Ransomware restricts access to data by encrypting files
or locking computer screens. It then attempts to extort money from victims by
asking for a "ransom", usually in the form of cryptocurrencies like
Bitcoin, in exchange for access to the data.
The trend towards increasingly sophisticated malware
behavior, highlighted by the use of exploits and other attack vectors, makes
older platforms much more susceptible to ransomware attacks. From June to
November 2017, Windows 7 devices were 3.4 times more likely to encounter
ransomware compared to Windows 10 devices. Read our latest comprehensive
ransomware report:
prevention capabilities. One of its features, Controlled
folder access, stops ransomware in its tracks by preventing unauthorized
access to your important files. Controlled folder access locks down folders,
allowing only authorized apps to access files. Unauthorized apps, including
ransomware and other malicious executable files, DLLs, and scripts, are denied
access to the protected folders.
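The following PowerShell session is an added example, not code from the original article: it rolls out Controlled folder access the way an administrator would, starting in audit mode, adding folders and an allow-listed application, reviewing the audit events, and only then enforcing. The folder and application paths are constructed placeholders; the Defender event IDs 1123 (blocked) and 1124 (audited) are the ones Windows Defender writes for this feature. Run it from an elevated prompt on Windows 10 Fall Creators Update or later.

```powershell
# Added example (not from the original article): stage Controlled folder access
# in audit mode, review what would have been blocked, then enforce.
# Folder and application paths below are constructed placeholders.

# 1. Audit mode first: legitimate apps that write to protected folders show up
#    in the event log before anything is actually blocked.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect folders beyond the defaults (Documents, Pictures, etc. are covered already).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance', 'D:\Shared\Contracts'

# 3. Allow-list a line-of-business app that legitimately writes there. Anything not
#    on the list, including scripts and DLLs, is denied once enforcement is on.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\LedgerApp.exe'

# 4. Review the last 7 days of Controlled folder access events:
#    1124 = would have been blocked (audit), 1123 = blocked (enforced).
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap

# 5. When the allow list is complete, switch to enforcement and confirm the state.
Set-MpPreference -EnableControlledFolderAccess Enabled
$prefs = Get-MpPreference
[PSCustomObject]@{
    Mode             = $prefs.EnableControlledFolderAccess   # 1 = Enabled, 2 = AuditMode
    ProtectedFolders = $prefs.ControlledFolderAccessProtectedFolders
    AllowedApps      = $prefs.ControlledFolderAccessAllowedApplications
}
```

The audit-first sequence matters: a backup agent or document management client that is not on the allow list will be blocked from the protected folders the moment enforcement is switched on, so step 4 is where those apps are discovered and added.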
What does ransomware do?
Most ransomware today encrypt files using known
encryption algorithms like RSA or RC4, or custom encryption.
Ransomware like Cerber and Locky search
for and encrypt target file types, which are usually document and media files.
When the encryption is complete, the malware leaves a ransom note, which can be
a text, image, or HTML file with instructions to pay a ransom in order to
recover files.
More sophisticated ransomware like Spora, WannaCrypt (also
known as WannaCry), and Petya (also
referred to as NotPetya) include other capabilities, such as spreading to other
computers via network shares or exploits.
On October 24, 2017, a new ransomware called Ransom:Win32/Tibbar.A (also
known as Bad Rabbit) was discovered attempting to spread across networks using
hardcoded usernames and passwords in brute force attacks.
Older ransomware like Reveton don't
encrypt files but instead lock screens. They do this by displaying a
full-screen image and then disabling Task Manager. Files are safe, but they are
effectively inaccessible. The image usually contains a supposed message from
law enforcement that the computer has been used in illegal cybercriminal
activities and that a fine needs to be paid. Because of this, Reveton is
nicknamed "Police Trojan" or "Police ransomware".
How does a ransomware infection occur?
A typical ransomware infection can begin with any of the
following vectors:
Email messages that carry downloader trojans, which
attempt to install ransomware
Websites hosting exploit kits that attempt to use
vulnerabilities in web browsers and other software to install ransomware
More recent ransomware have worm-like capabilities that
enable them to spread to other computers in the network. For instance, Spora
drops ransomware copies in network shares. WannaCrypt exploits the Server
Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue)
to infect other computers. A Petya variant exploits the same vulnerability, in
addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen
credentials to move laterally across affected networks.
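The worm-like spread described above rode on SMBv1 and on port 445 being reachable between machines. The script below is an added example, not part of the original article: it reports whether SMBv1 is enabled and whether file-sharing rules are open on the public firewall profile, then disables SMBv1 and adds an inbound block for TCP 445 on public networks. It does not verify patch status for CVE-2017-0144 or CVE-2017-0145; that update still has to be applied through normal patching. Run it elevated on Windows 10.

```powershell
# Added example (not from the original article): audit and reduce the SMB exposure
# that WannaCrypt and the Petya variant used to spread. Run from an elevated prompt.

function Get-SmbExposure {
    # Facts a defender wants: is SMBv1 on, and is inbound SMB open to public networks?
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $publicShareRules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
                       ($_.Profile -match 'Public' -or $_.Profile -eq 'Any') }

    [PSCustomObject]@{
        Smb1ServerEnabled     = $server.EnableSMB1Protocol
        Smb1FeatureState      = $feature.State   # Enabled / Disabled / DisabledWithPayloadRemoved
        PublicInboundSmbRules = @($publicShareRules).Count
    }
}

function Disable-Smb1AndPublicSmb {
    # Turn SMBv1 off at the server level and remove the optional component
    # (a restart completes the removal).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

    # Block inbound SMB (TCP 445) on public networks; SMB should never be reachable there.
    $ruleName = 'Block inbound SMB (public profile)'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
}

Write-Host 'Before:'; Get-SmbExposure
Disable-Smb1AndPublicSmb
Write-Host 'After:';  Get-SmbExposure
```

Disabling SMBv1 breaks nothing on a current Windows network, but old printers, NAS boxes and scanners that only speak SMBv1 will stop working; run Get-SmbExposure across the fleet first so those dependencies surface before the change is pushed.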
How big is the ransomware problem?
Over the last few years, ransomware has rapidly evolved
into one of the most lucrative revenue channels for cybercriminals.
Cybercriminals can launch ransomware attacks using ransomware-as-a-service
(RaaS). RaaS is a cybercriminal business model in which malware creators
sell their ransomware and other services to cybercriminals, who then operate
the ransomware attacks. The business model also defines profit sharing between
the malware creators, ransomware operators, and other parties that may be involved.
For cybercriminals, ransomware is a lucrative business, at the expense of
individuals and businesses.
We observed a downward
trend towards the end of 2016, but the number of ransomware in the wild
started to pick up again in February 2017. In addition, we’re still seeing
significant amounts of email that carry ransomware downloaders. A total of 500M
of these emails are being sent out every quarter, but a lot of them are blocked
from downloading and executing ransomware.
Monthly ransomware and ransomware downloader encounters,
July 2016 to June 2017
Ransomware is a global problem. The US, China, Russia,
Republic of Korea, and Italy saw the most ransomware encounters in the first
six months of 2017.
Geographic distribution of ransomware encounters, January to
June 2017
LockScreen (which is a detection for ransomware that runs on
Android) and Cerber are two of the most widespread ransomware families in the
first half of 2017. WannaCrypt, which caused an outbreak affecting out-of-date
computers in May 2017, was the third most prominent overall. Spora, a family
that emerged in January 2017, immediately became one of the most widespread
ransomware families.
Top ransomware families
Latest notable ransomware families
To know more about the latest ransomware, read the following
posts on the Windows
Security blog:
Details for enterprises and IT professionals
Multiple high-profile incidents have demonstrated that
ransomware can affect enterprise networks. Organizations can be targeted specifically by
attackers, or they can be caught in the wide net cast by cybercriminal
operations. In any case, the impact of ransomware infections in organizations
is higher because the value of files is higher. Attackers can take advantage of
this and demand bigger ransoms when they hit high-profile targets.
Additionally, malware authors have been innovating their
malware code to include behaviors that impact organizations. For
instance, some ransomware can encrypt files found in enterprise environments,
including those found in servers and mapped drives. Newer ransomware also
include capabilities to spread using network drives or by exploiting vulnerabilities.
How do I protect my network from ransomware?
We suggest enterprises take an "assume breach"
mindset. Protect, contain, and isolate your high value assets.
Back up your most important files regularly. Use the
3-2-1 rule. Use OneDrive for Business to back up files daily. You can use your
backup to restore files in the event of an infection. Learn
how.
Use Device
Guard to lock down devices and provide kernel-level
virtualization-based security, allowing only trusted applications to run. This can
effectively prevent ransomware and other dangerous software from executing.
Ransomware infections can begin with email messages that
carry downloader trojans. Office
365 Advanced Threat Protection has machine learning capability that
blocks dangerous email, including the millions of emails carrying ransomware
downloaders.
Additionally, educate your employees so they can identify
social engineering and spear-phishing attacks.
Some ransomware arrive via exploit kits. Keep your
operating system and software up-to-date. Use Microsoft Edge,
which can protect against ransomware by preventing exploit kits from running
and executing ransomware. Using Microsoft
SmartScreen, Microsoft Edge blocks access to malicious websites, such as
those hosting exploit kits.
Harden your endpoints with Windows Defender Antivirus,
which can detect and block ransomware as well as downloader trojans and exploit
kits. To understand how Windows Defender Antivirus can protect your
organization, read about how our
artificial intelligence infrastructure dynamically stopped the Bad Rabbit
ransomware within 14 minutes of the first customer encounter.
Additionally, protect internet-facing servers to prevent infection in this
attack vector.
How do I detect ransomware in my network?
Enable Windows
Defender Antivirus to detect ransomware as well as the exploit kits
and trojan downloaders that install them. It uses cloud-based protection,
helping to protect you from the latest threats.
Windows Defender Antivirus is built into Windows 10 and,
when enabled,
provides real-time protection against threats. Keep Windows Defender Antivirus
and other software up-to-date to
get the latest protection.
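The following PowerShell is an added example, not part of the original article: it checks the Windows Defender Antivirus state the text calls for (service on, real-time protection on, cloud-based protection enabled, signatures current) and turns on whatever is off. Run it from an elevated prompt on Windows 10; the one-day signature age threshold is a chosen value, not a requirement from the article.

```powershell
# Added example (not from the original article): verify and repair the
# Windows Defender Antivirus posture on a Windows 10 machine.

function Test-DefenderPosture {
    $status = Get-MpComputerStatus
    $prefs  = Get-MpPreference
    [PSCustomObject]@{
        ServiceRunning       = $status.AMServiceEnabled
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        BehaviorMonitoring   = $status.BehaviorMonitorEnabled
        CloudProtectionLevel = $prefs.MAPSReporting         # 0 = off, 1 = basic, 2 = advanced
        SampleSubmission     = $prefs.SubmitSamplesConsent  # 0 = prompt, 1 = safe samples, 2 = never, 3 = all
        SignatureAgeDays     = $status.AntivirusSignatureAge
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    }
}

function Repair-DefenderPosture {
    param([int]$MaxSignatureAgeDays = 1)   # threshold chosen for this example
    $p = Test-DefenderPosture
    if (-not $p.RealTimeProtection)    { Set-MpPreference -DisableRealtimeMonitoring $false }
    if ($p.CloudProtectionLevel -lt 2) { Set-MpPreference -MAPSReporting Advanced }
    if ($p.SampleSubmission -eq 2)     { Set-MpPreference -SubmitSamplesConsent SendSafeSamples }
    if ($p.SignatureAgeDays -gt $MaxSignatureAgeDays) { Update-MpSignature }
    Test-DefenderPosture   # return the state after repair
}

Repair-DefenderPosture
```

Cloud-based protection (MAPSReporting at Advanced) is what lets the client block a file Defender has never seen locally, which is exactly the case for a fresh ransomware downloader, so a machine reporting level 0 or 1 here is the first thing to fix.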
How do I respond to ransomware attacks?
Use Windows
Defender Advanced Threat Protection (Windows Defender ATP) to rapidly
respond to ransomware attacks. Windows Defender ATP alerts security operations
teams about suspicious activities. These include alerts for PowerShell command
execution, TOR website connection, launching of self-replicated copies, and
deletion of volume shadow copies. These are behaviors
exhibited by some ransomware families, such as Cerber, and will likely be
exhibited by future ransomware. Evaluate Windows
Defender ATP free of charge.
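The behaviors listed above (shadow copy deletion, suspicious PowerShell execution, Tor connections, a binary launching a copy of itself) can also be flagged from endpoint telemetry you already collect. The script below is an added example, not part of the original article or of Windows Defender ATP: it runs simple detection rules over process and network events. The events are constructed for the example; in production, feed it Sysmon Event ID 1 and 3 records or Security Event ID 4688 records with the same field names, which is an assumption about your collector's schema.

```powershell
# Added example (not from the original article): flag ransomware behaviours
# in process-creation / network-connection events. Sample events are constructed.

function Find-RansomwareBehaviour {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $hits = @()
        $cmd  = "$($Event.CommandLine)".ToLowerInvariant()

        # 1. Volume shadow copy deletion removes the victim's easiest recovery path.
        if (($cmd -match 'vssadmin(\.exe)?\s+delete\s+shadows') -or
            ($cmd -match 'wmic(\.exe)?\s+shadowcopy\s+delete') -or
            ($cmd -match 'win32_shadowcopy' -and $cmd -match 'delete')) {
            $hits += 'ShadowCopyDeletion'
        }
        # 2. PowerShell launched with an encoded, hidden or download-and-run command line.
        if ($Event.Image -match 'powershell(\.exe)?$' -and
            $cmd -match '(-enc(odedcommand)?\s|-w(indowstyle)?\s+hidden|downloadstring)') {
            $hits += 'SuspiciousPowerShell'
        }
        # 3. Self-replication: child has the same file hash as its parent but runs
        #    from a different path (the copy was dropped elsewhere, e.g. %TEMP%).
        if ($Event.Hash -and $Event.Hash -eq $Event.ParentHash -and
            $Event.Image -ne $Event.ParentImage) {
            $hits += 'SelfReplicatedCopy'
        }
        # 4. Connection to a Tor hidden service or a default Tor relay/SOCKS port.
        if ($Event.DestinationHost -match '\.onion$' -or
            $Event.DestinationPort -in 9001, 9030, 9050, 9150) {
            $hits += 'TorConnection'
        }
        if ($hits) {
            [PSCustomObject]@{ Time = $Event.Time; Image = $Event.Image; Indicators = ($hits -join ',') }
        }
    }
}

# Constructed sample events (not real telemetry).
$sample = @(
    [PSCustomObject]@{ Time='09:01'; Image='C:\Windows\System32\vssadmin.exe'; ParentImage='C:\Users\u\AppData\Local\Temp\a.exe'
                       CommandLine='vssadmin.exe delete shadows /all /quiet'; Hash='AAA1'; ParentHash='BBB2' }
    [PSCustomObject]@{ Time='09:02'; Image='C:\Users\u\AppData\Local\Temp\a.exe'; ParentImage='C:\Users\u\Downloads\invoice.exe'
                       CommandLine='a.exe'; Hash='BBB2'; ParentHash='BBB2' }
    [PSCustomObject]@{ Time='09:03'; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage='C:\Windows\System32\cmd.exe'
                       CommandLine='powershell.exe -w hidden -enc SQBFAFgA'; Hash='CCC3'; ParentHash='DDD4' }
    [PSCustomObject]@{ Time='09:04'; Image='C:\Users\u\AppData\Local\Temp\a.exe'; DestinationHost='example.onion'; DestinationPort=443 }
    [PSCustomObject]@{ Time='09:05'; Image='C:\Windows\explorer.exe'; ParentImage='C:\Windows\System32\userinit.exe'
                       CommandLine='explorer.exe'; Hash='EEE5'; ParentHash='FFF6' }   # benign, should not be flagged
)
$sample | Find-RansomwareBehaviour | Format-Table -AutoSize
```

Each rule on its own produces false positives (administrators delete shadow copies, signed tooling runs encoded PowerShell), so the value is in correlation: the same image appearing in ShadowCopyDeletion, SelfReplicatedCopy and TorConnection within minutes is the pattern worth paging on, and that is the kind of sequence the alerts described above are built to surface.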
Details for home users: Frequently asked questions
Ransomware can prevent you from accessing your documents,
photos, and other important files. Ransomware can employ pesky social
engineering tactics to pressure you to pay the ransom. Some ransomware, for
instance, display a countdown showing the time you have left to pay the ransom.
Some ransomware even play an audio file, informing you about the infection and
what to do to get access to files.
How did ransomware get on my PC?
Here are ways in which ransomware can infect your
computer:
Via email: Ransomware may be installed by downloader
trojans attached to spam emails. These email messages employ various social
engineering techniques to get you to open the attachment. They can pretend to
be credit card bills, job applications, or documents from someone important. If
you open the attachment, it installs ransomware on your computer.
From the web: Ransomware may also be downloaded
automatically when you visit certain sites. These sites contain malicious code
known as exploit kits, which take advantage of outdated software to install
ransomware on your computer.
If you suspect that you have ransomware on your PC, you
can submit files
for analysis.
How do I protect my computer against ransomware?
As with all threats, prevention is key. This is
especially true for threats as damaging as ransomware.
You should:
Back up your important files regularly. Consider using
the 3-2-1 rule: make three backup copies, store them in at least two locations, with
at least one offline copy. Use a cloud storage service, like OneDrive, which is fully integrated into
Windows 10, to store an archive of your files. You can try to restore your
files from backup in the event of a ransomware infection.
Install and use an up-to-date antivirus solution. In
Windows 10, Windows Defender Antivirus is built-in and only needs to be
enabled. Learn how.
Don’t click links or open attachments on emails from
people you don’t know or companies you don’t do business with.
Make sure your software is up-to-date to
avoid exploits.
When browsing the Internet, use Microsoft
Edge, which stops exploit kits, blocks pop-ups, and uses Microsoft
SmartScreen to block malicious URLs.
For more tips, see: Help prevent
malware infection on your PC.
How do I remove ransomware from my PC?
Method 1: Use the Microsoft Safety Scanner in safe mode
Download a copy of the Microsoft Safety
Scanner using a clean, non-infected PC. Copy the downloaded file to a
blank USB drive or CD, and then insert it into the infected PC.
Try to restart your PC in safe mode:
When you're in safe mode, run the Microsoft Safety
Scanner.
Method 2: Use Windows Defender Offline
If you are unable to download or run Microsoft Safety
Scanner, use the free standalone tool Windows
Defender Offline. Download a copy of Windows Defender Offline using a
clean, non-infected PC. Insert a blank USB flash drive or CD into the PC. When
you run Windows Defender Offline, you will be prompted to install the tool on
the USB flash drive or CD.
Once Windows Defender Offline is installed on the
removable media, insert it into the infected PC, then restart. You will then be
prompted to run the Windows Defender Offline tool.
Should I pay the ransom? How do I get my files back?
Paying the ransom does not guarantee that you will be
able to decrypt your files. In some cases, paying the ransom can make you a
target for more malware attacks.
Restore from an offline backup
Before you try to restore files, make sure you have
removed all ransomware infections from your PC. Use Windows Defender Antivirus
to do a full scan of your computer.
You can then try to restore your files from an offline
backup.
Restore from OneDrive
If you’re using OneDrive, you can try to restore older
versions of your files.
As part of its security
features, OneDrive creates an online backup of Microsoft Office files when
you save or change the file.
To see if there are older versions of your file, go
to OneDrive on the web.
Right-click on a file you want to restore and click Version history.
Restore using File History
If you have File History (or System Protection in older
Windows versions) enabled,
you can try to restore files.
Note, however, that some ransomware also encrypt or
delete backups of your files. This means that even if you have File History
enabled, but you have configured it to back up files on a local drive, your
backups might be encrypted. If you have backups on a removable drive or a
network drive that wasn’t connected when your PC was infected, try to restore
from those backups instead.
What should I do if I’ve already paid?
You should contact your bank and your local authorities,
such as the police. If you paid with a credit card, your bank may be able to
block the transaction and return your money.
The following government-initiated fraud and scam
reporting websites may also help:
In Australia, go to the SCAMwatch website
In Canada, go to the Canadian Anti-Fraud
Centre
In France, go to the Agence nationale de la sécurité des systèmes
d'information website
In Germany, go to the Bundesamt für Sicherheit
in der Informationstechnik website
In Ireland, go to the An
Garda Síochána website
In New Zealand, go to the Consumer
Affairs Scams website
In the United Kingdom, go to the Action Fraud website
In the United States, go to the On
Guard Online website
If your country or region isn't listed here, we encourage
you to contact your country's federal police or communications authority.