All about Ransomware and its control

Ransomware meaning / definition : Ransomware is a piece of malicious software that encrypts the files on a computer and demands money in exchange for the means to decrypt them.

The encryption may be limited to individual files, or it may cover a folder, a drive or even the entire computer.

Ransomware examples: 

'WannaCry' is a well-known ransomware that infected computers on a massive scale in 2017. 

Other names : WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY


How does ransomware spread?

It spreads in the same ways that viruses and other malware spread :

1. Through email : emails may carry infected attachments which, when opened, infect a vulnerable computer.

2. Through removable media like pen drives : when an infected pen drive is plugged into a vulnerable system, the infection passes on to the host computer.

3. Through the internet : when someone downloads an infected file and opens it, the infection passes on to the vulnerable computer. Infection may also occur simply by opening an infected website.

4. Through the local area network. 

5. Through chat : when someone receives an infected file and opens it.


We now need to understand which computers are vulnerable to ransomware :

1. The operating system mainly facing this challenge is Windows.
2. Microsoft released an update in March 2017 to close this vulnerability, so those who have not applied that patch are vulnerable.
3. Old Windows versions that Microsoft no longer supports, like Windows XP, remain vulnerable, since Microsoft no longer supports them and has not released a patch/update to protect them.

How to prevent ransomware?

How to make your computer immune to ransomware : 

1. Switch to a better operating system like Mac / Linux 
2. Apply updates to your operating system
3. Those using an unsupported Windows operating system must upgrade to an up-to-date Windows version
4. Use a trusted antivirus with all updates installed.

Whatever infection may hit your system, what is really at risk is your files, so you need to protect them. 


Now the question is, how do we protect the files, and what should the correct process be?

How to protect your files :

Since we keep updating our files regularly, generating backups regularly/automatically secures the files to some extent. Note that your files are still not safe unless you meet the guidelines below.

Suppose you back up your file to a different location on the same computer. If your hard drive fails, the file is lost. If malware infects your computer, the file is lost too.

Suppose you back up your critical file by copying it to an external hard drive, overwriting the last backup. In this case you may actually have saved an infected file over your clean copy, so even your backup now holds only the infected file.

So what should we do? 
We cannot keep every version of the file, so we need a practical way out.
We may use backup software that keeps, say, 10 versions of each file and backs up only the files that have changed; the unchanged files are already in the backup (along with their versions).
We should use at least one cloud backup, since in a natural disaster our local copy of the file may be damaged as well.

Thus ideally a backup should meet these :
1. Backups must be taken often and regularly.
2. Backups must be kept away from your computer, for example on an external hard drive. 
3. Backups must have a cloud based / remote location component to survive a natural disaster, preferably in a geographically different location such as a different continent.
4. Backups must keep versions of your files.
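The versioned, changed-files-only backup described above, as an added example that is not part of the original article (the 10-version limit, the file names and the "infected file overwrites the clean one" scenario are constructed for the demo): every version is stored under its own hash, so a later infected copy can never overwrite the clean one.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

def backup_tree(src: Path, dest: Path, max_versions: int = 10) -> dict:
    """Copy only changed files from src into dest, keeping up to max_versions of each.
    Each version lives under its own SHA-256, so an infected copy never overwrites a clean one."""
    objects, index_file = dest / "objects", dest / "index.json"
    objects.mkdir(parents=True, exist_ok=True)
    index = json.loads(index_file.read_text()) if index_file.exists() else {}
    summary = {"copied": [], "unchanged": []}
    for f in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = f.relative_to(src).as_posix()
        digest = hashlib.sha256(f.read_bytes()).hexdigest()
        versions = index.setdefault(rel, [])    # oldest first, newest last
        if versions and versions[-1] == digest:  # unchanged since the last run
            summary["unchanged"].append(rel)
            continue
        if not (objects / digest).exists():
            shutil.copy2(f, objects / digest)
        versions.append(digest)
        summary["copied"].append(rel)
        while len(versions) > max_versions:      # drop the oldest version
            old = versions.pop(0)
            if not any(old in v for v in index.values()):  # not shared by another file
                (objects / old).unlink()
    index_file.write_text(json.dumps(index))
    return summary

def restore(dest: Path, rel: str, version: int = -1) -> bytes:
    """Read a file back: version -1 is the newest copy, -2 the one before it."""
    index = json.loads((dest / "index.json").read_text())
    return (dest / "objects" / index[rel][version]).read_bytes()

def demo() -> tuple:
    """Constructed scenario: back up a clean file, 'encrypt' it, back up again."""
    tmp = Path(tempfile.mkdtemp())
    src, dest = tmp / "src", tmp / "backup"
    src.mkdir()
    (src / "report.txt").write_bytes(b"clean report")
    first = backup_tree(src, dest)
    second = backup_tree(src, dest)              # nothing changed yet
    (src / "report.txt").write_bytes(b"\x00encrypted garbage")
    backup_tree(src, dest)
    result = (first["copied"], second["unchanged"],
              restore(dest, "report.txt"), restore(dest, "report.txt", -2))
    shutil.rmtree(tmp)
    return result
```

Running demo() shows the second run copying nothing and, after the "encryption", both the garbage and the clean report being recoverable.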


Coming back to ransomware. 
How do we stop ransomware?
The ransomware seems to have a hard-coded domain name. Someone identified that domain name and registered it, which halted the spread of the ransomware. This may not be a long-term solution.

We need to follow the steps given above to make our computers immune to ransomware.

How to decrypt the files encrypted by ransomware : 

There are a lot of file decryption services working on this. We recommend sending both the encrypted file and its unencrypted version (from your backup) to these decryption organisations, to help them work out the decryption logic and help the world.


Ransomware attacks : 

Ransomware attacks started in 1989 and were uncommon until 2005.
Numerous variants of the code have come into focus time and again.
In 2005 the attacks increased.
From 2013 onwards the attacks have increased every year.
2015 saw alarming levels of infection.
2016 and 2017 witnessed still more attacks.
In 2017 the attacks have increased so much that a proper strategy is needed to combat them.

How much ransom do they demand : 

Earlier they used to demand about 300 USD. Now they demand about 500 USD and more. They demand more money from larger companies.
They set a deadline, after which the ransom amount doubles.
They even threaten that the files will be damaged or locked forever.
There is a history of ransomware operators who collected millions of dollars and still did not decrypt the files.

Ransomware as a service :

2017 witnesses this, where internet-connected devices such as smart televisions, smart refrigerators etc. are the victims.


What can be the effect : 

The world is getting used to technology-related devices day by day; these devices are part of our lives, and when they stop we are paralysed. Medical systems, hospitals and banks are the crucial areas. We have now started to face disaster in these critical areas too.


We need to understand the terms related to Ransomware : 

Encryption : the process of converting data into a coded form that is normally not recognizable. The data may be recovered later using decryption.
Encryption follows a set of predefined rules and logic to convert the data. It relies on a key, which is used to encrypt the data. Some encryption is a two-way process, meaning the data can be decrypted using the key.

Decryption : the process of converting encrypted codes back into recognizable data using the decryption key.
Decryption follows a set of predefined rules and logic to convert the data back to the original. It relies on a key, which is essential to decrypt the data. Some encrypted data may not be decryptable.

Algorithm : the set of predefined rules and logic followed to encrypt and decrypt data.

Bitcoin : a digital currency. It can be procured online and stored in a wallet. Note that PayPal also supports bitcoin. 


The question is, why bitcoin : 

The answer is obvious: bitcoin transactions are anonymous. To make a payment using bitcoin you use your wallet's 'private key' to generate an 'address', which does not carry your personal information.

Just like any currency, bitcoin has a valuation, and its value is increasing gradually.

Ransomware Algorithm :

Ransomware is not limited to a single algorithm. It can use any type of algorithm; the idea is to encrypt the file using a key. The encrypted data can be decrypted using a key, and this is where these people make their money: they charge you for the key and the decryption software.

Ransomware detection :

The presence of unknown file extensions on your known files is a clear sign.
A lot of files getting renamed is a surer sign.
We now see a lot of antivirus products able to detect them.

WannaCry tends to create a folder inside ProgramData whose name is just some random characters. It contains a file called 'tasksche.exe' and/or 'mssecsvc.exe'. These files may be created in the Windows folder too.

Network connections to .onion domains may be present.
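The detection signs listed above (unknown extensions appended to known documents, mass renaming, the dropper names under ProgramData / Windows, and .onion connections) applied to a file listing, as an added example that is not part of the original article. The extension allow-list, the ".locked" extension, the rename threshold, the sample paths and the connection list are all constructed for the demo.

```python
from pathlib import PureWindowsPath

# Constructed allow-list of extensions the user's own documents normally carry.
KNOWN_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt"}
# Dropper file names the text associates with WannaCry.
WANNACRY_FILES = {"tasksche.exe", "mssecsvc.exe"}
# Assumption: this many renamed documents counts as "a lot of files getting renamed".
RENAME_ALERT_THRESHOLD = 5

def appended_unknown_extension(path: str) -> bool:
    """True for names like budget.xlsx.locked: a known document extension
    followed by one we have never seen (the 'unknown extension' sign)."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    return (len(suffixes) >= 2 and suffixes[-2] in KNOWN_EXT
            and suffixes[-1] not in KNOWN_EXT)

def dropper_location(path: str) -> bool:
    """True when a WannaCry dropper name sits anywhere under ProgramData or Windows."""
    p = PureWindowsPath(path)
    parents = {part.lower() for part in p.parts[:-1]}
    return p.name.lower() in WANNACRY_FILES and bool(parents & {"programdata", "windows"})

def analyze(paths, connections) -> dict:
    """Apply the signs from the text to a file listing and an outbound connection list."""
    renamed = [p for p in paths if appended_unknown_extension(p)]
    droppers = [p for p in paths if dropper_location(p)]
    onion = [c for c in connections if c.rsplit(":", 1)[0].lower().endswith(".onion")]
    mass_rename = len(renamed) >= RENAME_ALERT_THRESHOLD
    return {
        "renamed_files": renamed,
        "mass_rename": mass_rename,
        "droppers": droppers,
        "onion_connections": onion,
        "verdict": "likely ransomware" if (mass_rename or droppers or onion) else "no indicators",
    }

# Constructed sample data (not real incident artifacts): a user's folders after an
# infection, one dropper under a random-named ProgramData folder, two connections.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.locked",
    r"C:\Users\alice\Documents\thesis.docx.locked",
    r"C:\Users\alice\Documents\slides.pptx.locked",
    r"C:\Users\alice\Pictures\holiday.jpg.locked",
    r"C:\Users\alice\Documents\contract.pdf.locked",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\ProgramData\qwzxpvtrlm\tasksche.exe",
]
SAMPLE_CONNECTIONS = ["203.0.113.7:443", "constructedexample.onion:9001"]
```

analyze(SAMPLE_PATHS, SAMPLE_CONNECTIONS) flags five renamed documents, the dropper and the .onion connection; a clean listing with only ordinary files returns "no indicators".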


How can we come up with a solution:
Everything depends on the variant of the ransomware.
A master decryption key is possible only in some cases, not in all.

What is the future : 

We don't see a quick end to ransomware. Instead it is believed that it will increase and engulf our mobile phones and smart devices very soon.
The only solution is to back up your files, data, websites etc.
If no one pays them, they will have to stop.


Technical details : 

Ransomware uses EternalBlue, MS17-010 (an SMB exploit for Windows machines), to spread. Microsoft has released a patch for this. 

Older Windows operating systems do not have a patch for this and are vulnerable, like Windows NT4, Windows 2000, Windows XP and Windows 2003.

The ports used to spread are : 139, 445, 3389

SMB is enabled by default on Windows. Disable the SMB service on the machine through the Windows settings (Settings > uncheck the SMB setting > OK).



Updated on 13-May-2017 :

Microsoft has released a security update for most of its popular operating systems under "KB4012598".





About the Author:

Narottam Agarwala
