{"id":6319,"date":"2017-01-23T15:50:20","date_gmt":"2017-01-23T23:50:20","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-157\/"},"modified":"2017-01-23T15:50:20","modified_gmt":"2017-01-23T23:50:20","slug":"news-157","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-157\/","title":{"rendered":"The 5Ws and 1H of Ransomware"},"content":{"rendered":"<p>For the past three months, we have seen <a target=\"_blank\" href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/tag\/ransomware\/\">ransomware<\/a> hop its way across the globe. The majority of ransomware incidents are found in the United States, followed by Italy and Canada.<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/R_consumer1.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"500\" class=\"alignnone size-large wp-image-7085\" alt=\"Ransomware geographical distribution from February to April 2016\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/R_consumer1-1024x500.png\" \/><\/a><\/p>\n<p>The prevalence of large-scale ransomware incidents led the United States and Canadian governments to issue a <a href=\"https:\/\/www.us-cert.gov\/ncas\/alerts\/TA16-091A\">joint statement<\/a> about ransomware. Due to the global ransomware incidents, the Swiss government, along with some industry players, will also hold the <a href=\"https:\/\/www.stopthinkconnect.ch\/ransomwareday2016\/\">Ransomware InfoDay<\/a> today, May 19, 2016, as part of the ransomware awareness campaigns.<\/p>\n<p>The following table shows the top 20 countries where ransomware is most prevalent.<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/R_consumer2.png\"><img loading=\"lazy\" decoding=\"async\" width=\"316\" height=\"382\" class=\"alignnone wp-image-7095 size-full\" alt=\"Top 20 countries with the most prevalent ransomware incidents \" 
src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/R_consumer2.png\" \/><\/a><\/p>\n<p>This blog answers the frequently asked questions (who, what, where, when, why, and how) about malware with an effect so tangible that it manages to lock your files, extort money from you, and disrupt important public and private operations.<\/p>\n<p>Case in point: RANSOMWARE<\/p>\n<p>&nbsp;<\/p>\n<h2>Whom does it affect?<\/h2>\n<p>You! Do you use a mobile device, PC, laptop, or the internet for surfing, emailing, working, or shopping online?<a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/R_consumer3.png\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"232\" class=\"alignnone wp-image-7105 size-medium\" alt=\"Who could be a ransomware victim?\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/R_consumer3-300x232.png\" \/><\/a><\/p>\n<p>If yes, then you are a potential ransomware victim. Ensure that precautionary measures are taken; see the Prevention section for details.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2>What is ransomware?<\/h2>\n<p>Ransomware is malware that stealthily gets installed<a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/R_consumer4.png\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"167\" class=\"alignright size-medium wp-image-7115\" alt=\"What is ransomware?\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/R_consumer4-300x167.png\" \/><\/a> on your PC or mobile device and holds your files or operating system functions for ransom. It restricts you from using your PC or mobile device, and from accessing your files (files are sometimes locked or encrypted), unless you pay the ransom (in exchange for file decryption).<\/p>\n<p>Paying the ransom (either through credit card or Bitcoins), however, does not guarantee that you&#8217;ll get your files back. 
Prevention is still way better than allowing yourself to be infected and then trying to find a cure. See our <a href=\"https:\/\/www.microsoft.com\/security\/portal\/mmpc\/shared\/ransomware.aspx\">Ransomware<\/a> page for details.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2>What does a ransomware attack look like?<\/h2>\n<p>Ransomware targets your pictures, documents, files, and data that are personally invaluable.<\/p>\n<p>You can tell that you are under attack when you see any of the following:<\/p>\n<ul>\n<li>Ransomware note<\/li>\n<li>Encrypted files<\/li>\n<li>Renamed files<\/li>\n<li>Locked browser<\/li>\n<li>Locked screen<\/li>\n<\/ul>\n<p>However, the symptoms of a ransomware attack vary from one ransomware type to another:<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/R_consumer5.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1019\" height=\"538\" class=\"alignnone wp-image-7116 size-full\" alt=\"Sample ransomware lockscreens and ransom notes\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/R_consumer5.png\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<h2>What!?! There are several ransomware types?<\/h2>\n<p>Yes. Since it first surfaced in 1989, ransomware has morphed into different forms as it adapts to people\u2019s computing habits and leverages recent technologies and available monetization strategies.<\/p>\n<p>There are two types of ransomware \u2013 lockscreen ransomware and encryption ransomware.<\/p>\n<ul>\n<li><strong>Lockscreen ransomware<\/strong> shows a full-screen message that prevents you from accessing your PC or files. It says you have to pay money (a \u201cransom\u201d) to get access to your PC again.<\/li>\n<li><strong>Encryption ransomware <\/strong>changes your files so you can\u2019t use them. 
It does this by encrypting the files \u2013 see the Details for enterprises section if you\u2019re interested in the technologies and techniques we\u2019ve seen.<\/li>\n<\/ul>\n<p>Older versions of ransomware usually claim you have done something illegal with your PC, and that you are being fined by a police force or government agency.<\/p>\n<p>These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your PC.<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/R_consumer6.png\"><img loading=\"lazy\" decoding=\"async\" width=\"857\" height=\"481\" class=\"alignnone size-full wp-image-7135\" alt=\"Ransomware history from 1989 to 2016\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/R_consumer6.png\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<h2>Where can a ransomware attack happen?<\/h2>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/R_consumer71.png\"><img loading=\"lazy\" decoding=\"async\" width=\"150\" height=\"150\" class=\" size-thumbnail wp-image-7165 alignleft\" alt=\"R_consumer7\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/R_consumer71-150x150.png\" \/><\/a>Computers and mobile devices.<\/p>\n<p>Ransomware employs its encryption and monetization strategies across PCs and mobile devices.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2>When can a ransomware attack start?<a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/R_consumer8.png\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"285\" class=\"alignright size-medium wp-image-7126\" alt=\"Ransomware attack workflow\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/R_consumer8-300x285.png\" \/><\/a><\/h2>\n<p>Potential victims can fall into the ransomware trap if they are:<\/p>\n<ul>\n<li>Browsing untrusted websites<\/li>\n<li>Not careful about downloading or 
opening file attachments which are known to contain malicious code from spam emails. That also includes compressed files or files inside archives. Some possible attachments can be:\n<ul>\n<li>Executables (.<em>ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .hlp, .ht, .hta, .inf, .ins, .isp, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .pcd, .reg, .scr, .sct, .shs, .url, .vb, .vbe, .vbs, .wsc, .wsf, .wsh, .exe, .pif, etc<\/em>.)<\/li>\n<li>Office files that support macros (.<em>doc, .xls, .docm, .xlsm, .pptm<\/em>, etc.)<\/li>\n<\/ul>\n<\/li>\n<li>Installing pirated software, outdated software programs or operating systems<\/li>\n<li>Using a PC that is connected to an already infected network<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2>Why do malware perpetrators victimize people with ransomware?<\/h2>\n<p>Because they have malicious or criminal intentions, and see it as an easy way to make money. They take advantage of people\u2019s ignorance, unpatched software vulnerability, or <a href=\"https:\/\/en.wikipedia.org\/wiki\/Zero-day_(computing)\">zero-day<\/a> <a href=\"https:\/\/www.microsoft.com\/security\/portal\/mmpc\/shared\/glossary.aspx#Zero_day_exploit\">vulnerability<\/a>.<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/R_consumer9.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1063\" height=\"607\" class=\"alignnone size-full wp-image-7145\" alt=\"Ransomware in the news affecting crucial public and private services\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/R_consumer9.png\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>On the other hand, it mars an enterprise company\u2019s security and reputation as some ransomware incidents halt crucial services such as hospitals \u2013 thus forcing infected users to pay up if they haven\u2019t backed up their data.<\/p>\n<h2>Why must you educate yourself about ransomware?<\/h2>\n<p>Because it can take your hard-earned money in exchange 
for the stuff you already own &#8211; your data or files! <a href=\"http:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/entry.aspx?Name=Ransom%3aWin32%2fExxroute.A\">Exxroute<\/a> ransomware, for example, demands $500 and doubles the ransom as you delay the payment. It also starts deleting your files if you delay the payment.<\/p>\n<p>It can also violate your privacy, disrupt your work or personal life, and possibly harm your reputation.<\/p>\n<p>If the ransomware perpetrators are cashing in on people\u2019s ignorance, then educating yourself about it can help disrupt their business.<\/p>\n<p>Download the ransomware infographics <a target=\"_blank\" href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/RansomwareInfographicForConsumer.pdf\" title=\"Ransomware infographics for consumers and small and medium business information workers\">here<\/a>.<\/p>\n<h2>How can you avoid and bounce back from a ransomware attack?<\/h2>\n<h3><a target=\"_blank\" href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/05\/18\/the-5ws-and-1h-of-ransomware\/prevention\">Prevention<\/a><\/h3>\n<ul>\n<li>Keep your Windows Operating System and antivirus <a href=\"http:\/\/www.microsoft.com\/security\/portal\/mmpc\/help\/updatesoftware.aspx\">up-to-date<\/a>. Upgrade to <a href=\"https:\/\/www.microsoft.com\/en-us\/windows\/windows-10-upgrade\">Windows 10<\/a>.<\/li>\n<li>Regularly back up your files to an external hard drive.<\/li>\n<li>Enable File History or System Protection. 
On your Windows 10 or Windows 8.1 devices, you must have File History enabled and you have to <a target=\"_blank\" href=\"https:\/\/support.microsoft.com\/en-au\/help\/17128\/windows-8-file-history\">set up a drive for File History<\/a>.<\/li>\n<li>Use OneDrive for Consumer or for Business.<\/li>\n<li>Beware of <a href=\"https:\/\/blogs.technet.microsoft.com\/office365security\/how-to-review-and-mitigate-the-impact-of-phishing-attacks-in-office-365\/\">phishing emails<\/a> and spam, and avoid clicking malicious attachments.<\/li>\n<li><a href=\"https:\/\/blogs.windows.com\/msedgedev\/2015\/12\/16\/smartscreen-drive-by-improvements\/\">Use Microsoft Edge to get SmartScreen protection<\/a>. It will prevent you from browsing sites that are known to be hosting exploits, and protect you from socially-engineered attacks such as phishing and malware downloads.<\/li>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/02\/24\/locky-malware-lucky-to-avoid-it\/\">Disable the loading of macros in your Office programs<\/a>.<\/li>\n<li>Disable your Remote Desktop feature whenever possible.<\/li>\n<li>Use two-factor authentication.<\/li>\n<li>Use a safe and password-protected internet connection.<\/li>\n<li>Avoid browsing web sites that are known for being malware breeding grounds (illegal download sites, porn sites, etc.).<\/li>\n<\/ul>\n<h3>Detection<\/h3>\n<ul>\n<li>Install, use, and regularly update an antivirus solution like <a href=\"http:\/\/www.microsoft.com\/security\/pc-security\/windows-defender.aspx\">Windows Defender<\/a> to detect ransomware.<\/li>\n<li>Enable <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2015\/01\/14\/maps-in-the-cloud-how-can-it-help-your-enterprise\/\">Microsoft Active Protection Service (MAPS)<\/a> to get the latest cloud-based ransomware detection and blocking.<\/li>\n<\/ul>\n<h3>Recovery<\/h3>\n<p>In Office 365\u2019s <a href=\"https:\/\/blogs.technet.microsoft.com\/office365security\/how-to-deal-with-ransomware\/\">How to 
deal with ransomware<\/a> blog, there are several options on how one can remediate or recover from a ransomware attack. Here are a few that are applicable to a home user or those in the information industry like you:<\/p>\n<ol>\n<li>Make sure you have backed up your files.<\/li>\n<li>Recover the files in your device. If you have previously turned <strong>File History<\/strong> on in Windows 10 and Windows 8.1 devices or System Protection in Windows 7 and Windows Vista devices, you can (in some cases) recover your local files and folders.<\/li>\n<\/ol>\n<h4 style=\"padding-left: 30px\"><em>To restore your files or folders in Windows 10 and Windows 8.1:<\/em><\/h4>\n<ul>\n<li>Swipe in from the right edge of the screen, tap <strong>Search<\/strong> (or if you\u2019re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search). Enter \u201c<em>restore your files<\/em>\u201d in the search box, and then tap or click <strong>Restore your files with File History<\/strong>.<\/li>\n<li>Enter the name of the file you\u2019re looking for in the search box, or use the left and right arrows to browse through different versions of your folders and files.<\/li>\n<li>Select what you want to restore to its original location, and then tap or click the <strong>Restore<\/strong> button. If you want to restore your files to a different location than the original, press and hold, or right-click the <strong>Restore<\/strong> button, tap or click <strong>Restore To<\/strong>, and then choose a new location.<\/li>\n<\/ul>\n<p style=\"padding-left: 30px\"><em>Source: <\/em><a href=\"http:\/\/windows.microsoft.com\/en-US\/windows-8\/how-use-file-history\"><em>Restore files or folders using File History<\/em><\/a><\/p>\n<h4 style=\"padding-left: 30px\"><em>To restore your files in Windows 7 and Windows Vista<\/em><\/h4>\n<ul>\n<li>Right-click the file or folder, and then click <strong>Restore<\/strong> previous versions. 
You\u2019ll see a list of available previous versions of the file or folder. The list will include files saved on a backup (if you\u2019re using Windows Backup to back up your files) as well as restore points. Note: To restore a previous version of a file or folder that\u2019s included in a library, right-click the file or folder in the location where it\u2019s saved, rather than in the library. For example, to restore a previous version of a picture that\u2019s included in the Pictures library but is stored in the <strong>My Pictures<\/strong> folder, right-click the <strong>My Pictures<\/strong> folder, and then click <strong>Restore previous versions<\/strong>. For more information about libraries, see Include folders in a library.<\/li>\n<li>Before restoring a previous version of a file or folder, select the previous version, and then click <strong>Open<\/strong> to view it to make sure it\u2019s the version you want. Note: You can\u2019t open or copy previous versions of files that were created by Windows Backup, but you can restore them.<\/li>\n<li>To restore a previous version, select the previous version, and then click <strong>Restore<\/strong>.<\/li>\n<\/ul>\n<p style=\"padding-left: 30px\">Warning: The file or folder will replace the current version on your computer, and the replacement cannot be undone. Note: If the <strong>Restore<\/strong> button isn\u2019t available, you can\u2019t restore a previous version of the file or folder to its original location. However, you might be able to open it or save it to a different location.<\/p>\n<p style=\"padding-left: 30px\"><em>Source: <\/em><a href=\"http:\/\/windows.microsoft.com\/en-us\/windows\/previous-versions-files-faq\"><em>Previous versions of files: frequently asked questions <\/em><\/a><\/p>\n<p style=\"padding-left: 30px\"><strong>Important<\/strong>: Some ransomware will also encrypt or delete the backup versions and will not allow you to do the actions described before. 
If this is the case, you need to rely on backups in external drives (not affected by the ransomware) or OneDrive (Next step).<\/p>\n<p style=\"padding-left: 30px\"><strong><em>Warning<\/em><\/strong><em>: If the folder is synced to OneDrive and you are not using the latest version of Windows, there might be some limitations using File History.<\/em><\/p>\n<p>3. Recover your files in your OneDrive for Consumer.<\/p>\n<ul>\n<li><a target=\"_blank\" href=\"https:\/\/support.office.com\/en-us\/article\/Find-lost-or-missing-files-in-OneDrive-0d929e0d-8682-4295-982b-4bd75a3daa01\" title=\"Instructions on how to find lost or missing files from your OneDrive\">Find lost or missing files in OneDrive<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/support.office.com\/en-us\/article\/Delete-or-restore-files-and-folders-949ada80-0026-4db3-a953-c99083e6a84f\" title=\"Instructions on how to delete or restore files and folders from your OneDrive\">Delete or restore files and folders<\/a><\/li>\n<\/ul>\n<p>4. Recover your files in your OneDrive for Business.<\/p>\n<p style=\"padding-left: 30px\">If you use OneDrive for Business, it will allow you to recover any files you have stored in it. You can use either of the following options:<\/p>\n<h4 style=\"padding-left: 30px\"><em>Restoring the files using the Portal<\/em><\/h4>\n<p style=\"padding-left: 30px\">Users can restore previous version of the file through the user interface. To do this you can:<\/p>\n<p style=\"padding-left: 60px\">1. Go to <strong>OneDrive for Business<\/strong> in the office.com portal.<\/p>\n<p style=\"padding-left: 60px\">2. Right click the file you want to recover, and select <strong>Version History.<\/strong><\/p>\n<p style=\"padding-left: 60px\">3. 
Click the dropdown list of the version you want to recover and select restore.<\/p>\n<p>&nbsp;<\/p>\n<p>If you want to learn more about this feature, take a look at the <a href=\"https:\/\/support.office.com\/en-us\/article\/Restore-a-previous-version-of-a-document-in-OneDrive-for-Business-159cad6d-d76e-4981-88ef-de6e96c93893\">Restore a previous version of a document in OneDrive for Business<\/a> support article.<\/p>\n<h4><em>Site Collection Restore service request<\/em><\/h4>\n<p>If a large number of files were impacted, using the user interface in the portal will not be a viable option. In this case, create a support request for a \u2018Site Collection Restore\u2019. This request can restore up to 14 days in the past. To learn how to do this please take a look at the <a href=\"https:\/\/blogs.technet.microsoft.com\/akieft\/2012\/01\/09\/restore-options-in-sharepoint-online\/\">Restore Option in SharePoint Online<\/a> blog post.<\/p>\n<p>&nbsp;<\/p>\n<p><em>Microsoft Malware Protection Center<\/em><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/05\/18\/the-5ws-and-1h-of-ransomware\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>For the past three months, we have seen ransomware hop its way across globe. Majority of the ransomware incidents are found in the United States, then Italy, and Canada. 
The prevalence of large-scale ransomware incidents led the United States and Canadian governments to issue a joint statement about ransomware.\u00a0Due to the global ransomware incidents, the&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[10883,10884,3765,10885,10886,10887,10888,10889,10762,10788],"class_list":["post-6319","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-detect-ransomware","tag-microsoft-ransomware-faqs","tag-ransomware","tag-ransomware-detection","tag-ransomware-faq","tag-ransomware-infographic","tag-ransomware-prevention","tag-ransomware-recovery","tag-windows-defender","tag-windows-defender-blogs-for-home-users-and-small-businesses"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6319","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6319"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6319\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6319"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6319"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6319"}],"curies":[{"name":"w
p","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}