Ransomware

Ransomware is malicious software that will block access to the computer or your files.

Types of ransomware

Scareware

A scareware will masquerade as security software. It will display an alert message telling you that malware has been detected. The only way to remove it is to pay for its removal. In reality, your files are safe but the scareware will want you to believe otherwise and will insist heavily :)

Screen lockers

A screen-locking ransomware will, as the name suggests, prevent you from accessing your computer. You will usually get a screen modeled after that of a government institution, such as the FBI or the Department of Justice, that informs you that illegal activity has been detected and that you need to pay a fine.

Ransomware encryptors

It gets more complicated if you're dealing with an encrypting ransomware. The concept is this: the ransomware author steals your files, encrypts them and demands a ransom. A dilemma arises, even if you pay the ransom, you have no guarantee of recovering all your files. Encrypting ransomware has become much more sophisticated and now seeks to spread across the network and infect backups. They are becoming more and more sophisticated.

Method of operation

A ransomware will have a similar modus operandi to a Trojan horse by executing a payload. To do this, the ransomware will be able to exploit one or more known vulnerabilities or go through a phishing campaign. It will also be able to hide in an application, which is often the case of ransomware on mobile.

Ryuk

In late 2018, the Ryuk ransomware gained traction with numerous attacks on U.S. daily newspapers. Its modus operandi:

• Phishing campaign
• Exploitation of the Zerologon flaw (CVE-2020-1472)
• Use of Emotet or TrickBot malware

More information :

• Zerologon (CVE-2020-1472) : https://kb.prohacktive.io/index.php?action=detail&id=CVE-2020-1472&lang=en
• Emotet : https://kb.prohacktive.io/index.php?action=malware&id=emotet&lang=en
• TrickBot : https://kb.prohacktive.io/index.php?action=malware&id=trickbot&lang=en

One of the largest ransomware attacks

It happened in the spring of 2017, WanaCry had about 200,000 victims from 150 countries. They were asked to pay a ransom in bitcoins.

More information about WanaCry : https://kb.prohacktive.io/index.php?action=ransomware&id=wannacry&lang=en

What to do in case of infection?

Should we pay the ransom? That is the question! The debate has just been reignited with the government reportedly allowing insurers to compensate ransomware victims. It's a dangerous game, if you play the game of paying ransom, it will encourage cybercriminals. And if we are not prepared for such a crisis, the company could go out of business.

Currently, a few decryptors exist that can recover data but they are not numerous. Here are the recommendations if you are a victim of ransomware:

• Disconnect the machine from the Internet or Computer Network (unplug the Ethernet cable or disable Wifi)
• In business, immediately alert your IT department or provider if you have one
• Don't pay the ransom
• Keep or have a professional keep the evidence
• File a complaint
• Professionals - Notify CNIL of this infection if there has been a personal data breach
• Identify the source of the infection and take steps to ensure that it cannot recur
• Perform a full antivirus scan of your device
• Try to decrypt the files if a solution exists (No More Ransom)
• Reinstall affected systems
• Get assistance from qualified professionals if needed

How to protect yourself from ransomware ?

Here are some ideas :

• Apply security updates regularly and consistently
• Keep antivirus up-to-date and configure your firewall
• Do not open emails, their attachments or click on links
• Do not install "pirated" applications or programs
• Avoid unsafe or illegal sites
• Make regular backups
• Do not use an account with "administrator" rights
• Use sufficiently complex passwords and change them regularly
• Turn off your machine when not in use

One can consider going further in prevention by using solutions against phishing (such as Mailinblack) or to prevent the risk of vulnerability exploitation (such as Sherlock®)