How to Find the Source of Ransomware

Ransomware, In my opinion, is the worst thing that can happen to my files, as well as my wallet. They were hard to deal with back then, but today the old ones don’t work like in their glory days. Today you will learn everything meaningful about ransomware, and I’ll answer the most asked questions about it.

How Does Ransomware Work?

Ransomware is a malware designed to prevent users like me from accessing any file on my device. Let’s say I clicked on a fishy website; there, I find out that “I can earn thousands of dollars just by downloading this app” my naive personality downloads it, and then guess what happened.

The app opens when it’s being clicked on, but my wallet does not get 1000$ richer, in fact, all of my files are encrypted with “Hackers” encryption, and only they have the private key for decrypting them. Of course, they will not hand me the key if asked politely.

I will see a window where it would say something like, “All your files have been encrypted; if you want to get them back, send us 500$ in BTC on this address in 48h. If time expires, it’s no longer 500$ but 800$.”, and If I refuse to pay, all my important files are gone forever.

Fortunately, nowadays, you can find decryption keys on the internet for some known ransomware, but for the newly created ones, there is not much help.

How To Detect Files Being Encrypted?

It can be done just by looking at the extension of the file, but also, I would click on the file or folder, select “Properties” and click the “Advanced” button. If my file/folder is encrypted, the “Encrypt contents to secure data” checkbox will be selected.

What is the source code of ransomware?

If we are talking about where it was found, I would usually find it in phishing emails, on suspicious websites, or in the form of an app or .exe file. There are cases where ransomware is manually installed via a bad USB.
For example, a “Hacker” comes into the company’s building and leaves a USB. I come, as a normal staff and find the USB. The right thing to do is to alert someone about it, and in any condition, not to plug it into a computer, but I decide to test my luck, and that’s how I get fired when all of the files get encrypted.
Now, if we speak about the language it is written in, the most common ones are JavaScript, ActionScript, C#, C, and even Golang. A new ransomware was detected in Java, named Tycoon; it appeared in December 2019.

What Causes Ransomware Attack?

If we talk about people’s intentions, it can be a dedicated attack; for example, a group of “Hackers” will attack a hospital, and if successful, they’ll disable everything used for life support and many important devices and then ask for ransom.

Why is that? Because the government needs to act quickly, or many lives can be in danger. So the best option is to pay the ransom and then send Cyber Forensics to try and find anything related to the attackers. Of course, someone can just release their ransomware on the internet and wait for someone to download it.

Now, if we talk about the cause of why ransomware got into your system, it can be in a few different ways. First off, emails, or in other words Social Engineering. Next would be poor user practice. Now, my important one is the Lack Of Cyber Security Training.

Many companies spend their money and time on the system’s security, forgetting about the easiest and most common attack method, Social Engineering. And, of course, for the end, it’s Weak Password/Access Management, which is self-explanatory.

How To Prevent Ransomware?

The prevention of ransomware is not difficult if you follow the right path. My prevention would be, installing good monitoring applications, as well as anti-malware software. But there is more, I’ll also have frequent file backups, just in case; if the company’s people are involved, I will provide good user training.

Although the risk can’t be completely removed, it can be drastically reduced. Another tip is, that if you feel suspicious about a file, you can always check it out on VirusTotal.com.

Where Does Most Malware Come From?

As many of you already guessed, the most destructive malware comes from Russia and the neighboring states, according to the chief of the UK cybersecurity agency. New analysis says that 74% of all the money made from ransomware belongs to Russian “Hackers”, which would be 400 million dollars in crypto.

Ransomware groups work in jurisdictions where American law can’t reach them.

Can Ransomware Hackers Be Traced?

The best way to try and trace the “Hackers” is through the crypto wallet that was used for the payment or the key of the encryption they possess. Of course, that is not easy as it seems.
First, payments are anonymous; in my case, I would first need to identify which wallets were used to pay the ransom and which to cash out.

There are websites on the internet where you can find a lot about crypto wallets, but you’ll not find a lot about the person behind them. There is a good example where a few people were traced back and caught by the police because of their ransomware called ReEvil.

They were arrested in Romania by Europol, and it’s said that they had over 5000 victims and made about 500.000$ from ransom. I think you can only wait for their mistake; the only thing you can find in the code is how it works.

What If I Get Caught In Ransomware?

You may think that this can’t happen to you, that you are smart and will not download, click and install anything from the internet that you do not trust. Often, “Hackers” will not contact you directly from an unknown user.

Your friend’s profiles are the ones you need to be afraid of. For example, I was cautious about what I said above, but suddenly I saw a pop-up on my Steam about a free skin in a game called CSGO.

It never crossed my mind that it could be a trap since it was my friend sending me the link. Of course, I opened the link, logged on to the website, and my account was lost in a blink of an eye.

After an hour, I got a message from a friend who said his account was hacked and I should watch out. I was thinking, “You telling me that now!?”, but it was too late for me.

The same way it can happen to you, just with ransomware. So let’s get back on the subject; you get caught by it; what now? The first thing will be to check if this ransomware is already documented online.

Check the extension of encryption, and type it on the internet, good site for that would be nomoreransom.org, and if you see that the ransomware is an older version, you can probably find the key on the internet.

If you are not lucky enough and do not have backups of your files, the best thing to do is contact someone whose job is to deal with this. Sometimes it is best just to pay the ransom and be careful the next time.

What Was The Biggest Ransomware Attack?

I’ll say one of the biggest ransomware attacks must be WannaCry. It was a worldwide cyber attack it happened on May 2017. It targeted computers using only Microsoft Windows OS by encrypting their files and demanding a ransom paid in crypto, specifically Bitcoin.

It targeted older systems that are not patched since it propagated through the EternalBlue exploit. It is said that the attack affected around 200.000 computers in over 150 countries, and it is believed that the worm originated from North Korea. Here are some of the ransomware recorded:

  • AIDS Trojan/PC
  • Cyborg (1989)
  • CryptoLocker (2013)
  • Koler
  • Ransom32 (2016)
  • WannaCry (2017)
  • REvil (2019)
  • UHS (2020)
  • Conti (2021)

What Are The Types Of Ransomware?

There are 5 common types of ransomware.

  1. Locker Ransomware
    As it says, this type of ransomware locks users out of their system.
    Usually, users can only view the lock screen or the screen with the ransom demand. The mouse and keyboard would only be available for the payment to be complete. Lockers don’t usually destroy data; it only prevents users from accessing it.
  2. Crypto Ransomware
    It doesn’t lock the system, but it encrypts the data. Users can freely move and interact with the device and encrypt data. Of course, there will be a displayed timer with the cooldown for the payment to be complete.
  3. Scareware
    This is the interesting one; it is trying to freak and scare the users by displaying alarms and warnings such as danger, that way, it’s trying to trick the users into downloading malware that “Hackers” display. Usually, pop-ups look authentic so the normal user will tell no difference.
  4. Leakware
    Also known as Doxware, since the “Hacker”, instead of destroying your data, will threaten to publish it. They usually target banks and organizations that hold confidential data.
  5. Ransomware as a service(RaaS)
    It allows low technical knowledge criminals to subscribe to RaaS and then use the ransomware for further attacks. Of course, creators earn the percentage of the money their subscribers make.