Table of Contents
What is Ransomware?
Ransomware is a type of malware that encrypts files on a computer or files on a device, and then demands payment in order to get the decryption key. Ransomware is most often spread through phishing attacks, but it can also be spread through drive-by downloads or downloading an attachment or program from a website that doesn't require an email address. Once the malware is on a device, it can spread rapidly, with millions of infections per day on average worldwide.
About Cortex Ransomware
Cortex ransomware is malicious software known as Ransomware. Cortex ransomware encrypts all the files in a computer until the user pays a ransom. Cortex ransomware drops a file named Cortex drops a file named read_it.txt, containing the ransom note. , containing the ransom note. Cortex ransomware is delivered through a Win32 EXE file.
On top of encrypting files, Cortex ransomware tries to steal browser information (history, passwords, etc) and create a window with clipboard capturing capabilities. It may delete shadow drive data (may be related to ransomware) and create a start menu entry (Start Menu\\Programs\\Startup). It may create files inside the volume driver (system volume information) and try to detect virtual machines. Cortex can also store files to the Windows startup directory and modify the Windows boot settings.
Cortex Ransomware Capabilities
- Creates a process in suspended mode (likely to inject code)
- Writes ini files Queries a list of all running processes
- Monitors certain registry keys / values for changes (often done to protect autostart functionality)
- Sample monitors Window processes.
- Creates COM task schedule object (often to register a task for autostart)
- May delete shadow drive data (may be related to ransomware)
- Creates a start menu entry (Start Menu\\Programs\\Startup)
- Tries to harvest and steal browser information (history, passwords, etc)
- Creates guard pages, often used to prevent reverse engineering and debugging
- Creates files inside the volume driver (system volume information)
- Contains capabilities to detect virtual machines
- Uses bcdedit to modify the Windows boot settings Contains capabilities to detect virtual machines
- Stores files to the Windows startup directory
- Queries the volume information (name, serial number etc) of a device
- Tries to harvest and steal browser information (history, passwords, etc)
- Creates a window with clipboard capturing capabilities Overwrites Mozilla Firefox settings Writes a notice file (html or txt) to demand a ransom.
How to Protect Against Ransomware?
If you want to protect against ransomware, there are a few things you can do. The first is to make sure you have a backup of your files. If you don't, then you can't really remove the ransomware. The next thing is to make sure that your anti-virus software is up-to-date. Finally, make sure that you have sufficient disk space, as the ransomware will eventually spread to the space on your computer. Here are a few general steps to follow:
- Open your computer's antivirus program and scan for malicious files
- Remove the infected program from your computer by following the instructions on your antivirus' tool
- Use a reliable anti-malware program to remove the ransomware
- If you're the owner of a mobile device, make sure to remove the infected programs from your device
Leave a Reply
Thank you for your response.
Please verify that you are not a robot.