2.1 How does ScreenLocker ransomware work on Windows OS?

The following points give a brief idea of how the ransomware achieves the screen-locking functionality. Some programming-related terms are used:

  • Ransomware can use the EnumWindows() API to enumerate all windows (the GUIs of other processes) and then push every one of them into the background, so that the ransomware window ends up on top of all other windows.
  • The ransomware window covers the full screen.
  • The victim should not be able to resize or minimize the window. This kind of ransomware generally uses dialog-related Windows APIs such as showDialog, GetDlgItem, SetWindowPos, and so on to achieve the goals related to the ransomware dialog box.
  • Some ransomware, such as Urausy and Reveton, downloads images from its servers and creates the ScreenLocker dynamically.
  • The victim should not be able to switch to other windows. Windows provides the Alt + Tab hot key for switching windows, so this has to be disabled; the RegisterHotKey() API is used for this.

Besides locking the screen, the ransomware needs to protect itself from antivirus software. It can make the following changes to the system to do so. Technical details of these techniques are common to most other malware too and are described in Chapter 1, Malware from Fun to Profit, under the components of malware section.

  • Ransomware should not be easily terminated through the task manager, so the malware disables the task manager.
  • It disables registry access.
  • It kills antivirus processes.
  • It blocks access to security update sites.
  • System Restore should logically be disabled by most ransomware. This can be achieved by modifying the HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore registry key.
  • SafeBoot, or Safe mode, is meant for troubleshooting. In safe mode, Windows boots with a minimal set of drivers, and a lot of malware fails to start when the system is booted this way. Such malware can be removed easily in safe mode by deleting the files and registry entries related to it. Safe mode with networking can also be used to update security software that the ransomware has otherwise disabled. To disable safe boot, the malware can alter the registry key related to safe mode: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot.

Malware needs to start itself again when the system reboots so that the system remains infected. This is common to a lot of the malware mentioned in Chapter 1, Malware from Fun to Profit. Here are a few persistence mechanisms:

  • Copies itself into the startup folder
  • Creates Run entries in registries
  • Creates an entry for itself in the Windows task scheduler
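The two lists above (self-protection changes and persistence locations) can be audited from the defender's side. The following read-only PowerShell script is an added example, not code from the book: it checks the Task Manager and registry-tool policy values, the System Restore policy key and the SafeBoot subkeys named above, and lists the Run entries. The value names DisableTaskMgr, DisableRegistryTools and DisableSR are the documented Windows policy values; the book names only the keys, not the values.

```powershell
# Added example (not from the book): read-only audit of the registry locations a
# ScreenLocker tampers with to block recovery tools, plus the Run keys it uses to
# persist. Reports findings only; it changes nothing. Run from an elevated shell.
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. Policy values a locker sets to 1 to take the victim's recovery tools away.
#    Value names are the documented Windows policy values (not named in the book).
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableTaskMgr';       Detail = 'Task Manager disabled by policy' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableRegistryTools'; Detail = 'Registry editor disabled by policy' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
       Name = 'DisableSR';            Detail = 'System Restore disabled by policy' }
)
foreach ($c in $policyChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.($c.Name) -eq 1) {
        Add-Finding "$($c.Path)\$($c.Name)" $c.Detail
    }
}

# 2. Safe Boot: a healthy system has both the Minimal and Network subkeys under
#    SafeBoot. If either is gone, safe mode has very likely been sabotaged.
foreach ($mode in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    if (-not (Test-Path $key)) {
        Add-Finding $key 'Safe mode subkey missing'
    }
}

# 3. Persistence: list every Run entry so unknown binaries can be reviewed.
foreach ($hive in 'HKCU', 'HKLM') {
    $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if ($props) {
        # Skip the PS* metadata properties Get-ItemProperty adds to the object.
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            Add-Finding "$run\$($_.Name)" "Run entry: $($_.Value)"
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings | Format-Table -AutoSize }
```

A Run entry is not an indicator by itself; compare the listed paths against known software before treating one as malicious.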