How to identify your ransomware infection to find the right decrypter tool

blog_main_gillespie


Infected with ransomware? Check out our step-by-step removal guide: HERE


How would you feel if you opened your computer to find it had been locked with a ransom note demanding cash immediately? Ransomware attacks are the most common online threat of 2016, making up a huge percentage of today’s active threats. It has turned out to be one of the easiest and highest income earners for attackers. All other malware makes its developers money indirectly (by using or selling your computer power), but a ransomware attack directly asks you (the victim) for cash by putting you in a situation in which you feel forced to pay (like restoring access to your system in exchange for a fee).

The Emsisoft team spends a lot of time looking for ways to prevent ransomware from finding it’s way onto your computer. But, what if your system has experienced an attack and is already infected? Don’t panic. Trying to identify ransomware yourself or downloading various solutions tools to attempt to unlock your system or device will only make matters worse. If you have ransomware, look no further.

Emsisoft is proud to support Malware Hunter Team, a group of researchers who share our commitment to protecting you and your data from attacks.

Malware Hunter Team does a great job of raising awareness of not only online threats themselves, but how to remove them if you find yourself the victim. What does this mean for you? If your computer is infected, you can identify the ransomware strain you have and find out if there is a decryption tool available.

We spoke with Michael Gillespie at Malware Hunter Team, the creator of ID Ransomware, the website that will help you to figure out what kind of ransomware you have been infected with based on the key signatures that can be found in the ransom note you receive. He walked us through how to identify ransomware families.

Who are Malware Hunter Team and what do they/you do?

Malware Hunter Team is basically a small group of security researchers interested in tracking down malware and promoting cyber security. They do a great job of hunting phishing sites and other threats on a daily basis. I recently joined the team with my ransomware research, and have been coordinating with them on tracking and identifying new threats.

I personally coordinate with ransomware victims and try to hunt down new samples, and help with reverse engineering when I can – with the goal of trying to decrypt if at all possible of course.

So, if you detect ransomware on your computer, what is the first thing you should do?

I would say the first step is definitely quarantining the system – for an organization this may include finding the affected system. The system should be either shutdown, or put in ‘hibernate’ if possible. From there, the threat needs to be identified just like any other malware infection.

And that’s where you guys come in? My understanding is you specialise in working out what type of malware a user has?

Yes. Answering the question, “which ransomware do I have?” can sometimes be the tricky part, especially lately with new strains mimicking others, or flying under the radar.

With so many families and new strains, how do you identify ransomware? I saw you have 100’s that can be decrypted for free through your site.

Trying to identify ransomware is the hard part. In general, we’ll classify them by the symptoms – what extension does it use, what ransom note is left, etc. Sometimes we do have to get more technical with ransomware identification to recognize if it is the same author based on their coding style, or certain strings left in the malware.

And for a user, for example, they have a ransom lockout screen, they go to your site, what would they need to do? What is the process?

I’ve tried to make ID Ransomware as simple as possible for the user. They simply upload a ransom note left by the malware, and one of their encrypted files (I recommend something not confidential), and the website will use several methods of trying to identify which ransomware it is. If it is a positive match, it will provide an easy status on “can it be decrypted”, since that is the #1 thought to a victim at that time. It then gives a link to more information either way so they can learn more about what hit them, and possibly find how it came in in the first place.

I use a few techniques to identify by the filename of the ransom note, certain known email addresses or BitCoin addresses in the note, the pattern of the encrypted file’s name (e.g. a certain added extension), and even some hex patterns that some ransomware leave in the files. I also have some custom “plugins” for a few more advanced techniques, such as detecting an embedded image in one certain strain.

With the amount of work that goes into it. Why do you offer the service for free?

Part of it is inspiration from other volunteers in the area. I get most of my information from sources such as victims, Twitter, and Emsisoft Malware Lab. Also, I don’t want to hold a ransom on helping someone decrypt their files – that makes me no better than the criminals in some sense. The information itself should be free to all.

It seems like the appearance of ransomware is increasing constantly. What does the future of malware look like in your opinion?

I definitely see it becoming more and more of a threat in all sectors as we are seeing with the Internet of Things, and how insecure devices are found to be from the factory. In just the past year I’ve been involved with this, I’ve seen a lot of adaptations and “creativity”. We have recent ransomware we discovered that mimics a Windows Update while it encrypts, one that also creates a backdoor to the system, one that uploads passwords, etc. Malware authors are bundling more features together into one package it seems.

How should people best protect themselves?

The best protection is definitely awareness of what you are clicking on. Having good anti-malware protection is a great step, but knowing how to use it, and how to not HAVE to use it. I want to bluntly say “common sense” when it comes to what you are doing online and what you are trusting to run on your computer.

I also want to say BACKUPS BACKUPS BACKUPS. (The Emsisoft Team explored this in a recent article ‘Prevent Ransomware – Backup!’)

blog_content_breaker_gillespie

Which types of ransomwares are detected in ID Ransomware?

This service currently detects 358 different ransomwares. Here is a complete, dynamic list of what is currently detected:

777, 7ev3n, 7h9r, 7zipper, 8lock8, ACCDFISA v2.0, AdamLocker, AES_KEY_GEN_ASSIST, AES-NI, Al-Namrood, Al-Namrood 2.0, Alcatraz, Alfa, Alma Locker, Alpha, AMBA, AnDROid, AngryDuck, Anubis, Apocalypse, Apocalypse (New Variant), ApocalypseVM, ASN1 Encoder, AutoLocky, AxCrypter, BadBlock, BadEncript, BandarChor, BankAccountSummary, Bart, Bart v2.0, BitCrypt, BitCrypt 2.0, BitCryptor, BitStak, Black Feather, Black Shades, Blocatto, Booyah, BrainCrypt, Brazilian Ransomware, BTCamant, Bucbi, BuyUnlockCode, Cancer, Cerber, Cerber 2.0, Cerber 3.0, Cerber 4.0 / 5.0, CerberTear, Chimera, CHIP, CockBlocker, Coin Locker, CoinVault, Comrade Circle, Coverton, Cradle, Cripton, CrptXXX, Cry9, Cryakl, CryFile, CryLocker, CrypMic, CrypMic, Crypren, Crypt0, Crypt0L0cker, Crypt38, CryptConsole, CryptFuck, CryptInfinite, CryptoDefense, CryptoDevil, CryptoFinancial, CryptoFortress, CryptoHasYou, CryptoHitman, CryptoJacky, CryptoJoker, CryptoLocker3, CryptoLockerEU, CryptoLuck, CryptoMix, CryptoMix Revenge, CryptON, Crypton, CryptorBit, CryptoRoger, CryptoShield, CryptoShocker, CryptoTorLocker, CryptoWall 2.0, CryptoWall 3.0, CryptoWall 4.0, CryptoWire, CryptXXX, CryptXXX 2.0, CryptXXX 3.0, CryptXXX 4.0, CryPy, CrySiS, CTB-Faker, CTB-Locker, Damage, Deadly, DEDCryptor, DeriaLock, Dharma (.dharma), Dharma (.wallet), Digisom, DirtyDecrypt, DMA Locker, DMA Locker 3.0, DMA Locker 4.0, DMALocker Imposter, Domino, Done, DoNotChange, DXXD, DynA-Crypt, ECLR Ransomware, EdgeLocker, EduCrypt, El Polocker, EncrypTile, EncryptoJJS, Encryptor RaaS, Enigma, Enjey Crypter, EnkripsiPC, Erebus, Evil, Exotic, Fabiansomware, Fadesoft, Fantom, FenixLocker, FindZip, FireCrypt, FLKR, Flyper, FS0ciety, FuckSociety, FunFact, GC47, GhostCrypt, Globe, Globe (Broken), Globe3, GlobeImposter, GlobeImposter 2.0, GOG, GoldenEye, Gomasom, GPCode, GX40, HadesLocker, HappyDayzz, Heimdall, Help50, HelpDCFile, Herbst, Hermes, Hermes 2.0, Hi Buddy!, HollyCrypt, HolyCrypt, Hucky, HydraCrypt, IFN643, iRansom, Ishtar, Jack.Pot, Jager, JapanLocker, Jigsaw, Jigsaw (Updated), JobCrypter, JuicyLemon, Kaenlupuf, Karma, Karmen, Kasiski, KawaiiLocker, KeRanger, KeyBTC, KEYHolder, KillerLocker, KimcilWare, Kirk, Kolobo, Kostya, Kozy.Jozy, Kraken, KratosCrypt, Krider, Kriptovor, KryptoLocker, L33TAF Locker, LambdaLocker, LeChiffre, LLTP, LMAOxUS, Lock2017, Lock93, Locked-In, LockLock, Locky, Lortok, LoveServer, LowLevel04, MafiaWare, Magic, Maktub Locker, Marlboro, MarsJoke, Matrix, Meteoritan, MirCop, MireWare, Mischa, MNS CryptoLocker, Mobef, MOTD, MRCR1, n1n1n1, NanoLocker, NCrypt, NegozI, Nemucod, Nemucod-7z, Netix, Nhtnwcuf, NMoreira, NMoreira 2.0, NotAHero, Nuke, NullByte, NxRansomware, ODCODC, One, OpenToYou, OzozaLocker, PadCrypt, PayDay, PaySafeGen, PClock, PClock (Updated), Philadelphia, Pickles, PopCornTime, Potato, PowerLocky, PowerShell Locker, PowerWare, Pr0tector, PrincessLocker, PrincessLocker 2.0, Project34, Protected Ransomware, PyL33T, R980, RAA-SEP, Radamant, Radamant v2.1, RanRan, RansomCuck, RansomPlus, RarVault, Razy, REKTLocker, RemindMe, RenLocker, RensenWare, Roga, Rokku, RoshaLock, RotorCrypt, Roza, Russian EDA2, SADStory, Sage 2.0, Salsa, SamSam, Sanction, Sanctions, Satan, Satana, SerbRansom, Serpent, ShellLocker, Shigo, ShinoLocker, Shujin, Simple_Encoder, Smrss32, SNSLocker, Spora, Sport, SQ_, Stampado, SuperCrypt, Surprise, SZFLocker, Team XRat, Telecrypt, TeslaCrypt 0.x, TeslaCrypt 2.x, TeslaCrypt 3.0, TeslaCrypt 4.0, TowerWeb, ToxCrypt, Trojan.Encoder.6491, Troldesh / Shade, TrueCrypter, TrumpLocker, UCCU, UmbreCrypt, UnblockUPC, Ungluk, Unknown Crypted, Unknown Lock, Unknown XTBL, Unlock26, Unlock92, Unlock92 2.0, UserFilesLocker, USR0, Uyari, V8Locker, VaultCrypt, VenisRansomware, VenusLocker, VindowsLocker, Vortex, VxLock, WannaCryptor, WildFire Locker, Winnix Cryptor, WinRarer, WonderCrypter, X Locker 5.0, XCrypt, Xorist, Xort, XRTN, XTP Locker 5.0, XYZWare, YouAreFucked, YourRansom, zCrypt, Zekwacrypt, ZeroCrypt, ZimbraCryptor, ZinoCrypt, Zyklon

If you have been infected by ransomware head straight to our complete Ransomware Removal Guide.

If you want to learn more about Malware Hunter Team you can visit them at malwarehunterteam.com.

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial

Have a great (malware-free) day!

Senan Conrad

Senan Conrad

Senan specializes in giving readers insight into the constantly and rapidly changing world of cybersecurity. When he’s not tapping away at his keyboard, he enjoys drinking a good coffee or tinkering in his workshop.

What to read next