Wednesday, March 22, 2017

OFFLINE Backup is becoming more and more important (Ransomware is getting smarter)


From the article:

The attacks also use a process known as Process Hollowing to execute the installer. Here, attackers create processes in a suspended state and replace the process image with one that the attacker wants to remain hidden. The installer, he said, is also encrypted inside the NSIS installer and decrypted at runtime. Even this particular technique is a riff on traditional Process Hollowing, he said.

“Everything happens inside of memory. I’m executing the process in a suspended state, replacing the image with the image of the ransomware and redirecting the entry point of the new process to my code,” Nipravsky said. “What happens when I resume the process is that it goes to my code and not the original code.”
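The quoted sequence (create suspended, overwrite the image, redirect the entry point, resume) is also what a defender can look for in process telemetry. The following is an added example, not code from the article or from the blog: a small Python heuristic run over constructed API-call trace lines (the format, PIDs and paths are invented for the example) that flags a child process only when the full hollowing sequence is performed by its creator, and ignores a benign suspended start that is simply resumed.

```python
# Heuristic detector for the process-hollowing sequence quoted above.
# Input: constructed telemetry, one "<time> <caller_pid> <api> <target_pid> [args]" per line.
import re

# Constructed sample telemetry; PIDs, times and paths are invented.
SAMPLE_TRACE = """\
10:00:01 1200 CreateProcess 4400 flags=CREATE_SUSPENDED image=C:\\Windows\\System32\\svchost.exe
10:00:01 1200 NtUnmapViewOfSection 4400
10:00:02 1200 WriteProcessMemory 4400 size=212992
10:00:02 1200 SetThreadContext 4400
10:00:02 1200 ResumeThread 4400
10:00:05 1300 CreateProcess 4500 flags=CREATE_SUSPENDED image=C:\\Tools\\debuggee.exe
10:00:06 1300 ResumeThread 4500
10:00:07 1400 CreateProcess 4600 flags=0 image=C:\\Windows\\notepad.exe
10:00:08 1400 WriteProcessMemory 4600 size=64
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\w+) (\d+)(?: (.*))?$")
# Required order: create suspended, overwrite image, redirect entry point, resume.
STAGES = ["CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]

def detect_hollowing(trace: str) -> list:
    """Return child PIDs whose lifecycle matches the full hollowing sequence."""
    stage = {}    # child pid -> index of the next expected stage
    creator = {}  # child pid -> pid that created it
    flagged = []
    for raw in trace.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        _time, caller, api, target, args = m.groups()
        caller, target, args = int(caller), int(target), args or ""
        if api == "CreateProcess":
            # Only a process created suspended can be hollowed before it runs.
            if "CREATE_SUSPENDED" in args:
                stage[target], creator[target] = 1, caller
            continue
        if target not in stage or creator[target] != caller:
            continue
        if api == "NtUnmapViewOfSection":
            continue  # strengthens the pattern but is not required
        if api == STAGES[stage[target]]:
            stage[target] += 1
            if stage[target] == len(STAGES):
                flagged.append(target)
                del stage[target]
        elif api == "ResumeThread":
            del stage[target]  # resumed untouched: benign, e.g. a debugger
    return flagged
```

Only PID 4400 is flagged: 4500 was started suspended but resumed without any write or context change, and 4600 was never suspended, so a write into it does not complete the pattern.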


For more details:
