(Last Updated On: March 25, 2022)

SCARSSCARS SCARS - Society of Citizens Against Relationship Scams Inc. A government registered crime victims' assistance & crime prevention nonprofit organization based in Miami, Florida, U.S.A. SCARS supports the victims of scams worldwide and through its partners in more than 60 countries around the world. Incorporated in 2015, its team has 30 years of continuous experience educating and supporting scam victims. Visit www.AgainstScams.org to learn more about SCARS.™ CYBER BASICS: RansomwareRansomware Ransomware is a type of malware from cryptovirology that threatens to publish the victim's personal data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system so that it is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies that are used for the ransoms, making tracing and prosecuting the perpetrators difficult. Ransomware attacks are typically carried out using a Trojan virus disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the WannaCry worm, traveled automatically between computers without user interaction.

Ransomware Is A Multi-Billion Dolar Industry

This document is written for more technical readers.

Ransomware is malwareMalware Short for "malicious software," this term means computer viruses and other types of programs that cybercriminals use to disrupt or access your computer, typically with the aim of gathering sensitive files and accounts. that locks your computer and mobile devices or encrypts your electronic files. When this happens, you can’t get to the data unless you pay a ransomRansom A ransom is an amount of money or other assets of value that is paid for blackmail, extortion, or under other threats or coercion. The ransom is usually paid in cash or now in cryptocurrency. Online blackmail, sextortion, and ransomware all demand ransoms to avoid negative outcomes..

HOWEVER, THIS IS NOT GUARANTEED AND YOU SHOULD NEVER PAY!

What Is Ransomware?

Ransomware is a type of malware that prevents you from accessing your computer (or the data that is stored on it). The computer itself may become locked, or the data on it might be stolen, deleted, or encrypted. Some ransomware will also try to spread to other machines on the network, such as the Wannacry malware that impacted the NHS in May 2017.

Normally you’re asked to make a payment (often demanded in a cryptocurrency such as Bitcoin), in order to unlock your computer (or to access your data). However, even if you pay the ransom, there is no guarantee that you will get access to your computer, or your files. Occasionally malware is presented as ransomware, but after the ransom is paid the files are not decrypted. This is known as wiper malware. For these reasons, it’s essential that you always have a recent offline backup of your most important files and data.

Should I Pay The Ransom?

Most entities generally advise not to pay the ransom, as there is no guarantee that you will get access to your device (or data).

Using A Defense In-Depth Strategy

Since there’s no way to completely protect your organization against malware infection, you should adopt a ‘defense-in-depth’ approach. This means using layers of defense with several mitigations at each layer. You’ll have more opportunities to detect malware, and then stop it before it causes real harm to your organization. You should assume that some malware will infiltrate your organization, so you can take steps to limit the impact this would cause, and speed up your response.

Getting Help – Helping Yourself

Interpol has collaborated on the creation of a central repository website for unlocking Ransomware at: www.nomoreransom.org

DECRYPTED RANSOMWARE

• GOGOOGLE
• MAGNIBER
• SIMPLELOCKER 
• KOKOKRYPT
• OUROBOROS
• MAPO
• RANSOMWARED
• CHERNOLOCKER
• TURKSTATIC
• HAKBIT
• NEMTY
• PARADISE

The battle is over for these ransomware threats. If you have been infected with one of these types of ransomware click on the link under its name and it will lead you to a decryption tool.

AVOIDING RANSOMWARE

Tip 1: Make Regular Backups

The key action to take to mitigate ransomware is to ensure that you have up-to-date backups of important files; if so, you will be able to recover your data without having to pay a ransom.

Make regular backups of your most important files – it will be different for every organization – and check that you know how to restore the files from the backup.

Ensure that a backup is kept separate from your network (‘offline’), or in a cloud service designed for this purpose – our blog on offline backups in an online world provides useful additional advice for organizations.

Cloud syncing services (like Dropbox, OneDrive and SharePoint, or Google Drive) should not be used as your only backup. This is because they may automatically synchronize immediately after your files have been ‘ransomwared’, and then you’ll lose your synchronized copies as well.

Make sure the device containing your backup (such as an external hard drive or a USB stick) is not permanently connected to your network and that you ideally have multiple copies. An attacker may choose to launch a ransomware attack when they know that the storage containing the backups is connected.

Tip 2: Prevent Malware From Being Delivered To Devices

You can reduce the likelihood of malicious content reaching your network through a combination of:

• filtering to only allow file types you would expect to receive
• blockingBlocking Blocking is a technical action usually on social media or messaging platforms that restricts or bans another profile from seeing or communicating with your profile. To block someone on social media, you can usually go to their profile and select it from a list of options - often labeled or identified with three dots ••• websites that are known to be malicious
• actively inspecting content
• using signatures to blockBlock Blocking is a technical action usually on social media or messaging platforms that restricts or bans another profile from seeing or communicating with your profile. To block someone on social media, you can usually go to their profile and select it from a list of options - often labeled or identified with three dots ••• known malicious code

These are typically done by network services rather than users’ devices. Examples include:

• mail filtering (in combination with spam filtering) which can block malicious emails and remove executable attachments
• intercepting proxiesProxies A VPN (also known as a proxy) is an app or connection method that keeps your internet connection private, whether you're connecting to unsafe public Wi-Fi or your network at home. Having a layer of security that blocks people from watching you browse helps keep you safe online, no matter where you connect from. Virtual private networks protect you by creating an encrypted "tunnel" that all of your device's data travels through on its way to the internet via a proxy server or service. Encryption turns words and data, like text files, into a secret code. If someone tries to read encrypted data without the password, they'll see random gibberish., which block known-malicious websites
• internet security gateways, which can inspect content in certain protocols (including some encrypted protocols) for known malware
• safe browsing lists within your web browsers which can prevent access to sites known to be hosting malicious content

Public sector organizations are encouraged to subscribe to the NCSC Protective DNS or similar services; this will prevent users from reaching known malicious sites.

Some ransomware attacks are deployed by attackers who have gained access to networks through remote access software like RDP. You should prevent attackers from being able to brute-forceBrute-force attack Brute-force attack: A hacking method to find passwords or encryption keys by trying every possible combination of characters until the correct one is found. access to your networks through this (or similar) software by either:

• authenticating using Multi-Factor Authentication (MFA)
• ensuring users have first connected through a VPNVPN A VPN (also known as a proxy) is an app or connection method that keeps your internet connection private, whether you're connecting to unsafe public Wi-Fi or your network at home. Having a layer of security that blocks people from watching you browse helps keep you safe online, no matter where you connect from. Virtual private networks protect you by creating an encrypted "tunnel" that all of your device's data travels through on its way to the internet via a proxy server or service. Encryption turns words and data, like text files, into a secret code. If someone tries to read encrypted data without the password, they'll see random gibberish. that meets our recommendations.

Tip 3: Prevent Malware From Running On Devices

A ‘defense in depth’ approach assumes that malware will reach your devices. You should, therefore, take steps to prevent malware from running. The steps required will vary for each device type and OS, but in general, you should look to use device-level security features such as:

Centrally manage enterprise devices in order to either:

• only permit applicationsApplications Applications or Apps An application (software), commonly referred to as an ‘app’ is a program on a computer, tablet, mobile phone or device. Apps are designed for specific tasks, including checking the weather, accessing the internet, looking at photos, playing media, mobile banking, etc. Many apps can access the internet if needed and can be downloaded (used) either for a price or for free. Apps are a major point of vulnerability on all devices. Some are designed to be malicious, such as logging keystrokes or activity, and others can even transport malware. Always be careful about any app you are thinking about installing. trusted by the enterprise to run on devices using technologies including AppLocker, or
• only permit the running of applications from trusted app stores (or other trusted locations)

Consider whether enterprise antivirus or anti-malware products are necessary, and keep the software (and its definition files) up to date.

Provide security education and awareness training to your people.

Disable or constrain macros in productivity suites, which means:

• disabling (or constraining) other scripting environments (e.g. PowerShell)
• disabling autorun for mounted media (prevent the use of removable media if it is not needed)
• protect your systems from malicious Microsoft Office macros

In addition, attackers can force their code to execute by exploiting vulnerabilities in the device. Prevent this by keeping devices well-configured and up to date. We recommend that you:

• install security updates as soon as they become available in order to fix exploitable bugs in your products.
• enable automatic updates for operating systems, applications, and firmware if you can
• use the latest versions of operating systems and applications to take advantage of the latest security features
• configure host-based and network firewalls, disallowing inbound connections by default

Tip 4: Limit The Impact Of Infection And Enable Rapid Response

If put in place, the following steps will ensure your incident responders can help your organization to recover quickly.

• Help prevent malware from spreading across your organization by preventing lateral movement. This will help because attackers aim to move across machines on the network. This might include targeting authentication credentials or perhaps abusing built-in tools.
• Use two-factor authentication (also known as 2FA) to authenticate users so that if malware steals credentials they can’t be reused.
• Ensure obsolete platforms (OS and appsApps Applications or Apps An application (software), commonly referred to as an ‘app’ is a program on a computer, tablet, mobile phone or device. Apps are designed for specific tasks, including checking the weather, accessing the internet, looking at photos, playing media, mobile banking, etc. Many apps can access the internet if needed and can be downloaded (used) either for a price or for free. Apps are a major point of vulnerability on all devices. Some are designed to be malicious, such as logging keystrokes or activity, and others can even transport malware. Always be careful about any app you are thinking about installing.) are properly segregated from the rest of the network.
• Regularly review and remove user permissions that are no longer required, to limit malware’s ability to spread. Malware can only spread to places on your network that infected users’ accounts have access to.
• System Administrators should avoid using their administrator accounts for email and web browsing, to avoid malware being able to run with their high levels of system privilege.
• Architect your network so that management interfaces are minimally exposed (our blog post on protecting management interfaces may help).
• Practice good asset management, including keeping track of which versions of the software are installed on your devices so that you can target security updates quickly if you need to.
• Keep your infrastructure patched, just as you keep your devices patched and prioritize devices performing a security-related function on your network (such as firewalls), and anything on your network boundary.
• Develop an incident response plan and exercise it.

Steps to take if your organization is already infected

If your organization has already been infected with malware, these steps may help limit the impact of the infection.

• Immediately disconnect the infected computers, laptops, or tablets from all network connections, whether wired, wireless or mobile phone-based.
• Consider whether turning off your Wi-Fi and disabling any core network connections (including switches) might be necessary in a very serious case.
• Reset credentials including passwords (especially for administrators) – but verify that you are not locking yourself out of systems that are needed for recovery.
• Safely wipe the infected devices and reinstall the operating system.
• Before you restore from a backup, verify that it is free from malware and ransomware. You should only restore from a backup if you are very confident that the backup is clean.
• Connect devices to a clean network in order to download, install, and update the operating system and all other software.
• Install, update, and run antivirus software.
• Reconnect to your network.
• Monitor network traffic and run antivirus scans to identify if any infection remains.

Note: Files encrypted by most ransomware have no way of being decrypted by anyone other than the attacker. Don’t waste your time or money on services that promise to do it. In some cases, security professionals have produced tools that can decrypt files due to weaknesses in the malware (which may be able to recover some data), but you should take precautions before running unknown tools on your devices.

Further Advice

IN THE UNITED KINGDOM

• The National Crime Agency encourages anyone who thinks they may have been subject to online fraud to contact Action Fraud at https://www.actionfraud.police.uk.
• The National Cyber Security Centre (NCSC) runs a commercial scheme called Cyber Incident Response, where certified companies provide crisis support to affected organizations.
• The Cyber Security Information Sharing Partnership (CiSP) offers organizations in the UK a safe portal in which to discuss and share intelligence that can assist the community and raise the UK’s cyber resilienceResilience Is the capacity to recover quickly from difficulties; toughness. Psychological resilience is the ability to mentally or emotionally cope with a crisis or to return to pre-crisis status quickly. Resilience exists when the person uses "mental processes and behaviors in promoting personal assets and protecting self from the potential negative effects of stressors". In simpler terms, psychological resilience exists in people who develop psychological and behavioral capabilities that allow them to remain calm during crises/chaos and to move on from the incident without long-term negative consequences. In popular accounts, psychological resilience is sometimes likened to a "psychological immune system".. We encourage our members to share technical information and indicators of compromise so that the effects of new malware, and particularly ransomware, can be largely reduced.
• You may also wish to consider the Cyber Essentials certification scheme (which covers a number of these mitigations) so your customers and partners can see that you have addressed these risks. Many of these mitigations also work well against other types of attacks, such as phishing.
• Consider following the NCSC guidance on protecting your organization from phishing attacks.
• Learn more here: https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks

IN THE UNITED STATES

• Contact your local FBIFBI FBI - Federal Bureau of Investigation The Federal Bureau of Investigation (FBI) is the domestic intelligence and security service of the United States and its principal federal law enforcement agency. Operating under the jurisdiction of the United States Department of Justice, the FBI is also a member of the U.S. Intelligence Community and reports to both the Attorney General and the Director of National Intelligence. A leading U.S. counter-terrorism, counterintelligence, and criminal investigative organization, the FBI has jurisdiction over violations of more than 200 categories of federal crimes, including financial fraud. office immediately to report the ransomware attack and follow their guidance.
• If you are able to recover be sure to report the ransomware attack on the FBI’s www.IC3.gov

 

 

TAGS: SCARS, Important Article, Information About Scams, Anti-Scam, Scams, Scammers, Fraudsters, Cybercrime, Crybercriminals, Ransomeware, Scam Victims, Malware, Ransomware Attack, Infection

 

 

 

 

 

The Latest SCARS Posts: