What is Ransomware?

As internet technology has advanced, criminal activity has kept pace, and attackers are often a step ahead of security researchers. Attackers have a large number of platforms to attack, including web applications and networks. Creating backdoors with malware to obtain remote access is one of the traditional attack techniques, and as technology advances attackers devise new ones. In one way or another the attackers' motive is to generate revenue, whether directly or indirectly. Ransomware is one technique of direct revenue generation: access to files or to the system is denied by encrypting the data or locking the computer. Ransomware falls into two categories: Locker Ransomware and Crypto Ransomware.

In Locker Ransomware the user interface is blocked or access to computer resources is denied. Removing the malware does not affect the files or data stored on the computer, because this ransomware only blocks the interface and does not manipulate the files; for this reason it is less common. Here attackers rely on social engineering techniques that pressure the victim into paying.

In Crypto Ransomware the malware encrypts the valuable data. This type of malware gives no warning until the valuable data has been encrypted; the moment encryption is complete, it pops up a message asking the victim to pay a ransom to get the data back.

How does Crypto Ransomware work?

The first step is for the ransomware to get executed on the victim's machine, which can be done in a number of ways. Once it has executed on the victim's machine, its action starts.

After execution, the malware establishes persistence in the registry so that its operations run whenever the user logs in or the system boots. It also disables the restore operations of the operating system.

The ransomware then tries to connect to its C&C server for its further operations. This server is located in the Tor network so that detecting it becomes nearly impossible.

After a successful connection it uploads a small file which can be thought of as a unique victim ID.

Ransomware designed by professionals works on public key cryptography. The server generates a public-private key pair that is unique to the victim ID, and sends the public key to the victim's computer, where it is used to encrypt the data.

After encryption is complete, it pops up a message asking the victim to pay the ransom within a specified time, otherwise the server will delete the private key.

This is the common mechanism used by ransomware. The overall operation involves much more: how it got executed on the victim's computer, how strong the encryption algorithm is, and how the transactions are carried out in an untraceable manner. Any weakness in this whole operation will not just lead to failure of the operation but can lead to heavy legal action against all those involved.
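Because the files a crypto ransomware produces are indistinguishable from random bytes, one signal a defender can check for on a suspect machine is file entropy: user documents sit well below the 8-bit maximum, ciphertext sits very close to it. The following Python is an added example, not code from the original article. It computes Shannon entropy over file contents and flags files that look encrypted; the sample corpus is constructed inline, and the 7.5 bits/byte threshold is an assumption.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic: ciphertext has near-maximal entropy.

    The threshold is an assumption. Compressed archives and JPEG images also
    score high, so treat a hit as a trigger for closer inspection (recent
    modification time, changed extension), not as proof of ransomware.
    """
    return shannon_entropy(data) >= threshold


def scan(files: dict) -> list:
    """Return the names in `files` (name -> bytes) whose content looks encrypted."""
    return [name for name, data in files.items() if looks_encrypted(data)]


# Constructed sample corpus: a plain-text document and a "ciphertext" built
# deterministically from SHA-256 digests, standing in for real cipher output.
PLAINTEXT = b"Quarterly report: revenue grew 4% over the previous quarter. " * 60
CIPHERTEXT = b"".join(hashlib.sha256(b"block%d" % i).digest() for i in range(128))
SAMPLE_FILES = {"report.docx": PLAINTEXT, "report.docx.locked": CIPHERTEXT}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name}: {shannon_entropy(data):.2f} bits/byte")
    print("suspicious:", scan(SAMPLE_FILES))
```

Run against a real directory by reading each file into the `files` mapping; a sudden cluster of high-entropy files with fresh modification times is the pattern to alert on.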

How does ransomware spread?

The methods ransomware attackers adopt to spread ransomware are very common and almost the same as those of ordinary malware. The malicious file came with a .pdf extension, as Windows by default hides the actual extension of the file. By trapping users with techniques of this kind, attackers are able to execute the malware on the system. Some of the popular methods adopted to spread ransomware are:

Social Engineering Techniques: These techniques are very large in number, and they have got smarter over the previous years. They exploit the unawareness of individuals. Some of these techniques include fake emails with malicious attachments, phishing and much more.

Direct Drive-by-Downloads: Here the malware is downloaded and executed without the user's knowledge or consent. Most of the time legitimate websites are compromised and redirect to a malicious website, which then exploits vulnerabilities in the browser and operating system to execute the malware on the system.

Downloaders: When a user downloads a piece of software, websites often first provide a downloader or installer to fetch that particular software. In such cases the downloader or installer can itself be any type of malware.

Exploiting vulnerabilities in already installed software.

If the system is already infected by some piece of malicious code, it becomes an easy task to push an upgrade to that malware and infect the system with ransomware.
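The hidden-extension trick described above (an executable named so that Windows shows it as a .pdf) can be caught before the user ever sees it, at a mail gateway or download filter, by looking at the last extension rather than the first. The following Python is an added example and not code from the original article; the extension lists and the sample attachment names are constructed for illustration.

```python
# Extensions that Windows runs directly when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "ps1", "lnk"}
# Extensions a user expects to open harmlessly in a viewer.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                 "txt", "rtf", "jpg", "jpeg", "png", "gif"}


def extension_chain(name: str) -> list:
    """Split 'invoice.pdf.exe' into ['pdf', 'exe'].

    Lower-cased and whitespace-stripped, so padding such as
    'invoice.pdf        .exe' (used to push the real extension out of view
    in a narrow file list) does not hide the tail.
    """
    parts = [p.strip().lower() for p in name.split(".")]
    return parts[1:]


def classify_attachment(name: str) -> str:
    """Return 'deceptive', 'executable', 'document' or 'other'.

    Only the final extension decides what Windows will do with the file; an
    earlier document-looking extension is what misleads the user.
    """
    exts = extension_chain(name)
    if not exts:
        return "other"
    true_ext = exts[-1]
    if true_ext in EXECUTABLE_EXTS:
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):
            return "deceptive"
        return "executable"
    if true_ext in DOCUMENT_EXTS:
        return "document"
    return "other"


def filter_attachments(names) -> list:
    """Names a gateway should quarantine, paired with the reason."""
    verdicts = [(n, classify_attachment(n)) for n in names]
    return [(n, v) for n, v in verdicts if v in ("deceptive", "executable")]


# Constructed sample attachment names as they might arrive by mail.
SAMPLES = ["Invoice_2023.pdf", "Invoice_2023.pdf.exe", "photo.jpg        .scr",
           "setup.exe", "notes.txt", "backup.tar.gz"]

if __name__ == "__main__":
    for name, verdict in filter_attachments(SAMPLES):
        print(f"quarantine: {name!r} ({verdict})")
```

The same check is worth applying on the endpoint side: turning off "Hide extensions for known file types" in Explorer removes the illusion the trick depends on.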

Collecting the Ransom Amount in an Untraceable Manner

How the transaction is carried out in an untraceable manner is a very important part of the whole operation. There are a number of ways to achieve this, but a small mistake can take down everything. Techniques include the use of digital wallets that provide anonymity to the parties involved in the transactions, but with the evolution of ransomware most operators have shifted to Bitcoin. Bitcoin is a decentralized digital currency that currently provides anonymity to attackers. It differs from normal currency: it is digital, and most importantly a payment once made cannot be reversed. Bitcoin carries out transactions between addresses, which are just random-looking numbers. Because the currency is decentralized, all transactions on each address are public, but the identity of the person or group behind an address stays anonymous unless an identity linked to that particular address is posted or revealed somewhere else on the internet. Attackers do not use a single address; instead they use a large number of addresses. Moreover, the transactions are carried out over the Tor network for further anonymity, and their C&C servers are also located on the Tor network. In this way ransomware operators carry out transactions without revealing their identity.

How to Protect a System from Ransomware?

It is always better to prevent than to cure. Moreover, in the case of ransomware, once the encryption is done, removing the ransomware Trojan will not decrypt the files.

Keep your system up-to-date, as this patches the latest discovered vulnerabilities.

Use up-to-date AV tools and schedule regular scans, as this helps protect against unwanted software. Remove unwanted packages installed on the system.

Enable UAC (User Account Control) to minimize privileges, because most ransomware requires admin privileges.

Back up your data regularly to storage isolated from the system, so that if the system is infected with ransomware the impact will not be great.

The most important one is to stay alert while surfing the internet, as the internet is the main source of ransomware execution on the system.

If the Trojan is executed by mistake and the victim realises that something has gone wrong with the system, the first task is to disconnect the system from the internet and the local network and then remove the Trojan as soon as possible. This terminates the connection with the C&C server so that the transfer of encryption keys does not take place, saving the data.
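The advice above depends on noticing the infection early, before the bulk of the data is touched. Canary files give a machine a way to notice for itself: a few decoy documents whose contents are known exactly, checked regularly; any change, rename or deletion means something is rewriting user files and the host should be isolated. The following Python is an added example, not code from the original article. The canary names, the "isolate-host" response and the infection scenario are constructed; a real deployment would replace the response string with disabling the network adapter or raising an alert.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed decoy names; ransomware that walks a directory alphabetically
# reaches these early, so they act as an early-warning tripwire.
CANARY_NAMES = ["00_accounts.xlsx", "00_passwords.txt", "zz_archive.pdf"]
CANARY_BODY = b"canary file - do not edit; any modification raises an alert\n"


def plant_canaries(directory: str) -> dict:
    """Write the canary files and return a manifest {path: sha256 hex}."""
    manifest = {}
    for name in CANARY_NAMES:
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(CANARY_BODY)
        manifest[path] = hashlib.sha256(CANARY_BODY).hexdigest()
    return manifest


def check_canaries(manifest: dict) -> list:
    """Return canary paths whose content changed or that disappeared."""
    tampered = []
    for path, expected in manifest.items():
        try:
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
        except FileNotFoundError:       # renamed (e.g. to *.locked) or deleted
            tampered.append(path)
            continue
        if digest != expected:
            tampered.append(path)
    return tampered


def respond(tampered: list) -> str:
    """Hypothetical response hook: isolate the host the moment a canary trips."""
    return "isolate-host" if tampered else "ok"


def run_demo() -> dict:
    """Constructed scenario: plant canaries, check, then imitate an infection
    by overwriting one canary with random-looking bytes and renaming another."""
    workdir = tempfile.mkdtemp(prefix="canary-demo-")
    try:
        manifest = plant_canaries(workdir)
        before = check_canaries(manifest)
        overwritten, renamed = list(manifest)[0], list(manifest)[1]
        with open(overwritten, "wb") as fh:
            fh.write(hashlib.sha256(b"constructed ciphertext").digest() * 4)
        os.rename(renamed, renamed + ".locked")
        after = check_canaries(manifest)
        return {
            "before": before,
            "after": sorted(os.path.basename(p) for p in after),
            "response": respond(after),
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

Check the manifest from a scheduled task every minute or so; the cost is negligible, and the goal is to trigger the disconnect-and-clean step before the encryption finishes and the key exchange with the C&C server completes.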