The ransomware epidemic and what you can do

What is ransomware

Ransomware is an ongoing epidemic built on an insidious piece of malware that cybercriminals use to extort money: it holds your computer or your files for ransom and demands payment to get them back. Unfortunately, ransomware is quickly becoming a popular way for malware authors to extort money from businesses and consumers alike. If this trend continues, ransomware will soon affect IoT devices, automobiles, ICS and SCADA systems, as well as computer terminals. There are a number of ways ransomware can get onto someone’s computer, but most infections result from a social engineering tactic or from the use of software vulnerabilities to silently install it on a victim’s machine.

Over the past year and earlier, malware authors have sent waves of spam emails targeting various groups. There is no geographic limit on who can be affected, and while the emails were initially aimed at individual end users and then at small and medium-sized businesses, the enterprise is now the main target.

In addition to phishing and spear-phishing social engineering, ransomware also spreads via exposed remote desktop ports. Ransomware also encrypts files that can be reached through mapped drives, including USB sticks and external hard drives, and folders on the network or in the cloud. If you have a OneDrive folder on your computer, those files may be encrypted and then synced to their cloud versions.

No one can say with any certainty exactly how much malware of this type exists. Since much of it exists in unopened emails and many infections go unreported, it’s hard to tell.

The impact on those affected is that their data files are encrypted and the end user is forced to decide, against a clock, whether to pay the ransom or lose the data forever. The affected files are usually popular data formats such as Office files, music, PDFs, and other common data files. More sophisticated strains remove the “shadow copies” from the computer that would otherwise allow the user to go back to an earlier point in time; the computer’s “restore points” are destroyed as well, along with any backup files that can be reached. The criminal manages the process from a command and control server that holds the private key for the user’s files. A timer is applied to the destruction of the private key, and the demands and countdown are displayed on the user’s screen with a warning that the private key will be destroyed at the end of the countdown unless the ransom is paid. The files themselves continue to exist on the computer, but they are encrypted and inaccessible even by brute force.

In many cases, the end user sees no way out and simply pays the ransom. The FBI recommends against paying: by paying, you are funding more such activities, and there is no guarantee that you will get any of your files back. Also, the cyber security industry is getting better at handling ransomware. At least one major antimalware vendor released a “decryptor” product last week. It remains to be seen, however, how effective this tool will be.

What to do now

There are multiple perspectives to consider. The individual wants to recover his files. Businesses want to recover files and protect their assets. At the enterprise level, they want all of the above and also need to be able to demonstrate due diligence, preventing others from being infected by anything deployed to or shipped from the enterprise, in order to protect themselves from the mass torts that will inevitably occur in the future.

Generally speaking, once encrypted, the files are unlikely to be decryptable. The best tactic, therefore, is prevention.

Back up your data

The best defense is regular backups to offline media, keeping multiple versions of the files. With offline media such as a backup service, tape, or other media that supports monthly backups, you can always go back to earlier versions of your files. Also, be sure to back up all data files; some may live on USB keys, external drives, or mapped drives. Any file that malware can reach with write access can be encrypted and held for ransom.

Education and Awareness

A critical component of ransomware infection prevention is making end users and staff aware of the attack vectors, specifically spam, phishing, and spear-phishing. Almost all ransomware attacks succeed because an end user clicked on a link that seemed innocuous or opened an attachment that appeared to come from a known person. By raising awareness and educating staff about these risks, they can become a critical line of defense against this insidious threat.

Show hidden file extensions

Windows hides known file extensions by default. If you enable viewing of all file extensions in email and on your file system, you can more easily spot executable malware files that masquerade as harmless documents (for example, a file named invoice.pdf.exe that Windows would otherwise display as invoice.pdf).

Filter executable files in email

If your gateway mail scanner can filter files by extension, you may want to reject emails sent with *.exe attachments. Use a trusted cloud service to send or receive *.exe files instead.

Disable executing files from temporary file folders

First, allow hidden files and folders to show in Explorer so that you can see the AppData and ProgramData folders.

Your anti-malware software allows you to create rules that prevent executables from running from your profile’s Local and Roaming AppData folders, as well as from the computer’s ProgramData folder. Exclusions can be set for legitimate programs.
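The same rule set expressed with Windows' built-in AppLocker instead of a third-party product, as an added example that is not from the article. It denies Exe execution under AppData and ProgramData, keeps default-style allow rules so that nothing else is implicitly blocked, and starts in audit mode; the rule names, GUIDs and the exception path are constructed for this example.

```powershell
# Added example (not from the article): AppLocker path rules that deny running executables
# from the per-user AppData folders and from ProgramData, plus default-style allow rules
# (AppLocker implicitly blocks anything not allowed once a collection has rules).
# Run elevated on an edition that supports AppLocker. EnforcementMode starts as AuditOnly:
# review the AppLocker event log before switching it to "Enabled".
function New-RuleId { [guid]::NewGuid().ToString() }   # every rule needs a unique GUID

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$(New-RuleId)" Name="Deny EXE in user AppData" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
      <Exceptions>
        <!-- PLACEHOLDER: exclusion for a legitimate program that installs under AppData -->
        <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\VendorX\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$(New-RuleId)" Name="Deny EXE in ProgramData" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\ProgramData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-RuleId)" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-RuleId)" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-RuleId)" Name="Allow Administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$xmlPath = Join-Path $env:TEMP 'appdata-exe-rules.xml'
Set-Content -Path $xmlPath -Value $policyXml -Encoding UTF8

# The Application Identity service must run for AppLocker to evaluate rules;
# -Merge keeps any rules already present in the local policy.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge

# Dry-run the effective policy: a would-be dropper path should report Denied,
# a program under Program Files should report Allowed.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path "$env:LOCALAPPDATA\Temp\invoice.pdf.exe", "$env:ProgramFiles\Internet Explorer\iexplore.exe" -User Everyone
```

Explicit Deny rules take precedence over Allow rules in AppLocker, so the exception block is the only way to let a legitimate AppData-resident program through.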

Disable RDP

If it is practical to do so, disable RDP (Remote Desktop Protocol) on mature targets such as servers, or block RDP from the Internet, forcing remote users through a VPN or another secure route. Some ransomware strains exploit vulnerabilities in RDP-enabled systems to get onto the target. There are several TechNet articles detailing how to disable RDP.
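One way to apply and verify this on a single Windows host, as an added example that is not from the article or the TechNet guidance it mentions. It reports the current state, denies Remote Desktop connections, closes the firewall rule group, and reports again; it assumes the NetSecurity and NetTCPIP modules (Windows 8 / Server 2012 and later) and an elevated console session.

```powershell
# Added example (not from the article): turn off Remote Desktop on a Windows host and verify.
# Run in an elevated local (console) session, never over the RDP session you are about to
# disable. Assumes Windows 8 / Server 2012 or newer for the Net* cmdlets.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpState {
    # fDenyTSConnections: 0 = Remote Desktop enabled, 1 = connections denied
    $deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RdpEnabled        = ($deny -eq 0)
        FirewallRulesOpen = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count
        ListenerOn3389    = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    }
}

'Before:'; Get-RdpState | Format-List

Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

'After:'; Get-RdpState | Format-List
# TermService keeps its 3389 listener until it restarts, but inbound connections are now
# refused by the policy value and dropped by the disabled firewall rules. Reverse with
# -Value 0 and Enable-NetFirewallRule -DisplayGroup 'Remote Desktop' once a VPN-only path exists.
```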

Patch and update everything

It is critical that you keep up with Windows updates as well as antivirus updates to prevent Ransomware exploitation. Not so obvious is that it is just as important to keep up with all Adobe and Java software. Remember, your security is only as good as your weakest link.

Use a layered approach to endpoint protection

It is not the intent of this article to endorse one endpoint product over another, but rather to recommend a methodology that the industry is rapidly adopting. Ransomware, as a form of malware, feeds on weak endpoint security; if you strengthen endpoint security, ransomware will not proliferate as easily. A report released last week by the Institute for Critical Infrastructure Technology (ICIT) recommends a layered approach: behavior-based heuristic monitoring to prevent the act of non-interactive file encryption (which is what ransomware does), and, at the same time, a security suite or endpoint antimalware that is known to detect and stop ransomware. Both are necessary because, while many antivirus programs will detect known strains of this nasty Trojan, unknown zero-day strains can only be stopped by recognizing their behavior: encrypting files, changing the wallpaper, and communicating through the firewall with their command and control center.
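A minimal illustration of the behavior-based layer, added here and not taken from the article or the ICIT report: it plants decoy documents in a "canary" folder that no user or program should ever touch and polls them; a burst of changes, renames or deletions there is the fingerprint of non-interactive bulk encryption. The folder path, thresholds, decoy content and the response hook are constructed for this example.

```powershell
# Added example (not from the article): canary-folder heuristic for bulk file encryption.
# Folder path, thresholds, decoy content and the response hook are constructed here.
$canary      = Join-Path $env:USERPROFILE 'Documents\_canary'
$threshold   = 5     # decoys changed within one interval that triggers an alert
$intervalSec = 10

# Plant 20 decoy "documents"; legitimate activity never touches this folder.
New-Item -ItemType Directory -Path $canary -Force | Out-Null
1..20 | ForEach-Object {
    Set-Content -Path (Join-Path $canary ('report{0:d2}.docx' -f $_)) -Value ('decoy text ' * 40)
}

function Get-CanarySnapshot([string]$dir) {
    # map full path -> "length:lastwrite" so any rewrite, truncation or rename shows up
    $snap = @{}
    Get-ChildItem -Path $dir -File -Recurse | ForEach-Object {
        $snap[$_.FullName] = '{0}:{1}' -f $_.Length, $_.LastWriteTimeUtc.Ticks
    }
    return $snap
}

function Measure-CanaryChanges([hashtable]$old, [hashtable]$new) {
    $changed = 0
    foreach ($k in $old.Keys) {            # modified, renamed (e.g. to .locked) or deleted
        if (-not $new.ContainsKey($k) -or $new[$k] -ne $old[$k]) { $changed++ }
    }
    foreach ($k in $new.Keys) {            # new files such as ransom notes or encrypted copies
        if (-not $old.ContainsKey($k)) { $changed++ }
    }
    return $changed
}

$baseline = Get-CanarySnapshot $canary
Write-Host "Watching $canary every $intervalSec s (Ctrl+C to stop)"
while ($true) {
    Start-Sleep -Seconds $intervalSec
    $current = Get-CanarySnapshot $canary
    $n = Measure-CanaryChanges $baseline $current
    if ($n -ge $threshold) {
        Write-Warning ('{0} canary files changed in {1}s at {2:u}: possible ransomware activity' -f $n, $intervalSec, (Get-Date))
        # Response hook (constructed): isolate the host, e.g. Get-NetAdapter | Disable-NetAdapter -Confirm:$false
    }
    $baseline = $current
}
```

A real product does this with a kernel-mode file system filter and reacts within milliseconds; the polling version shows the logic, not the speed.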

What to do if you think you are infected

Disconnect from any WiFi or corporate network immediately. You may be able to stop communication with the command and control server before it finishes encrypting your files. You can also prevent Ransomware on your computer from encrypting files on network drives.

Use System Restore to return to a known clean state

If you have System Restore enabled on your Windows machine, you may be able to roll your system back to a previous restore point. This will only work if the Ransomware strain you have has not already destroyed your restore points.

Boot to a boot disk and run your antivirus software

If you boot from a boot disk, none of the services registered in the installed system will start, including the ransomware agent. You may then be able to use your antivirus program to remove the agent.

Advanced users can do more

The ransomware embeds its executables in the AppData folder of your profile. In addition, entries under the Run and RunOnce keys in the registry automatically start the ransomware agent when the operating system starts. An advanced user should be able to:

a) Run a thorough antivirus scan to remove the Ransomware installer

b) Start the computer in safe mode so that the ransomware does not run, or end its service.

c) Remove encryption programs

d) Restore encrypted files from offline backups.

e) Install layered endpoint protection, including signature and behavior-based protection to prevent re-infection.
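A triage script for steps a) and b), added here and not part of the article: it lists every Run/RunOnce autostart value and flags commands whose executable sits in AppData, ProgramData or a Temp folder, the locations the article says the agent is dropped into. Suspicious entries are only reported; removal is left to the analyst. The folder list and output columns are constructed for this example.

```powershell
# Added example (not from the article): report Run/RunOnce entries that start from data folders.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Locations a malware dropper can write to without elevation (constructed list)
$dataRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:TEMP, "$env:SystemRoot\Temp") |
    Where-Object { $_ }
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-CommandExe([string]$cmd) {
    # "C:\path with spaces\x.exe" /arg -> C:\path with spaces\x.exe ; unquoted: first token
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd.StartsWith('"')) { return $cmd.Split('"')[1] }
    return ($cmd -split '\s+')[0]
}

function Get-AutorunReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $metaProps) { continue }          # provider metadata, not a value
            $exe = Get-CommandExe ([string]$p.Value)
            $inDataDir = [bool]($dataRoots | Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Exe     = $exe
                Exists  = ($exe -ne '') -and (Test-Path -LiteralPath $exe)   # missing = already cleaned or moved
                Suspect = $inDataDir
            }
        }
    }
}

Get-AutorunReport | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Review the Suspect rows against the running processes before deleting anything; some legitimate updaters also start from AppData, which is why the article recommends exclusions rather than blanket deletion.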
