This short article walks through the ransomware attack cycle phase by phase, so that you are better prepared to protect your computer against this fast-evolving type of malware.
Phase 1. Exploitation and Infection
To infect your PC with ransomware, the attackers first need to get the malicious file onto your computer and have it executed. This is typically done through a phishing email that contains a malicious download link or an attachment dressed up as a credit report, a DHL or USPS delivery notification, an invoice, a debt-collection notice or something similarly attention-grabbing. Ransomware can also reach your computer through an exploit kit hosted on a compromised website, bundled with freeware and adware applications, or via spam Facebook messages with attached images or videos. It can also arrive as a payload downloaded by other malware already running on the machine.
Sources of ransomware infections
Phase 2. Delivery and Execution
During this phase the ransomware executable is delivered to and installed on your system. Victims often fail to notice the malicious files, because ransomware may disguise itself as legitimate software. Upon execution, persistence mechanisms (for example autorun entries that relaunch the malware after a reboot) are put in place.
A sample of ransomware infiltration and execution process
Phase 3. Backup Elimination
Within seconds of infiltration, the ransomware targets the restore points and backup files on your system (on Windows typically by deleting Volume Shadow Copies and disabling startup recovery) and removes them so that files cannot be restored from local backups. If, however, you keep backups of your valuable data on cloud storage or an external hard drive, you can recover the encrypted files from there, provided the backup is not reachable from the infected machine at the time: a permanently connected external drive or a continuously synced cloud folder can be encrypted along with everything else. A regularly updated backup that is kept offline or versioned is the single most effective protection against any ransomware, however advanced.
Statistics: How often users make backups
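The backup-elimination step leaves a recognisable trace in process-creation telemetry, and that is usually the earliest point at which an endpoint can stop the attack. The following Go program is an added example, not code from the original article: it runs a handful of detection rules for the recovery-inhibition commands ransomware commonly issues (vssadmin, wmic, bcdedit, wbadmin and the PowerShell WMI equivalent) over constructed process-creation log lines. The `cmd="..."` log format, the host names and the sample command lines are all assumptions made for the example; a legitimate `vssadmin list shadows` query is included to show that only deletion and recovery-disabling commands fire.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records which rule fired on which (normalised) command line.
type Finding struct {
	Rule string
	Cmd  string
}

// rule pairs a short name with a case-insensitive pattern over the command line.
type rule struct {
	name    string
	pattern *regexp.Regexp
}

// Commands used to wipe or disable local recovery points (ATT&CK T1490, Inhibit System Recovery).
var recoveryInhibitionRules = []rule{
	{"vssadmin-delete-shadows", regexp.MustCompile(`(?i)\bvssadmin(\.exe)?\s+delete\s+shadows\b`)},
	{"vssadmin-resize-shadowstorage", regexp.MustCompile(`(?i)\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b`)},
	{"wmic-shadowcopy-delete", regexp.MustCompile(`(?i)\bwmic(\.exe)?\s+shadowcopy\s+delete\b`)},
	{"powershell-shadowcopy-delete", regexp.MustCompile(`(?i)win32_shadowcopy.*\.delete\(\)`)},
	{"bcdedit-disable-recovery", regexp.MustCompile(`(?i)\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)`)},
	{"wbadmin-delete-backups", regexp.MustCompile(`(?i)\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)\b`)},
}

// cmdField pulls the cmd="..." value out of a key=value event line (assumed log format).
var cmdField = regexp.MustCompile(`cmd="([^"]*)"`)

// SampleEvents are constructed process-creation records, not real telemetry.
var SampleEvents = []string{
	`2024-05-01T10:02:11Z host=WS01 pid=4120 image=C:\Windows\System32\vssadmin.exe cmd="vssadmin list shadows"`,
	`2024-05-01T10:02:13Z host=WS01 pid=4133 image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe   Delete   Shadows /All /Quiet"`,
	`2024-05-01T10:02:13Z host=WS01 pid=4134 image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic shadowcopy delete"`,
	`2024-05-01T10:02:14Z host=WS01 pid=4135 image=C:\Windows\System32\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled No"`,
	`2024-05-01T10:02:14Z host=WS01 pid=4136 image=C:\Windows\System32\wbadmin.exe cmd="wbadmin delete catalog -quiet"`,
	`2024-05-01T10:02:15Z host=WS01 pid=4137 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"`,
	`2024-05-01T10:03:40Z host=WS01 pid=4201 image=C:\Windows\System32\notepad.exe cmd="notepad.exe C:\Users\alice\notes.txt"`,
}

// DetectBackupTampering returns one finding per event whose command line matches
// a recovery-inhibition rule. Runs of whitespace are collapsed first so that
// padding tricks such as "Delete   Shadows" do not slip past the patterns.
func DetectBackupTampering(events []string) []Finding {
	var findings []Finding
	for _, ev := range events {
		m := cmdField.FindStringSubmatch(ev)
		if m == nil {
			continue // no command line in this record
		}
		cmd := strings.Join(strings.Fields(m[1]), " ")
		for _, r := range recoveryInhibitionRules {
			if r.pattern.MatchString(cmd) {
				findings = append(findings, Finding{Rule: r.name, Cmd: cmd})
				break // one finding per event is enough
			}
		}
	}
	return findings
}

func main() {
	for _, f := range DetectBackupTampering(SampleEvents) {
		fmt.Printf("%-32s %s\n", f.Rule, f.Cmd)
	}
}
```

Five of the seven constructed events fire; the shadow-copy listing and the notepad launch do not. In a real deployment the same rules map directly onto Sysmon Event ID 1 or Windows Security 4688 command-line fields, and a match on any of them from a user's workstation deserves an immediate response rather than a ticket.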
Phase 4. File Encryption
Once the victim's backups have been removed, the ransomware obtains the encryption keys it will use on the infected system. The usual scheme is hybrid: each file is encrypted with a symmetric key (for example AES), and that key is in turn encrypted with an RSA public key that is either embedded in the sample or exchanged with the command and control (C&C) server. The matching private key never leaves the attackers' side, which is what makes the files unrecoverable without their cooperation.
A sample of files encrypted by .Aesir ransomware
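To make the key handling concrete, here is an added example of the hybrid scheme described above, written for this article and not taken from any ransomware family: a per-file AES-256-GCM key is wrapped with an RSA-2048 public key (RSA-OAEP), and unwrapping it with any key other than the attacker's private key fails. It operates on an in-memory byte slice labelled as constructed sample content rather than on real files; the function names and the choice of AES-GCM and OAEP with SHA-256 are assumptions made for the example, since families differ in exactly which primitives they use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// EncryptedFile is what replaces the original on disk: the ciphertext plus
// the file key, wrapped with the attacker's public key.
type EncryptedFile struct {
	WrappedKey []byte // RSA-OAEP(pub, fileKey)
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-256-GCM(fileKey, plaintext)
}

// GenerateAttackerKeypair models the key pair held on the attacker side.
// Only the public half is ever delivered to the victim machine.
func GenerateAttackerKeypair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptFile encrypts one file's contents with a fresh random AES-256 key and
// wraps that key with the attacker's RSA public key (hybrid/envelope encryption).
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// The file key is the only secret; once wrapped, the plaintext copy is dropped.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// DecryptFile is what the attackers' "decryptor" does once the private key is
// released: unwrap the file key, then open the ciphertext. With any other private
// key the OAEP unwrap fails and nothing about the plaintext is learned.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong private key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	attacker, _ := GenerateAttackerKeypair()
	victimFile := []byte("Q3 financial report (constructed sample content)")
	ef, _ := EncryptFile(&attacker.PublicKey, victimFile)
	fmt.Printf("encrypted %d bytes; wrapped key is %d bytes\n", len(ef.Ciphertext), len(ef.WrappedKey))

	// The victim holds only the ciphertext and the wrapped key; a different key fails.
	wrong, _ := GenerateAttackerKeypair()
	if _, err := DecryptFile(wrong, ef); err != nil {
		fmt.Println("decrypt with wrong key:", err)
	}
	pt, _ := DecryptFile(attacker, ef)
	fmt.Println("decrypt with attacker key:", string(pt))
}
```

The point of the example is the asymmetry: everything needed to encrypt (the public key) can safely sit on the victim's machine, while the single secret that undoes it never has to touch the machine at all. That is also why memory forensics on the infected host rarely helps once encryption has finished; the per-file AES keys are discarded as soon as they are wrapped.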
Phase 5. User Notification
With the restore files removed and the encryption complete, the user is presented with instructions for paying the ransom. Quite often the victim is given only a few days to pay, in Bitcoin. Some of the more professional ransomware operations even include 24/7 online "tech support" that helps victims set up a Bitcoin wallet, make the payment or resolve other issues.
A sample of Sage ransomware notification
Phase 6. To Pay or Not To Pay?
Unfortunately, most recent file-encrypting ransomware has no working free decryption solution, although it is worth checking whether security vendors have published a decryptor for the specific family before deciding anything. Loosely speaking, if you don't pay the attackers for a copy of the decryption key, your important files may stay locked forever.
On the other hand, in the model described here the ransomware creators do not steal your files and hold no copies of them. They hold only the private key that unlocks the encrypted files on your own PC. So first of all, decide how much the encrypted files are worth to you or your business. If you have no backups and you lose or break your laptop, you are in the same bad situation. If the encrypted files are extremely valuable and important to you, paying the ransom is a risk decision you may choose to make, but it is much better not to pay the crooks.
In many cases, even after paying a large ransom, victims still do not receive a working key to unlock their files. According to Kaspersky Lab statistics, one in five victims who paid the ransom never got their files back. Remember: if you pay the ransom, you directly contribute to the financial success of cyber crime.