Avoiding (and Surviving) Ransomware

By far, the biggest story in malware over the past two years or more is the rise of ransomware. This species of malicious software encrypts a computer's or user's files, then holds them hostage, demanding a ransom in exchange for the key needed to decrypt the data.

While the first modern ransomware began to appear in 2005, it was the emergence of the CryptoLocker ransomware in 2013 that began the sharp increase in ransomware incidents that we are still observing today. Ransomware has now largely displaced "banking trojans" and other malware that steals financial and credit card information as the most common form of financially motivated malware in use.

How to Be Prepared for Ransomware Attacks
  • Have adequate backup and restoration capability. While obviously we hope to avoid being hit by ransomware, we want to be prepared in case it does successfully strike us. Ensure that backups are frequent, and (very importantly) that backup file locations are NOT writable from any computer via normal file access means. If your backup locations can be written to from a workstation via a file share, you may go to restore backups in a ransomware situation only to find that the backups have also been encrypted! Also, ensure that file restore capability is tested and rehearsed on a regular basis, to ensure that the technology works and that staff know how to operate it.

  • Install workstation application updates promptly. As ransomware has become more popular, the variety of means by which it makes its way onto computers has increased. Most commonly, ransomware gets onto computers by exploiting vulnerabilities in web browsers and browser plugins (such as Adobe Flash), and also via malicious email file attachments. Most often, the vulnerabilities being exploited are known software bugs for which the vendors already have updates available. Timely installation of updates for software applications will avoid a large majority of malware infections, including ransomware. The most vital applications to patch are web browsers, any web browser add-ons and plugins, and any document editing and viewing applications (Adobe Acrobat or Reader and Microsoft Office are the most frequently exploited applications in this category).

  • Use good anti-malware software, and keep it updated. With ransomware being such a common threat, anti-virus software makers are obviously working hard to identify and detect new strains of ransomware. A good anti-virus program can provide a high degree of protection against common ransomware threats, so it is important to keep your anti-virus software updated and to test it regularly to ensure it is functioning and that it sends alerts to the appropriate parties in the organization when it detects a problem. A strong alternative to anti-virus is next-generation endpoint protection or anti-malware software. This emerging category of protective software detects malware based on how it behaves rather than by matching it against known samples of malware. This enables the software to detect the latest threats before any anti-virus software maker is even aware of them.

  • Limit file shares and files to which users have access. It is common in organizations to find that most of their network file shares are fully accessible to all users. This is obviously a convenient and easy-to-manage setup, but it is risky for many reasons. The most obvious is simply that doing this most likely gives some users access to some files to which they really do not need access, and to which they perhaps SHOULD not have access. The ransomware threat gives another motivation for organizations to better segment access to file shares -- an exploited user's PC and account can only be used to encrypt files to which that user has access. Limiting users' access limits the damage they can do if they become infected with ransomware. Using web-based file sharing or document management systems may also provide some protection; most ransomware seen to date only encrypts local files and files in shares mapped as drives.

How to Survive a Ransomware Attack
  • Identify the source. Most ransomware will pop up a message on the infected workstation, but you may discover you have a problem first by seeing files that have been encrypted. Windows should show you the last user who edited the files, and that should be enough info to track down the source of the problem.

  • Disconnect the source. If you have caught a ransomware infection early enough, the infected computer may still be encrypting more documents. You can limit the damage by disconnecting the infected machine from the network. If possible, you should avoid shutting down the infected computer, as it may hold vital information for identifying the type of malware involved and other important details.

  • Identify the damage and restore files. If your backups are offline, current, and tested, this should be a smooth and successful fix.
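One way to carry out the "identify the source" step above, as an added example that is not part of the original post: list the files on a share modified in the last hour, grouped by NTFS owner, so the account doing the encrypting stands out. The share path is a placeholder.

```powershell
# Added example: recently modified files on a share, grouped by owner.
# NTFS stores the owner (normally the creator), not the last editor; ransomware that
# writes new encrypted files will show the infected account as owner, but in-place
# overwrites keep the original owner. For the true modifier, enable object access
# auditing and review Security event ID 4663 on the file server.
$Share = '\\FILESERVER\Shared'       # placeholder; replace with your share
$Since = (Get-Date).AddHours(-1)

Get-ChildItem -Path $Share -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $Since } |
    ForEach-Object {
        [pscustomobject]@{
            Owner         = (Get-Acl -LiteralPath $_.FullName).Owner
            Path          = $_.FullName
            Extension     = $_.Extension
            LastWriteTime = $_.LastWriteTime
        }
    } |
    Group-Object Owner |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Extensions'; e = { ($_.Group.Extension | Select-Object -Unique | Select-Object -First 5) -join ', ' } },
        @{ n = 'Latest';     e = { ($_.Group.LastWriteTime | Measure-Object -Maximum).Maximum } }
```

An owner with hundreds of recent writes and an unfamiliar extension is the machine to disconnect; the Extensions column also gives you the renamed suffix to search for when identifying the damage.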

Paying a Ransom

If all the above fails, and you are unable to restore your files, what do you do? Are you crazy for considering paying a ransom?

Paying a ransom is definitely something you want to avoid, but it is not crazy and is not the end of the world. Organizations that have ended up having to pay include hospitals, school systems, and even police departments. The FBI has even, in the past, said that if all else fails then paying a ransom may be the thing to do (their more recent advice is to NOT pay ransoms, largely because doing so only encourages the criminals to keep doing this sort of thing, possibly even to you). While the FBI does warn that in some cases people have paid ransoms and still not gotten their data back, it seems that in the vast majority of cases paying the ransom will get your files decrypted. If you DO end up going this route, though, please let it be a motivator to increase your preparedness so that it is the LAST ransom you ever pay.


References:
"Ransomware: Past, Present, and Future", Cisco Talos.
http://blog.talosintel.com/2016/04/ransomware.html

"Incidents of Ransomware on the Rise", FBI warning.
https://www.fbi.gov/news/stories/2016/april/incidents-of-ransomware-on-the-rise/incidents-of-ransomware-on-the-rise
