No chance of recovery: What is ransomware and how to fend it off?
This article covers the ins and outs of file-encrypting ransomware circulating on a large scale for the past 5 years. It also advises on what to do in case of infection, how to fix a contaminated computer and whether it’s possible altogether, while additionally providing effective prevention tips.
Encrypt it all!
Crypto ransomware, also referred to as ransom Trojan, is a type of malicious code that encrypts a victim’s data and then demands money for the decryption tool. The size of the ransom ranges from about $200 to tens or even hundreds of thousands of dollars.
A few years ago, Windows-based computers were the only ones targeted by these threats. As time went by, ransomware extended its reach to operating systems that seem well protected, including Linux, Mac, and Android. Furthermore, this underground industry is becoming increasingly versatile, constantly spawning new strains that stand out from the rest.
More and more ransom Trojans, especially ones that splashed onto the scene over the past 3-5 years, use strong cryptographic algorithms that cannot be cracked by brute-forcing the decryption key or via any other existing technique. The only way to restore the hostage information is to use the original key being sold by the attackers. However, sending the ransom doesn’t guarantee that the criminals will provide the key. They are reluctant to reveal their secrets and lose potential profit. Besides, why would they carry through with their promises if they already have the money?
Ransomware distribution methods
The main vector of attacks against end users and organizations comes down to email – specifically, the attached files and embedded links. The following techniques are often used to spread ransomware as well:
- Social networks (phishing messages received from one’s contacts or strangers).
- Malicious or compromised websites.
- Banner ads.
- Messenger spam via hacked accounts.
- Warez sites and resources offering software cracks and keygens.
- Adult websites.
- App stores.
Other malware, such as adware and backdoors, can also be used to install ransomware. Backdoors exploit operating system and software vulnerabilities to give an attacker remote access to the infected device. In this case, the ransomware does not necessarily run at the moment of a careless user action: as long as the backdoor remains on the system, the attacker can connect at any time and trigger the encryption process behind the scenes.
To contaminate enterprise networks, which are juicier targets than home users, cybercriminals can leverage particularly intricate tactics. For example, the notorious Petya ransomware infiltrated computers via an update module of the MEDoc accounting software.
Ransom Trojans with network worm characteristics make the rounds across networks and over the Internet by harnessing protocol weaknesses. The infection can take place without any user involvement. Given that updates include patches for known security loopholes, people who use infrequently updated Windows OS versions are the most susceptible to such attacks.
Some strains, such as the WannaCry ransomware, use 0-day vulnerabilities that the system developers don’t know about. Unfortunately, it’s impossible to ensure reliable protection against this infection vector, but the likelihood of falling victim to it is less than 1%. Why? Because malicious code cannot possibly infect all vulnerable machines in one shot. The developers usually get a chance to roll out a rescue patch while the malware is still looking for new victims.
How does ransomware behave on a contaminated computer?
The encryption process typically starts silently, and by the time the symptoms become obvious, it’s too late to save the data because the pest has already encrypted everything it could find. Sometimes the user notices that files in an open folder are acquiring a different extension.
Here are examples of the extensions appended to hostage files: .enc, .eth, .xtbl, .ryk, .phobos, .gdcb, .djvu, .no_more_ransom, etc. There are numerous other strings and new ones are appearing all the time, so it doesn’t make much sense to continue the list. In order to identify the sample, it suffices to look up the extension on a search engine.
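One way to turn that observation into a quick check, as an added example that is not part of the article: the PowerShell function below walks a folder tree, groups files carrying the extensions listed above, and reports the newest write time per extension so a defender can tell whether encryption is still in progress. The scanned path and the extension list being complete are assumptions.

```powershell
# Added example (not from the article): find files whose extension matches the
# strings listed above and summarise them per extension, newest first.
# The extension list is the article's; the scanned path is an assumption.
$ransomExtensions = @('.enc', '.eth', '.xtbl', '.ryk', '.phobos',
                      '.gdcb', '.djvu', '.no_more_ransom')

function Find-RenamedFiles {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Extensions = $ransomExtensions
    )
    # -File skips directories; extensions are compared case-insensitively.
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        Group-Object -Property Extension |
        ForEach-Object {
            [pscustomobject]@{
                Extension = $_.Name
                Count     = $_.Count
                # The most recent write time shows whether files are still being renamed
                Newest    = ($_.Group | Measure-Object -Property LastWriteTime -Maximum).Maximum
                Sample    = ($_.Group | Select-Object -First 1).FullName
            }
        } | Sort-Object -Property Newest -Descending
}

# Assumed starting point; a hit here is a reason to cut power and image the disk, not to keep working.
Find-RenamedFiles -Path 'C:\Users' | Format-Table -AutoSize
```

The Sample column gives one full file name per extension, which is what you search for when identifying the strain as the article suggests.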
How to fix a ransomware-stricken machine?
It’s not hard to remove the malicious code from a compromised system. Most antivirus tools can easily do the trick. However, it’s naive to suppose that deleting the culprit will solve the problem. Whether you get rid of it or not, the files will remain encrypted. Moreover, in some scenarios, removing the ransomware may complicate subsequent decryption, if decryption is possible at all.
How to act if the encryption has started?
- As soon as you notice the signs of the encryption process, power down your computer immediately by long-pressing the Power button. This will at least save some of your data.
- Use another computer to create a boot disk or add an antivirus suite to a thumb drive (e.g. Dr.Web LiveDisk or ESET NOD32 LiveCD).
- Boot the infected machine from this disk and scan the system. Move the detected malware to quarantine rather than deleting it, since the sample may be needed for decryption. Only after these steps should you boot the computer from its hard drive.
- Try to restore the encrypted files from their Shadow Copies using the system’s built-in tools, or install third-party data recovery software.
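The last step, restoring from Shadow Copies with built-in tools, as an added example that is not part of the article: the PowerShell below lists the Volume Shadow Copies that still exist for a volume and copies a folder out of the chosen snapshot onto a clean disk. The volume, the folder path and the destination are assumptions; it must run from an elevated prompt, and only after the machine has been cleaned, since many ransomware families delete shadow copies first.

```powershell
# Added example (not from the article): enumerate shadow copies of a volume and
# restore one folder from a snapshot. Paths are assumptions.

function Get-ShadowCopies {
    param([string] $Volume = 'C:\')
    # Win32_ShadowCopy refers to the volume by its \\?\Volume{GUID}\ device id
    $vol = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.Name -eq $Volume }
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object -Property InstallDate -Descending |
        Select-Object ID, InstallDate, DeviceObject
}

function Restore-FromShadowCopy {
    param(
        [Parameter(Mandatory)] [string] $DeviceObject,   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        [Parameter(Mandatory)] [string] $RelativePath,   # path inside the volume, e.g. Users\alice\Documents
        [Parameter(Mandatory)] [string] $Destination     # folder on a clean disk
    )
    # A snapshot is exposed as a device path; a directory symlink (created with
    # mklink, trailing backslash required) makes it browsable with normal tools.
    $link = Join-Path $env:TEMP ('shadow_' + [guid]::NewGuid().ToString('N'))
    cmd /c mklink /d $link "$DeviceObject\" | Out-Null
    try {
        $source = Join-Path $link $RelativePath
        New-Item -ItemType Directory -Path $Destination -Force | Out-Null
        Copy-Item -Path (Join-Path $source '*') -Destination $Destination -Recurse -Force
    } finally {
        # rmdir removes only the link, never the snapshot behind it
        cmd /c rmdir $link | Out-Null
    }
}

$copies = Get-ShadowCopies -Volume 'C:\'
$copies | Format-Table -AutoSize
if ($copies) {
    # Newest snapshot first; pick an older one if it already contains encrypted files
    Restore-FromShadowCopy -DeviceObject $copies[0].DeviceObject `
        -RelativePath 'Users\alice\Documents' -Destination 'D:\recovered\Documents'
}
```

Check a few restored files before trusting a snapshot: a copy taken after the encryption started will hold the hostage versions, so step back to an earlier one.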
What to do if data has been encrypted?
- Don’t lose hope. The sites of some security software vendors, including Avast, Bitdefender, Emsisoft, Trend Micro, and AVG, contain free decryption tools supporting different ransomware families.
- Having identified the specific strain that attacked your system, install the appropriate utility, be sure to back up the damaged files, and try to decrypt some of them. If you succeed, go ahead and decrypt the rest.