Cyber security threats – ransomware

1. Definition

Ransomware, also called a ransom virus, is a special type of malware. What makes it special is that it uses encryption and other technical means to prevent the victim from accessing the system or the data in it (documents, emails, databases, source code, etc.). The victim has to pay a ransom before they can regain access to the system or control of the data, and this is how the extortion works. This attack method is called a denial-of-access attack.

Ransomware is generally spread as a Trojan, masquerading as a seemingly harmless file. It usually relies on social engineering, such as posing as an ordinary email, to trick the victim into clicking a link and downloading it, but like many worms it may also exploit software vulnerabilities to spread between computers on the Internet.

Any organization or individual can be the target of a ransomware attack. Cybercriminals may attack indiscriminately, or they may target more valuable organizations: government agencies, hospitals and others that are more willing to pay a ransom, and organizations that hold sensitive data. Ransomware not only disrupts an organization's normal operation, causing business stagnation or interruption, but may also leak trade secrets and damage the corporate image. There is also a direct financial impact when companies pay ransoms to get their operations running again. Victimized businesses may suffer severe setbacks or shut down entirely.

Cybercriminals use technical means to hold user data hostage and extort money from individuals or organizations, a highly efficient approach that yields quick profits. Therefore, ransomware is not only a kind of malware but also a very "successful" cybercrime business model.

2. Types of ransomware

(1) Encrypting ransomware

After ransomware enters a system, it usually searches for data files (text files, spreadsheets, pictures, PDF files, etc.) and encrypts them with strong encryption algorithms such as AES and RSA. The criminals demand that the victim pay a ransom in Bitcoin within a set time, otherwise the files may never be decryptable. WannaCry and its variant WanaCrypt0r 2.0, which broke out in May 2017, are typical encrypting ransomware. Crypto-ransomware does not affect system operation. Because the encryption algorithms chosen by ransomware cannot be cracked and cryptocurrency transactions cannot be traced, encrypting ransomware has become the most common type of ransomware today.


(2) Lock-screen ransomware

Lock-screen ransomware does not encrypt files but locks the operating system, browser or keyboard so that the victim cannot use the machine normally. Typical lock-screen ransomware such as WinLock covers the victim's screen with pornographic images and demands $10 via text message in exchange for an unlock password. Lock-screen ransomware is often deceptive and intimidating. Cybercriminals usually impersonate law enforcement agencies, claim to have discovered that the user downloaded or distributed illegal content (mostly child pornography), and demand a ransom, otherwise the victim will be "arrested".


(3) Doxware-type ransomware

In recent years, with the continuous development of ransomware, Doxware-type ransomware has begun to appear. Cybercriminals claim to have the victim's personal data or private behavior, and if the victim does not pay the ransom on time, they will disclose it to social media or send it to contacts in the victim's address book. Some cybercriminals also sell this data on the dark web. This type of crime, which threatens the victim's personal reputation, causes particularly serious harm.

3. How ransomware works


(1) Network file sharing

Some small-scale ransomware is spread through shared files. Hackers upload the malware to network shares, cloud drives, QQ groups, BBS forums, etc., and send it to specific groups as a "share", tricking them into downloading and installing it.

In addition, unscrupulous hackers often make up excuses such as "the anti-virus software will raise a false alarm, so exit it before running the program" to trick victims into disabling their anti-virus software before running the file.

Typical representatives include: currently mainly domestic ransomware delivered through game plug-ins and carried by "green" (portable) software tools.

(2) Bundled distribution

Ransomware is bundled with legitimate software and published on major download sites or forums. Users are infected when they download and install the software.

(3) Spam

This is the most widespread ransomware delivery method. Attackers use social engineering to send fake emails, disguise malicious scripts/programs as ordinary files, and trick victims into downloading and running them. Using a botnet can increase the probability of deception. For example, the GameOver Zeus botnet uses man-in-the-browser (MITB) techniques to steal banking credentials and distributes phishing emails through the botnet, which victims find very easy to believe. This botnet has been used by ransomware such as CryptoLocker to distribute phishing emails.

Typical representatives include: Locky, Cerber, GlobeImposter, CryptoLocker, etc.

(4) Watering hole attack

The attacker exploits flaws in valuable, authoritative or highly visited websites to implant malicious code. Victims are infected when they visit the site or download files from it.

Typical representatives include: Cerber, GandCrab, etc.

(5) Software supply chain propagation

Ransomware authors compromise software development, distribution and update services. During development they mix the malware into product components; by compromising and hijacking download sites and update servers, they have the ransomware slipped in while users install or upgrade software in the normal way. This propagation method abuses the trust relationship between users and software vendors and successfully bypasses the detection and interception of traditional security products; it is more covert and its harm more serious. The Petya ransomware that previously spread around the world was distributed by hijacking the M.E.Doc software update service.

Typical representatives include: Petya etc.

(6) Brute-force cracking (targeted attack)

Against servers, individual users or other specific targets, the attacker obtains the necessary privileges through weak passwords, penetration, vulnerabilities, etc. For example, NotPetya brute-forces passwords and then spreads within the local area network.

Typical representatives include: NotPetya, Crysis, GlobeImposter, etc.

(7) Attacks using known vulnerabilities

The attacker exploits vulnerabilities in the system or in third-party software. For example, WannaCry exploits a set of vulnerabilities in SMBv1 to attack and spread.

Typical representatives include: WannaCry, Satan, etc.

(8) Attacks via high-risk ports

The attacker abuses the services behind certain ports, finds vulnerabilities in them and attacks through those ports. For example, WannaCry exploits a vulnerability in the service on port 445 of the Windows operating system to propagate, and it self-replicates and spreads actively. Common high-risk ports include 135, 139, 445, 3389, 5800/5900, etc. It is recommended to close such ports wherever possible.

Typical representatives include: WannaCry, etc.

4. How to deal with ransomware

If you are unfortunately hit by ransomware, please follow the suggestions below.


  • Don’t rush to pay ransom for ransomware. Paying a ransom encourages cybercrime and does not guarantee the recovery of encrypted files.
  • Strictly speaking, crypto-ransomware is unbreakable. Decryption is sometimes possible because of flaws in the ransomware's own design, or because the attacker group releases the decryption keys (as happened with Shade).
  • If the encrypted data is important or extremely sensitive and there is no decryption solution for the ransomware, please make sure that the cybercriminals can indeed decrypt it before deciding whether to pay the ransom.

Common ransomware disposal suggestions include but are not limited to:

  • Quarantine ransomware devices
    • Unplug the network cable or modify the network connection settings to isolate all ransomware devices from the network to prevent further spread of ransomware and control the scope of impact. At the same time, check the number of affected hosts and record the problem symptoms.
    • Close high-risk ports on other uninfected hosts. On the other, uninfected devices in the LAN, close common high-risk ports (135, 139, 445, 3389, etc.), or restrict which users/computers may access those ports.
  • Ransomware removal
    • Try using anti-virus software to scan and remove the ransomware: restart the operating system, enter safe mode, install or update the anti-virus software and perform a full scan.
    • Ransomware takes some time to search for files and encrypt them. Removing it early reduces the harm and prevents it from repeatedly locking the system or encrypting files.

  • Decryption
    • Protect the scene. Do not reinstall the operating system straight away. If the encrypted or locked data is important, back up the encrypted files and preserve the environment, so that decryption is not made impossible by damage to the environment.
    • Visit the "No More Ransom" website and use Crypto Sheriff to identify the ransomware family and check whether a decryption tool is available to recover the files.

  • Investigation and evidence collection
    • Have professional technicians collect evidence so that the ransomware's attack path can be analysed and traced back to its source.
    • In the operating system's Event Viewer, review the Security log, focusing on failed logon events. Check the security and session logs on network devices, focusing on brute-force attempts and attacks on major vulnerabilities such as SMB.
    • Determine how the infection happened, thoroughly fix the security issues in the system, and avoid falling victim again.

  • Reinstall the system
    • Finally, if the ransomware cannot be removed and the encrypted data cannot be recovered, back up the encrypted data (it may be possible to restore it in the future), then format the hard drive, wipe all data (including infected data), and reinstall the operating system and applications.
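The evidence-collection step above says to focus on failed logon events in the Security log. As an added example, not code from the original post, the Python script below shows how that review can be automated over exported log records: it flags source IPs with a burst of failed logons (event 4625) and notes whether a successful logon (4624) from the same source followed, which is the host to isolate first. The event records, field layout, threshold and window are all constructed assumptions.

```python
"""Added example (not from the original post): flag brute-force logon bursts
in Windows Security-log style records, as the evidence-collection step above
suggests. The records below are constructed; real ones come from Event Viewer."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed samples: (timestamp, event_id, account, source_ip).
# 4625 = failed logon, 4624 = successful logon (standard Windows event IDs).
SAMPLE_EVENTS = [
    ("2024-01-15 02:00:01", 4625, "administrator", "10.0.0.23"),
    ("2024-01-15 02:00:02", 4625, "administrator", "10.0.0.23"),
    ("2024-01-15 02:00:03", 4625, "admin", "10.0.0.23"),
    ("2024-01-15 02:00:04", 4625, "backup", "10.0.0.23"),
    ("2024-01-15 02:00:05", 4625, "administrator", "10.0.0.23"),
    ("2024-01-15 02:00:06", 4625, "administrator", "10.0.0.23"),
    ("2024-01-15 02:00:30", 4624, "administrator", "10.0.0.23"),
    ("2024-01-15 08:00:00", 4625, "alice", "10.0.0.50"),  # ordinary typos
    ("2024-01-15 09:00:00", 4625, "alice", "10.0.0.50"),
    ("2024-01-15 09:00:10", 4624, "alice", "10.0.0.50"),
]

def parse_events(rows):
    """Convert raw tuples to (datetime, event_id, account, ip), sorted by time."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, acct, ip)
              for ts, eid, acct, ip in rows]
    return sorted(parsed)

def find_bruteforce(events, threshold=5, window_minutes=5):
    """Return {ip: {"failures": n, "succeeded_after": bool}} for each source IP
    with at least `threshold` failed logons inside a sliding window.
    succeeded_after=True means a 4624 from that IP followed the burst: the
    password was probably guessed, so isolate that host first."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(list)   # ip -> failure timestamps still in window
    total = defaultdict(int)     # ip -> all failures seen from that ip
    alerts = {}
    for ts, eid, _acct, ip in events:
        if eid == 4625:
            total[ip] += 1
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            if len(recent[ip]) >= threshold and ip not in alerts:
                alerts[ip] = {"failures": 0, "succeeded_after": False}
        elif eid == 4624 and ip in alerts:
            alerts[ip]["succeeded_after"] = True
    for ip in alerts:
        alerts[ip]["failures"] = total[ip]
    return alerts

if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {info['failures']} failed logons, "
              f"successful logon afterwards: {info['succeeded_after']}")
```

The window matters: the two failures from 10.0.0.50 an hour apart are ordinary user typos and are only flagged if the window is widened far beyond a realistic burst.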


Origin blog.csdn.net/apr15/article/details/134632752