
What is .pdf ransomware?

.pdf is a ransomware-type infection that belongs to the Dharma ransomware family. As with most infections from this family, .pdf was discovered by Jakub Kroustek. After successful infiltration, .pdf encrypts most stored data, thereby rendering it unusable. Additionally, it renames each file by appending the victim's ID, the developer's email address, and the ".pdf" extension. For example, "sample.jpg" might be renamed to a filename such as "sample.jpg.id-1E857D00.[decryptbots@cock.li].pdf". Note that ".pdf" is the genuine Portable Document Format (PDF) extension and, therefore, encrypted files are likely to display a PDF file icon. Despite this, do not be tricked: the files are certainly encrypted, not merely converted to another format. Once encryption is complete, .pdf opens a pop-up window (an HTML application) and stores the "RETURN FILES.txt" text file on the desktop. Updated variants of this ransomware use the ".[3442516480@qq.com].pdf" extension for encrypted files.
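Because the appended ".pdf" extension makes encrypted files look like documents, a useful triage check is to match filenames against the rename pattern described above and to verify whether a file that claims to be a PDF actually begins with the PDF header ("%PDF-"). The script below is an added example written for this page, not code from the original article or from any security vendor. It assumes the victim ID is eight hexadecimal digits (based on the single "id-1E857D00" example above), treats the "id-" segment as optional so that the updated ".[3442516480@qq.com].pdf" form is also caught, and builds its own constructed sample directory (one genuine PDF, two renamed files with made-up bytes, and a ransom-note file with placeholder text) so it runs offline.

```python
"""Triage helper: find files renamed in the Dharma ".pdf" pattern and check whether
".pdf" files really carry a PDF header. Added example, not the article's own code."""
import os
import re
import tempfile

# Rename pattern described in the article: <name>.id-<victim id>.[<email>].pdf
# The "id-" segment is optional so the updated ".[3442516480@qq.com].pdf" form also matches.
# Assumption: the victim id is 8 hex digits, inferred from the article's "id-1E857D00" example.
DHARMA_PDF_RE = re.compile(
    r"^(?P<original>.+?)"
    r"(?:\.id-(?P<victim_id>[0-9A-Fa-f]{8}))?"
    r"\.\[(?P<contact>[^\]\s]+@[^\]\s]+)\]"
    r"\.pdf$",
    re.IGNORECASE,
)

PDF_MAGIC = b"%PDF-"                      # every genuine PDF starts with this header
RANSOM_NOTE_NAMES = {"RETURN FILES.txt"}  # note filename given in the article


def parse_dharma_name(filename):
    """Return the rename components (original, victim_id, contact) or None if no match."""
    m = DHARMA_PDF_RE.match(filename)
    return m.groupdict() if m else None


def has_pdf_header(path):
    """True only if the file begins with %PDF-; an encrypted file will not."""
    with open(path, "rb") as fh:
        return fh.read(len(PDF_MAGIC)) == PDF_MAGIC


def scan_directory(root):
    """Walk root and report ransom notes, Dharma-renamed files and fake .pdf files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in RANSOM_NOTE_NAMES:
                findings.append({"path": path, "kind": "ransom_note"})
                continue
            parts = parse_dharma_name(name)
            if parts:
                # Renamed in the ransomware's pattern; record whether it is a real PDF anyway.
                findings.append({"path": path, "kind": "dharma_renamed", **parts,
                                 "pdf_header": has_pdf_header(path)})
            elif name.lower().endswith(".pdf") and not has_pdf_header(path):
                # Claims to be a PDF but lacks the header: worth a closer look.
                findings.append({"path": path, "kind": "pdf_without_header"})
    return findings


def build_sample_tree():
    """Constructed test data (not real samples): one genuine PDF, two files renamed in the
    article's pattern with arbitrary non-PDF bytes, and a placeholder ransom note."""
    root = tempfile.mkdtemp(prefix="dharma_demo_")
    samples = {
        "manual.pdf": b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF\n",
        "sample.jpg.id-1E857D00.[decryptbots@cock.li].pdf": b"\x8f\x1a\x44\x00\xb7\xe2\x19\x5c",
        "notes.txt.[3442516480@qq.com].pdf": b"\x02\x9d\xaa\xf1\x37\x60\x0e\x4b",
        "RETURN FILES.txt": b"placeholder note text: your files are encrypted\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for finding in scan_directory(demo_root):
        print(finding)
```

Run against a real directory by calling scan_directory on it; the genuine "manual.pdf" in the constructed tree produces no finding, the two renamed files are reported with pdf_header False, and the note is reported by name. A file with a plain ".pdf" name but no header is flagged separately, which catches renamed files whose contact string did not match the pattern.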

The new text file delivers a short message stating that data is encrypted and encourages victims to contact .pdf's developers. The HTML application provides much more information. It states that files are compromised using RSA-1024 cryptography and that a unique decryption key is necessary to restore them. Unfortunately, this information is accurate. RSA-1024 is an asymmetric algorithm: a unique pair of keys is generated for each victim. The public key is used to encrypt data, whilst the private key is used to decrypt it. Victims cannot access their private keys; these are stored on a remote server controlled by .pdf's developers. Therefore, these people are able to blackmail victims by offering paid recovery of files. The cost of decryption is currently unknown; however, the size of the ransom usually ranges between $500 and $1500, and criminals demand payment in a cryptocurrency such as Bitcoin, Monero, DASH, Ethereum, or others. Note that .pdf's developers offer free decryption of one file (up to 1 MB, non-archived) to 'prove' that they are capable of restoring data and to gain the victim's trust. Do not pay, even if you can afford to. Ransomware developers often ignore victims once payments are submitted. Therefore, paying is likely to deliver no positive result and you will be scammed. Ignore all requests to submit payments or even contact these people. There are no tools capable of cracking RSA-1024 encryption and restoring data free of charge. Therefore, you can only restore everything from a backup, if one has been created.

Screenshot of a message encouraging users to pay a ransom to decrypt their compromised data:

.pdf is virtually identical to dozens of other ransomware-type infections such as Sguard, Cetori, and NEMTY PROJECT. Although the developers are different, all ransomware infections behave in much the same way. Most compromise data (usually by encryption) so that developers can make ransom demands by offering paid recovery of files. Encryption is performed using AES, RSA, and similar cryptographic algorithms that generate unique decryption keys. Therefore, unless the ransomware is unfinished or contains bugs/flaws, restoring data manually (without the developers' involvement) is impossible. Ransomware infections are one of the main reasons why you should maintain regular backups; however, store them on a remote server (e.g., cloud storage) or on an unplugged storage device (external hard drive, flash drive, or similar), since locally stored backups are compromised together with regular data. In fact, keep multiple backup copies stored in different locations, since there is always a chance that servers or storage devices can be damaged.

How did ransomware infect my computer?


The way developers proliferate .pdf is currently unconfirmed; however, these infections are usually distributed using trojans, fake software updaters and 'cracks', spam emails, and third-party download sources (e.g., Peer-to-Peer [P2P] networks, freeware download websites, free file hosting sites, and similar). Trojans are lightweight malicious applications that stealthily infiltrate computers and inject them with additional malware. Fake updaters and cracks infect systems rather than updating/activating software. Spam email campaigns are used to send hundreds of thousands of deceptive emails containing malicious attachments or links, with messages that describe these attachments as various 'important documents' (e.g., receipts, invoices, bills, etc.) and encourage recipients to open them. The same applies to unofficial download sources, which criminals use to present malicious executables as genuine software, often tricking users into manually downloading and installing malware. In summary, careless behavior and a lack of knowledge of these threats are the main reasons for computer infections.
