Laptop affected by ransomware, don't panic, this is how to deal with ransomware virus
Hello, welcome back to the Seccodeid blog, back again, my item is Bayu aji, because mas He's a son who is busy with his work, at this time I will fill in the content on this blog. This time I will discuss a little about ransomware. Yes, surely you guys already understand what ransomware is, I'm here to discuss the knowledge that I've learned hehehe, I'm also still learning, I'm not called proficient. Yep, there are still people out there who are more skilled and experienced for sure, I studied and analyzed this took more than 1 year, yoi knowledge is not instant, so I will share what I learned about ransomware.
How dangerous is ransomware? yes maybe some of you will think this question, I think ransomware is very dangerous, ransomware not only locks your data but ransomware plants a lot of malware on infected laptops, for example adware, trojans, and so on and you have to pay a ransom to unlock it. locked files. I once handled the case of my friend being hit by ransomware, yep, my friend here is from Nepal, his laptop was hit by ransomware, at 9 or 11 pm, my friend asked something strange on his laptop, the data could not be opened and adware appeared, not only that, even the laptop behaves strangely, often opens strange pages or websites, yep the malware automatically opens the edge, then redirects to strange websites. Then my friend asked for help to remove the virus and then I was given login access on my friend's laptop (remote). Here's what it looks like
After I analyzed, and asked the cause of the ransomware, it turned out that my friend installed and downloaded the game “pes or fifa”, forgot what version, then all the data was encrypted, and added another virus. The embedded ransomware is .mkos
Next I suggest removing the virus, initially the virus could not be removed. Then I suggest using iobit unlocker, yep iobit is very powerful for removing stubborn applications, because the virus is very difficult to stop, from trying through the task manager, windows registry. In the end, I suggest deleting it immediately. Then I tried to analyze readme.txt and locked files via emisoft and no more ransomware. And the result is nil, this ransomware is a new variant of Djvu ransomware, for which there is no known antidote or decrypter.
The next step, I suggest to backup or recovery. But my friend chose to reinstall, if you reinstall all the data risk will be lost, because in the file there are important files, as a result my friend immediately reinstalled and returned to normal.
A lot of things happen with ransomware, from installing pirated applications and others, but my friend's case is different. He was hit by ransomware because he cracked his cpanel password, well, I just heard of cases like this, the ransomware extension is .ssh if I'm not mistaken, and ransomware still exist today, many new variants are coming out, we as users must be careful when we want to install something.
Steps to analyze ransomware
Here I describe, when I was trying ransomware, from wanacry, petya, to the sample ransowmare that infected my friend's laptop, when I tried it took a lot of time and effort, from analyzing, to trying to find out how the program works. For wanacry, I think this is difficult, because developers make systems complex and use security holes in Windows. As a result, I couldn't complete the analysis in total, on the other hand I'm also still learning, so I decided to try a new sample hehe. Here I outline what you need, and learn
Prepare the right time, knowledge and mentor
Prepare mentors and mature knowledge, if you want to analyze a virus or malicious program. I suggest looking for the right mentor for you, because developers have their own logic and genius, some make programs complex, and some only run a few functions, but the average developer definitely makes programs that are not simple and easy to read. by others, therefore prepare mentors and mature knowledge.
Prepare the lab for trials
Yep, I tested ransowmare with various tools, such as virtual machines, Disassembler tools such as ghidra, ida pro, Api monitor, sample programs and so on. I use these tools to analyze, there are some things you should know, here I will describe a little, if I am wrong, I'm sorry.
1. Understand how a program works, you have at least tried to make a program from simple or complex, yep, this article is very useful for you when you want to reverse engineer. You at least know how the program you created works, then analyze it yourself, from debugging, and try to tweak the program you created.
2. Understand the programming language, if you want to try at least know the programming language that you master, for example c, c++, java, rubby, asm or php and INI files. If you already understand a programming language and try to make a program, you will undoubtedly have an idea in analyzing the program.
3. Understand about the network, yes the network is necessary. Every application must have a network port that is used such as xampp, browser, VPN, there must be a port running behind an application, so here you at least know about OSI layers and pots, UDP, TCP, Kill switches and others.
4. Understand about algorithms, there are many algorithms from easy to difficult, for example you want to try starting with basic algorithms first, such as input output in c, c# and other programming languages, there are many algorithms that are often used such as file handling algorithms, sorting, looping, selection, and others. If you already know the algorithm, you can measure the algorithm that has been created, for example lowcost, portability, and expandable
5. Never give up, yep, the last step is to never give up, keep learning from open or paid sources, if you have friends who are very proficient I suggest being good friends with them, it will be useful for you, you can directly ask questions and learn together with them. that person, don't be shy, want you to be bullied, be bullied, keep learning, don't pay attention to what people say, listen to good input and then store it in your brain.
Actually, there is still much more for you to learn, I am here to give you a little understanding and what I learned, if there are any shortcomings or mistakes, I'm sorry, if you want to add, you can write a comment below.
How ransomware works
Ransomware will lock any of your data, everything can be locked such as .exe, .jpg, .mp3 and others, this ransomware does not recognize file sizes and file extensions, everything will be wiped out with ransomware, for that you have to be careful when you want to try it, make sure you try it through a virtual machine, don't let your original machine get this virus.
Ok, I will explain some of what I do when analyzing a ransomware, consider the following:
As I said above. Prepare the lab for testing first, for how to set it up, do the following.
l Assuming the OS to be used, I'm using Windows 7 Vista, why do I use this?, because I don't have a Windows 10 ISO. So I decided to use Windows Vista.
l After that, you can install via your virtual machine, such as virtual box, setting with large storage, because there are several tools that you have to install there, such as network analysis, ida pro, ghidra and others.
l Then, you prepare the sample to be tested, after that do not run the program immediately, turn on the backup first, you can use a 3rd party such as EaseUS, or use one drive from Windows.
l Turn off the internet, if you are using a LAN cable, I suggest you just turn it off, we don't know what kind of program to analyze, we're afraid that it could infect others, it would be best to prevent it first.
l After that, do not forget to look in the Windows registry. Yes, you can see in the Windows registry, compare before and after you run the program, usually a virus will later be recorded or entered into the Windows registry, now that will be useful when you analyze it later, what is the Windows registry for? its function is to store settings on the system as well as hardware and software, if you don't know the Windows registry, don't tamper with other parts, just see and analyze after the program you run.
l Next, you can first turn on network analysis, and task manager, why is it necessary? later here you will see the activity of the application that is running. Usually this activity will be caught through network analysis and task manager.
l Yep after that you run the program.
Ransomware has certain types, here are some types of ransomware that I know of:
l Non-encrypting ransomware or lock screens
Does not encrypt data or files, but restricts access to a file.
l Ransomware encrypts Master Boot
Ransomware that locks the boot thus preventing the computer from entering the OS
so the computer cannot enter the operating system, because the system on the MBR and NTFS is locked directly by ransomware.
l Leakware or extortionware
Ransowmare that threatens the victim or target, and steals data and even damages the victim's data, if the ransom is not paid then the virus developer will threaten even more dangerous ones.
l Mobile Device Ransomware
Ransowmare contained in the mobile or cell phone.
Flow Ransoware
If I describe it like this, yes this is according to my view and my image when analyzing ransomware
1. Preliminary stage
Once sent via email, phishing email, pirated or ransomware-embedded application, or using other methods, the ransomware will then install itself on any network device it has access to. Therefore, if you want to try turning off the network first, even more so you are in a network that is used by many people. And a program must run with a port, please you can analyze and find the port that is running on the program.
2. Stage Secure Key Exchange (KEY in a ransomware)
Ransomware connects to the server and is then operated or controlled by the virus developer. The goal is to generate a cryptographic key (key) that will be used on the system. Usually use serial ID on your product, I tried and the result is like this.
I'm trying to connect the API in my IoT project, then the API responds will send to the root store that has been created, if I save it in the path results/lolicon/
This project is made in c, c++, php, and r languages
Results like this, you can try by opening CMD and then typing "systeminfo" then the results will appear as above, yes the data that I sent using the API then went to my system root path, why do you need it like this? So that you can find out who the affected target uses what device and what serial hehe.
3. Stage Encryption or locking files
Ransomware starts encrypting any files it can find on both the local machine and the network. Usually when the ransomware is running, it cannot be stopped, even worse, the antivirus is not detected and runs in the background. How come it can't be detected, the developer must have changed a signature on the program so that the antivirus can't detect it. There are many ways so that the program cannot be detected by the antivirus, you can change the signature in various ways, so that the signature on your program does not enter the antivirus database. And you can try to take advantage of the loopholes from the antivirus or the operating system. You can see in the Windows Registry if there are strange programs stored there, most likely it is a file from a virus.
4. Hold ransom or redeem
With encryption complete, the ransomware displays instructions on how to pay the ransom, threatening data destruction if payment is not made. Such data cannot be returned.
Example
5 Stages of decryption
The target can pay the ransom and hope to actually decrypt the files. Unfortunately, it often doesn't work, your data becomes corrupted and can't even be decrypted. The reason is that decrypting a file is a difficult thing, if you can get it back, at least there are some whose data is damaged or the data becomes corrupt, for that the best step is to recover your data, and reinstall it.
Yes, here I do not teach to make ransomware, but understand the flow of a ransomware, just for learning, and if you have very great knowledge, it would be better not to make it for evil, just use it for our own evaluation heheh.
How to prevent and restore data on ransomware
1. Never download or install untrusted sites
If you like to look for pirated games or applications, my advice is to undo it, look for a paid one or use a trial. If it's an emergency, look for a trusted site
2. Don't click on links or attachments in emails
You get an email, which contains a file, or a link. My advice if the email is suspicious just ignore it, you can see the contents of the email header, in gmail there are features that you can use
You can use whois and nslookup to view details about a website, such as DNS, IP and more. So do not immediately believe in an email, analyze it first.
3. Install antivirus
You can install an antivirus, it's free, if I just use Windows Defender hehe.
4. Diligently backup every day
Use the one drive feature in Windows, or you can use a 3rd party like EaseUs, you can also use a hard disk, backup your important files. If something happens, there's still hope.
5. Always be aware of USB
USB can transmit viruses, so reduce the use of USB. If you have a USB safe step you can do is, do not lend the USB to others, use it for personal use. If you can make a torrent box, my advice is to use torrent or cloud, at home I rarely do file transfers using USB, I transfer files on Rasbian, so Rasbian doesn't need USB, only using the network your files can be sent.
Tips for you if you have been exposed to Ransomware
If you have been exposed to ransomware, you will surely panic, yes, if you were in that position, you would feel the same way, for that I give tips if you have been exposed to ransomware.
l Don't rush to reinstall, try to recover your data first, if you have a safe backup, you're still lucky that there are many free cloud storage providers such as droptbox, mega, google drive, one drive, and others. Take advantage of it to back up your data
l Try it with EaseUs, you can use EaseUs for recovery, but the results of the recovery will be random and unordered, and your data may be safe, only some of which may not be recoverable.
l Using safemode on windows, yep you can try to enter into safe mode boot, your data may be safe
Conclusion
- Ransomware
- Ransomware Prevention
- How Ransomware works
- Wanacry
- Decrtpter Ransomware
- What is Ransomware
- Laptop affected by Ransomware