A brief research on Ransomware
Soumya Mondal
SOC2 Internal Auditor, cybersec, cloud & GenAI security consultant, author and blogger
Ransomware is malicious software that cyber criminals use to encrypt your computer or its files, using asymmetric encryption, and then hold them for ransom, demanding payment from you to get them back.
They can:
- Prevent you from accessing Windows.
- Encrypt files so you can't use them.
- Stop certain apps from running (like your web browser).
They will demand that you do something to get access to your PC or files. We have seen them:
- Demand you pay money.
- Make you complete surveys.
There is no guarantee that paying the fine or doing what the Ransomware tells you will give access to your PC or files again. Locky and Cerber are two of the most prevalent and dangerous Ransomware currently active. FakeBsod has emerged as a new prevalent Ransomware family since it was first detected in September 2015, and is the second most detected malware in the top ten list of prevalent Ransomware, with 21 percent of detections. Other notable Ransomware are:
- Ransom:HTML/Crowti.A
- Ransom:Win32/Crowti
- Ransom:HTML/Tescrypt.A
- Ransom:Win32/Crowti.A
- Ransom:Win32/Nymaim
- Ransom:Win32/Nymaim.F
- Ransom:Win32/Tescrypt.A
- Ransom:Win32/Troldesh.A
- Ransom:Win32/Reveton.V
- Ransom:Win32/Reveton
Ransomware is becoming an increasingly popular way for malware authors to extort money from companies and consumers alike. There is a variety of ways Ransomware can get onto a person's machine, but as always, those techniques boil down to either social engineering tactics or the use of software vulnerabilities to silently install on a victim's machine. One specific Ransomware threat that has been in the news a lot lately is Cryptolocker (detected by ESET as Win32/Filecoder). The perpetrators of Cryptolocker have been emailing it to huge numbers of people, targeting particularly the US and UK. Like a notorious criminal, this malware has been associated with a variety of other bad actors: backdoor Trojans, downloaders, spammers, password-stealers, ad-clickers and the like. Ransomware may come on its own (often by email) or by way of a backdoor or downloader, brought along as an additional component.
Those people that have been affected have had a large number of their files encrypted. These files are primarily popular data formats, files you would open with a program (like Microsoft Office, Adobe programs, iTunes or other music players, or photo viewers). The malware authors use two types of encryption: the files themselves are protected with 256-bit AES encryption. The keys generated by this first encryption process are then protected with 2048-bit RSA encryption, and the malware author keeps the private key that would allow both the keys on the user's machine and the files they protect to be decrypted. The decryption key cannot be brute-forced, or gathered from the affected computer's memory. The criminals are the only ones who ostensibly have the private key. On the one hand, Ransomware can be very scary: the encrypted files can essentially be considered damaged beyond repair. But if you have properly prepared your system, it is really nothing more than a nuisance. Here are a few tips that will help you keep Ransomware from wrecking your day:
First and foremost, be sure to back up your most important files on a regular basis, if possible in real time, so that in case of an infection a previous clean copy of the files / folders can be restored. Ideally, backup activity should be diversified, so that the failure of any single point won't lead to the irreversible loss of data. Store one copy in the cloud, resorting to services like Dropbox, and the other on offline physical media, such as a portable HDD.
Show hidden file-extensions, as Ransomware frequently arrives in a file that is named with the extension ".PDF.EXE", counting on Windows' default behavior of hiding known file-extensions. If you re-enable the ability to see the full file-extension, it can be easier to spot suspicious files.
Most Ransomware variants are known to be spreading via eye-catching emails that contain contagious attachments. It's a great idea to configure your webmail server to block dubious attachments with extensions like .exe, .vbs, or .scr. If your gateway mail scanner has the ability to filter files by extension, you may wish to deny mails sent with ".EXE" files, or to deny mails sent with files that have two file extensions, the last one being executable ("*.*.EXE" files, cute-dog.avi.exe, in filter-speak).
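The two rules above (hidden extensions and the "*.*.EXE" gateway filter) are easy to get subtly wrong, so here is an added example, not part of the original article, of an attachment filter that implements them. The attachment names in the block are constructed for the example; the EXECUTABLE_EXTENSIONS set is an assumption that goes slightly beyond the article's .exe/.vbs/.scr list so that other directly executable types are caught too.

```python
# Added example (not from the original article): an attachment-name filter
# implementing the "block executable extensions" and "block double extensions
# ending in an executable" rules, plus a helper that shows what Windows would
# display when known extensions are hidden.

# Extensions the article names as worth blocking at the mail gateway.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".scr"}

# Assumption: a wider set of directly executable types for the double-extension
# rule, so "invoice.pdf.cmd" is treated like "invoice.pdf.exe".
EXECUTABLE_EXTENSIONS = BLOCKED_EXTENSIONS | {".com", ".bat", ".cmd", ".js", ".ps1"}


def split_extensions(filename):
    """Return every extension of a file name, lower-cased.

    'cute-dog.avi.exe' -> ['.avi', '.exe'];  'report' -> []
    """
    basename = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = basename.split(".")
    return ["." + p for p in parts[1:] if p]


def displayed_name(filename):
    """Mimic Windows' default 'hide extensions for known file types' view.

    Only the last extension is hidden, which is exactly why 'cute-dog.avi.exe'
    shows up as 'cute-dog.avi' in Explorer and email clients.
    """
    basename = filename.replace("\\", "/").rsplit("/", 1)[-1]
    stem, _, _ = basename.rpartition(".")
    return stem or basename


def classify_attachment(filename):
    """Return (verdict, reason); verdict is 'block' or 'allow'."""
    exts = split_extensions(filename)
    if not exts:
        return "allow", "no extension"
    last = exts[-1]
    if last in BLOCKED_EXTENSIONS:
        return "block", f"executable extension {last}"
    if len(exts) >= 2 and last in EXECUTABLE_EXTENSIONS:
        return "block", f"double extension {''.join(exts[-2:])} ends in executable"
    return "allow", "no executable extension"


def filter_attachments(names):
    """Apply classify_attachment to a batch; returns {name: (verdict, reason)}."""
    return {name: classify_attachment(name) for name in names}


if __name__ == "__main__":
    # Constructed sample attachment names.
    sample = ["cute-dog.avi.exe", "Invoice.PDF.EXE", "report.pdf",
              "setup.exe", "archive.tar.gz", "notes.txt.cmd"]
    for name, (verdict, reason) in filter_attachments(sample).items():
        print(f"{verdict:5}  {name:20}  (shown as '{displayed_name(name)}')  {reason}")
```

The displayed_name helper is there to make the point concrete: with extensions hidden, the first two sample names render as harmless-looking "cute-dog.avi" and "Invoice.PDF", which is what the article's advice to show extensions is guarding against.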
Refrain from opening attachments that look suspicious. Not only does this apply to messages sent by unfamiliar people but also to senders who you believe are your acquaintances. Phishing emails may masquerade as notifications from a delivery service, an e-commerce resource, a law enforcement agency, or a banking institution.
Disable files running from AppData/LocalAppData folders by creating rules within Windows or with Intrusion Prevention Software, to disallow a particular, notable behavior used by Cryptolocker, which is to run its executable from the App Data or Local App Data folders.
Use the Cryptolocker Prevention Kit created by Third Tier that automates the process of making a Group Policy to disable files running from the App Data and Local App Data folders, as well as disabling executable files from running from the Temp directory of various unzipping utilities.
Disable all kinds of drive sharing, as Ransomware encrypts files / folders on shared drives. Also disable RDP, as this malware often accesses target machines using Remote Desktop Protocol (RDP), a Windows utility that allows others to access your desktop remotely. Limit end users' privileges by enforcing 'Least Privilege' or 'Need To Know' policies.
Patch or update your software on a regular basis (Microsoft and Adobe both use the second Tuesday of the month), but note that there are often "out-of-band" or unscheduled updates in case of emergency. Enable automatic updates if you can, or go directly to the software vendor's website, as malware authors like to disguise their creations as software update notifications too.
Think of disabling vssadmin.exe. This functionality built into Windows to administer the Volume Shadow Copy Service is normally a handy tool that can be used for restoring previous versions of arbitrary files. In the framework of rapidly evolving file-encrypting malware, though, vssadmin.exe has turned into a problem rather than a favorable service.
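Where disabling vssadmin.exe outright is not an option, the complementary control is to alert on its destructive use. The following is an added example, not from the original article, of detection logic run over a handful of constructed, Sysmon-style process-creation records: it flags vssadmin invocations that delete shadow copies or shrink shadow storage (both real vssadmin subcommands), raises the severity when the parent process runs from AppData or Temp, and ignores read-only calls such as "vssadmin list shadows". The log format and field names are assumptions for the example.

```python
# Added example (not from the original article): detect destructive use of
# vssadmin.exe in process-creation logs. Log lines and field names are
# constructed for this example and are not a real product's format.
import re

# Constructed Sysmon-style process-creation records.
SAMPLE_LOG = [
    '2016-03-01T10:02:11Z host=WS01 user=alice parent=C:\\Users\\alice\\AppData\\Roaming\\qwerty.exe '
    'image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"',
    '2016-03-01T10:05:40Z host=WS01 user=admin parent=C:\\Windows\\System32\\cmd.exe '
    'image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin list shadows"',
    '2016-03-01T10:07:02Z host=WS02 user=bob parent=C:\\Users\\bob\\AppData\\Local\\Temp\\x.exe '
    'image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=401MB"',
    '2016-03-01T10:09:15Z host=WS02 user=bob parent=C:\\Windows\\explorer.exe '
    'image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe notes.txt"',
]

# key=value pairs; a value is either a double-quoted string or a run of non-space chars.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Subcommands that remove the recovery option the article describes.
DESTRUCTIVE = [
    (re.compile(r"\bdelete\s+shadows\b", re.I), "shadow copies deleted"),
    (re.compile(r"\bresize\s+shadowstorage\b", re.I), "shadow storage shrunk"),
]

# Parent-process locations the article singles out as typical malware homes.
SUSPICIOUS_PARENT_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\")


def parse_line(line):
    """Turn one log line into a dict; the leading token is the timestamp."""
    timestamp, _, rest = line.partition(" ")
    event = {"timestamp": timestamp}
    for key, value in FIELD_RE.findall(rest):
        event[key] = value[1:-1] if value.startswith('"') else value
    return event


def classify_event(event):
    """Return (severity, reason) for a destructive vssadmin call, else None."""
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    if image != "vssadmin.exe":
        return None
    cmd = event.get("cmd", "")
    for pattern, reason in DESTRUCTIVE:
        if pattern.search(cmd):
            parent = event.get("parent", "").lower()
            from_user_dir = any(d in parent for d in SUSPICIOUS_PARENT_DIRS)
            return ("critical" if from_user_dir else "high"), reason
    return None  # list/query calls are normal administrative activity


def scan(lines):
    """Run the detection over raw lines; returns [(line_index, severity, reason)]."""
    alerts = []
    for index, line in enumerate(lines):
        verdict = classify_event(parse_line(line))
        if verdict:
            alerts.append((index, *verdict))
    return alerts


if __name__ == "__main__":
    for index, severity, reason in scan(SAMPLE_LOG):
        event = parse_line(SAMPLE_LOG[index])
        print(f"[{severity}] {event['timestamp']} {event['host']} {event['user']}: "
              f"{reason}; parent={event['parent']}")
```

The severity bump on the parent path ties this to the article's point about AppData and Temp: an administrator deleting old shadow copies from cmd.exe is routine, the same command launched by an executable sitting in a user's roaming profile is not.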
Keep the Windows Firewall turned on and properly configured at all times. Enhance your protection more by setting up additional Firewall protection. There are security suites out there that accommodate several Firewalls in their feature set, which can become a great addition to the stock defense against a trespass. Adjust your security software to scan compressed or archived files, if this feature is available.
Disabling Windows Script Host and Windows PowerShell, which is a task automation framework, can be an efficient preventive measure as well.
It is always a good idea to have both anti-malware software and a software firewall to help you identify threats or suspicious behavior. Malware authors frequently send out new variants, to try to avoid detection, so this is why it is important to have both layers of protection.
Enhance the security of your Microsoft Office components (Word, Excel, PowerPoint, Access, etc.). In particular, disable macros and ActiveX. Additionally, blocking external content is a dependable technique to keep malicious code from being executed on the PC.
Install a browser add-on to block popups as they can also pose an entry point for ransom Trojan attacks.
Use strong passwords that cannot be brute-forced by remote criminals.
Set unique passwords for different accounts to reduce the potential risk.
Deactivate AutoPlay. This way, harmful processes won't be automatically launched from external media, such as USB memory sticks or other drives.
Make sure you disable any kind of USB access to the machine. If there is an urgent need to use a USB drive, consider scanning it with the latest AV signatures before using it on the machine.
This way, if you happen to get hit, the Ransomware infection will stay isolated to your machine only.
Switch off unused wireless connections, such as Bluetooth or infrared ports. There are cases where Bluetooth gets exploited for stealthily compromising the machine.
Define Software Restriction Policies that keep executable files from running when they are in specific locations in the system. The directories most heavily used for hosting malicious processes include ProgramData, AppData, Temp and Windows\SysWow.
Block known-malicious Tor IP addresses. Tor (The Onion Router) gateways are the primary means for Ransomware threats to communicate with their C&C servers. Therefore, blocking those may impede the critical malicious processes from getting through. Since Ransomware is definitely today's number one cyber peril due to the damage it causes and its prevalence, the countermeasures above are a must. Otherwise, your most important files could be completely lost.
Dealing with the aftermath of Ransomware attacks is like Russian roulette, where submitting the ransom might be the sole option for recovering locked data. This is precisely why focusing on prevention is a judicious approach to adopt. However, in case of a Ransomware incident, the following techniques can be adopted.
Use System Restore to get back to a known-clean state or restore files / folders from backup. Restore any impacted files from a known good backup. Restoration of your files from a backup is the fastest way to regain access to your data.
Remove the impacted system from the network and remove the threat. With a multitude of variants it is unrealistic to list the exact steps, but most security vendors have detailed write-ups for the threats that include removal instructions. Removal is best done with the system off the networks to prevent any potential spread of the threat.
If you run a file that you suspect may be Ransomware, but you have not yet seen the characteristic Ransomware screen, and you act very quickly to disconnect your machine from the Internet (via LAN / Wi-Fi, hotspot etc.), you might be able to stop communication with the C&C server before it finishes encrypting your files.
Ransomware has a payment timer that is generally set to 72 hours, after which time the price for your decryption key goes up significantly. You can "beat the clock" somewhat, by setting the BIOS clock back to a time before the 72 hour window is up.
However, it is strongly advised that you do not pay the ransom. Paying the criminals may get your data back, but there have been plenty of cases where the decryption key never arrived or where it failed to properly decrypt the files. Plus, it encourages criminal behavior! Ransoming anything is not a legitimate business practice, and the malware authors are under no obligation to do as promised: they can take your money and provide nothing in return, because there is no backlash if the criminals fail to deliver.
Comment from an Associate Consultant at HCL Technologies, 7 years ago: Awesome analysis. You are a beauty when the time comes to explain anything in layman's language.