Ransomware

Prevention and Removal

 What is ransomware?
• 'Ransomware' is a type of malware that attempts to extort money
from a computer user by infecting and taking control of the victim's
machine, or the files or documents stored on it.

• Typically, the ransomware will either 'lock' the computer to prevent

normal usage, or encrypt the documents and files on it to prevent
access to the saved data.
 History
• The first known ransomware was the 1989 "AIDS" trojan (also known as "PC Cyborg") written by
Joseph Popp.

• Extortionate ransomware became prominent in May 2005.

• By mid-2006, worms such as Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and

MayArchive began utilizing more sophisticated RSA encryption schemes, with ever-increasing
key-sizes.

• In 2011, a ransomware worm imitating the Windows Product Activation notice surfaced.

• In February 2013, a ransomware worm based off the Stamp.EK exploit kit surfaced.

• In July 2013, an OS X-specific ransomware worm surfaced.

• CryptoLocker has raked in around 5 million dollars in the last 4 months of 2013.
 How do criminals install ransomware?
• Ransomware generates a pop-up window, webpage, or email warning from
what looks like an official authority.

• Ransomware is usually installed when you open

A malicious email attachment
Click a malicious link in
an email message
an instant message
on social networking site

• Ransomware can even be installed when you visit a malicious website.

 Types of Ransomware
• Encryption Ransomware

• Lock Screen Ransomware

• Master Boot Record (MBR) Ransomware

 Encryption Ransomware
• Encrypts personal files/folders (e.g., the contents of your My Documents folder -
documents, spreadsheets, pictures, videos).

• Files are deleted once they are encrypted and generally there is a text file in the same
folder as the now-inaccessible files with instructions for payment.

• You may see a lock screen but not all variants show one.

• Instead you may only notice a problem when you attempt to open your files.

• This type is also called 'file encryptor' ransomware.

 Lock Screen Ransomware
• 'Locks' the screen and demands payment.

• Presents a full screen image that blocks all other windows.

• This type is called 'WinLocker' ransomware.

• No personal files are encrypted.

Master Boot Record (MBR) Ransomware
• The Master Boot Record (MBR) is a section of the computer's hard
drive that allows the operating system to boot up.
• MBR ransomware changes the computer's MBR so the normal boot
process is interrupted.
• A ransom demand is displayed on screen instead.
 How to prevent ransomware ?
• Keep all of the software on your computer up to date.

• Make sure automatic updating is turned on to get all the latest Microsoft
security updates and browser-related components (Java, Adobe, and the
like).

• Keep your firewall turned on.

• Don't open spam email messages or click links on suspicious websites.

(CryptoLocker spreads via .zip files sent as email attachments, for
example.)
Cont..
• Download Microsoft Security Essentials, which is free, or use another
reputable antivirus and anti-malware program.

• If you run Windows 8 or Windows RT, you don’t need Microsoft Security
Essentials.

• Scan your computer with the Microsoft Safety Scanner.

• Keep your browser clean.

• Always have a good backup system in place, just in case your PC does
become infected and you can’t recover your files.
 Identify The Ransomeware

Most commonly, ransomware is saved to one of the following locations:

• C:\Programdata\(random alpha numerics).exe

• C:\Users\(username)\0.(random numbers).exe
• C:\Users\Username\AppData\(random alpha numerics).exe
 Removal – Microsoft Procedure
The following Microsoft products can detect and remove this threat:

• Windows Defender (built into Windows 8)

• Microsoft Security Essentials

• Microsoft Safety Scanner

• Windows Defender Offline (Some ransomware will not allow you to use the products
listed here, so you might have to start your computer from a Windows Defender
Offline disk.)
 Conclusion
When it comes to malware attacks, knowledge is the best possible
weapon to prevent them. Be careful what you click!! Preventive
measures should be taken before ransomewares establish strong hold.
Keeping all the software updated and getting latest security updates
might help to prevent the attacks. Use of antivirus and original
software is highly recommended. Creating software restriction policy is
the best tool to prevent a Cryptolocker infection in the first place in
networks.
Thank You