Geeks for your information
What is Ransomware – 15 Easy Steps To Protect Your System [Updated 2020]




What is Ransomware – 15 Easy Steps To Protect Your System [Updated 2020] - harlan4096 - 08 December 20

Quote:

Did you know what ransomware can do besides encrypting your data?

May 12th 2017 saw the biggest ever cyber attack in Internet history (yes, bigger than the Dyn DDoS). A ransomware named WannaCry stormed through the web, with the damage epicenter being in Europe.

WannaCry leveraged a vulnerability in Windows OS, first discovered by the NSA, and then publicly revealed to the world by the Shadow Brokers. In the first few hours, 200,000 machines were infected. Big organizations such as Renault or the NHS were struck and crippled by the attack.

But this massive wave wasn’t the only one. A few weeks later, a ransomware strain resembling Petya started spreading around Europe, affecting companies, Ukrainian institutions and banks, and even the radiation monitoring system at Chernobyl.

Ransomware has been a growing trend for the past two years, and this is just a culmination, a grand reveal to the wider world of just how big of a threat it is. But we’ve been writing about this for a while now.

Some time ago, a delivery guy walked into our office. While we signed for the package, he realized that we work in cyber security and asked:

Quote:My entire music collection from the past 11 years got encrypted by ransomware. Is there anything I can do about it? They’re asking for $500 for the decryption key.

My first thought was: I hope he has a data backup. So I had to ask: Do you have a backup?
 
Quote:He looked down and said a bitter “no”.

This scenario is unfolding right now somewhere in the world. Maybe even in your city or neighborhood. At this very moment, someone is clicking a link in a spam email or activating macros in a malicious document without having proper security software in place. In a few seconds, all their data will be encrypted and they’ll have just a few days to pay hundreds of dollars to get it back. Unless they have a backup, which most people don’t.

Ransomware creators and other cyber criminals involved in the malware economy are remorseless. They’ve automated their attacks to the point of targeting anyone and everyone. Take this story from the New York Times:
 
Quote:MY mother received the ransom note on the Tuesday before Thanksgiving. It popped up on her computer screen soon after she’d discovered that all of her files had been locked. “Your files are encrypted,” it announced. “To get the key to decrypt files you have to pay 500 USD.” If my mother failed to pay within a week, the price would go up to $1,000. After that, her decryption key would be destroyed and any chance of accessing the 5,726 files on her PC — all of her data — would be lost forever. Sincerely, CryptoWall.

I hope you’re reading this post to be prepared for a malware attack. Prevention is absolutely the best security strategy in this case. This guide is packed with concrete information on:
  1. What ransomware is
  2. How it evolved
  3. Who ransomware creators target most frequently
  4. How ransomware spreads via the web
  5. How ransomware infections happen
  6. Why ransomware often goes undetected by antivirus
  7. The most notorious ransomware families
  8. How to set up the best protection against ransomware
  9. How to decrypt your data without paying the ransom
But there is no reason for you to feel helpless. There are a lot of practical provisions you can take to block or limit the impact of cyber attacks on your data. And I’m about to show you just what to do.

What is ransomware?

Ransomware is a sophisticated piece of malware that blocks the victim’s access to his/her files, and the only way to regain access to the files is to pay a ransom.

There are two types of ransomware in circulation:
  1. Encrypting ransomware, which incorporates advanced encryption algorithms. It’s designed to block system files and demand payment to provide the victim with the key that can decrypt the blocked content. Examples include CryptoLocker, Locky, CryptoWall and more.
  2. Locker ransomware, which locks the victim out of the operating system, making it impossible to access the desktop and any apps or files. The files are not encrypted in this case, but the attackers still ask for a ransom to unlock the infected computer. Examples include the police-themed ransomware or Winlocker.
Some locker versions can even infect the Master Boot Record (MBR). The MBR is the section of a PC’s hard drive which enables the operating system to boot up. When MBR ransomware strikes, the boot process can’t complete as usual and prompts a ransom note to be displayed on the screen. Examples include Satana and Petya families.

Crypto-ransomware, as encryptors are usually known, is the most widespread type, and also the subject of this article. The cyber security community agrees that this is the most prominent and worrisome cyber threat of the moment (and it’s been so for the past few years).

Ransomware has some key characteristics that set it apart from other malware:
  • It features unbreakable encryption, which means that you can’t decrypt the files on your own (there are various decryption tools released by cyber security researchers – more on that later);
  • It has the ability to encrypt all kinds of files, from documents to pictures, videos, audio files and other things you may have on your PC;
  • It can scramble your file names, so you can’t know which data was affected. This is one of the social engineering tricks used to confuse and coerce victims into paying the ransom;
  • It will add a different extension to your files, to sometimes signal a specific type of ransomware strain;
  • It will display an image or a message that lets you know your data has been encrypted and that you have to pay a specific sum of money to get it back;
  • It requests payment in Bitcoins because this crypto-currency cannot be tracked by cyber security researchers or law enforcement agencies;
  • Usually, the ransom payments have a time-limit, to add another level of psychological constraint to this extortion scheme. Going over the deadline typically means that the ransom will increase, but it can also mean that the data will be destroyed and lost forever;
  • It uses a complex set of evasion techniques to go undetected by traditional antivirus (more on this in the “Why ransomware often goes undetected by antivirus” section);
  • It often recruits the infected PCs into botnets, so cyber criminals can expand their infrastructure and fuel future attacks;
  • It can spread to other PCs connected to a local network, creating further damage;
  • It frequently features data exfiltration capabilities, which means that it can also extract data from the affected computer (usernames, passwords, email addresses, etc.) and send it to a server controlled by cyber criminals; encrypting files isn’t always the endgame.
  • It sometimes includes geographical targeting, meaning the ransom note is translated into the victim’s language, to increase the chances for the ransom to be paid.
Their feature list keeps growing every day, with each new security alert broadcast by our team or other malware researchers.
...
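Two of the characteristics listed in the quoted article (a new extension added to files, and scrambled file names) are things a defender can watch for in file-rename telemetry. The sketch below is an added example, not part of the original article or of any Heimdal product; the event tuple format, the `KNOWN_EXTS` allow-list, the window and threshold values, and the `.locked` extension are all assumptions, and the sample events are constructed.

```python
from collections import deque
from pathlib import PurePath

# Constructed sample rename events: (seconds, old_path, new_path). Not real telemetry.
EVENTS = [
    (0.0, "docs/report.docx", "docs/report_final.docx"),    # ordinary user rename
    (30.0, "notes/todo.txt", "notes/todo.bak"),             # lone odd extension
    (100.0, "music/track01.mp3", "music/track01.mp3.locked"),
    (100.4, "music/track02.mp3", "music/track02.mp3.locked"),
    (101.1, "photos/beach.jpg", "photos/9f3a1c.locked"),    # name scrambled too
    (101.9, "docs/taxes.xlsx", "docs/7be210.locked"),       # name scrambled too
    (102.5, "docs/thesis.pdf", "docs/thesis.pdf.locked"),
]

# Assumed allow-list of extensions that are normal on this (hypothetical) host.
KNOWN_EXTS = {".docx", ".mp3", ".jpg", ".xlsx", ".pdf", ".txt"}


def detect_mass_rename(events, window=10.0, threshold=5):
    """Alert when `threshold` files gain the same unfamiliar extension
    within `window` seconds. Returns a list of alert dicts."""
    recent = deque()   # (timestamp, new_extension, name_was_scrambled)
    alerted = set()    # extensions already reported, to avoid repeat alerts
    alerts = []
    for ts, old, new in sorted(events):
        old_p, new_p = PurePath(old), PurePath(new)
        ext = new_p.suffix.lower()
        # Ignore renames that keep the extension or land on a familiar one.
        if ext in KNOWN_EXTS or ext == old_p.suffix.lower():
            continue
        # "Scrambled" here means the original stem no longer appears in the new name.
        scrambled = old_p.stem.lower() not in new_p.name.lower()
        recent.append((ts, ext, scrambled))
        # Drop events that have fallen out of the sliding window.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        same = [s for _, e, s in recent if e == ext]
        if len(same) >= threshold and ext not in alerted:
            alerted.add(ext)
            alerts.append({"time": ts, "extension": ext,
                           "files": len(same), "scrambled_names": sum(same)})
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(EVENTS):
        print(alert)
```

The single `.bak` rename does not alert because it never reaches the threshold; a real deployment would tune the window, threshold and allow-list to the host's normal activity.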