Ransomware- Working, Prevention And More In Depth Discussion


Recently Microsoft patched a bug that a new ransomware named WannaCrypt had used to enter computers running old Windows versions. This was the biggest ransomware attack: it infected more than 300,000 computers across 150 countries and earned more than 100 million dollars.

But the attack was stopped by the release of an emergency patch a few days after the ransomware was discovered. The ransomware spread very rapidly, disguised as software and as files of different formats.

WannaCrypt encrypted the computer's files, giving them the .wncry extension, and demanded bitcoins from infected users in exchange for the decryption key. It was a painful attack for office computer users and for anyone with important documents saved on a computer whose Windows was not updated regularly.

It is necessary to know about ransomware in order to stay secure from it. Ransomware is basically malware that literally kidnaps your computer: it encrypts all of the computer's files and demands money for their decryption.

Many people ask: if the computer's files have been encrypted by ransomware, how can they be decrypted? No, it is not possible. If you know about cryptography you will understand why: according to reports, ransomware uses a combination of the public key method and the symmetric key method.

So decryption becomes impossible for anyone. The mathematical function that ransomware uses is very, very difficult, and breaking it is impossible. The only way to decrypt the files is to use the corresponding decryption key. We will discuss ransomware, how it works, how to prevent it, and more, in depth.

Working Of Ransomware:

If we compare the WannaCrypt ransomware with the history of ransomware, it is noticeable that it is weaker than previous ransomware.

Ransomware talks to its master through a scheme of changing servers and domains, and this part of WannaCrypt's design, the way it reaches its master, is very weak. They made a very weak ransomware.

Some people claim it is just a sample of ransomware, made for testing, because without domain fluxing it is obviously weaker than others. Some people ask: if it is so weak, how did it spread so widely? Because of the loopholes it exploited.

Researchers claim that someone at the NSA leaked the spying tools the NSA used. The makers were not a big group, and they were not hard-core coders either. They did not know how to do domain fluxing. The way this ransomware talks to its master can be blocked. That is why it is weaker than other ransomware.

But because of those loopholes it spread widely. Ransomware itself is not a big thing. Buyers can get ransomware stronger than WannaCrypt from the darknet for a deal of $39 or $50. There are many researchers on the darknet making ransomware for students' learning, and open projects are available as well.

Consider a basic example: a coder made a ransomware and wants to infect a computer. There are many ways to infect a computer, and somehow he installs it on one. There are many things he cannot install because of the presence of antivirus, but one thing matters most, and that is his key concept. He cannot attach the key to the ransomware, because in that case someone would analyze it and find the key. So the coder does not attach the key.

There is a big profit in it. The ransomware takes all the details and the IP configuration of the computer, obtains the address of the command server from its master, and sends the computer's details to the command server. The command server makes a key corresponding to those details and gives it to the ransomware; the ransomware encrypts the computer's files with this key, and then the local copy of the key is destroyed. But the key is still on the server. Now the ransomware tries to infect further.

Exclusive: #ransomware drops 30% in 2016 to 2018 and #cryptominers increased by nearly 45%. #KLReport https://t.co/1CtQONeMfi pic.twitter.com/vA3ZibLraM

— Securelist (@Securelist) June 27, 2018



If it infects another computer it does the same thing: it talks to the command server for a key and encrypts that computer with it. This process can be done in many ways; this is just a typical example. For a more realistic example, the coder puts a domain (e.g. crackitdown.com) into the ransomware's algorithm so that the domain can hand the key to the ransomware.

Wherever the ransomware goes, it talks to crackitdown.com for the key. But there is a problem if someone blocks the domain. If the CIA or the NSA blacklists the domain, the master loses contact with the bots (the ransomware) and the bots can no longer talk to the domain. There is also an issue with the server where all the keys are stored: the server could be hacked.

If someone hacks the key server and takes all the keys, it is a big loss for the master of the ransomware. Therefore coders use domain fluxing. At first the coder only changed the server to a different server, but now he starts changing the domain as well. The coder puts a series of domains in his botnet (or ransomware, whichever you want to call it). This series begins at one and goes up to a thousand.

The bot first sits on the computer and starts counting through the series from one to a thousand. Here it actually generates a lot of domains: crackitdown.com, crackitdown.net, crackitdown.tk, and so on. Among these thousands of domains, some belong to the coder. The bots start sending queries to the series of domains from one to a thousand, and wherever they get a response, they stop.

That domain connects the bot to the server for the key. If the domains are blocked or removed, it's okay, man: the coder has thousands of domains and he knows the algorithm for changing them. Some ransomware makers take a series of strangely named domains that look like Tor domains.

The domain names look like AFBZXXMAERJWHDCBNAMDWJG.DGFH, and the makers know that nobody will register domains like these. But suppose someone does register a domain in the series, say a security researcher. He sees that the ransomware only pings for a response and stops wherever it gets one.

If the security researcher works out what query the ransomware sends to the server and registers the first domain of the series, then it is game over. The researcher answers the ransomware, connects it to his own server, and commands it to shut down. All the ransomware shuts down.


But the ransomware coders are not so stupid. There is a concept for this too: consider a ransomware maker who builds a very strong algorithm that is time-based, date-based or IP-address-based, and spreads thousands of copies of the ransomware.

These copies work with the date as a parameter: on the first date they follow one series of domains, and on the second date they follow another series. All domain series are random.

If a security researcher registers a domain from the series for a particular date, he can save computers from the ransomware for only that one day. In reality, ransomware coders use a very, very complex algorithm and take fifty thousand or more series of domains.
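The date-seeded domain series and the researcher's sinkhole described above, modelled as an added Python example (not code from the original post and not the algorithm of any real ransomware family): the generator, SEED, TLD list and dates are constructed stand-ins. It shows why a name registered from one day's series covers only that day, and adds a simple entropy check a defender could run over DNS query names to flag labels of the AFBZXXMAERJWHDCBNAMDWJG.DGFH kind.

```python
from __future__ import annotations
import hashlib
import math
from datetime import date, timedelta
# Hypothetical date-seeded generator modelling the scheme the post describes; NOT any
# real family's algorithm. SEED and TLDS are made-up values; a new series each day.
SEED = "constructed-seed"
TLDS = (".com", ".net", ".tk")

def candidate_domains(day: date, count: int = 1000) -> list[str]:
    """Ordered series of names a bot would query on `day`, positions 1..count."""
    names = []
    for i in range(1, count + 1):
        digest = hashlib.sha256(f"{SEED}|{day.isoformat()}|{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:20])
        names.append(label + TLDS[int(digest[-1], 16) % len(TLDS)])
    return names

def first_live_domain(candidates: list[str], live: set[str]) -> str | None:
    """Model the bot's walk: query in order, stop at the first name that answers."""
    return next((d for d in candidates if d in live), None)

def sinkhole_days(registered: set[str], operator: set[str], start: date, ndays: int) -> list[date]:
    """Days on which a sinkholed name answers before any of the operator's names."""
    days = [start + timedelta(days=k) for k in range(ndays)]
    return [d for d in days if first_live_domain(candidate_domains(d), registered | operator) in registered]

def looks_generated(fqdn: str, min_len: int = 12, min_entropy: float = 3.5) -> bool:
    """Defender-side heuristic for DNS logs: flag long, high-entropy first labels."""
    label = fqdn.lower().split(".")[0]
    if len(label) < min_len:
        return False
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs) >= min_entropy

def demo() -> dict:
    """Constructed scenario: the researcher holds day 1's first name, the operator later ones."""
    day1 = date(2018, 6, 27)          # constructed date
    day2 = day1 + timedelta(days=1)
    registered = {candidate_domains(day1)[0]}
    operator = {candidate_domains(day1)[7], candidate_domains(day2)[3]}
    return {
        "covered": [d.isoformat() for d in sinkhole_days(registered, operator, day1, 3)],
        "day2_goes_to_operator": first_live_domain(candidate_domains(day2), registered | operator) in operator,
        "series_disjoint": set(candidate_domains(day1)).isdisjoint(candidate_domains(day2)),
    }

if __name__ == "__main__":
    print(demo())  # {'covered': ['2018-06-27'], 'day2_goes_to_operator': True, 'series_disjoint': True}
```

The entropy threshold is a heuristic, not a signature: short or dictionary-like labels pass, and any real deployment would tune it against the organisation's own DNS baseline.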

Prevention:

The exploit used by the WannaCrypt ransomware was sold on various darknet websites by the Shadow Brokers hacker group, who claimed they had hacked the exploit information from the NSA.

If you have not updated your Windows yet, it is still okay to do so now, because the patch was a crucial update. But for the future, you must remember to update Windows regularly, and if you are using an old Windows version, stop using it and move to the latest version, Windows 10.

Use a good antivirus program, but installing a separate antivirus is not strictly necessary, as Windows Defender works the same way as any antivirus. Update Windows and the Windows Defender virus definitions regularly and that will suffice for good security. There is not much difference between Windows Defender and other antiviruses. Malwarebytes is also a very good antivirus.

Hope you liked the discussion. Give us your opinion below in the comment box. Thank you.