Wednesday 31 May 2017

Tuesday 16 May 2017

How to remove ransomware like WannaCry : Commonsense

Ransomware doesn’t sneak into your PC like ordinary malware. It bursts in, points a gun at your data, and screams for cash—or else. And if you don’t learn to defend yourself, it could happen again and again, as the WannaCry or Wanna Decryptor outbreak is demonstrating.
WannaCry appears to leverage software developed by the National Security Agency that was later turned into malware. It has already struck the U.K. National Health Service and several banks and other organizations.
Armed gangs of digital thieves roaming the information superhighway sounds like an overwrought action movie, but the numbers say it’s true: Ransomware attacks rose from 3.8 million in 2015 to 638 million in 2016, an increase of 167 times year over year, according to Sonicwall—even as the number of malware attacks declined. Why steal data when you can simply demand cash?


For the first time ever, the recent RSA security conference in San Francisco held a comprehensive one-day seminar on ransomware, detailing who’s being attacked, how much they’re taking—and, more importantly, how to block, remove and even negotiate with the crooks holding your data hostage. We came away with a trove of information that you can use to formulate an anti-ransomware strategy.

[Image, credit Eric Geier] Anti-ransomware solutions like Malwarebytes are a reliable go-to for extra protection from unsavory software, but they’re not foolproof.

Ransomware hits you where it hurts—so prepare

Three years ago, my wife’s computer was invaded by ransomware, imperiling baby photos, tax documents, and other personal data. My heart sank: Would we have to pay out hundreds of dollars to avoid losing our entire digital lives? Thank goodness, no—because we had already taken most of the steps that the experts recommend.
The first step: Understand your enemy. According to Raj Samani, the chief technology officer of Intel Security’s EMEA business, there are over 400 families of ransomware in the wild—even some for Mac OS and Linux. A survey by Datto found that CryptoLocker, which hunts down and imprisons your personal documents via time-locked encryption, was by far the most prevalent. But they vary. One took over a victim’s webcam and caught embarrassing footage, threatening to post it online, according to Jeremiah Grossman, chief of security strategy at SentinelOne.
A few common-sense habits can help mitigate your exposure to malware and ransomware, experts say: 
  • Keep your PC up to date via Windows Update. WannaCry doesn't even try to attack Windows 10, choosing instead Windows XP and other older Windows operating systems.
  • Ensure you have an active firewall and antimalware solution in place. Windows Firewall and Windows Defender are barely adequate, and a good third-party antimalware solution is far better. WannaCry patches are already available, however, even for Windows 8 and Windows XP.
  • Don’t rely on antimalware to save you, however. Experts speaking at the RSA session reminded attendees that antivirus companies were only just getting around to addressing ransomware, and their protection isn’t guaranteed. 
  • Ensure that Adobe Flash is turned off, or surf with a browser, like Google Chrome, that turns it off by default.
  • Turn off Office macros, if they’re enabled. (In Office 2016, you can ensure they’re off from the Trust Center > Macro Settings, or just type “macros” in the search box at the top, then open the “Security” box.)
  • Don’t open questionable links, either on a webpage or especially in an email. The most common way you’ll encounter ransomware is by clicking on a bad link. Worse still, about two-thirds of the infections that Datto tracked were on more than one machine, implying that infected users forwarded the link and exposed more people. 
  • Likewise, stay out of the bad corners of the Internet. A bad ad on a legitimate site can still inject malware if you’re not careful, but the risks increase if you’re surfing where you shouldn’t.
For dedicated antimalware protection, consider Malwarebytes 3.0, which is advertised as being capable of fighting ransomware. RansomFree has also developed what it calls anti-ransomware protection. Typically, however, antimalware programs reserve anti-ransomware for their paid commercial suites. You can download free anti-ransomware protection like Bitdefender’s Anti-Ransomware Tool, but you’re protected from only four common variants of ransomware.


A good, but not perfect, defense: Backup

Ransomware encrypts and locks up the files that are most precious to you—so there’s no reason to leave them vulnerable. Backing them up is a good strategy.
Take advantage of the free storage provided by Box, OneDrive, Google Drive, and others, and back up your data frequently. (But beware—your cloud service may back up infected files if you don’t act quickly enough.) Better yet, invest in an external hard drive—a Seagate 1TB external hard drive is only $55 or so—to add some less-frequently accessed “cold storage.” Perform an incremental backup every so often, then detach the drive to isolate that copy of your data. (CIO.com has some additional backup advice to help defeat ransomware, as does our earlier story.)

[Image, credit Ian Paul/PCWorld] You’ll feel a lot better if you have your data backed up online and off.

If you are infected, ransomware may allow you to see exactly which files it’s holding hostage via File Explorer. One clue may be ordinary .DOC or .DOCX files with strange extensions attached. Ondrej Vlcek, the chief technical officer of Avast, offered an unintuitive piece of advice: If the ransomware isn’t time-locked, and you don’t need the files right away, consider leaving them alone. (Work on another PC, though.) It’s possible that your antivirus solution may be able to unlock them later as it develops countermeasures.
Backup isn’t foolproof, however. For one thing, you may need to research how to back up saved games and other files that don’t fit neatly into “Documents” or “Photos.” Ditto for utilities and other custom apps.

What to do if you’re infected by ransomware

How do you know you have ransomware? Trust us, you’ll know. Ransomware like the busted Citadel ring “warned” that your PC was associated with child pornography, and the imagery associated with most ransomware is designed to invoke stress and fear.
Don’t panic. Your first move should be to contact the authorities, including the police and the FBI’s Internet Crime Complaint Center. Then ascertain the scope of the problem by going through your directories and determining which of your user files have been affected. (If you do find your documents now have odd extension names, try changing them back—some ransomware uses “fake” encryption, merely changing the file names without actually encrypting them.)
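The file-by-file triage described in the two passages above (spotting .DOC or .DOCX files with a strange extra extension, and testing whether the “encryption” is fake before renaming anything back) can be automated. The script below is an added example, not code from the PCWorld article or from any vendor it names. It checks each file’s leading bytes against the well-known signature for its document type, so a renamed-but-intact file is told apart from a really encrypted one, which should be left untouched for a later decryptor. The sample files, their contents, and the “.locked” and “.crypt” suffixes are constructed for the demonstration and are not tied to any particular ransomware family.

```python
import tempfile
from pathlib import Path

# Leading bytes ("magic numbers") of common user-document formats. Office 2007+
# files are ZIP containers, so .docx/.xlsx/.pptx all start with the PK signature.
MAGIC = {
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0",
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG",
}


def split_known_extension(name):
    """Find the first tracked document extension inside a file name.

    'letter.docx.locked' -> ('letter.docx', '.docx', ['locked'])
    'budget.xlsx'        -> ('budget.xlsx', '.xlsx', [])
    'notes.txt'          -> (None, None, [])
    """
    parts = name.split(".")
    for i in range(1, len(parts)):
        ext = "." + parts[i].lower()
        if ext in MAGIC:
            return ".".join(parts[: i + 1]), ext, parts[i + 1:]
    return None, None, []


def restore_name(name):
    """Name the file carried before a suffix was appended, or None when the
    name contains no tracked document extension."""
    return split_known_extension(name)[0]


def classify(path):
    """Triage verdict for one file, without modifying it:
      'intact'       - expected extension, header matches the format
      'renamed_only' - extra suffix appended, but the header is still valid
                       ("fake" encryption: renaming back restores the file)
      'encrypted'    - extra suffix appended and the header is gone
                       (really encrypted: keep the file for a future decryptor)
      'damaged'      - expected extension but the header no longer matches
                       (encrypted in place)
      'unknown'      - no tracked extension in the name
    """
    _, ext, trailing = split_known_extension(path.name)
    if ext is None:
        return "unknown"
    with open(path, "rb") as fh:
        head = fh.read(8)
    header_ok = head.startswith(MAGIC[ext])
    if trailing:
        return "renamed_only" if header_ok else "encrypted"
    return "intact" if header_ok else "damaged"


def scan(directory):
    """Map every file under `directory` (relative path) to its triage verdict."""
    root = Path(directory)
    return {str(p.relative_to(root)): classify(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


# Constructed sample files: the '.locked' and '.crypt' suffixes and the junk
# bytes stand in for what a renaming or an encrypting strain would leave behind.
_ZIP_HEADER = b"PK\x03\x04" + b"\x14\x00" * 20
_JUNK = b"\x3a\x9c\x7f\x01" * 10
SAMPLE_FILES = {
    "budget.xlsx": _ZIP_HEADER,          # untouched
    "letter.docx.locked": _ZIP_HEADER,   # renamed, contents intact
    "photo.jpg.crypt": _JUNK,            # renamed and encrypted
    "thesis.pdf": _JUNK,                 # encrypted in place
    "notes.txt": b"format not tracked",  # nothing to compare against
}


def build_sample_tree(directory):
    """Write the constructed samples into `directory`."""
    for name, data in SAMPLE_FILES.items():
        (Path(directory) / name).write_bytes(data)


def demo():
    """Build the samples in a temporary directory and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for name, verdict in demo().items():
        hint = restore_name(name) if verdict == "renamed_only" else ""
        print(f"{name:24} {verdict:14} {hint}")
```

Run it against a copy of the affected folders, or with the drive mounted read-only: the script only reports and never renames or rewrites anything. restore_name() gives the name to put back on a file that triaged as renamed_only; anything that triaged as encrypted or damaged should be kept exactly as it is, together with the ransom note, because vendor decryptors typically need an untouched sample to work from.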
The next step? Identification and removal. If you have a paid antimalware solution, scan your hard drive and try contacting your vendor’s tech support and help forums. Another excellent resource is NoMoreRansom.com’s Crypto-Sheriff, a collection of resources and ransomware uninstallers from Intel, Interpol, and Kaspersky Lab that can help you identify and begin eradicating the ransomware from your system with free removal tools.

[Image, credit NoMoreRansom.org] The front page of NoMoreRansom.org’s Crypto-Sheriff site includes an easy tool to discover what kind of ransomware may be affecting your PC.

If all else fails

Unfortunately, experts say that the key question—should we pay up, or risk losing everything?—is often answered by pulling out one’s wallet. If you can’t remove the ransomware, you’ll be forced to consider how much your data is worth, and how quickly you need it. Datto’s 2016 survey showed that 42 percent of those small businesses hit by ransomware paid up. 

[Image, credit Microsoft] From Dec. 2015 until May 2016, Tescrypt was the most common ransomware variant detected by Microsoft.

Keep in mind that there’s a person on the other end of that piece of malware that’s ruining your life. If there’s a way to message the ransomware authors, experts recommend that you try it. Don’t expect to be able to persuade them to unencrypt your files for free. But as crooked as they are, ransomware writers are businessmen, and you can always try asking for more time or negotiating a lower ransom. If nothing else, Grossman said there’s no harm in asking for a so-called “proof of life”—what guarantee can the criminal offer that you’ll actually get your data back? (Of the companies that Datto surveyed, about a quarter didn’t get their data back.)
Remember, though, that the point of the prevention, duplication, and backup steps is to give you options. If you have pristine copies of your data saved elsewhere, all you may need to do is reset your PC, reinstall your apps, and restore your data from the backup.

Don’t let this happen to you

In my situation, my wife and I discovered that we had already backed up everything important to both a cloud service and an external drive. All we lost was a few hours of our evening, including resetting her PC. 
Ransomware can infect your PC in any number of ways: a new app, a Flash-based gaming site, an accidental click on a bad ad. In our case, it was a sharp reminder not to go clicking willy-nilly because a “friend” had recommended some bargain shopping site. We’re teaching those same lessons to our kids, too.
Ransomware is an unsettling reminder that people mean you harm, and that misfortune may strike at any time. If you treat your PC as part of your home, however—cleaning, maintaining, and securing it from outside threats—you’ll rest easier knowing you’ve prepared for the worst.

Ransomware Facts by Microsoft Security Support

Ransomware

Ransomware stops you from using your PC. It holds your PC or files for "ransom". This page describes what ransomware is and what it does, and provides advice on how to prevent and recover from ransomware infections.
You can also read our blog about ransomware: The 5Ws and 1H of ransomware

What does ransomware do?

There are different types of ransomware. However, all of them will prevent you from using your PC normally, and they will all ask you to do something before you can use your PC.
They can target any PC users, whether it’s a home computer, endpoints in an enterprise network, or servers used by a government agency or healthcare provider.
Ransomware can:
  • Prevent you from accessing Windows.
  • Encrypt files so you can't use them.
  • Stop certain apps from running (like your web browser).
Ransomware will demand that you pay money (a “ransom”) to get access to your PC or files. We have also seen them make you complete surveys.
There is no guarantee that paying the fine or doing what the ransomware tells you will give access to your PC or files again.

Details for home users

There are two types of ransomware – lockscreen ransomware and encryption ransomware.
Lockscreen ransomware shows a full-screen message that prevents you from accessing your PC or files. It says you have to pay money (a “ransom”) to get access to your PC again.
Encryption ransomware changes your files so you can’t open them. It does this by encrypting the files – see the Details for enterprises section if you’re interested in the technologies and techniques we’ve seen.
Older versions of ransomware usually claim you have done something illegal with your PC, and that you are being fined by a police force or government agency.
These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your PC.
Newer versions encrypt the files on your PC so you can’t access them, and then simply demand money to restore your files.
Ransomware can get on your PC from nearly any source that any other malware (including viruses) can come from. This includes:
  • Visiting unsafe, suspicious, or fake websites.
  • Opening emails and email attachments from people you don’t know, or that you weren’t expecting.
  • Clicking on malicious or bad links in emails, in Facebook, Twitter, and other social media posts, or in instant messenger chats like Skype.
It can be very difficult to restore your PC after a ransomware attack – especially if it’s infected by encryption ransomware.
That’s why the best solution to ransomware is to be safe on the Internet and with emails and online chat:
  • Don’t click on a link on a webpage, in an email, or in a chat message unless you absolutely trust the page or sender.
  • If you’re ever unsure – don’t click it!
  • Often fake emails and webpages have bad spelling, or just look unusual. Look out for strange spellings of company names (like “PayePal” instead of “PayPal”) or unusual spaces, symbols, or punctuation (like “iTunesCustomer Service” instead of “iTunes Customer Service”).
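The spelling and spacing checks in the last bullet can be turned into a simple mail-filter heuristic. The Python below is an added example and is not anything Microsoft’s page provides: it compares a sender’s display name (or the first label of the sender’s domain) against a short, constructed list of protected brand names, flags names whose letters match but whose spacing or punctuation differs (the “iTunesCustomer Service” case), and flags near-misses within a small edit distance (the “PayePal” case). The brand list, the sample senders and addresses, and the distance threshold are all assumptions made for the demonstration.

```python
import re

# Constructed list of brand names a mail filter might protect; not from the page.
TRUSTED_NAMES = ["PayPal", "iTunes Customer Service", "Microsoft", "Apple"]


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def _collapse(s):
    """Case-fold and squeeze runs of whitespace, keeping word boundaries."""
    return " ".join(s.split()).casefold()


def _letters_only(s):
    """Drop everything except letters and digits, so spacing and punctuation
    tricks ('iTunesCustomer Service') cannot hide a match."""
    return re.sub(r"[^a-z0-9]", "", s.casefold())


def check_name(display_name, trusted=TRUSTED_NAMES, max_distance=2):
    """Classify a sender display name against the trusted brand list.

    Returns (verdict, brand), where verdict is one of:
      'exact'     - matches a brand (ignoring case and repeated spaces)
      'spacing'   - same letters as a brand, but spacing/punctuation differs
      'lookalike' - within max_distance edits of a brand (e.g. 'PayePal')
      'none'      - no resemblance to any listed brand
    """
    collapsed = _collapse(display_name)
    letters = _letters_only(display_name)
    for brand in trusted:
        if collapsed == _collapse(brand):
            return "exact", brand
        brand_letters = _letters_only(brand)
        if letters == brand_letters:
            return "spacing", brand
        if levenshtein(letters, brand_letters) <= max_distance:
            return "lookalike", brand
    return "none", None


def check_address(address, trusted=TRUSTED_NAMES, max_distance=2):
    """Apply the same test to the first label of the sender's domain, so that
    'service@payepal.example' is caught the way the display name would be."""
    domain = address.rsplit("@", 1)[-1]
    label = domain.split(".")[0]
    return check_name(label, trusted, max_distance)


# Constructed sample senders (display name, address) for the demonstration.
SAMPLE_SENDERS = [
    ("PayPal", "service@paypal.example"),
    ("PayePal", "service@payepal.example"),
    ("iTunesCustomer Service", "billing@itunes-billing.example"),
    ("Acme Widgets", "sales@acme.example"),
]


def triage(senders=SAMPLE_SENDERS):
    """Return {display_name: (name_verdict, address_verdict)} for each sender."""
    return {name: (check_name(name), check_address(addr)) for name, addr in senders}


if __name__ == "__main__":
    for name, (by_name, by_addr) in triage().items():
        print(f"{name:24} name={by_name}  address={by_addr}")
```

The edit-distance threshold is deliberately small: with a fixed allowance of 2 a six-letter brand will match many unrelated short words, so in practice the allowance should shrink for short names, and the check is only a signal to combine with authentication results such as SPF and DKIM, not a verdict on its own.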
Check our frequently asked questions for more information about ransomware, including troubleshooting tips in case you’re infected, and how you can back up your files to help protect yourself from ransomware.

Details for enterprises and IT professionals

The number of enterprise victims being targeted by ransomware is increasing. Usually, the attackers specifically research and target a victim (similar to whale-phishing or spear-phishing – and these in fact may be techniques used to gain access to the network).
The sensitive files are encrypted, and large amounts of money are demanded to restore the files. Generally, the attacker has a list of file extensions or folder locations that the ransomware will target for encryption.
Because the files are encrypted, it can be practically impossible to reverse-engineer the encryption or “crack” the files without the original encryption key – which only the attackers have.
The best advice for prevention is to ensure company-confidential, sensitive, or important files are securely backed up in a remote, unconnected (offline) backup or storage facility.
OneDrive for Business can assist in backing up everyday files.
In some cases, third-party tools released by security firms are able to decrypt files for some specific ransomware families. See our blog FireEye and Fox-IT tool can help recover Crilock-encrypted files for an example.
Tim Rains, Microsoft Director of Security, released the blog Ransomware: Understanding the risk in April 2016; it summarizes the state of ransomware and provides statistics, details, and preventative suggestions for enterprises and IT professionals. Our Threat intelligence report: Ransomware also includes suggestions on prevention and recovery, statistics, and details.

Prevalent ransomware

Globally, ransomware continues to be a problem. In particular, we’ve seen increases in Italy and the eastern seaboard of the US.
The past six months (between December 2015 and May 2016) have seen the rise of Tescrypt globally. Crowti remains near the top of the pack, as does Brolo and FakeBsod.
Reveton has also dropped down the ladder, now at 1% of the top 10 share, down from 7% for the preceding 6 months.

Pie chart showing top ransomware families, including Tescrypt (42%), Crowti (17%) and Fakebsod (15%)
Figure 1. Top 10 Ransomware (December 2015 to May 2016)

Top 10 ransomware for June 2015 to November 2015
Figure 2. Top 10 Ransomware (June to November 2015)
For the top 10 countries with the most detections, the United States takes a full half of all detections. Italy is second, followed closely by Canada, Turkey, and the United Kingdom. After that the distribution is spread across the globe.

Pie chart showing US with 50% of all detections, followed by Italy, Canada, and other countries across the world
Figure 3: Top 10 countries (December 2015 to May 2016)
The greatest detections in the US were for FakeBsod, followed by Tescrypt and Brolo. Tescrypt was also prevalent in Italy.

Sunburst graphic showing the top countries and ransomware, including Fakebsod, Tescrypt, Brolo, and Crowti for the US, and Tescrypt for Italy
Figure 4: Top detections in top countries (December 2015 to May 2016)
FakeBsod uses a malicious piece of JavaScript code to lock your web browser and show a fake warning message when you visit a compromised or malicious webpage. The warning message tells you to “contact Microsoft technicians” about an “Error 333 Registry Failure of operating system – Host: Blue screen Error 0x0000000CE”. If you call the phone number in the message you will be asked to pay money to “fix” the issue.
An example of the fake warning message is shown in Figure 5:

Fakebsod lock screen image that looks like a Windows error blue screen
Figure 5: Message used by FakeBsod to lock your web browser
You can regain control of your web browser without paying anything by closing the warning message using the Task Manager.
When you reopen your browser, make sure you don't click Restore previous session.
Read more about this threat in the Ransom:JS/FakeBsod.A description.