Ransomware, public enemy number 1!

Over the past few years undoubtedly Ransomware has become the top security concern no matter which industry. Several high profile publicly visible data breaches have happened in the healthcare and financial sectors leading to payouts to retrieve encrypted corporate data. Computer viruses have been around a long time, but it’s important to understand the Ransomware variant, how it works and some of the steps you can take to mitigate this growing act of intrusion and theft.

About Ransomware:

Basically, there are two basic types of Ransomware seen today. The first is non-encrypting, screen locking, and the second is file encryption (Crypto-ware) data locking.

Screen-Locking ransomware locks the screen on your system, typically displays a fake warning made to look legitimate from sources like the FBI, FTC or other governmental or law enforcement agency that cites you have engaged in illegal or illicit activities. The banner or warning screen may display a phone number to call indicating a solution will be provided to remedy the illegal actions for a fee.

Crypto-ware, unlike screen locking, silently scans your computer and any connected data sources for specific file types and encrypts them with a secure key. It replaces the file with a banner indicating your files have been locked, and if you want to retrieve or de-crypt them you must pay a ransom fee. This ransom request usually comes with a time limit requiring you to act quickly before the private key used to encrypt your files is deleted. It also generally requires payment in the form of Bitcoin to the attacker.

 Today’s delivery of Ransomware :

Today Ransomware is delivered in two main forms, phishing emails, and compromised websites using malicious URL web links.

Phishing emails: Email messages sent out in campaigns, which are widely distributed to spread downloader applications that carry out the installation of a program called a “Dropper”. It’s then up to the “Dropper or Downloader” to download and install a form of Crypto-ware which then encrypts your data silently, attacking all forms of connected data drives, cloud, network, or physically connected USB drives.

Compromised websites: These sites could be social in nature, and when visited contain URL links that when clicked on, initiate a script to download the malicious crypto-ware payload.

Most common forms of downloader / droppers seen today include Microsoft Office documents that may contain malicious macro’s, Java scripts that function very similarly, .lnk attachments that launch applications inside of Windows, and even .CHM files, which are Microsoft distributed help files.

How to prevent Ransomware infections:

Along with keeping systems updated and patched, one of the most effective prevention methods is training. Making sure all your users are trained in how to spot the various forms of attack methods such as rouge email attachments. Using methods like subscription based online training to keep employees’ knowledge levels up to date, utilizing safe phishing campaign software to test your employee’s ability to identify phishing attempts and identify users who click on potentially un-safe attachments.

Utilizing firewalls with IDS technology enabled, keeping anti-virus software current, patching any and all connected computers, infrastructure devices and public facing systems will help to reduce the possibility of an attack. Since email is the easiest delivery method for ransomware, utilizing an email filtering appliance or service will reduce the number of rouge emails received by staff.

If an attack happens, what ’s next ?

First things first, if you can locate the machine or system responsible for the outbreak, physically disconnect that system from the network immediately! The sooner the better, as Crypto-ware generally attacks local machine files first, and then moves on to cloud connected and network connected files and folders. By disconnecting the infected system, you are in fact shielding the network from further attack.

Even though best efforts may have been made to mitigate an attack, they can still happen. Once the ransomware has impacted the network there are generally only 2 options for recovery.

Pay the ransom fee: This is not a suggested course of action, but is an option. Law enforcement officials site that the vast majority of the time, paying the ransom rarely leads to receiving the key to decrypting the locked files. And in fact, helps to embolden criminals to continue to commit these cybercrimes due to the ease of payment perpetuating the problem of ransomware further.

Restore data from backups: Restoring data from a backup location is the only sure way to guarantee data recovery. It is imperative to have, maintain and test backups on a continual basis to make sure the data is current, and fully restorable in the event of an attack.  Simulating disasters and performing restorations will help to ensure the data can be restored and staff knows what to do when the event occurs. This will help to limit the amount of downtime your business or organization experiences and mitigate any loss of revenue due to the outage.

Having an up-to-date network map or system diagram will also aid in the recovery of critical systems that may be affected such as financial applications or remote access systems. Make sure to document and keep current, any system licenses and keys that may be needed in the event of a system rebuild as this will speed the recovery time.

In some cases, it may make sense to set aside a budget for potential outbreaks covering the costs of new equipment, software and external IT consulting resources should the need arise helping to expedite the recovery process.

Article written by Ryan Carter. If you have any questions or concerns about ransomware, give Ryan a call at 517.886.9526