First steps to take after being infected with a Ransomware

by | Jun 18, 2020 | Articles, Malware


Early days, the first ransomware attack

In 1989, an AIDS researcher initiated the first attack, which became known as the AIDS Trojan.
Joseph L. Popp, an evolutionary biologist, sent 20,000 infected diskettes labeled “AIDS Information – Introductory Diskettes”. The diskettes reached as many as 90 countries and contained a program that assessed an individual’s risk of acquiring the disease through a questionnaire. The diskette also contained a trojan that was activated after the computer had been rebooted 90 times; the malware then encrypted file names and directories. Subsequently, it displayed a message demanding a payment of $189 and another $378 to regain access.

Virus vs. Ransomware

Both are programs designed with malicious intent. The difference is that a virus infects a system and replicates itself, causing devices to crash, sending spam emails, deleting files on the system, and so on, while ransomware encrypts the data in the system.

How is ransomware spread?

Many methods of deception are used to distribute this kind of malware.
Attackers use social engineering techniques and give the victim a compelling reason to open the disguised ransomware. It can be disguised as an urgent email attachment, such as an invoice; once opened, it gains access to the infected device and can also encrypt data on networks connected to that device.
Social media is often a great “platform” for spreading ransomware.
Using the attachment feature that most social media chat-messenger services offer, the malicious attachment is spread just as it is by email. Pop-ups have also been the cause of ransomware infections: by mimicking software updates such as Adobe’s, or prompting for fake scans or offers, they usually deliver the ransomware successfully.

Types of encryption

Symmetric key Cipher:

A symmetric key cipher uses a single key to both encrypt and decrypt the information, so whoever holds that one key can recover the data.

Asymmetric key Cipher:

Also known as public-key cryptography, it uses two different keys, one public and one private. Either key can be used to encrypt the data, and the opposite key from the one used to encrypt is then used to decrypt it.


Ransomware encryption techniques

Symmetric encryption ransomware.

With this technique, the ransomware encrypts all the user files with the AES algorithm and stores on disk the keys used to encrypt each file. When the victim pays the ransom, the decryptor opens this key file and starts decrypting the files. This method can be bypassed if the file with the keys is found, and since

Client Asymmetric encryption.

The ransomware generates an RSA key pair, encrypts all files with the public key and then sends the private key to a remote server. The limitation of this technique is that, for the private key to reach the server, the infected machine must be connected to the internet and the server must be online as well. If either condition is not met, the ransomware will either stop its execution, continue encrypting all files with no possibility of decryption, or even store the private key on disk for later decryption.

Server Asymmetric encryption.

In this technique the server generates a key pair, and the public key is hardcoded in the ransomware itself; each file is encrypted with the server’s public key, and only the server’s private key can recover the files. By paying the ransom and getting the private key, you can also decrypt other machines that were infected with the same ransomware.

Server and Client asymmetric encryption + symmetric encryption.

This is the most used ransomware technique nowadays because it uses both methods of encryption and needs no internet connection for encryption, only for decryption. Both the ransomware and the server generate their own RSA key pair.
The ransomware generates the Client public key and the Client private key for each infection and also has the Server public key hardcoded. It then encrypts the Client priv. key with the Server pub. key; the files are encrypted using AES, and when that is finished, all AES keys are encrypted with the Client pub. key.
In order to decrypt the files, the victim needs the AES keys, which are encrypted with the Client pub. key.
To decrypt the AES keys, the Client priv. key is necessary, but the Client priv. key is itself encrypted with the Server pub. key. Thus, in order to decrypt the Client priv. key, the decryptor needs the Server priv. key, which is held on the server and sent only when the victim pays the ransom.


Post-Ransomware Infection – Effective Steps for Recovery

Facing a ransomware infection can be a daunting experience for any organization. However, following a systematic approach to recovery can help minimize the damage and restore normalcy efficiently. This high-level write-up outlines the crucial steps to undertake after a ransomware attack, empowering businesses to recover swiftly and effectively.

Disregard Ransom Demands

It is essential to understand that ransom demands are not reliable guarantees for decryption. Paying the demanded amount does not ensure that the attacker will provide the necessary decryption key. Therefore, it is advisable to disregard the ransom demands and focus on other recovery measures.

Identify and Isolate Infected Systems: Minimize Further Damage

Determining the extent of the infection is a critical step. Identify the number of computers, drives, and servers that have been compromised and isolate them from the rest of the network. This isolation helps prevent the further spread of the ransomware within the organization.
Implement network access control (NAC) procedures to disconnect infected hosts from the network promptly. By isolating the infected systems, you contain the impact and reduce the risk of additional infections across multiple devices.

Determine Patient Zero

To effectively mitigate the spread of the attack, it is vital to identify the initial source of the infection, often referred to as “patient zero.” Examine the properties of an infected file and trace back to the end-user terminal. This information enables swift action and targeted measures to prevent further propagation of the ransomware.


Disconnect Affected Users

Isolate users who have reported issues with opening files or encountering suspicious file names. By disconnecting these users from the network, you prevent the ransomware from spreading further and potentially compromising additional systems.

Identify Ransomware Family, Leveraging Existing Knowledge

Conduct a simple search using the file extension associated with the ransomware to identify its family. Resources such as VirusTotal offer general overviews of known ransomware families. ID Ransomware provides quick identification by analyzing encrypted files, ransom notes, or addresses. CAPE’s sandbox scan and TrendMicro’s malware encyclopedia offer more detailed analysis and possible solutions for documented ransomware families.

Explore Free Decryption Tools, Restoring Files Where Possible

If a free decryption tool is available for your specific ransomware variant, download and deploy it to attempt file recovery. Vendors like TrendMicro offer such tools. In cases where a free decryption tool is not available, the best option is to restore files from a secure backup.

Thoroughly Clean Infected Systems

When reconnecting systems to the network, it is crucial to perform a thorough clean-up. Instead of merely removing known infected files, opt for wiping the systems completely and restoring from a master image. This approach ensures the elimination of any lingering malicious code and provides a more reliable clean-up process.

By following these high-level steps, organizations can effectively navigate the aftermath of a ransomware attack. Promptly isolating infected systems, identifying the source, utilizing available tools, and performing comprehensive clean-ups are integral to a successful recovery. With a well-executed recovery strategy, businesses can minimize disruption, safeguard their data, and strengthen their defenses against future ransomware threats.
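The isolation and patient-zero steps above, as an added example that is not part of the original article: a Python triage script that walks a mounted directory tree, lists files carrying the ransomware’s extension, takes the earliest one as the patient-zero candidate, counts impact per host or share, and checks for ransom notes. The extension `.locked`, the note name `README_DECRYPT.txt` and the sample tree are constructed placeholders, not values from any real family.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed placeholders: use the extension and note name observed on the infected hosts.
ENCRYPTED_EXT = ".locked"
NOTE_NAMES = {"README_DECRYPT.txt"}

def find_encrypted_files(root):
    """Return (path, mtime) for every file under root carrying the ransomware extension."""
    return [(p, p.stat().st_mtime)
            for p in Path(root).rglob("*" + ENCRYPTED_EXT) if p.is_file()]

def patient_zero_candidate(hits):
    """The earliest encrypted file points at the host where encryption started."""
    return min(hits, key=lambda h: h[1]) if hits else None

def impact_by_share(root, hits):
    """Count encrypted files per first-level directory (one directory per host or share)."""
    return Counter(p.relative_to(root).parts[0] for p, _ in hits)

def triage(root):
    """Summarise scope, likely origin and ransom-note presence for the isolation decision."""
    hits = find_encrypted_files(root)
    first = patient_zero_candidate(hits)
    notes = [p for p in Path(root).rglob("*") if p.name in NOTE_NAMES]
    return {"encrypted": len(hits),
            "patient_zero": first[0].relative_to(root).as_posix() if first else None,
            "per_share": dict(impact_by_share(root, hits)), "ransom_notes": len(notes)}

def build_sample_tree():
    """Constructed sample: three mounted 'shares' hit at different times plus one ransom note."""
    root = Path(tempfile.mkdtemp())
    base = 1592438400.0  # constructed base timestamp (18 Jun 2020, UTC)
    layout = {
        "HR-PC01/report.docx.locked": base,             # earliest: first machine hit
        "HR-PC01/budget.xlsx.locked": base + 30,
        "FILESRV/shared/plan.pdf.locked": base + 600,
        "FILESRV/shared/README_DECRYPT.txt": base + 650,
        "FILESRV/shared/notes.txt": base + 700,         # untouched file, must be ignored
        "DEV-PC07/main.c.locked": base + 900,
    }
    for rel, mtime in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample content")
        os.utime(p, (mtime, mtime))
    return root
```

Run `triage(build_sample_tree())` to see the summary; on a real case point `triage` at the mount point of each affected share and disconnect the host named by `patient_zero` first.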

Prevention is always the best defense

Ransomware Defense Strategies

By implementing high-level security measures and fostering a proactive cybersecurity culture, businesses can fortify their defenses against ransomware and mitigate the potentially devastating consequences. This write-up explores the key strategies to bolster your organization’s resilience and minimize the impact of ransomware attacks.

Robust Backup Strategies, Safeguarding Business Continuity

An essential preventive measure is the implementation of regular offline and cloud backups. By creating frequent backups on external systems, such as weekly or daily intervals, your organization ensures the safety of critical data. In the event of a ransomware infection, these backups serve as a fail-safe, allowing for swift recovery without succumbing to the attackers’ demands.

Patching and Updates

Mitigating the risk of ransomware infections necessitates the timely application of necessary updates and patches to operating systems and software utilized within your organization. By proactively addressing vulnerabilities and ensuring the latest security measures are in place, you significantly reduce the likelihood of successful attacks.

Comprehensive Cybersecurity Framework

Establishing a comprehensive cybersecurity framework is vital to avert ransomware threats. This framework encompasses strong cybersecurity policies, delineating expected employee behaviors and protocols, robust processes that outline how these policies should be implemented to achieve objectives, and stringent standards that dictate the specific technologies and configurations deployed within your systems.

Collaboration between offensive and defensive security teams is pivotal. Regular testing by offensive security teams, working alongside their defensive counterparts, allows for the identification and remediation of vulnerabilities. By continuously “breaking” and “fixing” systems and updating security measures, your organization enhances its adaptability and resilience.

Employee Training and Education, Building a Security-Aware Culture

Investing in employee training is crucial to building a human firewall against ransomware attacks. Educating your workforce on identifying potentially malicious email attachments, suspicious website URLs, and other common attack vectors is paramount. Regular training sessions, including phishing simulation exercises and informative tutorials, promote cybersecurity awareness and empower employees to play an active role in defending against ransomware threats.

Having cybersecurity-aware employees serves as a robust defense, significantly reducing the likelihood of a successful ransomware attack. By preventing such attacks from occurring in the first place, organizations can avoid the significant financial and reputational damage associated with these incidents.


Last Thoughts

While the steps outlined above contribute to a proactive prevention strategy, it is essential to acknowledge that a ransomware attack may still occur. Thus, investing in your infrastructure beforehand becomes imperative. By taking proactive measures to minimize downtime and restore business operations efficiently in the event of an attack, organizations can mitigate the disruptive impact of ransomware and swiftly resume normal operations.

By adopting a multi-faceted approach that combines prevention, education, and preparedness, organizations can bolster their defenses against ransomware threats. With a high-level understanding of the strategies outlined above, businesses are better equipped to navigate the evolving threat landscape and safeguard their critical assets from malicious actors seeking to exploit vulnerabilities.
