Advanced Threat Protection


Definition of ransomware, types of ransomware and ways to face the threat

Feb 04, 2019 08:54 PM

    Happy week, community. I hope this week is quite productive for everyone. In the last 2 articles that I wrote I talked about the measures to combat the massive ransomware attacks on Windows 7 and Windows 10, and also against banks, since it is usually a subject that should be treated with great care. To go a little deeper, here I leave another contribution to the community: I want to talk in more depth, from the basics, about ransomware. What is it? What kinds of ransomware are there? All of this will be organised alphabetically, so that we know a little more and can identify the problem in time.

Ransomware

 

    Ransomware is malicious software that, once it has infected a system, lets the attacker (the "cyber aggressor") lock the device and encrypt the files on it, often completely. When the encryption is finished the attacker displays a ransom note, usually as a pop-up window, demanding a sum of money in exchange for the files. That is where the problem starts: there is no guarantee that the information will be returned once the demanded sum is paid. In many cases it is recommended not to pay, since the attacker often uses the ransom as a trap and never hands over the key. Every day there are countless attacks of this kind demanding large sums for the victim's own data. The types of ransomware, and the kind of target each one tends to attack, are listed below:

 

Cerber: Named after Cerberus, the three-headed dog of the underworld. It is a ransomware that encrypts the user's files with AES and is commonly delivered as an attachment in spam email. Once downloaded it runs at the next system start, after which it begins encrypting the information; the most common symptom is that the machine starts showing random error messages.

 

CryptoLocker: It is well known for spreading as an email attachment or through exposed Remote Desktop (TCP port 3389). It encrypts local files and files on network drives using RSA public-key cryptography, so the private key needed to decrypt them never leaves the attacker. The file that carries it is disguised as a document from a legitimately established company.

 

DMA Locker: A crypto-ransomware that enters silently. Once it has achieved its purpose it sends the user or the affected company a message demanding an immediate ransom for the information, together with the procedure that must be followed to the letter to pay a costly sum; there is no fixed value for the ransom. The attacker usually grants a limited period of time to pay. Once the payment is made, the attacker delivers a unique key used to decrypt the information; if the offer is not accepted, the data is lost. The operators behind it are usually reported to be of Polish, Russian or Czech origin.

 

Jigsaw: Named after the villain of the horror film Saw. Its attack is silent: once it is running it encrypts the files using AES, and after locking the system it demands that the affected user pay the sum set by the attacker. This ransomware works against a countdown, giving only an hour or two before it starts deleting files, and as time passes it deletes more files and raises the ransom three or four times. Rebooting the machine or attempting a clumsy removal triggers the deletion of files by the thousand, which is a much bigger problem, so removal has to be done carefully rather than in a panic.

 

Kimcilware: It targets a specific kind of victim, online stores (web servers running Magento). Its way of working is unusual: it appends its own name as the extension of the files it encrypts and replaces the site's index page with its own. The ransom is usually a smaller amount, but it can only be paid in Bitcoin.

 

Maktub: This ransomware shares its name with a book by the Brazilian writer Paulo Coelho. It encrypts files with 256-bit AES and is known for producing files that are hard to recover; the ransom usually rises over time. Its origin has not been verified, but it is believed that a sizeable team is behind the development of one or more parts of this ransomware.

 

Mamba: Known for attacks on companies in Brazil and Saudi Arabia and even on the city of San Francisco in the United States. Rather than encrypting individual files, Mamba installs the open-source full-disk encryption tool DiskCryptor on the server, sets an encryption password from the command line, encrypts the whole disk and replaces the MBR with its own boot loader, so that at the next boot the machine shows the ransom note instead of loading the operating system.

 

Petya: This ransomware is known for its repeated attacks on banks, companies and financial institutions in European countries such as the UK, Ukraine and Russia. Its way of operating starts like the previous ones, encrypting certain files, but it then also overwrites the boot sector (MBR) with its own code and encrypts the Master File Table, so that the system can no longer boot or find its files, and then it demands a relatively low ransom.

 

Reveton: It usually appears in the guise of a warning or threat from the authorities of a country, such as the police or the armed forces, accusing the user of a crime and keeping the system locked until a "fine" is paid.

 

TeslaCrypt: Unlike the previous ransomware, this one specialised in encrypting game files, user profiles and saved games. No further attacks of any relevance by this ransomware have been recorded recently; its authors released the master decryption key in 2016.

 

Tox: Unlike the others, Tox started as a kit for building ransomware; its creators decided to distribute the kit to the public for free through an affiliate system, taking a cut of each ransom. Tox encrypts files such as PDF, JPG, TXT and DOC, among others, using AES.

 

WannaCry: One of the most famous, being a constant threat to many companies and banks because of its huge impact. Its target is the Windows operating system, and it spreads across networks on its own: it exploits a vulnerability in SMBv1, the old version of the protocol Windows uses for file and printer sharing (the EternalBlue exploit, patched by Microsoft in MS17-010), to reach other machines without any user action. It is still one of the most dangerous ransomware families around.

 

                   

                      Now that we have defined what ransomware is, let's look at how the attacker works, step by step:

 

  1.  Invasion of the system or target: The selected ransomware is launched to infect the system or the network; for maximum effectiveness this initial phase is estimated to take less than 1 hour.
  2.  Installation of files in the background: It installs components that lock the system, then locates the data and prepares to encrypt it.
  3.  Data encryption: Once the data has been selected, the process ends by encrypting it all with a key that the user can only obtain by paying the ransom.
  4.  Message to the affected user: A negotiation between the attacker and the affected users begins, with a deadline; if it is not met, the ransom is tripled or the information is lost entirely.
  5.  Ransom demand: The sums demanded are usually very high and may even change over time; payment is generally required in cryptocurrency or other little-known wallets, since this protects the attacker's identity.
  6.  Delivery of data: This last phase generates a lot of controversy because there is no guarantee that the attacker will return all the data; there is no certainty of restoring all the files that were in the system before the attack.

 

         Now that we have covered what ransomware is and the best-known or most dangerous types, it is important to act and apply the following measures, which reduce the impact of an attack significantly:

 

  • Keep Windows servers updated, checking for and installing security patches several times a week rather than waiting for a monthly cycle, and complement them with an anti-malware solution and firewall rules that allow only the access that is strictly necessary; disable SMBv1 wherever it is not needed, since that is the protocol WannaCry abuses
  • Install anti-ransomware tools: they detect the encryption behaviour that accompanies the attack in time and block the process before it gets far
  • Enable anti-spam filters and JavaScript blockers, which reduce infections considerably since most of these families arrive by email
  • Back up all data as a routine activity, keeping at least one copy offline or otherwise out of reach of the infected machine (a backup on a mapped network drive gets encrypted along with everything else), and test restores regularly; this is what lets you recover the server after a serious infection without paying
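The "anti-ransomware tools" bullet above and step 3 of the attacker's procedure (data encryption) both come down to the same observable: files on disk suddenly turn into ciphertext. The following Python script is an added illustration written for this article; it is not part of the original post and not code from any Symantec product. It flags files whose bytes look like cipher output (Shannon entropy close to the 8.0 bits/byte that AES produces), files carrying the extension Kimcilware appends, and any change to a decoy "canary" file. The canary name and contents, the entropy threshold, the extension lists and the sample files are all assumptions constructed for the example.

```python
import math
import os
import tempfile
from collections import Counter

# All names and thresholds below are assumptions made for this example, not from the article.
CANARY_NAME = "._canary.txt"
CANARY_CONTENT = b"ransomware canary - do not modify\n"
HIGH_ENTROPY_BITS = 7.5   # bits per byte; AES/RSA output sits close to the 8.0 maximum
# Formats that are compressed or encrypted by design: high entropy is normal for them.
COMPRESSED_SUFFIXES = (".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4",
                       ".pdf", ".docx", ".xlsx")
# Extension that Kimcilware appends to the files it encrypts.
KNOWN_RANSOM_SUFFIXES = (".kimcilware",)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, sample_bytes: int = 65536) -> bool:
    """Sample the head of a file and decide whether it looks like ciphertext."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(sample_bytes)) >= HIGH_ENTROPY_BITS


def scan_tree(root: str):
    """Walk a directory tree and return sorted (reason, path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if name == CANARY_NAME:
                # The canary is a decoy: any change to it means something is rewriting files.
                with open(path, "rb") as fh:
                    if fh.read() != CANARY_CONTENT:
                        findings.append(("canary_modified", path))
                continue
            if lower.endswith(KNOWN_RANSOM_SUFFIXES):
                findings.append(("known_ransomware_extension", path))
                continue
            if lower.endswith(COMPRESSED_SUFFIXES):
                continue   # would trip the entropy check even when perfectly healthy
            if looks_encrypted(path):
                findings.append(("high_entropy_content", path))
    return sorted(findings)


def build_demo_tree() -> str:
    """Constructed sample data (not real victim files): a plaintext report, a file whose
    body has been replaced by uniformly distributed bytes standing in for AES output,
    a Kimcilware-style renamed file, an image that is high-entropy by nature, and the canary."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    plaintext = b"Quarterly report: revenue grew 4% while costs stayed flat.\n" * 200
    ciphertext_like = bytes(range(256)) * 256   # every byte value equally often -> 8.0 bits
    samples = {
        "report.txt": plaintext,
        "contract.csv": ciphertext_like,
        "invoice.pdf.kimcilware": ciphertext_like,
        "photo.jpg": ciphertext_like,
        CANARY_NAME: CANARY_CONTENT,
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root


def demo_reasons():
    """Run the scanner over the constructed tree and return only the finding reasons."""
    return [reason for reason, _path in scan_tree(build_demo_tree())]


if __name__ == "__main__":
    for reason, path in scan_tree(build_demo_tree()):
        print(f"{reason:28s} {path}")
```

On the constructed tree the scanner reports the contract file as high-entropy content and the invoice as carrying a known ransomware extension, while the plaintext report, the image and the untouched canary produce nothing. A real anti-ransomware product hooks file-system events and kills the writing process the moment the canary changes or a burst of files crosses the entropy threshold, rather than rescanning the disk; the skip list for compressed formats is what keeps such a heuristic from drowning in false positives.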

 

With these measures you can avoid damage to the system or the server. As I emphasised in my previous article, with Symantec Endpoint Protection you get reinforced protection in any situation. Attackers often choose the hours around midnight for their attacks, since that is when nobody is watching and servers left without Windows updates are exposed.
