Recently, a friend of mine called asking for advice. His personal computer had been compromised with ransomware. The attacker was asking for 0.1 Bitcoin, the equivalent of ~640 USD. My friend explained that all of his files had been encrypted with a “.gdcb” extension, and that each folder contained a file named “GDCB-DECRYPT.txt”. It became clear that he was dealing with GandCrab. After several attempts to handle the situation himself through online guides, he eventually gave in and paid the ransom.
Ransomware is actually one of the most effective methods of attack, and the easiest to monetize. Most people have heard of it because of the 2017 WannaCry attack, which targeted Windows machines, encrypted their data and demanded payment in Bitcoin. WannaCry hit more than 200,000 computers worldwide, the largest-scale ransomware attack in history at the time. The reason criminals love ransomware is simple. In a more traditional attack where credit card data is stolen, the criminals still have to go to the Dark Web to sell the data before they see any money. With ransomware the victim pays the attacker directly, almost as simply as a wire transfer, and many victims do pay to regain access to their data.
What should we do to protect ourselves?
Backups are the main line of defense. A backup can live on a USB stick or an external hard drive. The problem is that ransomware encrypts every drive it can reach, so an external drive that stays plugged in gets encrypted right along with a mapped network drive. Many people now rely on cloud storage such as Dropbox, Box, and Google Drive in the hope of keeping their personal data safe. These services integrate easily with your computer, but that same integration works for the attacker: a sync client faithfully uploads the encrypted copies and overwrites the good ones, so cloud sync on its own is not a backup. Bottom line, the best way to limit damage from a ransomware infection is to keep regular, up-to-date backups, whether in the cloud or on a physical drive, with at least one copy that is disconnected or versioned so the malware cannot overwrite it.
Just this week a new version of GandCrab was released that improves its ability to evade detection. So how do computers become infected with it? GandCrab, like other ransomware, dupes users into running it themselves by disguising itself as another file. Once it runs, it encrypts the user’s files and demands payment in cryptocurrency. The new version encrypts files faster and wraps the malware in additional layers of encryption and packing that make it much harder for researchers to analyze.
Ransomware is flexible: attackers can deploy it wherever they need it. Most criminals look for quick and easy wins, but more advanced attacks may target cloud users. In some attacks the malware also exfiltrates data before encrypting it, setting up a second stage of extortion: “If you pay extra, we won’t leak your data to a platform like Pastebin.” This method is most threatening to companies. One wrong download by an employee, and company data can be compromised. Because employees are the most common way in, it’s critical that companies invest not only in backup systems and technologies but in employee education as well. Training employees to form a human firewall of a cyber-aware workforce is one of the best defense mechanisms a company has.
Lastly, if you were attacked and decided to pay the ransom, know that the price can usually be negotiated. There is no guarantee the criminals will decrypt your files, although most ransomware operators do deliver a working decryptor, because their business depends on victims believing that paying works. If you have an intact backup, all of this can be avoided by wiping the computer and restoring it from the backup.
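To make the backup advice above concrete, here is a small added example (it is not code from the original post and has nothing to do with GandCrab’s own code) that shows why a mirroring sync or a single overwritten backup fails and why immutable, versioned snapshots plus a restore work. It keeps each backup as a separate snapshot directory, checks a tree for the two indicators the post mentions (files renamed with “.gdcb” and the “GDCB-DECRYPT.txt” note), picks the newest snapshot with no indicators and restores from it. The directory layout, the snapshot names, the function names and the simulated “encryption” (overwrite with random bytes and rename) are assumptions made for the demonstration; the sample files are constructed.

```python
"""Versioned backup + GandCrab-indicator check + wipe-and-restore (added example)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional

RANSOM_EXT = ".gdcb"            # extension GandCrab appended to encrypted files
RANSOM_NOTE = "GDCB-DECRYPT.txt"  # ransom note dropped into folders


def snapshot(src: Path, repo: Path, name: str) -> Path:
    """Copy the tree at src into repo/name. A snapshot is never overwritten,
    so an encrypted tree backed up later cannot clobber the clean copy the way
    a mirroring sync client or a single rewritten backup would."""
    dest = repo / name
    if dest.exists():
        raise FileExistsError(f"snapshot {name} exists; snapshots are immutable")
    shutil.copytree(src, dest)
    return dest


def file_hashes(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 of every file under root (used to verify a restore)."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def ransomware_indicators(root: Path) -> Dict[str, int]:
    """Count the two indicators from the post. A backup job should run this
    check before it ages out or overwrites the last clean copy."""
    encrypted = [p for p in root.rglob("*") if p.is_file() and p.suffix == RANSOM_EXT]
    notes = list(root.rglob(RANSOM_NOTE))
    return {"encrypted_files": len(encrypted), "ransom_notes": len(notes)}


def last_clean_snapshot(repo: Path) -> Optional[Path]:
    """Newest snapshot (names sort chronologically) that shows no indicators."""
    for snap in sorted(repo.iterdir(), reverse=True):
        ind = ransomware_indicators(snap)
        if ind["encrypted_files"] == 0 and ind["ransom_notes"] == 0:
            return snap
    return None


def restore(snap: Path, target: Path) -> None:
    """The 'wipe and restore' step: discard the infected tree, copy the snapshot back."""
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(snap, target)


def simulate_gandcrab(root: Path) -> None:
    """Constructed stand-in for the infection's file-system effect only:
    overwrite each file with random bytes, rename it with .gdcb, drop the note.
    (Real GandCrab uses real cryptography; this is not a model of it.)"""
    for p in list(root.rglob("*")):
        if p.is_file():
            p.write_bytes(os.urandom(len(p.read_bytes()) or 16))
            p.rename(p.with_name(p.name + RANSOM_EXT))
    (root / RANSOM_NOTE).write_text("your files are encrypted\n")


def demo() -> dict:
    """End-to-end run on a constructed Documents folder; returns what the test checks."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        docs, repo = base / "Documents", base / "backups"
        docs.mkdir()
        repo.mkdir()
        (docs / "thesis.docx").write_bytes(b"chapter 1 " * 100)   # constructed sample
        (docs / "photos").mkdir()
        (docs / "photos" / "cat.jpg").write_bytes(b"\xff\xd8jpegdata")

        before = file_hashes(docs)
        snapshot(docs, repo, "2018-03-01T0800")   # clean nightly backup
        simulate_gandcrab(docs)                   # infection happens during the day
        snapshot(docs, repo, "2018-03-02T0800")   # naive nightly job backs up the damage
        indicators = ransomware_indicators(docs)

        clean = last_clean_snapshot(repo)         # skips the contaminated snapshot
        restore(clean, docs)
        return {
            "indicators": indicators,
            "clean_snapshot": clean.name if clean else None,
            "restored_ok": file_hashes(docs) == before,
        }


if __name__ == "__main__":
    print(demo())
```

The point of the immutability check in `snapshot` is the whole lesson: the second snapshot contains nothing but encrypted files and the ransom note, exactly what a sync folder would hold after an infection, and it is useless. Recovery is only possible because the first snapshot could not be overwritten and the indicator check knows to skip the contaminated one.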
Originally posted by Alex Aronovich on LinkedIn.