BlueDog's Home

Preface#

Ransomware is a highly contagious and destructive type of malware that primarily uses various encryption algorithms to encrypt user data, intimidating, coercing, and extorting users for high ransom payments. Recently, the situation regarding ransomware attacks has become even more severe, causing significant impacts on important enterprises in global sectors such as energy and finance. Due to the difficulty in recovering encrypted information and tracking the sources of attacks, ransomware directly affects the normal operation of information systems related to production and daily life. The threat of ransomware in the real world has intensified, becoming a widely recognized cybersecurity challenge globally.

Relevant Background#

The threat of ransomware has become one of the most concerning cybersecurity risks today. The secondary extortion model, which combines information theft and leakage, further deepens the harm caused by ransomware. Attacks targeting individuals, enterprises, government agencies, and various institutions are emerging endlessly, and no one can remain unaffected in the face of ransomware threats. If ransomware incidents can be dealt with promptly and correctly, the losses caused by ransomware can be effectively reduced, preventing the further spread of the virus.

Continuous Increase in Ransomware Attack Incidents#

In the first half of 2021, internationally, there were over 1,200 publicly disclosed ransomware attack incidents globally, which is roughly on par with the total number of ransomware attack incidents disclosed in 2020. Domestically, the National Industrial Internet Security Situation Awareness and Risk Warning Platform monitored and found that the access volume of malicious domains related to ransomware reached 50,500 times, a year-on-year increase of over 10 times. As of the second quarter of 2021, the access volume of malicious domains related to ransomware is shown in the figure below.

Overview of Ransomware#

Typical ransomware includes types such as file encryption, data theft, and disk encryption. Attackers primarily spread ransomware through phishing emails, compromised websites, and other forms, or initiate attacks by exploiting vulnerabilities and remote desktop intrusions, implanting ransomware and carrying out extortion.

(1) Main Types of Ransomware#

1. File Encryption Ransomware This type of ransomware encrypts user files using various encryption algorithms such as RSA and AES, demanding ransom in return. Once infected, it is extremely difficult to recover the files. This type of ransomware is represented by WannaCry, which has been widely imitated by attackers since its large-scale outbreak in 2017. It encrypts files using encryption algorithms and uses dark web communications to return decryption keys, demanding payment in cryptocurrency, thereby concealing the attacker's true identity. File encryption ransomware has become the main type of ransomware currently.

2. Data Theft Ransomware This type of ransomware is similar to file encryption ransomware, usually employing multiple encryption algorithms to encrypt user data. Once infected, it is also very difficult to recover the data. However, during the extortion phase, attackers identify and steal important user data, threatening users with the public disclosure of this data to pay the ransom. According to statistics, as of May 2021, the suspected Conti ransomware had attacked and infected over 300 entities globally, including government departments and key enterprises, stealing and publicly disclosing a large amount of data.

3. System Encryption Ransomware This type of ransomware also encrypts system disk master boot records, volume boot records, etc., using various encryption algorithms, preventing users from accessing the disk, affecting the normal startup and use of user devices, and extorting ransom from users. It can even encrypt all disk data, making recovery difficult once infected. For example, the Petya ransomware, first discovered in 2016, encrypted all data of the attack targets while overwriting disk sectors with embedded master boot record code, directly causing devices to fail to start normally.

4. Screen Locking Ransomware This type of ransomware locks the user's device screen, usually presenting a full-screen image containing ransom information, preventing users from logging in and using the device, or disguising itself as a system blue screen error, thereby extorting ransom. However, this type of ransomware does not encrypt user data, allowing for the possibility of data recovery. For example, the WinLock ransomware locks the user's device screen by disabling key components of the Windows system, requiring users to pay the ransom via SMS.

(2) Typical Spread Methods of Ransomware#

1. Exploiting Security Vulnerabilities Attackers exploit weak passwords, remote code execution, and other security vulnerabilities in network products to invade user internal networks, gain administrator privileges, and actively spread ransomware. Currently, attackers typically exploit publicly disclosed vulnerabilities for which patches have been released, scanning for devices that have not been patched in a timely manner, attacking and deploying ransomware through these vulnerabilities.

2. Spreading via Phishing Emails Attackers embed ransomware within documents, images, and other attachments in phishing emails or write malicious links into the body of phishing emails, spreading ransomware through phishing attacks. Once users open email attachments or click on malicious links, the ransomware will automatically load, install, and run, achieving the goal of executing a ransomware attack.

3. Spreading via Compromised Websites Attackers compromise websites through network attacks, implanting malicious code on the site, or actively building websites containing malicious code to lure users to visit and trigger the malicious code, hijacking the user's current access page to the ransomware download link and executing it, thereby implanting ransomware into user devices.

4. Spreading via Removable Media Attackers hide original files on USB drives, external hard drives, and other removable storage media, creating shortcuts that match the drive letter and icon of the removable storage media. Once users click on these shortcuts, the ransomware automatically runs, or a trojan program specifically designed to collect and return device information runs, facilitating future targeted ransomware attacks.

5. Spreading via Software Supply Chains Attackers exploit the trust relationship between software vendors and software users, attacking and invading relevant servers of software vendors, using software supply chain distribution and update mechanisms to hijack or tamper with legitimate software during normal distribution and upgrade processes, evading user network security protection mechanisms to spread ransomware.

6. Spreading via Remote Desktop Intrusions Attackers typically obtain remote login usernames and passwords for target servers through weak passwords, brute force attacks, and other means, then log into the server via remote desktop protocol and implant ransomware. Once attackers successfully log into the server and gain control, they can use the server as a launchpad to further spread ransomware within the user's internal network.

Current Status of Ransomware Attacks#

In light of recent attack incidents, ransomware attacks are showing new characteristics in terms of targets and methods, while attackers are beginning to construct precise and complex attack chains to launch ransomware attacks.

(1) Recent Characteristics of Ransomware Attacks#

1. Targeting Important Industry Information Systems for Directed Ransomware Attacks. Attackers are targeting industry information systems that carry important data resources, such as energy and healthcare, as "high-value" targets for ransomware attacks, abandoning traditional "scattergun" ransomware dissemination models that lack specific targets, and shifting towards a precise ransomware attack chain that includes reconnaissance, attack intrusion, and virus implantation, such as sniffing networks to find attack entry points and exploiting vulnerabilities to invade, launching targeted attacks on important industry information systems, implanting ransomware, and demanding exorbitant ransoms.

2. Feigning Ransomware Attacks to Conceal Real Network Attack Intentions. Attackers identify key targets and pretend to encrypt data files and carry out extortion, using ransomware to traverse system files, overwrite system boot directories, and perform functions similar to backdoor trojans, feigning ransomware attacks while hiding their true intentions of stealing sensitive information and damaging information systems. Reports indicate that in the attacks by hacker groups like Agrius and Pay2Key, they are believed to have pretended to encrypt data and extort ransom to conceal their direct destructive actions against information systems.

3. Developing Ransomware Specifically for Industrial Control Systems, Increasing Attack Risks for Industrial Enterprises. Attackers develop and upgrade ransomware capable of specifically infecting industrial control systems by integrating vulnerabilities in industrial control system hardware and software or embedding malicious functions that forcibly terminate real-time monitoring and data collection in commonly used systems in the industrial sector, targeting industrial enterprises for attacks, causing serious impacts on production lines and business operations. Additionally, there is also the possibility of utilizing ransomware like REvil and DarkSide to attack industrial enterprises through delivery and implantation.

4. Vulnerability Exploitation Remains the Main Attack Method, Leading to Ransomware Spread from a Single Point to Comprehensive Diffusion. Attackers primarily exploit publicly disclosed vulnerabilities, actively discovering devices that have not been patched in a timely manner through vulnerability scanning and port scanning, using vulnerabilities to "break through" network security defenses, conducting remote attacks, and moving laterally within the target's internal network to expand the scope of ransomware infection and carry out extortion.

5. Using Virtualized Environments as Attack Launchpads for Bidirectional Ransomware Spread. Ransomware attacks are beginning to use virtualized environments as channels, infecting virtual machines, virtual cloud servers, etc., forcibly terminating virtualization processes, or exploiting vulnerabilities in virtualization products and configuration flaws in virtual cloud servers to achieve "escape" from the virtualized environment, thereby spreading ransomware bidirectionally to users and networks.

6. Economic Interests Drive Operational Model Upgrades, Forming an Initial Ransomware Black Industry Chain. Some ransomware attack groups have developed "Ransomware as a Service," providing "plug-and-play" ransomware attack services to group "members," such as purchasing ransomware programs, target system access permissions, or ordering ransomware attack services against specific targets. At the same time, they recruit "partners" in the virus development and attack intrusion stages to increase the success rate of ransomware attacks through "division of labor and cooperation." Reports indicate that the REvil ransomware attack group is responsible for developing the virus, negotiating ransoms, and sharing ransom payments, while their "partners" are responsible for invading target networks.

(2) Typical Ransomware Attack Process#

Focusing on the ransomware attack chain, recent ransomware attack groups implant ransomware and carry out extortion based on successful network attack intrusions. Their typical attack process mainly includes four stages: reconnaissance, attack intrusion, virus implantation, and extortion implementation.

1. Reconnaissance Stage#

1> Collecting Basic Information#

Attackers collect network information, identity information, host information, organizational information, etc., about the attack target through active scanning, phishing, and purchasing on the dark web, laying the foundation for targeted ransomware attacks.

2> Discovering Attack Entry Points#

Attackers discover security vulnerabilities in the target network and system through vulnerability scanning and network sniffing, forming breakthrough points for network attacks. Additionally, referring to typical ransomware spread methods, attackers can also use compromised websites and phishing emails to spread ransomware.

2. Attack Intrusion Stage#

1> Deploying Attack Resources#

Based on discovered remote desktop weak passwords and vulnerabilities in network information systems, deploy corresponding network attack resources, such as MetaSploit, CobaltStrike, RDP Over Tor, etc.

2> Gaining Access Permissions#

Using appropriate network attack tools, obtain access permissions for the target network and system through software supply chain attacks, remote desktop intrusions, etc., and elevate privileges within the organization's internal network through the use of privileged accounts and modification of domain policy settings.

3. Virus Implantation Stage#

1> Implanting Ransomware#

Attackers deploy ransomware through malicious scripts, dynamic link libraries (DLLs), etc., hijacking system execution processes, modifying the registry, obfuscating file information, and other methods to evade detection by security software, ensuring successful implantation and functionality of the ransomware.

2> Expanding the Infection Scope#

Once attackers have invaded the internal network, they implement internal spear-phishing, utilize file sharing protocols, or leverage the worm-like functionality of the ransomware itself to move laterally within the target's internal network, further expanding the scope of ransomware infection and attack impact.

4. Extortion Implementation Stage#

1> Encrypting and Stealing Data#

Attackers run the ransomware to encrypt images, videos, audio, text files, as well as key system files and disk boot records, while also returning sensitive and important files and data discovered based on the type of attack target, facilitating extortion against the target.

2> Loading Ransom Information#

Attackers load ransom information to coerce the attack target into paying the ransom. Typically, ransom information includes contact details for the attackers via dark web forums, cryptocurrency wallet addresses for ransom payments, and methods to obtain decryption tools upon payment.

Ransomware Attack Security Protection Measures#

1. Ransomware Attack Security Protection Framework#

Different security measures play varying roles at different stages of ransomware attacks. By sorting typical security protection measures for ransomware, mapping them to the four stages of ransomware attacks according to core protection measures (●), important protection measures (◎), and general protection measures (○), a ransomware attack security protection framework is constructed. Users are advised to choose appropriate protection measures based on their own situations to prevent and mitigate ransomware attack risks.

1. Core Protection Measures These measures play a core protective role at specific stages of ransomware attacks, effectively blocking ransomware attack behaviors or completely eliminating specific impacts caused by ransomware attacks. For example, data backup and recovery primarily target the extortion phase of ransomware attacks, eliminating the impacts of data loss caused by ransomware encryption and data theft through pre-attack data backups and post-attack data recovery.

2. Important Protection Measures These measures play important protective roles at specific stages of ransomware attacks, but compared to core protection measures, they do not fully prevent or respond to ransomware attacks. For example, implementing appropriate security management measures, such as strict network isolation and access control, plays a core protective role in preventing attackers from gaining access permissions and conducting attacks. However, during the reconnaissance phase, attackers may employ various methods such as active network probing and dark web purchases, where security management may not fully prevent or respond effectively, thus playing an important protective role.

3. General Protection Measures These measures play a general protective role at specific stages of ransomware attacks, but compared to core and important protection measures, they can only provide a limited level of prevention against ransomware attacks. For example, formulating emergency plans primarily targets situations where attackers have begun implementing ransomware attacks, clarifying emergency response mechanisms and processes. In cases where ransomware attacks have been detected, the emergency plan should be activated, and measures should be taken to respond to attack risks. However, before ransomware attacks occur, security protection measures mainly focus on prevention, so formulating emergency plans plays a general protective role before attackers formally implement attacks.

2. Practical References for Ransomware Attack Security Protection#

To prevent and mitigate attack risks, typical ransomware attack security protection measures and practices are categorized into three stages: "before, during, and after" the attack, focusing on management and technical aspects.

1> Before: Strengthening Preventive Foundations#

(1) Formulating a Cybersecurity Emergency Plan Establish an internal emergency organizational system and management mechanism covering cybersecurity emergencies such as ransomware attacks, enhancing the overall management of ransomware attack responses, and clarifying work principles, responsibilities, emergency processes, and key measures. Once a ransomware attack occurs, immediately activate the internal cybersecurity emergency plan and promptly carry out emergency response work according to plan requirements to ensure effective control, reduction, and elimination of the impacts of ransomware attacks.

• Responsibilities: Clearly define specific responsibilities and divisions of labor within the internal cybersecurity emergency plan, establishing an emergency organizational system covering cybersecurity emergencies such as ransomware attacks, typically led by specific departments within the organization, coordinating internal related departments to identify risks, strengthen prevention, and ensure effective emergency response from organizational and personal safety perspectives.
• Emergency Processes: Clearly define emergency processes and main work contents for cybersecurity emergencies, including ransomware attacks. The emergency process for ransomware attacks typically includes but is not limited to immediately isolating infected devices, investigating the infection scope of major business systems, and utilizing backup data for data recovery.
• Key Measures: Clearly define key measures for emergency responses to cybersecurity emergencies, including but not limited to regularly organizing cybersecurity drills, establishing professional technical means for cybersecurity monitoring and response, strengthening the construction of technical support teams for cybersecurity emergency responses, reserving emergency equipment for vulnerability detection and network scanning, and conducting cybersecurity emergency training.

(2) Strengthening Internal Cybersecurity Management Implement measures in areas such as network isolation and asset management, such as physical and logical network isolation, timely updates of antivirus software and vulnerability patches, avoiding exposure of critical information systems on the internet, signing agreements with vendors to clarify security responsibilities and obligations, and reviewing the service situations provided by vendors.

• Network Isolation: Use reasonable network segmentation to limit the invasion and spread of ransomware. For example, segment the network into isolation zones, internal network zones, external access zones, and internal server zones based on different business needs, and restrict network access between different segments. Within the same segment, use virtual LAN technology to isolate assets of different departments, reducing the possibility of ransomware further spreading within the internal network due to a single infected device.
• Access Control: Set strict access permissions for critical business systems within the organization, such as opening necessary access permissions based on the principle of least privilege and setting access control rules according to access control policies. Timely update access control rules, deleting redundant or invalid access control rules, such as regularly reviewing open access permissions and promptly removing permissions retained due to personnel departures or asset IP changes.
• Asset Management: Investigate the exposure of organizational assets, clarify the true scope of exposed assets, covering assets of subsidiaries, lower-level institutions, etc., and conduct asset reviews based on actual situations, such as weekly, monthly, or semi-annually. At the same time, minimize exposure of assets on the internet based on the principle of least privilege, especially avoiding exposure of critical business systems, databases, and other core information systems on the internet.
• Vulnerability Scanning: Conduct vulnerability scanning on organizational assets, and promptly patch any discovered security vulnerabilities. For devices and products used for vulnerability scanning, manage them centrally, establishing complete and continuous vulnerability discovery and management methods; support importing third-party vulnerability reports and analyzing mainstream vendor vulnerability and configuration check scan results; strengthen the association with vulnerability knowledge bases based on scanned vulnerability results, and timely obtain vulnerability information and solutions.
• Identity Verification: Implement identity identification and verification for users, ensuring that identity identifiers are unique, using two or more identity verification methods such as dynamic passwords, and having the ability to prevent brute-force password cracking. Passwords and other identity verification information should meet complexity requirements and be changed regularly, enforcing periodic mandatory password changes and modifications of factory default passwords. Additionally, regularly assess the security of system passwords using scanning software and hardware to identify and eliminate password security risks.
• Software Management: Standardize the internal software version management mechanism, avoiding the use of pirated or unknown software. Use software risk assessment systems or tools to regularly check the relevant software versions used by critical business systems to avoid security risks caused by outdated software versions. Monitor and block access to "risky websites" based on network traffic to reduce the likelihood of downloading and installing malicious software that could lead to ransomware infections.
• Supply Chain Management: Implement supply chain security risk prevention and control measures, including management of personnel related to the supply chain, lifecycle management of the supply chain, and procurement outsourcing and vendor management. Ensure that the procurement and use of network devices, security products, encryption products, and other products and services comply with national regulations. Sign agreements with selected vendors to clarify the security responsibilities and obligations of all parties in the supply chain, and regularly review and audit the services provided by vendors, controlling any changes in service content.

(3) Deploying Professional Cybersecurity Products Deploy cybersecurity products on the endpoint and network sides, and regularly check device alarm situations. For example, on the endpoint side, install security software with proactive defense capabilities, avoid casually exiting security software, disabling protection functions, or executing release operations, and establish an application software whitelist, promptly maintaining the accuracy, completeness, and timeliness of the whitelist; on the network side, deploy traffic monitoring and blocking devices to strengthen monitoring and tracing of ransomware attack threats.

• Endpoint Side: Deploy antivirus software, endpoint security management systems, and other endpoint security products to detect and eliminate ransomware. Endpoint security products should support protection against brute-force attacks, port scanning, system login protection, and weak password detection; they should support various modes such as cloud-based threat intelligence linkage and local real-time monitoring, and have the capability to specifically eliminate ransomware; they should also have ransomware immunity and application process protection capabilities, such as using file protection products to detect file execution, generation, modification, renaming, etc., and promptly alert and intercept when large numbers of files are traversed, file modification operations occur, or encryption algorithm libraries are called. Use ransomware bait documents to detect malicious modifications to documents and intercept associated processes. For core application data, support driver-level file protection and set compliant process access policies to prevent non-compliant processes from arbitrarily modifying files.
• Network Side: Deploy firewalls, bastion hosts, and other products at the network boundary, allowing only authorized users to access critical business systems, achieving access permission restrictions and management. Link with detection systems to implement ransomware attack alerts through traffic analysis, with firewalls blocking attack IP addresses based on alerts; deploy IPS, UTS, and other traffic monitoring and blocking products to restore traffic samples carrying ransomware, linking with threat intelligence and sandbox analysis to identify and block ransomware during delivery; deploy email security gateways and email threat analysis systems to detect and intercept ransomware delivered via email.
• Central Side: Deploy network security threat management platforms, vulnerability scanning systems, and other products to achieve timely discovery and closed-loop management of security vulnerability threats and weak password risks; deploy network security situational awareness platforms to monitor ransomware attack situations and discover virus transmission clues by collecting and analyzing raw traffic and network alarm information; specifically deploy honeypots for commonly used high-risk vulnerabilities in ransomware attacks to detect lateral transmission behaviors of ransomware, providing early warnings before ransomware reaches real attack targets, while conducting tracing analysis on ransomware and transmission methods captured in the honeypot environment.
• Server Side: Leverage the advantages of server computing and storage resources, based on supporting driver-level file protection and endpoint protection measures against brute-force attacks and port scanning, by deploying bait documents to monitor changes to bait documents in real-time. Based on the MD5 values of the documents, determine whether the system is being subjected to ransomware encryption. If multiple bait files change within a certain time frame, it indicates an ongoing ransomware attack, and the process modifying the bait files should be immediately terminated, isolating the corresponding files; for known ransomware, kernel preemption can be used to achieve immunity against specific ransomware attacks; when file creation, modification, or process startup and module loading events are detected in the system, the application layer should proactively call the antivirus engine to scan the file for viruses; establish a whitelist for application processes to intercept malicious application processes.

(4) Strengthening User Cybersecurity Awareness Improve cybersecurity awareness through training and drills to cut off the entry points for ransomware spread at the user level. For example, regarding files, do not click on email attachments from unknown sources, and perform security scans before opening email attachments; regarding websites, do not download software from unknown websites; regarding external devices, do not mix work and personal external devices, disable the autoplay feature for removable storage devices, and regularly perform security scans.

• File Aspect: Security awareness regarding file safety includes but is not limited to not installing software from unknown sources, not clicking on email attachments from unknown sources, disabling macro functions in Microsoft Office software, and not easily opening script files with extensions such as js, vbs, wsf, bat, cmd, ps1, sh, etc., or executable programs such as exe, scr, com. For compressed files sent by strangers via email, perform security scans before opening.
• Website Aspect: Security awareness regarding website safety includes but is not limited to not downloading software from unknown websites, not clicking on URLs in untrusted emails, and maintaining heightened security vigilance while browsing the web. Avoid visiting websites containing pornography, gambling, or other undesirable content, and use browsers with security features or alerts to reduce the likelihood of encountering compromised websites or phishing attacks.
• External Device Aspect: Security awareness regarding device safety includes but is not limited to not using removable storage devices from unknown sources, not mixing work and personal external removable storage devices, regularly performing security scans on removable storage devices, and disabling the autoplay feature for removable storage devices when connecting to work devices. Use security software to perform security scans on removable storage devices.
• Remote Use Aspect: Security awareness regarding remote use includes but is not limited to authorizing remote access only to necessary personnel, using dual authentication for critical endpoints, setting account abnormal lockout policies, modifying default remote access ports such as RDP protocol port 3389 and SSH protocol port 22, and restricting remote access to databases by only allowing connections from specific addresses through firewalls.

(5) Ensuring Important Data Backup Classify and store data and files based on their importance, such as actively encrypting and storing important and sensitive data to prevent dual or multiple extortion using ransomware. Clearly define the scope, content, and frequency of data backups, regularly implementing local backups, off-site backups, and cloud backups to increase the chances of recovering data in the event of ransomware attacks that lead to data file encryption, damage, or loss.

• Data Classification Strategy: Based on a clear understanding of the organization's internal data assets, adopt a classified storage and backup approach according to the importance of data to the organization and the attributes of the data itself. For example, classify data as public, internal, or confidential, or based on different business types corresponding to the data.
• Sensitive Data Encryption Storage: Encrypt and store critical data, sensitive data, and files using encryption tools, encryption systems, and encryption hardware, such as performing full-disk encryption on hardware devices storing data or encrypting sectors where data is stored, and encrypting data files during transmission.
• Regular Data Backup: Implement real-time backups, scheduled backups, and other methods for data backup. For example, perform synchronous or asynchronous real-time backups when data changes occur during transmission or reception on storage devices, set clear backup times for regular data backups, or trigger data backups based on changes in data storage directories or the completion of application operations.

2> During: Implementing Emergency Response#

(1) Isolating Infected Devices Once a ransomware attack is confirmed, take measures such as disconnecting from the network and shutting down to isolate infected devices. This may involve unplugging network cables, disabling network cards, and turning off wireless networks to prevent the ransomware from automatically connecting to the network through infected devices and further infecting other devices.

• Physical Isolation: Upon confirming a ransomware attack, to prevent infected devices from automatically spreading the virus through connected networks and to stop attackers from continuing to attack other devices via infected devices, isolate infected devices by disconnecting from the network and cutting off power, while also disabling wireless networks, Bluetooth connections, and unplugging all external storage devices.
• Changing Passwords: To prevent attackers from gaining access through leaked or cracked passwords, leading to ransomware attacks, and to stop attackers from further expanding the attack scope using leaked or cracked passwords, immediately change the login passwords of infected devices, other devices on the same local area network, and the highest-level system administrator accounts.

(2) Investigating the Scope of Ransomware Infection After isolating infected devices, investigate situations regarding data backups, network distribution, and information leakage, and check whether core business operations have been affected by the attack. For devices with unclear infection situations, perform disk backups in advance, and conduct on-site or online investigations within the isolated network to avoid re-infection due to residual ransomware when starting devices.

• Information Leakage Investigation: Once a ransomware attack is detected, promptly investigate information leakage situations. Additionally, after isolating infected devices, quickly check for abnormal access situations on devices storing sensitive information to confirm whether there is a risk of sensitive data leakage.
• Network Topology Investigation: Understand key information such as the network topology, business architecture, and device types in the on-site environment to assess the scope of ransomware spread and attack methods, making preliminary judgments about the areas affected by ransomware to support controlling virus spread and eliminating virus threats.
• Business System Investigation: After confirming that devices are infected with ransomware and have been isolated, promptly investigate core business systems and backup systems, focusing on whether core business systems have been affected by the attack and whether production-related systems have been encrypted, further determining the scope of ransomware infection.
• Data Backup Investigation: After isolating infected devices, promptly investigate the availability of data backups. For important servers and other devices, implement data backup redundancy strategies to ensure that when one server is encrypted, backup devices can quickly and effectively connect to ensure the normal operation of core business processes.

(3) Assessing the Ransomware Attack Incident Analyze the ransomware's ransom information, encrypted files, desktop backgrounds, suspicious samples, pop-up information, etc., using tools to analyze the ransomware, or seek assistance from cybersecurity professionals to investigate the infection time, transmission methods, and types of infection, determining the type of ransomware involved to facilitate attempts at virus decryption.

• Assessing the Type of Ransomware: After infecting a device, attackers typically load ransom prompt information to coerce users into paying the ransom. Organizations affected by ransomware can search for ransom prompt information from the encrypted disk directories and determine the type of ransomware based on its identifiers.
• Assessing Attack Intrusion Methods: By reviewing logs and samples retained on the device, determine how attackers gained access. If log information has been deleted, analyze samples or suspicious files left on the infected device to identify how attackers intruded, facilitating the remediation of security vulnerabilities.

(4) Attempting to Decrypt the Ransomware Based on the determined type of ransomware, attempt to decrypt it using the ransomware's own encryption characteristics and processes to recover all or part of the encrypted data, such as attempting to decrypt certain ransomware for which private keys have been published or using file sizes as keys. Note that virus decryption technology is highly specialized, and it is advisable to contact cybersecurity companies for assistance.

• Known Private Key Decryption: Obtain private keys from ransomware attack groups through various channels for decryption. For example, private keys for ransomware like GandCrab and Avaddon have been made public, and related decryption tools can be used for specific ransomware decryption. It is recommended to visit No More Ransom to input the identified ransomware name, where all available decryptors (if any) will be listed.
• Encryption Vulnerability Decryption: Analyze and exploit non-standard issues in the ransomware's own coding to obtain key generation methods, such as using file sizes as keys in dynamically generated virtual private networks.
• Plaintext-Ciphertext Collision Decryption: Some ransomware uses fixed-length key strings generated through encryption, which may allow for the retrieval of the encryption key used by the ransomware through plaintext-ciphertext comparison calculations, facilitating ransomware decryption.
• Brute Force Decryption: Exhaustively search the limited key space of the ransomware, such as in cases where pseudo-random numbers are generated using time as a seed to produce keys, to perform brute force attacks to obtain the key.

3> After: Implementing Security Reinforcement#

(1) Using Backup Data for Recovery Based on the data backup situation of devices affected by ransomware attacks, measure the time cost of data recovery, the importance of the data, and confirm the scope, order, and version of backup data for recovery, utilizing offline, off-site, and cloud backup data for restoration.

• Local Data Recovery: Use data from local backups for recovery. If local backup data has also been encrypted by ransomware, utilize disk repair tools, file fault tolerance mechanisms, or contact professional data recovery companies for data recovery.
• Off-site Data Recovery: Use copies of data backups for recovery, migrating the backed-up data to local storage. If off-site backup data has been encrypted, similarly utilize disk repair tools, file fault tolerance mechanisms, or contact professional data recovery companies for data recovery.
• Cloud Data Recovery: Download specific time-point data from cloud snapshot backups or full data from cloud image backups to local storage for cloud data recovery. If data is stored and applied in the cloud, selectively recover data based on the organization's needs for local storage and applications.

(2) Updating Cybersecurity Management Measures Based on issues exposed by ransomware attack incidents, revise and improve cybersecurity management systems, ensuring effective attack warnings and responses, while reviewing attack incidents and updating emergency plans for cybersecurity emergencies to further implement cybersecurity responsibilities.

• Improving Management Systems: Timely and purposefully improve cybersecurity management systems based on issues exposed by ransomware attack incidents. For example, check and identify the current management standards for executing cybersecurity management processes against national laws, regulations, management provisions, and policy strategies; accurately identify the applicability of acquired legal and regulatory standards to the organization, making necessary updates to cybersecurity management systems and standards, and promptly clearing outdated regulations to ensure that the organization's cybersecurity management systems meet continuous improvement requirements.
• Updating Emergency Plans: Emergency plans and emergency practices are mutually complementary and promote each other. When executing emergency plans, review each network attack incident and update the emergency processes and key measures included in the emergency plans based on exposed cybersecurity issues. For instance, if a ransomware incident is triggered by phishing emails, a special management team should be established in the emergency plan to handle phishing emails, detailing the responsibilities of each individual while refining the provisions of personal security management systems.

(3) Strengthening Cybersecurity Vulnerability Remediation After eliminating the impacts of ransomware attacks, conduct investigations and remediation of cybersecurity vulnerabilities. For example, in terms of permission management, focus on investigating weak passwords, account permissions, password updates, and sharing issues; in terms of vulnerability remediation, promptly update system, software, and hardware vulnerability patches.

• Password Management: Strictly enforce account password security management, focusing on investigating weak password issues, and further improving the internal password management mechanism. For example, require all personal terminals, servers, and other devices to have configured passwords, prohibiting any instances of no password; when transmitting accounts and passwords, use encryption measures to avoid interception during transmission; password settings should have sufficient length and complexity, using combinations of numbers, letters, and symbols; clearly define password update cycles and regularly change passwords, requiring users to change passwords when requested by administrators; new passwords should not have direct connections to old passwords, enhancing prevention against guessing new passwords based on old ones; passwords should not be easily guessable combinations, such as using the user's name, birthday, or other easily guessed information; strictly check the repetition rate of passwords to prevent attackers from using the same password to attack multiple devices.
• Vulnerability Remediation: Improve the organization's asset vulnerability, patch upgrades, and configuration hardening, establishing a unified management security mechanism and security operation specifications. For example, establish an asset vulnerability database, patch sources, patch reliability verification, customized patch upgrade plans, patch gray-scale upgrades, and retention review mechanisms, and strictly execute according to the roles, responsibilities, and processes specified in security operation specifications to ensure the security of the systems themselves. Investigate the actual vulnerability status of all systems or use vulnerability scanning tools to understand their actual vulnerability existence; disable systems that are no longer officially updated and maintained, promptly updating to new systems before putting them back into use; when vulnerabilities are discovered in software and hardware products, promptly disable them to prevent attackers from exploiting these vulnerabilities during that period, and pay attention to patch release situations to remediate vulnerabilities before restoring use.
• Permission Control: Effectively manage internal permission control within the organization, ensuring that employees perform their respective duties, with clear responsibilities and authority. For example, when employees' job responsibilities change, if existing responsibilities do not align with current account permissions, they should apply for permission changes. If administrators discover that users have permissions that are unnecessary for their current work, they should inform them and revoke excess permissions; regularly check account statuses, determining the shutdown status and permission scope of accounts by contacting account owners; establish permissions based on the principle of least privilege when opening accounts, providing services in the form of minimal permissions and resources, and requiring higher permissions to be approved based on actual situations.
• Internal Network Strengthening: Based on security needs, organically combine firewalls, data diodes for unidirectional transmission, intrusion detection, deep packet inspection, and caching to establish security barriers between internal and external networks. On the endpoint side, deploy endpoint defense software focused on effective protection. Regularly check device event alarms to avoid situations where incidents occur but remain unknown; strengthen system protection policies; investigate security settings related to hosts and promptly modify any issues found. Strictly control the access of mobile devices to the internal network to prevent security threats from entering through mobile devices, and establish network monitoring mechanisms between different areas of the internal network to promptly detect and handle network security incidents between different areas, preventing the escalation of network security incidents. Implement corresponding control measures between internal departments to prevent security threats from spreading from a single department to the entire network. When interconnecting between departments, establish intercommunication access permissions based on the principle of independent access, using minimal permissions and resources for interconnection.

(4) Restoring Normal Use of Infected Devices For devices infected with ransomware to be put back into use, measures such as disk formatting, system reinstallation, deleting suspicious files and programs, and eliminating ransom information and encrypted files should be taken to avoid secondary infections from ransomware before restoring the devices to normal use.

Disk Formatting: Ensure that ransomware cannot hide or execute again before performing disk formatting. Since some ransomware alters the master boot record of the system, moving the ransomware itself to hide within the system disk for persistence, it is not possible to format the operating system disk. The ransomware processes should be terminated, and the sample body, derivatives, added registry entries, and startup items should be deleted to ensure that there is no ransomware present in the system disk and that it cannot execute again, preventing re-infection. Deleting Suspicious Files and Programs: Before deleting suspicious files and programs, terminate the ransomware processes to avoid process occupation that would prevent deletion. Some ransomware may rename themselves as system processes; security software and specialized removal tools can be used to check the current usage of system programs to avoid mistakenly terminating processes that would cause the system to malfunction. Additionally, the virus scanning function of security software can be used to find and delete suspicious files and programs hidden within the system. Some ransomware may set their file attributes to hidden or move to temporary directories, startup directories, or the system root directory during execution, and add startup items in the registry to achieve persistence. The hidden attributes of files can be turned on, suspicious files and programs removed, and their added registry entries deleted to ensure that the device restarts without encountering ransomware again.

Eliminating Ransom Information and Encrypted Files: Based on the situation of ransomware infection and data file recovery, choose appropriate measures to eliminate ransom information and encrypted files. For example, if encrypted files have been restored through virus decryption or data recovery, the encrypted files can be directly deleted; if encrypted files cannot be decrypted and are of certain importance, they can be backed up for future recovery using decryption tools, and once the backup is complete, the encrypted files can be deleted.

Quick Overview Q&A - Light Speed Learning Edition#

Q1: I have ransomware, is it possible to decrypt?#

You can check the status of the ransomware family you are infected with at the 360 Ransomware Search Engine. It supports searching by suffix, hacker email, and other keywords, and also allows uploading encrypted files or ransom prompt information left by hackers for inquiry. If the query result shows that decryption is possible, you can download decryption tools from No More Ransom for decryption.

Q2: I want to recover data, can you provide paid decryption services?#

If the query result indicates "temporarily unable to decrypt," it means that the industry has researched this family but has not yet found a technical solution for decryption. Currently, no other forms of decryption services are provided besides technical cracking, and there are no third-party service providers that can be recommended. If you believe it is necessary to seek paid decryption, you can contact hackers to purchase keys or contact third parties to purchase related services.

Important Note: The decryption solutions provided by third-party service providers are intermediary services that replace users in contacting hackers and operating subsequent payment and decryption processes, and they do not possess technical cracking capabilities.

Q3: What should I pay attention to when purchasing a key?#

First, we do not recommend any form of ransom payment. If you insist on purchasing a key, we suggest paying attention to the following points:

• It is not advisable to pay hackers directly. Paying hackers directly carries significant risks:

  • First, the decryption tool you receive may not work;
  • Second, the key may be incorrect, and you may not be able to decrypt your files;
  • Third, hackers may demand ransom again or even multiple times.

• If you must pay hackers, send 1 to 2 encrypted files to the hackers before payment to confirm that decryption is successful before deciding whether to pay.

• If you contact decryption service providers through Taobao, search engines, or other means, be sure to sign a contract before officially starting the decryption work, clarifying whether payment is required if decryption is unsuccessful, and if necessary, request on-site services.

• Do not consult too many third-party vendors. Most third parties are looking to purchase keys from hackers. Contacting too many third-party vendors may lead to hackers noticing multiple inquiries about your device, which could increase the ransom demand.

• Do not overly describe the importance of your files or your financial situation, as this may lead decryption merchants or hackers to raise their commissions or ransom demands.

Q4: Are data recovery methods effective?#

A small number of ransomware may allow for the recovery of some files through data recovery software due to the method used for encrypting files. However, most ransomware-encrypted files cannot be directly recovered. Additionally, many ransomware encrypt only the fixed-size header data of files for efficiency, so some databases may have a chance of recovery through data repair methods. However, this method does not guarantee 100% recovery, and there may still be some data loss, while the chances of recovering other file formats through this method are very low.

Q5: Is ransomware contagious?#

In theory, virus code can carry any form of malicious functionality, so it cannot be guaranteed that a specific ransomware variant is not contagious. However, based on the ransomware captured in practice, most ransomware does not exhibit self-propagating characteristics (WannaCry is an exception). However, this does not mean it will not affect other machines within the local area network; affected machines may experience the following situations.

1. Being on the same internal network as the infected machine and sharing some folders with it. If the infected machine can directly access that shared folder without appropriate permission controls, the virus can encrypt that shared folder. Check if only the shared folder is encrypted: press win+r, type cmd, and then enter net share. You can see which folders are currently shared by the device.

You can also check through Computer Management:

For shared folders added by yourself, you can adjust permissions, and if there is no need for use, you can directly close sharing.

2. Hackers may use the infected machine as a launchpad to attempt to attack other machines on the internal network by scanning ports in the same subnet, checking remote desktop login records, exploiting N-day vulnerabilities, etc.

Q6: Files have been encrypted, but no virus can be scanned?#

Ransomware victims often use antivirus software to scan for viruses immediately after discovering they have been infected, but the antivirus software does not detect any suspicious files. This phenomenon is common and can have many possible explanations:

• In most cases, ransomware deletes itself after encrypting files, leaving only the encrypted files, which do not carry the virus.

• Hackers may write ransom prompt information into startup items, and when users shut down and restart, a ransom window will pop up. That is a document left by hackers to guide users on how to contact them to pay the ransom to recover files. Generally, it is just a document and does not have encryption functionality or is not a virus.

• The local machine is not the one directly infected with ransomware; it has only had shared folders encrypted due to file sharing with the infected machine. This ransomware program exists on other devices, so there is no virus on the computer.

Q7: Will ransomware horizontally propagate within the internal network?#

Most hackers will first attempt to gain access to more machines within the internal network before deploying the virus, using various means, including:

• Weak Password Attacks

Including weak passwords for remote desktops, databases, Tomcat, shared folders, etc.

• Vulnerability Attacks

Such as vulnerabilities related to EternalBlue, Java vulnerabilities, WebLogic vulnerabilities, and Fanwei OA vulnerabilities, etc.

• Non-Active Propagation

If some machines in the internal network where the infected machine is located have shared folders set up without access permissions, the infected machine can directly access the files on that machine, leading to file encryption. Therefore, the infected machine in the internal network should be disconnected promptly, and the cause of infection should be identified before taking further action. At the same time, all machines in the internal network should immediately change their passwords, as hackers will attempt to collect passwords from other machines in the internal network after logging into user machines.

Q8: Files in the USB drive have been encrypted, can they still be backed up?#

If files in the USB drive have been encrypted after inserting it, it indicates that the ransomware is still running in the system. The ransomware needs to be terminated. The encrypted files themselves do not carry the virus. As long as the operation of the USB worm is prevented, you can safely back up the files to other locations.