Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
Since my first article on Ransomware topic, I have noticed that there are more of such questions on Experts Exchange. The common questions, in general are mostly asking how to contain Ransomware from doing further harm and damage, how do prevent it from future recurrence, and how to get back the original files from the encrypted copies etc. Therefore, I hope this article can help as a FAQ for those who want a "crash course" into Ransomware. There are also other great EE articles (just do an EE search on "Ransomware" topic).
This FAQ is not meant to be exhaustive so feel free to share your comments and contribute further. In fact, I also recommend that you also reference both the FBI
articleand HIPPA factsheet (
pdf) on Ransomware advisory to guide the executives in the legislative obligations and advise the technical folks on recommended preventive measures. This (
link) is also a nice primer into handling Ransomware sharing mitigation and tools to detect them.
Most significant Ransomware outbreak
(A) WannaCry Ransomware (aka WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY) rampage which started to be surfaced in public on 12 May 2017 which get global attention on the serious damage affecting 75,000 machines in 100 countries. The number of infected machine are on rapid increase trend and the ransomware spreads via SMB. In view of the severity, Microsoft has even concurred to release emergency patchesfor legacy end of life/support OS like Windows XP and 2003. If you have yet to patch the vulnerability, pls do so ASAP espicially on those connected to internet. The patches are available in MS17-010. There are further advisories to reduce attack footprint and read on the FAQ to find out more. You can check out US-CERT advisory or Factsheet (GitHub) as well. Since its appearance, variants or similar ones have been reported.
- "CRY128" - Part of Crypton ransomware family, starts running in the memory and encrypts all the documents;
- "Adylkuzz" - Cryptocurrency-mining malware that was also using Windows SMB vulnerability;
- "UIWIX" - Similar virus but does not come with a kill-switch and uses a different Bitcoin address for each victim;
- ETERNALROCKS (aka BlueDoom) - Exploits same vulnerability as WannaCry but is not ransomware though more of virus.
(B) Petya Ransomware (aka NotPetya, Petrwrap, GoldenEye, and Nyetya) was discovered originally in 2016 (refer to the FAQ#1 and #7) and in 26 June 2017, variant of it (e.g. NotPetya) came into public news as it rampaged the world bring it chaos with the shutting down of critical machines in Enterprises, power supply plants, and banks across Russia, Ukraine, Spain, France, UK, India, and Europe. It has close resemblance to WannaCry as both depends on exploiting SMB vulnerability to spread the infection. In particular to there are two major SMB exploits (below) used. Not only does it encrypt file, it encrypts master boot records to make the machine unusable. The ransom note is displayed upon reboot as a boot message. Note that Original Petya ransomware is not NotPetya. Decrypter (See Annex #2) is available for the former. You can find out more details from the US-CERT advisory and it is also known as Wiper Malware (not ransomware).
- ETERNALBLUE - Remote Exploit via SMB & NBT (Windows XP to Windows 2012)
- ETERNALROMANCE - Remote privilege escalation (SYSTEM) exploit (Windows XP to Windows 2008 over TCP port 445)
Despite both are discovered in just close to a month time, there are speculation the developers may still be different but are leveraging on their wins to further hit on more unpatched machines globally. Regardless if they are the same or gotten the same interest through hacker's underground service, Petya and WannaCry can be a lethal force. The spreading in Petya case use three off-the-shelf tools including Mimikatz, PSExec, and WMIC. These are more commonly used as penetration or attack tools that capture login hashes and authentication token, and execute remote commands. In this case, they are used aptly to instrument the infection processes to connected patched and unpatched machines.
Start counting down as we wait to hear more variants emerged and hear out the next ransomware to make big time. Before that comes, the FAQ serves to provide a quick but yet comprehensive information one-stop fact sheet.
** TIPS - This article may be lengthy and probably if you are interested in one particular Ransomware, you can then do a quick word search. It will jump start the reading and hopefully help in addressing your immediate concern.
1) What is Ransomware and Crypto Ransomware? Do they differ in the ransom?
Short answer - Ransomware is a malware holding victim to ransom. It started off as locking Ransomware that denies the victim machine access while the more aggressive and often seen are the Crypto ransomware that scramble (encrypt) your files making them unreadable. The common trait of both is they ultimately still demand a ransom sum most of the time.
"Tell me more" - Ransomware infects your machine such that you can no longer access the machine unless you agree to the terms demanded in the ransom note. Crypto ransomware starts to encrypt your files instead of just denying access. You only get the decryption key to your locked files after paying the ransom. They make up majority the of the Ransomware family. There is also another smaller group known as Locker Ransomware in which they lock and deny access to the victim's notebook and servers. Though they differ in the denial techniques, they still have one common objective which is the ransom. In the past, the ransom amount was $300 maximum. Since then, it has increased to around $900 to $1000 as observed in one recent Petya & Mischa ransomware. The ransom currency rate is dependent on the payment type. The most common type is virtual currency such as Bitcoin (BC).
2) How do I know if I am infected by Ransomware?
Short answer - You will see the wallpaper or screensaver presenting the ransom note and you are denied from accessing your machine.
"Tell me more" - Check for any anti-virus alerts (remember to use latest signature) and confirm using another (different from existing) anti-malware scanner such as Malwarebytes Anti-Malware (MBAM). If there are no ransom notice, or alerts from the scan, look out for anomalous activities and indicator of compromises. For example, all (or most) of your files in "My Document," and Temp folders can no longer be opened for reading/editing. The filename is normally appended with a new file extension such as .XXX, .CRYPT etc. Look out for a ransom note such as below or similar - very often you will see keywords like "Encrypted" and "Recover instructions" in the file name).
- _H_e_l_p_RECOVER_INSTRUCTIONS+[3-characters].txt, and
There may also be a list of encrypted files stated in a listing located at:
Ransomware attacks can have uniqueness of being "geolocation savvy" or leaving an email account instead of a ransom note. Check out the Annex #1 on some other unique Ransomware traits that is subsequent reuse by other of their variants.
More commonly now, Ransomware variants not only scavenge your infected machine to wipe out the local backup, it also encrypts files stored in mapped or shared network drives. Known Ransomware e.g. Locky and CryptoFortress can lock the files even if drives are not mapped. You can actually also use online scan service such as IDRansom (uses sample ransom note and encrypted files) or Crypto Sheriff(sample of encrypted files) to identify the Ransomware variant (from its origin family).
3) Should we pay the Ransomware and any complications doing that?
Short answer - NO. Instead, reportto the authorities because you are considered a victim of this crime committed.
"Tell me more" - Supposedly after paying the ransom, the criminal should send back a key to unlock your machine as expected and once the unlocking is completed, your machine is safe for use again - no new malware and no more files will be locked. That is not necessary true and it happened to one affected organisation e.g. Kansas Heart Hospital in Witchita and another instance, in which the Ransomware (i.e UltraDecrytor) also failed to give the key after ransom is paid. The criminal did not fulfill the promise. There may even be demands for second ransom despite the initial payment as stated in ransom notes.
There is no assurance that the criminal will fulfill the promise. I recommend that you seek advice from the authorities and your reporting will help them to catch the cybercriminal instead of "funding" their wrong doings. This also prevents others from being infected.
As the Ransomware business has flourished, the criminals behind the scene have taken actions below to encourage ransom payment. Ransomware as a Service now exists. Cybercriminals easily can get the Ransomware kit to start their infection scams. There are some which will spend effort to stay "customer friendly" such that the paying of ransom is more convenient and guided through. See some examples.
- For Cryptolocker and CryptoWall, there exist newly added support pages on decryption sites to victims.
- From businessinsider.com, one Ransomware developer even shared, “I tried to be as [much of] a gentleman thief as my position allowed me to be.”
- For CTB locker/Citron (one of the "popular" Ransomware), it offers free tries of unlocking 5 files
- For Locker, it offers a "cheaper" rate at 0.1 Bitcoin (around 45 USD). The 0.1 BTC is by far the lowest amount reported in public.
- For JIGSAW variant, its provides chat support service e.g. using onWebChat, a publicly available chat platform to standby to advice any questions.
- For Stampado, it is another JIGSAW variant offers the cheapest ransom at only US$39 for a “lifetime license”. To note that it only gave victims 6 hours to pay otherwise it will wipe off all the victim files. This is unlike JIGSAW giving a 24 hours.
- For Crypt888 (or known as MIRCOP), they leave no message for victims on instructions (a step-by-step ) on how to pay the ransom. It assumes that victims already know how to pay them back. It assumes the victim is familiar with making Bitcoin transactions.
- For Popcorn Time, besides the victim paying ransom, infecting another two people via the victim's "referral" link" and having them to pay the ransom, the victim will then get a free key.
- For Fatboy Ransomware, ransom is determined by the Big Mac Index created by The Economist. The automatic rate adjustment and direct partnership is what differentiate this type from others.
As mentioned, the ransom payment is not a guarantee that you can get your files back. One example of such scam infection by "CryptoFinancial". It pretends to be a Ransomware that do not encrypts your files, but instead deletes your files without providing any means of recovery for the files. However, though there is risk in payment, some victims are still willing to pay the ransom. For example, in the case of a professional car racing team which falls victim, they have paid the ransom within 48 hours as the worth of work and millions of dollars invested on the encrypted files far outweigh the ransom amount.
There are also instance if users wanted to pay, they would not even know the amount of Bitcoin they need to send, since the Unlock26 ransomware (in this case) payment site does not list the decryption price, and instead shows a math function instead: 6.e-002 BTC. Even if user wanted to pay, the figure makes no sense and deter people from paying the ransom. This just shows it is undergoing development.
Having said all these, there are known cases that still pay the ransom to the attacker to get their business running and get back their critical information. You have to make a risk measured decision on whether to pay the ransom. The criminal behind the scene will be finding ways to cash out the ransom in BTC (or Ethereum) via a Russian cryptocurrency exchange (as one example, and called BTC-e) to feed their next exploit plan. Overall, cyber-thieves have made at least $25 Million in the last two years (since 2014).
4) If paying the ransom is not recommended, how can I still get back my files that are locked?
Short answer - Recover file from your existing backup.
"Tell me more" - Do not go straight into paying the ransom. That should be your last resort. Check if you have any working backup of those locked files. Assess how much you can get back from the backup.
•Are there any off-site backups available? What is the most recent backups from the off-site?
- Consider backup services which include Carbonite, CrashPlan and Mozy. They store your data in the cloud, so as to facilitate fast recovery.
- Check out the Office 365 (“How to deal with Ransomware”) blog, it shares backup and recovery options in which you might be able to recover from the attack using File History in Windows 10 and System Restore in Windows 7.
• Can the local backups still be accessible, or is the backup tape library or SAN been erased and not made nonviable?
- Check on ShadowExplorer for the "shadow" files. All local backup after encryption of the files will be wiped. You stand a slim chance to try to restore your files using this method. You may alternatively use System Restore to try to recover the locked files.
- Leverage file recovery software like R-Studio, PhotoRec, GetDataBack, EaseUS Data Recovery Wizard Free. The infection makes a copy of the files and inadvertently leave traces which these recovery software may possibly be able to recover.
- Check with IT support as Ransomware will have wiped those local backup too. Recommend to keep backup off the machine.
If the above are not successful, you will also have slim chances of recovery on your backup files stored in the network file shares accessible by the infected machines. Time to rethink your backup practice. Adopt a 3-2-1 backup rule whereby you will keep 3 copies of each backup in 2 different media and store one (1) copy offsite. In fact, there is a useful article that talks about offline storage as one of the availability strategy, leveraging different file systems' authentication for backup storage and using and extra "1" in the 3-2-1 backup rule. The latter is advocating that the additional “1” to the rule is to have one of the media is offline.
Imaging the drive backs up everything related to the infection including encrypted files, ransom notes and registry entries containing possible information which may be needed if a solution is ever discovered.
The encrypted files do not contain malicious code so they are safe. A decryption tool is not necessary always able to work correctly so keeping a backup of the original encrypted files and related information is a good practice. This minimally safeguards chance of recovery if such tool is verified successful in future.
Another good tip is to check out this comprehensive NIST guidance (NIST SP 1800-11). It is a detailed, standards-based guide comprising of three main volumes that can help you develop recovery strategies to deal with such situation and establish best practices to minimize the damage caused and ensure a speedy recovery. The first two volumes are lot of background information and forward planning, architecture design and strategy making. So if you are looking at solution to implement, go straight for the third volume - How-To Guides – instructions for building the example solution.
5) Can we "break" the encryption to get back or decrypt the locked files?
Short answer - No unless you are one of those lucky ones - Ransomware left traces of the encryption (private) key on the infected machine.
"Tell me more" - Ransomware like RSA-4096 Virus is already using strong AES-256-bit and RSA 4096 cryptography. For example, given a bunch of RSA 512-bit keys, with support of a cluster of EC2 virtual server doing heavy intense calculations, each key is "cracked" in estimate of 7.5 hours for $104 in EC2 time. This is not just about the very steep cost and resources, it's simply not possible and impractical to even crack the 4096 bits. Likewise for AES 256 which it is sharedthat it requires 9.1732631e50 years to break it. However, there can still be hope to decrypt if the Ransomware developers commit implementation errors that left behind decryption key in the infected machine.
Some developer may even use their own (non-standard) encryption procedure. All these allow security companies and researchers to reverse engineer and discover the "flaw". There are online decryption tools published. One instance is from the "No More Ransom" portal which has make available decryption tools for Ransomware and their variants. Another is from security company, Emsisoft which has a comprehensive list of Decryptors. In fact, there are more security companies (e.g. Kaspersky, AVG, Avast, Trend Micro, and McAfee) that compiled their list of free decryptors here. By far, Emisoft still has the most decryptors. I have compiled a common list (see Annex #2) for those publicly shared tools as a snapshot below (I will keep a lookout and update it as more new variant can be expected). This site provides a good list to search a decryptor based on file extension which is easier since that is more straightforward since that is what you know first instead of the ransomware name.
Having said that, Ransomware developers update new variants (e.g. TeslaCrypt and Cryptolocker) to negate those decryption attempts. It is not foolproof though it still has slim chance to recover from some locked files.
6) Using non-Windows (like Mac OSX or Linux) or Mobile smartphone can keep me safe from Ransomware?
Short answer - No.
"Tell me more" - This myth is busted. Multiple platforms targeted, including Android and OS X. See below.
- There is the KeRanger Ransomware which locks data on Macs so users cannot access it. It is from a rogue application called Transmission installed on Macs. It is a popular program for transferring data through the BitTorrent peer-to-peer file sharing network. In fact, KeRanger is rewrite of Linux.Encoder.1 which the latter is the first Linux Ransomware reported in public. This dubbed Filecoder (OSX/Filecoder.E) is only the second ransomware family known to have ever hit MacOSX but this instance it is poorly coded as it destroys encryption keys before sending them to the attacker, whom is apparently an inexperienced developer.
- There is also proof of concept called BashCrypt or Simple Bash cryptoware that is modeled after CryptoWall 3.0/4.0. Not only that more of such Linux based Ransomware has emerged, such as one named FairWare that target Linux-based web server only.
- Two pieces of Mac malware – MacRansom and MacSpy were also observed as being offered for sale through two separate dark web portals. MacRansom which is of interest is only encrypts a maximum of 128 files. Even more challenging is the encryption key is stored in the memory only hence it becomes more challenging to create a decryptor or recovery tool to restore the encrypted files.
For Mobile platform,
- Simplocker is the first mobile Ransomware published in news. It exists even earlier to the first MacOSX Ransomware. At that point of its first appearance, it is just a scare tactic with source codes shared to public as it did not actually encrypt any files - more of proof of concept. However, these open source codes are exploited to evolve Simplocker into a functional Ransomware. They are used in eBanking malware like Reveton.
- There are further variation of mobile ransomware which one instance known as Android Lockscreen Ransomware. It creates random passcode and screen locks the device till victim get the code only after paying the ransom. Furthermore, Mobile Ransomware has extended modus operandi that includes sending/forwarding/deleting SMS messages from the infected device without victim noticing it, encrypting/decrypting specific files which include all files on the SD card.
- More recently, the epic WannaCry ransomware (see "significant ransomware" earlier) also spawned off copycat to target mobile platform. It is refer to as “WannaLocker” and targeting Chinese Android users (for now). Also it encrypts files on the infected device’s external storage, something new from Simplocker mentioned earlier. This will not be its end but beginning to getting more interest in this platform for expanding to a greater victim pool.
For Internet of Things (IoT),
- It is also largely based on Android and is not spared from Ransomware attacks. FLocker ransomware targets both Android-powered mobile devices and smart TVs. It spreads to targets via spam SMS or malicious links. However, an attacker would typically need physical access, or the owner would be tricked into infecting their own IoT devices.
- Recently, infected or compromised IoTs has been the cybercriminals to aggregate them into a botnet that can launch tremendous waves of DDoS attacks. For targeted IoT, one example is demonstrated in security conference (Blackhat Aug 2016) infecting a Wi-Fi enabled thermostat. User is locked out from further access with a Ransom Note on LCD display. It would easily do more with these compromised IoT.
7) What are other further impact/damages besides Ransomware locking the files found in my infected machine?
Short answer - Not only is your reputation at stake, you are denied access and no longer able to use your infected machine.
"Tell me more" - The infection will spread beyond your machine. The below (not limited to these) will inconvenience you with further denial.
Greater Infection damages
- Files stored in network mapped drives are encrypted on top of the local files in the infected machine;
- Infection spread to other computers running Remote Desktop or Terminal Services exploiting user accounts with weak passwords (one instance is CrySiS)
- Infection through the encrypted files that is sync or shared across cloud apps and collaborative apps' storages. The files are embedded with actual malicious codes and becomes a viral file (one instance is Virlock, and its variants i.e. VirRansom, VirLocker)
- Infection spread via removable storage drives such as USB thumbdrives (observed in ZCryptor Ransomware).
- Infestation of other malware including backdoor that allow criminal to remotely control and take over machine.
- Infected machine planted with DDoS bot (e.g. bundled with Cerber Ransomware variant) to launch attack against other systems.
- Infection spread wildly (Samas instance) by infecting one computer, scavenge for more machines, and continue infecting more possibly interconnected machines. It does all this by stealing domain credentials, identify targets and then move laterally.
- Infection at firmware level. For example, UEFI ransomware stored in the firmware of a Gigabyte BRIX. This is proof of concept exploit demonstrated by researcher in Cylance. In this case, an attacker can exploit firmware (like UEFI) flaws to execute code in critical firmware component known as System Management Mode (SMM) and plant malicious code in the firmware itself. CERT/CC has issued an official Vulnerability note (VU#507496) for identified flaws.
Target (besides victims' files)
- Web pages hosted in server are encrypted and denied access. In the case of Linux.Encoder.1, it encrypts directories for home, root, MySQL, NGINX, and APACHE. It even encrypt files for web apps, backups, Git projects and numerous other files. However, for FairWare case, this ransomware though also target Linux-based web servers but it is the first to delete files after it's encryption processes, leaving no trace of even the encrypted files.
- New files are constantly being encrypted rendering the machine unusable (observed in Exotic Ransomware).
- Machine booting sequence intercepted presenting the ransom note at BIOS boot up period (observed in Petya, Petrwrap which wrapped around Petya and Mamba Ransomware).
- Databasesare not spared e.g. MongoDB, Redis, ElasticSearch, Hadoop, Cassandra have fallen to ransomware attacks.
- More files are wiped out selectively based on countdown interval. This serves as a warning to the victim to pay up faster.
Data Theft and leakage
- Social website profile information from Facebook, Skype and LinkedIn profile information can be stolen and they can scan through searches of torrent sites on files downloads. One instance (DynA-Crypt) not only encrypt but lso tries to steal a ton of information from a victim's computer, e.g. screenshots, Skype, Steam, Chrome, Thunderbird, Minecraft, TeamSpeak, Firefox, recordings of system audio and log commands you type on the keyboard.
- Extort money through showing a warning which included the victim's social media data and past browsing history (Like RanSoc)
- Personal data or files leaked through backdoor install on the infected machine if ransom is not paid.
Counterattack (negate existing defence)
- Attempts to study the Ransomware faces more obstacles as protective software is used to deter researcher from findings means to sift out any of its weakness (observed in ApocalypseVM using protective software VMProtect).
- Defensive measures like antivirus may not always be effective as variants occurred as codes of ransomware becomes available to public. There is also case of bypass of native OS defences like the case of Erebus use of a UAC bypass that allows this ransomware to run at elevated privileges without displaying a UAC prompt.
- Blocking callback to Ransomware command & control may not work as file still encrypted in offline without internet (observed in Bart and Locky Ransomware that went "Autopilot")
- Having to register a sink-hole as a form of kill switch as some Ransomware has such codes. An example is the WannaCry Ransomware with a hardcoded URL (first version - iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com, second version - ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) sinkholed by law enforcement to a server in California.
- Having to run application that can create a mutex as another form of kill switch. An example is the WannaCry Ransomware with hardcoded Mutext "Global\\MsWinZonesCacheCounterMutexA"
8) Can I still use back the same machine after the Ransomware is removed or after paying the ransom since repeated anti-virus scans did not surface any findings?
Short answer - Yes and that is the ideal case. To avoid false sense of security, it is strongly recommend to use a clean refurnished machine.
"Tell me more" - We cannot totally be sure all Ransomware's footprints are cleaned by just the host AV and other tools. There is also Ransomware such as Cerber that changes its "code footprint" every 15 seconds in attempt to bypass AV checks that rely heavily on signature tags. In this case, it is not as effectiveand unlike the Virlock ransomware which employs true polymorphic scheme to deter AV detection. Regardless, infection case should still be treated with extra care. We cannot be fully certain there is no remains of the malware even after AV's cleaning, hence it is highly recommended to use a fresh clean build machine image. If that is not possible for whatsoever reasons, like example of live production servers as bringing it down to rebuild will incur substantial business cost.
We should consider having to run checks to surface any malware or anomalous artifacts with alternate scanner like MalwareBytes Anti-malware and Hitmanpro. Remove any Potentially Unwanted Program using Junk Removal tool and remove unnecessary plug-ins in browser using AdwCleaner.
9) What can I do to prevent future infection recurrence and stay immune from Ransomware?
Short answer - Use a secure machine that is hardened. Practise cyber hygiene to reduce risk online exposure.
"Tell me more" - Adopt Secure by default principle in hardening the host machine. Consider adopting below recommended practices.
- Practice least privileges for all users on the "need-to" basis - No Administrator (or "Superuser") right to user
- Adopt application white-listing - Allow only authorised software to execute. Check out Windows Applocker, WinPatrol AntiRansom, Cryptoprevent (free version available) or SecureAPlus (free first 12 months).
- Patch all security hot fixes and updates - Make sure ALL application especially Java, Adobe, and all browsers used are patched. Uninstall any of them that are not required. Do not forget to update host AV signatures regularly and thereafter perform full host scan. This include patches for firmware as the ransomware can planted through its vulnerabilities. (Note: that patching need not necessary block a gap like the WannaCry patch for MS17-010 does not block SMB which is recommended if it is not used)
- Block unnecessary network access such as SMB which Ransomware (such as WannaCry) normally exploit on it to spread to other machine. Monitor on the TCP port 137, 139 and 445 and UDP 137, 138 which are associated with SMB. Where possible, disable SMBv1 and also these port at Network Firewall & NIPS and Host Firewall.
- Block the Ransomware (or related) callback to its command center by having up to date blacklist. One example is Ransomware Tracker that offers various types of blocklists that allows you to block Ransomware botnet C&C traffic. (Note: In the case of the WannaCry Ransomware, its has "kill switch" call back which should NOT be blocked as when the it cannot reach the call back, it is a signal for it to proceed to start the file encryption. Also in the case of proxied environment the ransomware will not succeed and start encryption too)
- Disable the loading of macros in your Office programs and Remote Desktop feature whenever possible.
- Verify Backups are working and run through recovery exercises - Adopt the 3-2-1 backup rule (see Qns 4)
- Educate user to stay vigilant and look out for Red flags - Look out for anomalous events like pop up or security warning. For example, in Microsoft Edge you can get SmartScreen protection that warn you about sites that are known to be hosting exploits, and help protect you from socially-engineered attacks such as phishing and malware downloads.
- Educate user on incident reporting protocol - Upon infection, immediately report to superior or help-desk for any further actions. Stay calm. Do not fall for malware's fear mongering due to asset held hostage.
Security control enhancement
- Adopt behavioral detection program e.g. MalwareBytes Anti-Ransomware or Kaspersky Lab System Watcher (part of its Endpoint Security suite) where it detects for anomalous activities for continuous and aggressive encryption of files by a program within a folder and repeated attempts in many other folders etc. Another similar new kid on the block is CyberReason RansomFree which can now detect and block ransomware on removable media such as USB sticks and portable hard drives.
- Consider endpoint protection suite like Sophos InterceptX and enSilio Cryptoguard that detect and block before encryption start. For MacOSX based Ransomware, you can look at RansomWhere. For Windows file servers, you can check out the File System Resource Manager that is a role that can be added for free to any Windows Server 2008 and above instance.
- Look into a Self-healing, Ransomware-aware Filesystem, called ShieldFS to fight ransomware attacks. It stated to look for the way ransomware interacts with the low-level file system and compares the differences to how benign systems interact with the filesystem, discerning benign from malicious processes in the operating system along with detecting the usage of crypto primitives for encrypting of files. It could be a good complement to backups.
- Put up deception trap to allow time for security teams to start be alerted on anomalous activities. E.g. TrapX’s Deception Tokens concept is to put "traps" to quickly identify compromised endpoints before attackers can obtain a persistent foothold into your asset. In the case of trapping ransomware, its CryptoTrap will appear to ransomware as standard SMB network shares with fake data populated.
- Enhance Email scan engine to detect ransomware like deploying rules to search for keywords and scan for macro laden attachment. There can be further risk based scanning intelligence (like Trend Micro ScanMail for Exchange) on the suspected emails and links.
- Enable file history or system protection - For example, in Windows 10 and 8.1, you can set up a drive for file history.
10) Anything else I need to know?
Short answer - Prevention is better than Cure. Reminder to stay vigilance. Trust but verify to watch out for red flags.
"Tell me more" - Recap the above FAQs. Check out EE on related topic and articles. Remember cyber online hygiene tips.
- Do install a reliable mobile security app to keep your device and data secure
- Do keep machine OS security hotfixes/patches and AV signature up-to-date to latest version
- Do not click on suspicious link in an unsolicited email like phishing emails and spams
- Do not open any attachments if doubtful on the email sender and her intent.
- Do not make payment transaction to unknown party based on phone call for help or official confirmation
- Do not allow any form of remote connection request from unknown tech support for troubleshooting or patch works
- Do not connect to an open unsecured WiFi hot spots or smart device or bot like droid
- Do not connect to any file shares (or unsolicited cloud based file sharing services) especially when they are not needed for use so as to reduce infection exposure.
- Do not visit poor reputed websites (e.g. illegal music or software downloads) as they can be "breeding" malware
- Do not make payment transacted insecurely website i.e. without any or expired SSL/TLS certificate.
- Do not visit spoofed website that claims unnecessary need for password reset or change due to password expiry
- Do not click on unknown online advert that pop up asking to install Adobe reader, Adobe Flash, Java Runtime, etc.
- Do not plug in any unknown USB drive and disable any auto-run to mitigate infection attempt in your machine.
- Do watch out for release of update firmware to the machine. For example for Gigabyte UEFI, one can monitor the product page or contact the vendor for update availability. Consider for upgrade if machine (and its underlying hardware or OS) goes end of life for a cleaner migration.
Annex #1 - Unique traits for Ransomware
Annex #2 - List of Decryptor tools
- Cryptolocker - FireEye in collaboration with Fox-IT hosted "DecryptCryptoLocker.com" website that stored the recovered decryption keys in their take down operation on CryptoLocker and the Gameover malware distribution network.
- Hidden Tear Offline - A backdoor exists to recover encrypted files. The time stamp of an encrypted file is used as part of the crypto key.
- Findzip (aka Filecoder) - There is still a chance to recover but through a series of manual steps in here. The steps are done in Mac OSX though the tools will need further to recompile for other platform. Avast came up with a decryption tool to simplify the process. As the toolreleased by Avast is Windows application, Mac users (and Linux users) need to install an emulation layer for the Windows application. The decryptor was tested with CrossOver and Wine, other emulation programs might work as well though. Do scan those tools before used.
- Linux.Encoder.1 - Bitdefender discovered a flaw in Ransomware crypto implementation. It is similar to Hidden Tear case. The company provides a script and step by step walk through to recover the key to decrypt the locked files. Dr Web also offer such tool for a price.
- Petya (Original not NotPetya) - A researcher ("Leo Stones"), in Apr 2017 looked into this Ransomware that targets infected machine’s master boot records, and created a decryption tool to download and generate decryption keys in less than 10 seconds. It is straightforward as the data is not encrypted. However, Petya's author (Janus) updated the ransomware preventing the tool from working. It was till recent Jul 2017, the author released the master keyfor the ransomware. But the tool will not work for PetrWrap ransomware that is opportunistic as it wraps Petya and modified itself from the latter code to avoid being similar.
- Mamba (or known as HDDCryptor) - Similar to Petya, it also encrypt the MBR but it differs by encrypting the whole disk. It uses a full disk encryption open source tool called DiskCryptor to encrypt all the data.
- Satana - MalwareBytes shared it encrypts your files using a standard file crypter and then also install a bootlocker to prevent you from logging into Windows.
- CryptXXX - Kaspersky released a decryption utility (i,e, RannohDecryptor) which previously also used for Rannoh Ransomware. There is also variants from this family that decryption (Ultradecryptor) with free keys are offered for those variants that add the .Crypz and .Cryp1 extensions to encrypted files - not for all other variants.
- CrySiS - It spreads through the network by brute force attack on the Windows Remote Desktop Protocol. There is the actual master decryption keys and information on how to utilize them revealed in open. Kaspersky Labs to update their utility (i.e. RakhniDecryptor) program so that it can be used to decrypt victim's files. ESET also developed its tool, (i.e ESET CrysisDecryptor) for the same purpose.
- Dharma first noticed in November 2016 is the descendent of Crysis. Files affected will have extension. [email_address].Dharma. The decryption tools for Crysis can be used as they are updated as well on the leaked decryption keys.
- Wallet Ransomware - It is close sibling to Dharma and CrySiS. Files being encrypted by it will be renamed to the format of [filename].[email].wallet. A decryptor in Avast is available
- Crypren - A working decryption tool is released in Github by author named pekeinfo.
- BadBlock - Poorly coded that even encrypt your executable and system files, it is kinda of self sabotage. Machine cannot boot up properly after restart. Emsisoft shared a tool decrypt_badblock that brute force to identify key for file recovery
- AVG published six different decryption tools for files encrypted by Apocalypse, BadBlock, Crypt888, Legion, SZFLocker, and TeslaCrypt. Note that there is no guarantee this tool will work too. It added a decryptor tool for Bart Ransomware which puts files into individual archives, password protects them and deletes the originals.
- Apocalypse - There is a new decryptor that handle its new variants that add the .bleepYourFiles extensions to encrypted files
- Microcop - It encrypts the files using a weak cipher called DES and there is a decryptor make available for use. It actually worthwhile in this case as this Ransomware demands 32 Bitcoins which is around 32k USD.
- PoshCoder (or PowerWare) - A variant that like to mimicks closely to famed Ransomware like Locky, CryptoWall and TeslaCrypt. Specifically, for the variant that imitate Locky, it is found to has very poor encryption scheme in which Palo Alto Networks’ researchers managed to create a decrypter for this variant.
- Philadelphia - It is from the same author of the Ransomware kit called Stampado (offered within various hacking communities). It uses the *.locked file extension, same as Stampedo and note this is different from the Locky ransomware (it appends .locky extension). The decryptor is available from Emsisoft and you will require a file pair containing both an encrypted file and its non-encrypted original version.
- NoobCrypt - It is a "lazy" Ransomware as it uses the same encryption key for every victim. A researcher (Jakub) retrieve the password and posted to Twitter for victims to use.
- Virlock - It is a dangerous Ransomware as it not only "encrypts" the files but also infects them with malicious codes to spread to more machines. Those files needs to be disinfected first. The encryption used is not sophisticated and just need a process to reverse its XOR/XOR-ROL obfuscation and recover the original files. ESET shared an disinfector tool.
- VirLocker - It is a variant of VirLock. It wraps each targeted item in an .exe package. This operation consists of two processes. The virus first encrypts the file and then it packs it in an executable. However, there is flaw in it. The ransom note of the virus has a field for entering the decryption key. It is situated beneath the “Transfer ID” sign. You can make the program believe you have paid the ransom by entering 64 zeroes in the field.This would allow access to those files. Go through each executable, extract the containing file from it, and delete the binary. Remember, every malicious executable contains the payload of the virus.
- DXXD - it display the ransom note differently by modifying a Windows registry key so that it displays a ransom note before a user logs into Windows. Luckily a decryptor is available by a researcher named Michael Gillespie.
- DeriaLock (screenlocker type) and PHP Ransomware (PHP script based) are discovered by Checkpoint during the end of 2016. They have found waysto exploit flaws in these two ransomware implementation and created two separate decryption tools for recovering encrypted files.
- OpenToYou is a new ransomware that appends the .-firstname.lastname@example.org extension to the encrypted files and that is for victim to contact the attacker for ransom payment. Emsisoft make available OpenToYou Decrypter tool for this discovered sample which is still in development.
- DynA-Crypt encrypts a file it will append the .crypt extension to the encrypted file's name. On top of encrypting your files, it will take screenshots of your active desktop, record system sounds from your computer, log commands you type on the keyboard, and steal data from numerous installed programs. A decryptor is available on request to bleedingcomputer author.
- CryptON Ransomware has a free decryptor from researcher Fabian Wosar. This is a Russian originated and its variant include X3M and Nemesis which appear from December 2016. They used the same builder to generate the malware executable.
- BitKangaroo Ransomware - Security researcher released free decryption tool, called BitKangarooDecrypter. It decrypts encrypted files that have the .bitkangoroo extension appended to them. The ransomware looks pre-matured and unlikely from works of skilled developer.
- WannaCry Ransomware - WannaKeywas developed by the public which exploit the weakness CryptoAPI used in its code - issue is the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory.
- WannaKit - Another WannaCry decryptorwhich simplified the process for ease of use.