Topic: RANSOMWARE

[abelapolo]

1986: The first known ransomware, the 1989 AIDS Trojan (also known as «PC Cyborg»), is written by Joseph Popp

2005: In May, extortion ransomware appears

2006: By mid-2006, worms such as Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive start using more sophisticated RSA encryption schemes, with ever-increasing key-sizes

2011: A ransomware worm imitating the Windows Product Activation notice appears

2013: A ransomware worm based on the Stamp.EK exploit kit surfaces and a Mac OS X-specific ransomware worm arrives on the scene. CryptoLocker rakes in around $5 million in the last four months of the year

2015: Multiple variants on multiple platforms are causing major damage


Encryption Ransomware
It encrypts personal files and folders (documents, spread sheets, pictures, and videos).

The affected files are deleted once they have been encrypted, and users generally encounter a text file with instructions for payment in the same folder as the now-inaccessible files.

You may discover the problem only when you attempt to open one of these files.

Some, but not all types of encryption software show a ‘lock screen’:

Maktub1 Ctblocker2.10 Bitman_040 Bitman_025

Lock Screen Ransomware — WinLocker
It locks the computer’s screen and demands payment.

It presents a full screen image that blocks all other windows.

No personal files are encrypted.

Polyransom2

Master Boot Record (MBR) Ransomware
The Master Boot Record (MBR) is the part of the computer’s hard drive that allows the operating system to boot up.

MBR ransomware changes the computer’s MBR so that the normal boot process is interrupted.

Instead, a ransom demand is displayed on the screen.

Master-Boot.jpg

Ransomware encrypting web servers
It targets webservers and encrypts a number of the files on it.

Known vulnerabilities in the Content Management Systems are often used to deploy ransomware on web services.

Ransomware encrypting web servers

Mobile device ransomware (Android)
Mobile devices (mostly Android) can be infected via “drive-by downloads”.

They can also get infected through fake apps that masquerade as popular services such as Adobe Flash or an anti-virus product.

If attacked, should I pay the ransom?
Paying the ransom is never recommended, mainly because it does not guarantee a solution to the problem. There are also a number of issues that can go wrong accidentally. For example, there could be bugs in the malware that makes the encrypted data unrecoverable even with the right key.

In addition, if the ransom is paid, it proves to the cybercriminals that ransomware is effective. As a result, cybercriminals will continue their activity and look for new ways to exploit systems that result in more infections and more money on their accounts.

How to prevent a ransomware attack?

Back-up! Back-up! Back-up! Have a recovery system in place so a ransomware infection can’t destroy your personal data forever. It’s best to create two back-up copies: one to be stored in the cloud (remember to use a service that makes an automatic backup of your files) and one to store physically (portable hard drive, thumb drive, extra laptop, etc.). Disconnect these from your computer when you are done. Your back up copies will also come in handy should you accidentally delete a critical file or experience a hard drive failure.
Use robust antivirus software to protect your system from ransomware. Do not switch off the ‘heuristic functions’ as these help the solution to catch samples of ransomware that have not yet been formally detected.
Keep all the software on your computer up to date. When your operating system (OS) or applications release a new version, install it. And if the software offers the option of automatic updating, take it.
Trust no one. Literally. Any account can be compromised and malicious links can be sent from the accounts of friends on social media, colleagues or an online gaming partner. Never open attachments in emails from someone you don’t know. Cybercriminals often distribute fake email messages that look very much like email notifications from an online store, a bank, the police, a court or a tax collection agency, luring recipients into clicking on a malicious link and releasing the malware into their system.
Enable the ‘Show file extensions’ option in the Windows settings on your computer. This will make it much easier to spot potentially malicious files. Stay away from file extensions like ‘.exe’, ‘.vbs’ and ‘.scr’. Scammers can use several extensions to disguise a malicious file as a video, photo, or document (like hot-chics.avi.exe or doc.scr).
If you discover a rogue or unknown process on your machine, disconnect it immediately from the internet or other network connections (such as home Wi-Fi) — this will prevent the infection from spreading.

[Samker]

Very informative, thanks!