What is ransomware? A detailed guide and prevention methods
So here it is, my blog on ransomware. How did I get inspired to write this? It was the need of the hour. With attacks like WannaCry unfolding regularly, I thought the topic had to be brought into the limelight so that my lovely readers know about a major cyber threat from which nobody, I repeat NOBODY, is safe.
Today, anyone who uses the internet for any purpose, be it work, entertainment, education, communication, socializing or business, is exposed to ransomware attacks.
So if you have come here to learn about the malware called ransomware and why it is trending nowadays, you're at the right place.
I'll be proceeding in the following manner:
1. What is ransomware?
2. How did ransomware come into existence?
3. Types of ransomware
4. Characteristics and abilities of ransomware
5. How does ransomware spread and infect your system(s)?
6. What are the top targets of attackers?
7. Why is ransomware often not detected by antivirus?
8. The most famous ransomware families
9. How to protect yourself from ransomware
10. How to decrypt your data for free!
1. What is Ransomware?
Ransomware is a type of malicious software that blocks
access to the victim's data or threatens to publish or delete it until a ransom
is paid. While some simple ransomware may lock the system in a way which is not
difficult for a knowledgeable person to reverse, more advanced malware uses a
technique called cryptoviral extortion, in which it encrypts the
victim's files, making them inaccessible, and demands a ransom payment to
decrypt them. In a properly implemented cryptoviral extortion attack,
recovering the files without the decryption key is an intractable problem, and
difficult-to-trace digital currencies such as Bitcoin are used for the ransoms,
making tracing and prosecuting the perpetrators difficult.
Ransomware attacks are typically carried out using a Trojan
that is disguised as a genuine file that the user is tricked into downloading
or opening when it arrives as an email attachment. However, one high-profile
example, the WannaCry worm, travelled automatically between computers without
user interaction by exploiting a vulnerability in the Windows SMBv1 service.
2. How did ransomware come into existence?
It may be difficult to imagine, but the first ransomware in history emerged in
1989 (28 years ago at the time of writing). It was called the AIDS Trojan, and
its modus operandi seems crude nowadays.
The AIDS Trojan was written by Joseph Popp in 1989. It had a severe design flaw:
it was not necessary to pay the extortionist at all. Its payload set the file
attributes of files on the hard drive to hidden and encrypted only their names,
then displayed a message claiming that the user's license to use a certain piece
of software had expired. The user was asked to pay US$189 to "PC Cyborg
Corporation" in order to obtain a repair tool, even though the decryption key
could be extracted from the code of the Trojan itself (the key was symmetric and
shipped with the malware, which is exactly what later designs fixed). The Trojan
was also known as "PC Cyborg". Popp was declared mentally unfit to stand trial
for his actions, but he promised to donate the profits from the malware to fund
AIDS research.
The idea of abusing anonymous cash systems to safely collect
ransom from human kidnapping was introduced in 1992 by Sebastiaan von Solms and
David Naccache. This money collection method is a key feature of ransomware. In
the von Solms-Naccache scenario a newspaper publication was used (since bitcoin
ledgers did not exist at the time the paper was written).
The real concept of file-encrypting ransomware was invented and implemented by
Young and Yung at Columbia University and was presented at the 1996 IEEE
Security & Privacy conference. It is called cryptoviral extortion and is a
three-round protocol carried out between the attacker and the victim; it is
walked through in the section on how ransomware spreads and infects your system.
The appearance of Bitcoin, and evolution of encryption
algorithms helped turn ransomware from a minor threat used in cyber vandalism,
to a full-fledged money-making machine. As a result, every cybercriminal wants
to be a part of this.
Graph (image source: F-Secure): the number of types of encrypting malware
researchers have discovered in the past 10 years.
And keep in mind 3 things, so you can get an
idea of how big the issue really is:
- There are numerous variants of each type (for example, CryptoWall is on its 4th version);
- No one can map all the existing families out there since most attacks go unreported.
- New ransomware is coming out in volumes at an ever-increasing pace.
If you’re curious to learn more about the history of this
malware threat, I’ll provide you external sources in the end of this blog.
Cyber criminals are not just malicious hackers who want
public recognition and are driven by their interest for cyber mischief. They’re
business-oriented and try to cash out on their efforts.
Ransomware is here to stay. The current conditions are a perfect storm which
makes it the easiest and most viable source of money for any malicious hacker
out there:
- Ransomware-as-a-service, where malware creators rent out their code and infrastructure in exchange for a cut of the profits. (Yes, ransomware kits are literally sold in dark web markets to script kiddies!)
- Pseudonymous payment methods, such as Bitcoin, that let cyber criminals collect ransom money without easily revealing their identity. The public ledger can be analysed, but wallets are not tied to a verified person, and cashing out through mixers and unregulated exchanges makes attribution hard.
- It’s impossible to make a completely secure software program. Each and every program has its weaknesses, and these can be exploited to deliver ransomware, as was the case with WannaCry.
- The number of infections would drastically shrink if all users were vigilant. But most people aren’t, and they end up clicking infected links and other malicious sources.
3. Types of ransomware
The ransomware economy is evolving drastically and there
are chances that many more types and methods of digital-extortion techniques
will come into existence in future.
At the time of writing this blog, there are three types of ransomware
prevalent in the wild.
The three types of ransomware in circulation:
1. Encryptors:
Encryptors incorporate strong encryption algorithms. They are designed to
encrypt the victim's files and demand payment in exchange for the key that can
decrypt the locked content. Examples include CryptoLocker, Locky, CryptoWall and
more.
2. Non-encryptors or Lockers:
a. Lockers lock the victim out of the operating system, making it impossible to
access the desktop and any apps or files. The files are not encrypted in this
case, but the attackers still ask for a ransom to unlock the infected computer.
Examples include the police-themed ransomware and Winlocker. (These can be
removed by booting another OS, such as a Linux live system, and deleting the
Trojan's files.)
b. Some locker versions infect the Master Boot Record (MBR). The MBR is the
section of a PC's hard drive which enables the operating system to boot up.
When MBR ransomware strikes, the boot process can't complete as usual and a
ransom note is displayed on the screen instead. Examples include the Satana and
Petya families.
3. Leakware (also called Doxware):
Leakware is the converse of classic ransomware: a cryptovirology attack that
threatens to publish information stolen from the victim's computer rather than
deny the victim access to it. The malware exfiltrates sensitive data (usernames,
passwords, confidential files, personal documents) either directly to the
attacker or to remote instances of the malware, and the attacker threatens to
publish the victim's data unless a ransom is paid. In the extortion attack the
victim is denied access to its own valuable information and has to pay to get it
back; in leakware the victim retains access to the information, but its
disclosure is at the discretion of the attacker. The attack pays off when the
malware obtains information that can damage the victim user or organization,
e.g. the reputational damage that would result from publishing proof that the
attack itself succeeded.
Crypto-ransomware, as encryptors are usually known, is the most widespread type.
The cyber security community agrees that crypto-ransomware is the most prominent
and worrisome cyber threat of the moment.
Lockers are less effective because they do not encrypt files: the user is locked
out of the desktop but does not lose data, and the Trojan can usually be removed
from another operating system without paying. Leakware, at the time of writing,
is still rare compared with encryptors.
Hence the chances of running into a locker or leakware are comparatively low
compared with encryptors.
4. Characteristics and abilities of ransomware
Ransomware has some key characteristics that
set it apart from other malware:
- It uses strong encryption, correctly implemented, which means that you can't decrypt the files on your own; only when the authors make an implementation mistake can researchers release a decryption tool (more on that later);
- It has the ability to encrypt all kinds of files, from documents to pictures, videos, audio files and other things you may have on your PC;
- It can scramble your file names, so you can't tell which data was affected. This is one of the social engineering tricks used to confuse and coerce victims into paying the ransom;
- It will add a different extension to your files, which often signals a specific ransomware strain;
- It will display an image or a message that lets you know your data has been encrypted and that you have to pay a specific sum of money to get it back;
- It requests payment in Bitcoin because this crypto-currency is pseudonymous: the public ledger can be analysed, but wallets are not tied to a verified identity, which makes it hard for cyber security researchers and law enforcement agencies to trace a payment to a person;
- Usually, the ransom payments have a time limit, to add another level of psychological pressure to this extortion scheme. Going over the deadline typically means that the ransom will increase, but it can also mean that the data will be destroyed and lost forever;
- It uses a complex set of evasion techniques to go undetected by traditional antivirus (more on this in the antivirus section below);
- It often recruits the infected PCs into botnets, so cyber criminals can expand their infrastructure and fuel future attacks;
- It can spread to other PCs connected to the local network, creating further damage;
- It frequently features data exfiltration capabilities, which means that it can also extract data from the affected computer (usernames, passwords, email addresses, etc.) and send it to a server controlled by cyber criminals; encrypting files isn't always the endgame!
- It sometimes includes geographical targeting, meaning the ransom note is translated into the victim's language, to increase the chances of the ransom being paid.
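As an added example (not part of the original post, and not any vendor's or malware family's code), here is a small Go detector for the two characteristics above that are visible on disk: a ransom extension appended to the file name, and file contents that have become near-random after encryption. The sample "files" are constructed in memory so it runs offline. The extension list (.locky, .WNCRY and .cerber, which Locky, WannaCry and Cerber are known to have used) and the 7.5 bits/byte threshold are my assumptions, not something the post specifies.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"path"
	"strings"
)

// Sample is an in-memory stand-in for a file on disk (constructed for the demo;
// nothing is read from the host).
type Sample struct {
	Name    string
	Content []byte
}

// Extensions appended by families discussed on this page (Locky, WannaCry,
// Cerber). Illustrative, not exhaustive; real detectors pull this from threat intel.
var ransomExtensions = map[string]bool{
	".locky": true, ".wncry": true, ".cerber": true,
}

// Formats that are legitimately near-random (compressed or already encrypted),
// so entropy alone must not flag them.
var compressedExtensions = map[string]bool{
	".zip": true, ".gz": true, ".jpg": true, ".png": true, ".mp4": true, ".pdf": true,
}

// EntropyThreshold is an assumed cut-off: text sits around 4-5 bits/byte,
// AES output is close to 8.
const EntropyThreshold = 7.5

// Entropy returns the Shannon entropy of data in bits per byte (0..8).
func Entropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// Suspicious reports whether a sample looks like ransomware output: it carries a
// known ransom extension, or its content is near-random although its name claims
// a format that should not be (a renamed .docx.locky hits the first rule, a .txt
// overwritten in place with ciphertext hits the second).
func Suspicious(s Sample) bool {
	ext := strings.ToLower(path.Ext(s.Name))
	if ransomExtensions[ext] {
		return true
	}
	if compressedExtensions[ext] {
		return false // high entropy is normal here; other signals are needed
	}
	return Entropy(s.Content) > EntropyThreshold
}

// ScanSamples returns the names of suspicious samples, in input order.
func ScanSamples(samples []Sample) []string {
	var hits []string
	for _, s := range samples {
		if Suspicious(s) {
			hits = append(hits, s.Name)
		}
	}
	return hits
}

// BuildSamples constructs the demo input: a plain report, a photo-like random
// blob (legitimately high entropy), a text file overwritten with ciphertext, and
// a file renamed with Locky's extension.
func BuildSamples() []Sample {
	text := []byte(strings.Repeat("Quarterly revenue grew 4% on stable costs. ", 100))
	random := make([]byte, 4096)
	rand.Read(random) // stands in for AES output
	return []Sample{
		{"report.txt", text},
		{"holiday.jpg", random},
		{"notes.txt", random},
		{"invoice.pdf.locky", text},
	}
}

func main() {
	for _, name := range ScanSamples(BuildSamples()) {
		fmt.Println("suspicious:", name)
	}
}
```

Entropy on its own is a weak signal, because compressed formats such as JPEG or ZIP are also near-random; that is why the code skips them, and why production detection combines this check with the rate of renames and writes across many files, or with a canary file that nothing legitimate should ever touch.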
Their feature list keeps growing every day, with each new security alert
broadcast by malware researchers.
Since families and variants keep multiplying, you need at least baseline
protection to avoid data loss and other troubles.
Crypto-ransomware is a complex and advanced cyber threat
which uses all the tricks available because it makes cyber criminals a huge
profit. We’re talking millions!
If you’re curious how all this may affect YOU, keep reading,
you’ll get your answer…
5. How does ransomware spread and infect your system(s)?
Cyber criminals simply look for the easiest way to infect a system or network
and use that entry point to spread the malicious content.
Nevertheless, these are the most common infection
methods used by cybercriminals
- Spam email campaigns that contain malicious links or attachments (there are plenty of forms that malware can use for disguise on the web);
- Security exploits in vulnerable software (weaknesses in the program's code);
- Internet traffic redirects to malicious websites;
- Legitimate websites that have malicious code injected in their web pages;
- Drive-by downloads;
- Malvertising campaigns;
- SMS messages (when targeting mobile devices);
- Botnets;
- Self-propagation (spreading from one infected computer to another automatically): WannaCry, for instance, scanned the local network and the internet for Windows machines exposing a vulnerable SMBv1 service (the flaw patched by MS17-010), exploited it with the leaked EternalBlue exploit and installed itself on each one without any user action.
- Affiliate schemes in ransomware-as-a-service. Basically, the developer behind the ransomware earns a cut of the profits each time a user pays the ransom.
Crypto-ransomware attacks employ a subtle mix of
technology and psychological manipulation (also known as social engineering).
These attacks get more refined by the day, as cyber
criminals learn from their mistakes and tweak their malicious code to be
stronger, more intrusive and better suited to avoid cyber security solutions.
The WannaCry attack is a perfect example of this since it used a wide-spread
Windows vulnerability to infect a computer with BASICALLY NO USER INTERACTION.
That's why each new variant is a bit different from its forerunner. Malware
creators incorporate new evasion tactics and pack their "product" with exploit
kits, pre-coded exploits for known software vulnerabilities and more.
For example (see the illustration originally included here), online criminals
find vulnerable websites, inject malicious JavaScript code into them and use it
to redirect potential victims to sites hosting exploits.
This gets us to the next important answer in our common
quest to understand how your files end up encrypted.
How do ransomware infections happen?
Though the infection phase is slightly different for each
ransomware version, the key stages are the following:
1. Initially, the victim receives an email which includes a malicious link or a
malware-laden attachment. Alternatively, the infection can originate from a
malicious website that delivers an exploit for vulnerable software on the
victim's PC and uses it to gain a foothold.
2. If the victim clicks on the link or
downloads and opens the attachment, a downloader (payload) will be placed
on the affected PC.
3. The downloader uses a list of domains or
C&C servers controlled by cyber criminals to download the
ransomware program on the system.
4. The contacted C&C server responds by sending
back the requested data.
5. The malware then encrypts the victim's files: documents, personal files and
sensitive information, including data stored in cloud accounts (Google Drive,
Dropbox) that are synced to the PC. It can also encrypt data on shared folders
of other computers connected to the local network. Here the Young and Yung
methodology is used to encrypt the data, as follows:
[attacker→victim]
The attacker generates a key pair and places the
corresponding public key in the malware. The malware is released.
|
[victim→attacker]
To carry out the cryptoviral extortion (ransomware) attack, the malware
generates a random symmetric key and encrypts the victim's data with it. It
then uses the public key embedded in the malware to encrypt that symmetric key
(the key needed for decryption). This is known as hybrid encryption, and it
results in a small asymmetric ciphertext as well as the symmetric ciphertext of
the victim's data. The malware zeroizes the symmetric key and the original
plaintext data to prevent recovery, then puts up a message to the user that
includes the asymmetric ciphertext (the encrypted symmetric key) and
instructions on how to pay the ransom. The victim sends the asymmetric
ciphertext and e-money (mainly Bitcoin) to the attacker.
|
[attacker→victim] The attacker receives the
payment, deciphers the asymmetric ciphertext with the attacker's private key,
and sends the symmetric key to the victim. The victim deciphers the encrypted
data with the needed symmetric key thereby completing the cryptovirology
attack.
|
Illustration: Alice = the ransomware program on the PC, Bob = the attacker.
The symmetric key is randomly generated and will not assist
other victims. At no point is the attacker's private key exposed to victims and
the victim need only send a very small ciphertext (the encrypted
symmetric-cipher key) to the attacker.
6. A warning pops up on the screen with instructions
on how to pay for the decryption key.
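The three-round protocol described above, as an added example that is not part of the original post and is not the code of any real ransomware family: a stand-alone Go simulation that runs all three rounds over an in-memory byte slice. Young and Yung specify the structure, not the algorithms, so the choice of RSA-OAEP to wrap a fresh AES-256-GCM key is my assumption. It touches no files and contacts no server; the "victim" and "attacker" are two functions in the same process, and the final check shows why one victim's wrapped key is useless to another and why the malware binary itself holds no secret.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Extortion is everything the malware leaves behind: the symmetric ciphertext of
// the data, the GCM nonce, and the symmetric key wrapped under the attacker's
// public key (the small "asymmetric ciphertext" the victim later sends back).
type Extortion struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Round 1, attacker -> victim: the attacker generates a key pair once; only the
// public key is shipped inside the malware. The private key never leaves the attacker.
func AttackerKeygen() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Round 2, run on the victim's machine: hybrid encryption. A fresh random AES key
// encrypts the data, the embedded RSA public key wraps that AES key, and the
// plaintext key is zeroised so nothing recoverable stays on the host. Keeping the
// key in the binary is the mistake the 1989 AIDS Trojan made.
func MalwareEncrypt(pub *rsa.PublicKey, plaintext []byte) (*Extortion, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key {
		key[i] = 0 // zeroise the symmetric key
	}
	return &Extortion{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Round 3, attacker -> victim: after payment the attacker unwraps the AES key with
// the private key and returns it. The victim only ever had to send WrappedKey.
func AttackerUnwrap(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// VictimDecrypt recovers the data once the symmetric key has been returned.
func VictimDecrypt(key []byte, e *Extortion) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}

// RunProtocol executes all three rounds and reports whether the data round-trips
// through the attacker's private key, and whether an unrelated private key fails
// to unwrap the same WrappedKey.
func RunProtocol(plaintext []byte) (recovered bool, otherKeyFails bool, err error) {
	priv, err := AttackerKeygen()
	if err != nil {
		return false, false, err
	}
	e, err := MalwareEncrypt(&priv.PublicKey, plaintext)
	if err != nil {
		return false, false, err
	}
	key, err := AttackerUnwrap(priv, e.WrappedKey) // victim sent WrappedKey + payment
	if err != nil {
		return false, false, err
	}
	pt, err := VictimDecrypt(key, e)
	if err != nil {
		return false, false, err
	}
	recovered = bytes.Equal(pt, plaintext)
	other, err := AttackerKeygen()
	if err != nil {
		return recovered, false, err
	}
	_, unwrapErr := AttackerUnwrap(other, e.WrappedKey)
	return recovered, unwrapErr != nil, nil
}

func main() {
	sample := []byte("constructed sample: contents of quarterly-report.docx")
	ok, fails, err := RunProtocol(sample)
	fmt.Println("round-trip:", ok, "| wrong key rejected:", fails, "| err:", err)
}
```

Note what the victim actually holds after round 2: ciphertext, a nonce and an RSA-wrapped key. None of that yields the AES key without the attacker's private key, which is why a correctly built encryptor cannot be undone by analysing the binary, and why the decryptors researchers do release come from implementation mistakes (weak random keys, keys left in memory or on disk, a leaked master key) rather than from breaking the cryptography.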
Everything happens in just a few seconds, so
victims are completely dumbstruck as they stare at the ransom note in
disbelief.
Most of them feel betrayed because they can’t seem to
understand one thing:
But I have antivirus! Why didn’t it protect me from
this?
6. What are the top targets of attackers?
Cybercriminals soon realized that companies and organizations were far more
profitable than home users, so they went after the bigger targets: police
departments, city councils, schools and, worse, hospitals.
To give you some idea, nearly 70% of infected businesses opted to pay the
ransom to recover their files. More than half of these businesses had to pay a
ransom of $10,000 to $40,000 in order to recover their data.
But for now, let’s find out how online criminals target
various types of Internet users. This may help you better understand why things
happen as they do right now.
Why ransomware creators and distributors target home
users:
- Because they don’t have data backups;
- Because they have little or no cyber security education, which means they’ll click on almost anything;
- Because the same lack of online safety awareness makes them prone to manipulation by cyber attackers;
- Because they lack even baseline cyber protection;
- Because they don’t keep their software up to date (even if specialists always nag them to);
- Because they fail to invest in need-to-have cyber security solutions;
- Because they often rely on luck to keep them safe online (I can’t tell you how many times I’ve heard “it can’t happen to me”);
- Because most home users still rely exclusively on antivirus to protect them from all threats, which is frequently ineffective in spotting and stopping ransomware;
- Because of the sheer volume of Internet users that can become potential victims (more infected PCs = more money).
Why ransomware creators and distributors target
businesses:
- Because that’s where the money is;
- Because attackers know that a successful infection can cause major business disruptions, which will increase their chances of getting paid;
- Because computer systems in companies are often complex and prone to vulnerabilities that can be exploited through technical means;
- Because the human factor is still a huge liability which can also be exploited, but through social engineering tactics;
- Because ransomware can affect not only computers but also servers and cloud-based file-sharing systems, going deep into a business’s core;
- Because cyber criminals know that businesses would rather not report an infection, for fear of legal consequences and brand damage;
- Because small businesses are often unprepared to deal with advanced cyber attacks and have a relaxed BYOD (bring your own device) policy.
Why ransomware creators and distributors target public
institutions:
- Because public institutions, such as government agencies, manage huge databases of personal and confidential information that cyber criminals can sell;
- Because budget cuts and mismanagement frequently impact the cybersecurity departments.
- Because the staff is not trained to spot and avoid cyber attacks (malware frequently uses social engineering tactics to exploit human naivety and psychological weaknesses);
- Because public institutions often use outdated software and equipment, which means that their computer systems are packed with security holes just begging to be exploited;
- Because a successful infection has a big impact on conducting usual activities, causing huge disruptions;
- Because successfully attacking public institutions feeds the cyber criminals' egos (they may want money above all else, but they won't hesitate to reinforce their standing in the underground community by hitting a high-profile target).
In terms of platforms and devices, ransomware doesn’t
discriminate either. We have versions tailor-made for personal
computers (too many types to count, but more on that in “The most
famous ransomware families” section), mobile devices (with
Android as the main victim and a
staggering growth) and servers.
Chart: the number of users encountering mobile ransomware at least once in the period April 2014 to March 2016.
When it comes to servers, the attack is downright vicious, as one analysis
describes it:
"Some groups do this by infiltrating the target server and patching the software so that the stored data is in an encrypted format where only the cybercriminals have the key to decrypt the data.
The aim of this attack is to silently encrypt all data held on a critical server, along with all of the backups of the data.
This process may take some time, depending on the organization, so it requires patience for the cybercriminals to carry it out successfully."
Because of this, the
FBI and many other institutions and security vendors in the
industry urge users, companies and other decision-makers to prepare against this
threat and set up strong cyber protection layers.
Attacks on critical infrastructure (electricity, water,
etc.) are the next, and even the thought of that makes anyone shudder.
7. Why is ransomware often not detected by antivirus?
Ransomware uses several evasion tactics to stay hidden and
allow it to:
- Not get picked up by antivirus products
- Not get discovered by cyber security researchers
- Not get observed by law enforcement agencies and their own malware researchers.
The rationale is simple: the longer a malware infection
can persist on a compromised PC, the more data it can extract and the more
damage it can do.
So here are just a few of the tactics that encryption
malware employs to remain covert and maintain the anonymity of its makers and
distributors:
- Communication with Command & Control servers is encrypted, which makes it hard to pick out in network traffic;
- It routes its traffic through anonymizing networks such as Tor and takes payment in Bitcoin, to avoid tracking by law enforcement agencies while still receiving ransom payments easily;
- It uses anti-sandboxing mechanisms (checks for virtual machines, debuggers or the absence of user activity) so that automated analysis sees only benign behaviour and antivirus won't pick it up;
- It employs domain shadowing to conceal exploits and hide the communication between the downloader (payload) and the servers controlled by cyber criminals;
- It uses fast flux, another technique that keeps the source of the infection anonymous by rapidly rotating the IP addresses behind a domain;
- It deploys encrypted or packed payloads, which make it harder for antivirus to see that they contain malware, so the infection has more time to unfold;
- It has polymorphic behaviour, which gives it the ability to mutate enough to create a new variant, but not so much as to alter the malware's function;
- It has the ability to remain dormant: the ransomware can stay inactive on the system until the computer is at its most vulnerable moment, then take advantage of that to strike fast and effectively.
8. The most famous ransomware families
By now you know that there’s plenty of versions out there.
With names such as CryptXXX, Troldesh or Chimera, these strains sound like the
stuff hacker movies are made of.
So while newcomers may want to get a share of the cash, a
handful of families have established their domination.
If you find any similarities between this context and how
the mafia conducts its business, well, it’s because they resemble in some
aspects.
WannaCry
On Friday, May 12, 2017, around 11 AM ET / 3 PM GMT, a ransomware attack of an
"unprecedented level" (Europol) started spreading WannaCry around the world. It
exploited a vulnerability in the Windows SMBv1 service (patched by Microsoft in
MS17-010 two months earlier) that allowed it to infect victims' PCs without them
taking any action.
By May 24, 2017, the infection had affected over 200,000 victims in 150
countries and was still spreading.
I'll be posting a dedicated article about WannaCry later.
Uiwix
As a recent development, another type of encrypting malware
that tries to replicate the impact that WannaCry had. However, it improves
by not including a killswitch domain, while keeping its
self-replicating abilities.
Up to date details in this
security alert which also anticipates addition waves of malicious
encryption.
Cerber ransomware
Cerber is a relatively old version encryption malware, and
its usage has frequently gone up and down. However, recent updates and added
features have brought it back firmly into center stage. In the first quarter of
2017, Cerber had a huge, 90%
market share among all the ransomware families. For the time being, it is
likely to stay on top of the food chain.
Locky
One of the newest and most daring ransomware families to
date is definitely Locky.
First spotted
in February 2016, this strain made its entrance with a bang by
extorting a hospital in Hollywood for about $17,000.
But they weren’t the only victims. In fact, many businesses were targeted with spam email campaigns.
Since then, Locky has had a rampant distribution across the
world. Here’s its geographical distribution by April 2016.
Source: Securelist analysis.
As you’ve seen, things never stop changing in cyber crime,
so Locky’s descendant, Zepto,
made its debut in early July 2016.
TorrentLocker
This file-encrypting malware emerged in early 2014 and its
makers often tried to refer to it as CryptoLocker, in order to piggyback on its
awareness.
Since then, TorrentLocker relied almost entirely on spam
emails for distribution. In order to increase effectiveness, both the emails
and the ransom note were targeted geographically.
The attackers noticed that attention to detail meant they could trick more
users into opening emails and clicking on malicious links, so they took it a
step further. They used good grammar in their texts, which made their traps
seem authentic to unsuspecting victims.
Source: Sophos analysis.
TorrentLocker creators proved that they were attentively
looking at what’s going on with their targeted “audience” when they corrected a
flaw in their encryption mechanism. Until that point, a decryption tool created
by a malware researcher had worked.
But soon they released a
new variant which featured stronger encryption and narrowed the
chances for breaking it to zero.
Its abilities to harvest email addresses from the infected
PC are also noteworthy. Naturally, these emails were used in subsequent spam
campaigns to further distribute the TorrentLocker.
CryptoLocker
In June 2014, Deputy Attorney General James Cole, from the US Department of
Justice, declared that a large joint operation between law enforcement agencies
and security companies employed:
traditional law enforcement techniques and cutting edge
technical measures necessary to combat highly sophisticated cyber schemes
targeting our citizens and businesses.
He was talking about Operation Tovar,
one of the biggest take-downs in the history of cyber security.
Operation Tovar aimed to take down the Gameover ZeuS botnet,
which authorities also suspected of spreading financial malware and
CryptoLocker.
As Brian
Krebs mentioned in his take on CryptoLocker:
The trouble with CryptoLocker is not so much in removing the
malware — that process appears to be surprisingly trivial in most cases. The
real bummer is that all of your important files — pictures, documents, movies,
MP3s — will remain scrambled with virtually unbreakable encryption…
CryptoLocker infections peaked in October 2013, when it was
infecting around 150,000 computers a month!
Since then, security vendors have reported sightings of CryptoLocker in
numerous campaigns spoofing postal or delivery services in Northern Europe.
CryptoWall
Though the CryptoLocker infrastructure may have been
temporarily down, it doesn’t mean that cybercriminals didn’t find other methods
and tools to spread similar variants.
CryptoWall is
such a variant and it has already reached its 4th version, CryptoWall
4.0.
This number alone shows how fast this malware is being
improved and used in online attacks!
In 2015, even the FBI agreed that ransomware is here to stay. This time, it
wouldn't stop at home computers, but would spread to infect:
Businesses, financial institutions, government agencies,
academic institutions, and other organizations… resulting in the loss of
sensitive or proprietary information.
Since then, this prediction has become reality, and now we understand the
severity and impact of the crypto-ransomware phenomenon.
In a similar manner to CryptoLocker, CryptoWall spreads through various
infection vectors, including browser exploit kits, drive-by downloads and
malicious email attachments.
CTB-Locker
CTB-Locker is one of the latest variants in the CryptoLocker tradition, but at
a totally different level of sophistication.
Let's take a quick look at its name: what do you think CTB stands for?
- C comes from Curve: it uses elliptic-curve cryptography to protect the per-victim file-encryption keys, instead of the RSA key wrapping used by most other families;
- T comes from Tor, the anonymity network it uses to hide the cybercriminals' servers and activity from law enforcement agencies;
- B comes from Bitcoin, the payment method victims use to pay the ransom, which keeps the attackers' wallets from being tied to an identity.
What’s also specific to CTB-locker is that includes multi-lingual
capabilities, so attackers can use it to adapt their messaging to specific
geographical areas.
If more people can understand what happened to their data,
the bigger the payday.
CTB-Locker was one of the first ransomware strain to be
sold as a service in the underground forums. Since then, this has
become the norm, but two years ago it was an emerging trend.
Now, would-be cyber criminals don't really need strong technical skills, as
they can purchase ready-made malware that even includes a dashboard where they
can track their successful infections and return on investment.
In 2014, malware analyst Kafeine managed to access one of
these black markets and posted all
the information advertised by online criminals.
By taking a quick look at the malware creators’ ad, we can
see that the following support services are included in the package:
- instructions on how to install the Bitcoin payment on the server;
- how to adjust the encryption settings in order to target the selected victims;
- details such as the requested price and the localized language that should be used;
- recommendations on the price that you can set for the decryption key.
Reveton
In 2012, the major ransomware strain known as Reveton started to spread. It was
based on the Citadel trojan, which was, in turn, part of the Zeus family.
Its signature feature was to display a warning from law enforcement agencies,
which made people name it "police trojan" or "police virus". Unlike the other
families mentioned here, Reveton was a locker, meaning that it restricted
access to the computer itself, not just the files.
Once the warning appears, the victim is informed that the
computer has been used for illegal activities, such as torrent downloads or for
watching porn.
The graphic display enforced the idea that everything is
real. Elements like the computer IP address, logo from the
law enforcement organization in that specific country or the localized
content, all of these created the general illusion that everything is actually
happening.
Brian Krebs published a larger analysis of Reveton, indicating that security
exploits were used by the cybercriminals and that:
insecure and outdated installations of Java remain by far
the most popular vehicle for exploiting PCs.
Four years later, Java
is the same pain in the proverbial backend.
TeslaCrypt
When it first emerged, TeslaCrypt focused on a specific audience: gamers. Not
all of them, but a segment that played a series of specific games, including
Call of Duty, World of Warcraft, Minecraft and World of Tanks.
By exploiting vulnerabilities mainly in Adobe Flash (a serial culprit in
ransomware infections), TeslaCrypt then moved on to bigger targets, such as
European companies.
Cyber security experts managed to find flaws in TeslaCrypt’s
encryption algorithm twice. They created decryption tools and did their best so
that the malware creators wouldn’t find out.
But, as you can guess, TeslaCrypt makers corrected the flaws
and released new versions that featured stronger encryption and enhanced data
leakage capabilities.
Security researchers announced TeslaCrypt
4.0 in March 2016, but only two months later, it was shut down!
To everyone’s surprise, the cyber criminals even apologized.
ESET researchers managed to get the universal master
decryption key from them and built
a decryptor that you can use if you happen to be a victim of
TeslaCrypt.
No one knows why the guys behind TeslaCrypt quit, but we can
only hope to see more of that in the cyber crime scene.
What will come next?
Although we can’t guess future encryption attacks, there is
one trend that cyber criminals seem to be pursuing: attacks that are
more targeted, more carefully prepared and which require a smaller
infrastructure to be deployed.
We finally got to the best part, where you can learn
what to do to stay protected against ransomware attacks.
9. How to prevent yourself from ransomware?
This is a promise that I want you to make to yourself: that
you will take the threat of ransomware seriously and do something about it
before it hits your data.
I’ve seen too many cries for help and too many people
confused and panicking when their files get encrypted.
How I wish I could say that ransomware protection is not
a life and death kind of situation! But if you work in a hospital and
you trigger a crypto-ransomware infection, it could actually endanger lives.
Learning how to prevent ransomware attacks is a need-to-have set of knowledge
and you can do it both at home and at work.
So here’s what I want you to promise me:
Locally, on the PC:
1. You won't store important data only on your PC.
2. You will keep 2 backups
of your data: on an external hard drive and in the cloud – Dropbox/Google
Drive/etc.
3. The Dropbox/Google Drive/OneDrive/etc. application
on your computer should not be turned on by default. You should only open it once a day, to
sync your data, and close it once that is done.
4. Your operating system and the software you use should be up to
date, including the latest security updates.
5. For daily use, you shouldn't use an administrator account
on your computer. Use a guest account with limited privileges.
6. You will turn off macros in the Microsoft Office
suite – Word, Excel, PowerPoint, etc.
In the browser:
7. You have to remove the following plugins from all your
browsers: Adobe Flash, Adobe Reader, Java and Silverlight. If you absolutely have
to use them, you have to set the browser to ask you if you want to activate these plugins
when needed.
8. You have to adjust your browsers’ security and privacy settings for increased protection.
9. You have to remove outdated
plugins and add-ons from your browsers. Only keep the ones you use
on a daily basis and keep them updated to the latest version.
10. Use an ad-blocker to avoid the threat of potentially malicious ads.
Online behavior:
11. You'll never open spam emails or emails from unknown senders.
12. You'll never download attachments from spam emails or suspicious emails.
13. You'll never click links in spam emails or suspicious emails.
Anti-ransomware security tools:
14. Use a reliable, paid antivirus product that includes an automatic update
module and a real-time scanner.
15. You will install a traffic-filtering
solution that can provide proactive anti-ransomware protection.
You can read an extended version of this plan in this
dedicated article.
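As an added example that is not part of the original post, the following PowerShell script audits items 4 to 7 of the checklist above on a Windows PC and prints a pass/fail table. It assumes Office 2016 or later (registry version key 16.0) and treats a patch older than 30 days as a failure; both values are assumptions you can adjust.

```powershell
# Added example: audit checklist items 4-7 on a Windows PC.
# Assumptions: Office registry version 16.0; 30-day patch threshold.
$officeVersion = "16.0"
$maxPatchAgeDays = 30
$report = @()

# Item 5: the daily account should not be an administrator
$isAdmin = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$report += [pscustomobject]@{ Check = "Running as non-admin"; Pass = (-not $isAdmin) }

# Item 6: Office macros. VBAWarnings 4 = disabled without notification,
# 3 = disabled except digitally signed; 1, 2 or a missing value fails.
foreach ($app in "Word", "Excel", "PowerPoint") {
    $key = "HKCU:\Software\Microsoft\Office\$officeVersion\$app\Security"
    $value = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $report += [pscustomobject]@{
        Check = "$app macros disabled (VBAWarnings=$value)"
        Pass  = ($value -ge 3)
    }
}

# Item 7: the plugins named in the checklist should not be installed at all.
# Both 64-bit and 32-bit uninstall hives are read.
$uninstallKeys = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
                 "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
             ForEach-Object { $_.DisplayName } | Where-Object { $_ }
foreach ($plugin in "Adobe Flash", "Adobe Reader", "Java", "Silverlight") {
    $found = $installed | Where-Object { $_ -like "*$plugin*" }
    $report += [pscustomobject]@{ Check = "$plugin not installed"; Pass = (-not $found) }
}

# Item 4: patching. The newest hotfix must be younger than the threshold.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $ageDays = ((Get-Date) - $latest.InstalledOn).TotalDays
    $report += [pscustomobject]@{
        Check = "Patched within $maxPatchAgeDays days (last: $($latest.InstalledOn.ToShortDateString()))"
        Pass  = ($ageDays -le $maxPatchAgeDays)
    }
} else {
    $report += [pscustomobject]@{ Check = "Patch history available"; Pass = $false }
}

$report | Format-Table -AutoSize
```

Run it from a normal (non-elevated) PowerShell session so the admin check reflects the account you actually use day to day.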
I want you to be prepared, so you’ll never have to deal with the dreaded question of: “should I pay the ransom or not?”
My answer will always be a big, fat NO.
Paying the ransom gives you no guarantee that the online
criminals at the other end of the Bitcoin transfer will give you the decryption
key. And even if they do, you’d be further funding their greedy attacks and
fueling the never-ending malicious cycle of cyber crime.
To put things into perspective, 7 out of every 10 users who
paid the ransom didn't get their data back (that's 70% of users). They lost both the information and
their money.
10. How to decrypt your data for free!!
There are hundreds of types of ransomware out there, but cyber
security researchers are working around the clock to break the encryption that
at least some of them use. Unfortunately, the most notorious families have
proven to be unbreakable so far. In spite of this, there are many other
cryptoware strains that are not that well coded and which specialists were able
to crack.
To help you find a solution to recover your data without
further funding ransomware creators, we put together a
sizeable list of ransomware decryption tools which you can use.
We recommend you read about how these tools work beforehand
so that you’re sure that this is the best solution for your case.
Do keep in mind that decryptors could become obsolete
because of constant updates and new, enhanced versions released by cyber
criminals. It’s a never-ending battle, which is why we urge you to focus on
prevention and having multiple backups for your data.
My personal take:
As you know by now, most of the attacks covered here, and the large majority of ransomware attacks overall, have targeted Windows operating systems and devices.
So my recommendation is that you use a Linux or Unix based operating system instead of Windows, or, if you are a fan of Apple products, go for the Macintosh lineup, whose macOS is based on Unix.
For those wondering whether Linux is too complicated an O.S. for daily use, check out Ubuntu, which gives you an experience similar to that of Windows.
Further, if you want more information about Linux and Unix operating systems, please let me know your suggestions and opinions in the comments!
Conclusion
Ransomware brought extortion to a global scale, and it’s
up to all of us, users, business-owners and decision-makers, to disrupt it.
We now know that:
- creating malware or ransomware threats is now a business and it should be treated as such;
- the “lonely hacker in the basement” stereotype died a long time ago;
- the present threat landscape is dominated by well-defined and well-funded groups that employ advanced technical tools and social engineering skills to access computer systems and networks;
- even more, cyber criminal groups are hired by large states to target not only financial objectives, but political and strategic interests.
We also know that we’re not powerless and there’s a handful
of simple things we can do to avoid ransomware. Cyber criminals have as much
impact over your data and your security as you give them.
Stay safe and don’t forget the best protection is always a
backup!
So, you have reached the end of this article. Now, if you scrolled down just to see how long the article is, you are having second thoughts about reading the full article and probably are not going to continue. So to save you time, here's a relatively short 15 min YouTube video from our channel BLUEBERRY IT SERVICES.
So if you found this article helpful, you may share it with your family, friends, colleagues and other acquaintances.
You can follow me if you want regular updates about my blogs.