Protect your computer! Let’s talk about Ransomware…

Zenis, WannaCry, Bitman, Sombra, Spora, Jigsaw, Cerber, Microp, Crysis, CryLocker, Stampado, and Cryptodef are by no means all the ransomware families trying to extort money in exchange for your data.

One early example of ransomware occurred in 1989. Attackers circulated the ransomware via a floppy disk using snail mail, and it affected operating systems.

It’s remarkable that over the years,  different types of ransomware have evolved. Ransomware spreads like many other types of malware via phishing and spear phishing attacks or other methods to get the victim to click on a link. Early ransomware initially targeted home users, but now ransomware has become popular because it's so profitable and is infiltrating into corporations, holding data hostage until a hefty ransom is paid. If the ransom is not paid, the consequences could be grave, as the attacker may unleash malware that can destroy all the files on the system.

Ransomware can block you from accessing your system, encrypt files so that you can't use them, and stop applications such as your browser from running. Let's walk through the process of how encrypting ransomware works.

Reference on malware from Wikipedia: https://en.wikipedia.org/wiki/Malware

Reference on phishing from Wikipedia: https://en.wikipedia.org/wiki/Phishing

With Phase One, we usually get this type of malware via phishing. We can be infected either by clicking on an untrusted email link, or by accessing malicious (or infected) websites, as well as by pen drives that can connect to computers that are infected with this malware.

With Phase Two, the ransomware begins working by attempting to execute and spawn child processes, deleting shadow copies on the victim's machine along with generating files that ransomware uses to conceal its existence. The ransomware encrypts files and then begins communicating with the command and control server to send the encryption key and other host-specific information back to the command and control server, and it awaits further instructions.

With Phase Three, The command and control server then sends a message, alerting the victim of the encryption and displaying a full message demanding payment. Many times, it includes a timer with a deadline to pay the ransom, or else the bad guys will destroy the decryption key. If the victim arranges to pay the fine, there is no guarantee that the files will be released. In addition, the attacker may have made copies of all the files, further complicating the attack.

The animated map linked below shows us an idea of how this software, "Ransomware," spreads over the Internet.

https://www.nytimes.com/interactive/2017/05/12/world/europe/wannacry-ransomware-map.html

Nowadays Ransomware can be largely any type of system and any type of organization.

In the field of research, one thing that caught my attention, and I try to make sure that this is a big corporation of evil, was analyzing commercialized tools of ransomware as a service.

Dedicated websites with well-developed interfaces illustrate some of the most popular features that entice possible buyers. They sell invisibility; the ransomware is stealth and quiet until a predefined launch time. Speed quickly encrypts the targeted drive, most of the time in under a minute. As businessmen, they have customer service that even includes forums and a ticketing system. In some cases, they'll post a YouTube video that showcases their advanced skills and ways to customize your attack. They may even offer a discount if you provide a ready-made email list.

Included with customer service is the last change option in that if after the attack, the victim is unwilling or unable to pay for the service, ransomware developers will offer to cut the price to decrypt the data. Ransomware as a service is big business “Evil Corp.”

https://imgur.com/2yI6eEk

https://imgur.com/Frnhflh

Some ransomware are virtually impossible to detect until the NSA says otherwise. They use the entire TOR structure to ensure their anonymity on the internet. TOR is an open framework that encrypts traffic and allows participants to move freely without fear of their locations being identified.

Categorized as Onion Ransomware, they use algorithms that make use of the structure of TOR. Monitoring TOR's activities for a few weeks, I noticed many activities occurring on the Dark Web, centralized in some regions of the U.S. and Europe. Follow news covering the activities of TOR to get an idea of how it's used for good and evil.

https://imgur.com/7I9FmB1

About Best Practices

 The 2017 global WannaCry ransomware attack infected and held hostage more than 300,000 computers worldwide. Ransomware is a form of malware. In some cases it can be life threatening, as in a hospital. Therefore, to avoid ransomware, good security practices are very important at home or in an organization.

Ransomware is a serious problem and can affect anyone. Everyone is at risk, but there are ways to avoid becoming a victim.

Best practices to protect against ransomware include thinking before you click, using strong spam filters, using anti-malware protection, restricting access to non-business websites, blocking advertising sites and links using DNS services like OpenDNS, and enforcing email scanning and quarantining. Don't befriend strangers or open suspicious emails. Use a browser-based firewall.

Use caution when downloading software from a website.

For more information, read this file from the Department of Justice on how to protect your network from ransomware. We can see that this document provides an aggregation of already existing federal government and private industry best practices and mitigation strategies focused on the prevention and response to ransomware incidents.

Get up to date information on best practices to keep you and your organization safe from threats that exist in today's complex environment.

https://www.justice.gov/criminal-ccips/file/872771/download

Report Ransomware

A ransomware attack can be a disturbing experience. However, the FBI strongly encourages victims to come forward and report ransomware attacks.

If you have been a victim of ransomware, report it. By sharing your experience, you may help another ransomware victim.

https://www.ic3.gov/media/2016/160915.aspx

Lastly, for best practices:

1. Stay away from risky websites.
2. Keep your browser and operating systems up to date.
3. Use a safe search tool that warns you when you're going to a malicious website.
4. Think before clicking a link or opening an e-mail attachment.
5. Backup =-)

I want to contribute more in my free time. I hope you find something that brings value to you. 

If you are new to this topic, tell me your difficulties. If you act, we will be able to share knowledge and techniques.

Do not hesitate to contact me!