
What you should know about ransomware

by Igor Mikhaylov, 2018-07-12

A huge number of new viruses appear every year in the world, some of which cause notable harm not only to ordinary people, but also to large firms. About 90 million new viruses were created in the world in 2017, and about 300,000 are created daily.

Antiviruses are getting better and better every year, but this does not mean 100 percent guaranteed protection for users of personal computers and smartphones from various viruses. The virus creators do not sleep.

In this article we will get acquainted with the top five malware families of 2017, and we will look at means of protection.

Perhaps the most widespread malicious program created in the last year was the worm WannaCry. This virus encrypts all information on the computer, and money is demanded for decryption. After three days of inaction on the part of the victim, the required amount of money increases. A week later, the files remain encrypted permanently. In total, this virus harmed about 500,000 computers in 74 countries, and it took only two hours to spread.

Bad Rabbit is an encrypting virus (ransomware). The malicious program infects a computer and encrypts the files on it. The virus then suggests making a payment on a specified darknet site (which requires the Tor browser) to regain access to the files. For the unlocking of each computer, victims are required to pay 0.05 bitcoin, that is, about 16,000 rubles or $280. After 48 hours, the amount increases.

According to experts from several companies that were attacked by the “rabbit,” it is a modified version of the NotPetya virus. A comparison of the source code of the two programs found a 13 percent overlap. NotPetya, incidentally, also appeared in 2017 and attacked computers in 65 countries.

The Petya virus is also known by other names: Petya.A, PetrWrap, NotPetya, ExPetr. When it reaches the computer, it downloads an encryptor from the internet and tries to overwrite the part of the hard disk that holds the data needed to boot the computer. If it succeeds, the system shows a “blue screen of death.” After the reboot, a hard drive check message appears asking you not to turn off the power. Thus, the encrypting virus poses as a system program for checking the disk, while it actually encrypts files with certain extensions. At the end of the process, you receive a message that the computer is locked, with information on how to get the digital key for decrypting the data. The Petya virus demands its ransom, as a rule, in bitcoins.

What sets both viruses apart is that they do not destroy the information on the computer, but only encrypt it.

Among the new viruses of 2017, you can also note Black Hat Europe. This virus can hit any version of Windows while remaining invisible to antivirus, because its code lives only in RAM and leaves no traces on the hard drive.

Malware analysts detected a virus called Slingshot, which proved capable of infecting routers through a multi-stage attack. The new program targets routers; because a router sits in front of many machines, the malicious payload spreads faster and reaches several devices at once. The virus replaces a system library with a specially crafted copy, loads the infected components and then launches the attack process. The program is able to steal any information stored in digital form, including network traffic, screenshots and passwords. It also carefully protects its own security and smooth operation: for example, to deflect suspicion from itself, the virus initiates computer security checks on its own.

What can you do to protect yourself?

Unfortunately, it is impossible to provide complete protection from viruses. That would require new viruses to stop appearing, which is a naive hope. There are some things you can do, however.

One of the main ways to combat viruses is timely prevention. Follow these recommendations to reduce the risk of infection:

  1. Do not run programs downloaded from the internet or received as e-mail attachments without first scanning them for viruses.
  2. Scan all external disks for viruses before copying or opening the files they contain, or downloading anything from them.
  3. Install an antivirus program and use it regularly. Update its database of virus signature files promptly whenever new signatures are released.
  4. Regularly scan hard disks for viruses. Scanning is usually performed automatically each time the PC is turned on and whenever an external disk is inserted. When scanning, the antivirus program looks for viruses by comparing program code with the code of known viruses stored in its database.
  5. Use strong passwords so that malware cannot easily guess a password and gain administrator privileges. Regular archiving of files will minimize the damage from a virus attack.
  6. The main means of protecting information is backing up the valuable data stored on hard disks.

Antivirus protection software

There is quite a lot of antivirus protection software available. Modern antivirus programs consist of the following modules:

  1. Heuristic module – detects unknown viruses.
  2. Monitor – a program that stays resident in the PC’s RAM.
  3. Control module – runs the antivirus software and updates the virus database and components.
  4. Mail module – checks e-mail.
  5. Scanner – checks for, detects and removes a fixed set of known viruses in memory, files and system areas of disks.
  6. Firewall – protection against hacker attacks.
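To make concrete what recommendation 4 above and the scanner module mean by “comparing program code with the code of known viruses,” here is a small signature scanner. It is an added example written for this article, not code from the original post or from any antivirus vendor. The “virus database” (hashes and byte patterns), the sample files and the detection names are all constructed for the example.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed "known virus" database for this example. A real antivirus
# database holds millions of entries; the values below are made up here.
SAMPLE_MALICIOUS_BODY = b"MZ\x90\x00" + b"EXAMPLE-MALWARE-BODY" * 4

# Exact-match signatures: SHA-256 of the whole file -> detection name.
KNOWN_BAD_HASHES: Dict[str, str] = {
    hashlib.sha256(SAMPLE_MALICIOUS_BODY).hexdigest(): "Example.Ransom.Sample",
}

# Byte-pattern signatures: a fragment of code/data -> detection name.
KNOWN_BAD_PATTERNS: List[Tuple[bytes, str]] = [
    (b"ENCRYPT_AND_DEMAND_RANSOM", "Example.Ransom.Pattern"),
]


def scan_bytes(data: bytes) -> List[str]:
    """Return the names of every signature that matches the given bytes."""
    hits: List[str] = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_HASHES:
        hits.append(KNOWN_BAD_HASHES[digest])
    for pattern, name in KNOWN_BAD_PATTERNS:
        if pattern in data:
            hits.append(name)
    return hits


def scan_files(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scan a mapping of path -> content and report only the infected entries."""
    report: Dict[str, List[str]] = {}
    for path, content in files.items():
        hits = scan_bytes(content)
        if hits:
            report[path] = hits
    return report


# Constructed sample "disk": two clean files, one hash match, one pattern match.
SAMPLE_DISK: Dict[str, bytes] = {
    "C:/Users/user/report.docx": b"PK\x03\x04 ordinary office document",
    "C:/Users/user/notes.txt": b"nothing suspicious here",
    "C:/Users/user/Downloads/invoice.exe": SAMPLE_MALICIOUS_BODY,
    "C:/Users/user/Downloads/update.exe": (
        b"MZ\x90\x00" + b"\x00" * 8 + b"ENCRYPT_AND_DEMAND_RANSOM"
    ),
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_DISK).items():
        print(f"{path}: {', '.join(hits)}")
```

The hash signature only fires on a byte-for-byte identical file: appending a single byte to `SAMPLE_MALICIOUS_BODY` changes its SHA-256 and the hash lookup misses, while the byte-pattern signature still catches a file that carries the fragment. That gap between exact and fuzzy matching is exactly why the heuristic module listed above exists alongside the scanner.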

Decrypting files

Is it possible to decrypt such files without dealing with the criminals? Yes, it is. This is possible because of programming errors in the ransomware, which mean that:

  1. The files of the computer’s owner are only partially encrypted.
  2. The crypto key is not deleted from the computer. Having this key, forensics analysts at Digital Forensics Corp. can decrypt the encrypted files.

In addition, recovering deleted files (which were never encrypted) may restore important files.
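A first triage step after an attack is to find out which files are fully encrypted, which were only partially encrypted, and which were left untouched, so that recovery effort goes where it can succeed. The script below does that by measuring the Shannon entropy of each 4 KB chunk: encrypted data looks random (close to 8 bits per byte), while document text sits far lower. It is an added example written for this article, not a tool of Digital Forensics Corp. or of the original post; the sample files, the chunk size and the 7.0-bit threshold are assumptions chosen for the demonstration, and the “encrypted” bytes are generated with a seeded pseudo-random generator rather than by any real cipher.

```python
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

CHUNK_SIZE = 4096     # bytes per chunk (assumed; tune for the file types in scope)
HIGH_ENTROPY = 7.0    # bits per byte; encrypted or compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def chunk_profile(data: bytes, chunk_size: int = CHUNK_SIZE) -> List[Tuple[int, float]]:
    """Return (offset, entropy) for every chunk of the file, in order."""
    return [
        (off, shannon_entropy(data[off:off + chunk_size]))
        for off in range(0, len(data), chunk_size)
    ]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """Label a file as 'plaintext', 'encrypted' or 'partially_encrypted'.

    A file where every chunk is high-entropy is treated as fully encrypted;
    a mix of high- and low-entropy chunks points to partial encryption, which
    is the case where the untouched regions are still recoverable.
    """
    flags = [entropy >= HIGH_ENTROPY for _, entropy in chunk_profile(data, chunk_size)]
    if not flags or not any(flags):
        return "plaintext"
    if all(flags):
        return "encrypted"
    return "partially_encrypted"


def triage(files: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every file in a path -> content mapping."""
    return {path: classify(content) for path, content in files.items()}


def build_samples() -> Dict[str, bytes]:
    """Constructed sample files: one untouched, one fully and one partially encrypted."""
    rng = random.Random(2018)  # seeded so the samples are reproducible
    text = b"Quarterly report: revenue grew in all regions. " * 400  # ~18 KB of plain text
    # Pseudo-random bytes stand in for ciphertext; no real cipher is involved.
    pseudo_cipher = bytes(rng.getrandbits(8) for _ in range(len(text)))
    return {
        "untouched.txt": text,
        "fully_encrypted.txt": pseudo_cipher,
        # Only the first 8 KB overwritten, the remainder of the document intact.
        "partially_encrypted.txt": pseudo_cipher[:8192] + text[8192:],
    }


if __name__ == "__main__":
    for path, label in triage(build_samples()).items():
        print(f"{path}: {label}")
```

In practice the same profile is run over a disk image or a copied user directory, and the `partially_encrypted` files are the ones worth carving intact regions from before any decryption attempt; compressed archives and images naturally score high and should be checked by file type rather than entropy alone.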

As the practice of Digital Forensics Corp. shows, a large number of ransomware attacks are associated with attempts by hackers to remove forensic artifacts from a compromised computer. In these cases, before the files on the computer are encrypted, the hackers steal financial information or private data from the compromised computer, and only then deploy the ransomware. Forensics analysts at Digital Forensics Corp. can determine what files and data have been stolen from a compromised computer. Our analysts strongly recommend examining compromised computers so that their owners know for sure whether their private data has been stolen or not.