Bromium: Understanding Crypto-Ransomware


hjlbx

Thread author
Bromium: Understanding Crypto-Ransomware (PDF)

https://www.bromium.com/sites/default/files/bromium-report-ransomware.pdf

Despite having some advanced/technical code details, this report is easily understood, and therefore useful, to those interested in understanding the basics of ransomware.

For example:

"The most common mode of operation for crypto-ransomware droppers
is process injection. It is done by creating a suspended process (such as
explorer.exe or svchost.exe) and swapping the image with the unpacked
payload."

One can get the gist of ransomware mechanism(s).

If one is so inclined, there are good PDF ransomware reports by McAfee and Sophos as well. Just do an online search for "ransomware PDF."
 

Andi.HR

Apr 23, 2014
The info I find in this report that is most useful for users:
"CryptoLocker, encrypting
an exponentially increased number of file types. From this point on, targeting
more than 70 different extensions became a norm with crypto-ransomware. All
types of music, videos and source code are generally among those encrypted.
TorrentLocker is a unique beast, targeting more than 200 types of files. Several
obscure extensions that are not commonly used, such as .djvu, .ycbcra and .blend
are among those targeted.
Let’s look into targeted file types in more detail. First, let’s define the list
of categories:
• doc—all sorts of documents including text, word processor files,
spreadsheets, etc.
• img—all images
• av—audio and video files
• src—source code files
• cad—all the possible design files
• db—databases
• sec—security related files including certificates, key chains and
password managers
• arch—archives
• fin—all financial software from bank clients to accounts tools
• bak—various backups
• oth—formats that we were not able to determine or too rare to have its
own category"

And this one too:
"Prevention of such a threat is possible only in early stages of infection before
files are encrypted. Antivirus and HIPS have two windows of opportunity to
prevent the attack:
• At stage of drive-by exploit
• At stage of process injection
After that the malware will proceed with file encryption and detecting it
at this stage might be too late.
Here are some recommendations on how to minimize the losses in case
of infection:
1. Regularly backup your data
2. Use an external hard drive for your backups. Unplug the drive after it’s
finished copying files
3. Always keep UAC enabled. A number of operations performed by
crypto-ransomware require admin privileges
It is likely that we’ll see more crypto-ransomware families and this threat won’t
go away anytime soon. The only way to make it go away is to stop paying thus
rendering its business model unprofitable. But this unfortunately is much easier
said than done."

Users have a few more options to prevent ransomware besides UAC and AV, and those are:
1. Run a non-admin account
2. Secure their folders with sensitive data with "Secure Folders" or "Easy File Locker"
3. Malwarebytes Anti-Exploit will also help a lot
4. Once again, BACKUP files to an external drive and then disconnect it (connect it only when performing a backup), but first check that your PC is clean with tools like Malwarebytes, HitmanPro, Zemana AM, Panda Cloud Scanner, Kaspersky Malware Cleaner, etc.
5. And my favorite is to run browsers in a sandbox. I use Comodo Cloud AV, which has this option, but your choice may be Sandboxie or some other program with an option to isolate the browser from the real PC.
 
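The report's file-category list and its warning that detection during the encryption stage "might be too late" can be turned into a small last-line detector. The following is an added example written for this thread; it is not code from the Bromium report or from either poster. It reuses the report's category names (doc, img, av, src, cad, db, sec, arch, fin, bak, oth), but the extensions placed under each category, the 7.0 bits/byte entropy cut-off, the 4 KiB sample size, and the three-file alert threshold are all assumptions chosen for illustration. The scenario it runs (plaintext files overwritten with random bytes and half of them renamed with a ransom suffix) is constructed inline so it runs offline.

```python
import math
import os
import tempfile
from collections import Counter

# Category names are the report's; the extensions under each are illustrative
# assumptions for this example, not the report's own per-family lists.
CATEGORIES = {
    "doc": {".txt", ".doc", ".docx", ".xls", ".xlsx", ".pdf"},
    "img": {".jpg", ".png", ".gif"},
    "av": {".mp3", ".mp4", ".avi"},
    "src": {".c", ".py", ".js"},
    "cad": {".dwg", ".blend"},
    "db": {".sqlite", ".mdb"},
    "sec": {".pfx", ".p12", ".kdbx"},
    "arch": {".zip", ".7z"},
    "fin": {".qbw", ".ofx"},
    "bak": {".bak", ".bkp"},
}
EXT_TO_CATEGORY = {ext: cat for cat, exts in CATEGORIES.items() for ext in exts}

ENTROPY_THRESHOLD = 7.0   # bits/byte; assumed cut-off between structured data and ciphertext
MIN_HITS = 3              # assumed number of touched files that triggers an alert


def categorize(path):
    """Map a file name to one of the report's categories ('oth' if unknown)."""
    return EXT_TO_CATEGORY.get(os.path.splitext(path)[1].lower(), "oth")


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(directory):
    """Record (category, entropy of the first 4 KiB) for every file in a directory."""
    snap = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                snap[path] = (categorize(path), shannon_entropy(f.read(4096)))
    return snap


def detect(before, after):
    """Compare two snapshots and return (path, category, reason) for each anomaly."""
    hits = []
    for path, (cat, ent_before) in before.items():
        if path not in after:
            # A targeted file vanished: typically renamed to a ransom extension.
            hits.append((path, cat, "removed_or_renamed"))
        elif ent_before < ENTROPY_THRESHOLD <= after[path][1]:
            # Content went from structured data to near-uniform bytes in place.
            hits.append((path, cat, "entropy_jump"))
    for path, (cat, _) in after.items():
        if path not in before and cat == "oth":
            # New file with an extension in no category: often the ransom suffix.
            hits.append((path, cat, "new_unknown_extension"))
    return hits


def should_alert(hits):
    """Alert once enough previously existing files were overwritten or renamed."""
    return sum(h[2] != "new_unknown_extension" for h in hits) >= MIN_HITS


def simulate():
    """Constructed scenario: plaintext files, then a ransomware-style pass over them."""
    with tempfile.TemporaryDirectory() as d:
        names = ["report.docx", "photo.jpg", "main.py",
                 "ledger.qbw", "keys.kdbx", "notes.txt"]
        for n in names:
            with open(os.path.join(d, n), "wb") as f:
                f.write(b"Lorem ipsum dolor sit amet " * 200)
        before = snapshot(d)
        for i, n in enumerate(names):
            path = os.path.join(d, n)
            with open(path, "wb") as f:
                f.write(os.urandom(4096))          # stand-in for ciphertext
            if i % 2:                              # rename every other file
                os.rename(path, path + ".encrypted")
        after = snapshot(d)
        hits = detect(before, after)
        return hits, should_alert(hits)


if __name__ == "__main__":
    hits, alerted = simulate()
    for path, cat, reason in hits:
        print(f"{reason:22s} {cat:4s} {os.path.basename(path)}")
    print("ALERT" if alerted else "no alert")
```

Note the limitation this makes visible: the detector only fires after files have already been overwritten or renamed, which is exactly the stage the report says may be too late. Its value is as a trigger for the recommendations quoted above (cut network shares and keep the backup drive unplugged), not as a substitute for blocking the drive-by exploit or the process injection earlier in the chain. Compressed archives (the "arch" category) are already high-entropy, so an entropy-jump rule alone will miss them; the rename and unknown-extension rules are what catch those.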
