Most Popular Ransomware: CryptoLockers

To put it simply, you are at the mercy of cybercriminals…

Şükrü Durmaz
DataBulls
6 min read · Mar 30, 2021


The main aim of evil-minded cybercriminals is to gain access to personal or organizational sensitive data via exploitable cybersecurity vulnerabilities or social engineering attacks. After gaining access, they encrypt those sensitive data with different types of ransomware and block victims’ access to them unless the requested ransom is paid.

To gain anonymity, the ransom is requested in blockchain-based cryptocurrencies which, as we all know, cannot be traced back to the cybercriminals. Generally, the ransom is requested in the most famous cryptocurrency, Bitcoin. It would be 100% correct to say that Bitcoin and some other altcoins have become the de facto standard currencies for cybercriminals to demand their fee for returning encrypted files to their victims.

At this point, we should also state in capital letters that when you pay the ransom in blockchain-based cryptocurrencies, there is no guarantee that you will get the decryption key you need in return.

To put it simply, you are at the mercy of those cybercriminals.

If they are honest (!) or decent (!) enough, there is a chance that you may get the decryption key and be happy that your systems are back online again. This anonymity, invisibility, and concealment of criminal traces encourage cybercriminals, feeding both their motivation and the victimization of their targets. Unless this problem is tackled by both technology and law enforcement, we will continue to hear of such ransomware cases more and more.

Up until now, as Difose — Digital Forensic Services, our incident response team has handled many ransomware attack cases. In most of these cases, unfortunately, we found that the companies had first tried to handle the incident on their own, based on their own knowledge and experience. However, mitigating or coping with ransomware attacks requires a certain level of experience and professionalism.

We strongly advise victims to seek professional help rather than trying to solve the problem on their own, as unassisted attempts may render all subsequent professional efforts useless.

Please keep in mind that incident response processes MUST be handled by a team of professionals to maximize the probability of success. It would be very helpful if we could write down every step you should follow in case of a ransomware attack, but considering the fact that cybercriminals may also read this article, that may not be the best approach. To tell you the truth, we have experienced exactly that in the past.

Photo by Marko Blažević on Unsplash

Some years ago, after posting some of our recovery techniques on social media platforms, cybercriminals changed their attack types and techniques. We had shared posts on social media explaining that we were able to recover data via vulnerabilities in the encryption software or via volume shadow copies. As a result, we started to face different types of ransomware attacks. For that reason, we, both the victims and the professionals, must be very careful in the fight against cybercriminals.

  • To keep continuous access to the network, cybercriminals use software such as bootkits, which let malicious code start before the operating system loads. Launching malware from the MBR or VBR allows cybercriminals to control every stage of OS startup and gives them persistent access to the network.
  • The second thing cybercriminals do once they have access to the network is to create a superuser with system administrator privileges and stop using the default administrator account, so as not to be detected.
  • After that, they start reconnaissance with various network reconnaissance tools to find the other computers and servers on the network. Most importantly, they use those tools to locate the backup storage.
  • Lastly, they encrypt all critical data (finance, management, logistics, production, etc.) stored on the servers, including the backup systems, with unbreakable encryption techniques.

# What would be the first thing that comes to your mind when your sensitive data is encrypted by cybercriminals? The answer is so simple: Backup. Here comes the second question.

# What will be the solution if you have only an on-premise online backup that is attached to the network 24/7 and can be accessed easily? Just nothing, because your online backup will most probably also be encrypted.

Cybercriminals encrypt every piece of data that they have access to. Additionally, they also wipe system logs and deleted files. After that, they just leave a “readme.txt” file for your information stating that all your files are encrypted and you need to pay the requested ransom in a limited time frame to receive the decryption key.
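The intrusion chain described above (a new privileged account replacing the default administrator, wiped audit logs, and a ransom note dropped on file shares) leaves traces in the Windows Security log well before the encryption is noticed. The script below is an added example written for this article, not code from Difose or from the original post. It runs simple correlation rules over a constructed sample of event records; the records use a simplified key layout (EventID, Time, Computer, SubjectUser, TargetUser, Group, ObjectName) that you would map onto the field names of your own collector (Sysmon, Winlogbeat, a SIEM). The event IDs are the standard Windows ones: 4720 (user account created), 4732 (member added to a local group), 1102 (audit log cleared), 4663 (object access, which requires file auditing to be enabled).

```python
"""Correlate Windows Security events that match the ransomware intrusion chain.

Added example; the event records below are constructed sample data, and the
key names are a simplified layout rather than any collector's real schema.
"""
from collections import Counter
from datetime import datetime

# Constructed sample events (not real log data). Times are ISO 8601 strings.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2021-03-20T01:02:00", "Computer": "FS01",
     "SubjectUser": "svc_backup"},
    # Account created and promoted to Administrators within seconds: the
    # "superuser" step from the article.
    {"EventID": 4720, "Time": "2021-03-20T01:05:10", "Computer": "FS01",
     "SubjectUser": "Administrator", "TargetUser": "sysadm"},
    {"EventID": 4732, "Time": "2021-03-20T01:05:12", "Computer": "FS01",
     "SubjectUser": "Administrator", "TargetUser": "sysadm",
     "Group": "Administrators"},
    # A routine user creation by IT during business hours, no group change.
    {"EventID": 4720, "Time": "2021-03-20T09:00:00", "Computer": "HR02",
     "SubjectUser": "itops", "TargetUser": "jdoe"},
    # Audit log cleared by the new account, then a ransom note written.
    {"EventID": 1102, "Time": "2021-03-21T03:40:00", "Computer": "FS01",
     "SubjectUser": "sysadm"},
    {"EventID": 4663, "Time": "2021-03-21T03:41:00", "Computer": "FS01",
     "SubjectUser": "sysadm", "ObjectName": "D:\\Finance\\readme.txt"},
]

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
RANSOM_NOTE_NAMES = {"readme.txt"}   # the note name the article mentions
PROMOTION_WINDOW_SECONDS = 300       # create-then-promote within 5 minutes


def _parse_time(ts):
    return datetime.fromisoformat(ts)


def find_alerts(events):
    """Return a list of (rule, computer, time, detail) tuples.

    Rules:
      new_privileged_account - 4720 followed by 4732 into a privileged group
                               for the same account within the window
      audit_log_cleared      - 1102 on any host
      ransom_note_written    - 4663 on a file whose name is a known note name
    """
    alerts = []
    created = {}  # (computer, account) -> creation time
    for ev in sorted(events, key=lambda e: e["Time"]):
        eid = ev["EventID"]
        when = _parse_time(ev["Time"])
        host = ev["Computer"]
        if eid == 4720:
            created[(host, ev["TargetUser"])] = when
        elif eid == 4732 and ev.get("Group") in PRIVILEGED_GROUPS:
            made = created.get((host, ev["TargetUser"]))
            if made is not None and (when - made).total_seconds() <= PROMOTION_WINDOW_SECONDS:
                alerts.append(("new_privileged_account", host, ev["Time"], ev["TargetUser"]))
        elif eid == 1102:
            alerts.append(("audit_log_cleared", host, ev["Time"], ev["SubjectUser"]))
        elif eid == 4663:
            name = ev.get("ObjectName", "").rsplit("\\", 1)[-1].lower()
            if name in RANSOM_NOTE_NAMES:
                alerts.append(("ransom_note_written", host, ev["Time"], ev["ObjectName"]))
    return alerts


def hosts_by_alert_count(alerts):
    """Rank hosts by how many rules fired, to decide where to isolate first."""
    return Counter(a[1] for a in alerts).most_common()


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
    print(hosts_by_alert_count(find_alerts(SAMPLE_EVENTS)))
```

The rules are deliberately narrow: a routine account creation without a privileged-group change (the jdoe record) produces nothing, while the create-then-promote sequence, the cleared log, and the note all fire on the same host, which is the host to isolate first.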

Photo by XPS on Unsplash

However, there are certain backup systems that cybercriminals using ransomware don’t like. It is not always easy for cybercriminals to gain access to, and therefore encrypt, NAS and DAS backup systems. With that being said, we have also encountered NAS and DAS backup systems that were configured to be directly accessible without a username or password. This type of configuration makes it easy for cybercriminals to access the backup systems. When the attackers cannot gain access to NAS and DAS backup systems, they start to perform the following tasks.

  • They try to learn the make, model, and OS of the NAS and DAS backup systems with special reconnaissance techniques.
  • Even though they cannot gain access to and encrypt the data, they exploit system vulnerabilities and missing firmware updates to damage or disrupt the RAID structure so that the data becomes inaccessible to users. Sometimes, they even create different RAID setups for the same purpose.

Let me try to explain the situation with a real-life ransomware example that we handled a few weeks ago.

  • During our IR process, we saw that the victim company had a NAS backup system with 8 disks that were configured as RAID5.
  • We noticed that the cybercriminals couldn’t get access to the data, but they had changed the RAID structure a few times and consequently damaged the RAID structure.
  • We unmounted all 8 disks and got the bit-to-bit copy of each disk. Then, our data recovery experts started to work on these disks in our lab to reconfigure the RAID structure and recover data stored on them.
  • With our proprietary script, we managed to recover both the RAID structure and therefore the data on the disks after a week of tiring and meticulous work.
  • However, it should be noted that this is not as easy as it seems and it isn’t always the case.
  • Our advice to victims of ransomware attacks that have NAS backup systems is to consult with professionals before doing anything to recover from the disaster.
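The recovery described in the case above rests on RAID5 parity arithmetic: every stripe across the members XORs to zero, so any single missing or damaged chunk can be rebuilt from the others, and a stripe that does not XOR to zero pinpoints damage. The block below is an added example written for this article; it is not Difose’s proprietary script and does not attempt what that script had to do (discover chunk size, rotation and disk order from raw images). It assumes those parameters are known, builds a small left-symmetric RAID5 set from constructed data, drops one member, rebuilds it, and flags a corrupted stripe.

```python
"""RAID5 parity arithmetic: build, rebuild a lost member, locate damaged stripes.

Added example with constructed data. Layout assumed: left-symmetric RAID5,
parity rotating from the last member downward, data chunks following the
parity chunk and wrapping around. Real arrays use 64 KiB or larger chunks.
"""

CHUNK = 16  # bytes per chunk (tiny for illustration)


def xor_bytes(*blocks):
    """Bytewise XOR of equally sized byte strings."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, b in enumerate(block):
            out[i] ^= b
    return bytes(out)


def _layout(stripe, ndisks):
    """Return (parity_disk, [data disks in logical order]) for one stripe."""
    parity_disk = (ndisks - 1 - stripe) % ndisks
    data_disks = [(parity_disk + 1 + k) % ndisks for k in range(ndisks - 1)]
    return parity_disk, data_disks


def build_raid5(data, ndisks, chunk=CHUNK):
    """Split user data into ndisks member images with rotating parity."""
    per_stripe = chunk * (ndisks - 1)
    data = data + b"\0" * ((-len(data)) % per_stripe)   # pad the last stripe
    members = [bytearray() for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        stripe = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [stripe[k * chunk:(k + 1) * chunk] for k in range(ndisks - 1)]
        parity_disk, data_disks = _layout(s, ndisks)
        for disk, piece in zip(data_disks, chunks):
            members[disk] += piece
        members[parity_disk] += xor_bytes(*chunks)
    return [bytes(m) for m in members]


def rebuild_missing(members):
    """Rebuild the one member given as None by XORing all the others."""
    present = [m for m in members if m is not None]
    if len(present) != len(members) - 1:
        raise ValueError("RAID5 can rebuild exactly one missing member")
    return xor_bytes(*present)


def read_raid5(members, chunk=CHUNK):
    """Reassemble user data (including padding) from a complete member set."""
    ndisks = len(members)
    out = bytearray()
    for s in range(len(members[0]) // chunk):
        _, data_disks = _layout(s, ndisks)
        for disk in data_disks:
            out += members[disk][s * chunk:(s + 1) * chunk]
    return bytes(out)


def damaged_stripes(members, chunk=CHUNK):
    """Stripe numbers whose chunks do not XOR to zero (i.e. parity mismatch)."""
    bad = []
    for s in range(len(members[0]) // chunk):
        chunks = [m[s * chunk:(s + 1) * chunk] for m in members]
        if any(xor_bytes(*chunks)):
            bad.append(s)
    return bad


def demo():
    """Worked run on constructed data; returns the checks it performed."""
    data = b"Finance ledger 2021 " * 5          # 100 bytes -> 3 stripes on 4 disks
    members = build_raid5(data, ndisks=4)
    lost = members[2]
    rebuilt = rebuild_missing([members[0], members[1], None, members[3]])
    # Flip one bit in stripe 1 of member 1 to simulate damage.
    corrupted = list(members)
    corrupted[1] = (members[1][:CHUNK] + bytes([members[1][CHUNK] ^ 1])
                    + members[1][CHUNK + 1:])
    return {
        "rebuild_ok": rebuilt == lost,
        "readback_ok": read_raid5(members)[:len(data)] == data,
        "intact_damaged": damaged_stripes(members),
        "corrupted_damaged": damaged_stripes(corrupted),
    }


if __name__ == "__main__":
    print(demo())
```

Two members lost, or a re-initialised array that rewrote parity with a different layout, breaks this arithmetic; that is why the case above needed bit-for-bit images of all eight disks before any reconstruction was attempted, and why a NAS owner should not let the controller rebuild anything until those images exist.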

As a last word: no matter how strong your security measures are or what they consist of, it is highly likely that you will be one of the future victims of a cyberattack, because it is just a matter of time. For that reason, you should always take such ransomware attacks into consideration and prepare the required security measures, policies, and procedures accordingly. Additionally, from time to time, you should also check whether everybody follows the company’s cybersecurity procedures.

Please keep in mind that file and system backups that are out of the reach of cybercriminals are a lifesaver. For that reason, you should consider a well-planned offline backup procedure if you want to stay safe against the dangers of ransomware attacks.


The subject matter of Digital Forensics and Cybersecurity. Entrepreneur. International trainer.