
Let's fight ransomware



1. Ransomware Basics


1.1 What is Ransomware?

Crypto ransomware is a type of malware that encrypts the victim's files and holds the data hostage. It encrypts files, or sometimes the whole hard disk, on the affected machine, as well as files on connected external devices and network drives. The victim is denied access to the data, and the attacker demands a ransom payment in return for the decryption key needed to recover it.


[Screenshots: WannaCry ransomware; CryptoLocker ransomware]


(Figures above) WannaCry and CryptoLocker demanding ransom payment.



1.2 Infection Vector

Crypto ransomware typically infects computers in the following ways:



1. Spam email

Some victims were infected by opening attachments in spam emails. Known types of malicious attachment include compressed files (.zip) containing executable files (.exe) or JavaScript files (.js), and macro-enabled Microsoft Office files. The spam email campaigns were usually generated by botnets.



2. Compromised websites


Some victims were infected by visiting compromised websites. Those websites target computers with unpatched systems or applications, including browsers and plugins.



3. Malvertising


Malvertising is the short form of malicious advertising. Some victims were infected by visiting legitimate websites that display malicious banner ads.



4. Remote access

Some ransomware uses password brute-force attacks against remote access services, e.g. Remote Desktop or TeamViewer, to penetrate the data repository and launch the attack.



5. Self-propagation


While most crypto ransomware is a Trojan that does not spread by itself, some variants have evolved the ability to propagate. Once such ransomware has infected a computer, it tries to infect other devices through networks, USB drives, etc.



1.3 Malware’s Operation


Ransomware encrypts local and network shared files with strong encryption. Targeted file types include documents, images, videos, editable drawing files, database files, digital certificates, game profiles, etc.


After the encryption, the malware sends the encryption key back to the command and control server (C2 server) and leaves an extortion message on the infected computer. It demands a specified amount of ransom in bitcoins in exchange for the decryption key; otherwise, the unique decryption key will be deleted.


Due to the use of strong encryption algorithms in ransomware, the encrypted files cannot be recovered in the absence of the decryption key.


[Screenshots: CryptoWall; CTB-Locker]


(Figures above) CryptoWall and CTB-Locker demanding a ransom payment




1.4 Incident handling of crypto ransomware infection


  1. Isolate and disconnect the infected machine immediately to avoid further impact from the malware.
  2. Download a legitimate cleanup tool and run a full scan to remove the malware.
  3. Restore the files and data from the backup, if backup files are available.
  4. If no backup was made previously, we suggest not restoring the system, to avoid losing information required for decryption.
  5. Report the incident to HKCERT.



1.5 Prevention and Mitigation


  1. Beware of suspicious emails. Do not open attachments, especially compressed files (zip) or executable files (exe).
  2. Install security software and update it to the latest signatures.
  3. Update the system and software, such as Microsoft Windows, Office, Adobe Reader, Flash Player, etc., with the latest security patches.
  4. Minimize the number of users who have domain administrative rights to confine the scope and impact of attacks, and use a normal-privilege account for daily operation.
  5. Back up important documents immediately and regularly. Keep an offline copy of the backup so that it cannot be affected by the malware.
  6. If you are using a cloud backup service, make sure that the cloud service provider has a version history function. It can help to recover files from a previous version, even if the affected files have been synchronized to the cloud.
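
The attachment types named in section 1.2 and in item 1 above can be screened automatically before a message reaches the user. The following is an added example, not part of the original page or any HKCERT tool: the function name, finding strings and sample attachments are constructed for illustration, and it covers only zip containers and OOXML macro files (legacy .doc/.xls macros and nested archives are not inspected).

```python
import io
import zipfile
from pathlib import PurePosixPath

RISKY_EXT = {".exe", ".js"}               # types the page names inside .zip attachments
MACRO_EXT = {".docm", ".xlsm", ".pptm"}   # macro-enabled Office (OOXML) extensions


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons (possibly none) to quarantine an email attachment."""
    findings = []
    ext = PurePosixPath(filename.lower()).suffix  # last suffix, so "a.pdf.exe" -> ".exe"
    if ext in RISKY_EXT:
        findings.append(f"{filename}: executable or script attachment")
    if ext in MACRO_EXT:
        findings.append(f"{filename}: macro-enabled Office extension")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = PurePosixPath(info.filename.lower())
                if member.suffix in RISKY_EXT:
                    findings.append(f"{filename}: contains {info.filename}")
                # OOXML documents are zip containers; VBA macros are stored in
                # vbaProject.bin, so this catches macro files that were renamed.
                if member.name == "vbaproject.bin":
                    findings.append(f"{filename}: embedded VBA macro project")
    except zipfile.BadZipFile:
        findings.append(f"{filename}: malformed zip container")
    return findings


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip; used only to construct the sample attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (harmless placeholder bytes).
SAMPLES = {
    "invoice.zip": make_zip({"invoice.pdf.js": b"// constructed sample"}),
    "report.docm": make_zip({"word/document.xml": b"<w/>", "word/vbaProject.bin": b"\x00"}),
    "notes.zip": make_zip({"notes.txt": b"hello"}),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, triage_attachment(name, blob) or "no findings")
```

A non-empty result is a reason to quarantine the message for review rather than proof of malware; a mail gateway would apply the same checks to each attachment part of a message.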





2. Tools


Useful tools to defend against ransomware attacks can be found here.






3. Resources


3.1 Video Resources



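* Some videos are in Cantonese, with Chinese subtitles only.



10-May-2017: Cybercrime-as-a-service is rampant: guarding against ransomware and email scams
28-Jun-2017: Petwrap Petya global outbreak: five self-protection tips against crypto ransomware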