The government of India has issued a ‘Virus Alert’ via the Indian Computer Emergency Response Team (CERT-In) after a new type of ransomware was found spreading through email. The ransomware targets Windows computers; once the payload is delivered it locks the PC remotely and demands money from the user. For those unaware, ransomware is a type of sophisticated malware that locks the entire system or important files and then extorts the user into transferring money (typically in Bitcoin). If the user does not pay the ransom, the files are usually deleted or the PC may be rendered unusable.
CERT-In in its latest advisory warned about the ransomware, called Diavol. According to the advisory, this ransomware is compiled with the Microsoft Visual C/C++ compiler. “It is encrypting files using user-mode Asynchronous Procedure Calls (APCs) with an asymmetric encryption algorithm,” it said.
How does the new Diavol ransomware operate
As per CERT-In, the Diavol malware has been spreading via email containing a link to OneDrive. The OneDrive link directs the user to download a zipped file that includes an ISO file containing a LNK file and a DLL. Once the ISO is opened (mounted) on the user's system, the LNK file, masquerading as a document, entices the user to click/open it. Once the user executes the LNK file, the malware infection is initiated.
What happens after Diavol ransomware infects a PC
After the Diavol malware infects a PC, it carries out pre-processing on the victim system, including registering the victim device with a remote server, terminating running processes, finding local drives and files on the system to encrypt, and preventing recovery by deleting shadow copies. Then the files are locked and the desktop wallpaper is replaced with a ransom message.
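The delivery chain (a LNK inside a mounted ISO, opened by the user) and the pre-processing step (shadow copy deletion) both leave traces in process-creation telemetry. The following detector is an added example written for this article, not code from CERT-In or from the advisory. It runs two rules over constructed, Sysmon-style process events: shadow copies being deleted through the common `vssadmin delete shadows` and `wmic shadowcopy delete` commands (the advisory names the behaviour, not the commands, so those are assumed), and `rundll32.exe` being launched from Explorer (a user double-click, as a LNK lure would produce) with a DLL that does not live under a trusted system directory. The event data, drive letter `E:` and DLL name are constructed for the example.

```python
"""Behavioural detection for Diavol-style pre-processing (added example, not from the advisory)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record with Sysmon Event ID 1 style fields."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample events for this example; not real telemetry.
SAMPLE_EVENTS = [
    # Benign: the user opens a real document from Explorer.
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" "C:\Users\alice\Documents\notes.docx"'),
    # Suspicious (assumed shape): a LNK opened from a mounted ISO on E: runs rundll32 on the DLL beside it.
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\rundll32.exe",
                 r'"C:\Windows\System32\rundll32.exe" E:\Document.dll,Start'),
    # Suspicious: shadow copies deleted to block recovery (two common command forms).
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\loader.exe",
                 r"C:\Windows\System32\vssadmin.exe",
                 r"vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\loader.exe",
                 r"C:\Windows\System32\wbem\WMIC.exe",
                 r"wmic shadowcopy delete"),
    # Benign: listing shadow copies is administration, not deletion.
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\vssadmin.exe",
                 r"vssadmin.exe list shadows"),
]

# Rule 1: shadow copy deletion via vssadmin or wmic.
SHADOW_DELETE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)

# Rule 2: the first argument rundll32 receives (the DLL path), captured up to a space, quote or comma.
RUNDLL_DLL_ARG = re.compile(r'rundll32(\.exe)?"?\s+"?([A-Za-z]:\\[^\s",]+)', re.I)

# DLLs loaded from these locations are treated as expected; anything else is worth a look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_trusted_path(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def detect(events):
    """Return (rule_name, event) pairs for every event that trips a rule."""
    findings = []
    for ev in events:
        if SHADOW_DELETE.search(ev.command_line):
            findings.append(("shadow_copy_deletion", ev))
        m = RUNDLL_DLL_ARG.search(ev.command_line)
        if (m and ev.parent_image.lower().endswith("\\explorer.exe")
                and not is_trusted_path(m.group(2))):
            findings.append(("rundll32_untrusted_dll_from_explorer", ev))
    return findings


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {ev.image} :: {ev.command_line}")
```

Running the block prints three hits: the rundll32 launch from E: and the two shadow-copy deletions; the Word launch and the `vssadmin list shadows` command pass. The trusted-prefix heuristic in rule 2 is deliberately simple and should be tuned per environment, since some legitimate installers also invoke rundll32 on DLLs in user-writable paths.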
“Diavol also lacks any obfuscation as it doesn’t use packing or anti-disassembly tricks, but it still manages to make analysis harder by storing its main routines within bitmap images. When executing on a compromised machine, the ransomware extracts the code from the images’ PE resource section and loads it within a buffer with execution permissions,” it added.
How to stay safe from Diavol ransomware
To stay safe from this ransomware, it is crucial that users update software and operating systems with the latest patches. Scan all incoming and outgoing emails to detect threats, and filter executable files so that they never reach end users.
Other methods include network segmentation and segregation into security zones, which help protect sensitive information and critical services. Separate the administrative network from business processes with physical controls and Virtual Local Area Networks (VLANs).
“Restrict users’ permissions to install and run software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through a network. Configure firewalls to block access to known malicious IP addresses. Users are advised to disable their RDP if not in use, if required it should be placed behind the firewall and users are to bind with proper policies while using the RDP,” said CERT-In.
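The advice to filter executable files out of email maps directly onto the delivery chain described earlier: a zip wrapping an ISO that carries a LNK and a DLL. The following mail-gateway style filter is an added example written for this article, not code from CERT-In. It walks a zip attachment (recursing into nested zips up to a fixed depth, using only the Python standard library) and flags disk-image containers, executable-type members, and document-name double extensions such as `Invoice.pdf.lnk`. It does not parse the ISO itself; the ISO is blocked as a container before its contents matter. The attachment bytes, member names and extension lists are constructed for the example and should be tuned to local policy.

```python
"""Zip attachment filter for disk-image and executable lures (added example, not CERT-In code)."""
import io
import zipfile
from pathlib import PureWindowsPath

# Constructed policy lists for the example; extend to match local policy.
DISK_IMAGE_EXT = {".iso", ".img", ".vhd", ".vhdx"}
EXECUTABLE_EXT = {".exe", ".dll", ".lnk", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1", ".msi"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
MAX_NESTING = 3  # nested zips deeper than this are blocked outright


def classify_name(name: str):
    """Return the policy reasons (possibly none) for blocking a member with this file name."""
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    reasons = []
    if not suffixes:
        return reasons
    last = suffixes[-1]
    if last in DISK_IMAGE_EXT:
        reasons.append("disk-image container")
    if last in EXECUTABLE_EXT:
        reasons.append("executable-type file")
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXT and last in EXECUTABLE_EXT:
        reasons.append("double extension masquerading as a document")
    return reasons


def inspect_zip(data: bytes, depth: int = 0, prefix: str = ""):
    """Return (member path, reason) findings for a zip attachment, recursing into nested zips."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = prefix + info.filename
            for reason in classify_name(info.filename):
                findings.append((member, reason))
            if info.filename.lower().endswith(".zip"):
                if depth + 1 >= MAX_NESTING:
                    findings.append((member, "zip nesting exceeds policy depth"))
                else:
                    findings.extend(inspect_zip(zf.read(info), depth + 1, member + "!"))
    return findings


def should_block(data: bytes) -> bool:
    """A gateway decision: block the attachment if any finding was raised."""
    return bool(inspect_zip(data))


def _zip_of(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_lure_zip() -> bytes:
    """Constructed lookalike of the described delivery: a zip wrapping an ISO (stub bytes, not a real image)."""
    return _zip_of({"Invoice_2021.iso": b"CD001-stub-not-a-real-iso",
                    "Statement.pdf.lnk": b"stub-shortcut"})


def build_benign_zip() -> bytes:
    """Constructed benign attachment: documents, plus a nested zip of documents."""
    inner = _zip_of({"q3/report.pdf": b"%PDF-stub", "q3/photo.jpg": b"JFIF-stub"})
    return _zip_of({"notes.docx": b"PK-stub", "archive.zip": inner})


if __name__ == "__main__":
    for label, blob in (("lure", build_lure_zip()), ("benign", build_benign_zip())):
        print(label, "blocked" if should_block(blob) else "allowed", inspect_zip(blob))
```

The lure zip is blocked on two grounds (the ISO container and the double-extension LNK), while the benign zip, nested archive included, passes. In production the same walk should also cap total uncompressed size per archive so a decompression bomb cannot exhaust the gateway, and the extension policy is a complement to, not a replacement for, content-type inspection.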