Most people are aware of ransomware by now, certainly those who regularly read the Comodo blog section and similar publications. For those who don’t, ransomware is an attack whereby the attacker encrypts all the files on a victim’s computer or server, making them completely unusable. The attacker then demands a fee, a ransom usually in Bitcoins, to decrypt the files. The beauty of the attack from the criminal’s point of view is that there is almost never a solution for the victim once the encryption has taken place. No antivirus, no help from technical experts, no police force, and no amount of crying can ever recover those files for you. You must have the decryption key or kiss goodbye to your files.
When staring down the unforgiving barrel of this gun, many high-profile victims find they have no choice but to pay the fee. They need those files to continue in business or to provide their services to society, and they cannot afford any downtime at all. Hospitals, government departments, charities, universities, magistrate courts and newspaper offices are just a few examples of major institutions that have relented and paid the ransom.
Ransomware is usually spread in the form of a Trojan horse program. These are programs that trick you into thinking they are a normal program when you install them but are actually a malicious executable which encrypts your drives. Each piece of ransomware has its own unique way of infecting the target machine, and each uses several levels of obfuscation to avoid detection. This blog is a deep-dive from one of Comodo’s leading engineers into the inner workings of one such piece of ransomware – WONSYS.
Wonsys is a strain of malware that is either obfuscated by cryptor software or packed with a packer such as UPX, ASPROTECT or VMPROTECT. The actual executable, wonsys.exe, is buried deep inside another, apparently innocent, program, so it is one of those trojans we mentioned earlier. This is a common method criminals use to help malware avoid detection by antivirus products.
The malware drops itself onto the target computer and runs using the SHELL32 API, ShellExecuteW:
Once the ransomware is run by the user, it creates a “RunOnce” key in the registry:
It also counts all drives on the target machine so it can encrypt them all:
Wonsys then creates a ‘kill-list’ of processes that it needs to shut down. These are programs that, if left running, could potentially prevent Wonsys from infecting the entire system. Specifically, they are programs like Word, PowerPoint, Notepad and Thunderbird, which can ‘lock’ files and so prevent their encryption. After closing these programs, Wonsys also deletes the shadow copy of the files so the user can’t restore them:
The command prompt window is opened through COMSPEC in the system32 folder with administrator privileges:
The attacker also collects the date, time format, system name and locale info using API functions and pings the iplogger.org site, thus collecting detailed info on the machine.
Wonsys now has all the information it needs. The screenshot below shows that ‘dccdc’ is the extension it will add to all filenames after encryption, ‘PC-Administrator’ is the computer name, and drive ‘C:’ is the drive it will infect:
Finally, the WONSYS ransomware unleashes its payload, encrypting all files on the machine. All files are left with the ‘.dccdc’ extension apart from a single, unencrypted file which the user can open – ‘CLICK_HERE-dccdc.txt’:
This .txt file is how the attacker tells the victim what to do next. Each infected machine is given its own ID and personal key. The note tells the user to visit a web page where they will need this info to log in to a chat service:
The note tries to create the impression that the chat is a friendly service with a kindly operator who will help them recover their files. In reality, the chat is where the hacker demands their payment in Bitcoin or else the victim’s files are lost forever.
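As an added example (not part of the original Comodo analysis), the behaviours described above can be correlated per host in endpoint telemetry: the RunOnce write, shadow copy deletion, the iplogger.org lookup, and a `CLICK_HERE-<ext>.txt` note appearing alongside files renamed to the same extension. The event field names, the shadow-copy command patterns, the RunOnce value name and the three-behaviour threshold are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Constructed sample telemetry, not taken from the analysed sample; field names are assumptions.
EVENTS = [
    {"host": "PC-Administrator", "type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\constructed"},
    {"host": "PC-Administrator", "type": "process_create",
     "cmdline": r"C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"host": "PC-Administrator", "type": "dns_query", "query": "iplogger.org"},
    {"host": "PC-Administrator", "type": "file_create", "path": r"C:\Users\a\report.docx.dccdc"},
    {"host": "PC-Administrator", "type": "file_create", "path": r"C:\Users\a\budget.xlsx.dccdc"},
    {"host": "PC-Administrator", "type": "file_create", "path": r"C:\Users\a\CLICK_HERE-dccdc.txt"},
    {"host": "PC-Other", "type": "dns_query", "query": "example.com"},
    {"host": "PC-Other", "type": "file_create", "path": r"C:\Users\b\notes.txt"},
]

NOTE_RE = re.compile(r"CLICK_HERE-([A-Za-z0-9]+)\.txt$", re.IGNORECASE)
# Assumption: the write-up does not show the exact command; these are common deletion commands.
SHADOW_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|shadowcopy\s+delete", re.IGNORECASE)

def wonsys_indicators(events):
    """Return {host: sorted behaviours from the write-up observed on that host}."""
    hits, notes, files = defaultdict(set), defaultdict(set), defaultdict(list)
    for e in events:
        host, kind = e["host"], e["type"]
        if kind == "registry_set" and r"\currentversion\runonce" in e["target"].lower():
            hits[host].add("runonce_persistence")
        elif kind == "process_create" and SHADOW_RE.search(e["cmdline"]):
            hits[host].add("shadow_copy_deletion")
        elif kind == "dns_query" and ("." + e["query"].lower().rstrip(".")).endswith(".iplogger.org"):
            hits[host].add("iplogger_beacon")
        elif kind == "file_create":
            files[host].append(e["path"])
            m = NOTE_RE.search(e["path"])
            if m:
                notes[host].add(m.group(1).lower())
    for host, exts in notes.items():
        # The note name embeds the extension appended to encrypted files; require both.
        if any(p.lower().endswith("." + x) for p in files[host] for x in exts):
            hits[host].add("ransom_note_with_matching_extension")
    return {h: sorted(b) for h, b in hits.items()}

def infected_hosts(events, threshold=3):
    """Hosts showing at least `threshold` distinct behaviours (threshold is an assumption)."""
    return sorted(h for h, b in wonsys_indicators(events).items() if len(b) >= threshold)
```

Matching the note's embedded extension against renamed files generalises beyond the ‘dccdc’ value shown in this analysis, so the rule does not depend on one hard-coded extension.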