<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Marek „Netbe” Lampart </title>
    <description>The latest articles on DEV Community by Marek „Netbe” Lampart  (@cyberbezpieczenstwo).</description>
    <link>https://dev.to/cyberbezpieczenstwo</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4016285%2F765dbd3e-d62f-4d3b-afa7-101393c54515.jpg</url>
      <title>DEV Community: Marek „Netbe” Lampart </title>
      <link>https://dev.to/cyberbezpieczenstwo</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/cyberbezpieczenstwo"/>
    <language>en</language>
    <item>
      <title>DNS Security: Why Your Domain Configuration Can Become a Cybersecurity Problem</title>
      <dc:creator>Marek „Netbe” Lampart </dc:creator>
      <pubDate>Tue, 07 Jul 2026 16:22:41 +0000</pubDate>
      <link>https://dev.to/cyberbezpieczenstwo/dns-security-why-your-domain-configuration-can-become-a-cybersecurity-problem-1olc</link>
      <guid>https://dev.to/cyberbezpieczenstwo/dns-security-why-your-domain-configuration-can-become-a-cybersecurity-problem-1olc</guid>
      <description>&lt;p&gt;When people think about cybersecurity, they usually focus on passwords, malware, vulnerabilities, and firewalls.&lt;/p&gt;

&lt;p&gt;DNS is rarely the first thing that comes to mind.&lt;/p&gt;

&lt;p&gt;However, DNS is one of the most important components of modern infrastructure. Almost every web application, API, email system, and cloud service depends on correct DNS configuration.&lt;/p&gt;

&lt;p&gt;A small DNS mistake can create serious security problems.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is DNS and why does it matter?
&lt;/h2&gt;

&lt;p&gt;DNS (Domain Name System) translates human-readable domain names into IP addresses.&lt;/p&gt;

&lt;p&gt;Instead of remembering:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;142.250.xxx.xxx
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;users can access:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;example.com
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;But DNS does more than just resolve domains.&lt;/p&gt;

&lt;p&gt;It also tells the internet:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;where your website is hosted,&lt;/li&gt;
&lt;li&gt;where your email servers are located,&lt;/li&gt;
&lt;li&gt;which services exist,&lt;/li&gt;
&lt;li&gt;which external providers are trusted.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Because of this, DNS becomes part of your security perimeter.&lt;/p&gt;




&lt;h1&gt;
  
  
  Common DNS security problems
&lt;/h1&gt;

&lt;h2&gt;
  
  
  1. Forgotten subdomains
&lt;/h2&gt;

&lt;p&gt;One of the most common problems is abandoned subdomains.&lt;/p&gt;

&lt;p&gt;Example:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;dev.example.com
test.example.com
old.example.com
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;A company may stop using a service but leave the DNS record behind.&lt;/p&gt;

&lt;p&gt;If that service is removed but the DNS entry remains, attackers may attempt a &lt;strong&gt;subdomain takeover&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;The problem is simple:&lt;/p&gt;

&lt;p&gt;DNS says:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;dev.example.com → external-service.com
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;but nobody controls that external resource anymore.&lt;/p&gt;




&lt;h1&gt;
  
  
  2. Missing SPF, DKIM and DMARC records
&lt;/h1&gt;

&lt;p&gt;Email security heavily depends on DNS.&lt;/p&gt;

&lt;p&gt;Without proper email authentication, attackers can spoof your domain.&lt;/p&gt;

&lt;p&gt;Common protections:&lt;/p&gt;

&lt;h3&gt;
  
  
  SPF
&lt;/h3&gt;

&lt;p&gt;Defines which servers can send email for your domain.&lt;/p&gt;

&lt;p&gt;Example:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;example.com TXT

v=spf1 include:_spf.google.com ~all
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  DKIM
&lt;/h3&gt;

&lt;p&gt;Adds cryptographic signatures to emails.&lt;/p&gt;

&lt;h3&gt;
  
  
  DMARC
&lt;/h3&gt;

&lt;p&gt;Defines what receivers should do when SPF or DKIM checks fail.&lt;/p&gt;

&lt;p&gt;Example:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;_dmarc.example.com TXT

v=DMARC1; p=quarantine
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;These mechanisms do not stop every phishing attempt, but they significantly improve domain protection.&lt;/p&gt;




&lt;h1&gt;
  
  
  3. Exposed internal information
&lt;/h1&gt;

&lt;p&gt;DNS records can reveal information about infrastructure.&lt;/p&gt;

&lt;p&gt;Examples:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;vpn.example.com
admin.example.com
backup.example.com
dev.example.com
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This does not automatically mean a vulnerability exists.&lt;/p&gt;

&lt;p&gt;However, attackers use DNS information during reconnaissance.&lt;/p&gt;

&lt;p&gt;Before attacking systems, they first try to understand the environment.&lt;/p&gt;




&lt;h1&gt;
  
  
  4. Weak DNS configuration
&lt;/h1&gt;

&lt;p&gt;Common configuration mistakes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;outdated nameservers,&lt;/li&gt;
&lt;li&gt;missing DNSSEC,&lt;/li&gt;
&lt;li&gt;incorrect TTL values,&lt;/li&gt;
&lt;li&gt;forgotten records,&lt;/li&gt;
&lt;li&gt;publicly exposed development environments.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A domain can work perfectly and still have security problems.&lt;/p&gt;




&lt;h1&gt;
  
  
  DNSSEC - protecting DNS integrity
&lt;/h1&gt;

&lt;p&gt;DNS itself was not originally designed with strong authentication.&lt;/p&gt;

&lt;p&gt;DNSSEC adds cryptographic verification to DNS responses.&lt;/p&gt;

&lt;p&gt;It helps protect against attacks where someone tries to modify DNS responses and redirect users somewhere else.&lt;/p&gt;

&lt;p&gt;DNSSEC does not encrypt DNS traffic.&lt;/p&gt;

&lt;p&gt;Its purpose is integrity and authenticity.&lt;/p&gt;




&lt;h1&gt;
  
  
  How to perform a basic DNS security audit
&lt;/h1&gt;

&lt;p&gt;A simple audit should check:&lt;/p&gt;

&lt;h2&gt;
  
  
  Domain records
&lt;/h2&gt;

&lt;p&gt;Review:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;A records&lt;/li&gt;
&lt;li&gt;AAAA records&lt;/li&gt;
&lt;li&gt;MX records&lt;/li&gt;
&lt;li&gt;NS records&lt;/li&gt;
&lt;li&gt;TXT records&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Email protection
&lt;/h2&gt;

&lt;p&gt;Verify:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;SPF&lt;/li&gt;
&lt;li&gt;DKIM&lt;/li&gt;
&lt;li&gt;DMARC&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Old resources
&lt;/h2&gt;

&lt;p&gt;Look for:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;unused subdomains,&lt;/li&gt;
&lt;li&gt;forgotten services,&lt;/li&gt;
&lt;li&gt;old cloud resources.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Nameserver security
&lt;/h2&gt;

&lt;p&gt;Check:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;provider reliability,&lt;/li&gt;
&lt;li&gt;DNSSEC support,&lt;/li&gt;
&lt;li&gt;account protection.&lt;/li&gt;
&lt;/ul&gt;




&lt;h1&gt;
  
  
  Useful tools for DNS analysis
&lt;/h1&gt;

&lt;p&gt;Some commonly used tools:&lt;/p&gt;

&lt;h2&gt;
  
  
  dig
&lt;/h2&gt;

&lt;p&gt;Linux users can query DNS directly:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;dig example.com
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Check MX records:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;dig MX example.com
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Check TXT records:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;dig TXT example.com
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;
  
  
  nslookup
&lt;/h2&gt;

&lt;p&gt;A simpler alternative:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;nslookup example.com
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;
  
  
  Online DNS checkers
&lt;/h2&gt;

&lt;p&gt;Online tools are useful for quick verification:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;DNS record lookup&lt;/li&gt;
&lt;li&gt;MX verification&lt;/li&gt;
&lt;li&gt;SPF checking&lt;/li&gt;
&lt;li&gt;propagation testing&lt;/li&gt;
&lt;/ul&gt;




&lt;h1&gt;
  
  
  DNS is often forgotten security layer
&lt;/h1&gt;

&lt;p&gt;Many organizations invest heavily in:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;endpoint protection,&lt;/li&gt;
&lt;li&gt;firewalls,&lt;/li&gt;
&lt;li&gt;monitoring,&lt;/li&gt;
&lt;li&gt;vulnerability scanners.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;But DNS configuration is often treated as "just networking".&lt;/p&gt;

&lt;p&gt;That is a mistake.&lt;/p&gt;

&lt;p&gt;DNS controls how users and systems find your services.&lt;/p&gt;

&lt;p&gt;If DNS is wrong, everything built on top of it can become unreliable or unsafe.&lt;/p&gt;




&lt;h1&gt;
  
  
  Final thoughts
&lt;/h1&gt;

&lt;p&gt;Security is not only about preventing attacks.&lt;/p&gt;

&lt;p&gt;It is also about reducing unnecessary exposure.&lt;/p&gt;

&lt;p&gt;A properly configured DNS environment:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;reduces attack surface,&lt;/li&gt;
&lt;li&gt;improves email security,&lt;/li&gt;
&lt;li&gt;prevents accidental exposure,&lt;/li&gt;
&lt;li&gt;makes infrastructure easier to manage.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;DNS may look simple from the outside, but it is one of the foundations of modern cybersecurity.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Author&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Marek "Netbe" Lampart&lt;/p&gt;

&lt;p&gt;Cybersecurity | Linux | Networking | Infrastructure Security&lt;/p&gt;

&lt;p&gt;&lt;a href="https://netbe.pl" rel="noopener noreferrer"&gt;https://netbe.pl&lt;/a&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>Ransomware explained: how modern attacks really work in 2026 (not theory)</title>
      <dc:creator>Marek „Netbe” Lampart </dc:creator>
      <pubDate>Sun, 05 Jul 2026 15:09:19 +0000</pubDate>
      <link>https://dev.to/cyberbezpieczenstwo/ransomware-explained-how-modern-attacks-really-work-in-2026-not-theory-2em6</link>
      <guid>https://dev.to/cyberbezpieczenstwo/ransomware-explained-how-modern-attacks-really-work-in-2026-not-theory-2em6</guid>
      <description>&lt;p&gt;Ransomware is often explained in a very simple way:&lt;/p&gt;

&lt;p&gt;“It encrypts your files and demands payment.”&lt;/p&gt;

&lt;p&gt;That description is technically correct — but it hides how complex modern ransomware actually is.&lt;/p&gt;

&lt;p&gt;In 2026, ransomware is not just malware.&lt;br&gt;
It is a multi-stage cybercrime operation combining intrusion, persistence, data theft, and extortion.&lt;/p&gt;

&lt;p&gt;Let’s break it down realistically.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Ransomware starts long before encryption&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Most people think ransomware “just appears” and starts encrypting files.&lt;/p&gt;

&lt;p&gt;In reality, encryption is usually the final stage.&lt;/p&gt;

&lt;p&gt;Attackers first need access, which is typically gained through:&lt;/p&gt;

&lt;p&gt;🔹 Phishing&lt;br&gt;
fake login pages&lt;br&gt;
malicious attachments&lt;br&gt;
credential harvesting&lt;br&gt;
🔹 Exploited vulnerabilities&lt;br&gt;
unpatched VPNs&lt;br&gt;
exposed RDP services&lt;br&gt;
software zero-days&lt;br&gt;
🔹 Stolen credentials&lt;br&gt;
leaked passwords&lt;br&gt;
credential stuffing attacks&lt;br&gt;
reused passwords across services&lt;/p&gt;

&lt;p&gt;👉 At this stage, attackers are already inside the system — ransomware is just the final payload.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Initial execution and system analysis&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Once inside, the ransomware binary is executed.&lt;/p&gt;

&lt;p&gt;Before doing anything destructive, it often:&lt;/p&gt;

&lt;p&gt;checks if it is running in a virtual machine&lt;br&gt;
detects security tools (Defender, EDR, sandbox)&lt;br&gt;
escalates privileges to admin/system level&lt;br&gt;
delays execution to avoid detection&lt;/p&gt;

&lt;p&gt;👉 This is why many infections are not immediately visible.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Network and file system reconnaissance&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Modern ransomware does not encrypt randomly.&lt;/p&gt;

&lt;p&gt;It first maps the environment:&lt;/p&gt;

&lt;p&gt;local drives (C:, D:)&lt;br&gt;
network shares&lt;br&gt;
backup locations&lt;br&gt;
cloud-synced folders&lt;/p&gt;

&lt;p&gt;It also identifies valuable file types:&lt;/p&gt;

&lt;p&gt;documents (.docx, .pdf)&lt;br&gt;
databases (.sql, .db)&lt;br&gt;
archives (.zip, .bak)&lt;/p&gt;

&lt;p&gt;👉 The goal is maximum impact with minimum effort.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;The encryption model (hybrid cryptography)&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Modern ransomware uses hybrid encryption, not simple file locking.&lt;/p&gt;

&lt;p&gt;Step 1: Fast encryption per file&lt;/p&gt;

&lt;p&gt;Each file is encrypted using:&lt;/p&gt;

&lt;p&gt;AES (Advanced Encryption Standard)&lt;br&gt;
ChaCha20 (in newer variants)&lt;/p&gt;

&lt;p&gt;This allows fast processing of large data volumes.&lt;/p&gt;

&lt;p&gt;Step 2: Key protection&lt;/p&gt;

&lt;p&gt;The AES keys are then encrypted using:&lt;/p&gt;

&lt;p&gt;RSA&lt;br&gt;
ECC (Elliptic Curve Cryptography)&lt;/p&gt;

&lt;p&gt;The attacker holds the private key.&lt;/p&gt;

&lt;p&gt;👉 Without the private key, recovery is practically impossible.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;File encryption in practice&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The ransomware loops through files and:&lt;/p&gt;

&lt;p&gt;opens file&lt;br&gt;
reads content into memory&lt;br&gt;
encrypts data&lt;br&gt;
overwrites or replaces original file&lt;br&gt;
renames file (often adding custom extension)&lt;/p&gt;

&lt;p&gt;Example:&lt;/p&gt;

&lt;p&gt;report.docx → report.docx.lockbit&lt;/p&gt;

&lt;p&gt;It usually avoids system-critical files to keep the OS running.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Destruction of recovery options&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;To prevent easy recovery, ransomware often:&lt;/p&gt;

&lt;p&gt;deletes shadow copies&lt;br&gt;
disables system restore&lt;br&gt;
removes backup snapshots&lt;br&gt;
stops recovery tools&lt;br&gt;
clears event logs&lt;/p&gt;

&lt;p&gt;Example commands used in attacks:&lt;/p&gt;

&lt;p&gt;vssadmin delete shadows&lt;br&gt;
wbadmin delete catalog&lt;/p&gt;

&lt;p&gt;👉 This ensures victims cannot restore data easily.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Double extortion: the modern standard&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;In 2026, encryption alone is not enough for attackers.&lt;/p&gt;

&lt;p&gt;Most groups now use double extortion:&lt;/p&gt;

&lt;p&gt;Step 1: Data theft&lt;/p&gt;

&lt;p&gt;Before encryption:&lt;/p&gt;

&lt;p&gt;files are copied&lt;br&gt;
sensitive databases extracted&lt;br&gt;
credentials stolen&lt;br&gt;
Step 2: Encryption&lt;/p&gt;

&lt;p&gt;System is locked locally.&lt;/p&gt;

&lt;p&gt;Step 3: Blackmail&lt;/p&gt;

&lt;p&gt;If ransom is not paid:&lt;/p&gt;

&lt;p&gt;stolen data is published or sold&lt;/p&gt;

&lt;p&gt;👉 Even backups do not fully protect against this model.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Ransom note and communication system&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;After encryption, victims typically see:&lt;/p&gt;

&lt;p&gt;ransom note files in folders&lt;br&gt;
changed desktop wallpaper&lt;br&gt;
instructions for payment&lt;/p&gt;

&lt;p&gt;Modern groups also use:&lt;/p&gt;

&lt;p&gt;Tor-based negotiation portals&lt;br&gt;
live chat systems&lt;br&gt;
“customer support” style communication&lt;/p&gt;

&lt;p&gt;👉 Ransomware gangs now operate like service platforms.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Why recovery is extremely difficult&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The key reason:&lt;/p&gt;

&lt;p&gt;👉 asymmetric cryptography&lt;/p&gt;

&lt;p&gt;AES/ChaCha20 = fast encryption&lt;br&gt;
RSA/ECC = locks decryption keys&lt;/p&gt;

&lt;p&gt;Without the private key:&lt;/p&gt;

&lt;p&gt;brute force is computationally impossible&lt;br&gt;
decryption is not realistic&lt;/p&gt;

&lt;p&gt;Even advanced recovery tools usually fail.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Real-world insight: ransomware is not just malware&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Modern ransomware is best understood as:&lt;/p&gt;

&lt;p&gt;a structured cybercrime business model combining intrusion, automation, encryption, and extortion&lt;/p&gt;

&lt;p&gt;It is not random malware anymore — it is organized infrastructure.&lt;/p&gt;

&lt;p&gt;Final thoughts&lt;/p&gt;

&lt;p&gt;Ransomware in 2026 is no longer just about locking files.&lt;/p&gt;

&lt;p&gt;It is about:&lt;/p&gt;

&lt;p&gt;stealing data&lt;br&gt;
disabling recovery&lt;br&gt;
applying psychological pressure&lt;br&gt;
monetizing access in multiple ways&lt;/p&gt;

&lt;p&gt;And the key takeaway is simple:&lt;/p&gt;

&lt;p&gt;👉 once encryption starts, the real failure already happened earlier — at the access stage.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>security</category>
    </item>
    <item>
      <title>How ransomware actually encrypts files (real-world explanation, not theory)</title>
      <dc:creator>Marek „Netbe” Lampart </dc:creator>
      <pubDate>Sun, 05 Jul 2026 14:48:24 +0000</pubDate>
      <link>https://dev.to/cyberbezpieczenstwo/how-ransomware-actually-encrypts-files-real-world-explanation-not-theory-4g1n</link>
      <guid>https://dev.to/cyberbezpieczenstwo/how-ransomware-actually-encrypts-files-real-world-explanation-not-theory-4g1n</guid>
      <description>&lt;p&gt;Ransomware is often described in a very simplified way: &lt;em&gt;“it encrypts your files and demands payment.”&lt;/em&gt;&lt;br&gt;
That explanation is correct, but completely useless if you want to understand what actually happens on a technical level.&lt;/p&gt;

&lt;p&gt;In this article, I’ll break down how modern ransomware really works in practice — based on real attack patterns used by families like LockBit, BlackCat, and others.&lt;/p&gt;




&lt;h1&gt;
  
  
  1. Initial access – how ransomware gets into the system
&lt;/h1&gt;

&lt;p&gt;Before encryption even starts, attackers need access. This usually happens in one of these ways:&lt;/p&gt;

&lt;h3&gt;
  
  
  🔹 Phishing
&lt;/h3&gt;

&lt;p&gt;A user opens:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;malicious email attachment (PDF, DOCX, ZIP)&lt;/li&gt;
&lt;li&gt;fake login page&lt;/li&gt;
&lt;li&gt;macro-enabled document&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  🔹 Exploiting vulnerabilities
&lt;/h3&gt;

&lt;p&gt;Unpatched systems are often targeted:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;exposed RDP&lt;/li&gt;
&lt;li&gt;VPN vulnerabilities&lt;/li&gt;
&lt;li&gt;Windows zero-days&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  🔹 Stolen credentials
&lt;/h3&gt;

&lt;p&gt;Attackers log in directly using:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;leaked passwords&lt;/li&gt;
&lt;li&gt;credential stuffing&lt;/li&gt;
&lt;li&gt;reused passwords&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;👉 Important: ransomware is rarely “random”. It’s usually a &lt;strong&gt;planned intrusion&lt;/strong&gt;.&lt;/p&gt;




&lt;h1&gt;
  
  
  2. Payload execution – the ransomware is launched
&lt;/h1&gt;

&lt;p&gt;Once inside, the attacker deploys the ransomware binary.&lt;/p&gt;

&lt;p&gt;At this stage, it typically:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;checks system environment (VM detection, sandbox evasion)&lt;/li&gt;
&lt;li&gt;disables security tools (Defender, logs, recovery tools)&lt;/li&gt;
&lt;li&gt;escalates privileges (admin rights)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Some variants even sleep for hours or days to avoid detection.&lt;/p&gt;




&lt;h1&gt;
  
  
  3. Reconnaissance – mapping the system
&lt;/h1&gt;

&lt;p&gt;Before encryption, ransomware “explores”:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;drives (C:, D:, network shares)&lt;/li&gt;
&lt;li&gt;connected devices&lt;/li&gt;
&lt;li&gt;file types (documents, databases, backups)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;It builds a target list in memory.&lt;/p&gt;

&lt;p&gt;👉 This is why network drives often get encrypted too.&lt;/p&gt;




&lt;h1&gt;
  
  
  4. Key generation – the most important part
&lt;/h1&gt;

&lt;p&gt;Modern ransomware uses &lt;strong&gt;hybrid encryption&lt;/strong&gt;:&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 1: Fast symmetric encryption
&lt;/h3&gt;

&lt;p&gt;Each file is encrypted with:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;AES (most common)&lt;/li&gt;
&lt;li&gt;ChaCha20 (in newer strains)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This is fast and used for bulk encryption.&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 2: Public key encryption
&lt;/h3&gt;

&lt;p&gt;The symmetric keys are then encrypted using:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;RSA&lt;/li&gt;
&lt;li&gt;ECC (Elliptic Curve Cryptography)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The attacker keeps the private key.&lt;/p&gt;

&lt;p&gt;👉 This is why you cannot “reverse engineer” encryption easily.&lt;/p&gt;




&lt;h1&gt;
  
  
  5. File-by-file encryption process
&lt;/h1&gt;

&lt;p&gt;Now the ransomware starts looping through files:&lt;/p&gt;

&lt;p&gt;For each file:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;open file&lt;/li&gt;
&lt;li&gt;read content into memory&lt;/li&gt;
&lt;li&gt;encrypt with AES/ChaCha20&lt;/li&gt;
&lt;li&gt;overwrite original file or create new encrypted copy&lt;/li&gt;
&lt;li&gt;rename file (often adding extension like &lt;code&gt;.lockbit&lt;/code&gt;, &lt;code&gt;.enc&lt;/code&gt;)&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;It usually targets:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;documents (.docx, .pdf)&lt;/li&gt;
&lt;li&gt;databases (.sql, .db)&lt;/li&gt;
&lt;li&gt;backups&lt;/li&gt;
&lt;li&gt;archives (.zip, .rar)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;It often avoids system-critical files to keep Windows running.&lt;/p&gt;




&lt;h1&gt;
  
  
  6. Deleting recovery options
&lt;/h1&gt;

&lt;p&gt;To make recovery harder, ransomware often:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;deletes shadow copies (&lt;code&gt;vssadmin delete shadows&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;disables recovery tools&lt;/li&gt;
&lt;li&gt;removes backups if accessible&lt;/li&gt;
&lt;li&gt;clears logs&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This is why system restore often stops working.&lt;/p&gt;




&lt;h1&gt;
  
  
  7. Ransom note delivery
&lt;/h1&gt;

&lt;p&gt;After encryption:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;text file is dropped in every folder&lt;/li&gt;
&lt;li&gt;desktop wallpaper is changed&lt;/li&gt;
&lt;li&gt;instructions are shown&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Usually includes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Tor payment site&lt;/li&gt;
&lt;li&gt;Bitcoin/Monero address&lt;/li&gt;
&lt;li&gt;countdown timer&lt;/li&gt;
&lt;/ul&gt;




&lt;h1&gt;
  
  
  8. Data exfiltration (modern ransomware trend)
&lt;/h1&gt;

&lt;p&gt;Many modern attacks are &lt;strong&gt;double extortion&lt;/strong&gt;:&lt;/p&gt;

&lt;p&gt;Before encryption, attackers also:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;copy sensitive files&lt;/li&gt;
&lt;li&gt;steal databases&lt;/li&gt;
&lt;li&gt;exfiltrate credentials&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Even if you restore backups, data can still be leaked.&lt;/p&gt;




&lt;h1&gt;
  
  
  9. Why recovery without key is nearly impossible
&lt;/h1&gt;

&lt;p&gt;Because of hybrid encryption:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;AES/ChaCha20 = fast encryption per file&lt;/li&gt;
&lt;li&gt;RSA/ECC = protects AES keys&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Without private key:&lt;br&gt;
👉 brute force is computationally impossible&lt;/p&gt;




&lt;h1&gt;
  
  
  10. Real-world insight (important)
&lt;/h1&gt;

&lt;p&gt;Ransomware is not “magic encryption malware”.&lt;/p&gt;

&lt;p&gt;It is closer to:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;a structured automated data destruction system combined with extortion logic&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Modern groups operate like companies:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;affiliates&lt;/li&gt;
&lt;li&gt;infrastructure teams&lt;/li&gt;
&lt;li&gt;negotiation portals&lt;/li&gt;
&lt;li&gt;customer support (!)&lt;/li&gt;
&lt;/ul&gt;




&lt;h1&gt;
  
  
  Final thoughts
&lt;/h1&gt;

&lt;p&gt;Understanding ransomware at this level shows something important:&lt;/p&gt;

&lt;p&gt;👉 prevention is far easier than recovery&lt;/p&gt;

&lt;p&gt;Because once encryption starts, the system is already compromised at multiple layers.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>security</category>
      <category>tutorial</category>
    </item>
    <item>
      <title>Checker portów IP i DNS – jak sprawdzić bezpieczeństwo i konfigurację sieci online</title>
      <dc:creator>Marek „Netbe” Lampart </dc:creator>
      <pubDate>Sun, 05 Jul 2026 14:33:49 +0000</pubDate>
      <link>https://dev.to/cyberbezpieczenstwo/checker-portow-ip-i-dns-jak-sprawdzic-bezpieczenstwo-i-konfiguracje-sieci-online-55cf</link>
      <guid>https://dev.to/cyberbezpieczenstwo/checker-portow-ip-i-dns-jak-sprawdzic-bezpieczenstwo-i-konfiguracje-sieci-online-55cf</guid>
      <description>&lt;p&gt;W sieci działa ogromna liczba usług, które komunikują się ze sobą przez konkretne porty i rekordy DNS. W praktyce większość problemów z bezpieczeństwem infrastruktury nie wynika z zaawansowanych exploitów, tylko z prostych błędów konfiguracji — np. otwartych portów, nieświadomie wystawionych usług albo błędnych rekordów DNS.&lt;/p&gt;

&lt;p&gt;Dlatego narzędzia typu port checker / IP checker / DNS lookup stały się jednym z podstawowych sposobów szybkiej diagnostyki sieci.&lt;/p&gt;

&lt;p&gt;W tym artykule wyjaśniam, jak działają takie narzędzia i jak można je wykorzystać do analizy bezpieczeństwa własnej infrastruktury.&lt;/p&gt;


&lt;div class="crayons-card c-embed text-styles text-styles--secondary"&gt;
    &lt;div class="c-embed__content"&gt;
        &lt;div class="c-embed__cover"&gt;
          &lt;a href="https://netbe.pl/checker-portow-ip-i-dns-jak-sprawdzic-bezpieczenstwo-i-konfiguracje-sieci-online/" class="c-link align-middle" rel="noopener noreferrer"&gt;
            &lt;img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fnetbe.pl%2Fwp-content%2Fuploads%2F2026%2F07%2FChecker-portow-IP-i-DNS-%25E2%2580%2593-jak-sprawdzic-bezpieczenstwo-i-konfiguracje-sieci-online.webp" height="450" class="m-0" width="800"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
      &lt;div class="c-embed__body"&gt;
        &lt;h2 class="fs-xl lh-tight"&gt;
          &lt;a href="https://netbe.pl/checker-portow-ip-i-dns-jak-sprawdzic-bezpieczenstwo-i-konfiguracje-sieci-online/" rel="noopener noreferrer" class="c-link"&gt;
            Checker portów, IP i DNS – jak sprawdzić bezpieczeństwo i konfigurację sieci online
          &lt;/a&gt;
        &lt;/h2&gt;
          &lt;p class="truncate-at-3"&gt;
            Checker portów, IP i DNS – jak sprawdzić bezpieczeństwo i konfigurację sieci online
          &lt;/p&gt;
        &lt;div class="color-secondary fs-s flex items-center"&gt;
            &lt;img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fnetbe.pl%2Fwp-content%2Fuploads%2F2023%2F01%2Fcropped-favicon-32x32-1-32x32.png" width="32" height="32"&gt;
          netbe.pl
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
&lt;/div&gt;


</description>
    </item>
  </channel>
</rss>
