What Is Ransomware and How to Remove Ransomware?
What is Ransomware?
Ransomware is a type of malware that prevents victims from accessing their systems or data (such as documents, emails, databases, and source code) and demands a ransom payment to regain access. This type of attack is known as a denial-of-access attack.
Because this data is valuable, cyber criminals use technical measures to hold user data hostage and extort money from individuals or organizations, which is both efficient and profitable for them. Ransomware is therefore not only a kind of malware but also a very successful cybercrime business model.
Any organization or individual can be the target of a ransomware attack. Cyber criminals may launch indiscriminate attacks or target more valuable organizations, such as government agencies and hospitals, which hold sensitive data and are more willing to pay a ransom. Ransomware causes service degradation or even interruption, and may also disclose business secrets, damaging the enterprise's image. Paying a ransom for service restoration also has a direct financial impact on the enterprise. In the worst case, an enterprise may fall seriously behind its competitors or be forced to close.
Types of Ransomware
Ransomware is a type of malware that covers a wide range of variants, all of which attempt to profit by threatening victims.
Commonly encountered ransomware falls into the following types:
Encrypting ransomware. After entering the user's system, encrypting ransomware searches for data files, such as text files, spreadsheets, images, and PDF files, and uses strong encryption algorithms (such as AES and RSA) to encrypt them. Cyber criminals then require victims to pay a certain amount of ransom in Bitcoin within a specified period; otherwise, the files may never be decrypted. WannaCry and its variant WanaCrypt0r 2.0, which broke out in May 2017, are typical encrypting ransomware. Encrypting ransomware does not affect system operation. Because the encryption algorithms chosen by ransomware cannot be cracked and cryptocurrency transactions cannot be traced, encrypting ransomware has become the most common type of ransomware today.
Lock-screen ransomware. Lock-screen ransomware does not encrypt files. Instead, it locks the operating system, browser, or keyboard to prevent victims from using them. Typical lock-screen ransomware such as WinLock uses pornographic images to block victims' screens until they send a $10 premium-rate SMS for an unlock password. Lock-screen ransomware is often deceitful and intimidating: cyber criminals pretend to be law enforcement agencies, claim that users have downloaded or spread illegal content (mostly related to child pornography), and demand a ransom, threatening to arrest the victims otherwise.
In recent years, as ransomware has continued to evolve, doxware has emerged. Cyber criminals claim to have obtained victims' private data and threaten to expose it on social media or send it to the victims' contacts unless the ransom is paid on time. Some cyber criminals also sell the data on the darknet. This kind of crime, which threatens victims' personal reputation, is particularly harmful.
How Does Ransomware Work?
To better defend against ransomware, you need to understand the methods used by attackers to propagate ransomware.
Generally, users cannot immediately detect that their devices are infected with ransomware. The ransomware runs in the background and does not display a ransom dialog box until the data has been locked.
Brute-Force Cracking
Brute-force cracking is the simplest and most direct intrusion method. Attackers use tools to scan for high-risk ports exposed on the Internet and launch dictionary attacks against them. Weak passwords in the user system are vulnerable to brute-force cracking. The most common way of propagating ransomware is brute-force cracking of the Remote Desktop Protocol (RDP).
Spam
Spam is another main method of propagating ransomware. Attackers disguise themselves as contacts from legitimate organizations, enterprises, or individuals and use email attachments containing malicious files, or emails containing malicious URLs, to induce recipients to open the attachments or visit the URLs. If a recipient opens a malicious attachment, the ransomware is secretly downloaded to scan and encrypt files on the recipient's device. If a recipient visits a malicious URL and lands on a web page embedded with Trojan horses, the ransomware is secretly delivered to the device while the page is being viewed.
Vulnerability Exploitation
A vulnerability is a coding error in an operating system or application. Attackers often use an exploit kit to check whether the operating system or applications on a device have security vulnerabilities that can be used to deliver and activate ransomware. The typical case is WannaCry in 2017, which spread rapidly on enterprise intranets by exploiting EternalBlue, a known vulnerability in the Windows operating system. According to statistics, more than 900,000 hosts were infected on May 12, 2017. From then on, ransomware that spreads through vulnerabilities began to explode.
How to Prevent Ransomware Attacks?
The most effective way to prevent ransomware attacks is to stop them from entering the organization's network in the first place.
Network Protection
The key to defending against ransomware attacks is to intercept them before they enter the organization and cause substantial damage. The best solution is a multi-layer security defense system built around the firewall, so that attackers cannot break through a single layer and be done. Strict security policies are the simplest and most effective protection measure: enable only necessary services externally and block high-risk ports to reduce the exposed attack surface. Blocking known threats usually makes attackers give up; otherwise, they have to create new ransomware or exploit new vulnerabilities, which raises their costs. In addition, file filtering can be enabled to prevent high-risk files from entering the network, and URL filtering can block malicious websites to prevent users from accidentally downloading malware. On networks requiring high security, the FireHunter, HiSec Insight (formerly CIS), and deception system can be deployed for comprehensive security situational awareness.
Corresponding licenses are required for the IPS, antivirus (AV), URL filtering, and sandbox interworking functions. For details, see the corresponding product documentation.
The IPS and AV functions depend on the signature database that needs to be updated in a timely manner. You are advised to enable automatic update and installation for the signature database. If the firewall cannot connect to the public network, you can upgrade the signature database through a proxy server.
| Layered Defense | Configuration Suggestion | Operation Instruction |
|---|---|---|
| Configuring strict security policies to restrict users' access to networks and applications | North-south security policy: Configure strict network access policies at the network border, enable only necessary services externally, and allow only trusted users or users with trusted IP addresses to access those services. | N/A |
| | East-west security policy: Divide the internal network into security zones based on functions and risk levels, and configure strict security policies between the zones. You are advised to block high-risk ports (such as ports 135, 137, 138, 139, 445, and 3389) or restrict the users allowed to access them, to reduce the possibility of ransomware spreading laterally. Configure traffic policies on network devices (such as switches and routers) to block high-risk ports. CAUTION: Blocking ports may affect normal services. Before doing so, check whether services are carried on the ports to avoid adversely affecting them. | See Blocking High-Risk Ports on a Firewall and Blocking High-Risk Ports on a Switch in the appendix. |
| | File filtering: Filter files of specified types (including all executable files, web page files, as well as .vbs, .vbe, .scr, .bat, and .lnk files) to prevent high-risk files from entering the intranet. You are advised to block high-risk email attachments sent through SMTP and potential drive-by downloads. | See Blocking a File of a Specified Type on a Firewall in the appendix. |
| Detecting and blocking known threats through the IPS and AV functions | IPS: Reference an IPS profile in the security policy and set the action to block for brute-force cracking and vulnerability exploitation signatures. If the default action of a signature is not block, configure an exception signature and change the action to block. Vulnerability exploitation signature IDs: 13830, 18822, 24550, 284600, 370090, 372110, 372130, 372280, 372290, 372300, and 377950; the default action of these signatures is block. Brute-force cracking signature IDs: 1000127, 1000133, 1000255, and 1000264; the default action of these signatures is alert, so an exception signature must be added for them. | See Configuring the IPS on a Firewall in the appendix. |
| | AV: The default action is taken for file transfer protocols (HTTP and FTP) and file sharing protocols (NFS and SMB). You are advised to set the action for mail protocols to Declare or Delete Attachment; with Declare, the firewall adds a message to the email notifying recipients that the attachment may contain viruses. | See Configuring the Antivirus Function on a Firewall in the appendix. |
| | URL filtering: You are advised to use a whitelist, determining the required website categories based on service requirements. If a whitelist cannot be applied, set the action for Malicious Web Sites and Others to block, and enable malicious URL detection. | See Blocking Malicious URLs on a Firewall in the appendix. |
| Interworking with the sandbox to detect unknown threats | Sandbox interworking cannot block malicious files in real time. Instead, the sandbox's feedback is applied to malicious URL detection and file reputation detection to block malicious files. The firewall restores traffic into files and sends the files to the sandbox for detection, then periodically queries the detection result and updates its cached list of malicious files and URLs accordingly. When later traffic matches the list, the firewall blocks it directly. Enable malicious URL detection and file reputation detection, and set the action for mail protocols in file reputation detection to Declare or Delete Attachment. | See Configuring Sandbox Detection on a Firewall in the appendix. |
| Configuring the HiSec Insight and deception system to prevent lateral spreading | Deploy the HiSec Insight together with switches and firewalls that support the deception function. The deception system lures ransomware attacks to simulated services, captures the intrusion behavior, and reports the detection result to the HiSec Insight, which then delivers policies to the entire network to block the spread of the ransomware. The deception system reduces the probability of attacks on real systems and minimizes losses. | |
| Deploying a log audit system for investigation, evidence collection, and attack source tracing | Enable the log audit function on important servers and key network devices and send their logs to the log audit system. The log audit system stores and manages the logs of network devices and servers centrally, which facilitates monitoring and post-event analysis. It also prevents the situation where attackers encrypt or delete host logs. | For details, see the product documentation of the log audit system. |
Host Protection
First, it is recommended that hosts be configured in a unified manner through an organization-level IT infrastructure solution. The group policy of the AD server and the control center of the enterprise-edition antivirus software ensure that security measures are implemented properly without relying on each employee to carry them out.
Second, employees need information security education. A large amount of ransomware uses email and social engineering to lure employees into downloading malware or visiting malicious websites; employees who resist such lures never activate the attack vector. An effective way to prevent ransomware attacks is to run information security awareness campaigns and train employees to form good office habits and to identify and avoid typical attacks.
Table 1-2 lists the major host protection measures. Most of them can be implemented in a unified manner by using the IT infrastructure solution. For small and micro enterprises that do not have a comprehensive IT system, these measures can be converted into information security education for employees.
Table 1-2 Major host protection measures

| Measure | Implementation Description |
|---|---|
| Updating the system and software patches in a timely manner | Software updates generally include patches for newly discovered security vulnerabilities. Update operating system and browser patches in time to prevent ransomware from exploiting known vulnerabilities. You are advised to enable automatic update of the operating system; enterprises can configure Windows update settings in a unified manner through a group policy. Enable the automatic update option wherever the software provides it. |
| Installing antivirus software and updating the virus database in a timely manner | Install antivirus software with strong technical capabilities. Traditional antivirus software may be unable to defend effectively against ever-changing ransomware, so you are advised to select antivirus software with behavior detection and heuristic detection, which are more likely to detect the latest ransomware. Set a password for logging in to or uninstalling the antivirus software to prevent ransomware from closing or uninstalling it. You are advised to enable automatic update of the antivirus database to improve defense against known viruses; the virus database of enterprise-edition antivirus software can be upgraded in a unified manner through the control center. |
| Periodically backing up important data | Create a proper data backup policy and back up data periodically based on its importance. Test the backup system to ensure that data is backed up successfully, so that it can be restored in an emergency with minimal impact on services. You are advised to back up important data in cold backup mode: use an independent file server or portable hard disk, and disconnect it from the network after the backup to implement physical isolation. When you use an Elastic Cloud Server (ECS), create snapshots in a timely manner; if a system fault, misoperation, or ransomware attack occurs, you can use a snapshot to roll back the cloud disk and quickly restore data and normal service. |
| Setting and complying with the password policy | Use complex passwords to increase the difficulty of brute-force cracking. A password must contain at least 10 characters, including uppercase letters, lowercase letters, digits, and special characters, and must not contain the user name. Do not use a password that consists only of digits, such as a phone number, date of birth, or employee ID. Change passwords periodically and use different passwords for different servers. |
| Setting the account lock policy | After the number of incorrect password attempts reaches the upper limit, the user account is locked for a period of time, increasing the difficulty of brute-force cracking. An enterprise administrator can set a unified account lock policy on the domain controller. |
| Setting the host firewall policy | Enable and configure the host firewall policy so that only users with trusted IP addresses can access specific services. Disable common high-risk ports (such as ports 135, 139, 445, and 3389) based on service requirements, or restrict the users or PCs that can access them. Do not expose high-risk applications or services (such as RDP) to the public network; if necessary, provide services to external systems through a VPN. |
| Preventing macros from running automatically and exercising caution when enabling macros | A common file-based ransomware attack lures users into enabling macros that execute malicious code. In most cases, macros are not required for normal work, so you are advised to disable automatic running of macros and have the device notify you when a file asks for them. Enable macros only when necessary and the file source is trusted. |
| Downloading software only from specified locations | Obtain application software only from official websites or specified suppliers. Do not access untrusted software download websites. |
| Not opening email attachments or links from unknown sources | Do not open email attachments, especially those with extensions such as .js, .vbs, .exe, .scr, .bat, and .lnk, unless the email source is reliable and trusted. Do not click URLs in emails from unknown sources. Cyber criminals often disguise themselves as e-commerce sites, banks, police, courts, tax authorities, or friends and colleagues on social media, so treat suspicious emails with caution before replying, or simply ignore them. |
| Displaying file name extensions | Displaying file extensions in Windows folders makes it easier to spot potentially malicious files. Cyber criminals often use multiple file name extensions to disguise malicious files as videos, photos, or documents (such as tax refund.doc.scr), or forge file name extensions and set matching file icons. If you find files with forged extensions or unknown applications, disconnect from the network immediately to prevent malware from spreading to other PCs. |
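The file-filtering rule in the network protection table and the double-extension trick described in the last row above (tax refund.doc.scr) can be expressed as one small policy check. The following Python script is an added example, not code from this document or from any Huawei product: it decides, from the final extension of a file name, whether the firewall's InMail or Drive_by_download rule would block the transfer, and reports a disguised double extension separately. The exact set of "executable" and "web page" extensions, the decoy-extension list, and the sample transfers are assumptions made for the example.

```python
from dataclasses import dataclass

# Extensions the file-filtering rule and the attachment advice single out.
# "All executable files" and "web page files" are expanded here by assumption;
# maintain the lists according to your own policy and current threat trends.
EXECUTABLE_EXTENSIONS = {"exe", "dll", "com", "msi", "pif"}
WEB_PAGE_EXTENSIONS = {"html", "htm", "hta"}
SCRIPT_AND_SHORTCUT_EXTENSIONS = {"js", "vbs", "vbe", "scr", "bat", "lnk"}
HIGH_RISK_EXTENSIONS = EXECUTABLE_EXTENSIONS | WEB_PAGE_EXTENSIONS | SCRIPT_AND_SHORTCUT_EXTENSIONS

# Document and media extensions that attackers place in front of the real
# extension to disguise a payload, as in "tax refund.doc.scr" (assumed list).
DECOY_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "jpg", "png", "mp4"}


@dataclass(frozen=True)
class Verdict:
    blocked: bool
    reason: str


def check_filename(name: str) -> Verdict:
    """Apply the file-type rule to one file name, case-insensitively.

    Only the final extension decides what the operating system will execute, so
    that is the one that is checked; an inner decoy extension is reported as
    well because it indicates deliberate disguise rather than carelessness.
    """
    pieces = name.strip().lower().split(".")
    if len(pieces) < 2 or not pieces[-1]:
        return Verdict(False, "no extension")
    final_ext = pieces[-1]
    inner_ext = pieces[-2] if len(pieces) >= 3 else ""
    if final_ext in HIGH_RISK_EXTENSIONS:
        if inner_ext in DECOY_EXTENSIONS:
            return Verdict(True, f"disguised double extension .{inner_ext}.{final_ext}")
        return Verdict(True, f"high-risk extension .{final_ext}")
    return Verdict(False, f"allowed extension .{final_ext}")


@dataclass(frozen=True)
class FileTransfer:
    """One file seen by the firewall: protocol, direction and file name."""
    protocol: str    # "smtp" or "http"
    direction: str   # "inbound" (Internet -> intranet) or "outbound"
    filename: str


def rule_name_for(transfer: FileTransfer):
    """Map a transfer to the rule that covers it, mirroring the two rules the page
    configures: InMail for attachments arriving over SMTP, Drive_by_download for
    HTTP downloads. Returns None when neither rule applies."""
    if transfer.protocol == "smtp" and transfer.direction == "inbound":
        return "InMail"
    if transfer.protocol == "http" and transfer.direction == "inbound":
        return "Drive_by_download"
    return None


def filter_transfers(transfers):
    """Return (rule, filename, reason) for every transfer the policy would block."""
    blocked = []
    for t in transfers:
        rule = rule_name_for(t)
        if rule is None:
            continue
        verdict = check_filename(t.filename)
        if verdict.blocked:
            blocked.append((rule, t.filename, verdict.reason))
    return blocked


# Constructed sample transfers, not taken from any real capture.
SAMPLE_TRANSFERS = [
    FileTransfer("smtp", "inbound", "Invoice_2024.pdf"),
    FileTransfer("smtp", "inbound", "tax refund.doc.scr"),
    FileTransfer("smtp", "inbound", "Photos.JPG.lnk"),
    FileTransfer("http", "inbound", "setup.exe"),
    FileTransfer("http", "inbound", "report.2024.docx"),
    FileTransfer("http", "inbound", "index.html"),
    FileTransfer("smtp", "outbound", "installer.msi"),  # covered by neither rule
    FileTransfer("http", "inbound", "README"),
]

if __name__ == "__main__":
    for rule, filename, reason in filter_transfers(SAMPLE_TRANSFERS):
        print(f"{rule}: blocked {filename!r} ({reason})")
```

Note that report.2024.docx is allowed even though it contains several dots: only the last extension matters to the operating system, which is also why the check deliberately ignores everything before the final two pieces.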
How to Remove Ransomware?
If you are attacked by ransomware, perform the following operations.
- Do not rush to pay the ransom. Paying it is equivalent to encouraging cybercrime, and restoration of the encrypted files cannot be guaranteed.
- Strictly speaking, files encrypted by ransomware cannot be cracked unless the ransomware design has a defect or the hacker organization discloses the decryption key (as happened with Shade).
- If the encrypted data is important or extremely sensitive and no decryption solution is available for the ransomware, confirm that the cyber criminal can actually decrypt the data before deciding to pay the ransom.
| No. | Operation | Suggestion |
|---|---|---|
| 1 | Isolate devices infected with ransomware | |
| 1-1 | | Remove network cables or modify network connection settings to isolate all infected devices from the network, preventing the ransomware from spreading and limiting the impact scope. Then check the number of affected hosts and record the fault symptoms. |
| 1-2 | | Disable common high-risk ports (such as ports 135, 139, 445, and 3389) on uninfected devices in the LAN, or restrict the users or PCs that can access them. In addition, configure security policies (see Blocking High-Risk Ports on a Firewall) and traffic policies (see Blocking High-Risk Ports on a Switch) on network devices such as firewalls and switches to block communication through common high-risk ports. CAUTION: Blocking ports may affect normal services. Before doing so, check whether services are carried on the ports to avoid adversely affecting them. |
| 2 | Clear ransomware | |
| 2-1 | | Use antivirus software to scan for and clear the ransomware. Then restart the operating system in safe mode and run a full scan of all disks with the antivirus software. Ransomware takes time to search for and encrypt files, so clear it as early as possible to reduce its damage and prevent it from repeatedly locking the system or encrypting files. |
| 3 | Decrypt data | |
| 3-1 | | Do not reinstall the operating system right away. If the encrypted data is important, back up the encrypted data and preserve the environment, because damaging the environment may make later decryption impossible. |
| 3-2 | | Visit the No More Ransom website, use Crypto Sheriff to identify the type of ransomware, and check whether a decryption solution is available to recover the files. NOTE: In 2016, Europol, the Dutch Police, Kaspersky, and Intel Security jointly launched the No More Ransom program to fight increasingly rampant ransomware. The program is supported by Eurojust and the European Commission, and many organizations and security vendors have joined it. You are advised to consult this website when seeking a decryption solution. |
| 4 | Investigate and collect evidence | |
| 4-1 | | Seek help from professional technical personnel to collect evidence, analyze the attack path of the ransomware, and trace its source. Check the security logs in the operating system's Event Viewer, especially logon failure events. Check security logs and session logs on network devices, especially for brute-force cracking and attacks on major vulnerabilities such as SMB. |
| 4-2 | | Determine the cause of the infection and completely rectify the security problems in the system to prevent it from being infected again. |
| 5 | Reinstall the operating system | |
| 5-1 | | If the ransomware cannot be removed and the encrypted data cannot be restored, back up the encrypted data (it may become recoverable in the future), format the hard disk drive, delete all data (including infected data), and reinstall the operating system and applications. |
| 5-2 | | Harden the operating system by referring to Table 1-2. |
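Step 4-1 above asks for logon failure events to be checked, and the brute-force section earlier names RDP password guessing as the most common delivery path. The following Python script is an added example, not code from this document or from any Huawei product, showing what that check looks like over a handful of constructed log lines: it groups failed logons (event ID 4625) by source address, raises an alert when the number of failures inside a sliding window reaches a threshold, distinguishes hammering of one account from spraying across many, and marks a source whose failures are followed by a successful logon (event ID 4624), which is the case that needs incident response first. The one-line export format, the thresholds, and all addresses and account names are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in an assumed one-event-per-line export format.
# Event ID 4625 is a failed logon, 4624 a successful one; logon type 10 is
# RemoteInteractive (RDP). Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """
2024-05-12T10:00:00 EventID=4625 Account=administrator SourceIP=203.0.113.7 LogonType=10
2024-05-12T10:00:05 EventID=4625 Account=administrator SourceIP=203.0.113.7 LogonType=10
2024-05-12T10:00:10 EventID=4625 Account=Administrator SourceIP=203.0.113.7 LogonType=10
2024-05-12T10:00:15 EventID=4625 Account=administrator SourceIP=203.0.113.7 LogonType=10
2024-05-12T10:00:20 EventID=4625 Account=administrator SourceIP=203.0.113.7 LogonType=10
2024-05-12T10:00:25 EventID=4625 Account=administrator SourceIP=203.0.113.7 LogonType=10
2024-05-12T10:00:40 EventID=4624 Account=administrator SourceIP=203.0.113.7 LogonType=10
2024-05-12T10:01:00 EventID=4625 Account=jdoe SourceIP=198.51.100.23 LogonType=10
2024-05-12T10:01:30 EventID=4625 Account=jdoe SourceIP=198.51.100.23 LogonType=10
2024-05-12T10:02:00 EventID=4624 Account=jdoe SourceIP=198.51.100.23 LogonType=10
2024-05-12T10:03:00 EventID=4625 Account=backup SourceIP=192.0.2.9 LogonType=3
2024-05-12T10:03:04 EventID=4625 Account=sales SourceIP=192.0.2.9 LogonType=3
2024-05-12T10:03:08 EventID=4625 Account=hr SourceIP=192.0.2.9 LogonType=3
2024-05-12T10:03:12 EventID=4625 Account=svc_sql SourceIP=192.0.2.9 LogonType=3
2024-05-12T10:03:16 EventID=4625 Account=finance SourceIP=192.0.2.9 LogonType=3
this line is malformed and must be skipped
""".strip().splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
    r"SourceIP=(?P<ip>\S+) LogonType=(?P<lt>\d+)$"
)
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624


def parse_event(line):
    """Parse one line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event_id": int(m["eid"]),
        "account": m["acct"].lower(),  # Windows account names are case-insensitive
        "ip": m["ip"],
        "logon_type": int(m["lt"]),
    }


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold failed logons inside a sliding window.

    Returns {ip: {"first_seen", "failures", "accounts", "kind",
                  "success_after_failures"}}; "kind" separates hammering of one
    account from spraying across many, which a per-account lockout does not stop.
    """
    events = [e for e in map(parse_event, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # ip -> failed events still inside the window
    alerts = {}
    for e in events:
        if e["event_id"] == SUCCESSFUL_LOGON:
            # A success from an already-flagged source for one of the hammered
            # accounts is the strongest sign the guessing worked.
            if e["ip"] in alerts and e["account"] in alerts[e["ip"]]["accounts"]:
                alerts[e["ip"]]["success_after_failures"] = True
            continue
        if e["event_id"] != FAILED_LOGON:
            continue
        q = recent[e["ip"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(e["ip"], {
                "first_seen": q[0]["ts"], "failures": 0, "accounts": set(),
                "success_after_failures": False,
            })
            a["failures"] = max(a["failures"], len(q))
            a["accounts"].update(x["account"] for x in q)
    for a in alerts.values():
        a["kind"] = "password-spray" if len(a["accounts"]) > 1 else "single-account"
    return alerts


if __name__ == "__main__":
    for ip, a in detect_brute_force(SAMPLE_LOG).items():
        print(ip, a["kind"], a["failures"], "failures since", a["first_seen"],
              "SUCCESS AFTER FAILURES" if a["success_after_failures"] else "")
```

The threshold and window should be set from your own baseline of legitimate mistyped passwords; the spray case matters because an account lock policy (Table 1-2) limits attempts per account, while a source trying one password against many accounts never reaches that limit and is only visible when failures are counted per source.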
Appendix: Common Protection Operations
This document describes only the key points for configuring common protection operations. For details about the complete configuration process, see the product documentation.
Blocking High-Risk Ports on a Firewall
1. Create a service group for the high-risk ports (named High-risk ports in this example) and click Add. Enter each port number (135, 137, 138, 139, 445, and 3389) in the Available pane to search for the corresponding service and add it to the Selected pane.
2. Create a security policy. Click Add Security Policy, set Service to High-risk ports, and set Action to Deny.
3. Select the security policy and select Move to Top from the Move drop-down list box.
4. Enable specific ports for specific users. For example, allow only the management terminal in the trusted zone to access the server in the DMZ zone through RDP. Because security policies are matched from top to bottom, the permit rule added in this step must be moved above the deny rule created in step 2; otherwise the deny rule matches first and the management terminal is blocked as well.
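Steps 3 and 4 hinge on rule order: a broad deny placed above a specific permit silently swallows it. The following Python model is an added example, not code from this document or from any Huawei product; it evaluates a packet against an ordered rule list with first-match semantics and shows the same permit rule losing or winning depending on where it sits. The zone names come from the text (trusted zone and DMZ), while the management terminal address 10.0.10.5, the extra web rule and the implicit default-deny are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HIGH_RISK_PORTS = frozenset({135, 137, 138, 139, 445, 3389})


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    protocol: str   # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "permit" or "deny"
    src_zone: str = "any"
    dst_zone: str = "any"
    src_nets: tuple = ("0.0.0.0/0",)              # allowed source networks
    protocols: frozenset = frozenset({"tcp", "udp"})
    dst_ports: frozenset = frozenset()            # empty set = any port

    def matches(self, p: Packet) -> bool:
        return (
            self.src_zone in ("any", p.src_zone)
            and self.dst_zone in ("any", p.dst_zone)
            and any(ip_address(p.src_ip) in ip_network(n) for n in self.src_nets)
            and p.protocol in self.protocols
            and (not self.dst_ports or p.dst_port in self.dst_ports)
        )


def evaluate(policy, packet):
    """First matching rule wins; with no match an implicit default deny is assumed."""
    for rule in policy:
        if rule.matches(packet):
            return rule.action, rule.name
    return "deny", "default"


def move_before(policy, name, before):
    """Return a copy of the policy with rule `name` placed directly above rule `before`."""
    rules = [r for r in policy if r.name != name]
    moved = next(r for r in policy if r.name == name)
    idx = next(i for i, r in enumerate(rules) if r.name == before)
    return rules[:idx] + [moved] + rules[idx:]


# Rules corresponding to steps 2 and 4: a deny for the High-risk ports service
# group and a permit for the management terminal's RDP access (address assumed).
DENY_HIGH_RISK = Rule("deny-high-risk-ports", "deny", dst_ports=HIGH_RISK_PORTS)
PERMIT_MGMT_RDP = Rule(
    "permit-mgmt-rdp", "permit", src_zone="trust", dst_zone="dmz",
    src_nets=("10.0.10.5/32",),
    protocols=frozenset({"tcp"}), dst_ports=frozenset({3389}),
)
PERMIT_WEB = Rule("permit-web", "permit", dst_zone="dmz",
                  protocols=frozenset({"tcp"}), dst_ports=frozenset({80, 443}))

# The order you get by simply appending the permit after the deny (step 4 done wrong)
WRONG_ORDER = [DENY_HIGH_RISK, PERMIT_MGMT_RDP, PERMIT_WEB]
# The order the procedure requires: the specific permit sits above the broad deny
RIGHT_ORDER = move_before(WRONG_ORDER, "permit-mgmt-rdp", "deny-high-risk-ports")

MGMT_RDP = Packet("trust", "dmz", "10.0.10.5", "tcp", 3389)
OTHER_RDP = Packet("trust", "dmz", "10.0.20.77", "tcp", 3389)
MGMT_SMB = Packet("trust", "dmz", "10.0.10.5", "tcp", 445)
ANY_WEB = Packet("untrust", "dmz", "203.0.113.50", "tcp", 443)

if __name__ == "__main__":
    for label, policy in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        for pkt in (MGMT_RDP, OTHER_RDP, MGMT_SMB, ANY_WEB):
            print(f"{label:12} {pkt.src_ip:>14} -> port {pkt.dst_port:<5} {evaluate(policy, pkt)}")
```

Note that moving the permit above the deny opens only what the permit names: the management terminal still cannot reach SMB on the DMZ server, and any other host in the trusted zone is still denied RDP, which is exactly the scope the procedure intends.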
Blocking High-Risk Ports on a Switch
The following uses the operation of blocking all high-risk ports as an example to describe how to configure a traffic policy on a switch. You need to determine the blocking scope based on service requirements.
1. Create an ACL rule and specify the traffic destined for high-risk ports (135, 137, 138, 139, 445, and 3389).
acl number 3000
 rule 5 permit tcp destination-port eq 135
 rule 10 permit udp destination-port eq 135
 rule 15 permit udp destination-port eq 137
 rule 20 permit udp destination-port eq 138
 rule 25 permit tcp destination-port eq 139
 rule 30 permit udp destination-port eq 139
 rule 35 permit tcp destination-port eq 445
 rule 40 permit tcp destination-port eq 3389
 rule 45 permit udp destination-port eq 3389
2. Create a traffic policy to block all traffic destined for these high-risk ports.
traffic classifier high-risk-ports operator or
 if-match acl 3000
traffic behavior block
 deny
traffic policy block-high-risk-ports
 classifier high-risk-ports behavior block
3. Apply the traffic policy to all outbound interfaces of the intranet. The following uses GE0/0/1 as an example; the policy name must match the one created in step 2.
interface GigabitEthernet0/0/1
 traffic-policy block-high-risk-ports outbound
Blocking a File of a Specified Type on a Firewall
Before configuring file filtering, ensure that the corresponding license has been activated and the content security component package has been loaded.
1. Create a file filtering profile. Click Add. In the displayed dialog box, add a rule by referring to the following figure. High-risk file types keep changing, so determine and update the filtered file types based on the organization's security policies and current threat trends. In this example, all executable files, web page files, as well as .vbs, .vbe, .scr, .bat, and .lnk files are blocked.
In this example, two rules are configured: the InMail rule blocks high-risk attachments sent from the Internet to the intranet, and the Drive_by_download rule blocks drive-by downloads accidentally triggered by users.
2. Apply the file filtering profile. Edit the created security policy and reference the file filtering profile.
Configuring the IPS on a Firewall
Before configuring the IPS, ensure that the corresponding license has been activated and the latest IPS signature database has been updated.
1. Check the default action of the signatures. Enter each signature ID in the search box and check its action. The default action for the following vulnerability exploitation signatures is Block; if the action of a signature is not Block, record its ID. Signature IDs: 13830, 18822, 24550, 284600, 370090, 372110, 372130, 372280, 372290, 372300, and 377950.
2. Create an IPS profile. Select the default profile and click Copy. In the dialog box shown in the following figure, modify the name and description.
3. Add exception signatures. On the Signature Exception List tab page, enter the following brute-force cracking signature IDs one by one, pressing Enter after each. Then change the action to Block (or Block and Isolation source IP). Any signature IDs recorded in step 1 also need to be added as exception signatures. Signature IDs: 1000127, 1000133, 1000255, and 1000264.
4. Apply the IPS profile. Edit the created security policy and reference the IPS profile.
Configuring the Antivirus Function on a Firewall
Before configuring antivirus (AV), ensure that the corresponding license has been activated and the latest AV signature database has been updated.
1. Create an AV profile. Click Add. In the dialog box that is displayed, set Action of Mail Transfer Protocol to Declare.
2. Apply the AV profile. Edit the created security policy and reference the AV profile.
3. Set the email declaration information. Click Email Declaration, edit the declaration information based on the template, and import it.
Example:
The attachment (%FILE) of this email contains viruses. Do not open it.
In the preceding message, %FILE indicates the file name of the email attachment. When a recipient receives a virus-infected email, this message is displayed in the email body.
Blocking Malicious URLs on a Firewall
A firewall can use the URL filtering function to block malicious URLs. Before configuring URL filtering, ensure that the corresponding license has been activated, the URL remote query component package has been installed, and the URL remote query service of the firewall is normal.
1. Create a URL filtering profile. Click Add. In the dialog box that is displayed, enable Malicious URL Detection. Ensure that the action for Malicious Web Sites and Others is Block.
2. Apply the URL filtering profile. Edit the created security policy and reference the URL filtering profile.
Configuring Sandbox Detection on a Firewall
Before configuring sandbox detection, ensure that the firewall has interworked with the sandbox and the connection between the firewall and sandbox has been established. For details, see the product documentation of the firewall and FireHunter6000.
1. Create an APT defense profile. Click Add. In the dialog box that is displayed, enable Malicious URL Detection, File Reputation Detection, and Sandbox Detection. On the File Reputation Detection tab page, change the action of Mail Transfer Protocol to Declare or Delete Attachment. The default sandbox detection settings can be kept.
2. Apply the APT defense profile. Edit the created security policy and reference the APT defense profile.