What is Ransomware?
GRIDINSOFT TEAM
The short definition of ransomware is hidden in its name, just as with many other viruses. “Ransom software” is a program that gets into your computer, encrypts your files, and then asks you to pay a ransom to get them back. Some ransomware examples threaten victims with deleting their files or publishing some of their sensitive data if the ransom is not paid. While the first threat is a 100% lie, the second can be real, since ransomware is often spread together with spyware or stealers.
Various ransomware examples use different encryption methods. AES-256 and RSA-1024 are used in the majority of cases, but you can sometimes meet examples using RSA-2048. The number at the end is the key length in bits: raise two to that power and you get the number of possible keys. Even in the case of AES-256, the number of keys is a 78-digit number. Can you brute-force it? Maybe, if you have a spare 2 million years, or a quantum computer with much better performance than any that currently exists. ~ Gridinsoft Team
For every victim, ransomware generates a unique online key. That key is stored on a server maintained by the cybercriminals. If the virus cannot connect to that server, it encrypts the files with an offline key, which is stored locally on the encrypted machine. The number of offline keys is limited, so you share a decryption key with several other victims.
Unfortunately, there is no 100% guarantee of getting your files back. If you are lucky and the ransomware used an offline key, you will be able to decrypt your data much faster. Nonetheless, the process of obtaining keys is quite long, and you may have to wait for several weeks. The decryption app that is meant for file decryption receives an update with the key that fits your case as soon as analysts find it.
Online keys are much harder to recover. Since every such key is unique, you may have to wait for months: the ransomware distributors will likely be caught and forced to hand over all the keys they hold on their servers. Another case when all keys are released to the public is when the ransomware creators decide to shut down their malicious activity. That has happened only once, in 2018, when the GandCrab developers claimed they had earned 2 billion dollars and suspended their activity.
Ransomware attack stages
Most analysts define six main stages of a ransomware attack. They may all happen within a single day or be spread over a month, but their order and purpose always remain the same.
Compromise. It is also sometimes called the initial injection. At this point, attackers inject the malware into the network (or onto the device, if the attack targets an individual user). Compromise usually happens through RDP breaches, spam email or the use of unlicensed software.
Infection. At this stage, crooks use the initial foothold they gained in the network to deliver the malicious payload. They rarely use direct downloads, since those are very easy to detect and prevent with security solutions. That is why the malware download usually relies on exploiting bugs in Windows and in application software. However, when the target is an unprotected network or a lone user, the attackers may still prefer the direct download.
Escalation. All malware relies on running with administrator privileges. This is exactly why working from an account with ordinary user privileges reduces the danger malware poses. Even so, cybercriminals can find a way through: most escalation stages in corporate networks are carried out through vulnerability exploitation, particularly of flaws that escalate privileges.
Scan. This step involves scanning the infected machine(s) to find all the files the ransomware can cipher. Usually ransomware goes after the most sensitive data formats: MS Office files, pictures and music. Some, however, act differently and cipher whatever they reach, including files whose encryption breaks the functionality of installed programs.
Encrypt. Encryption may take minutes or hours, depending on the amount of data on the attacked machines and the quality of the ciphering software. The LockBit group, for example, is known for having the fastest encryption: it takes only 5 minutes to cipher 100 GB of data.
Pay Day. When the encryption is over, the malware notifies the victim about the attack. It usually generates a ransom note file on the desktop and/or in each folder with ciphered files. Optionally, it can also change the desktop wallpaper to the ransom note. In the harshest cases (like Petya ransomware), the malware infects the bootloader and shows the ransom note banner when you press the power button, instead of loading the OS.
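A defender's view of the Pay Day stage, as an added example (not Gridinsoft code): a heuristic that reads a file listing and flags the two artefacts described above, an unfamiliar extension appended to most files and the same note file repeated in many folders. The allow-list of everyday extensions, the thresholds and the sample paths (including the invented '.locked' extension and '_readme.txt' note name) are assumptions made for the demo.

```python
"""Heuristic check for the 'Pay Day' artefacts described above: one unfamiliar
extension appended to most files, plus the same note file dropped into many folders.
Added example, not Gridinsoft code; the file listing below is constructed."""
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# Assumption: a short allow-list of everyday extensions is enough for the heuristic.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".png", ".jpeg", ".jpg",
                    ".gif", ".mp3", ".txt", ".py", ".exe", ".dll"}
NOTE_REPEAT_THRESHOLD = 3         # same note name seen in at least this many folders
RENAMED_FRACTION_THRESHOLD = 0.5  # share of files carrying an appended extension

def appended_extension(path):
    """'.locked' for report.docx.locked (unknown suffix stacked on a known one), else None."""
    suffixes = PurePosixPath(path).suffixes
    if (len(suffixes) >= 2 and suffixes[-1].lower() not in KNOWN_EXTENSIONS
            and suffixes[-2].lower() in KNOWN_EXTENSIONS):
        return suffixes[-1].lower()
    return None

def analyse(paths):
    """Dominant appended extension, note names repeated across folders, and a verdict."""
    ext_counter = Counter()
    note_dirs = defaultdict(set)          # note file name -> folders it appears in
    for path in paths:
        p = PurePosixPath(path)
        ext = appended_extension(path)
        if ext:
            ext_counter[ext] += 1
        if p.suffix.lower() in {".txt", ".html", ".hta"}:
            note_dirs[p.name].add(str(p.parent))
    top_ext, top_count = (ext_counter.most_common(1) or [(None, 0)])[0]
    notes = sorted(n for n, d in note_dirs.items() if len(d) >= NOTE_REPEAT_THRESHOLD)
    fraction = top_count / len(paths) if paths else 0.0
    return {"appended_extension": top_ext, "renamed_fraction": fraction,
            "ransom_notes": notes,
            "suspicious": fraction >= RENAMED_FRACTION_THRESHOLD and bool(notes)}

# Constructed listing: three folders, every document renamed, one invented note per folder.
SAMPLE_PATHS = [
    "/home/alice/docs/report.docx.locked", "/home/alice/docs/budget.xlsx.locked",
    "/home/alice/docs/_readme.txt", "/home/alice/pics/holiday.jpeg.locked",
    "/home/alice/pics/cat.png.locked", "/home/alice/pics/_readme.txt",
    "/home/alice/music/song.mp3.locked", "/home/alice/music/_readme.txt",
    "/home/alice/notes.txt",  # an ordinary text file, present in one folder only
]

if __name__ == "__main__":
    print(analyse(SAMPLE_PATHS))  # suspicious: True, appended_extension: '.locked'
```

A single renamed file or a lone readme never trips the verdict; both signals must be present, which is what separates a user's own rename from the mass rewrite described in the Encrypt and Pay Day stages.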
Types of ransomware
There are several types of ransomware in existence today. Everyone in the cybersecurity community is familiar with the type called crypto ransomware; that is exactly the virus described above. Another kind of ransomware was active much earlier, before 2014: locker ransomware. As you can guess from its name, this virus locked your system and asked for a ransom to unlock the desktop. Let me show you the key differences between locker and crypto ransomware.
Locker ransomware:
- Blocks your desktop;
- Covers the desktop with a ransom note banner;
- Modifies the registry keys responsible for the operation of Windows Explorer;
- Suspends the explorer.exe process;
- Blocks most system key combinations (Ctrl+Alt+Del, Ctrl+Shift+Esc);
- Some versions can infect the BIOS, making it impossible to load the system;
- Can sometimes be removed after tricky manipulations with system functions;
- Asks you to pay the ransom as a mobile number top-up or through an online payment system (PayPal, WebMoney, Qiwi, etc.).
Crypto ransomware:
- Encrypts files of the most popular extensions (.docx, .png, .jpeg, .gif, .xlsx) and appends its own specific extension to them;
- Changes registry keys responsible for networking and startup program launch;
- Adds a .txt file with ransom payment instructions to each folder containing encrypted files;
- Can block access to some websites;
- Prevents the launch of anti-malware installation files;
- Can change your wallpaper to a ransom note;
- Ransom payment is accepted only in cryptocurrencies, primarily Bitcoin.
Latest ransomware attacks
- Experts Analyzed the Activities of the PYSA Cyber-Extortion Group
- RuRansom Malware Destroys Data in Russian Systems
- Leaked Conti ransomware source codes were used to attack Russian authorities
- Researchers found a Hive ransomware master key via cryptographic vulnerability
- Decryption keys for Maze, Egregor and Sekhmet ransomware were posted on the Bleeping Computer forum
- Experts linked BlackCat (ALPHV) ransomware to BlackMatter and DarkSide groups
- The FBI believes that the HelloKitty cryptor is controlled by operators from Ukraine
- US Cyber Command confirms cyberattacks against ransomware
List of ransomware families, current as of May 2022:
- Avaddon ransomware had a short but very active life: its developers decided to shut down their activity in May 2021
- STOP Djvu ransomware is one of the most widespread ransomware families. The first activity of this virus type was detected in 2018, and its activity is still very high. Targeted mainly at ordinary users, this ransomware is a perfect example of "classic" ransomware
- Conti ransomware. This criminal group attacks organizations where IT outages can have life-threatening consequences: hospitals, 911 dispatch carriers, emergency medical services, and law enforcement agencies
- Matrix ransomware is an old-timer of the ransomware sector, having appeared in December 2016
- MedusaLocker ransomware appeared in September 2019 and got off to a very rapid start with attacks on companies from all over the world
- Snatch ransomware uses a trick with Windows Safe Mode and a privileged service
- VoidCrypt ransomware uses several features that are more typical of corporate-oriented viruses
- Xorist ransomware is built with a crypto-constructor and can change itself so much that it is hard to recognize
- Dharma ransomware appeared around 2016; this ransomware family targets small businesses. Almost 77% of all Dharma cases are related to the exploitation of RDP vulnerabilities
- Egregor ransomware has attacked large companies from all over the world
- HiddenTear was initially created for educational purposes
- LockBit is an extremely fast ransomware
- Magniber ransomware attempted to use the known PrintNightmare vulnerability to compromise victims
- Makop does not stick to a single encryption algorithm
Is it a solution to pay the ransom?
The majority of the income ransomware developers receive goes to fund various outlaw activities, such as terrorism, other malware distribution campaigns, drug dealing, and so on. Since all ransom payments are made in cryptocurrencies, there is no way to uncover the identity of the crooks. However, email addresses sometimes indicate that the ransomware distributors are located somewhere in the Middle East.
As you can conclude, paying the ransom amounts to taking part in these outlaw activities. Of course, no one will blame you for funding terrorism. But it is not pleasant to know that the money you earned by honest work is spent on terrorism or drugs. Often even large corporations blackmailed with threats to publish internal data do not pay a penny to those crooks.
Anti-Ransomware Protection Software
Protect yourself against ransomware with Gridinsoft Antimalware, the best Anti-Ransomware available. Regain control of your privacy with a ransomware scanner, detector, and remover that's ultra-fast and refreshingly lightweight — and 100% effective.
How can I protect my computer from ransomware?
Usually, anti-malware programs update their detection databases every day. GridinSoft Anti-Malware offers hourly updates, which decreases the chance that a completely new ransomware sample will infiltrate your system. However, anti-malware software is not a panacea. You need to be careful in all risky places. Those are:
- Email messages. The majority of ransomware cases, regardless of the family, are related to malicious email messages. People are used to trusting everything sent by email and do not expect something malicious inside an attached file. Cyber burglars exploit that weakness and bait people into enabling macros in a Microsoft Office file. A macro is a small program embedded in a document to extend what the document can do: you can build anything in Visual Basic and add it to the document as a macro. Crooks, without further thought, add ransomware code.
- Dubious utilities and untrustworthy programs. You may see all kinds of advice while browsing the Web. Online forums, social networks, seeding networks: all these places are known as sources of various specialised tools. There is nothing wrong with such software in itself; sometimes people need functions that are not in demand (or not permitted) in corporate products. Such tools are the so-called keygens for various apps, license key activators (KMS Activator is one of the best known) and utilities for adjusting system elements. The majority of anti-malware engines detect these applications as malicious, so you will likely disable the antivirus or add the app to the whitelist. Meanwhile, the utility may be either clean or infected with trojans or ransomware.
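The macro lure above is one reason mail gateways inspect the attachment's container rather than trusting its file name. As an added example (not Gridinsoft code), the Python below opens an Office attachment as the ZIP it is and quarantines it if a VBA project is inside, even when it is delivered as a .docx. The sample documents are constructed in memory and the "invoice.docx" name is invented.

```python
"""Gateway-side check for the macro lure described above: treat an Office attachment
as the ZIP container it is and look for an embedded VBA project, whatever the file is
called. Added example, not Gridinsoft code; the documents below are built in memory."""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"  # OOXML content type of a VBA part

def has_vba_project(data):
    """True if the container holds a vbaProject.bin part or declares the VBA content type."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in ctypes
    except zipfile.BadZipFile:
        pass                      # not an OOXML container at all; other checks would apply
    return False

def classify_attachment(filename, data):
    """Quarantine macro-bearing documents even when the extension (.docx) suggests none."""
    if has_vba_project(data):
        return "quarantine: VBA project inside %s" % filename
    return "deliver"

def _build_ooxml(parts):
    """Build a minimal OOXML-style ZIP for the demo (a stand-in, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: a clean document and a macro-enabled one delivered as "invoice.docx".
CLEAN_DOC = _build_ooxml({
    "[Content_Types].xml": '<Types><Default Extension="xml" ContentType="application/xml"/></Types>',
    "word/document.xml": "<w:document/>",
})
MACRO_DOC = _build_ooxml({
    "[Content_Types].xml": '<Types><Override PartName="/word/vbaProject.bin" ContentType="%s"/></Types>' % VBA_CONTENT_TYPE,
    "word/vbaProject.bin": b"\x00placeholder bytes standing in for a VBA project\x00",
})

if __name__ == "__main__":
    for blob in (CLEAN_DOC, MACRO_DOC):
        print(classify_attachment("invoice.docx", blob))  # deliver, then quarantine: ...
```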
Can ransomware spread through Wi-Fi?
Fortunately, no. Cases where ransomware spreads across a local network involve the malware being circulated through shared directories; at the same time, the attackers obtain administrator privileges and execute the malware on every computer in the network. Without letting the crooks connect to your device, it is impossible to get infected.
Is ransomware a crime?
For sure it is. Creating the malicious code, spreading it, and collecting the ransom payments all fall under cybercrime legislation in numerous countries. Even touching the process or the ransom money may count as participation in the crime.
Do I have to report ransomware to the FBI?
You are not obliged to report it to the FBI specifically; any other law enforcement agency will do. It is best to report a ransomware attack to an organization created specifically to counter cybercrime, but such an agency may not be represented in your city, or even your county or state. The police can take your report and forward it to the qualified authorities, or advise you on whom to report the case to.
What can I do against ransomware?
Individual users cannot do much against ransomware development and distribution. Even if the crooks are your friends or relatives, you will likely learn of it only from the news, after their arrest: they keep strict information hygiene, since their main enemy, law enforcement, poses a much greater threat to them. The main thing you can really do to counter ransomware is to make it unprofitable. Each user who pays the ransom encourages the crooks to keep going; when they get nothing from most of the victims, they may become dissatisfied and perhaps turn their skills in a more peaceful direction.
Is Windows 10 vulnerable to ransomware?
All Windows versions are vulnerable to ransomware attacks. Some specific versions may be harder to infect (in practice, the ransomware will simply struggle to complete the encryption), but it is still possible. Windows 11, Microsoft's newest operating system, has some serious security upgrades, including a reinforced Windows Defender and security mechanisms in sensitive system components. It is considered less vulnerable, but ransomware developers keep working too.