Beware of Ransomware Variants

Have you ever imagined your computer being kidnapped? This is no longer far-fetched: a series of destructive ransomware variants (including LockBit, Hive, BlackCat, BlueSky, REvil, Petya, NotPetya, Locky, CryptoLocker, CryptoDefense, CryptoWall, etc.) have appeared and are kidnapping computers around the world. The number of ransomware infections keeps increasing!


Ransomware reaches its victims through:

  • phishing emails crafted to look legitimate, such as phony FedEx and UPS tracking notices with a malicious file attached;
  • poorly secured remote access services, after which it spreads to other devices over the network or via removable media;
  • compromised websites that target users running an outdated or unpatched browser (e.g. IE) or plugin (e.g. Flash Player);
  • malicious banner ads that infect the user's device when displayed.

Once you open an attachment from an unknown sender, or visit a compromised website with an outdated browser, the ransomware runs and encrypts the files on your computer. Some attackers exfiltrate the files before encrypting them. Worse, these criminals encrypt files not only on your computer but also on any shared network drive(s) it can reach.

After the files are encrypted, a pop-up on the infected computer demands a ransom, typically in the range of 100-3000 USD, to be paid within a time limit; otherwise the only key that can decrypt the files will be deleted. Some attackers go further and apply additional extortion methods, such as disclosing or selling the stolen information or launching distributed denial-of-service (DDoS) attacks.

The impact of an infection:

  1. Files on the victim's computer are stolen and encrypted; e.g. LockBit encrypts files on victims' computers and appends a .lockbit extension to them.
  2. Files on network drives and cloud services are affected as well.
  3. Encrypted data is unrecoverable without the attacker's decryption key.
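An added example, not part of the original page, of how the indicators just described can be hunted for on a computer or file share: a small Python scanner that flags files carrying the .lockbit extension named above, files whose content has the near-uniform byte distribution of ciphertext, and ransom notes. The ransom-note filename, the entropy threshold and the list of legitimately high-entropy formats are assumptions chosen for this example, and the directory it builds is constructed sample data, not real malware output.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, Optional

# .lockbit is the extension named on this page; the note name and the thresholds
# below are assumptions chosen for this example.
SUSPICIOUS_EXTENSIONS = {".lockbit"}
RANSOM_NOTE_NAMES = {"restore-my-files.txt"}
ENTROPY_THRESHOLD = 7.0          # bits per byte; text is ~4-5, ciphertext is ~8
MIN_SAMPLE_BYTES = 1024          # too little data gives a meaningless estimate
# Formats that are compressed or encrypted by design and would otherwise trip
# the entropy check on their own.
HIGH_ENTROPY_BY_DESIGN = {".zip", ".7z", ".rar", ".gz", ".jpg", ".png", ".pdf", ".docx", ".xlsx"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> Optional[str]:
    """Label a file as an indicator, or None if nothing looks wrong."""
    ext = path.suffix.lower()
    if path.name.lower() in RANSOM_NOTE_NAMES:
        return "ransom note"
    if ext in SUSPICIOUS_EXTENSIONS:
        return "ransomware extension"
    if ext in HIGH_ENTROPY_BY_DESIGN:
        return None
    with path.open("rb") as fh:
        sample = fh.read(65536)          # the first 64 KiB is enough for an estimate
    if len(sample) >= MIN_SAMPLE_BYTES and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
        return "high-entropy content"
    return None


def scan_directory(root) -> Dict[str, str]:
    """Map relative path -> indicator label for every flagged file under root."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            label = classify(path)
            if label:
                findings[path.relative_to(root).as_posix()] = label
    return findings


def build_sample_tree() -> str:
    """Constructed sample directory (not real malware output) for a demo run."""
    root = Path(tempfile.mkdtemp(prefix="ransom-demo-"))
    (root / "docs").mkdir()
    (root / "docs" / "report.txt").write_bytes(b"Quarterly report, all figures nominal.\n" * 50)
    # Deterministic stand-in for ciphertext: every byte value equally often -> 8.0 bits/byte.
    uniform = bytes(range(256)) * 8
    (root / "docs" / "budget.xlsx.lockbit").write_bytes(uniform)   # renamed by the encryptor
    (root / "docs" / "notes.bin").write_bytes(uniform)             # encrypted, extension untouched
    (root / "docs" / "photo.jpg").write_bytes(uniform)             # high entropy but benign format
    (root / "Restore-My-Files.txt").write_bytes(b"Your files are encrypted. Pay to get the key.\n")
    return str(root)


if __name__ == "__main__":
    for rel, label in scan_directory(build_sample_tree()).items():
        print(f"{label:22s} {rel}")
```

The entropy check is deliberately not used on its own: compressed or already-encrypted formats score just as high as ciphertext, which is why the scanner skips them, and a burst of renamed files together with a note in every folder is a far stronger signal than any single file.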

To date there is NO universal method to decrypt kidnapped files. To protect your computer, please remember:

  1. Keep your operating system and software up-to-date with the latest patches.
  2. Be alert to suspicious email.
    • Do not open unexpected attachments, especially compressed archives (.zip, .7z, .rar) or executable files (.exe).
    • Do not follow unsolicited web links in email messages.
  3. Disable macros in MS Office files.
  4. Back up your files regularly, and keep the backup offline or in a separate, safe location so that the malware cannot reach it.
  5. Install and maintain up-to-date anti-virus software.
  6. If you are using Kaspersky anti-virus software, enable ‘System Watcher’, ‘Application Privilege Control’ and ‘Kaspersky Security Network (KSN)’ to detect abnormal activity on the system. Detailed guidelines can be found in “Guidelines for Configuring Kaspersky Antivirus on Client”.
  7. Restrict access to required services and disable unused ports and services.
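Items 2 and 3 above can be partly enforced before an attachment ever reaches a user. The following Python example, added here and not part of the original page, applies such a policy check to an attachment: it flags executable and macro-enabled extensions, the double-extension trick (invoice.pdf.exe), compressed archives and what they contain, and OOXML documents that carry a VBA project. The extension lists are illustrative assumptions, the sample attachments are constructed in memory, and only ZIP-based containers are opened because .7z and .rar need tooling outside the standard library.

```python
import io
import zipfile
from typing import Dict, List

# Extension lists are illustrative choices for this example, not a complete policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".lnk"}
ARCHIVE_EXTS = {".zip", ".7z", ".rar"}
MACRO_ENABLED_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
OOXML_EXTS = {".docx", ".xlsx", ".pptx"} | MACRO_ENABLED_EXTS
DOCUMENT_LOOKALIKE_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def risky_name(name: str) -> List[str]:
    """Reasons the filename alone is risky: final extension and double extension."""
    exts = ["." + part for part in name.lower().split(".")[1:]]
    last = exts[-1] if exts else ""
    reasons = []
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable ({last})")
        # "invoice.pdf.exe" shows as "invoice.pdf" when Explorer hides known extensions.
        if len(exts) >= 2 and exts[-2] in DOCUMENT_LOOKALIKE_EXTS:
            reasons.append("double extension disguised as a document")
    if last in MACRO_ENABLED_EXTS:
        reasons.append(f"macro-enabled Office file ({last})")
    if last in ARCHIVE_EXTS:
        reasons.append(f"compressed archive ({last})")
    return reasons


def assess_attachment(name: str, data: bytes) -> List[str]:
    """Filename checks plus a look inside ZIP-based containers (archives and OOXML)."""
    reasons = risky_name(name)
    last = "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if last not in ARCHIVE_EXTS | OOXML_EXTS:
        return reasons
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # .7z and .rar are not ZIP containers; opening them needs extra tooling.
        reasons.append("container not inspected (not a ZIP-based file)")
        return reasons
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:   # general-purpose bit 0: entry is encrypted
                reasons.append(f"password-protected entry, cannot be scanned [{info.filename}]")
            if last in OOXML_EXTS and info.filename.lower().endswith("vbaproject.bin"):
                reasons.append("contains a VBA macro project")
            if last in ARCHIVE_EXTS:
                for reason in risky_name(info.filename.rsplit("/", 1)[-1]):
                    reasons.append(f"inside archive: {reason} [{info.filename}]")
    return reasons


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {member name: content} (used for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed sample attachments; none of these are real documents or malware.
SAMPLES = {
    "report.pdf": b"%PDF-1.7 constructed sample",
    "FedEx_tracking.zip": make_zip({"FedEx_tracking/invoice.pdf.exe": b"MZ constructed stub"}),
    "agenda.docm": make_zip({"word/document.xml": b"<w:document/>", "word/vbaProject.bin": b"stub"}),
    "minutes.docx": make_zip({"word/document.xml": b"<w:document/>"}),
}

if __name__ == "__main__":
    for filename, content in SAMPLES.items():
        verdict = assess_attachment(filename, content) or ["no issue found"]
        print(f"{filename}: " + "; ".join(verdict))
```

A password-protected archive is reported rather than silently passed: the attacker's habit of putting the password in the email body exists precisely because scanners cannot look inside, so an entry that cannot be scanned should be treated as a risk rather than a pass.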


If your computer is unfortunately kidnapped by ransomware, please:

  1. Disconnect the computer IMMEDIATELY from both wired and wireless networks to avoid further impact on shared network resources.
  2. Use another, clean computer to change all the passwords (email, e-banking, etc.) that were used or saved on the infected computer.
  3. DO NOT respond to the kidnapper by attempting payment; instead, report the incident to ITSC and the Police.
  4. Prepare a clean computer and restore your files and data from the backup.

Please visit here for more Information Security tips.

Last Update on: Aug 2022