Preventive measures for ransomware

Since the large-scale WannaCry outbreak of May 2017 (the ransomware that spread with the EternalBlue exploit), ransomware has been a serious threat to governments, enterprises and individual Internet users: the risk of corporate data leakage keeps rising, and ransom demands in the millions, and occasionally hundreds of millions, continue to appear.

New ransomware families active worldwide in March 2021 included FancyBear, Hog, DearCry, Sarbloh, BadGopher, RunExeMemory and Phoenix CryptoLocker. Of these, FancyBear was still under development; DearCry was the first family caught that month delivering ransomware through Microsoft Exchange vulnerabilities; and the newly emerged Phoenix CryptoLocker may be linked to the Evil Corp group.

Ransomware affects more and more enterprises and individuals, and the damage it causes keeps growing. This article introduces some measures for preventing and responding to ransomware, in the hope of helping readers avoid it.

1. How to tell whether a host is infected

How do you judge whether a computer is infected with ransomware? Ransomware has one characteristic that distinguishes it from other malware: it encrypts the documents and data on the victim's host and then extorts the victim for profit. Extortion is its whole purpose. After the attackers implant the malware and the encryption finishes, they tell the victim that their files have been encrypted and can no longer be opened, and that a ransom must be paid to restore them. A computer showing the following signs has very likely been hit by ransomware.

1. The desktop has been tampered with

After a server is infected, the most obvious sign is that the desktop has changed noticeably: new text or web files appear on it, explaining how to "decrypt" the data and giving the attackers' contact details, and the ransom demand itself is displayed on the desktop.

The original article shows screenshots of several typical desktop changes after a ransomware infection; the images are not reproduced here.


2. File extensions have been tampered with

Another typical sign after infection is that Office documents, photos, videos and similar files can no longer be opened, their icons change, or their extensions have been altered. Usually the new extension is the name of the ransomware family or a symbol representing it. For example, GlobeImposter variants append .dream, .TRUE or .CHAK; the Satan family uses .satan and .sicck; the Crysis (Dharma) family uses .ARROW and .arena, among others.
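The two signs above (ransom notes on disk and tampered extensions) can be checked mechanically, and a third one is worth adding: a file that keeps its name but has been encrypted in place no longer starts with the header bytes its type should have, and its content is near-maximum entropy. The following triage scanner is an added example, not code from the original article; the extension list is the one the article names (not exhaustive), the note-name fragments and the 7.5 bits/byte threshold are heuristics chosen here, and the sample directory it scans is constructed in a temporary folder.

```python
from __future__ import annotations

import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the article names for three families (constructed list, not exhaustive).
KNOWN_RANSOM_EXTENSIONS = {
    ".dream", ".true", ".chak",   # GlobeImposter variants
    ".satan", ".sicck",           # Satan
    ".arrow", ".arena",           # Crysis / Dharma
}
# Fragments that ransom-note file names commonly contain (heuristic chosen here).
RANSOM_NOTE_HINTS = ("readme", "decrypt", "restore", "how_to", "recover")
RANSOM_NOTE_EXTS = {".txt", ".hta", ".html", ".htm"}
# Bytes a healthy file of each type starts with; an in-place encrypted copy will not.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
}
HIGH_ENTROPY = 7.5  # bits per byte; ciphertext sits near 8, real documents well below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_file(path: Path) -> list[str]:
    """Indicators matched by one file; an empty list means nothing suspicious."""
    findings: list[str] = []
    suffixes = [s.lower() for s in path.suffixes]
    last = suffixes[-1] if suffixes else ""
    if last in KNOWN_RANSOM_EXTENSIONS:
        findings.append(f"known ransomware extension {last}")
    if last in RANSOM_NOTE_EXTS and any(h in path.name.lower() for h in RANSOM_NOTE_HINTS):
        findings.append("possible ransom note")
    expected = MAGIC.get(last)
    if expected is not None:
        with path.open("rb") as fh:        # read-only: never write to a suspect disk
            head = fh.read(4096)
        if not head.startswith(expected) and shannon_entropy(head) > HIGH_ENTROPY:
            findings.append("header mismatch with high entropy (likely encrypted in place)")
    return findings


def scan_tree(root: str) -> dict[str, list[str]]:
    """Relative path -> findings for every suspicious file under `root`."""
    base = Path(root)
    results: dict[str, list[str]] = {}
    for p in sorted(base.rglob("*")):
        if p.is_file():
            findings = triage_file(p)
            if findings:
                results[p.relative_to(base).as_posix()] = findings
    return results


def build_constructed_sample(root: str) -> None:
    """Constructed test tree: two healthy files, one file renamed with a GlobeImposter
    extension, one encrypted in place (simulated with random bytes), and a ransom note."""
    rng = random.Random(7)
    docs = Path(root) / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"quarterly figures " * 200)
    (docs / "team.png").write_bytes(b"\x89PNG\r\n\x1a\n" + bytes(64))
    (docs / "budget.xlsx.dream").write_bytes(bytes(rng.getrandbits(8) for _ in range(2048)))
    (docs / "photo.jpg").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    (Path(root) / "HOW_TO_DECRYPT_FILES.hta").write_text("<html>your files are encrypted</html>")


def run_demo() -> dict[str, list[str]]:
    """Build the sample in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, found in run_demo().items():
        print(f"{rel}: {'; '.join(found)}")
```

The scanner only reads, which matters given the warning later in this article about writing to an infected disk; on a real incident run it against a mounted disk image rather than the live system. The header-and-entropy check is a heuristic: a compressed or already-encrypted legitimate file with the wrong extension will also trip it, so treat hits as leads for the investigation, not as proof.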

2. How to respond on your own

1. Correct handling

(1) Isolate the infected host

Handling method

Once it is confirmed that a server is infected with ransomware, isolate it immediately. Isolation takes two forms: physical isolation and access control. Physical isolation means disconnecting the network or powering off; access control means strictly authenticating and restricting access to network resources.

1) Physical isolation

The usual ways to isolate physically are disconnecting the network and shutting down. Prefer disconnecting: powering off discards the contents of memory (the running processes and, for some families, the encryption key still in RAM) that investigators may later need, whereas cutting the network stops the spread just as well.

Disconnecting means: unplug the network cable, disable the network adapter, and on a laptop also turn off the wireless network.

2) Access control

The usual access-control measures are adding blocking policies and changing login passwords.

Adding policies means: use network-side security devices, such as firewalls or endpoint security monitoring systems, for further isolation; do not expose Remote Desktop (RDP, default port 3389) to the public Internet (if it must be open for remote operations and maintenance, put it behind a VPN and allow access only after VPN login); and close unnecessary ports such as 445 (SMB), 139 (NetBIOS) and 135 (RPC).

Changing passwords means: first, change the login password of the infected server immediately; second, change the passwords of the other servers on the same LAN; third, change the password of the highest-privilege administrator account. Make these changes from a clean machine, not from the infected host. The new passwords should be strong and complex: a mix of uppercase and lowercase letters, digits and special symbols, at least 15 characters long and combining more than two of those character classes.

Rationale

Isolation serves two purposes: to stop the infected host from spreading automatically to other servers over the network, and to stop the attackers from using the infected host to reach other servers.

Some ransomware spreads to other hosts through system vulnerabilities or weak passwords; WannaCry is one example. Once a host is infected it quickly infects other computers on the same network, taking only about one to two minutes per machine. Without prompt isolation, every host on the LAN may be paralysed.

Attackers have also recently been seen using hosts exposed on the public Internet as a foothold, moving from there to find the core business servers and only then launching the ransomware, which causes far greater damage.

So once a server is confirmed infected, isolate it immediately to prevent the malware from reaching other servers and causing unpredictable losses.

(2) Investigate the business systems

Handling method

After the infected host has been isolated, check the other machines on the LAN: whether the core business systems are affected, whether production lines are affected, and whether the backup system has been encrypted, so as to determine the scope of the infection.

Rationale

How badly the business systems are affected determines the severity of the incident. Assess the risk and act on it promptly to avoid greater harm.

If the backup system is intact, files can be restored from it without paying a ransom.

Therefore, once the infection is confirmed and the host isolated, check the core business systems and the backup system immediately.

(3) Contact professionals

After these emergency self-rescue steps, contact professional technicians or security practitioners as soon as possible to establish when the infection happened, how it spread, and which ransomware family is involved.

2. Mistakes to avoid

(1) Using removable storage devices

The mistake

Plugging removable storage such as USB flash drives or external hard disks into a computer after it has been confirmed infected.

Why it is wrong

Ransomware usually encrypts every file it can reach on the infected computer, so a USB drive or external disk plugged in will be encrypted immediately as well, increasing the loss. More generally, malware can also spread through removable media such as USB drives.

So once a server is confirmed infected, do not use USB drives, external hard disks or similar devices on it.



(2) Reading and writing disk files on the infected host

The mistake

Trusting the various decryption methods and tools found online and running them yourself on the infected server. Repeatedly reading and writing the files on the disk lowers the chance of recovering the data correctly.

Why it is wrong

The basic encryption process of many common ransomware families is:

1) first, read the file from disk into memory;

2) then, encrypt the file in memory;

3) finally, write the encrypted file back to disk and delete the original.

In other words, many ransomware families delete the original file as they write the encrypted copy. In theory the original content can then still be partly or fully recovered with data-recovery software, as long as the sectors it occupied have not been overwritten.

If the user keeps reading and writing the disk at this point (it is the writes, including installing tools, that do the damage), the space that held the original files may be overwritten, making files that could have been recovered permanently unrecoverable. Any recovery attempt should work on an image of the disk, not on the live system.


3. How to restore the system

1. Restore from an existing backup

If the files were backed up beforehand, the encrypted files can be restored directly from cloud storage, an external disk or another disaster-recovery system. Before restoring, make sure the malware has been removed: format the disk or reinstall the system, so that the backup is not encrypted the moment the external disk is plugged in or the files are downloaded from cloud storage.

Backing up in advance is both the most effective and the cheapest way to recover files.
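A backup is only worth restoring if it was not itself reached by the ransomware (the check in step (2) of the response section above). One way to make that check mechanical is to record a keyed digest of every backed-up file at backup time and compare before restoring. The script below is an added example, not code from the original article; it assumes the manifest and the HMAC key are stored somewhere the backup host cannot write to (the key string and the backup tree here are constructed for the demonstration), and it simulates the attack by renaming and overwriting files rather than running any real ransomware.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import random
import tempfile
from pathlib import Path


def keyed_digest(path: Path, key: bytes) -> str:
    """HMAC-SHA256 of a file, streamed so large backups are not loaded into memory.
    A keyed digest means an attacker who can rewrite backup files cannot also
    forge matching manifest entries without the key."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            mac.update(chunk)
    return mac.hexdigest()


def write_manifest(backup_root: Path, manifest_path: Path, key: bytes) -> dict[str, str]:
    """Record relative path -> digest for every file in the backup, at backup time."""
    entries = {
        p.relative_to(backup_root).as_posix(): keyed_digest(p, key)
        for p in sorted(backup_root.rglob("*")) if p.is_file()
    }
    manifest_path.write_text(json.dumps(entries, indent=2))
    return entries


def verify_backup(backup_root: Path, manifest_path: Path, key: bytes) -> dict[str, list[str]]:
    """Compare the backup as it is now with the manifest written at backup time."""
    manifest: dict[str, str] = json.loads(manifest_path.read_text())
    report: dict[str, list[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    present = {p.relative_to(backup_root).as_posix()
               for p in backup_root.rglob("*") if p.is_file()}
    for rel, digest in manifest.items():
        if rel not in present:
            report["missing"].append(rel)          # deleted or renamed (e.g. .dream appended)
        elif not hmac.compare_digest(keyed_digest(backup_root / rel, key), digest):
            report["modified"].append(rel)         # same name, different content: encrypted in place
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(present - set(manifest))  # renamed copies, ransom notes
    return report


def run_demo() -> dict[str, list[str]]:
    """Take a backup, then simulate what ransomware does to a reachable backup share."""
    key = b"constructed-demo-key-keep-the-real-one-offline"
    rng = random.Random(11)
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        backup.mkdir()
        (backup / "finance.xlsx").write_bytes(b"PK\x03\x04" + b"ledger " * 100)
        (backup / "hr.docx").write_bytes(b"PK\x03\x04" + b"contracts " * 100)
        (backup / "readme.txt").write_text("internal notes")
        manifest = Path(tmp) / "manifest.json"   # kept outside the backup tree
        write_manifest(backup, manifest, key)

        # Simulated attack (constructed): one file encrypted and renamed, one encrypted
        # in place, and a ransom note dropped. Random bytes stand in for ciphertext.
        (backup / "finance.xlsx").rename(backup / "finance.xlsx.dream")
        (backup / "finance.xlsx.dream").write_bytes(bytes(rng.getrandbits(8) for _ in range(512)))
        (backup / "hr.docx").write_bytes(bytes(rng.getrandbits(8) for _ in range(512)))
        (backup / "HOW_TO_RESTORE.txt").write_text("pay us")

        return verify_backup(backup, manifest, key)


if __name__ == "__main__":
    for status, files in run_demo().items():
        print(f"{status}: {files}")
```

Only the files reported as ok should be restored; anything modified or missing means that generation of the backup was reachable from the infected network and an older, offline copy is needed. This is also why the manifest and key must not live on the same share as the backup.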

2. Recovery with decryption tools

Most ransomware uses internationally recognised standard encryption algorithms. With a sufficiently long key, brute-forcing them on an ordinary computer would take an astronomically long time, so the cost of cracking is prohibitive. Normally, then, files cannot be decrypted and restored without paying the ransom.

However, in the following three situations the encrypted files can be recovered with decryption tools released by the major security vendors:

1) the ransomware's code has design flaws or implements the encryption algorithm incorrectly (for example, a weak or predictable key);

2) the ransomware authors have released the key or master key themselves;

3) law enforcement has seized the server holding the keys and shared them.

Check the websites of reputable security vendors (and the No More Ransom project at https://www.nomoreransom.org) to find out which families can currently be decrypted, and act accordingly.

3. Reinstall the system

When the files cannot be decrypted and you judge the encrypted data to be of little value, you can also recover by reinstalling the system. Reinstalling means the files can no longer be recovered, so if there is any chance they matter, keep an image of the encrypted disk in case a decryptor is released later. After reinstalling, apply all system patches, install anti-virus software and update its signature database to the latest version, and harden the server against intrusion.

4. How to strengthen protection

Although decryption tools exist for some ransomware, ransomware is cheap to make and highly profitable, new families appear endlessly, and not all of them can be decrypted. Strengthening protection is therefore far more effective than remediation after the fact.

For teachers and students in colleges and universities, strengthening protection mainly means the following:

Develop good security habits

1) Install security software with cloud protection and active defence, do not exit it or turn off its protection casually, and do not wave through the risky actions it warns about.

2) Use the security software's third-party patching function to manage vulnerabilities: patch the operating system and common applications as soon as possible and update the signature database regularly, so that malware cannot enter the computer automatically through vulnerabilities.

3) Passwords should be complex enough: digits, uppercase and lowercase letters and symbols, at least 8 characters long. Do not use weak passwords that attackers can guess or crack.

4) Back up important documents regularly, so that damaged or lost files can be retrieved promptly, and keep at least one copy offline or otherwise not writable from the workstation.

Reduce risky online behaviour

5) Do not browse dubious websites with objectionable content; such sites are often used for drive-by download and phishing attacks.

6) Do not casually open attachments or links in emails from strangers. Be especially wary of script files with extensions such as .js, .vbs, .wsf, .bat, .cmd and .ps1, and of executables such as .exe, .scr and .com. Treat archives sent by strangers with extra suspicion and scan them with security software before opening.

7) When removable storage such as USB drives or external disks is connected, scan it with security software first.

8) Files whose safety is uncertain can be opened in the security software's sandbox, so that a Trojan cannot damage the real system.
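Point 6 above lists the attachment types to distrust, and the two tricks that defeat a casual glance are a document-looking name with a script extension tacked on (invoice.pdf.js) and a script hidden inside an archive. The following mail screener is an added example, not code from the original article; the extension lists extend the ones given in point 6 with .jse, .vbe, .wsh, .hta, .pif, .msi, .dll and .lnk (an assumption made here), and the phishing-style message it screens is constructed in the block, with a harmless one-line script standing in for a dropper.

```python
from __future__ import annotations

import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import PurePosixPath

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".bat", ".cmd", ".ps1", ".hta"}
LAUNCHER_EXTS = {".exe", ".scr", ".com", ".pif", ".msi", ".dll", ".lnk"}  # .lnk can run commands
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def classify_name(name: str) -> list[str]:
    """Findings for one file name; the real type is decided by the LAST extension."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        return []
    findings: list[str] = []
    last = suffixes[-1]
    if last in SCRIPT_EXTS:
        findings.append(f"script file ({last})")
    elif last in LAUNCHER_EXTS:
        findings.append(f"executable or launcher ({last})")
    # "invoice.pdf.js": the inner extension is only a lure.
    if findings and len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
        findings.append("double extension disguised as a document")
    return findings


def inspect_zip(data: bytes) -> list[str]:
    """Look inside an archive without extracting it; report what cannot be seen."""
    findings: list[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:   # bit 0 = entry is password-protected
                    findings.append(f"{info.filename}: password-protected entry, cannot be inspected")
                    continue
                findings += [f"{info.filename}: {f}" for f in classify_name(info.filename)]
    except zipfile.BadZipFile:
        findings.append("attachment claims to be a zip but is not a valid archive")
    return findings


def screen_message(raw: bytes) -> dict[str, list[str]]:
    """Attachment file name -> findings, for every attachment that raised one."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    report: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        findings = classify_name(name)
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            findings += inspect_zip(payload)
        if findings:
            report[name] = findings
    return report


def build_constructed_sample() -> bytes:
    """Constructed phishing-style mail: a zip hiding a .js behind a .pdf name plus a
    harmless image, a bare .scr attachment, and a genuinely harmless .png."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2021_03.pdf.js", "WScript.Echo('constructed sample, not malware');")
        zf.writestr("logo.png", b"\x89PNG\r\n\x1a\n")
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"MZ-not-a-real-binary", maintype="application", subtype="octet-stream",
                       filename="photo.scr")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png", filename="holiday.png")
    return bytes(msg)


if __name__ == "__main__":
    for attachment, found in screen_message(build_constructed_sample()).items():
        print(f"{attachment}: {'; '.join(found)}")
```

The check is by name and container only; it does not look at content, so a macro-enabled document or an exploit in a legitimate-looking PDF passes it. That is exactly why point 8 still applies: open anything that passes but is not expected in a sandbox.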
