What is Ransomware?

Ransomware is a family of malware that takes files on a computer, network share, backup server, etc., encrypts them, and then extorts the user for money to unlock them. If the user doesn't pay within a few days, the files are lost.


The following are important considerations to remember about ransomware:

Ransomware, of which CryptoLocker, CryptoDefense and CryptoWall are well-known examples, is one of the most common and destructive threats faced by Internet users today. It is a family of malware that can obtain files on a PC or network storage, encrypt them, and then extort money to unlock the files.

The first stage of a ransomware attack is getting onto your machine and running. Once the executable has been run, either by a user or by another malicious file, it connects to the criminal's command-and-control (C&C) server and sends information about the host. This connection is called callback or C2 traffic and generally uses the standard ports: port 80 with HTTP or port 443 with HTTPS.

The information sent by the ransomware usually comprises details of the operating system, the IP address, the geographic location, and the access permissions of the account running the ransomware. For example, if the ransomware is running with domain administrator rights, the criminals can use this information to launch other attacks.

The C&C server that receives this information responds with the encryption key needed to encrypt the files on the machine. The attack is done in two stages (first infecting the machine, then obtaining the encryption key) so that the key stays secret. Without the encryption key it is almost impossible to decrypt the files.

When the ransomware receives the encryption key, it starts encrypting files, targeting local files first, then files on removable media (USB sticks, external hard drives), and then any accessible network location (mapped drives, network shares). This can take hours or days, depending on the number of files, and stops when it completes or when the user turns off the machine.

A ransom note is created in each folder containing files encrypted by the ransomware. These notes are generally created in several file formats (.txt, .html, .png) to ensure that the victim can open at least one of them. The ransom note is also saved on the host's desktop, and the desktop background is replaced with an image of the ransom note.

Some variants of ransomware deploy auxiliary payloads on the machine after the encryption phase of the attack. Unlike the ransomware itself, which is destructive and conspicuous, the second payload is usually completely hidden from the user and designed to avoid detection on the machine. These helper payloads are generally designed to steal usernames and passwords.

The final stage of the ransomware attack is to erase itself. This is done to reduce the chance that security companies obtain a sample of the ransomware for analysis. What remains are the encrypted versions of the files and the ransom notes. These are not malicious files and are generally not detected or removed by antivirus products.
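Because the files left behind are not themselves malicious, defenders usually look for the behaviour described above rather than for a signature. The following is an added example, not code from the original article: a small Python detector that scans file-system event records for a process renaming many files across several folders within a short window and dropping the same note file name into each of those folders. The event format, process names, paths and thresholds are all assumptions constructed for this demo.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-system events (not real telemetry): "ISO-time|process|action|path".
SAMPLE_EVENTS = """\
2024-03-01T09:00:00|WINWORD.EXE|WRITE|C:\\Users\\ann\\Documents\\q1.docx
2024-03-01T09:30:00|svchost2.exe|RENAME|C:\\Users\\ann\\Documents\\q1.docx.locked
2024-03-01T09:30:00|svchost2.exe|CREATE|C:\\Users\\ann\\Documents\\HOW_TO_DECRYPT.txt
2024-03-01T09:30:01|svchost2.exe|RENAME|C:\\Users\\ann\\Pictures\\cat.jpg.locked
2024-03-01T09:30:01|svchost2.exe|CREATE|C:\\Users\\ann\\Pictures\\HOW_TO_DECRYPT.txt
2024-03-01T09:30:02|svchost2.exe|RENAME|E:\\backup\\db.bak.locked
2024-03-01T09:30:02|svchost2.exe|CREATE|E:\\backup\\HOW_TO_DECRYPT.txt
2024-03-01T09:30:03|svchost2.exe|RENAME|Z:\\finance\\ledger.xlsx.locked
2024-03-01T09:30:03|svchost2.exe|CREATE|Z:\\finance\\HOW_TO_DECRYPT.txt
2024-03-01T09:30:04|svchost2.exe|RENAME|Z:\\finance\\payroll.xlsx.locked
2024-03-01T09:45:00|WINWORD.EXE|WRITE|C:\\Users\\ann\\Documents\\q2.docx
""".splitlines()

def parse_event(line):
    ts, proc, action, path = line.split("|", 3)
    return datetime.fromisoformat(ts), proc, action, path

def detect_ransomware(lines, window=timedelta(seconds=60), min_files=4, min_dirs=3):
    """Return {process: [reasons]} for processes showing the two traits.
    Thresholds are demo values; tune them against your own baseline."""
    by_proc = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_proc[ev[1]].append(ev)
    alerts = defaultdict(list)
    for proc, events in by_proc.items():
        events.sort()
        # Trait 1: a burst of renamed/overwritten files spanning several folders.
        mods = [(ts, path) for ts, _, act, path in events if act in ("RENAME", "WRITE")]
        for i, (t0, _) in enumerate(mods):
            burst = [p for t, p in mods[i:] if t - t0 <= window]
            if len(burst) >= min_files and len({ntpath.dirname(p) for p in burst}) >= min_dirs:
                alerts[proc].append(f"mass file modification: {len(burst)} files in {window.seconds}s")
                break
        # Trait 2: the same new file name dropped into many folders (a ransom note).
        note_dirs = defaultdict(set)
        for _, _, act, path in events:
            if act == "CREATE":
                note_dirs[ntpath.basename(path)].add(ntpath.dirname(path))
        for name, dirs in note_dirs.items():
            if len(dirs) >= min_dirs:
                alerts[proc].append(f"identical file '{name}' created in {len(dirs)} folders")
    return dict(alerts)

if __name__ == "__main__":
    for proc, reasons in detect_ransomware(SAMPLE_EVENTS).items():
        print(proc, "->", "; ".join(reasons))
```

In the sample data only the renaming process trips both rules; the word processor's two ordinary writes, 45 minutes apart, stay below the thresholds.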