What is Ransomware?
GridinSoft Team
The short definition of ransomware is hidden in its name, as with many other kinds of malware. “Ransom software” is a program that injects itself into your computer, encrypts your files and then asks you to pay a ransom to get them back. Some ransomware examples threaten their victims with deleting the files, or with publishing some of their sensitive data, if the ransom is not paid. While the first threat is a 100% lie, the second can be real, since ransomware is often spread together with spyware or stealers.
Different ransomware examples use different encryption methods. AES-256 and RSA-1024 are used in the majority of cases, but you can sometimes meet samples using RSA-2048. The number at the end is the exponent to which two must be raised to get the number of possible keys. Even in the case of AES-256, the number of keys is a 78-digit number. Can you brute-force it? Maybe, if you have a spare 2 million years, or a quantum computer with much better performance than any that currently exists. ~ Gridinsoft Team
For every victim, ransomware generates a unique online key, which is stored on a server maintained by the cybercriminals. If the virus is not able to connect to that server, it encrypts the files with an offline key, which is stored locally on the infected machine. The number of offline keys is limited, so you share a decryption key with several other victims.
Unfortunately, there is no 100% guarantee of getting your files back. If you are lucky and the ransomware used an offline key, you will be able to decrypt your data much faster. Nonetheless, obtaining keys takes a long time, and you may have to wait for several weeks. The decryption tool that is meant to be used for file decryption receives an update with the key that fits your case as soon as analysts find it.
Online keys are much harder to obtain. Since every such key is unique, you may wait for months. Ransomware distributors will likely be caught and forced to disclose all the keys they keep on their servers. Another case in which all keys are released to the public is when the ransomware creators decide to shut down their malicious activity. Such a situation has happened only once, in 2018, when the GandCrab developers claimed that they had earned 2 billion dollars and suspended their activity.
Types of ransomware
There are several types of ransomware in existence today. Everyone in the cybersecurity community is used to the type called crypto ransomware; that is exactly the virus described above. Another kind of ransomware was active much earlier, before 2014: locker ransomware. As its name suggests, this virus locked your system and asked for a ransom to unlock the desktop. Here are the key differences between locker and crypto ransomware.
Locker ransomware:
- Blocks your desktop;
- Covers the desktop with a ransom note banner;
- Modifies the registry keys responsible for the operation of Windows Explorer;
- Suspends the explorer.exe process;
- Blocks most system key combinations (Ctrl+Alt+Del, Ctrl+Shift+Esc);
- Some versions can infect the BIOS, making it impossible to boot the system;
- Can sometimes be removed easily after tricky manipulations with system functions;
- Asks you to pay the ransom as a mobile phone top-up or through an online payment system (PayPal, WebMoney, Qiwi, etc.).
Crypto ransomware:
- Encrypts files with the most popular extensions (.docx, .png, .jpeg, .gif, .xlsx) and appends its own specific extension to them;
- Changes registry keys responsible for networking and the launch of startup programs;
- Adds a .txt file with the ransom payment instructions to each folder that contains encrypted files;
- Can block access to some websites;
- Prevents the installers of anti-malware software from launching;
- Can change your wallpaper to a ransom note;
- Ransom payment is only possible with cryptocurrencies, primarily Bitcoin.
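As an added example (not code from GridinSoft or from the original article), the following Python script looks for two of the crypto-ransomware indicators listed above on a folder tree: files whose normal extension has an unknown extension appended, and a ransom-note .txt file dropped in the same folder. The tree it scans is constructed inline; the ".xyzq" extension and the note file names are hypothetical.

```python
import os
import tempfile
from collections import Counter
# Extensions the article lists as typical targets of crypto ransomware.
COMMON_EXTS = {".docx", ".png", ".jpeg", ".gif", ".xlsx"}
# Hypothetical ransom-note file names; real families use their own.
NOTE_NAMES = {"_readme.txt", "how_to_decrypt.txt"}

def scan_folder(path):
    """Return (appended_ext, note_present): extension most often seen after a
    common one (e.g. report.docx.xyzq), or None if fewer than two such files."""
    names = os.listdir(path)
    appended = Counter()
    for name in names:
        stem, ext = os.path.splitext(name)
        inner = os.path.splitext(stem)[1].lower()
        if inner in COMMON_EXTS and ext.lower() not in COMMON_EXTS:
            appended[ext.lower()] += 1
    note = any(name.lower() in NOTE_NAMES for name in names)
    top = appended.most_common(1)
    if top and top[0][1] >= 2:
        return top[0][0], note
    return None, note

def find_suspicious_folders(root):
    """Map relative folder path -> appended extension for every folder that
    shows both indicators (renamed files AND a ransom note beside them)."""
    hits = {}
    for dirpath, _, _ in os.walk(root):
        ext, note = scan_folder(dirpath)
        if ext and note:
            hits[os.path.relpath(dirpath, root)] = ext
    return hits

def build_sample_tree(root):
    """Constructed aftermath of a hypothetical infection: two folders with
    '.xyzq' appended to every document plus a note, one untouched folder."""
    for sub in ("Documents", "Pictures"):
        d = os.path.join(root, sub)
        os.makedirs(d)
        for name in ("report.docx", "photo.jpeg", "budget.xlsx"):
            open(os.path.join(d, name + ".xyzq"), "wb").write(b"\x00" * 16)
        open(os.path.join(d, "_readme.txt"), "w").write("your files are encrypted")
    os.makedirs(os.path.join(root, "Music"))
    open(os.path.join(root, "Music", "song.mp3"), "wb").write(b"ID3")

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_suspicious_folders(root)
```

Requiring both indicators keeps a folder of legitimately double-extended files (backups named file.docx.bak, for instance) from being flagged on its own.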
List of ransomware families, current as of January 2022:
- Avaddon ransomware had a short but very active life: its developers decided to shut down their activity in May 2021
- STOP/Djvu ransomware is one of the most widespread ransomware families. The first activity of this virus type was detected in 2018, and its activity is still very high. Targeting mainly home users, this ransomware is a perfect example of "classic" ransomware
- Conti ransomware. This criminal group attacks organizations where IT outages can have life-threatening consequences: hospitals, 911 dispatch services, emergency medical services and law enforcement agencies
- Matrix ransomware is an old-timer of the ransomware scene, having appeared in December 2016
- MedusaLocker ransomware appeared in September 2019 and got off to a very rapid start with attacks on companies all over the world
- Snatch ransomware uses a trick with Windows Safe Mode and a privileged service
- VoidCrypt ransomware uses several features that are more typical of corporate-oriented viruses
- Xorist ransomware uses a crypto-constructor and can change itself so much that it is hard to recognize
- Dharma ransomware appeared around 2016; this family targets small businesses. Almost 77% of all Dharma cases are related to the exploitation of RDP vulnerabilities
- Egregor ransomware has attacked large companies from all over the world
- HiddenTear was initially created for educational purposes
- LockBit is an extremely fast ransomware
- Makop does not stick to a single encryption algorithm
Is it a solution to pay the ransom?
The majority of the income ransomware developers receive is used to fund various illegal activities, such as terrorism, other malware distribution campaigns, drug dealing, and so on. Since all ransom payments are made in cryptocurrencies, there is no way to uncover the identity of the crooks. However, email addresses can sometimes indicate that ransomware distributors are located somewhere in the Middle East.
As you can already conclude, paying the ransom equals taking part in illegal activities. Of course, no one will blame you for funding terrorism. But there is nothing pleasant in knowing that the money you earned through honest work is spent on terrorism or drugs. Often even large corporations that are blackmailed with threats to publish internal data do not pay a penny to those crooks.
How can I protect my computer from ransomware?
Usually, anti-malware programs update their detection databases every day. GridinSoft Anti-Malware offers hourly updates, which decreases the chance that a completely new ransomware sample will infiltrate your system. However, using anti-malware software is not a panacea. You need to be careful in all risky places. Those are:
- Email messages. The majority of ransomware cases, regardless of the family, are related to malicious email messages. People tend to trust all messages sent by email, and do not think that something malicious may be inside the attached file. Meanwhile, cyber burglars exploit that weakness and bait people into enabling macros in a Microsoft Office file. A macro is a small program embedded in the document that extends what the document can do: you can write anything in Visual Basic and add it to the document as a macro. Crooks, without further thought, add ransomware code.
- Dubious utilities and untrustworthy programs. You may see various pieces of advice while browsing the Web. Online forums, social networks, file-sharing networks: all these places are known as sources of various specialized tools. And there is nothing wrong with such software; sometimes people need functions that are not demanded (or accepted) in corporate production. Such tools are the so-called keygens for various apps, license key activators (KMS Activator is one of the best known) and utilities for adjusting system elements. The majority of anti-malware engines detect those applications as malicious, so you will likely disable the antivirus or add the app to the whitelist. Meanwhile, this utility may be either clean or infected with trojans or ransomware.
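As an added example, not from the article or from GridinSoft, this Python code implements the check a mail gateway or a cautious user can apply to an Office attachment before opening it: it inspects the OOXML (zip) container for the embedded VBA project part and for a macro-enabled content type. The sample documents it tests against are built inline and are not real documents; the placeholder vbaProject.bin content is constructed.

```python
import io
import zipfile

# OOXML content types declared by macro-enabled Word/Excel/PowerPoint files.
MACRO_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
DOCX_TYPE = ("application/vnd.openxmlformats-officedocument."
             "wordprocessingml.document.main+xml")

def office_macro_indicators(data):
    """Inspect an Office file held in memory (bytes) for macro indicators.

    OOXML files (.docx/.docm/.xlsx/...) are zip containers, so the check is
    purely structural and needs no Office install. Legacy binary .doc/.xls
    (OLE) files are not zips and are flagged not_ooxml for a separate check.
    """
    if not data.startswith(b"PK"):
        return {"not_ooxml": True, "vba_project": False, "macro_type": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # The VBA project is stored as a part named vbaProject.bin.
        vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        ctypes = ""
        if "[Content_Types].xml" in names:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        macro_type = any(t in ctypes for t in MACRO_TYPES)
    return {"not_ooxml": False, "vba_project": vba, "macro_type": macro_type}

def is_macro_document(data):
    """True when either indicator is present; the file extension is never
    trusted, since a renamed attachment keeps its internal structure."""
    ind = office_macro_indicators(data)
    return ind["vba_project"] or ind["macro_type"]

def build_sample(with_macro):
    """Constructed minimal OOXML container for the demo, not a real document."""
    main_type = MACRO_TYPES[0] if with_macro else DOCX_TYPE
    ct = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org'
          '/package/2006/content-types"><Override PartName="/word/document.xml" '
          f'ContentType="{main_type}"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder-not-real-vba")
    return buf.getvalue()
```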