// Cybersecurity clarified.

Ransomware Clarified for Non-Techies

2022-08-07   Dawid Farbaniec
Ransomware is a type of malware that locks access to important data (e.g. by encrypting it) or scares about publishing sensitive data. This text has been written to explain the mechanisms by which this type of malicious program works and how a computer user should behave in order to limit the damage caused by ransomware.

Behavior in Case of Suspected Infection

Once launched, the ransomware will search for files on the disk and damage them one by one. Files can be encrypted and even wiped. For this reason, turning off the device in time will give you a chance to stop this process.

It is worth adding that powering off infected devices can protect other machines on the network from infection. Ransomware malware may have a built-in worm that will try to spread through your home or business network.

There are ransomware programs that wipe files and then offer to recover them for a ransom, what is a nonsense.

See also: Learn About Over 20 Types of Malware

Data Recovery and Decryption after Ransomware Attack

If a ransomware program uses the same key for encryption and decryption, it is possible that one can find a tool, e.g. made by an antivirus company, that allows to recover files.

However, ransomware malware has changed over time and mostly uses asymmetric encryption, where the public key is used for encryption and the private key is used for decryption. For this reason, one will need the private key or weakness of the cryptographic algorithm to create a decryption tool.

Hope to recover at least fragments of the most important data is offered by tools that try to read deleted data from the computer's disk. This is possible because disk operations on files do not always overwrite data.

Presentation of a Controlled Ransomware Infection

For educational purposes, a deliberate infection of Windows with BlackBasta ransomware is presented below.

Sample data was created on the experimental system.

A sample of BlackBasta ransomware is then launched.

Rebooting the machine in safe mode is a BlackBasta feature.

Several seconds pass and the sample valuable data is corrupted by encryption.

The readme.txt file appears on the Desktop with a ransom note.

If we do not have a backup or valuable data has been exfiltrated to an external Command & Control server then it's not good.

Educational Ransomware Graphics

Stay safe.

Bibliography [access: 2022-08-07]