Ransomware and How to Protect Yourself
Originally Published in Korean at NewsTapa.org
Last week a large outbreak of ransomware infected major organizations in over 74 countries, with Russia and the UK hit the hardest [1]. At the time of this writing, it appears that at least one University Hospital in Korea has been infected with ransomware [2].
Ransomware is a type of computer virus that locks (encrypts) a user’s files. Ransomware authors usually leave a note demanding payment to unlock your data. Most of the time data cannot be recovered even if payment is made.
In 2015, Korea was labeled as “Low Risk” for ransomware infections [3]. However, Korean-language ransomware soon emerged, and the number of ransomware infections in Korea has been steadily increasing. The primary reason for this is that victims often pay attackers to try to have their data unlocked. Paying, however, does not usually recover the data, and it funds the attackers’ future ransomware campaigns and capabilities.
If you are a victim of ransomware
If you are already a victim of ransomware, do not pay the criminals. The chance of recovering your data is very low, even if you pay.
Ransomware is very complicated to investigate, and takes a lot of time. You can make a claim to the Korean National Police Agency, but they are unlikely to quickly find the criminals and cannot help you recover your data.
Visit the free service https://nomoreransom.org/ and follow the instructions. If the ransomware is known, this website will provide the decryption key. NoMoreRansom.org was founded by Europol, the Netherlands Police Agency, Kaspersky Lab and Intel Security. The Korean National Police Agency is a supporting partner.
If you need further assistance, contact the Legal Informatics and Forensic Science Institute at Hallym University in Chuncheon.
How to Protect Yourself
There are a few things you can do to help protect yourself (and your company) from ransomware. First, a large share of ransomware arrives in infected emails. Do not download and open files from people you do not know. If you must open files, like PDF documents, open them with Google Chrome.
Next, some ransomware (like the outbreak in Russia and the UK) exploits vulnerabilities in Windows. Make sure your computer has the latest security updates from Microsoft. Look for ‘Windows Update’, and make sure it is set to update your computer automatically. Also, make sure your antivirus program is set to receive updates automatically.
You should also be running the newest version of Windows (Windows 10). Windows 7 is out of mainstream support, and Windows 8 mainstream support ends in January 2018. Upgrade to Windows 10 if you have not yet done so.
Finally, and potentially the most difficult step: keep a backup of your files. If your files are backed up properly, ransomware doesn’t matter very much. Programs like Dropbox or Naver Cloud (Ndrive) automatically sync files with the server. The problem is that encrypted files will also be automatically synced to the server. Recovery of prior versions of uploaded files may be impossible.
Instead of using a real-time syncing service, use a backup solution like CrashPlan [4] to back up your data every day. CrashPlan supports file versions, so if encrypted files are backed up, you can still easily recover your old data. CrashPlan is free if you use your own hard drives. You can even back up to a friend’s computer. CrashPlan also has paid options, and their own secure cloud storage specifically for backups.¹
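The difference between real-time sync and a versioned daily backup, shown as a small Python sketch. This is an added example, not code from the original article and not how CrashPlan works internally; the function names, the storage layout (an objects folder plus one manifest per run) and the sample files are assumptions made for illustration. It goes one step beyond the text by also measuring how many files changed between two runs, since a sudden jump is a useful warning sign.

```python
import hashlib, json, shutil, tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def sync_mirror(src, mirror):
    """Real-time sync: the server copy is overwritten with whatever is on disk now."""
    shutil.copytree(src, mirror, dirs_exist_ok=True)

def versioned_backup(src, repo, label):
    """Daily backup: store each distinct file content once, plus a manifest per run."""
    (repo / "objects").mkdir(parents=True, exist_ok=True)
    manifest = {}
    for f in sorted(p for p in src.rglob("*") if p.is_file()):
        digest = sha256(f)
        if not (repo / "objects" / digest).exists():
            shutil.copyfile(f, repo / "objects" / digest)
        manifest[f.relative_to(src).as_posix()] = digest
    (repo / f"{label}.json").write_text(json.dumps(manifest))

def restore(repo, label, rel_path, dest):
    """Recover one file as it was at backup run `label`, verifying its hash first."""
    digest = json.loads((repo / f"{label}.json").read_text())[rel_path]
    if sha256(repo / "objects" / digest) != digest:
        raise ValueError("backup object is damaged")
    shutil.copyfile(repo / "objects" / digest, dest)
    return dest.read_bytes()

def changed_fraction(repo, old, new):
    """Share of previously backed-up files whose content differs in the newer run."""
    a = json.loads((repo / f"{old}.json").read_text())
    b = json.loads((repo / f"{new}.json").read_text())
    return sum(a[k] != b.get(k) for k in a) / len(a) if a else 0.0

def demo():
    """Constructed scenario: every document is overwritten between two backup runs."""
    with tempfile.TemporaryDirectory() as tmp:
        docs, mirror, repo = (Path(tmp) / n for n in ("docs", "mirror", "repo"))
        docs.mkdir()
        (docs / "report.txt").write_bytes(b"quarterly report")
        (docs / "notes.txt").write_bytes(b"meeting notes")
        sync_mirror(docs, mirror)
        versioned_backup(docs, repo, "day1")
        for f in docs.iterdir():  # constructed stand-in for files locked by ransomware
            f.write_bytes(b"\x00unreadable\x00")
        sync_mirror(docs, mirror)
        versioned_backup(docs, repo, "day2")
        return ((mirror / "report.txt").read_bytes(), changed_fraction(repo, "day1", "day2"),
                restore(repo, "day1", "report.txt", docs / "report.txt"))
```

Calling demo() returns the synced copy (now unreadable), the fraction of files that changed between the two runs, and the original report recovered from the first run.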
Keeping your computer up to date and backing up important files might seem annoying, but losing all your data is much more annoying. Take the time to protect yourself to avoid a huge loss later.
Korean translation by Sungmi Park.
[1] https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/
[2] http://www.cnbc.com/2017/05/13/reuters-america-asia-assesses-ransomware-assault-extent-may-not-be-known-until-monday.html
[3] https://securelist.com/analysis/kaspersky-security-bulletin/73038/kaspersky-security-bulletin-2015-overall-statistics-for-2015/
[4] https://www.crashplan.com
¹ The author uses CrashPlan as a backup service, and has no other connection with the company.