
Ransomware

What is Ransomware?

Let's start from the basics. The following article gives 13 answers about what ransomware is and how to deal with it.
 
Ransomware is malicious software that attacks and encrypts its victims' data. The victim is then asked to pay a ransom, usually in Bitcoin, to have the data decrypted.
Ransomware gets smarter every year, and even advanced users can fall victim to it.

We use every available technique to try to decrypt the data that has been affected, but sometimes we are in the unpleasant position of having to inform our customers that there is nothing more we can do to help them.

How does ransomware work?

We have prepared a guide to help anyone who is interested understand a few simple rules to follow in order to avoid getting infected by ransomware.

By following these steps you will be able to protect your computer from infection and protect yourself, your data, your work and your loved ones from a sad experience.
We suggest you follow this guide. If it seems too complicated, ask for help from someone more tech-savvy than you.

How does ransomware work? See the video!

In the following video you can see Petya ransomware in action. It gives you a chance to see what you must NOT do if you see something similar happening in front of your eyes.

In the steps that follow you can read advice on how to protect your home or office computers from being encrypted.

How does a computer get infected by ransomware?

Here are 13 simple rules, each phrased as a question you should be able to answer "yes" to, that will help you keep infections away.

Rule #1: Do you have a Backup?

Not much to say here: this is the most basic rule, and you should follow it whether or not you expect to be targeted by ransomware. If you have a recent backup and get hit, all you have to do is remove the infection and restore your files from the backup.

Unfortunately, adding a hard drive to your computer and keeping your backups there is not a solid backup plan. During an infection, ransomware encrypts every local drive it can write to and then reaches out to network shares (sometimes even shares that are not mapped as drive letters). A backup disk that is permanently attached, or a NAS that is always reachable, gets encrypted along with everything else.

There are two ways around this: a) keep your backups in the cloud, with the trade-offs that implies (cost, confidentiality, slow access); b) keep your backups on a device that you disconnect as soon as the backup job finishes. With cloud storage, make sure the service keeps old versions of files: a sync client that simply mirrors your folders will happily upload the encrypted copies over the good ones. Whichever you choose, test a restore now and then; a backup you have never restored from is an assumption, not a plan.

Rule #2: Do you have a proper antivirus?

Make sure your computer is protected by a decent antivirus program. We suggest combining antivirus, anti-ransomware and anti-exploit software that analyses your computer's behaviour and steps in when something starts behaving erratically (for example a process rapidly rewriting hundreds of documents), so that you are protected even when the infection is a new strain that no signature yet matches (a zero-day).

 

Rule #3: Do you update your operating system?

Much ransomware is delivered through exploit kits: attack tooling, hosted on compromised or malicious websites, that probes a visitor's browser, plugins and operating system for unpatched vulnerabilities and silently installs the malware on success. When you are notified of operating system updates, install them; more often than not they patch exactly these holes. Microsoft publishes its updates on Patch Tuesday, the second Tuesday of each month, so plan to install them and restart your computer that day. Other operating systems, such as Linux distributions or macOS, publish updates whenever there is a need for them. Make sure to install those as well.

Rule #4: Do you keep your installed software up-to-date?

It's the same as with the operating system: exploit kits target security holes in installed software such as Java, Adobe Flash Player and Adobe Reader.

Therefore it is absolutely critical to keep these applications updated, or to uninstall them if you do not actually need them (Flash Player and the Java browser plugin in particular are rarely needed today, and an uninstalled plugin cannot be exploited).

For Windows machines, we suggested Flexera Personal Software Inspector, which checks your installed software and informs you of any updates. UPDATE: since Flexera PSI is no longer available, we suggest FileHippo App Manager, which is also free of charge.
For Mac machines, we suggest MacUpdate Desktop; however, it is not free of charge.

Rule #5: Are your SPAM filters active?

The most common way ransomware is distributed is through spam e-mail that pretends to come from a legitimate source.

Such e-mails try to get you to download an infected attachment or click on a link.

If you use a webmail service like Gmail, Yahoo or Hotmail/Outlook, most of these messages are filtered before they reach your inbox.

However, if you use your own domain and your spam filtering is not working well or was never set up properly, most of these e-mails will land in your inbox. Check that your mail server or provider actually filters inbound mail, and consider rejecting or quarantining attachments that are executable (.exe, .js, .vbs, .scr) or archives that contain them.

Rule #6: Did you activate file extension display?

By default, Windows and macOS hide the extension of known file types when you browse a folder. This helps an attacker trick you into thinking an executable is an ordinary PDF or Word file: you double-click it expecting a document, and all it does is run the ransomware.

The picture on the left shows an example where a malicious executable (.exe) pretends to be a .pdf. With extension display enabled, its real identity is visible (.pdf.exe). On Windows the setting is the "File name extensions" checkbox on Explorer's View tab; on macOS it is Finder > Preferences > Advanced > "Show all filename extensions". Note that Windows never shows the .lnk extension of shortcut files even with the setting on, which is why malicious shortcuts are another favourite disguise.
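As an added example (not code from the original article), the PowerShell below does both halves of this rule: it switches on extension display for the current user and scans a folder for names that stack a document extension on top of an executable one, the .pdf.exe trick described above. The registry value, the list of extensions and the scratch folder with constructed sample files are assumptions of the example; run it on Windows 10 or 11.

```powershell
# Added example: show file extensions in Explorer and look for double-extension
# decoys such as invoice.pdf.exe. Assumptions: Windows 10/11, run as the user
# whose Explorer settings should change; sample files below are constructed.

# Extensions Explorer would hide, letting a file pose as a harmless document
$DocumentLike = 'pdf','doc','docx','xls','xlsx','txt','jpg','png'
# Extensions that actually execute when double-clicked (.lnk is always hidden by Explorer)
$Executable   = 'exe','scr','com','pif','bat','cmd','js','jse','vbs','vbe','wsf','ps1','hta','lnk'

function Enable-FileExtensionDisplay {
    # HideFileExt = 0 makes Explorer show extensions for all known file types
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name 'HideFileExt' -Value 0 -Type DWord
    # Explorer reads the value on start; restarting it makes the change visible
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
}

function Test-DoubleExtensionName {
    param([Parameter(Mandatory)][string]$Name)
    # e.g. "\.(pdf|doc|...)\.(exe|scr|...)$", matched case-insensitively
    $pattern = '\.(' + ($DocumentLike -join '|') + ')\.(' + ($Executable -join '|') + ')$'
    return $Name -imatch $pattern
}

function Find-DoubleExtensionFile {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { Test-DoubleExtensionName $_.Name }
}

# Constructed sample: a scratch folder with one decoy and two harmless files
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'ext-demo'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
'Invoice_2017.pdf.exe', 'Invoice_2017.pdf', 'notes.txt' |
    ForEach-Object { New-Item -ItemType File -Path (Join-Path $sample $_) -Force | Out-Null }

# Only the decoy is reported
Find-DoubleExtensionFile -Path $sample | Select-Object -ExpandProperty Name
Remove-Item -Path $sample -Recurse -Force

# Uncomment to apply the Explorer setting on this machine:
# Enable-FileExtensionDisplay
```

Point Find-DoubleExtensionFile at your Downloads folder or a mail attachment directory to sweep for decoys that were already saved; the Explorer setting is left as an explicit call so the script can be read and run harmlessly first.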

Rule #7: Did you open an attachment from a sender you do not recognize?

The ransomware infection is in the attachment.

If you receive an e-mail with an attachment and you do not know why someone has sent it to you, do not open it.

In the picture above you can see an e-mail carrying Locky ransomware. It has an .xls attachment, everything looks plausible, and there is a prompt to open it to check an invoice someone has supposedly sent us.
If you make the mistake of opening the attachment, you may see another prompt asking you to enable macros or content ("Enable Macros" or "Enable Content"). Do not do this: the macro is a downloader that fetches the ransomware onto your computer and starts the infection and encryption. A genuine invoice never needs macros to be readable.
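The rule above depends on the user declining the "Enable Content" button every time. As an added example (not from the original article), the following PowerShell sets Office's own macro policy so that the button is never offered for files that arrived by e-mail or download. It assumes Office 2016 or later (registry version 16.0) and writes the per-user policy keys; the same values can be pushed domain-wide with Group Policy.

```powershell
# Added example: make Word, Excel and PowerPoint refuse the macros that attachments
# like the Locky invoice rely on. Assumptions: Office 2016/2019/365 (version key 16.0),
# per-user policy keys under HKCU.

$OfficeVersion = '16.0'                 # assumption: Office 2016 or later
$Apps = 'Word','Excel','PowerPoint'

function Set-OfficeMacroPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # VBAWarnings: 1 = enable all, 2 = disable with notification (the default that
        # shows "Enable Content"), 3 = disable except digitally signed, 4 = disable all silently
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 3 -Type DWord
        # Block macros outright in files carrying the Mark of the Web (downloaded or from e-mail)
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

function Get-OfficeMacroPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App          = $app
            VBAWarnings  = $v.VBAWarnings
            BlockFromWeb = $v.blockcontentexecutionfrominternet
        }
    }
}

Set-OfficeMacroPolicy
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Value 3 keeps signed in-house macros working while silently dropping the unsigned ones in phishing attachments; if nobody in the office uses macros at all, value 4 removes the prompt entirely.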

Rule #8: Careful with your downloads.

Free torrent downloads and P2P connections sound sweet because they are free, but they often hide nasty ransomware surprises. Always double-check the websites you download from, and be extremely careful before clicking OK on any installer prompt.

Rule #9: Did you rename vssadmin in Windows?

Windows keeps Volume Shadow Copies (the mechanism behind System Restore and the "Previous Versions" tab), and in many cases encrypted files can be recovered from them. Unfortunately, ransomware developers know this well, so one of the first things ransomware does when the infection starts is delete all shadow copies by running vssadmin.exe (typically vssadmin delete shadows /all /quiet).

If you are not using software that relies on vssadmin, we suggest renaming it with the script below. Two caveats: Windows updates and System File Checker may put the file back, so check it after each update; and renaming vssadmin only closes one route. Ransomware also deletes shadow copies through WMI (wmic shadowcopy delete) or PowerShell (the Win32_ShadowCopy class), so treat this as one layer on top of an offline backup, not as a substitute for it.
@echo off
REM Renames vssadmin.exe so that ransomware cannot call it to delete shadow copies.
REM Run this file as Administrator. To undo, rename the file back to vssadmin.exe.
REM We redirect the output of the commands and any errors to NUL.
REM If you would like to see the output, remove the >nul 2>&1 from the end of the commands.

REM Check if vssadmin.exe exists. If not, abort the script.
if NOT exist %WinDir%\system32\vssadmin.exe (
    echo.
    echo.%WinDir%\system32\vssadmin.exe does not exist!
    echo.
    echo Script Aborting!
    echo.
    PAUSE
    goto:eof
)

REM Check if the script was started with Administrator privileges.
REM Method from http://stackoverflow.com/questions/4051883/batch-script-how-to-check-for-admin-rights
net session >nul 2>&1
if %errorLevel% NEQ 0 (
    echo.
    echo You do not have the required Administrator privileges.
    echo.
    echo Please run the script again as an Administrator.
    echo.
    echo Script Aborting!
    echo.
    PAUSE
    goto:eof
)

REM The file is owned by TrustedInstaller; give the Administrators group ownership
REM before we can change permissions on it.
takeown /F %WinDir%\system32\vssadmin.exe /A >nul 2>&1

REM Give Administrators the Change permission for the file.
CACLS %WinDir%\system32\vssadmin.exe /E /G "Administrators":C >nul 2>&1

REM Generate the name we are going to use when renaming vssadmin.exe.
REM The filename is based on the date and time. The parsing below assumes the
REM US short date format ("Tue 06/03/2025"); on other locales adjust the delims.
REM http://blogs.msdn.com/b/myocom/archive/2005/06/03/so-what-the-heck-just-happened-there.aspx
for /f "delims=/ tokens=1-3" %%a in ("%DATE:~4%") do (
    for /f "delims=:. tokens=1-4" %%m in ("%TIME: =0%") do (
        set RenFile=vssadmin.exe-%%c-%%b-%%a-%%m%%n%%o%%p
    )
)

REM Rename vssadmin.exe to the filename in the RenFile variable.
ren %WinDir%\system32\vssadmin.exe %RenFile% >nul 2>&1

REM Check if the task was completed successfully.
if exist %WinDir%\system32\%RenFile% (
    echo.
    echo vssadmin.exe has been successfully renamed
    echo to %WinDir%\system32\%RenFile%.
    pause
) else (
    echo.
    echo There was a problem renaming vssadmin.exe
    echo to %WinDir%\system32\%RenFile%.
    echo.
    pause
)

:END
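Because the script above only removes one of several ways to destroy shadow copies, it is worth being able to see the attempt when it happens. The PowerShell below is an added example, not part of the original article: a small matcher for the command lines that ransomware uses to delete shadow copies, backup catalogs and the recovery environment, run first over constructed sample lines and then over real process-creation events. It assumes the Windows audit setting "Include command line in process creation events" is enabled; without it, event 4688 carries no command line and the live query finds nothing.

```powershell
# Added example: spot shadow-copy and recovery-data destruction in process creation
# events. Covers vssadmin, the WMI and PowerShell routes, bcdedit and wbadmin.
# Assumptions: command-line auditing is on (Security event 4688 includes the command
# line); the sample lines below are constructed, not real telemetry.

# Command-line fragments ransomware families use to destroy recovery data
$ShadowKillPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',                          # vssadmin delete shadows /all /quiet
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',                    # shrink storage so old copies are dropped
    'wmic(\.exe)?\s+shadowcopy\s+delete',                           # WMI route, no vssadmin needed
    'Win32_ShadowCopy.*(Delete\(\)|Remove-WmiObject|Remove-CimInstance)',  # PowerShell route
    'bcdedit(\.exe)?\s+.*recoveryenabled\s+no',                     # disable Windows Recovery Environment
    'wbadmin(\.exe)?\s+delete\s+catalog'                            # remove the Windows Backup catalog
)

function Test-ShadowCopyDeletion {
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($p in $ShadowKillPatterns) {
        if ($CommandLine -imatch $p) { return $true }
    }
    return $false
}

# Constructed sample of 4688-style command lines: four hostile, two benign
$SampleCommandLines = @(
    'vssadmin.exe Delete Shadows /All /Quiet',
    'C:\Windows\System32\wbem\WMIC.exe shadowcopy delete',
    'powershell.exe -nop -w hidden -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
    'bcdedit.exe /set {default} recoveryenabled No',
    'vssadmin.exe list shadows',          # listing is not destruction
    'C:\Windows\explorer.exe'
)

$SampleCommandLines | ForEach-Object {
    [pscustomobject]@{ Suspicious = (Test-ShadowCopyDeletion $_); CommandLine = $_ }
} | Format-Table -AutoSize

# Live query: process creation events (Security 4688) since a given time.
# The event Message contains the "Process Command Line" field when auditing is on.
function Get-ShadowCopyDeletionEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { Test-ShadowCopyDeletion ([string]$_.Message) }
}

Get-ShadowCopyDeletionEvents | Select-Object TimeCreated, Id | Format-Table -AutoSize
```

The patterns are deliberately narrow: `vssadmin list shadows` and a plain `Get-WmiObject Win32_ShadowCopy` are administrator activity and are not flagged, while any of the destructive forms is. Command-line auditing itself is switched on with the policy value ProcessCreationIncludeCmdLine_Enabled = 1 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit, together with "Audit Process Creation" success auditing.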

Rule #10: Did you disable Windows Script Host?

Many ransomware infections are installed via scripts written in JScript or VBScript (.js, .vbs, .wsf files), which Windows runs through Windows Script Host when they are double-clicked.

  • If you know what these are and use them, it's all good.
  • If you don't, we suggest disabling the ability to run such files in Windows.

To do this, follow Microsoft's guide at this link:
https://technet.microsoft.com/en-us/library/ee198684.aspx

(The setting is the DWORD value Enabled = 0 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings.)

If you have disabled Windows Script Host and something tries to run such a script, you will get a message similar to this: "Windows Script Host access is disabled on this machine. Contact your administrator for details."
 

Rule #11: Did you disable Windows PowerShell?

Similarly to the previous step, PowerShell is used by attackers to install ransomware or to encrypt files.

If you are not using it, restrict it.
To do this, go to Start > CMD > Enter and type the following command at the Command Prompt:

powershell Set-ExecutionPolicy -ExecutionPolicy Restricted

This prevents PowerShell script files (.ps1) from being run from the shell; it does not remove PowerShell, and interactive commands still work. The command changes the machine-wide policy, so open the Command Prompt as Administrator. If you later want to allow scripts again, use "RemoteSigned" (the Windows Server default, which runs local scripts but requires downloaded ones to be signed) rather than "Unrestricted".

Be aware that Microsoft does not consider the execution policy a security boundary: anything that can start powershell.exe can pass -ExecutionPolicy Bypass or -EncodedCommand and ignore it. It stops accidental double-clicks and the simplest droppers, not a determined attacker, so combine it with the other rules here.
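Rules #10 and #11 are both registry and policy changes, so here they are together as one added PowerShell example (not code from the original article): it disables Windows Script Host, applies the Restricted execution policy, and, because that policy can be bypassed, turns on script block logging so that whatever PowerShell does run is at least written to the event log. It assumes an elevated session and applies machine-wide settings under HKLM; the function names and the verification output are this example's own.

```powershell
# Added example covering Rules #10 and #11: disable Windows Script Host, restrict
# PowerShell scripts, and log every script block PowerShell executes.
# Assumptions: run as Administrator; machine-wide settings (HKLM).
# Execution policy is not a security boundary ("powershell -ExecutionPolicy Bypass"
# still runs), which is why the logging is part of the same change.

$WshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$SblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Disable-WindowsScriptHost {
    # Enabled = 0 makes wscript.exe/cscript.exe refuse .js/.vbs/.wsf files with
    # "Windows Script Host access is disabled on this machine."
    if (-not (Test-Path $WshKey)) { New-Item -Path $WshKey -Force | Out-Null }
    Set-ItemProperty -Path $WshKey -Name 'Enabled' -Value 0 -Type DWord
}

function Enable-WindowsScriptHost {
    # Removing the value restores the default (enabled)
    Remove-ItemProperty -Path $WshKey -Name 'Enabled' -ErrorAction SilentlyContinue
}

function Set-PowerShellHardening {
    # Restricted: no .ps1 files run from the shell (interactive commands still do)
    Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope LocalMachine -Force
    # Script block logging records executed code as event 4104 in
    # Microsoft-Windows-PowerShell/Operational, whether or not the policy was bypassed
    if (-not (Test-Path $SblKey)) { New-Item -Path $SblKey -Force | Out-Null }
    Set-ItemProperty -Path $SblKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
}

function Get-ScriptHardeningState {
    $wsh = Get-ItemProperty -Path $WshKey -ErrorAction SilentlyContinue
    $sbl = Get-ItemProperty -Path $SblKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WSHEnabled         = if ($null -eq $wsh.Enabled) { 'default (on)' } else { $wsh.Enabled }
        ExecutionPolicy    = Get-ExecutionPolicy -Scope LocalMachine
        ScriptBlockLogging = $sbl.EnableScriptBlockLogging
    }
}

Disable-WindowsScriptHost
Set-PowerShellHardening
Get-ScriptHardeningState
```

After applying it, `Get-ExecutionPolicy -List` shows how the scopes stack: a Group Policy MachinePolicy entry, if one exists, overrides whatever was set here, and a logon script that needs to run can still be launched with an explicit -ExecutionPolicy argument, which is exactly what the 4104 log will then show.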

Rule #12: Are you using strong passwords?

Always use strong passwords.

Forget '12345', '0000', dates of birth such as '15101969', 'admin' and so on.

Instead, use long random passwords like 1@4t6Υ!&87kM-=^, a different one for every account, and keep them in a password manager so you never have to remember or reuse them. This matters for ransomware in particular because the Remote Desktop and e-mail accounts guarded by weak passwords are exactly what attackers brute-force to get in (see Rule #13).

Rule #13: Did you disable Windows Remote Desktop? Did you change the default port?

If you are not using Remote Desktop, disable it. Exposed RDP with weak or reused passwords is one of the most common ways attackers gain access to a computer and then deploy ransomware by hand.
If you use it and need it, change its default port (3389). Bear in mind that this only cuts down the noise from automated scanners; a targeted scan finds the service on any port, so also require Network Level Authentication, use strong passwords with account lockout, and never expose RDP directly to the internet (put it behind a VPN instead).

To do this: Start > Regedit > Enter
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, find the entry PortNumber in the right pane, double-click it, choose Decimal and change the Value Data from 3389 to the port you want. Before rebooting, allow the new port through Windows Firewall, otherwise you will lock yourself out.
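The same change can be made, and verified, without clicking through Regedit. The PowerShell below is an added example (not from the original article) with both options from this rule: turn Remote Desktop off entirely, or move it off 3389 while also requiring Network Level Authentication and opening the firewall for the new port so the change does not lock you out. It assumes an elevated session; the port 3390 is a placeholder, and the function names are the example's own.

```powershell
# Added example: disable Remote Desktop, or move it to another port with NLA
# required and a matching firewall rule. Assumptions: run as Administrator;
# 3390 is a placeholder port; restarting TermService applies the port change.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

function Disable-RemoteDesktop {
    # fDenyTSConnections = 1 is what "Don't allow remote connections" sets in System settings
    Set-ItemProperty -Path $TsKey -Name 'fDenyTSConnections' -Value 1 -Type DWord
    # Close the built-in firewall exceptions as well
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
}

function Set-RemoteDesktopPort {
    param([Parameter(Mandatory)][ValidateRange(1024, 65535)][int]$Port)
    # The same PortNumber value the article changes in Regedit
    Set-ItemProperty -Path $RdpKey -Name 'PortNumber' -Value $Port -Type DWord
    # Require NLA so unauthenticated clients never reach the logon screen
    Set-ItemProperty -Path $RdpKey -Name 'UserAuthentication' -Value 1 -Type DWord
    # Open the new port before the service moves, and only on trusted profiles
    New-NetFirewallRule -DisplayName "Remote Desktop (TCP $Port)" -Direction Inbound `
        -Protocol TCP -LocalPort $Port -Action Allow -Profile Private,Domain | Out-Null
    Restart-Service -Name TermService -Force
}

function Get-RemoteDesktopState {
    $ts  = Get-ItemProperty -Path $TsKey
    $rdp = Get-ItemProperty -Path $RdpKey
    [pscustomobject]@{
        Enabled = ($ts.fDenyTSConnections -eq 0)
        Port    = $rdp.PortNumber
        NLA     = ($rdp.UserAuthentication -eq 1)
    }
}

# Pick one: turn RDP off entirely, or move it and require NLA
Disable-RemoteDesktop
# Set-RemoteDesktopPort -Port 3390
Get-RemoteDesktopState
```

Get-RemoteDesktopState is the check to run on every machine in the office: anything that reports Enabled = True on port 3389 with NLA = False, reachable from the internet, is the configuration ransomware operators look for.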

Conclusion: What is Ransomware? 13 Rules and Guides.

In the sad event that you get infected by ransomware,

DO NOT PAY THE RANSOM AND GET IN TOUCH WITH US! If you wish to download the survival guide, click here.