What is ransomware? How to prevent ransomware

Ransomware is not one specific virus but a general term for a class of malware. It spreads mainly through email, bundled programs, Trojan horses and web pages seeded with malicious code (drive-by downloads). It encrypts files with various encryption algorithms; in general the infected party cannot decrypt them, and only obtaining the corresponding private key can recover them.

The earliest known ransomware appeared in 1989, the "AIDS Information Trojan" (Trojan/DOS.AidsInfo, also known as the "PC Cyborg Trojan"), written by Joseph Popp. Early ransomware spread mainly through phishing emails, trojanized web pages and social networks, and ransoms were paid by money transfer; its reach and its ability to sustain attacks were limited, and it was relatively easy to trace. The Redplus ransomware (Trojan/Win32.Pluder), which appeared in 2006, was the first ransomware in China. The second half of 2013 is when modern ransomware took shape: it uses AES and RSA to encrypt selected file types, making recovery nearly impossible, and it demands payment in virtual currency so the transaction cannot be tracked. Typical ransomware of this period includes CryptoLocker and CTBLocker. Since 2016 the WannaCry ransomware worm has broken out; its purpose is not to extort money but to cause large-scale destruction worldwide.

At this stage, ransomware has visibly become an industry, with malware families operated continuously.

Since 2018, ransomware Trojan techniques have matured steadily, and targeting has shifted from indiscriminate mass attacks to precise attacks on high-value targets: direct attacks on the healthcare sector, on the servers of enterprises, institutions and government agencies, and on traditional industries including manufacturing, which face an increasingly severe security situation.

How ransomware works

Once the ransomware file reaches the victim's machine it runs automatically and deletes its own parent file to evade antivirus, analysis and tracking (it mutates quickly and is immune to conventional antivirus software). Next, with the privileges it has, it connects to the attacker's server, uploads local information and downloads the encrypted private key and public key, then uses them to encrypt files: first it encrypts the important files on the computer with AES-128 to obtain a key, then it encrypts that key asymmetrically with RSA-2048. Nobody except the developer can realistically decrypt the result. Brute force with current computing power would take decades, and even a success would unlock only a single file. (In theory one could also try to crack the master key protected by RSA-2048; as for the time that would take, the earth may not last that long.) After encryption finishes, the screen is locked, the wallpaper is changed, and a ransom note file is placed in a conspicuous location such as the desktop to guide the user to pay the ransom.

It is worth mentioning that some extortionists demand the ransom in Bitcoin. If you do not know how the transaction works, you may be mocked by the blackmailer a second time: look it up online yourself! ( Ĭ ^ Ĭ )

The following are the main behaviours of a ransomware sample carrier, as analysed in an APT sandbox:

1. Call the encryption algorithm library;

2. Make HTTP requests through script files;

3. Download files through script files;

4. Read the remote server file;

5. Execute the file through wscript;

6. Collect computer information;

7. Traversing files.

The main feature of this sample is that it decrypts the address of its connection server with its own decryption routine, fetches the encrypted payload with an HTTP GET request, saves it to the TEMP directory, decrypts it with the same routine, writes the result out as a DLL and then runs that DLL, which is the ransomware body proper. This DLL is the component that actually encrypts data: it generates a key by calling a system file and then encrypts files of the specified types, so encryption proceeds without fetching a key online. During sandbox analysis the sample also exhibited a large number of anti-debugging behaviours aimed at resisting the debugger, which increases the difficulty of debugging and analysis.
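The seven behaviours above are only meaningful in combination, so a triage step that scores a sandbox report on how many of them co-occur is the natural detection to build. The script below is an added example, not part of the original post or of any sandbox product; the log lines and their "time | sample | process | detail" layout are constructed for illustration and do not follow any real sandbox's export format.

```powershell
# Added example (not from the original post): score a sandbox behaviour log
# against the seven behaviours listed above. The log lines and their
# "time | sample | process | detail" layout are constructed for illustration.

$SandboxLog = @'
2023-04-01T10:00:01 | invoice.js | wscript.exe  | executed script C:\Users\alice\Downloads\invoice.js
2023-04-01T10:00:02 | invoice.js | wscript.exe  | HTTP GET http://c2.example.invalid/blob.bin
2023-04-01T10:00:03 | invoice.js | wscript.exe  | write C:\Users\alice\AppData\Local\Temp\blob.bin
2023-04-01T10:00:04 | invoice.js | rundll32.exe | LoadLibrary bcrypt.dll
2023-04-01T10:00:05 | invoice.js | rundll32.exe | GetComputerNameW; GetUserNameW; GetVolumeInformationW
2023-04-01T10:00:06 | invoice.js | rundll32.exe | FindFirstFileW C:\Users\alice\Documents\*.docx
2023-04-01T10:05:00 | setup.exe  | setup.exe    | HTTP GET http://updates.example.invalid/latest.txt
2023-04-01T10:05:01 | setup.exe  | setup.exe    | write C:\Users\alice\AppData\Local\Temp\latest.txt
'@

# One regex per behaviour, matched against "<process> <detail>".
$Behaviours = [ordered]@{
    'calls encryption library'  = 'bcrypt\.dll|crypt32\.dll|CryptEncrypt|CryptGenKey'
    'HTTP request from script'  = '^(wscript|cscript|mshta|powershell)\.exe .*HTTP (GET|POST)'
    'downloads file to TEMP'    = 'write .*\\Temp\\'
    'executes via wscript'      = '^wscript\.exe'
    'collects host information' = 'GetComputerName|GetUserName|GetVolumeInformation'
    'traverses user files'      = 'FindFirstFile.*\\Users\\'
}

function ConvertFrom-SandboxLog {
    # Turn the pipe-separated text into one object per event.
    param([string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split '\s*\|\s*', 4
        [pscustomobject]@{ Time = $f[0]; Sample = $f[1]; Process = $f[2]; Detail = $f[3] }
    }
}

function Get-RansomwareVerdict {
    # A sample is ransomware-like when it shows at least $Threshold distinct behaviours
    # and both of the two that matter most: touching a crypto library and walking user files.
    param([string]$LogText, [int]$Threshold = 4)
    ConvertFrom-SandboxLog $LogText | Group-Object Sample | ForEach-Object {
        $seen = [System.Collections.Generic.HashSet[string]]::new()
        foreach ($e in $_.Group) {
            $text = "$($e.Process) $($e.Detail)"
            foreach ($b in $Behaviours.GetEnumerator()) {
                if ($text -match $b.Value) { [void]$seen.Add($b.Key) }
            }
        }
        $suspicious = $seen.Count -ge $Threshold -and
                      $seen.Contains('calls encryption library') -and
                      $seen.Contains('traverses user files')
        $verdict = if ($suspicious) { 'ransomware-like' } else { 'no verdict' }
        [pscustomobject]@{
            Sample     = $_.Name
            Score      = $seen.Count
            Verdict    = $verdict
            Behaviours = ($seen | Sort-Object) -join '; '
        }
    }
}

# With the constructed log, invoice.js scores 6 (ransomware-like) and setup.exe scores 1.
Get-RansomwareVerdict $SandboxLog | Format-Table -AutoSize
```

The two mandatory behaviours in the verdict are what separate a downloader from a file encryptor: a legitimate installer also makes HTTP requests and writes to TEMP, as the setup.exe rows show, but it has no reason to both load a crypto library and enumerate the user's documents.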

How to prevent ransomware?

Bronze rank

Do not open emails from strangers or unknown sources, to prevent ransomware delivered by email;

Download required software only from regular (official) websites;

Upgrade antivirus software to the latest version to block attacks by known virus samples;

Windows 7, 8.1 and 10 users should install Microsoft's official MS17-010 patch as soon as possible;

Regularly back up important data and files to a separate location, so they can be restored after an infection;

Hold regular security training; daily security management can follow the "three nos and three musts" (three nos: do not take the bait, do not open, do not click; three musts: back up, confirm, update).

Diamond rank

1. Physically and network-isolate infected machines;

2. For the other, uninfected computers on the intranet, check for system security risks:

a) Are there unpatched vulnerabilities in the system and its software?

b) Are file sharing or risky services and ports enabled, such as 135, 137, 139, 445 and 3389?

c) Allow only office computers to access dedicated file servers, and use FTP as an alternative to folder sharing.

d) Check whether IPC$ null sessions and the default administrative shares are enabled.

e) Check whether a single shared login password or weak passwords are in use.

3. Try not to click through the Office macro prompt, to avoid infection via Office components;

4. Try not to double-click to open files with extensions such as .js and .vbs;

5. Post-incident handling

In situations where direct support from security professionals is not available, the following measures may be considered:

Search the Tencent Computer Manager ransomware search engine ("ransomware virus interception | file recovery_Document Guardian protects document security - Tencent Computer Manager") for information about the virus;

If decryption is supported, click to download the tool and decrypt the files directly.
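The checks in item 2 (risky ports, default shares, IPC$ null sessions, weak local password settings) and the MS17-010 item from the Bronze rank can be read off one host in a single pass. The script below is an added example, not from the original post; it only reads state and changes nothing. It assumes an elevated session on Windows 10 / Server 2016 or later, where the NetTCPIP, SmbShare and Microsoft.PowerShell.LocalAccounts modules ship with the OS.

```powershell
# Added example (not from the original post): read-only exposure audit of one
# Windows host. Assumes an elevated PowerShell on Windows 10 / Server 2016+.

$RiskyPorts = 135, 137, 139, 445, 3389   # the ports named in check (b)

function Get-RiskyListeners {
    # (b) risky TCP ports in LISTEN state, with the owning process name
    Get-NetTCPConnection -State Listen |
        Where-Object { $RiskyPorts -contains $_.LocalPort } |
        ForEach-Object {
            [pscustomobject]@{
                Port    = $_.LocalPort
                Address = $_.LocalAddress
                Process = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            }
        } | Sort-Object Port, Address -Unique
}

function Get-DefaultShares {
    # (d) administrative/default shares such as C$, ADMIN$ and IPC$
    Get-SmbShare | Where-Object { $_.Special } | Select-Object Name, Path, Description
}

function Get-AutoShareSetting {
    # (d) AutoShareServer / AutoShareWks = 0 stops C$ and ADMIN$ being recreated at boot;
    # an absent value means the default (shares are recreated)
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    [pscustomobject]@{ AutoShareServer = $p.AutoShareServer; AutoShareWks = $p.AutoShareWks }
}

function Get-NullSessionPolicy {
    # (d) IPC$ "empty" (anonymous) connections are governed by these LSA values
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [pscustomobject]@{
        RestrictAnonymous         = $lsa.RestrictAnonymous          # 1 blocks anonymous share/account enumeration
        RestrictAnonymousSAM      = $lsa.RestrictAnonymousSAM       # 1 blocks anonymous SAM enumeration
        EveryoneIncludesAnonymous = $lsa.EveryoneIncludesAnonymous  # 0 keeps anonymous out of "Everyone"
    }
}

function Get-Smb1State {
    # MS17-010 (the bug WannaCry exploited) lives in SMBv1; even on a patched host
    # the protocol should be off. $true here means SMBv1 is still served.
    (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Get-LocalAccountRisks {
    # (e) enabled local accounts that need no password or whose password never expires.
    # A password shared across many hosts cannot be seen from one host; that part of (e)
    # needs a central comparison of credential hashes or a password-policy audit.
    Get-LocalUser |
        Where-Object { $_.Enabled -and ((-not $_.PasswordRequired) -or ($null -eq $_.PasswordExpires)) } |
        Select-Object Name, PasswordRequired, PasswordExpires
}

function Invoke-HostExposureAudit {
    Write-Host '== risky listening ports =='
    Get-RiskyListeners | Format-Table -AutoSize | Out-Host
    Write-Host '== default (administrative) shares =='
    Get-DefaultShares | Format-Table -AutoSize | Out-Host
    Write-Host '== AutoShare settings =='
    Get-AutoShareSetting | Format-List | Out-Host
    Write-Host '== null session policy =='
    Get-NullSessionPolicy | Format-List | Out-Host
    Write-Host "== SMBv1 enabled: $(Get-Smb1State) =="
    Write-Host '== local accounts with weak password settings =='
    Get-LocalAccountRisks | Format-Table -AutoSize | Out-Host
}

Invoke-HostExposureAudit
```

Each function returns objects, so the same checks can be run across the intranet with Invoke-Command and collected into one table; the host-by-host output is what tells you which machines still need isolation from the infected one.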

King rank

The conventional defensive thinking on preventing ransomware is summarised above. There is nothing wrong with it, but however you look at it, it amounts to "sit and wait" and take the beating passively. Still, it is not wrong: meeting each trick with a counter is the natural, inertial way to think.

The correct anti-ransomware approach must use constancy to respond to change.

Take an example:

A farmer raised a flock of sheep with shiny coats, fat and strong and fine-looking; the farmer was very pleased.

One day the farmer found that a few sheep were missing and also found wolf tracks, so he knew a wolf was stealing the sheep.

The farmer tracked the wolves, set traps and kept watch day and night, exhausting himself physically and mentally, but still failed to catch a wolf, and the flock kept shrinking.

In the end the farmer replaced the thatched sheep pen with a granite one; no more sheep went missing, and the farmer no longer had to hunt wolves.

This is the concept of host hardening.

So, for preventing ransomware, host hardening is a good approach.

The core points of host hardening:

System hardening

Lock down the configured system and turn it into a trusted system.

Under a trusted system, illegal programs and scripts cannot run, and data flowing in and out is not affected.

Such a trusted system stays safe even if the system has vulnerabilities, or even if administrator privileges are lost.

Program hardening

Executable programs and scripts are verified in real time by hash value against trusted signatures; anything that fails verification is denied startup, and trusted programs cannot be impersonated.
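What "verify by hash against trusted signatures, deny on failure" looks like in practice is a baseline of hashes and Authenticode status captured on a clean host, and a later comparison that reports every binary or script that is new, changed, or no longer validly signed. The script below is an added example built from the standard Get-FileHash and Get-AuthenticodeSignature cmdlets; it is not MCK's implementation or any product's code, and the baseline path and watched directories are assumptions. It reports; enforcement of the deny is left to an allowlisting control such as AppLocker or Windows Defender Application Control.

```powershell
# Added example (not from the original post, not any product's code): hash and
# signature baseline for executables and scripts. Paths below are assumptions.

$BaselinePath = 'C:\ProgramData\Hardening\exe-baseline.json'   # assumed location
$WatchedDirs  = 'C:\Program Files\BusinessApp', 'C:\Scripts'    # assumed directories
$Extensions   = '*.exe', '*.dll', '*.ps1', '*.vbs', '*.js'

function Get-ExecutableInventory {
    # One record per executable or script: SHA-256 plus Authenticode status and signer.
    foreach ($dir in $WatchedDirs) {
        Get-ChildItem -Path $dir -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                [pscustomobject]@{
                    Path      = $_.FullName
                    Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    SigStatus = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
                    Signer    = $signer
                }
            }
    }
}

function New-ExecutableBaseline {
    # Capture the trusted state once, on a host known to be clean.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    Get-ExecutableInventory | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
}

function Test-ExecutableBaseline {
    # Compare the live inventory with the baseline. Each DENY is a file the text
    # would refuse to start: unknown, tampered, or with a broken trusted signature.
    $baseline = @{}
    foreach ($b in (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)) {
        $baseline[$b.Path] = $b
    }
    foreach ($e in Get-ExecutableInventory) {
        $verdict = if (-not $baseline.ContainsKey($e.Path)) { 'DENY: not in baseline' }
                   elseif ($baseline[$e.Path].Sha256 -ne $e.Sha256) { 'DENY: hash changed' }
                   elseif ($e.SigStatus -ne 'Valid' -and $baseline[$e.Path].SigStatus -eq 'Valid') {
                       'DENY: trusted signature no longer valid'
                   }
                   else { 'ALLOW' }
        [pscustomobject]@{ Path = $e.Path; Verdict = $verdict; SigStatus = $e.SigStatus; Signer = $e.Signer }
    }
}

# Usage: run New-ExecutableBaseline once on a clean host, then on a schedule:
Test-ExecutableBaseline | Where-Object { $_.Verdict -like 'DENY*' } | Format-Table -AutoSize
```

Checking the hash before the signature matters because a dropped DLL that carries a valid signature from some other publisher would still be "signed"; the baseline ties each path to the exact bytes and the exact signer that were approved.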

File hardening

Protect files of the specified type from tampering.
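The closest built-in Windows control to "protect files from tampering" is Controlled Folder Access in Microsoft Defender, which lets only trusted applications modify protected folders (it is scoped by folder, not by file extension). The snippet below is an added example, not from the original post or any product; the protected folder, the allowed application path and the Defender event IDs are standard Defender settings, while the specific paths are assumptions.

```powershell
# Added example (not from the original post): enable Controlled Folder Access
# for a data folder and allow only the business application to write into it.
# Folder and program paths are assumptions.

function Enable-FileHardening {
    param(
        [string[]]$Folders     = @('D:\Shared\Documents'),                     # assumed data location
        [string[]]$AllowedApps = @('C:\Program Files\BusinessApp\app.exe')     # assumed trusted writer
    )
    # Start in AuditMode on a new host to see what would be blocked; switch to Enabled after review.
    Set-MpPreference -EnableControlledFolderAccess Enabled
    Add-MpPreference -ControlledFolderAccessProtectedFolders $Folders
    Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApps
}

function Get-FileHardeningState {
    # Read back the effective configuration.
    $p = Get-MpPreference
    [pscustomobject]@{
        Mode        = $p.EnableControlledFolderAccess   # 0 Disabled, 1 Enabled, 2 AuditMode
        Folders     = $p.ControlledFolderAccessProtectedFolders
        AllowedApps = $p.ControlledFolderAccessAllowedApplications
    }
}

function Get-FileHardeningEvents {
    # Defender logs blocked writes as event 1123 and audited writes as 1124.
    param([int]$Last = 20)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1123, 1124
    } -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Enable-FileHardening
Get-FileHardeningState
Get-FileHardeningEvents
```

A ransomware payload that runs as the user still cannot rewrite the protected folder, because the block is decided by the identity of the writing process rather than by the user's permissions; the 1123 events are also a useful early detection signal on their own.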

Disk encryption

Create a security sandbox isolated from the outside world and encrypt the data inside it, so that data can be decrypted only under effective authorization management. Without authorization, even administrators cannot copy or use the data, and even cloning the system is useless.

Database hardening

The first layer: database files are protected from access and tampering by unfamiliar programs, ensuring file-level security of the database.

The second layer: trusted filtering of access to the database port, so that only business programs may communicate with it; process identity is added to the IP + port + account/password connection string.

The third layer: intelligent filtering of the SQL text sent over database connections, preventing key data from being retrieved in bulk, preventing illegal access to the database's internal data, and preventing dangerous operations on database tables.
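The second layer, "only business programs may talk to the database port", can be expressed with the Windows Defender Firewall on both ends: on the database host an inbound rule scoped to the application servers and to the database service binary, and on the application host an outbound rule scoped to the business program. The script below is an added example, not from the original post or any product; the port, addresses and program paths are assumptions (1433 is assumed to be SQL Server's port).

```powershell
# Added example (not from the original post): firewall rules that admit only the
# business program to the database port. Port, addresses and paths are assumptions.

$DbPort     = 1433                                   # assumed database port
$DbServer   = '10.0.2.20'                            # assumed database host
$DbBinary   = 'C:\DbServer\bin\dbserver.exe'         # assumed database service binary (placeholder path)
$AppServers = '10.0.1.10', '10.0.1.11'               # assumed business application hosts
$AppBinary  = 'C:\Program Files\BusinessApp\app.exe' # assumed business program

function Set-DbServerPortFilter {
    # Database host. Inbound default is Block, so one scoped Allow is the whole policy.
    # No catch-all Block rule is added: in Windows Firewall a Block rule beats an Allow
    # rule regardless of order, so such a rule would shut out the app servers too.
    New-NetFirewallRule -DisplayName 'DB: app servers to DB port' -Direction Inbound `
        -Protocol TCP -LocalPort $DbPort -RemoteAddress $AppServers `
        -Program $DbBinary -Action Allow | Out-Null
}

function Set-AppHostOutboundFilter {
    # Application host. Outbound default is Allow, so it is switched to Block and only the
    # business program gets an Allow to the DB port. Do this after every other required
    # outbound flow (updates, DNS, AD, monitoring) has its own Allow rule.
    Set-NetFirewallProfile -All -DefaultOutboundAction Block
    New-NetFirewallRule -DisplayName 'App: business program to DB' -Direction Outbound `
        -Protocol TCP -RemotePort $DbPort -RemoteAddress $DbServer `
        -Program $AppBinary -Action Allow | Out-Null
}

function Get-DbPortRules {
    # Show the resulting rules with their port, address and program filters.
    Get-NetFirewallRule -DisplayName 'DB:*', 'App:*' -ErrorAction SilentlyContinue | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Direction  = $_.Direction
            Action     = $_.Action
            LocalPort  = $port.LocalPort
            RemotePort = $port.RemotePort
            Remote     = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            Program    = ($_ | Get-NetFirewallApplicationFilter).Program
        }
    }
}

# Run Set-DbServerPortFilter on the database host and Set-AppHostOutboundFilter on each
# application host, then verify on either side:
Get-DbPortRules | Format-Table -AutoSize
```

The -Program filter is the firewall-level counterpart of the "process identity" the text wants added to the connection string: a script or dropped binary on the application host, even one holding the same account password, is not the allowed executable and gets no path to the port.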

Many problems can be solved by thinking differently. For preventing ransomware, the host-hardening strategy is clearly the better one. As for which host-hardening product to choose, opinions differ; personally I recommend MCK host hardening. The company behind this product is a veteran of the data security field, and its other product, SDC Sandbox, is very capable in source code security.


Source: blog.csdn.net/cnsinda_sdc/article/details/130089974