Every Scam Begins With The Infection

Every scam scheme begins with a prerequisite; in our case, this is an active ransomware infection. In many cases, the infection route begins with a social engineering trick. This is far more efficient than direct hacker attacks: a new report states that 76% of organizations report falling victim to phishing attacks. During the infection process, the victim computer is attacked by the virus, and depending on its features, the following consequences can be expected:
- Data Ransomware – The classic approach is to use an encryption algorithm (cipher) to lock valuable user data. The encryption engine usually works through a predefined (hardcoded) list of target file types, typically the most commonly used extensions for photos, videos, music, documents, configuration files, games, and even cryptocurrency wallets.
- Keylogging – Many of the advanced ransomware strains also feature keyloggers that actively monitor the victim’s interaction with the computer by observing mouse movement and keystrokes. Hackers use this strategy to capture account credentials for sensitive sites such as online banking services, email inboxes, and social networks.
- Installation of Additional Malware – Many advanced ransomware strains are able to install additional malware onto the victim computer.
- Remote Arbitrary Code Execution – In many cases, the ransomware variants contact a remote Command & Control (C&C) server that can be used to launch various commands on the infected machines. In practice, this means that the hackers can obtain remote control of the system. Such hosts can therefore easily be recruited into a dangerous botnet following a ransomware infection.
- Screen Locker Usage – Upon infection, the virus locks the computer and prevents any ordinary interaction until the ransom is paid.
- Direct Sum Request – The exact sum is specified in the ransom note. In the last several months, we have seen timers, screen lockers, and other types of blackmail techniques in use.
- Private Sum Request – In this case, the victims need to contact the criminal operators of the virus to negotiate the ransom directly. The hackers may opt to review the affected data, and if it contains a lot of sensitive information, they may request a larger than ordinary sum.
Once infected, the victims have the following options:
- Pay the ransom to the hackers – We do not recommend this option. In many cases, the victims do not receive any help at all, and as the payments are made in cryptocurrency, the paid sum cannot be traced or recovered.
- Use anti-spyware solutions – These are specialized software products created to fight ransomware infections. Their signature sets are updated constantly, and they can actively block both current and future threats by using advanced heuristic techniques.
- Use available decryptors for the malware family – When a ransomware family contains a weak spot in its encryption engine, experts often find it and create freely available decryptors that can restore the victim's files. However, if the malware itself possesses advanced features like keyloggers, the decryptor cannot remove them. In these cases, the victims need to employ anti-spyware solutions.
- Attempt to remove the threat themselves – Computer users may attempt to remove the virus themselves if they know how it behaves. In many cases, this does not lead to an effective removal.
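To show why a weak spot in the encryption engine lets researchers ship a free decryptor, here is an added toy example (not code from any real ransomware family or decryptor): the "engine" reuses one short XOR key across the whole file, so the known magic bytes of common file types reveal the key. The file-header table, key length and sample data are constructed for the demonstration.

```python
"""Toy illustration of a flawed encryption engine and the matching decryptor.
The weak spot: a short key reused for the whole file (repeating-key XOR).
Because common file types start with fixed header bytes, the decryptor can
recover the key without ever talking to the criminals."""
from typing import Optional

# Constructed table of file-type magic bytes the decryptor relies on.
KNOWN_HEADERS = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-1.",
    ".zip": b"PK\x03\x04",
}


def weak_encrypt(data: bytes, key: bytes) -> bytes:
    """The flawed engine: byte i is XORed with key[i % len(key)]."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, ext: str, key_len: int) -> Optional[bytes]:
    """Known-plaintext recovery: key[i] = ciphertext[i] ^ header[i].

    Returns None when the header is too short to pin down every key byte
    or when the remaining header bytes contradict the candidate key
    (for example, the file type was guessed wrong)."""
    header = KNOWN_HEADERS.get(ext.lower())
    if header is None or len(header) < key_len or len(ciphertext) < len(header):
        return None
    key = bytes(c ^ p for c, p in zip(ciphertext[:key_len], header))
    # Header bytes beyond key_len act as a consistency check on the key.
    if weak_encrypt(ciphertext[: len(header)], key) != header:
        return None
    return key


def decrypt(ciphertext: bytes, ext: str, key_len: int) -> Optional[bytes]:
    """Restore the file if the key can be recovered; XOR is its own inverse."""
    key = recover_key(ciphertext, ext, key_len)
    return None if key is None else weak_encrypt(ciphertext, key)


if __name__ == "__main__":
    secret = b"\x1f\xa3\x07\x5c"  # constructed key the "ransomware" used
    victim = KNOWN_HEADERS[".png"] + b"constructed image body"
    locked = weak_encrypt(victim, secret)
    print("recovered key:", recover_key(locked, ".png", 4).hex())
    print("restored:", decrypt(locked, ".png", 4) == victim)
```

A real decryptor targets a specific flaw (a predictable key, a reused nonce, a key left on disk), but the shape is the same: recover the key from something the defender already knows, then verify before overwriting the victim's files.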
The Ransomware Decryption Scam

As it turns out, computer criminals have extended their dangerous tactics by preying on the confusion of ransomware victims. They pose as legitimate cybersecurity companies or experts who claim to have the skills to restore files and remove active infections without using software solutions. The fraud can easily be spotted when they request a sum bigger than the one extorted by the ransomware itself. Many victims have already reported being contacted by such people on the web. It is quite possible that these scammers are the same people who control some of the malware infections themselves. There are several ways of spreading this scam:
- Counterfeit expert profiles and companies – Criminals set up fake cybersecurity expert profiles and even establishments that pose as regular companies. They advertise their services as being able to decrypt even the encryption ciphers used by ransomware such as Osiris (actual removal instructions available here) and Thor.
- Direct contact – The “experts” contact the victims directly, offering their services in return for a “repair fee” that exceeds the ransom. Most experts assume that these people simply buy the decryptor from the hackers and keep the rest of the money.
- Advertising on security communities – Many of these scammers use aggressive marketing tricks, posting comments, links, and information related to their “services”.
Conclusion

Always do what’s right: rely on quality sources, especially when it comes to security. Anti-spyware utilities with advanced features and high-quality, up-to-date signature sets are the best weapon against all types of malware infections and attack campaigns. You can read an article on this topic by clicking here.