Finding ransomware...
Today, ransomware is one of the most serious threats enterprises face. It locks up large amounts of valuable data, and the ransoms paid to recover that data are considerable. Cyphort has summarized a series of ransomware behavior characteristics, hoping to help everyone take the initiative in the fight against ransomware.
Jigsaw: Deleting files at regular intervals creates a sense of urgency that pushes victims to pay the ransom faster. Jigsaw ransomware deletes one encrypted file from the computer for every hour that the ransom goes unpaid, and files deleted this way cannot be recovered even if the ransom is paid later. In addition, Jigsaw deletes a further 1,000 files every time the victim restarts the computer and logs in to Windows.
Petya: To encrypt the entire drive, Petya ransomware directly encrypts the Master File Table (MFT), which contains information about the allocation of files and folders.
RansomWeb, Kimcilware: Encrypting Web server data. The RansomWeb and Kimcilware ransomware families both take the unusual approach of attacking Web servers rather than client computers. They infect and encrypt website databases, Web servers and hosted files, and demand that the website's administrators pay a ransom.
DMA Locker, Locky, Cerber and CryptoFortress: Encrypting data on network drives, even unmapped drives. DMA Locker, Locky, Cerber and CryptoFortress all walk through every open Server Message Block (SMB) network share and encrypt any information they find.
Maktub: Maktub ransomware compresses files first to increase encryption speed.
The cloud environment is not safe either: Deleting or overwriting all cloud backups. In the past, backing up data to cloud storage and file-sharing platforms was often the safer choice. However, various new types of ransomware have begun to reach into shared file systems as well.
SimpleLocker: Targeting non-Windows platforms. SimpleLocker can encrypt files on Android and Linux systems, while Linux.Encoder.1 targets Linux, and KeRanger specifically attacks OS X.
Cerber: Using the computer's speakers to deliver voice messages to the victim. Cerber ransomware generates a VBScript named "#DECRYPT MY FILES#.vbs" that makes the computer play random messages to the victim. At present it can only read English, although the decryption website it uses is available in 12 languages. The messages it plays include "Attention! Attention! Attention!" and "Your files, pictures, databases and other important files have been encrypted!"
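A defender's view of two behaviors from this list, the SMB share sweep (DMA Locker, Locky, Cerber, CryptoFortress) and Cerber's "#DECRYPT MY FILES#.vbs" note, as an added example that is not part of the original article: detection logic run over constructed file-event records. The record format, the host and process names, and the threshold and window values are assumptions made for illustration.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-event records (not real telemetry): time host process op path
SAMPLE_EVENTS = r"""
2016-05-02T09:00:01 WS-014 winword.exe write \\fs01\finance\q1.xlsx
2016-05-02T01:00:00 SRV-BK backup.exe write \\fs01\finance\a.bak
2016-05-02T03:00:00 SRV-BK backup.exe write \\fs02\hr\b.bak
2016-05-02T05:00:00 SRV-BK backup.exe write \\fs03\eng\c.bak
2016-05-02T10:15:00 WS-022 invoice.exe write \\fs01\finance\q1.xlsx
2016-05-02T10:15:40 WS-022 invoice.exe write \\fs02\hr\staff.docx
2016-05-02T10:16:05 WS-022 invoice.exe write \\nas07\scans\img001.jpg
2016-05-02T10:17:30 WS-022 invoice.exe create C:\Users\bob\Desktop\#DECRYPT MY FILES#.vbs
"""

NOTE_NAME = "#decryptmyfiles#.vbs"  # note name from the article, spaces and case folded
SHARE_THRESHOLD = 3                 # assumed tuning value: distinct shares per window
WINDOW = timedelta(minutes=5)       # assumed tuning value

def parse(text):
    for line in text.strip().splitlines():
        ts, host, proc, op, path = line.split(None, 4)  # path may contain spaces
        yield datetime.fromisoformat(ts), host, proc.lower(), op, path

def share_of(path):  # \\server\share\dir\file -> \\server\share, otherwise None
    drive, _ = ntpath.splitdrive(path)
    return drive.lower() if drive.startswith("\\\\") else None

def detect(text):
    alerts, writes = set(), defaultdict(list)  # writes: (host, proc) -> [(time, share)]
    for ts, host, proc, op, path in parse(text):
        name = "".join(ntpath.basename(path).split()).lower()
        if op == "create" and name == NOTE_NAME:
            alerts.add((host, proc, "ransom-note"))
        share = share_of(path)
        if op == "write" and share:
            writes[(host, proc)].append((ts, share))
    for (host, proc), items in writes.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {s for t, s in items[i:] if t - start <= WINDOW}
            if len(seen) >= SHARE_THRESHOLD:
                alerts.add((host, proc, "smb-share-sweep"))
                break
    return sorted(alerts)

if __name__ == "__main__":
    print(*detect(SAMPLE_EVENTS), sep="\n")
```

Keying on UNC paths rather than drive letters means writes to shares that were never mapped are counted too. The backup process touches three shares but hours apart, so it stays below the threshold.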
Tox: Ransomware as a service has become a new way to profit on underground forums. Such a service can provide the malicious code and infrastructure, press victims for ransom payments and provide them with decryption keys. Tox ransomware is a prominent representative in this regard.
Original link: The despicable methods that ransomware uses to fool us [Translated by 51CTO. Please indicate the original translator and source as 51CTO.com when reprinting on partner sites]