Have you been hit by a ransom malware? You came to the right place!
In recent years, we have witnessed tremendous growth in both the number and the aggressiveness of ransom malware. First, it must be understood that this is usually an attack for economic purposes: the attacker takes the existing information, encrypts it, and demands that the victim pay a ransom in order to release the information.
One of our clients called urgently and under great pressure (and rightly so): "Listen, someone took over my computer," he said, "the information I have on the drives is sensitive... Can you help me??" Within minutes, an urgent call went out to the team of data security engineers in the laboratory. The team then connected to the servers and began the rescue project, which was given the name Operation Shulman.
What is a ransom malware?
Typically, the attackers search for a specific target, or are even commissioned or paid to go after someone. The sensitive files are encrypted using a ransom virus, and then comes the demand for money; they will require a lot of money to recover the files. An attacker typically works from a list of file extensions or folder locations, and the ransom code aims its encryption precisely at the most sensitive locations on the drive. Because the files are encrypted, it is almost impossible to decrypt or crack them without the original encryption key, which only the attacker has access to.
The best advice for prevention and for protecting customers is to ensure data confidentiality and restrict access to sensitive data, with the help of laboratory experts who have many years of experience and know the hackers and the way they operate closely. Confidentiality should match the value of the data: important files are backed up securely and remotely, in a backup or storage facility that cannot be reached from the affected systems. As is well known, ransom malware often installs itself days or even months before it actually runs, functioning as a dormant agent that can be activated at any time.
Some of this code extracts the sensitive information from the servers long before the ransom demand appears to the user, and by then it is too late: the files are in the possession of the hackers even before the payment is requested. Various recovery methods exist, but recovery is only a temporary remedy for the break-in, not a comprehensive solution that protects against future break-ins.
Therefore it is very important to protect the data with the help of skilled professionals; the Lab is at your service. Operation Shulman was successful, and all the sensitive data was returned to its owners. In addition, the system was checked, and all the security breaches through which the hackers got in were sealed. The material was saved and the system was locked down.
The operation was a success!
Ransom malware - technical details
In some cases, a third-party tool published by a security company can decrypt files for a few specific ransom malware "families". The tools created by FireEye and Fox-IT, for example, can help recover encrypted files.
Ransom malware is common mainly on the Italians' servers on the East Coast of the United States, so I think that if you have servers over there, it's good for you to know this. From the end of 2015 until now we have seen the rise of Tescrypt worldwide, but mainly in the countries I mentioned. Crowti is still in the Top 5, great work by this team, but Brolo and FakeBsod have also done, and still do, 1'7 with impressive underground aggressiveness.
The team that has started to decline, and even seems to be collapsing, is one I especially liked: Reveton. Their attack does not break the code itself; rather, it is a witty solution that undoes the purpose of the code and its metastases:
Ransom:HTML/Tescrypt.E
Ransom:HTML/Tescrypt.D
Ransom:HTML/Locky.A
Ransom:Win32/Locky
Ransom:HTML/Crowti.A
Ransom:HTML/Exxroute.A
Ransom:Win32/Cerber.A
Ransom:JS/FakeBsod.A
Ransom:HTML/Cerber.A
Ransom:JS/Brolo.C
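A defender-side heuristic that combines the two behaviours this page describes: the targeted file-extension list from the "What is a ransom malware?" section and the HTML/text ransom notes behind the Ransom:HTML names above. This is an added example, not the Lab's code; the document-extension set, the note-name patterns and the file events are constructed assumptions.

```python
"""Heuristic detection of ransomware-style file activity over a list of filesystem events."""
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# Document types ransomware families commonly enumerate (assumed list for this example).
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".sql", ".bak"}
# Name prefixes and extensions typical of dropped ransom notes (assumed patterns).
NOTE_NAMES = ("readme", "how_to", "recover", "decrypt", "help_")
NOTE_EXTS = {".html", ".htm", ".txt", ".hta"}

# Constructed sample of filesystem events as (operation, path); not real data.
SAMPLE_EVENTS = [
    ("modify", "/srv/share/finance/budget.xlsx"),
    ("rename", "/srv/share/finance/budget.xlsx.zzz"),
    ("rename", "/srv/share/finance/payroll.docx.zzz"),
    ("rename", "/srv/share/hr/contracts.pdf.zzz"),
    ("rename", "/srv/share/hr/photo.jpg.zzz"),
    ("rename", "/srv/share/db/backup.sql.zzz"),
    ("create", "/srv/share/finance/_HELP_instructions.html"),
    ("create", "/srv/share/hr/README_RECOVER.txt"),
    ("rename", "/srv/share/it/archive.tar.gz"),   # benign double suffix, must not count
    ("modify", "/srv/share/it/notes.txt"),         # benign .txt, not a note name
]

def analyse_events(events, burst_threshold=5):
    """Count document files that gained a foreign suffix, collect probable ransom notes,
    and raise an alert when a suffix burst reaches the threshold or any note is seen."""
    appended = Counter()
    affected_dirs = defaultdict(set)
    notes = []
    for op, path in events:
        p = PurePosixPath(path)
        sfx = [s.lower() for s in p.suffixes]
        # A document extension followed by one more suffix, e.g. report.docx.zzz
        if op in ("rename", "create") and len(sfx) >= 2 and sfx[-2] in DOCUMENT_EXTS:
            appended[sfx[-1]] += 1
            affected_dirs[sfx[-1]].add(str(p.parent))
        # A dropped note such as README_RECOVER.txt or _HELP_instructions.html
        name = p.name.lower().lstrip("_")
        if p.suffix.lower() in NOTE_EXTS and name.startswith(NOTE_NAMES):
            notes.append(path)
    bursts = {ext: n for ext, n in appended.items() if n >= burst_threshold}
    return {
        "suspicious_extensions": bursts,
        "directories": {ext: sorted(affected_dirs[ext]) for ext in bursts},
        "ransom_notes": notes,
        "alert": bool(bursts) or bool(notes),
    }
```

The directory list tells a responder where the encryption ran, which is exactly the scope the backup restore has to cover.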