RANSOMWARE

 RANSOMWARE


Ransomware is a type of malicious software (malware) that encrypts a victim's files, systems, or networks, making them inaccessible. The attackers then demand a "ransom" payment, typically in cryptocurrency, in exchange for a decryption key that would supposedly restore access to the data.

First of all, let's go to set up the windows7 machine to explain the ransomware, for it we have to go to settings and we should activate Nat as you can see in below.

Now, we have to create files which will be encrypt with the ransomware as you can see  in the both pictures below.



In addition, we must go to web browser and search this URL which is where we have to search Tesla crypt as you can see below and we can see other link:

Now, we have to download the zip as you can see below.


In the next step we have to extract the file but we need a password which is infected.



Before  executing the virus we have to quit the Nat because, we don't want to deploy around the network as you can see below which the Not attached configuration.



Now we can  extract the ransomware which the password which is infected.



In this step we should use in the first file the extension .exe.


Now if we execute the file, we shouldn't be able to be access important files as you can see in the second picture below.




Ransomware Remediation and Prevention Strategies
Ransomware attacks can be devastating, so a multi-layered approach focusing on both prevention and rapid remediation is essential.
Prevention (Stopping Attacks Before They Happen):
  1. Regular Data Backups (and 3-2-1 Rule):
    • Description: This is your strongest defense. Regularly back up all critical data to an external drive or cloud storage.
    • 3-2-1 Rule: Keep 3 copies of your data, on 2 different storage types, with 1 copy kept off-site/offline (air-gapped). This prevents ransomware from encrypting your backups.
    • Why it helps: If attacked, you can wipe your systems and restore from clean backups without paying the ransom.
  2. Software Updates and Patching:
    • Description: Keep your operating systems (Windows, macOS, Linux), web browsers, antivirus software, and all other applications updated to the latest versions.
    • Why it helps: Attackers often exploit known vulnerabilities (bugs) in outdated software. Patches fix these weaknesses.
  3. Strong Endpoint Protection (Antivirus/Anti-malware/EDR):
    • Description: Use reputable antivirus, anti-malware, and Endpoint Detection and Response (EDR) solutions on all your devices. These tools can detect and block malicious activity.
    • Why it helps: They provide real-time protection against known ransomware variants and can often detect suspicious behavior even from new, unknown threats.
  4. Email Security and User Awareness Training:
    • Description: Be extremely cautious with emails, especially those with attachments or links from unknown or suspicious senders. Never click on suspicious links or open unverified attachments.
    • Why it helps: Phishing emails are a primary delivery method for ransomware. User education is crucial to recognizing and avoiding these traps.
  5. Multi-Factor Authentication (MFA):
    • Description: Enable MFA for all online accounts, especially for critical systems and remote access. This requires a second form of verification (like a code from your phone) in addition to a password.
    • Why it helps: Even if an attacker steals your password, they can't access your account without the second factor.
  6. Network Segmentation:
    • Description: Divide your network into smaller, isolated segments. Restrict traffic between these segments.
    • Why it helps: If ransomware infects one segment, it will be harder for it to spread laterally to other critical parts of your network.
  7. Principle of Least Privilege:
    • Description: Grant users and systems only the minimum necessary permissions to perform their tasks. Avoid giving administrative rights unnecessarily.
    • Why it helps: This limits the damage ransomware can do if an account is compromised, as it won't have widespread access.
  8. Disable Macros by Default:
    • Description: Many ransomware strains are delivered via malicious macros in Microsoft Office documents. Configure Office to disable macros by default or only allow digitally signed macros.
    • Why it helps: This significantly reduces a common attack vector.
  9. Web Filtering and DNS Security:
    • Description: Block access to known malicious websites and enforce safe Browse policies. Use DNS security services to prevent connections to command-and-control servers.
    • Why it helps: Prevents users from accidentally downloading malware or connecting to attacker infrastructure.
Remediation (Responding After an Attack):
  1. Isolate Infected Systems:
    • Description: Immediately disconnect any infected devices from the network (unplug Ethernet cables, disable Wi-Fi).
    • Why it helps: This prevents the ransomware from spreading to other computers or network shares.
  2. Incident Response Plan Activation:
    • Description: Have a pre-defined and tested incident response plan. This plan should outline roles, responsibilities, communication strategies, and technical steps for containment, eradication, and recovery.
    • Why it helps: A clear plan ensures a swift, coordinated, and effective response, minimizing downtime and damage.
  3. Secure Evidence and Notify Authorities:
    • Description: Collect logs, ransom notes, and any other indicators of compromise for forensic analysis. Notify relevant law enforcement agencies (e.g., local police, cybercrime units) and cybersecurity authorities.
    • Why it helps: Evidence can help in understanding the attack, identifying the perpetrators, and potentially aiding recovery efforts. Reporting helps authorities track and combat cybercrime.
  4. Do NOT Pay the Ransom (Generally Recommended):
    • Description: While tempting, paying the ransom offers no guarantee of data recovery and encourages further attacks. It also funds criminal organizations.
    • Why it helps: Relying on robust backups and recovery strategies is the preferred approach.
  5. Identify and Remove the Ransomware:
    • Description: Use your endpoint protection tools or specialized ransomware removal tools to identify and remove the malicious software from all affected systems.
    • Why it helps: Ensures that the threat is no longer active on your systems.
  6. Restore from Clean Backups:
    • Description: Once systems are clean, restore your data from your secure, uninfected backups.
    • Why it helps: This is the most reliable way to recover your data without paying the ransom.
  7. Post-Incident Review and Strengthen Defenses:
    • Description: After recovery, conduct a thorough analysis of how the attack occurred. Identify weaknesses in your security posture and implement stronger controls to prevent future incidents.
    • Why it helps: Learn from the incident to improve your overall cybersecurity resilience. This includes updating policies, improving training, and investing in new security technologies.
Thank you very much for reading this article

I hope you liked and learned something new

This article has been done with ethical proposes

Good Hack

Comments

Post a Comment

Entradas Populares

INTERNAL

Image
 INTERNAL(TRYHACKME) First of all, let's go execute nmap command to identify alives ports and version with this host 192.168.88.6 as you can see below. Key open ports and services include: Web Servers: Port 80 (HTTP):  Running  Apache2 Ubuntu Default Page . It supports  OPTIONS ,  TRACE  (flagged as potentially risky),  GET ,  HEAD , and  POST  methods. The webpage title is " INTERNAL ". SSH Protocol Port 22 (SSH): Running Linux . ┌──(root㉿kali)-[/home/luis/Descargas] └─# nmap -n -Pn -p- --min-rate 5000 -sC 10.10.216.78 -vvv Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-07 12:06 CEST NSE: Loaded 126 scripts for scanning. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 2) scan. Initiating NSE at 12:06 Completed NSE at 12:06, 0.00s elapsed NSE: Starting runlevel 2 (of 2) scan. Initiating NSE at 12:06 Completed NSE at 12:06, 0.00s elapsed Initiating SYN Stealth Scan at 12:06 Scanning 10.10.216.78 [65535 ports] Discove...
Read more »

TOR WEB BROWSER

Image
  TOR WEB BROWSER TOR INSTALLATION First of all; we're going to this link from the oficial webpage: https://www.torproject.org/es/download/   where we have to download this version our laptop, Windows and Linux but in my case I've had to download for Windows 10. When the program is installed we will press execute and we'll follow step by step:   We'll open and we'll see this image where you have to select the language and select ok to continue the instal l ation. In addition, we'll select the location wherever you want install the program, but in my case I prefer the default location and you'll able to select wherever you want. Now, we will be started the installation process and when it finished you will be able to see the picture below: TOR CONNECT If the process has been successful, you will be able to connect with the connect button which you can observe in both pictures below: ADD A BRIDGE ...
Read more »

activedirectory

Image
ACTIVEDIRECTORY (TRYHACKME) First of all, let’s go to execute nmap toolkit and we'll be able to start the enumeration of the ports as you can see below with this command: sudo nmap -n -Pn -p- --min-rate 5000 10.10.135.154 -vvv -sC -sV This revealed several open TCP ports with associated services, including: DNS (53),  HTTP  (80),  Kerberos (88),  RPC (135),  NetBIOS-SSN (139),  SMB (445),  RDP (3389),  WS-Management (5985)  LDAP (389, 636, 3268, 3269) Moreover, service and NSE script detection provided valuable information about the services running on these ports, such as IIS 10.0, Microsoft Windows Kerberos , Active Directory LDAP , and Microsoft Terminal Services . The SSL/TLS certificate information on port 3389 indicated the common name AttacktiveDirectory.spookysec.local, reinforcing the target as an Active Directory server. rdp-ntlm-info also provided details about the domain (THM-AD) and computer name (ATTACKTIVEDIREC) as you can se...
Read more »

PICKLE RICK

Image
  PICKLE RICK I'm going to realize the resolution of the machine Level Easy from Tryhackme called  Pickle Rick  which is a machine so easy to realize. First of all,  we can observe that in the picture bellow we have some inforamtion and I'm going to execute control +u  and we can see in the second picture below that we've obtained a  Username. I'm going to gathering information about machine and I have to enter in the Linux terminal and I must introduce this command which you canobserve in the picture below:   gobuster dir -u(url) http://10.10.99.188/ -w(password dictionary)  /usr/share/wordlist/dirb/common.txt -x (formato que quereos que busque) .txt*, .php, .login,  In this case, we can observe that scan has discovered this 4 webpages: /assests /denied.php /index.html /login.php /robots.txt Now, we can see such as the web page from /robots.txt   it seems the password in the picture below. Now, we've discovered this login web page...
Read more »

Metasploit Framework

Image
 METASPLOIT FRAMEWORK USE TO  AUXILIARY MODULE FROM METASPLOIT First of all, I have used the auxiliary modules from Metasploit-Framework which could allow me Scanning, see ports, SO version, vulnerability in applications etc, where you can see at the bottom of the picture if  I use this module whose name is: auxiliary/scanner/discovery/arp_sweep  (To verify the IPs listening in the network) Now, we can observe that when I have selected in the auxiliary module I have had to do this set up  that we can observe in the second page below: INTERFACE : This I've set up the network interface that in my case is the eth0 interface. RHOSTS :This I've set up the IP Address which I am finding out that in my case is 192.168.100.0/24 (all the IP Address from network that could be possible which I am analyzing). THREADS : Are the threads; it's the fast  that I want to analyze the IP Addresses but in my case there are 15 threads because I want to analize as fast as possible...
Read more »

HOSTING

Image
HOSTING First of all, let's go to hosting machine from active directory, for it  using arp-scan to discover active hosts on the local network, identifying 192.168.88.8 as you can see in below. ┌──(kali㉿kali)-[~] └─$ sudo arp-scan -I eth0 --localnet Interface: eth0, type: EN10MB, MAC: 08:00:27:43:73:bc, IPv4: 192.168.88.5 Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.88.1 d8:44:89:50:2d:a3 (Unknown) 192.168.88.8 08:00:27:98:d4:bf PCS Systemtechnik GmbH 192.168.88.9 00:e0:4c:69:66:4a REALTEK SEMICONDUCTOR CORP. 3 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.10.0: 256 hosts scanned in 2.075 seconds (123.37 hosts/sec). 3 responded ┌──(kali㉿kali)-[~] └─$ ping -c1 192.168.88.8 PING 192.168.88.8 (192.168.88.8) 56(84) bytes of data. 64 bytes from 192.168.88.8: icmp_seq=1 ttl=128...
Read more »

LOVE

Image
BUSCALOVE First of all, I am going to do this machine from cybersecurity labs called BuscaLove which is easy Level. For it, let’s go to open Linux terminal and we have to write the command when we can see in the picture below. cd Descargas In addition, we have to depress the unzip file whose name’s buscalove.zip you can see in the picture below. Now we have to deploy the vulnerability machine whose command is sudo bash auto_deploy.sh buscalove.tar we can see in the picture below. On the other hand, to start the attack at virtual machine, we must verify if the attacker machine is in the same range of IP Address and we have to introduce this command which is ping -c 3 172.18.0.2 we can see in the picture below. As I,ve just seen the IP Address it’s in the same range of my IP Address we have to introduce the command with nmap tool which is nmap -n -Pn 172.18.0.2 -p- - -min-rate 4000 -vvv( here you can see in this picture the scanner) but I’ve got it 2 ports: 22: open ssh 80: open http No...
Read more »

CHANGE MACHINE

Image
CHANGE  First of all, let's go to hosting machine from active directory, for it  using  arp-scan  to discover active hosts on the local network, identifying  192.168.88.8   as you can see in below . ┌──(root㉿kali)-[/home/luis] └─# arp-scan -I eth0 --localnet Interface: eth0, type: EN10MB, MAC: 08:00:27:4d:8a:0f, IPv4: 192.168.88.6 WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.88.1 d8:44:89:50:2d:a3 (Unknown) 192.168.88.4 00:e0:4c:97:01:a7 (Unknown) 192.168.88.5 00:d8:61:fa:c0:4a (Unknown) 192.168.88.7 08:00:27:b1:ae:9f (Unknown) 4 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.10.0: 256 hosts scanned in 1.848 seconds (138.53 hosts/sec). 4 responded Now, let's go execute nmap command to identify alives ports and version with this host  192.168.88...
Read more »