Saturday, March 14, 2015

Your files are encrypted!!! Pay the Ransom!!

Ransomware - Pay or lose all your files.

Ransomware is malware that encrypts the files on a system and demands that a ransom be paid within a stated deadline in exchange for the decryption key.

Ransomware spreads to victims by email or through botnets. The malware is sent as an attachment in an email or delivered as a "drive-by download" by a malicious website.
Once the malware is downloaded onto the system, it installs itself in the background. It then creates a "system id" by hashing system configuration parameters, so that the id is unique to each system the malware infects. Next it tries to connect to a command-and-control (C&C) server controlled by the attacker or the malware's author. It sends the "system id" to the C&C server, which generates a public/private key pair for that system and stores it on the server. The public key is sent back to the malware on the infected system.
The malware uses the public key to encrypt all the files with .pdf, .jpg and .doc extensions on the system. Once the encryption is done, the malware shows an alert saying "All the files are encrypted." and that the ransom has to be paid within the stated time; otherwise the decryption key held on the remote server will be deleted and all the files will be lost forever.
If other systems are connected to the infected system, the whole infrastructure can be compromised and encrypted.
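A defender-side check that follows from the workflow above, written here as an added example and not code from the original post: once the malware has encrypted .pdf, .jpg and .doc files in place, their headers no longer match their extensions and their leading bytes look random. The entropy threshold, the header table and the sample files are assumptions and constructed data.

```python
import math
import os
import tempfile
from collections import Counter
# Header bytes normally carried by the three extensions the post names;
# a file encrypted in place no longer starts with them.
MAGIC = {
    ".pdf": [b"%PDF"],
    ".jpg": [b"\xff\xd8\xff"],
    ".doc": [b"\xd0\xcf\x11\xe0"],  # OLE2 compound document header
}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path: str, sample_size: int = 4096) -> bool:
    """True when the header no longer matches the extension and the leading bytes
    look random; 7.5 is an assumed cut-off, so a misnamed plain-text file is not flagged."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return False
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if any(head.startswith(m) for m in MAGIC[ext]):
        return False  # header intact, so not encrypted in place
    return shannon_entropy(head) > 7.5

def scan(directory: str) -> list:
    """Sorted relative paths of suspicious files under directory."""
    return sorted(
        os.path.relpath(os.path.join(r, f), directory)
        for r, _, fs in os.walk(directory) for f in fs
        if looks_encrypted(os.path.join(r, f))
    )

def demo() -> list:
    """Constructed sample files; only photo.jpg should be flagged."""
    samples = {
        "report.pdf": b"%PDF-1.4\n" + b"plain sample document text " * 100,
        "notes.doc": b"just text saved with a .doc extension\n" * 40,
        "photo.jpg": os.urandom(4096),  # stands in for ciphertext
    }
    d = tempfile.mkdtemp()
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return scan(d)
```

Running `scan()` against a real document share on a schedule gives an early signal that files are being encrypted, before the ransom alert appears; a legitimate file whose header simply differs from the table is excluded by the entropy test rather than the header test alone.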

Once the system is compromised, there is no way to get the files back other than obtaining the decryption key.
Over time, malware has evolved alongside anti-virus and anti-malware protections. Ransomware families have been refined to stay hidden and to be country-specific, target-specific, and so on.
The most commonly known ransomware families are CryptoLocker, CryptoWall and CTB.

More on the specifics of malware analysis and detection in the next post!

In security, what is trending today soon becomes obsolete!!!!