
When should organizations pay the attackers for ransomware removal?

September 13, 2018, by Martin

We have said several times that a ransomware target must not engage with the attackers or pay them for ransomware removal, and law enforcement agencies advise the same. Ransomware operators are criminals, so there is no way to guarantee that they will hand over the decryption key once the ransom is paid.

Nevertheless, even knowing this, organizations do pay extortion money to cryptovirological operators, and in most cases they receive a working decrypter from the attackers after the ransom payment. Before we outline the situations in which paying the attacker can be considered, keep in mind that it must only be exercised as a last resort.

  • If the ransomware has encrypted data that is not significant to critical operations, the affected organization should focus on carrying out ransomware removal on its own. However, if a critical set of data with no backup has been encrypted, the organization can consider paying the attackers.
  • If ransomware removal measures are taking longer than usual and causing unbearable downtime, the organization can weigh the option of paying the attackers for quick decryption. However, if the organization can sustain the downtime, it is better to stick with professional ransomware removal and restoration.
  • If the organization is not certain of a 100 percent recovery from backups and there is a risk of data loss during ransomware removal, it may be left with no option other than contacting the attackers.
  • If the attack surface is enormous and the targeted company is short of staff, the option of ransom payment can be exercised.

With data backup maintenance and good cybersecurity measures in place, targeted users can avoid this undesirable option of dealing with ransomware.

A New Ransomware Surfaces: CreamPie Ransomware

September 12, 2018, by Martin

Getting hit by ransomware is one of the worst predicaments that can happen to netizens. With the world’s migration to the e-space, the realization that your personal or business data is locked can be haunting for individuals and businesses alike. Recently, a ransomware removal researcher detected a new cyberthreat being discussed in security circles, known as CreamPie Ransomware. Luckily, early analysis has identified it as an underdeveloped release. Despite the inexperience displayed by its creators, the ransomware can still be dangerous for your PC.

Initial Analysis

CreamPie uses malware spam as its distribution mechanism. Malware spam consists of e-mails that carry malicious components. The ransomware embedded in their attachments takes hold of the victim’s PC once the victim performs an action on them.

Once the ransomware has exploited the victim’s naivety to enter the PC, it tinkers with the operating system. On Windows, CreamPie goes on to create its own processes, which run in the background and change keys in the Windows Registry.

Since the Windows Registry configures device drivers, services, the kernel and other OS components, changing its data amounts to gaining control over the victim’s entire PC. As a result, escaping the ransomware by simply restarting the PC or the network is not a viable ransomware removal step.

Ransomware removal experts have concluded that the ransomware uses the Advanced Encryption Standard (AES) to encrypt and lock files. An extension of ‘[[email protected]].CreamPie’ is appended to the affected files.

However, unlike other ransomware, CreamPie fails to drop a ransom note holding the details of the ransom amount and its delivery method. Some ransomware removal experts believe this was a rookie mistake, while others fear that it may be a test release and that a more developed version may appear in the future.

.lockymap: Another variant of PyLocky ransomware

September 11, 2018, by Martin

A team of cybersecurity researchers has discovered a new cryptovirological strain from the PyLocky ransomware family. This strain delivers its payload through executable files attached to phishing emails. The developers of .lockymap ransomware use the AES-256 encryption algorithm to lock down files on affected computers. According to encryption experts, this algorithm is a strong cipher that is also used to protect military-grade equipment.

As soon as the malicious code of .lockymap completes its encryption activity, a ransom note in the form of a text file appears on the screen. Victims are instructed in the note to download the Tor browser in order to purchase the decrypter for ransomware removal. The attackers also offer to restore one encrypted file for free to assure victims that they hold the decryption key. The operators also threaten to double the ransom if victims don’t contact them for ransomware removal within four days of the attack.

Initial investigation suggests that the newly discovered strain also modifies the Windows Registry. It targets the Run and RunOnce keys, creating values there so that the ransomware executes automatically whenever the victim turns on the device.

The .lockymap strain also deletes the data backed up on the device: researchers have identified the commands it executes to delete shadow volume copies. The strain is capable of encrypting more than two dozen file extensions. Apart from encrypting a large number of files on the targeted device, the ransomware’s executable is also stored in several system directories, including Temp, AppData, Local and Roaming. Digital security researchers are still trying to work out specific ransomware removal measures for the .lockymap strain.
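The two behaviours attributed to .lockymap above, autorun values under the Run and RunOnce keys and shadow copy deletion, are both visible in ordinary endpoint telemetry. The Python below is an added example, not code from this post or from any vendor: it scans a constructed list of Sysmon-style registry and process-creation events (the event field names and the sample paths are assumptions) and flags autorun entries that point into user-writable directories such as Temp, AppData, Local and Roaming, as well as command lines that delete volume shadow copies.

```python
"""Added example: flag Run/RunOnce autorun persistence and shadow copy
deletion in Sysmon-style endpoint events. The event dicts are constructed
for this example; the field names (type, id, key, value, cmdline) are
assumptions, not a real product's schema."""
import re
from dataclasses import dataclass

# HKCU/HKLM ...\CurrentVersion\Run or \RunOnce, with or without a value name
AUTORUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)(\\|$)", re.IGNORECASE)
# Drop locations named in the post; autoruns that point here rank high
USER_WRITABLE = re.compile(r"\\(Temp|AppData\\(Local|Roaming))\\", re.IGNORECASE)
# Command lines that remove shadow volume copies (standard detection content)
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
]


@dataclass
class Finding:
    rule: str
    event_id: int
    severity: str
    detail: str


def autorun_severity(image_path: str) -> str:
    """Autorun values pointing into user-writable locations are the ones
    droppers use; anything else is 'low' and left for analyst review."""
    return "high" if USER_WRITABLE.search(image_path) else "low"


def deletes_shadow_copies(cmdline: str) -> bool:
    return any(p.search(cmdline) for p in SHADOW_DELETE)


def scan(events) -> list[Finding]:
    """Return one Finding per event that matches either rule."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set" and AUTORUN_KEY.search(ev["key"]):
            findings.append(Finding("autorun_persistence", ev["id"],
                                    autorun_severity(ev["value"]),
                                    f"{ev['key']} -> {ev['value']}"))
        elif ev["type"] == "process_create" and deletes_shadow_copies(ev["cmdline"]):
            findings.append(Finding("shadow_copy_deletion", ev["id"], "high",
                                    ev["cmdline"]))
    return findings


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"type": "registry_set", "id": 1,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "value": r"C:\Users\alice\AppData\Roaming\winupd.exe"},
    {"type": "registry_set", "id": 2,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup",
     "value": r"C:\Program Files\Vendor\setup.exe"},
    {"type": "registry_set", "id": 3,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "value": "1"},
    {"type": "process_create", "id": 4,
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process_create", "id": 5, "cmdline": "vssadmin.exe list shadows"},
    {"type": "process_create", "id": 6,
     "cmdline": r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] event {f.event_id}: {f.rule}: {f.detail}")
```

Run on the sample, the scanner reports the autorun entry under the user's Roaming profile as high, the RunOnce entry pointing into Program Files as low (legitimate installers use it too), and the shadow copy deletion as high, while the plain `vssadmin list shadows` query and the Explorer setting go unflagged. In a real deployment the same two rules map directly onto registry and process-creation events from Sysmon or an EDR agent.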

WannaCry variant hits iPhone chipmakers

September 10, 2018, by Martin

Last month, an iPhone chipmaker in Taiwan sustained a cyber attack and had to halt its manufacturing process. At first, the company’s security team could not determine the nature of the attack. After weeks of investigation, however, they have attributed the shutdown of the manufacturing plant to a WannaCry variant.

The ransomware attack on the official chipmaker for Apple is another indication that cryptovirology can be a truly deadly weapon in the hands of cybercriminals. It is still unclear whether Apple will continue to work with the affected company. The company has completed its ransomware removal work and production is back at full capacity. Nevertheless, the ransomware attack has damaged the company’s reputation beyond repair.

The company hasn’t issued any public statement about how the attack happened or what the attackers demanded for ransomware removal. So, security experts can’t say which WannaCry variant infiltrated the chipmaker’s networks or how the attack transpired.

The second advent of WannaCry

We all know how WannaCry wreaked havoc in the digital world last year by simultaneously affecting hundreds of thousands of devices. But after that colossal cryptovirological campaign, it seemed as if the WannaCry operators had gone into hibernation.

Nevertheless, the ransomware family is welcoming a new WannaCry variant. A couple of months ago, WannaCry operators targeted a Boeing operational facility in the US. Both of these WannaCry attacks are linked to two of the top Fortune 500 companies.

There is no reimbursement for reputation

Companies affected by ransomware attacks face irreversible damage to their brand reputation. For them, paying the attackers for ransomware removal or doing it on their own is not a problem by any means. However, they can’t afford to be tagged as a ‘victim of a cyber attack’.

Ransomware Named After Barack Obama is Discovered

September 7, 2018, by Martin

It is normal for cybersecurity experts to discover strange things on the World Wide Web. In the domain of cryptovirology in particular, a new strain is discovered every other day, and many of these strains have really odd and inexplicable features. For instance, a team of malware hunters has recently discovered a cryptovirological strain that its operators named ‘Barack Obama’s Everlasting Blue Blackmail Virus’. A picture of the former president appears on the screen as soon as the ransomware completes its encryption activity.

Along with the picture of Obama, a body of text appears on the screen containing the attackers’ email address. The note, however, doesn’t mention the amount of money demanded by the operators for ransomware removal.

The Barack Obama Virus is not an amateur attempt

Even though the name and imagery of this ransomware give the impression that it might be the work of some rookie cryptovirological developer, that is not the case. Security experts reached that conclusion after assessing the strain’s activity. For instance, as soon as the strain infiltrates a device, it executes multiple commands to stop security processes run by antivirus applications.

Apart from that, the strain is designed to encrypt only executable files, so only files with the ‘.exe’ extension are affected. The infiltration goes so deep that even the executables in the Windows folder are not spared, which can disrupt the regular functioning of the operating system.

It is still unclear whether the attackers have developed a decryption key for ransomware removal. Meanwhile, security researchers are still examining the ransomware’s encryption algorithm. It will certainly take some time to come up with an effective ransomware removal measure for this cryptovirological strain.

Riverside Ransomware Attack Was More Severe Than Initial Estimates

September 6, 2018, by Martin

This year, we have seen a growing trend of cryptovirological operators targeting local governments and public-sector departments. In the same vein, the Riverside Police Department sustained a ransomware attack in April, resulting in the shutdown of the department’s records management system, the platform used to write and store investigation reports.

While cybersecurity experts were dealing with ransomware removal, the department temporarily used databases stored on the state’s law enforcement gateway. The city police used the gateway for four days until ransomware removal was complete.

A new investigation reveals startling details

According to the public statement issued by the Chief of City Police soon after the incident, the ransomware attack left the department unable to retrieve and print past reports. This hiccup delayed progress on several ongoing investigations.

But a recent report suggests that the damage from the ransomware was not limited to the unavailability of past records. According to the newly surfaced information, the entire digital front of the department went offline after the attack. Law enforcement personnel couldn’t file real-time reports and incidents on the department’s digital platform.

Therefore, the police had to resort to handwritten reports while security researchers were busy disinfecting the system through ransomware removal measures. It is, in fact, a shocking revelation that the entire city department went offline. Law enforcement services were not discontinued for a single minute, thanks to the diligent officers of Riverside Police. However, the relegation to manual reporting badly hit the day-to-day performance of the department.

The key takeaway from the Riverside attack is rather simple: a cryptovirological attack can disrupt public services across entire cities and municipalities.

The Spiraling Recovery Cost of the Wasaga Beach Ransomware Attack

September 5, 2018, by Martin

The municipal office of Wasaga Beach, a town at the southern end of Ontario, suffered a ransomware attack this April. The IT division of the town administration couldn’t pull off ransomware removal on its own. In the end, after extensive negotiations, the town administration paid three Bitcoins to the attackers for decryption; the attackers had initially asked for eleven Bitcoins as extortion money for ransomware removal.

The consultancy firm assessing the incident has concluded that the town’s IT department was not equipped with the expertise required to deal with the complex cryptovirological foundation of the ransomware strain used by the attackers. Therefore, in hindsight, the decision to pay extortion money for the restoration of the locked files was not outright wrong.

An extended delay and spiraling recovery cost

Following the Wasaga Beach attack, the digital arm of the town’s municipal office remained non-operational for several weeks. Initially, the administration couldn’t grasp what had happened because of the unprecedented nature of the attack. Before this incident, the town’s municipal office hadn’t experienced any cyber attack, let alone a cryptovirological one.

After getting over the initial shock, the administration couldn’t decide what approach to take in dealing with the attack. The IT expertise at the disposal of town officials couldn’t neutralize the attack. On the other hand, the route of ransom payment was also thorny, and it took a long time to negotiate the ransom with the attackers.

The town administration has estimated that the incurred downtime, installation of new hardware and third-party consultancy costs have topped $250,000. It is important to note that the money paid to the attackers for ransomware removal is not included in this amount. The IT department has also estimated an additional cost of $50,000-60,000 to get the town’s digital systems fully back on track.

Ransomware-detecting data backup appliance is launched

September 5, 2018, by Martin

A few years ago, when ransomware attacks made their entry into the cyber landscape, digital security experts couldn’t immediately come up with an effective preventive measure to neutralize them. In the beginning, ransomware removal by breaking the encryption of a cryptovirological strain was not that common.

At that time, backups were considered the only viable option to protect your data from the shenanigans of ransomware operators. With time, ransomware operators have also understood that users can neutralize their attacks by maintaining a copy of their data in the form of backups.

Online cloud services have also made it really convenient to back up all important data in real time. The prevalence of backup practices and prompt ransomware removal techniques has significantly affected the commerce of ransomware attacks. Affected users are now less inclined to pay the attackers.

Nevertheless, cybercriminals keep up with the changing times. In order to make backups ineffective, they have begun to launch dormant ransomware strains. These malicious codes infiltrate the system without showing any anomaly. Since no digital security software detects them, dormant ransomware strains are routinely backed up to cloud data centers along with the legitimate data, and when users restore this data, the dormant ransomware starts its malevolent activity.

In order to deal with this new trick, Asigra, a well-known cloud backup platform, has introduced an appliance that can detect dormant malicious code in backup streams. Upon detection, the appliance refuses to back up the infected piece of data and informs the user. This preventive action can help users commence ransomware removal before any encryption activity begins. There is no doubt that the modernization of data backup practices is essential to deal with the menace of ransomware attacks, alongside streamlining ransomware removal measures.

Ryuk Ransomware Collects $640,000 in Ransomware Attacks

August 31, 2018, by Martin

Ransomware removal experts have found a new enemy circling the security space: the Ryuk Ransomware. The cybercriminal team behind Ryuk has so far extorted $640,000 from its victims. The ransomware was first spotted in mid-August. Because it is so new, analysis and investigation are still under way to establish its modus operandi and any links to other cyber threats.

The general view shared by ransomware removal experts is that the cybercriminals behind the ransomware distribute it through careful planning, setting their sights on a single target. The targeted company then faces malicious phishing campaigns. Other infection strategies include the exploitation of weak Remote Desktop Protocol configurations in the victims’ systems.

Ransomware removal expert Mark Lechtik agreed with this analysis and gave his opinion on the ransomware. He explained that the ransomware requires administrator privileges to gain complete control of the affected systems. However, the ransomware itself is not capable of obtaining them, so it needs a separate tool to escalate privileges. Mr. Lechtik has not been able to pinpoint the tool that has helped the team behind Ryuk Ransomware succeed in their nefarious plans.

It is also reported that the ransomware terminates various services and processes on infected systems. A ransomware removal expert from Check Point said that the ransomware shuts down about 180 services and 40 processes.

Unfortunately, ransomware removal experts have not been able to devise a tool to decrypt files affected by the ransomware. The ransomware uses the cryptographic algorithms RSA (Rivest, Shamir and Adleman) and AES (Advanced Encryption Standard) and combines them into a formidable combination that cannot be decrypted. Security experts are continuously trying to find a flaw in the code and design of the ransomware in order to create decryption software.

How Data Management Can Help Deal with a Ransomware Attack

August 30, 2018, by Martin

No matter how good the ransomware removal and recovery measures employed by a company hit by a cryptovirological infiltration, there is no way to avoid downtime. This is particularly true when important data gets encrypted with no backup available. This is why backups and data management applications have become an essential toolkit for organizations dealing with ransomware attacks. While ransomware removal measures are becoming more streamlined with time, developers are also working on effective data management applications to neutralize the threat of ransomware and other cyber attacks.

Recently, a cloud data management company developed an application that provides a holistic response plan against any instance of a ransomware attack. The application is called Radar and contains several layers of defense against cyber mischief.

Constant Monitoring of the Digital Environment

The application constantly monitors your organization’s digital environment to pick up anomalies. Its machine learning capability makes this monitoring more effective: it enables the application to detect the activity of a ransomware variant if it has previously encountered a strain built on a similar encryption platform.
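One concrete form of the anomaly monitoring described above is to watch file activity for the signature of an encryption run: a burst of files rewritten under one new extension with near-random content. The Python below is an added example, not Radar’s code or any vendor’s. It measures the Shannon entropy of written data and raises an alert when enough recent writes in a sliding window change a file’s extension to the same new one while carrying high-entropy content. The sample events, paths and thresholds are constructed for the example.

```python
"""Added example: a small file-activity monitor that flags the pattern of a
ransomware encryption run (many files renamed to one new extension, contents
near-random). Not Radar's code; events, paths and thresholds are constructed."""
import hashlib
import math
from collections import Counter, deque
from typing import Optional


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


class EncryptionBurstMonitor:
    """Keeps the last `window` write events. A write is suspicious when the
    file was renamed to a different extension and its new content has
    entropy >= entropy_threshold. An alert fires once `min_hits` suspicious
    writes in the window share the same new extension."""

    def __init__(self, window: int = 10, min_hits: int = 5,
                 entropy_threshold: float = 7.0):
        self.recent = deque(maxlen=window)
        self.min_hits = min_hits
        self.entropy_threshold = entropy_threshold

    def observe(self, event: dict) -> Optional[dict]:
        ext = file_extension(event["path"])
        old_path = event.get("old_path")
        renamed = old_path is not None and file_extension(old_path) != ext
        suspicious = renamed and shannon_entropy(event["data"]) >= self.entropy_threshold
        self.recent.append(ext if suspicious else None)
        if suspicious:
            hits = sum(1 for e in self.recent if e == ext)
            if hits >= self.min_hits:
                return {"extension": ext, "hits": hits, "last_path": event["path"]}
        return None


def _pseudo_random_bytes(seed: bytes, n: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext or compressed data."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample: six benign writes, then six files rewritten as .locked
TEXT = b"Quarterly sales report. Revenue up 4% quarter over quarter.\n" * 60
BENIGN_EVENTS = [
    {"path": "/srv/share/finance/report1.docx", "data": TEXT},
    {"path": "/srv/share/finance/budget.xlsx", "data": TEXT},
    # benign rename with readable content: extension changes, entropy stays low
    {"path": "/srv/share/finance/notes.txt",
     "old_path": "/srv/share/finance/notes.bak", "data": TEXT},
    # compressed archive: high entropy but no rename, so not suspicious
    {"path": "/srv/share/finance/archive.zip", "data": _pseudo_random_bytes(b"zip", 4096)},
    {"path": "/srv/share/finance/memo.docx", "data": TEXT},
    {"path": "/srv/share/finance/plan.pptx", "data": TEXT},
]
ENCRYPTION_EVENTS = [
    {"path": f"/srv/share/finance/file{i}.docx.locked",
     "old_path": f"/srv/share/finance/file{i}.docx",
     "data": _pseudo_random_bytes(str(i).encode(), 4096)}
    for i in range(6)
]
SAMPLE_EVENTS = BENIGN_EVENTS + ENCRYPTION_EVENTS


def run_sample(events=SAMPLE_EVENTS, **kwargs) -> list:
    """Feed events in order; return (event index, alert) pairs."""
    monitor = EncryptionBurstMonitor(**kwargs)
    alerts = []
    for i, ev in enumerate(events):
        alert = monitor.observe(ev)
        if alert:
            alerts.append((i, alert))
    return alerts


if __name__ == "__main__":
    for i, alert in run_sample():
        print(f"event {i}: {alert['hits']} recent writes to {alert['extension']} "
              f"(last: {alert['last_path']})")
```

Fed the sample stream, the monitor stays silent through the benign writes, including the low-entropy rename and the high-entropy archive, and fires on the fifth `.locked` rewrite, which is the point at which a backup or file-server agent would want to suspend the session and snapshot the share. The two signals are deliberately combined: a rename alone is normal office activity and high entropy alone describes every archive and image, but both together across many files in a short window is the shape of an encryption pass.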

Quick Analysis of the Threat

As soon as the application detects an anomaly, it quickly analyzes the nature and impact of the possible threat. This helps businesses devise the pertinent ransomware recovery and removal measures.

Also Offers Recovery Options

Radar also offers data recovery options that can avert complete business disruption for the affected entities.

As shown, this data management application provides a comprehensive mechanism for dealing with malicious cyber infiltrations. With this application and professional ransomware removal measures in place, companies can devise a winning plan against cyber threats.

© 2019 MonsterCloud.com. All Rights Reserved.