Posts Tagged Ransomware Attack

Understanding The Concept Of Ransomware As A Service

Ransomware is a type of malware that extorts money from the target victim by infecting and taking control of the victim’s systems or secured documents stored in the system. Ransomware attacks either locks the computer from normal use or encrypts the documents using a key available with the attacker only.  ‘Ransomware as a Service’ is a kind of ‘Software as a Service’ provided by tech vendor. RaaS can also be defined as a ransomware infrastructure that is rented to hackers on dark web. It is an easy platform for novice hackers (with zero to low knowledge of coding malware) to access ransomware attacks and implant these ransomwares on victim’s machines for claiming extortion money.

How Does RaaS Function?

Here is a simple map of events to explain the functioning of RaaS model:

  • A deceitful vendor offers a tool containing Ransomware on Dark web
  • The package contains all the software and related files needed for a successful ransomware attack
  • Hackers and malicious actors purchase this tool package
  • They use the tools for attacking a victim’s system or network to get hold of computer files and information
  • Depending upon the type of ransomware, it may either lock or encrypt the files
  • The hackers now demand financial ransom in exchange of returning data access to the victim

Similar to other ‘Software as a Service’ models, RaaS involves user services such as provision of desktop, infrastructure, ERP, customer relationship management or other digital services. The buyers of RaaS have the option to order up the capability of the ransomware for launching a more severe attack.

Some important points to note include:

  • RaaS users take deliberate steps to conceal their identity and take deliberate steps to make their actions hard to track. A common practice is to demand payments in digital currency as it is comparatively difficult to trace.
  • Once the victim makes the ransom payment, it is not guaranteed that the hacker will provide the decryption key to the victim. Also, making the ransom payment does not ensure that the hacker will not leak any files or documents.

What Measures Can Be Taken To Combat RaaS Attacks?

Organizations need to take following measures to secure themselves against RaaS attacks:

  • Employees are the most vulnerable entry point but they may be used as first line of defense, if properly educated. Regularly educate them on the latest ransomware attacks and cyber security practices they should employ.
  • Secure the system and network by continuously auditing for any vulnerability. Also, regularly update the cyber security tools for latest versions.
  • Maintain a backup of all the files at a location from where they can be easily retrieved. This helps the business to keep functioning even if the systems are attacked.

For more information on understanding the concept of ‘Ransomware as a Service’, contact Centex Technologies at (254) 213 – 4740.

, , , ,

No Comments

What Is Maze Ransomware?

Maze is a sophisticated version of Windows ransomware that was discovered in May 2019. The ransomware was previously known as ‘ChaCha ransomware’. The goal of the ransomware is to crypt the files it finds on an infected system and demand a cryptocurrency payment in exchange of safe recovery of the encrypted data.

What Makes Maze Different?

Like other ransomware, Maze is capable of spreading across a corporate network and infecting all the computers connected to the victim network. It encrypts the data files in order to render them useless safely recovered.

However, what sets it apart from other ransomware is its ability to steal the data on infected systems and send it to servers controlled by the hackers. This allows hackers to threaten the victim organization to release its documents in case the ransom is not paid.

Thus, even if an organization uses a back up to retrieve the files, it is still obliged to pay the ransom to prevent public release of its documents.

The Maze hackers maintain a website where they list their clients (term used for victims who fail to pay the ransom). The website includes details such as name of the victim, when their computer systems were infected, links to download stolen data as “proof” and convenient buttons to share the details of breach on “social media”. The hackers have no reservations about offering uncensored downloads of stolen data that can damage an organization’s reputation.

How Does Maze Ransomware Work?

Maze ransomware makes use of different techniques to gain entry into a network. Some techniques include-

  • Use of exploit kits such as Fallout and Spelevo
  • Remote desktop connections with weak security
  • Email impersonation (the email contains a word attachment that uses macros to run the malware in the system)

The malware is a 32 bits binary file that is usually packed as an EXE or DLL file.

The malware encrypts the files in an easy step-by-step process:

  • Locate the file using “SetFileAttributesW” function & “FILE_ATTRIBUTE_ARCHIVE” attribute.
  • Reserve memory to the file with a call to “Virtual Alloc”.
  • Open the file with read and write permissions.
  • Get the file size with the “GetFileSizeEx” function.
  • Create a file mapping.
  • Generate a random key of 32 bytes with the function “CryptGenRandom”.
  • Generate a random ‘Initialization Vector (IV)’ of 8 bytes with the function “CryptGenRandom”.
  • Reserve 264 bytes of memory with the function “VirtualAlloc”.
  • Generate a new random extension for the victim file.
  • Crypt the file.
  • Write this new block with the key and IV to decrypt at the end of the file.
  • Rename the file with the function “MoveFileExW”.
  • The image of the file is unmapped, and handles closed.
  • The process is repeated with new files.

When all files are crypted, the wallpaper of the system is switched with a note to inform the user about the attack.

Maze also has a chat function to contact the hackers and receive the information about payment details.

For more information on IT security, contact Centex Technologies at (254) 213 – 4740.

, ,

No Comments

Understanding Clop Ransomware

Clop is a ransomware-type virus that belongs to the CryptoMix family. The word ‘Clop’ itself means ‘bug’ in Russian. The virus is mostly aimed at English-speaking users and tends to target complete networks instead of individual users.

Clop ransomware infects systems running on the Microsoft Windows platform. It has been designed to encrypt data and rename every file by appending the ‘.clop’ extension. After successful encryption of files, Clop generates a text file containing the ransom message and places its copy in every existing folder. Another unique character of Clop ransomware is the string ‘Dont Worry C|0P’ included in the ransom note. The decryption keys are stored on a remote server controlled by cyber criminals. This makes it necessary for every victim to pay the ransom in order to get the decryption key.

What Is The Payload Used For Clop Ransomware?

Transmission:

The Clop ransomware is distributed in the form of an executable that has been a code-signed digital signature. It makes the executable appear more legitimate and helps it in bypassing the system security.

The virus infection is spread through a macro or JavaScript attachment in a spam email. Sometimes, the virus may be delivered as a downloadable link in an email. Other ways of spreading the Clop ransomware include exploit kits, malwertizement, and compromised websites.

Execution:

After infection, the virus first stops the Windows services and programs to ensure the disabling of antivirus software such as Windows Defender etc. Additionally, it closes all the files so that they are ready for encryption. For disabling the Windows Defender, the virus configures various Registry values that disable behavior monitoring, real time protection, sample uploading to Microsoft, Tamper protection, cloud detections, and antispyware detections. In the case of older computer systems, Clop uninstalls Microsoft Security Essentials to surpass the security.

After terminating processes, it creates a batch file, which is executed soon after the ransomware is launched. The batch file disables windows automatic Startup repair. The ransomware then starts encrypting the files on the victim system and adds the ‘.Clop’ extension to the name of encrypted files.

The ransom note is created under the name ‘ClopReadMe.txt’ and a copy is placed in every folder.

How To Stay Protected?

  • Use an updated version of antivirus.
  • Scan the spammed mails.
  • Avoid clicking on unidentified links, advertizement or websites.
  • Create regular backups of the files.

For more information on how to secure your network for various threats, contact Centex Technologies at (254) 213 – 4740.

 

, , , ,

No Comments