Monday, 15 May 2017

What is a Ransomware and how to prevent it

Ransomware is a kind of malicious software which encrypts the files of infected PC upon execution and it's designed to block the access of files in a computer until a sum of money is paid to the hacker. Once the money is paid, the hacker sends a decryption key to the victim which can be used to decrypt the files and get the access back. Most of the times, even if you pay the amount, the victim doesn't get any decryption key and it is almost impossible to track the attacker because they accept the money through bitcoin in encrypted form that is very difficult to track.

What exactly happens when a pc gets infected by a Ransomware?
Well, earlier, ransomware software were too easy to get rid of for a little techie people who knew about windows task manager and startup items. I have personally analyzed some old ransomwares and what they did was just executed themselves and created a startup entry for their main application to show that scary screen which says that your computer or files have been locked and you need to pay some money to the attacker to get back the access to the pc. It could be easily closed by ending the ransomware process from task manager and the malicious file could easily be stopped from auto executing by running msconfig command through RUN and deleting the startup entry of the ransomware software. Some ransomware create events in windows to auto download and execute themselves even after deleting the ransomware software and these kind of ransomwares are bundled with software cracks which are actually malwares. But that too could be stopped by deleting the particular event or task from the computer.
But these days, ransomware are being coded in a much complicated way that are FUD (fully undetectable) for so many anti-virus software and the encryption technology used by the ransomware is very difficult to crack so they are getting more dangerous as they are not detectable and non-removable by any antivirus. Although some antivirus vendors like KasperSky and Malwarebytes are providing decrypting tools to recovered the locked files, there are still so many ransomware available online which decryption algorithm is still not available.

Recently "WCry", referred as "WannaCry" ransomware infected about more than 57000 computers worldwide this friday (12th May 2017) and created a panic among the computer users. It affected hospitals, schools, offices and government agencies. After infecting the computer, it's asking to pay $300 to unlock the files and I'm not sure whether the attacker really sent any decryption key to decrypt the files for anyone who paid the amount.
wannacry ransomware screen
Well, this ransomware was accidently stopped by a cybersecurity researcher which is tweeting with the user name @MalwareTechBlog. The researcher bought the domain name used by the ransomware on a website called NameCheap.com for $10.69, and set it up on a server in Los Angeles which stopped the Ransomware as the domain name used by the ransomware was never booked and setting up the domain on the server stopped the ransomware to spread.

How to prevent from getting infected with ransomware?
But still the risk is not over and the attacker might spread the ransomware again by changing the code of it and by making it more difficult to decrypt. So what can be actually done to stop the ransomware to infect your PC? Well, there is no any 100% working solution available for it yet but yes, with the few precautions, you can prevent it. I'm listing a few tips which you can follow to be safe from the ransomware:
1. Don't open any file which you receive through mail from unknown people. The file might be of any extension so don't think that you are opening a safe file and get trapped.
2. Use sandbox before opening any suspicious file which you think might not be any virus. Using a sandbox creates a virtual space in your computer and keeps your computer safe in case if you encounter any virus in your sandbox.
3. Install any good antivirus and anti-malware in your computer and keep it up to date. You may use Malwarebytes, Kaspersky, AVG Internet Security etc.
4. Apart from antivirus, you can use Anti-Ransomware tools too such as Bitdefender AntiRansomware, Malwarebytes Anti-Ransomware, EMET, Kaspersky Anti-Ransomware tool etc.
5. Disable SMB service in windows services to prevent the ransomware to be executed. To do so, open appwiz.cpl from RUN and click Turn Windows Features ON or OFF. Now look for SMB 1.0 and uncheck it and click OK. Usually you can find this option in Windows Server Edition OS.
program and features
turn windows features ON or Off
Alternatively you can run the powershell command too which is given below:
"Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol"

Note: If you are sharing files among different computers, then don't turn off SMB feature. File sharing won't work after disabling this feature.

6. Install all the security patches and updates from Microsoft to keep your PC safe. TO install the important security patches, use the following links:
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Since these too are not sufficient to prevent a user from getting infected from a ransomware so the only thing which can prevent your computer from being infected is using strong firewalls and use of common sense.

That's all for today. Keep visiting PC Tricks Guru for more tips and tricks.
Share:

3 comments:

  1. Stephanie James15 May 2017 at 17:31

    Thanks for this useful article. In my school's library, most of the PCs are running windows XP and all of them are under attack.

    ReplyDelete
  2. Great informative article. Please do share any working tool to recover the files.

    ReplyDelete
  3. Thank God that this virus is not so active in India. But still it would be a red alert for us.

    ReplyDelete

Custom Search Box

Subscribe Our Newsletter

Advertise With Us