Know About Ransomware Attacks and the Protective Measures and Methods to Remove Them
Ransomware – data for ransom
Ransomware, a coined word made up of “ransom” and “ware” (from software), refers to malicious programs that block access to affected systems or to data.
With the first ransomware variants (e.g., “BKA Trojans”), only access to the system was blocked via a lock screen. Newer versions encrypt system data with secure encryption algorithms so that decryption is only possible using a unique digital code (key).
The victims are asked to pay a ransom for the code to be handed over. The money transfer takes place almost anonymously using digital currencies such as bitcoins or prepaid money cards. The attacker also provides precise instructions on how to transfer the money, which even laypeople can understand. The block remains active if you do not pay.
What does a possible ransomware infestation look like?
Ransomware spreads via email, drive-by download, or using server vulnerabilities: Spam emails attempt to use psychological tricks (social engineering) to trick users into executing an attachment or clicking on a particular link. They come, for example, as an Amazon order confirmation, T-Online invoice, DHL tracking, or, as in the case of “Goldeneye,” as an alleged application for a job.
Attackers prepare web pages so that a user can become infected while viewing the page (drive-by). To do this, they exploit weaknesses in the user’s web browser or viewer applications.
Ransomware attacks user systems and also exploits weak points in server systems, such as web servers or remote maintenance access, to infect them.
How acute is the danger?
Very acute! Ransomware has been on the rise since 2014. The BSI reports large waves of spam in 2015 and 2016 with an upward trend. Client and server systems at the Ruhr University have also been successfully attacked.
How is protection possible?
The best protection against ransomware lies in preventive measures: basic security of the workplace and server systems. This also includes keeping virus scanners and other software or technology products up to date. Since attackers repeatedly “adapt” their malicious software, one cannot assume 100% protection by antivirus programs.
You should therefore generally be skeptical about e-mail attachments that may contain macro functions or executable code (e.g. Office file types, .pdf, .chm, .com, .exe, .pif, .vbs, .js, .bat, .reg, .scr, etc.). We also recommend the BSI's recommendations for citizens on “surfing with common sense.”
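The skepticism toward these attachment types can be enforced at a mail gateway. The following is an added example, not part of the original article: it judges each attachment by its last extension and looks inside ZIP archives. The concrete Office extensions, the verdict names and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email.message import EmailMessage
from pathlib import PurePosixPath

# Executable and script types named in the article: block outright.
EXECUTABLE = {".chm", ".com", ".exe", ".pif", ".vbs", ".js", ".bat", ".reg", ".scr"}
# May carry macros or active content: hold for review. Office extensions are an assumption.
ACTIVE_DOC = {".pdf", ".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm"}
RANK = ["ok", "review", "block"]  # hypothetical verdict names, least to most severe

def classify(filename):
    """Judge a name by its LAST extension, so 'Invoice.PDF.exe' counts as .exe."""
    name = filename.lower().rstrip(". ")  # Windows ignores trailing dots and spaces
    ext = PurePosixPath(name).suffix
    if ext in EXECUTABLE:
        return "block"
    return "review" if ext in ACTIVE_DOC else "ok"

def triage(msg):
    """Return (filename, verdict) per attachment; ZIPs are judged by their members."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        verdicts = [classify(name)]
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    verdicts += [classify(n) for n in zf.namelist()]
            except zipfile.BadZipFile:
                verdicts.append("review")  # unreadable archive: let a human look
        findings.append((name, max(verdicts, key=RANK.index)))
    return findings

def sample_message():
    """Constructed test mail with harmless placeholder payloads."""
    msg = EmailMessage()
    msg["Subject"] = "Application"
    msg.set_content("Please find my application attached.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cv.pdf.js", "// placeholder")
    for data, fname in [(buf.getvalue(), "application.zip"), (b"x", "Invoice.PDF.exe"),
                        (b"x", "tracking.pdf"), (b"x", "notes.txt")]:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return msg

if __name__ == "__main__":
    print(triage(sample_message()))
```

A "review" verdict means the file is held until the sender's authenticity is confirmed, not that it is known to be malicious.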
Regular backups of the data are the most important protective measure to ensure availability even after a ransomware incident. It is not enough to save data on a linked network drive because most ransomware variants encrypt data on file server systems or shadow copies.
This means that data on network drives should be integrated into a central data backup that is not directly accessible. Appropriate user administration and data structuring based on the “need-to-know” principle help to limit the damage.
A centrally provided spam filter (which must be activated by the user) significantly reduces the occurrence of unwanted messages. Access to known ransomware Command & Control servers is also monitored centrally by comparing it with the blocklists of the ransomware tracker project (abuse.ch).
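One way to do this central comparison, as an added example that is not part of the original article: match destinations from a proxy log against a blocklist of domains, IP addresses and CIDR ranges. The blocklist format, the log layout and every entry are constructed assumptions and do not reproduce the abuse.ch feed.

```python
import ipaddress

# Constructed feed: one domain, IP address or CIDR range per line, '#' starts a comment.
BLOCKLIST = """# sample entries using documentation-reserved names and ranges
c2.example.net
203.0.113.7
198.51.100.0/28
"""

# Constructed proxy log: timestamp, client, destination host, port.
LOG = """2016-02-11T09:14:02 10.0.4.17 www.example.com 443
2016-02-11T09:14:05 10.0.4.17 cdn.c2.example.net 80
2016-02-11T09:15:40 10.0.9.3 198.51.100.9 443
2016-02-11T09:16:01 10.0.9.3 198.51.100.200 443
2016-02-11T09:17:12 10.0.2.8 notc2.example.net 80
malformed line
"""

def load_blocklist(text):
    domains, networks = set(), []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.add(entry)  # not an address or range, so treat it as a domain
    return domains, networks

def is_blocked(dest, domains, networks):
    dest = dest.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        # Match the host or any parent domain, but only on label boundaries,
        # so 'cdn.c2.example.net' hits and 'notc2.example.net' does not.
        labels = dest.split(".")
        return any(".".join(labels[i:]) in domains for i in range(len(labels)))
    return any(addr in net for net in networks)

def find_hits(log_text, blocklist_text):
    """Return (client, destination) for every log line that matches the blocklist."""
    domains, networks = load_blocklist(blocklist_text)
    rows = (line.split() for line in log_text.splitlines())
    return [(r[1], r[2]) for r in rows
            if len(r) == 4 and is_blocked(r[2], domains, networks)]

if __name__ == "__main__":
    print(find_hits(LOG, BLOCKLIST))
```

Each hit names the internal client to isolate and investigate, which ties the monitoring to the isolation step described for damage cases.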
What to do in the event of damage?
We advise those affected to remain calm and act cautiously in the event of damage. Contact the Information Security Office to coordinate the next steps. To prevent the ransomware from spreading, the infected system must be isolated from other systems.
Disconnect the affected system from the RUB network or other devices, i.e., interrupt the network connections. If you don’t have a backup, not everything may be lost: decryption solutions have been found over time for some ransomware variants. The ransom should NOT be paid.
In any case, there is no guarantee that a payment will lead to its goal. The first point of contact for those affected is the No More Ransom! project. The project, initiated by the Dutch police, Europol, Intel Security, and Kaspersky, offers those affected by specific ransomware decryption tools for download. Further information, notes, and a detailed Q&A can also be found there.
Ransom demands through the back door.
The attack usually takes place via attachments in alleged application letters or contract offers. The user is asked to download a file via Dropbox and installs the malicious software in the process. The effect is severe: all local files and files on the network drive are immediately encrypted and thus made unusable.
After restarting the computer, the user usually receives a warning screen that asks him to transfer a sum of money in bitcoins within a specific time. Otherwise, the data remains permanently encrypted. In addition, threats are made that sensitive data will be published.
Once a system has gotten to this point, the data can no longer be saved. Even if an employee of the FBI recently recommended the opposite: it is urgently advisable not to comply with the ransom demands.
On the one hand, payments would be another incentive for other hackers to use ransomware as well. The more users get involved in this blackmail, the more attractive this model becomes for copycat criminals (certain websites already offer ransomware-as-a-service for everyone).
On the other hand, there is no guarantee that the data concerned will be decrypted again after the payment. None of our customers who responded to the claims had access to the data again, only less money in the account.
In an emergency, only the daily backup helps.
Chimera is a hybrid between screen locker and crypto-malware. Due to Chimera’s high level of encryption, it is currently not possible to decrypt the files.
If your system is affected, the only thing that will help is restarting the machine and restoring it using a decentralized backup. It should be noted that mutations of the ransomware are already in circulation which also encrypt permanently connected backups. This means that in the worst-case scenario, these data backups are also lost.
Rely on a multi-layered security approach
It is currently more critical than ever for the security of corporate IT to use as many protective layers as possible.
- Endpoint security solutions
- Effective and constantly updated spam protection
- Firewall systems
- Suppression of malware communication
- Regular and decentralized backups
Ransomware: How to protect yourself from “blackmail trojans.”
The portmanteau “ransomware” is a combination of the English terms “ransom” and “software.” There is also talk of blackmail, crypto, or encryption Trojans.
They all have the same function: the malware encrypts all files on a computer – or even an entire network – and, instead of the standard user interface, displays instructions for releasing the files, often a ransom note or something similar.
When it comes to distribution, ransomware does not differ from the much better-known computer viruses: it mainly reaches the targeted computer via fake email attachments (such as alleged invoices, delivery notes, ZIP files, etc.), security holes in the web browser or file hosting services such as Dropbox.
This is how ransomware works.
The most common method, however, is to send mass emails with infected attachments via bot networks. By means of spambots, cybercriminals can send the prepared emails automatically. The fake attachments ultimately hide downloaders that deliver the actual encryption Trojan.
As a rule, the emails build up pressure, imitate existing senders such as well-known companies, or try to connect with users. Users may be addressed directly and urged to open the attachment.
The method is well known, but the threat has become much more acute since the winter of 2015/16: The German Federal Office for Information Security (BSI) published an issue paper in the course of a veritable explosion of ransomware attacks. It says that in February 2016 ten times more ransomware was detected by antivirus programs than in October 2015.
At times in Germany alone, up to 5,000 computers newly infected by the crypto Trojan “Locky” were counted every hour. The malicious program caused millions of euros in damage worldwide.
It did not even stop at hospitals: in addition to a clinic in Los Angeles, numerous other hospitals, companies, and private computers worldwide were encrypted. Malware from the TeslaCrypt ransomware family is even more common.
Protective measures and methods to remove ransomware
The preventive measures against ransomware are diverse: First, the basic protective measures against fraudulent emails should be mentioned. That means:
- Be skeptical of unexpected emails.
- Do not click carelessly on dubious links and always question the plausibility of attachments.
- Only open them if the authenticity can be determined.
It is also recommended:
- Keep the operating system and effective antivirus software always up to date; this is the only way to identify new threats.
- Regularly create backups of the most critical files on an external storage medium; in the event of loss, the data can then be restored without significant damage.
- Always activate the firewall of the operating system; not working permanently with administrator rights can also offer additional protection.
- Stop using software with known security vulnerabilities; first and foremost, Adobe Flash Player is mentioned here, which is required less and less since the conversion of many websites to HTML5.
If it does come this far: What can you do in the event of encryption by ransomware? Whether the ransomware can be removed depends heavily on the encryption method used. Some can be detected and removed by popular antivirus software.
Others are more persistent: In any case, the computer should be disconnected from the network and switched off in the event of an attack. Rescue CDs can be used to avert several threats: These rescue discs are available from the manufacturers of standard antivirus software such as Kaspersky, AVG, or BitDefender.
Starting in Safe Mode can also help. This ensures that only the most essential system functions start up. In this secure environment, the system can be reset to an earlier point in time under “Control Panel” in the “System and Security” menu – but only if a restore point has been set beforehand.
The system usually generates this automatically for updates or program installations. As a last resort, you can also use the command line to run special decryption tools designed against specific encryption trojans.