[MART] - Daily Diary #355 - Malware Types - Ransomware

CTAS-MAT ctas-mat at appgate.com
Fri Sep 24 20:31:19 UTC 2021

I hope everyone is doing well!

Below is the entry for today.

09/24/2021 - Diary entry #355

Continuing our thread on malware types, started in our Daily Diary #328, today we are going to talk about the infamous Ransomware. Ransomware is a very dangerous kind of malware. Generally speaking, any malware that restricts access to a system and demands a ransom payment is considered Ransomware. That includes not only malware that is dropped on the system to disrupt software and files, but also malicious scripts whose goal is to hijack databases and websites.

The most common type of Ransomware adopts the strategy of encrypting the files in the system. In that case, the malware samples include an encryption algorithm, and upon execution, they try to encrypt as many files as possible. The ransom is demanded in exchange for a decryption tool that can (in theory) recover all the affected files. Most Ransomware in that category implements a combination of an asymmetric algorithm, like RSA, ECC or ChaCha, along with a symmetric algorithm like AES. When encrypting a file, they will randomly generate an AES key, encrypt the content, and encrypt the generated key with a public key embedded in the sample. The final encrypted key blob is then appended to the encrypted content, and the result replaces the original file in the system.
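The per-file pattern described above leaves two measurable traces on disk: a file whose content suddenly has near-random byte distribution, and a fixed-size blob appended to it. The following Python is an added example (not code from the diary or from Appgate) of how a defender can turn those traces into a detection: it computes Shannon entropy over file contents, compares a "before" and "after" snapshot of a directory, and flags files that jumped from low to high entropy and all grew by the same number of bytes. The file paths, the 256-byte wrapped-key trailer and the sample contents are constructed for the demo and are assumptions, not values from any real sample.

```python
import math
import random
from collections import Counter

# Seeded PRNG so the constructed "encrypted" contents are reproducible offline.
_rng = random.Random(1337)


def _random_bytes(n: int) -> bytes:
    """Stand-in for ciphertext: uniformly random bytes (constructed demo data)."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


# Constructed sample: plaintext-like content and a random-looking blob.
PLAINTEXT = b"The quick brown fox jumps over the lazy dog.\n" * 100
CIPHERTEXT_LIKE = _random_bytes(4096)
# Hypothetical appended blob: the diary says the wrapped per-file key is appended
# to the encrypted content. 256 bytes models an RSA-2048-wrapped AES key (assumption).
WRAPPED_KEY_TRAILER = _random_bytes(256)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic: encrypted (or compressed) data sits close to 8 bits/byte."""
    return shannon_entropy(data) >= threshold


def detect_mass_encryption(before: dict, after: dict,
                           threshold: float = 7.5, min_hits: int = 3):
    """Compare two {path: bytes} snapshots.

    Returns (suspicious_paths, alert). A path is suspicious when it went from
    low entropy to high entropy between snapshots; files that were already
    high entropy (archives, media) are ignored so they do not inflate the count.
    """
    suspicious = []
    for path, new_bytes in after.items():
        old_bytes = before.get(path, b"")
        if not looks_encrypted(old_bytes, threshold) and looks_encrypted(new_bytes, threshold):
            suspicious.append(path)
    return suspicious, len(suspicious) >= min_hits


def common_size_delta(before: dict, after: dict, paths):
    """If every suspicious file grew by the same number of bytes, return that
    delta: a constant growth across many files is consistent with an appended
    key blob. Returns None when the deltas differ (e.g. padding varies)."""
    deltas = {len(after[p]) - len(before.get(p, b"")) for p in paths}
    return deltas.pop() if len(deltas) == 1 else None


# Constructed "before" snapshot of a small user profile (paths are made up).
BEFORE = {
    "/home/user/report.docx": PLAINTEXT,
    "/home/user/notes.txt": b"meeting notes\n" * 100,
    "/home/user/budget.csv": b"item,cost\nlaptop,1200\n" * 40,
    "/var/log/syslog": b"Sep 24 20:31:19 host sshd[1]: ok\n" * 30,
    "/home/user/archive.zip": _random_bytes(2048),  # already high entropy before
}
# "After" snapshot: three documents replaced by random-looking content plus the
# appended trailer; the log and the archive are untouched.
AFTER = dict(BEFORE)
for _p in ("/home/user/report.docx", "/home/user/notes.txt", "/home/user/budget.csv"):
    AFTER[_p] = _random_bytes(len(BEFORE[_p])) + WRAPPED_KEY_TRAILER


def run_demo():
    suspicious, alert = detect_mass_encryption(BEFORE, AFTER)
    delta = common_size_delta(BEFORE, AFTER, suspicious)
    return suspicious, alert, delta


if __name__ == "__main__":
    paths, alert, delta = run_demo()
    for p in paths:
        print(f"entropy jump: {p} ({shannon_entropy(BEFORE[p]):.2f} -> {shannon_entropy(AFTER[p]):.2f} bits/byte)")
    print("alert:", alert, "| common appended size:", delta)
```

Entropy alone also fires on legitimate compression or archiving, which is why the snapshot comparison only counts files that were low entropy before, and why the constant size growth is reported separately as corroborating evidence rather than folded into the alert.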

Since 2019, we have observed an increase in Ransomware applying a new strategy known as double-extortion. In that case, before encrypting the files in the system, the attackers exfiltrate as much private data as possible. If the ransom is not paid, the attackers publish the data on a "wall-of-shame". With companies employing better backup systems, cyber-criminals adopted the double-extortion model to profit even from companies with up-to-date backups and routines to recover their operations quickly.

Recovering from a Ransomware attack can be very expensive and time-consuming. The best way to protect against this kind of threat is to adopt a Zero Trust methodology, isolating networks and minimizing any damage caused by an attack.

Kind Regards,



Felipe Duarte Domingues
Security Researcher

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509
