking the victim out of their computer and then threatening to delete their files if a certain amount of money is not paid. Locker ransomware is usually easy to deal with, as it does not encrypt any files or modify any of the user's data. This means that the victim can boot from a rescue disk, remove the ransomware and regain access to the machine with their files intact.

Crypto Ransomware (Technical Summary)

Creators of crypto ransomware usually combine a symmetric cipher such as AES with an asymmetric one such as RSA (AES itself is symmetric; it is the RSA layer that makes the scheme asymmetric). The files are encrypted with a randomly generated AES key, and that key is then encrypted with an RSA public key embedded in the malware or fetched from the criminals' server. Only the matching RSA private key can unwrap the file key, and that private key never touches the victim's machine, which is what makes it extremely hard for security researchers to create a decryption tool. When the wrapped key is sent to the criminals' server it is in a form that only the private key can open, so even if a law enforcement agency gains access to that server there is no guarantee that it will be able to recover usable decryption keys. Free decryptors usually become possible only when the implementation slips: the file key is left on disk or in memory, the random number generator is predictable, or the private key is seized or leaked. Sometimes the ransomware also acts as a Remote Access Trojan (RAT). This gives the cyber-criminals access to the victim's computer, allowing them to steal sensitive information as well as install more malware. In some cases the malware creators use these RAT capabilities to decrypt the files of victims who have paid.
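The hybrid scheme described above, as an added example that is not part of the original post and is not any ransomware family's code: a random per-file AES-256-GCM key encrypts the data, RSA-OAEP wraps that key under the attacker's public key, and the raw key is discarded. The function names, the 2048-bit key size and the sample plaintext are assumptions made for the demo; the point it shows is that a second, equally valid RSA key pair gets you nothing, which is why seizing files or even servers is not the same as obtaining keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// EncryptedFile is what the hybrid scheme leaves on the victim's disk: the file
// body under a random per-file AES-256-GCM key, plus that key wrapped with the
// attacker's RSA public key. The raw AES key is never written anywhere.
type EncryptedFile struct {
	Nonce      []byte // 12-byte GCM nonce
	Ciphertext []byte // AES-GCM output, authentication tag included
	WrappedKey []byte // AES key encrypted with RSA-OAEP (SHA-256)
}

// NewAttackerKey generates the criminals' RSA key pair. In a real campaign it
// lives on their infrastructure; here it is generated locally for the demo.
func NewAttackerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptFile models the encryption step. Only the public key is needed, which
// is why it can be embedded in the malware without giving anything away.
func EncryptFile(plaintext []byte, attackerPub *rsa.PublicKey) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// Wrap the file key, then wipe the plaintext copy: from here on the only
	// copy of the key is the wrapped one, and only the private key opens it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey {
		fileKey[i] = 0
	}
	return &EncryptedFile{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// DecryptFile models the decryptor sold back to the victim: it must unwrap the
// per-file AES key with the RSA private key before any data can be recovered.
func DecryptFile(ef *EncryptedFile, attackerPriv *rsa.PrivateKey) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, attackerPriv, ef.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong or missing private key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext rejected: tampered or wrong key")
	}
	return pt, nil
}

func main() {
	attacker, _ := NewAttackerKey()
	ef, _ := EncryptFile([]byte("Q3 financial report"), &attacker.PublicKey) // constructed sample
	fmt.Printf("on disk: %d ciphertext bytes, %d wrapped-key bytes\n", len(ef.Ciphertext), len(ef.WrappedKey))

	researcher, _ := NewAttackerKey() // a different key pair: a guess, not the real one
	if _, err := DecryptFile(ef, researcher); err != nil {
		fmt.Println("without the right private key:", err)
	}
	pt, _ := DecryptFile(ef, attacker)
	fmt.Println("with the private key:", string(pt))
}
```

Note that a decryption tool for such a family has to come from outside the scheme: a leaked or seized private key, a bug that leaves the AES key recoverable, or a weak random number generator. Nothing in the ciphertext or the wrapped key helps.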

Locker Ransomware (Technical Summary)

Locker ransomware usually works by modifying the computer's start-up routine so that the ransomware launches before anything else. One way is to overwrite the Master Boot Record (MBR), so that the ransom message appears before the operating system even loads; this only works on legacy BIOS boot, since UEFI systems with GPT disks do not execute the MBR boot code. Alternatively, the ransomware modifies registry keys, such as the Run keys or the Winlogon Shell value, so that it launches at logon, blocks the normal logon screen or desktop, and displays the ransom message instead. Locker ransomware is not very popular among ransomware creators, because it can easily be removed by booting a rescue disk and restoring the MBR or deleting the persistence registry entries.
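Checking for the MBR variant comes down to comparing sector 0 against a copy taken when the machine was clean. The following is an added example, not code from the original post or from any tool: it parses the 512-byte sector (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), fingerprints the boot code and reports what changed. The sample sectors are constructed in `SampleMBR`; the boot-code strings, the single NTFS partition and the function names are assumptions for the demo.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

const (
	mbrSize      = 512
	bootCodeSize = 446 // bootstrap code the BIOS jumps to
	partTableOff = 446 // four 16-byte partition entries follow
	entrySize    = 16
)

// Partition is one legacy partition-table entry (only the fields needed here).
type Partition struct {
	Bootable bool
	Type     byte
	LBAStart uint32
	Sectors  uint32
}

type MBR struct {
	BootCode   []byte
	Partitions [4]Partition
}

// ParseMBR decodes sector 0 and refuses anything without the 0x55AA signature.
func ParseMBR(sector []byte) (*MBR, error) {
	if len(sector) != mbrSize {
		return nil, fmt.Errorf("MBR must be %d bytes, got %d", mbrSize, len(sector))
	}
	if sector[510] != 0x55 || sector[511] != 0xAA {
		return nil, errors.New("missing 0x55AA boot signature")
	}
	m := &MBR{BootCode: sector[:bootCodeSize]}
	for i := range m.Partitions {
		e := sector[partTableOff+i*entrySize : partTableOff+(i+1)*entrySize]
		m.Partitions[i] = Partition{
			Bootable: e[0] == 0x80,
			Type:     e[4],
			LBAStart: binary.LittleEndian.Uint32(e[8:12]),
			Sectors:  binary.LittleEndian.Uint32(e[12:16]),
		}
	}
	return m, nil
}

// BootCodeHash fingerprints the bootstrap area; a baseline stores this value.
func BootCodeHash(m *MBR) string {
	sum := sha256.Sum256(m.BootCode)
	return hex.EncodeToString(sum[:])
}

// Compare reports what differs between a trusted baseline sector and the one
// read now. Changed boot code with an intact partition table is the classic
// locker pattern; a changed partition table points at something else.
func Compare(baseline, current []byte) ([]string, error) {
	b, err := ParseMBR(baseline)
	if err != nil {
		return nil, fmt.Errorf("baseline: %w", err)
	}
	c, err := ParseMBR(current)
	if err != nil {
		return []string{"current sector unparseable: " + err.Error()}, nil
	}
	var findings []string
	if BootCodeHash(b) != BootCodeHash(c) {
		findings = append(findings, "boot code modified")
	}
	if b.Partitions != c.Partitions {
		findings = append(findings, "partition table modified")
	}
	return findings, nil
}

// SampleMBR builds a constructed sector with one bootable NTFS partition.
// A real baseline would be read from the disk while the system is known clean.
func SampleMBR(bootCode []byte) []byte {
	s := make([]byte, mbrSize)
	copy(s, bootCode)
	e := s[partTableOff : partTableOff+entrySize]
	e[0] = 0x80                                  // bootable flag
	e[4] = 0x07                                  // NTFS/exFAT partition type
	binary.LittleEndian.PutUint32(e[8:], 2048)   // first LBA
	binary.LittleEndian.PutUint32(e[12:], 1<<20) // sector count
	s[510], s[511] = 0x55, 0xAA
	return s
}

func main() {
	clean := SampleMBR([]byte("constructed clean bootstrap code"))
	locked := SampleMBR(bytes.Repeat([]byte("LOCKER "), 8)) // boot code replaced, partitions intact
	findings, _ := Compare(clean, locked)
	fmt.Println(findings)
}
```

From a Linux rescue boot the sector can be captured with `dd if=/dev/sda of=mbr.bin bs=512 count=1`; when restoring a clean copy, write only the first 446 bytes (`bs=446 count=1`) so the partition table on the disk is left alone.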

Why does ransomware work?

Most ransomware variants rely on a few psychological tactics to pressure the victim into paying the ransom. These are:

Authority – Some ransomware claims that the 'FBI' or another law enforcement agency has locked the machine, and presents the payment as a fine.

Time – The ransomware tells the user that if they do not pay the ransom by a deadline, their files will be deleted; some variants raise the price once the deadline passes.

Urgency – Ransomware creators know that precious files (such as pictures, videos and other documents) matter a great deal to their victims, which makes victims more likely to pay the ransom in order to get their files back.

What should I do if I am infected by ransomware?

DON’T PAY THE RANSOM – There is no guarantee that you will get your files back if you pay. Surveys have put the share of victims who pay and still never get their files back at around one in five. Even if paying does work, you are handing money to criminals and confirming to them that the scheme pays, which funds the next campaign.

REMOVE THE MALWARE FROM YOUR COMPUTER – First disconnect the machine from the network so that it cannot keep encrypting shared drives or spread further. Then use a malware scanner, such as Malwarebytes Anti-Malware, to remove the malware from your system; if one scanner cannot remove it, try another with a good reputation. Keep copies of the encrypted files and the ransom note: they are needed to identify the family, and if a decryptor appears later they are what you will recover from.

USE A DECRYPTION TOOL – Not every piece of ransomware has a decryption tool available, but a lot of them do. The No More Ransom project (nomoreransom.org) provides the Crypto Sheriff tool, which identifies the ransomware from an encrypted file and the ransom note; once the family is identified, you are pointed to the decryption tool that will decrypt your files for free, if one exists. Alternatively, you can browse the list of decryption tools on the same site manually.

How can I protect myself from ransomware?

First of all, install reputable anti-malware software on your device and keep it, and the operating system, up to date.

Next, add exploit protection mechanisms or software that can protect you from 0-day exploits, which can affect even a fully patched system.

Optionally, use custom YARA rules that identify known ransomware families, and also keep a YARA rule for generic ransomware behaviour (ransom-note wording, the extensions the malware appends to encrypted files, and similar indicators).

CREATE BACKUPS! If all of this fails, it is good practice to have an up-to-date backup ready in case of a ransomware attack. Keep at least one copy offline or otherwise unreachable from the infected machine, because ransomware will encrypt any backup drive or share it can write to, and test that you can actually restore from it.
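The generic-behaviour rule from the list above is easier to judge as running code. The following scanner is an added example, not code from the original post or from any product: it pairs one family-specific static marker (a constructed placeholder, not a real indicator of any ransomware) with three generic heuristics, namely ransom-note-style file names, random-looking bytes under an extension that should be compressible, and a document extension buried under a new one (`report.xlsx.locked`). The entropy threshold, the extension lists and the sample files in `SampleFiles` are assumptions for the demo; the photo in the sample set shows the false positive an entropy-only rule would produce.

```go
package main

import (
	"bytes"
	"fmt"
	"math"
	"path"
	"strings"
)

// ScanFile is one file as the scanner sees it: its name and its contents.
type ScanFile struct {
	Name string
	Data []byte
}

// Finding records which rule fired on which file and why.
type Finding struct {
	File, Rule, Detail string
}

// familyMarkers plays the role of a family-specific YARA rule: fixed byte
// strings tied to one family. This marker is a constructed placeholder.
var familyMarkers = map[string][]byte{
	"hypothetical_family_x": []byte("EXAMPLE-MARKER-VICTIM-ID:"),
}

// Formats that are high-entropy by design; entropy alone must never flag them
// or every photo becomes an alert. Office .docx/.xlsx are ZIP containers.
var compressedExt = map[string]bool{
	".zip": true, ".gz": true, ".7z": true, ".jpg": true, ".jpeg": true,
	".png": true, ".mp4": true, ".pdf": true, ".docx": true, ".xlsx": true,
}

// Document extensions worth protecting; one hiding under a new extension is
// the in-place-rename pattern.
var documentExt = map[string]bool{
	".txt": true, ".csv": true, ".sql": true, ".docx": true, ".xlsx": true, ".pdf": true,
}

const entropyThreshold = 7.5 // assumption: tuned for this demo, not a universal constant

// ShannonEntropy returns bits per byte, from 0 (constant) to 8 (uniform).
func ShannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n, h := float64(len(data)), 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Scan applies the family rule and the three generic rules to every file.
func Scan(files []ScanFile) []Finding {
	var out []Finding
	for _, f := range files {
		base := path.Base(f.Name)
		ext := strings.ToLower(path.Ext(base))
		for family, marker := range familyMarkers {
			if bytes.Contains(f.Data, marker) {
				out = append(out, Finding{f.Name, "family:" + family, "static marker present"})
			}
		}
		up := strings.ToUpper(base) // generic 1: ransom-note-style file name
		if strings.Contains(up, "DECRYPT") || strings.Contains(up, "RANSOM") || strings.Contains(up, "RESTORE") {
			out = append(out, Finding{f.Name, "generic:ransom_note_name", "file name matches note pattern"})
		}
		// generic 2: random-looking bytes under an extension that is not compressed by design
		if h := ShannonEntropy(f.Data); h >= entropyThreshold && !compressedExt[ext] && len(f.Data) >= 256 {
			out = append(out, Finding{f.Name, "generic:high_entropy", fmt.Sprintf("%.2f bits/byte under %q", h, ext)})
		}
		// generic 3: a known document extension hiding under an unknown one
		inner := strings.ToLower(path.Ext(strings.TrimSuffix(base, ext)))
		if ext != "" && inner != "" && documentExt[inner] && !documentExt[ext] && !compressedExt[ext] {
			out = append(out, Finding{f.Name, "generic:double_extension", inner + " renamed to " + ext})
		}
	}
	return out
}

// SampleFiles is a constructed set: clean text, an in-place-encrypted
// spreadsheet, a photo (legitimately high-entropy) and a ransom note.
func SampleFiles() []ScanFile {
	random := make([]byte, 0, 4096) // every byte value equally often: entropy exactly 8.0
	for i := 0; i < 16; i++ {
		for b := 0; b < 256; b++ {
			random = append(random, byte(b))
		}
	}
	text := bytes.Repeat([]byte("The quarterly numbers are in the shared folder. "), 20)
	note := append([]byte("All your files are encrypted. EXAMPLE-MARKER-VICTIM-ID: 1234\n"), text...)
	return []ScanFile{
		{"C:/Users/alice/notes.txt", text},
		{"C:/Users/alice/report.xlsx.locked", random},
		{"C:/Users/alice/holiday.jpg", random},
		{"C:/Users/alice/HOW_TO_DECRYPT_FILES.txt", note},
	}
}

func main() {
	for _, f := range Scan(SampleFiles()) {
		fmt.Printf("%-40s %-28s %s\n", f.File, f.Rule, f.Detail)
	}
}
```

The same static strings would go into a YARA rule; the entropy and rename checks are what a YARA rule cannot express on its own and belong in an on-access scanner or an EDR rule.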

Extra Stuff

https://twitter.com/_kmonica/status/803666307375894528
