1.
Ransomware
Prevention and Removal

2.
What is ransomware?
• 'Ransomware' is a type of malware that attempts to extort money
from a computer user by infecting and taking control of the victim's
machine, or the files or documents stored on it.
• Typically, the ransomware will either 'lock' the computer to prevent
normal usage, or encrypt the documents and files on it to prevent
access to the saved data.

3.
History
• The first known ransomware was the 1989 "AIDS" trojan (also known as "PC Cyborg") written by
Joseph Popp.
• Extortionate ransomware became prominent in May 2005.
• By mid-2006, worms such as Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive
began utilizing more sophisticated RSA encryption schemes, with ever-increasing key-sizes.
• In 2011, a ransomware worm imitating the Windows Product Activation notice surfaced.
• In February 2013, a ransomware worm based off the Stamp.EK exploit kit surfaced.
• In July 2013, an OS X-specific ransomware worm surfaced.
• CryptoLocker has raked in around 5 million dollars in the last 4 months of 2013.

4.
How do criminals install ransomware?
• Ransomware generates a pop-up window, webpage, or email warning
from what looks like an official authority.
• Ransomware is usually installed when you open
A malicious email attachment
Click a malicious link in
an email message
an instant message
on social networking site
• Ransomware can even be installed when you visit a malicious website.

5.
Types of Ransomware
• Encryption Ransomware
• Lock Screen Ransomware
• Master Boot Record (MBR) Ransomware

6.
Encryption Ransomware
• Encrypts personal files/folders (e.g., the contents of your My Documents
folder - documents, spreadsheets, pictures, videos).
• Files are deleted once they are encrypted and generally there is a text file in
the same folder as the now-inaccessible files with instructions for payment.
• You may see a lock screen but not all variants show one.
• Instead you may only notice a problem when you attempt to open your files.
• This type is also called 'file encryptor' ransomware.

7.
Lock Screen Ransomware
• 'Locks' the screen and demands payment.
• Presents a full screen image that blocks all other windows.
• This type is called 'WinLocker' ransomware.
• No personal files are encrypted.

8.
Master Boot Record (MBR) Ransomware
• The Master Boot Record (MBR) is a section of the computer's hard
drive that allows the operating system to boot up.
• MBR ransomware changes the computer's MBR so the normal boot
process is interrupted.
• A ransom demand is displayed on screen instead.

9.
Reveton
• In 2012, a major ransomware worm known as Reveton began to spread.
• It is also known as "police trojan".
• Its payload displays a warning purportedly from a law enforcement agency.
• claiming that the computer had been used for illegal activities, such as downloading pirated
software, promoting terrorism, copyright etc.
• The warning informs the user that to unlock their system they would have to pay a fine.
• To increase the illusion that the computer is being tracked by law enforcement, the screen also
displays the computer's IP address and footage from a computer's webcam.

10.
CryptoLocker
• A Encrypting ransomware reappeared in 2013.
• Distributed either as an attachment to a malicious e-mail or as a drive-by download.
• encrypts certain types of files stored on local and mounted network drives using RSA public-key
cryptography.
• The private key stored only on the malware's control servers.
• Offers to decrypt the data if a payment (through either Bitcoin or a pre-paid voucher) is made by a
stated deadline.
• threatens to delete the private key if the deadline passes.
• If the deadline is not met, the malware offers to decrypt data via an online service provided by the
malware's operators, for a significantly higher price in Bitcoin.

11.
Health Care and Ransomware(2016)
• As of August 2016, 88% of ransomware attacks hit hospitals/medical facilities
Health care facilities seem to be hit regularly:
• Hollywood Presbyterian
• USC hospitals
• MedStar Health (Washington DC area)
Effects of ransomware attacks:
• Employees cannot log in
• Patient appointments had to be cancelled
• No electronic records or prescriptions

12.
WannaCry Ransomware(2017)
• One of the largest cyberattacks ever is currently eating the web, hitting
PCs in countries and businesses around the world.
• Well, a vulnerability first uncovered by the National Security Agency and
then released by hackers on the internet is now being used in one of the
most prolific cyberattacks ever around the globe.
• We found out about it because a group of hackers, known as Shadow
Brokers, in April released a cache of stolen NSA documents on the
internet, including details about the WannaCry vulnerability.

13.
Cont…
• It's called WannaCry, and it's brought computer systems from Russia
to China to the UK and the US to their knees, locking people out of
their data and demanding they pay a ransom or lose everything. So
far, more than 200,000 computers in 150 countries have been
affected, with victims including hospitals, banks, telecommunications
companies and warehouses.
• This exploit called EternalBlue.
• The ransomware is spread through standard file sharing technology
used by PCs called Microsoft Windows Server Message Block, or
"SMB" for short.

14.
How to prevent ransomware ?
• Keep all of the software on your computer up to date.
• Make sure automatic updating is turned on to get all the latest Microsoft
security updates and browser-related components (Java, Adobe, and the
like).
• Keep your firewall turned on.
• Don't open spam email messages or click links on suspicious websites.
(CryptoLocker spreads via .zip files sent as email attachments, for
example.)

15.
Cont…
• Download Microsoft Security Essentials, which is free, or use another
reputable antivirus and anti-malware program.
• If you run Windows 8 you don’t need Microsoft Security Essentials.
• Scan your computer with the Microsoft Safety Scanner.
• Keep your browser clean.
• Always have a good backup system in place, just in case your PC does
become infected and you can’t recover your files.

16.
Identify The Ransomware
Most commonly, ransomware is saved to one of the following locations:
• C:Programdata(random alpha numerics).exe
• C:Users(username)0.(random numbers).exe
• C:UsersUsernameAppData(random alpha numerics).exe

17.
Removal – Microsoft Procedure
The following Microsoft products can detect and remove this threat:
• Windows Defender (built into Windows 8)
• Microsoft Security Essentials
• Microsoft Safety Scanner
• Windows Defender Offline (Some ransomware will not allow you to use the
products listed here, so you might have to start your computer from a
Windows Defender Offline disk.)

18.
Removal – Other Anti-Malware Programs
1. Start your computer in “Safe Mode with Networking”.
2. Stop and clean malicious running processes.
• Download and save "RogueKiller" utility on your computer'* (e.g. your Desktop).
• Double Click to run RogueKiller.
• Let the prescan to complete and then press on "Scan" button to perform a full
scan.
• When the full scan is completed, press the "Delete" button to remove all malicious
items found.
• Close RogueKiller and proceed to the next Step.

19.
Clean Remaining Malicious Threats
• Download and install a reliable FREE/Pro anti malware programs to clean your
computer from remaining malicious threats. E.g. Malwarebytes Anti-Malware,
Norton etc.
• Run "Anti-Malware" and allow the program to update to it's latest version and
malicious database if needed.
• let the program scan your system for threats.
• Select all threats in result scan and remove all.
• When the removal of infected objects process is complete, "Restart your system
to remove all active threats properly“.

20.
Delete Cryptolocker Hidden Files
• Enable the hidden files view from control panel.
• Navigate to the following paths and delete all Cryptolocker Hidden files:
For Windows XP
• C:Documents and Settings<YOUR USERNAME>Application DataRandomFileName.exe
• e.g. {DAEB88E5-FA8E-E0D1-8FCD-BFC7D2F6ED25}.exe
• C:WINDOWSsystem32msctfime.ime
For Windows Vista or Windows 7
• C:Users<YOUR USERNAME>AppDataRoamingRandomFileName.exe
• e.g. {DAEB88E5-FA8E-E0D1-8FCD-BFC7D2F6ED25}.exe
• C:WINDOWSsystem32msctfime.ime

21.
Delete Temporary files
Finally delete all files and folders under your TEMP folders:
For Windows XP
• C:Documents and Settings<YOUR USERNAME>Local SettingsTemp
• C:WindowsTemp
For Windows Vista or Windows 7
• C:Users<YOUR USERNAME>AppDataLocalTemp
• C:WindowsTemp

22.
File Restore- Shadow Copies
1. Navigate to the folder or the file that you want to restore in a previous state and
right-click on it.
2. From the drop-down menu select “Restore Previous Versions”. *
Notice* for Windows XP users: Select “Properties” and then the “Previous Versions” tab.
3. Then choose a particular version of folder or file and the press the:
• “Open” button to view the contents of that folder/file.
• “Copy” to copy this folder/file to another location on your computer (e.g. you external hard
drive).
• “Restore” to restore the folder file to the same location and replace the existing one.

23.
Removing Reveton
• Name- Trojan:W32/Reveton and Trojan:W32/Urausy
• Boot the system into 'Safe Mode with Command Prompt.'
• In the command prompt, type "regedit" and press Enter.
• Look for the following registry values and remove them.
For Reveton, delete the "ctfmon.exe" registry value from
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun

24.
For Urausy, delete the "shell" registry value from
HKEY_CURRENT_USERSoftwareMicrosoftWindowsNTCurrentVersionWinlogon
ONLY IF these two conditions are met:
1. The "shell" registry value is located under HKEY_CURRENT_USER and
Not “ HKEY_LOCAL_MACHINE”.
WARNING! Deleting the "shell" value if it is listed under HKEY_LOCAL_MACHINE may break the Windows system.
2. There is a reference to a .dat file (e.g. skype.dat) in the value data.
• Reboot the system again, this time into Normal mode.
• Finally, run a full computer scan to repair any remaining files.

25.
Conclusion
When it comes to malware attacks, knowledge is the best possible
weapon to prevent them. Be careful what you click!! Preventive
measures should be taken before ransomewares establish strong hold.
Keeping all the software updated and getting latest security updates
might help to prevent the attacks. Use of antivirus and original
software is highly recommended. Creating software restriction policy is
the best tool to prevent a Cryptolocker infection in the first place in
networks.

26.
References
• http://www.microsoft.com/security/resources/ransomware-whatis.aspx
• http://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx
• http://www.sophos.com/en-us/support/knowledgebase/119006.aspx
• http://us.norton.com/ransomware
• http://en.wikipedia.org/wiki/Ransomware
For details in removal and recovery solutions visit:
• http://www.wintips.org/how-to-remove-cryptolocker-ransomware-and-
restore-your-files/
• http://www.f-secure.com/en/web/labs_global/removal/removing-ransomware

27.
Thank You!!!