What to do if a trojan has encrypted your files
Monday, October 23, 2023
In the Anti-virus Times, we have already written about encryption ransomware, or, as they are also called, encryption trojans. People rightly assume that this type of malware is one of the most dangerous — the total financial damage caused by the actions of encryption ransomware over the past ten years can hardly be calculated. At the same time, it is not only about the money given to attackers as a ransom. The restoration costs after incidents, lost profits and time and, of course, destroyed information, whose value may not be expressible in money at all, are the real consequences of such attacks.
If you monitor news and trends in the field of information security, you may get the impression that, in recent years, attacks involving encryption ransomware threaten only large corporations and government agencies. Indeed, every year we can observe dozens of similar incidents, which are reported by various resources devoted to computer topics. The motives of cybercriminals are clear: they hope to receive appropriate "fees" by successfully attacking large companies. The prospect of destroying or, worse, disclosing sensitive information poses a serious threat to an entire enterprise, so some victims are ready to cut a deal, and fraudsters take advantage of this.
Unfortunately, all this does not mean that ordinary users and home systems and networks are no longer a target for encryption ransomware. On the Internet, there is still a huge number of different modifications of trojans of this family, which are often distributed with email attachments or disguised as useful programs. Small companies that do not pay enough attention to information security and appropriate training for their employees are also at risk. An attack does not have to be targeted to cause serious damage to business processes.
We often talk about the fact that it is always easier and cheaper to prevent an incident than it is to deal with its consequences. Scenarios and results of ransomware attacks only prove this statement. In one of our previous Anti-virus Times issues, we briefly analysed how to minimise the risks of encryption ransomware infections. Today we will talk about what to do if the data on your computer has already been encrypted.
To get started, let's recall how ordinary encryption ransomware functions in most cases. When launched, it starts encrypting the files on the computer according to its built-in logic. First, it determines which files should be encrypted. Most often, these are images, documents, archives, database files, backups, and other user information. As a rule, the trojan's code defines the list of extensions and even the file names to be encrypted. Second, the files are encrypted according to a certain algorithm with the help of an encryption key. Typically, a trojan encrypts all the files with the specified extensions that it can access. Some ransomware modifications also attempt to gain access to network drives or other devices connected to the computer. In this way, a trojan can also encrypt files on external drives and network storage. The encryption process is not instantaneous; that is, if you forcibly turn off the computer while the program is running, some of the files will remain unencrypted. The running time of the encryption ransomware depends on the number of files processed, computer performance and the algorithm of the trojan itself. After the files are encrypted, the malware creates a so-called "ransom note" on the desktop — a text file with an explanation of what happened, the demands being made, and the attacker's contact information.
Most encryption ransomware adds its own extension to the name of the modified file, which, among other things, can be used to try to determine what sample of the trojan is involved. It is worth saying that encrypted files involve more than just altered data. Most often, in the process of working, the malware creates a temporary encrypted file based on the "clean" file and then overwrites the original with this temporary file. This approach technically complicates the ability to recover information without decryption.
If it has so happened that the files were encrypted by a trojan, then the most correct and simple solution to the problem would be to launch an anti-virus scanner to neutralise the threat and then restore the data from the current backup. But the stark reality of life is that not everyone has backups. If the encrypted data is of great value, the user may be tempted to pay the attacker a ransom to get their files back. Often, in their notes, cybercriminals promise not only to restore the data, but also to share "secret" knowledge on how people can protect their PCs from similar attacks in the future — in general, they do everything possible to persuade the user to make a deal.
Information security experts strongly recommend not giving in to the extortion of intruders. Payment encourages further criminal activity and also encourages virus writers to develop new versions of malware. In addition, there is no guarantee that after payment, the ransomware operator will make contact and send a decryption key. It bears mentioning that the creators of trojans do not always have the opportunity to decrypt the data encrypted by their own program. Finally, a computer can be infected with an old ransomware version whose handler has retired for some reason. But can you do anything about this?
In fact, the further consequences of the incident will largely depend on luck. If the computer is infected with encryption ransomware whose decryption key is freely available on the Internet, we can consider that the user got off lightly. The bad news is that the probability of such an event is very low — there are thousands of modifications of ransomware trojans in the world, and their modern versions use cryptographic algorithms and keys that are unique to each copy of the malware. Restoring files from Windows shadow copies is also not always possible: effective encryption ransomware can use standard system tools to delete the service files needed for that kind of recovery.
So, what if the files have been encrypted? First of all, isolate the computer if it is part of a network. After that, we recommend that you contact Doctor Web's technical support service via a special form on our website. You will need to save a sample of the encrypted file and the ransom note to a separate medium (we are going to discuss how to do this correctly below); after that, it is better to disconnect the infected computer for a while. All further actions, including contacting the technical support service, should be performed on another device. Keep in mind that attempts to modify or delete corrupted or temporary files, and also the launch of any recovery program and other independent actions in the infected system, can lead to the situation where even a special utility with the necessary key cannot restore the data. Therefore, it is important to wait for the verdict of our specialists on the technical possibility of recovery before taking any further steps, including curing the system with an anti-virus program.
Along with this, we recommend that you file a police report, stating that your computer has been accessed without your authorisation and is being used to distribute malware and that you are being extorted. If, instead of receiving the ransom they were expecting, cybercriminals around the world feel only the gaze of law enforcement, it is unlikely that this will motivate them to continue to engage in such useless and dangerous activities — digital extortion. But remember that if a criminal case is launched, you can be asked to hand over the infected device for examination, and that will take some time. And even if such a step does not help you here and now, citizens' appeals will still be a driving force directed against intruders. And this is an argument in favour of the fact that there will be fewer such incidents in future.
If you want to try to solve the problem on your own, there are a number of special services on the Internet that determine the trojan modification involved. These services are based on an analysis of the encrypted file sample and the ransom note. After you know which ransomware has been on your computer, you can search the Internet for decryption keys and file-recovery instructions. Recall that all incident-investigation actions should be performed on a separate, uninfected device. At the same time, observe security measures when transferring the sample files to removable media. To reduce risks, enable the display of hidden and system files on the infected device. Then transfer the necessary data — samples of the encrypted files and a text document containing the ransom note — to a freshly formatted "flash drive". At the same time, make sure that no extra files appear on the removable media. It is worth noting that encryption ransomware usually does not spread via removable media, but additional caution can't hurt in this matter. But if you connect a data drive to an infected device, there is a high risk that the files on it will also be encrypted. Therefore, we recommend that you use our product Dr.Web LiveDisk, whose capabilities we described in this article, as a secure environment. It can be used to transfer the necessary data; during this process, the malicious program will not be able to run in that environment.
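As an added illustration of the sample-collection step above (and of using the appended extension mentioned earlier to characterise the trojan), here is a read-only triage script; it is not Doctor Web's tooling. It assumes the infected volume is mounted read-only from a clean environment such as a live disk, and the extension list, note keywords and demo folder are constructed assumptions rather than anything taken from a real sample.

```python
# Read-only triage of a folder suspected to hold ransomware-encrypted files (added example,
# not Doctor Web tooling; assumes the volume is mounted read-only from a clean environment).
import hashlib
import os
import tempfile
from collections import Counter
from pathlib import Path

# User-data extensions of the kind the article says ransomware targets (assumed list).
KNOWN_EXTENSIONS = {".jpg", ".png", ".docx", ".xlsx", ".pdf", ".zip", ".sql", ".bak", ".txt"}
# Phrases typical of a ransom note; two or more hits flag a small text file as a note.
NOTE_KEYWORDS = ("encrypted", "decrypt", "bitcoin", "ransom", "your files")


def appended_extension(name: str):
    """'report.docx.locked' -> '.locked'; an untouched 'report.docx' -> None."""
    s = [x.lower() for x in Path(name).suffixes]
    if len(s) >= 2 and s[-2] in KNOWN_EXTENSIONS and s[-1] not in KNOWN_EXTENSIONS:
        return s[-1]
    return None


def looks_like_ransom_note(path: Path) -> bool:
    """Small .txt/.html/.hta file whose text contains at least two note keywords."""
    if path.suffix.lower() not in (".txt", ".html", ".hta") or path.stat().st_size > 65536:
        return False
    text = path.read_bytes().decode("utf-8", errors="ignore").lower()
    return sum(k in text for k in NOTE_KEYWORDS) >= 2


def triage(root: Path) -> dict:
    """Walk root without writing to it; keep one SHA-256-hashed sample per appended extension."""
    inv = {"extensions": Counter(), "samples": {}, "notes": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            ext = appended_extension(name)
            if ext:
                inv["extensions"][ext] += 1
                inv["samples"].setdefault(ext, (str(p), hashlib.sha256(p.read_bytes()).hexdigest()))
            elif looks_like_ransom_note(p):
                inv["notes"].append(str(p))
    return inv


def build_sample_tree() -> Path:
    """CONSTRUCTED demo input: a partly encrypted user folder plus a ransom note on the desktop."""
    base = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    (base / "Documents").mkdir(); (base / "Desktop").mkdir()
    (base / "Documents" / "report.docx.locked").write_bytes(os.urandom(256))
    (base / "Documents" / "photo.jpg.locked").write_bytes(os.urandom(256))
    (base / "Documents" / "untouched.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    (base / "Desktop" / "HOW_TO_RECOVER.txt").write_text("Your files are encrypted. Pay to decrypt.")
    return base
```

Run `triage(build_sample_tree())` for the demo, or `triage(Path("/mnt/victim"))` against a read-only mount; the resulting extension counts, hashed samples and note paths are what you would copy to a clean medium and pass to technical support.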
Following the same principle, you can copy all encrypted files to a separate blank media to decrypt them in the future, when the decryption key is found. The probability of such an event may approach zero, but it cannot be excluded — especially if the lost files were of particular value to you.
As you can see, a successful encryption ransomware attack involving strong algorithms leaves you with not too many ways of getting your files back. Virus writers continue to improve their creations, and, as a rule, they test fresh malware assemblies to see if anti-virus software can detect them. This means that the risk of infection is always present, especially when digital security is neglected. At the same time, using comprehensive anti-virus protection and complying with simple rules, coupled with regularly creating backups, virtually nullifies all the efforts of digital extortionists.
The Anti-virus Times recommends
- Use a reliable anti-virus complex that has preventive protection and behavioural analysis mechanisms. Do not disable automatic updates and your protection when installing and launching programs.
- Create an account without administrator rights in the operating system for daily work. When most trojans are launched without administrator rights, their capabilities are limited to the point that their malicious functionality is lost entirely.
- Configure the creation of backups. This may require the purchase of additional equipment, but all money spent will be fully compensated in the event of an encryption ransomware infection or the physical failure of the hard drive. Encryption ransomware can destroy backups, so the backup storage must be securely protected. Cloud solutions can be used to store personal archives.
- Do not forget to install important security updates for the operating system and other programs you work with.
- Unlike network worms with file-encryption features, trojans require a user to run them. Therefore, it is important to follow the basic rules of digital hygiene: pay attention to email attachments and phishing tricks, download software distributions only from trusted sources and do not ignore security warnings.
- If an infection does occur, isolate the computer from your other devices and contact Doctor Web's technical support service to request file decryption. It is possible that the decryption key for your copy of the trojan is freely available.
- Do not succumb to the tricks of cybercriminals and do not encourage their activities financially. No one will give you a guarantee that the files will be recovered after you pay the ransom.