Questions tagged [ransomware]
Ransomware is a kind of malware that encrypts the victim's files (or locks the system) and holds them hostage, offering the decryption key only if the victim pays the extortionist (well-known variants include the FBI Virus and the Police Virus).
291 questions
16 votes
4 answers
4k views
"Immutable backups": an important protection against ransomware or yet another marketing product?
I'm seeing more and more cloud service providers advertising what would be "Immutable backups" and calling alternatives "Legacy backups". (see Immutable backup on search engines) ...
0 votes
0 answers
384 views
How does ransomware store its decryption keys? [duplicate]
I've recently got into cyber security and really got into malware, more specifically, ransomware. While studying some of the strongest ransomware ever (example: WannaCrypt, CryptoLocker, etc...) I've ...
0 votes
1 answer
219 views
Why does ransomware generate the keypair on the victim?
I read this answer Ransomware encryption keys and understood how WannaCry works. But I still have a question: as I understand, the hacker will put the hacker's RSA public key in the malware, the ...
0 votes
0 answers
150 views
Very frequent calls to same Windows API function by malware
Here I have a malware sample that calls RegQueryValueEx quite frequently, without any time interruption. And as we can see, the result is quite often "BUFFER OVERFLOW". In another topic I ...
0 votes
2 answers
347 views
Why don't we sandbox email clients company-wide?
Following on to questions like Sandbox for attachment assessment and How do I safely inspect a suspicious email attachment?. Why don't we sandbox email clients company-wide? I must be missing ...
0 votes
0 answers
431 views
Sophos Home blocks explorer.exe from encrypting several files (ransomware?)
Here's what happened: I was transferring a quite large number of small files (.CSV, .PNG above all) from an old USB stick that never gave me any problem from one (allegedly safe) laptop (win10, win ...
0 votes
1 answer
225 views
Why does some ransomware add padding to headers?
Does anyone know why some ransomware families (e.g. Cuba but also Phobos if I am not mistaken) pad the file header to get to 1024 bytes? I mean what would be a reason for the ransomware developer to ...
0 votes
0 answers
795 views
Why did the WannaCry ransomware kill switch check whether it was within a virtual environment in this manner?
I have been researching the WannaCry ransomware, and have seen an example of the kill switch within Ghidra. What baffles me is, why did they implement the kill switch as a web domain instead of any ...
1 vote
1 answer
2k views
How to decrypt LockBit encrypted files
I've got an emergency on my PC. I remotely connected to it using Remote Desktop Connection a couple of days ago and I worked on my PC for a while and logged off. Later, when I went to log back on, I ...
0 votes
2 answers
203 views
Why does ransomware infect all computers in the company's network except one?
If the cybercriminal succeeded in gaining a foothold in the company's network, why are the whole network and other computers infected with ransomware except the one on which he gained a foothold?
2 votes
1 answer
196 views
How to make sure that your backups are not encrypted?
Say a ransomware encrypts your database but hides the fact (by secretly decrypting everything you ask for). Then your backups become rubbish once the attacker deletes the key. What are good measures ...
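One concrete measure for the scenario above, as an added example that is not part of the question: restore the backup onto an isolated host and check the restored bytes there, where the ransomware's transparent decryption on the live system cannot help. The Go program below is example code written for this page, not anything from the question or an answer; the extension-to-magic table, the 7.2 bits/byte entropy threshold and the function names (`VerifyRestoredFile`, `SampleBackups`) are assumptions, and the restore set it checks is constructed inline. It also covers the case where only the file body is encrypted and the original header is kept, which a magic-number check alone would pass.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"math"
	"path"
	"strings"
)

// expectedMagic maps extensions to the bytes a healthy file must start with
// (assumed set; extend it for the formats in your own backups).
var expectedMagic = map[string][]byte{
	".sqlite": []byte("SQLite format 3\x00"),
	".png":    []byte("\x89PNG\r\n\x1a\n"),
	".gz":     {0x1f, 0x8b},
}

// Formats that are high-entropy by design; test those after decompression or
// parsing, not by raw byte statistics.
var compressedExt = map[string]bool{".gz": true, ".png": true}

// entropyLimit is an assumed threshold in bits per byte: plain databases, CSV
// and SQL dumps sit far below it, ciphertext sits just under 8.
const entropyLimit = 7.2

type Verdict struct {
	Name       string
	MagicOK    bool
	Entropy    float64
	Suspicious bool
	Reason     string
}

// shannonEntropy returns the byte entropy of b in bits per byte (0..8).
func shannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h := 0.0
	for _, n := range counts {
		if n > 0 {
			p := float64(n) / float64(len(b))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// looksLikeText accepts files without a magic number only if they are
// overwhelmingly printable ASCII (CSV, SQL dumps, logs).
func looksLikeText(b []byte) bool {
	printable := 0
	for _, c := range b {
		if c == '\n' || c == '\r' || c == '\t' || (c >= 0x20 && c < 0x7f) {
			printable++
		}
	}
	return len(b) > 0 && float64(printable) >= 0.95*float64(len(b))
}

// VerifyRestoredFile inspects one file restored from backup onto an isolated
// host; it never consults the live system's (possibly lying) view of the data.
func VerifyRestoredFile(name string, data []byte) Verdict {
	ext := strings.ToLower(path.Ext(name))
	v := Verdict{Name: name, Entropy: shannonEntropy(data)}
	if magic, ok := expectedMagic[ext]; ok {
		v.MagicOK = bytes.HasPrefix(data, magic)
	} else {
		v.MagicOK = looksLikeText(data)
	}
	switch {
	case !v.MagicOK:
		v.Suspicious, v.Reason = true, "header does not match the expected format"
	case !compressedExt[ext] && v.Entropy > entropyLimit:
		// Catches an encrypted body behind an intact original header.
		v.Suspicious, v.Reason = true, fmt.Sprintf("entropy %.2f bits/byte on an uncompressed format", v.Entropy)
	}
	return v
}

// pseudoCiphertext builds deterministic high-entropy bytes that stand in for an
// encrypted file (constructed for this example, not real ransomware output).
func pseudoCiphertext(n int) []byte {
	out := make([]byte, 0, n+32)
	seed := sha256.Sum256([]byte("constructed ciphertext"))
	for len(out) < n {
		seed = sha256.Sum256(seed[:])
		out = append(out, seed[:]...)
	}
	return out[:n]
}

// SampleBackups is a constructed restore set: healthy files, files whose bytes
// were wholly replaced by ciphertext, and one with its header left intact.
func SampleBackups() map[string][]byte {
	header := []byte("SQLite format 3\x00")
	db := append(append([]byte{}, header...), bytes.Repeat([]byte("id,name,amount\n"), 200)...)
	csv := bytes.Repeat([]byte("2024-01-02,order,19.99\n"), 100)
	return map[string][]byte{
		"good/orders.sqlite":    db,
		"good/report.csv":       csv,
		"bad/orders.sqlite":     pseudoCiphertext(len(db)),
		"bad/report.csv":        pseudoCiphertext(len(csv)),
		"bad/keptheader.sqlite": append(append([]byte{}, header...), pseudoCiphertext(4000)...),
	}
}

func main() {
	for name, data := range SampleBackups() {
		v := VerifyRestoredFile(name, data)
		fmt.Printf("%-24s magic=%-5v entropy=%.2f suspicious=%-5v %s\n", name, v.MagicOK, v.Entropy, v.Suspicious, v.Reason)
	}
}
```

Byte statistics are a cheap first pass, not a proof: the stronger check is to actually open the restored database with its own engine on the isolated host and run a query whose answer you know, and to do this on a schedule so a silently poisoned backup is caught while an older clean generation still exists.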
14 votes
1 answer
4k views
If a ransomware is currently encrypting my files, should I power off my computer?
I wondered what to do if there is a currently ongoing ransomware execution on my computer. Assuming that I'm "spotting" it while it is encrypting my files, should I power my computer off? I ...
1 vote
0 answers
660 views
API hooking with Microsoft Detours
I want to hook certain API calls, e.g. CreateFile (or NtCreateFile if I hook ntdll.dll), but there are some issues. I can use several methods to achieve this goal, e.g. DLL injection, Inline hooking ...
0 votes
1 answer
295 views
How does Ransomware encrypt files? [duplicate]
I have a question about how ransomware works. According to the authors of this paper: https://www.cise.ufl.edu/~traynor/papers/scaife-icdcs16.pdf (page 2 - 3) , class C is: ransomware reads the ...
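The questions above about key storage, about why a keypair is generated on the victim, and about how files are encrypted all concern one hybrid key hierarchy. The Go program below is an added example written for this page, not code from any of the questions, from WannaCry or from any real sample: it models the hierarchy on in-memory byte slices only and touches no files. The names (`Envelope`, `sealTo`, `openWith`, `runVictimSide`, `recoverFiles`, `Demo`), the choice of RSA-2048 with OAEP plus AES-256-GCM, and the sample data are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Envelope is one hybrid-encrypted payload: a fresh AES-256 key encrypted with
// RSA-OAEP to a public key, plus the payload under AES-256-GCM. The same shape
// serves "file key -> victim public key" and "victim private key -> attacker public key".
type Envelope struct {
	WrappedKey, Nonce, Ciphertext []byte
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// sealTo needs only the recipient's public key, so nothing secret has to remain on the sealing machine.
func sealTo(pub *rsa.PublicKey, payload []byte) (*Envelope, error) {
	random := make([]byte, 44) // 32-byte AES key followed by a 12-byte GCM nonce
	if _, err := rand.Read(random); err != nil { return nil, err }
	key, nonce := random[:32], random[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil { return nil, err }
	aead, err := gcm(key)
	if err != nil { return nil, err }
	return &Envelope{wrapped, nonce, aead.Seal(nil, nonce, payload, nil)}, nil
}

// openWith reverses sealTo and fails unless priv matches the sealing key.
func openWith(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil { return nil, err }
	aead, err := gcm(key)
	if err != nil { return nil, err }
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// VictimState is what remains on the host: no victim private key in the clear, no per-file AES key.
type VictimState struct {
	VictimPub         *rsa.PublicKey
	WrappedVictimPriv *Envelope            // opens only with the attacker private key
	Files             map[string]*Envelope // one AES key per file, sealed to VictimPub
}

// runVictimSide models the victim-side steps on in-memory bytes: make a per-victim
// keypair, seal its private half to the attacker, seal each file to the victim public key.
func runVictimSide(attackerPub *rsa.PublicKey, files map[string][]byte) (*VictimState, error) {
	victimPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	wrappedPriv, err := sealTo(attackerPub, x509.MarshalPKCS1PrivateKey(victimPriv))
	if err != nil { return nil, err }
	st := &VictimState{&victimPriv.PublicKey, wrappedPriv, map[string]*Envelope{}}
	for name, data := range files {
		if st.Files[name], err = sealTo(st.VictimPub, data); err != nil { return nil, err }
	}
	return st, nil // victimPriv goes out of scope here; real samples overwrite it
}

// recoverFiles is the decryptor's path: attacker private key -> victim private key -> per-file keys.
func recoverFiles(attackerPriv *rsa.PrivateKey, st *VictimState) (map[string][]byte, error) {
	der, err := openWith(attackerPriv, st.WrappedVictimPriv)
	if err != nil { return nil, err }
	victimPriv, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil { return nil, err }
	out := map[string][]byte{}
	for name, env := range st.Files {
		if out[name], err = openWith(victimPriv, env); err != nil { return nil, err }
	}
	return out, nil
}

// Demo runs the model on constructed data and returns the recovered files plus
// whether the attacker key opened a file envelope directly (it cannot: files are
// sealed to the victim key, so the attacker must go via the wrapped victim private key).
func Demo() (map[string][]byte, bool, error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048) // made offline, never present on the victim
	if err != nil { return nil, false, err }
	files := map[string][]byte{"notes.txt": []byte("constructed sample data"), "ledger.csv": []byte("id,amount\n1,10\n")}
	st, err := runVictimSide(&attacker.PublicKey, files)
	if err != nil { return nil, false, err }
	_, directErr := openWith(attacker, st.Files["notes.txt"])
	recovered, err := recoverFiles(attacker, st)
	return recovered, directErr == nil, err
}

func main() {
	recovered, direct, err := Demo()
	fmt.Println(len(recovered), "files recovered; attacker key opened a file directly:", direct, "; err:", err)
}
```

The structure answers the "why a keypair on the victim" question directly: sealing a file needs only a public key, so the victim private key can be wrapped to the attacker and discarded before the first file is touched, and a memory image taken after that point yields nothing usable. The attacker's own private key never has to exist on the victim, and handing over one unwrapped victim private key unlocks every file of that victim and no other. For a responder, the recoverable artefacts are the wrapped private key and the public key; without the attacker's key, the only route is memory captured while the private key (or the primes behind it) was still resident.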
4 votes
1 answer
1k views
Where can I find the launcher for this virus that uses PowerShell?
On my Windows 10 PC after about 30 minutes of being turned on I always get a PowerShell window that immediately hides and consumes a lot of RAM. So I went to the PowerShell directory: "C:\Windows\...