Main article: Ransomware viruses
2024: FBI gets 7,000 LockBit ransomware decryption keys and starts helping people unlock computers
The U.S. Federal Bureau of Investigation (FBI) announced that it had received more than 7,000 decryption keys for the LockBit ransomware, which allows the agency to help victims of this malware restore access to their data. This was announced on June 6, 2024 by Brian Vorndran, assistant director of the FBI's cyber division. Read more here.
2023
RTK-Solar experts have released a decryptor for the HardBit ransomware
The cybercriminal group HardBit, which previously attacked Western countries using the ransomware of the same name, was spotted trying to extort a Russian organization. Experts from the Solar JSOC CERT Cyber Incident Investigation Center of RTK-Solar analyzed samples of all versions of HardBit and found a way to decrypt the files. The company announced this on September 7, 2023. Read more here.
Kaspersky Lab has released a tool to unlock computers infected with the popular Conti ransomware virus
On March 16, 2023, Kaspersky Lab released a new decryption tool that will help victims of ransomware created from Conti source code recover their data. Read more here.
2022
Kaspersky Lab has published a practical guide to the techniques, tactics and procedures of the most popular ransomware groups and protection against them
Kaspersky Lab on June 24, 2022 published a practical guide to the techniques, tactics and procedures of the most popular ransomware groups.
The study is based on data for the period from October 2021 to March 2022. It showed that the different families of this type of software coincide by more than half in their TTPs across all stages of the Cyber Kill Chain (the chain of attack stages an attacker must go through to achieve his goal).
The study presents data on the activity of Conti/Ryuk (the group announced the suspension of its activities in May 2022), Pysa, Clop (TA505), Hive, Lockbit2.0, RagnarLocker, BlackByte and BlackCat. These groups operate around the world, including in the USA, Great Britain and Germany. From March 2021 to March 2022, the operators of these groups tried to attack more than 500 organizations in different industries, including manufacturing, software development and construction.
The report describes all stages of the attack, the attackers' favorite TTPs and their targets, as well as methods of protecting against targeted ransomware attacks. It also includes SIGMA detection rules that SOC specialists can use.
After analyzing what techniques and tactics collected in MITRE ATT&CK (a knowledge base containing a taxonomy of actions used by attackers during a cyber attack) are used by well-known groups, experts found many similarities among TTPs throughout all stages of the Cyber Kill Chain. The similarity between attacks can be seen in the following:
- the Ransomware-as-a-Service (RaaS) partner model is actively used, when the creators of the ransomware do not deliver malware to the device themselves, but only provide data encryption services. Many attackers use ready-made templates or automation tools;
- old and similar tools are reused. This reduces the preparation time for the attack;
- common tactics, techniques and procedures are reused, which facilitates the hacking process. It is possible to detect these techniques, but it is much more difficult to do this proactively across all possible threat vectors;
- companies do not quickly install updates and patches, which makes it easier for attackers to access their infrastructure.
This global study is in the public domain and helps to understand how these groups operate and how to protect against such attacks.
"In recent years, ransomware has been the main nightmare of the entire cybersecurity industry. Malware operators are constantly improving their tools, and studying all groups of ransomware, the evolution of their activities is a time-consuming and complex process even for experienced analysts. We are proud to present the results of a large analytical work based on careful observation of the most active groups. Our report gives a detailed picture of this type of threat and, we hope, will be able to facilitate the work of all cybersecurity specialists," said Nikita Nazarov, head of the Threat Intelligence service group.
Information security researchers have released a decryptor for the Hive 5 ransomware
The malware researcher known as reecDeep developed and published on GitHub a decryptor for the latest version of the Hive ransomware[1]. He did not work alone: he was helped by a researcher from Russia, Andrei Zhdanov, also known as rivitna. The experts studied the encryptor, created a key generator for it, and then a full-fledged tool that generates key lists and immediately selects the necessary ones.
The decryption tool's page provides technical details describing how it works. The decryptor uses brute force to match keys to the encrypted data. In addition to information about the tool, the GitHub page contains technical details of the Hive 5 version.
ReecDeep also said that the decryptor is compatible with minor updates of Hive version 5 (5.1, 5.2, and so on). However, this tool will not work with previous versions of the ransomware, as they are written in Go and use completely different encryption methods[2].
2021: Ransomware protection: Does it exist?
Main article: Ransomware Protection: Does It Exist?
2019: How to protect your business from ransomware viruses
Ransomware remains one of the biggest threats on the Internet, writes the ZDNet portal in 2019[3]. A careless click on a link can set off a chain of events that ends with all of the user's data encrypted, leaving him to choose between paying the attackers a large sum for the decryption key (they usually demand it in bitcoins or another cryptocurrency to obscure the trail of the transaction) and refusing to pay the ransom. Because many victims prefer to pay, the criminal groups that spread ransomware have considerable funds and continue to refine their attack tactics.
So, while unsophisticated scammers are content with sending malware blindly, gangs that have put their trade on an industrial footing look for vulnerabilities in corporate networks and strike only when they can inflict maximum damage by encrypting as many devices at once as possible. Malware is distributed not only by criminal groups but also by groups backed by individual states, which do so to wreak havoc and bring profit to their patrons. The ever-growing number of attacks on business can be compared to an arms race: on one side, cybercrime constantly replenishes its arsenal of ransomware modifications and looks for new ways to compromise systems, while on the other, enterprises are forced to build up their capacity to protect corporate infrastructure and close any loopholes for infiltration.
In practice, criminal gangs always have the initiative, so there is no guaranteed way to fully protect yourself or your business from ransomware or any other malware. However, a number of steps can be taken to mitigate the effects of an attack or reduce the attackers' chances.
1. Install software patches to keep software up to date. Patching is a tedious and time-consuming procedure, but it is required to close security gaps in software. Many users neglect it, and this is a mistake, because open vulnerabilities give hackers room to maneuver: they will exploit any vulnerability in the software to penetrate the network if the enterprise has not had time to test and deploy the patch.
A classic example of what a delay in installing security patches leads to is WannaCry. In the summer of 2017 this ransomware swept across IT networks like a tsunami. In a short time a total of 300 thousand computers belonging to individuals, commercial organizations and government agencies in more than 200 countries were hit by the worm. The spread of WannaCry halted the work of many organizations: hospitals, airports, banks, factories, etc. In particular, a number of British hospitals postponed scheduled medical procedures, examinations and urgent operations. Although a patch for Windows Server Message Block (SMB) that prevents threats like WannaCry had been released a few months before it appeared, a huge number of organizations ignored it, which led to the infection of their infrastructure.
Many companies have yet to learn the basic lessons of IT hygiene. According to a survey by the information security company Tripwire, one in three companies that suffered an infrastructure breach had open vulnerabilities. Sophos telemetry systems in August 2019 alone detected 4.3 million attacks using WannaCry "descendants." Over that last summer month, 6,963 ransomware variants were recorded, 80% of which were new. Experts counted 12,480 WannaCry variants that have appeared since the original version.
2. Change the default passwords on all access points. Clicking a potentially dangerous link in an e-mail is the best-known way to get infected with malware, but far from the only one. According to an F-Secure study, about a third of ransomware was distributed through password-guessing attacks, also known as brute-force attacks, and through Remote Desktop Protocol (RDP) connections.
In a password-guessing attack, hackers try to gain access to servers and other devices by trying as many password variants as possible. Usually these attacks are carried out with bots, in the hope that sooner or later a guessed password will get them inside the organization's perimeter. Because, for some reason, many organizations do not change the passwords set by default by equipment manufacturers, or choose easily guessed combinations, brute-force attacks remain relevant.
RDP allows a PC to be managed remotely and is another entry point for ransomware. The main measures that significantly reduce the attack surface are setting strong passwords and changing the RDP port, restricting the range of devices that can connect to it to those the organization designates.
3. Train staff to recognize suspicious e-mails. E-mail is one of the classic ways ransomware gets into an organization, because for ransomware gangs, sending malware to thousands of e-mail addresses is a cheap and easy way to distribute it. Despite the apparent primitiveness of this tactic, it is still depressingly effective. To protect the enterprise from ransomware and phishing distributed by e-mail, it needs to conduct training so that personnel can recognize suspicious e-mail.
The main rule: never open e-mails from unknown senders, and certainly do not click on links in such messages. Be wary of attachments that ask you to enable macros, since this is a standard route to malware infection. As an additional layer of security, use two-factor authentication.
4. Make your network harder to traverse. Ransomware groups increasingly seek the largest possible financial gain, and blocking one or two computers obviously will not bring it. To inflict maximum damage, they penetrate the network and look for ways to spread the ransomware to as many computers as possible. To prevent the spread of ransomware, or at least make life difficult for the hackers, segment the network and limit and further protect the administrator accounts that have access to the entire infrastructure. As is well known, phishing attacks are for the most part aimed at developers, because they have wide access to various systems.
5. Monitor the devices connected to your network. Computers and servers are where data is stored, but they are not the only devices administrators need to worry about. Office Wi-Fi, IoT devices and remote-work scenarios mean that a wide variety of devices now connect to the company's network without the built-in security features an enterprise device requires. The more of them there are, the greater the risk that one of them, for example a poorly protected printer or other network device, contains a backdoor through which criminals penetrate corporate systems. Administrators also need to think about who else has access to their systems: if these are your suppliers, are they aware of the risk posed by ransomware and other malware?
6. Create an effective backup strategy. Reliable and up-to-date backups of all business-critical information are a vital protection, especially against ransomware. When, through a combination of unfavorable circumstances, hackers manage to compromise several devices, timely backups mean they can be restored and put back to work quickly. Given the importance of the backup strategy, the enterprise needs to know where its business-critical data is stored. Perhaps the CFO keeps it in a spreadsheet on the desktop, and that data is not mirrored to the cloud.
One very important detail to keep in mind: if only non-critical data is backed up, or backups are made on an ad hoc basis rather than on a schedule, the backup strategy is of little use.
7. Think before you pay the ransom. Consider the situation: ransomware has made its way through the organization's defenses and all computers are encrypted. Restoring data from backups will take several days, and that delay may be critical for the business. Maybe it is better to pay the criminals a few thousand dollars? What should be done? For many, the conclusion will be obvious: if the business is to be restored as soon as possible, then pay. However, there are reasons to believe this decision could prove fatal. Firstly, there is no guarantee that after payment the criminals will hand over the decryption key, because they are criminals and lack the usual moral principles. Moreover, by paying, the organization demonstrates its willingness to pay, which can provoke new attacks from the same gang or from other groups looking for solvent victims. Secondly, paying a ransom, whether from your own funds or through insurance coverage, means the criminal enterprise brings the groups income, which they can spend on improving their campaigns and attacking more enterprises. Even if one or more businesses are lucky enough to get their computers unlocked, paying the ransom stimulates a new wave of extortion.
8. Develop a ransomware response plan and test it. Every enterprise must have a plan for recovering from unforeseen disruptions to its workflows, be it equipment failure or a natural disaster, and responding to ransomware should be a standard section of it. The response should not only be technical (cleaning PCs and restoring data from backups) but also be considered in a broader business context: for example, how to explain the situation to customers, suppliers and the press, and whether the ransomware attack should be reported to the police, the insurance company and regulators. Besides developing the plan, you will need to make sure it actually works, since some of its assumptions may turn out to be wrong.
9. Scan and filter e-mail. The easiest way to stop employees from clicking a malicious link in an e-mail is to make sure it never reaches their mailbox. To achieve this, use content scanning and e-mail filtering tools. Properly configured filters will significantly reduce the number of phishing and ransomware messages that get through.
10. Understand what is happening on your network. The information security market offers a range of related security tools, from intrusion detection and prevention systems to security information and event management (SIEM) systems, that give a complete picture of network traffic, the channels it arrives through, etc. A SIEM receives event information from various sources, such as firewalls, IPS, antiviruses, operating systems, etc., filters the data obtained and normalizes it to a single format suitable for analysis. This allows event logs from different systems to be collected and stored centrally.
Next, the SIEM correlates events, looking for relationships and patterns, which makes it highly likely to identify potential threats, failures in the IT infrastructure, unauthorized access attempts and attacks. These products give an up-to-date picture of the state of the network and, among other things, allow anomalies in traffic that may indicate an intrusion to be identified, though without indicating whether it was carried out using ransomware or some other kind of malicious software. In any case, if the enterprise cannot see what is happening on its network, it will not be able to stop the attack.
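The kind of correlation a SIEM performs, applied to the RDP password-guessing scenario from item 2: an added example, not code from ZDNet or any SIEM vendor. The log records are constructed and modelled loosely on the fields of Windows Security event 4625 (failed logon) and 4624 (successful logon), where logon type 10 denotes an RDP session; the threshold and window are assumptions a real deployment would tune.

```python
"""Correlate failed-logon events to surface RDP password guessing."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: time, event id, logon type, account, source IP.
# 203.0.113.7 cycles through accounts and then logs in; 198.51.100.4 is a
# user who mistyped a password twice before succeeding.
SAMPLE_LOG = """\
2019-08-01T02:14:01 4625 10 administrator 203.0.113.7
2019-08-01T02:14:03 4625 10 admin 203.0.113.7
2019-08-01T02:14:05 4625 10 root 203.0.113.7
2019-08-01T02:14:07 4625 10 guest 203.0.113.7
2019-08-01T02:14:09 4625 10 user1 203.0.113.7
2019-08-01T02:14:11 4625 10 backup 203.0.113.7
2019-08-01T02:14:20 4624 10 backup 203.0.113.7
2019-08-01T02:30:00 4625 10 jsmith 198.51.100.4
2019-08-01T02:45:00 4625 10 jsmith 198.51.100.4
2019-08-01T03:00:00 4624 10 jsmith 198.51.100.4
"""


def parse_log(text):
    """Parse the constructed line format into dicts (a SIEM would parse EVTX/XML)."""
    events = []
    for line in text.splitlines():
        ts, event_id, logon_type, account, src = line.split()
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "account": account, "src": src})
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a source once it produces `threshold` failed RDP logons inside a
    sliding `window`, and escalate if a success from that source follows the
    burst within the window (the 'guessed password' case)."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = {}                    # src -> time the burst was detected
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:      # only RemoteInteractive (RDP) sessions
            continue
        q = failures[ev["src"]]
        if ev["event_id"] == 4625:
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged[ev["src"]] = ev["time"]
                alerts.append(("brute_force", ev["src"], len(q), ev["time"]))
        elif ev["event_id"] == 4624 and ev["src"] in flagged:
            if ev["time"] - flagged[ev["src"]] <= window:
                alerts.append(("success_after_burst", ev["src"], ev["account"], ev["time"]))
                flagged.pop(ev["src"])
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_log(SAMPLE_LOG)):
        print(alert)
```

The same logic expressed as a SIEM correlation rule would also feed the "success after burst" alert straight to the response plan from item 8, since it means a guessed password is already in use.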
11. Make sure your antivirus software is up to date. Updating antivirus signatures seems commonplace, but some organizations, usually small ones, do not pay due attention to this process. Many modern antivirus packages offer ransomware detection or add-ons that detect the suspicious behavior common to all ransomware: file encryption. These components recognize that an outside program is trying to modify and encrypt user files and attempt to stop the encryption. Some security packages even make copies of files threatened by ransomware.
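What "detecting the behavior common to all ransomware" looks like in practice, as an added example (not any vendor's detection engine): a process is flagged when, within a short window, it rewrites several files under a new extension with content whose byte entropy is indistinguishable from random data. The file-write events, the entropy threshold and the counts are constructed assumptions; a real monitor would take events from a filesystem filter driver or auditd.

```python
"""Entropy- and rename-based heuristic for mass file encryption."""
import math
import random
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text and office documents, close to 8
    for compressed or encrypted content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic: the written content is statistically close to random bytes."""
    return shannon_entropy(data) >= threshold


def detect_mass_encryption(events, min_files=5, window=60):
    """events: (time_s, pid, path, new_path_or_None, bytes_written).
    A rename to a new extension combined with high-entropy content counts as
    one encrypted file; a pid is flagged once `min_files` such files appear
    within `window` seconds. Returns a list of (label, pid, count)."""
    recent = defaultdict(list)   # pid -> times of encrypted-looking writes
    alerts = []
    for t, pid, path, new_path, data in sorted(events, key=lambda e: e[0]):
        ext_changed = new_path is not None and \
            new_path.rsplit(".", 1)[-1] != path.rsplit(".", 1)[-1]
        if not (ext_changed and looks_encrypted(data)):
            continue
        recent[pid] = [x for x in recent[pid] if t - x <= window] + [t]
        if len(recent[pid]) >= min_files and all(a[1] != pid for a in alerts):
            alerts.append(("mass_encryption", pid, len(recent[pid])))
    return alerts


def make_ciphertext(seed: int, n: int) -> bytes:
    """Constructed stand-in for encrypted output (deterministic pseudo-random)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample: pid 100 is a backup job rewriting documents in place with
# ordinary text; pid 200 rewrites each document as .locked with ciphertext-like
# content, the pattern the text describes.
PLAINTEXT = b"Quarterly report: revenue up 3% on the previous period. " * 40
SAMPLE_EVENTS = (
    [(i, 100, f"/srv/docs/r{i}.docx", None, PLAINTEXT) for i in range(8)]
    + [(10 + i, 200, f"/srv/docs/r{i}.docx", f"/srv/docs/r{i}.docx.locked",
        make_ciphertext(i, 2048)) for i in range(6)]
)

if __name__ == "__main__":
    print(detect_mass_encryption(SAMPLE_EVENTS))
```

Compressed archives and already-encrypted files also have high entropy, which is why the rename and the burst rate are required as well; a backup job that rewrites files in place with readable content is not flagged.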
2017: Recommendations for protecting against targeted ransomware attacks
To protect against targeted attacks using ransomware, Kaspersky Lab and Jet Infosystems experts recommend taking the following actions:
- Back up data that can be used to recover files in the event of an attack.
- Use a security solution with behavior detection technology. It identifies Trojans of any type by analyzing their actions in the attacked system. This allows you to detect even previously unknown malware.
- Check out the site of the international initiative No More Ransom, created to help victims of targeted attacks recover files without having to pay a ransom. If your data is encrypted, Kaspersky Lab recommends using the No Ransom service, which presents tools developed by the company to help ransomware victims.
- Audit the installed software, not only on workstations, but also on all network nodes and servers. Update your software in time.
- Conduct a comprehensive assessment of network information security (audit, penetration testing, GAP analysis) to detect and close all loopholes that attackers can exploit.
- Use external expert assessment: consulting authoritative vendors will help anticipate the vector of future attacks.
- Avoid using accounts with administrator privileges. Set up a separate account for managing the computer, and use an account with elevated privileges only when it is actually required, say, to install or configure software. Most everyday user tasks can be done without administrator rights. This also applies to home computers, especially those to which children have access; for them it is generally better to configure a "child safety" mode, for which various options exist.
- Restrict network access to files. Disable or restrict sharing of your computer's file resources. The latest viruses also spread over the network from computer to computer; there the infection mechanism is much more complicated, but that is a separate topic. For a home network the same applies, for the same reasons. Do not give unlimited network access to your computer's disks.
- Configure Internet browsers. Review the security settings of your browsers and set a level that lets you work comfortably and safely. If the set of sites you regularly visit is not too large, you can raise the security level substantially without compromising the quality of information display. Of course, saving passwords in the browser is not good, and nobody does it, but just in case, use strong "master passwords" to protect all your saved passwords, if your browser supports this option. It will not stop a specialist, but storing passwords in clear text is far worse. Avoid decoy sites that look like the real ones. Check carefully where exactly you are entering passwords, card numbers, etc.
- Check public Wi-Fi. When using public Wi-Fi, such as in a cafe, make sure the hotspot really belongs to the cafe and is not just similar in name. See whether it has protection (the same "lock"). Also pay attention to who owns the certificates of the sites you open: the certificates must belong to those sites, not to the cafe or someone else. There is no guarantee that a novice hacker is not sitting at the next table collecting social network passwords or spreading that same WannaCry virus to visitors' laptops.
- Do not open suspicious e-mails (phishing). The most important thing is to protect your data, since that is what all kinds of "ransomware" and other malicious software are after. Given that the cheapest and most effective way to deliver malicious content is e-mail, follow common-sense rules when receiving correspondence. Assume that anything you receive from outside is more likely to contain a virus than not. A letter from any suspicious or unknown address is reason enough to delete it unread. In everyday work a certain skill develops, and you can even visually distinguish addresses, say, partner.ru from partner.ru.com, or an attached Account.docx from the executable Account.docx ______.exe, or a link to a script hosted somewhere such as Account.pdf.js. It is important to remember that if a "bank," "tax office," "customer," etc. urges you to do something urgently with an attachment, open a file or go to a certain site from the letter, be extremely wary. By the way, sometimes a "lost" flash drive can be found on the street right in front of the office, and this distribution method also occurs.
- Conduct cybersecurity training for employees. Special attention should be paid to engineering personnel and their awareness of attacks and threats.
- Protect both inside the corporate network perimeter and outside it. In a sound security strategy, significant resources are allocated to detecting and responding to attacks before they reach critical targets.
2016: No More Ransom launch to combat ransomware Trojans
At the end of July 2016, the No More Ransom website was launched, a joint international initiative of Kaspersky Lab, McAfee, Europol and the Dutch police aimed at combating ransomware Trojans. As the main results of the project's first year, the company cites the following figures: more than 28 thousand devices infected with malware have been decrypted, and the amount saved on ransoms amounted to 8 million euros.
On the http://nomoreransom.org website, you can find 54 utilities for decrypting files developed by Kaspersky Lab and other project participants. These tools successfully combat 104 ransomware families. Over the year, 1.3 million unique users visited the No More Ransom website, of which 150 thousand came on May 14, 2017, the peak of the WannaCry ransomware epidemic. The No More Ransom platform is available in 26 languages.
In 2016, the project was supported by more than a hundred partners, including both private companies and law enforcement agencies from different countries. Recent additions include the banking conglomerate Barclays, the Belgian CERT (CERT.BE) and the Global Forum on Cyber Expertise (GFCE), as well as law enforcement agencies of the Czech Republic, Greece, Hong Kong and Iran.