WhisperGate ransomware is a type of malware that encrypts all the files on a computer until the user pays a ransom. Files encrypted by WhisperGate have a .pysa extension appended to the end of the file name. WhisperGate is delivered as a Win32 EXE file and has been observed in the following files and processes: m82hr78cg.dll, unknown.
What is Ransomware?
Ransomware is a type of malicious software that encrypts a victim's data and holds it hostage until the victim pays a ransom. The first versions of ransomware appeared in the 1980s, and the first major outbreak occurred in 1989. Since then, ransomware has been a constant threat to computer users. Ransomware can spread in many ways, but phishing emails, social engineering, and drive-by downloads are the most common.
WhisperGate Ransomware Capabilities:
WhisperGate ransomware uses System Information Discovery techniques to gather detailed information about the target system (operating system, hardware and configuration) in order to determine whether the system is vulnerable to attack and what actions to take next. WhisperGate ransomware also uses a variety of techniques to evade detection and analysis, including changing its behaviour based on the results of checks for artifacts that indicate a virtual machine or sandbox environment. It may search for such virtual machine artifacts before dropping secondary or additional payloads.
Mitigations Against WhisperGate ransomware:
WhisperGate ransomware can be mitigated by using network intrusion detection and prevention systems that rely on network signatures to identify traffic associated with specific adversary malware. It can also be mitigated by properly configuring firewalls and proxies to restrict outgoing traffic to only the necessary ports and to route it through proper network gateway systems. Also ensure that hosts are provisioned to communicate only over authorized interfaces.
How to Remove Ransomware?
There are a few ways to remove ransomware. One is to restore your data from a backup. If you don't have a backup, you can try to restore your system from a system restore point. If you don't have one of those either, you will need to reinstall your operating system. You can also try to remove the ransomware by running antivirus software that includes ransomware removal features.
- Disconnect from the internet. Remove all external connections, such as USB devices, Bluetooth and Wi-Fi. This will prevent the ransomware from spreading.
- Use antivirus software to remove the ransomware from your computer. This will remove the malware and help protect your computer from other malware that might come your way.
- If you have a backup, you can use it to restore your computer and get back to work.
How to Protect Against Ransomware?
- Don’t click on links in emails or social media messages from untrusted sources.
- Install antivirus software on all devices. Make sure that it’s always up to date.
- Practice safe browsing habits. Only visit sites that have a secure HTTPS connection.
- Use caution when opening attachments in email messages.
- Use strong passwords on all devices.
- Use two-factor authentication.