Ransomware Guidance: Are You Prepared?

Written by Jeff Bohman, CISSP, CNA on November 28, 2017

Any organization without a ransomware protection strategy is taking a big risk. As ransomware attacks are on the rise, it is important to be aware of what ransomware is and how to defend yourself from attacks. For anyone blissfully ignorant of this term, a description of ransomware is provided, followed by recommendations concerning its defense.

According to US Government Computer Emergency Readiness Team Alert (TA16-091A) published in late 2016, it is:

Ransomware is a type of malware that infects computer systems, restricting users’ access to the infected systems. Ransomware variants have been observed for several years and often attempt to extort money from victims by displaying an on-screen alert. Typically, these alerts state that the user’s systems have been locked or that the user’s files have been encrypted. Users are told that unless a ransom is paid, access will not be restored. The ransom demanded from individuals varies greatly but is frequently $200–$400 dollars and must be paid in virtual currency, such as Bitcoin.

Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website, and then malware is downloaded and installed without the user’s knowledge.

Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been spread through social media, such as Web-based instant messaging applications. Additionally, newer methods of ransomware infection have been observed. For example, vulnerable Web servers have been exploited as an entry point to gain access to an organization’s network.

A study in June of 2017, sponsored by security software developer Malwarebytes, found that 41 percent of the US businesses polled had experienced between one and five ransomware attacks in the previous 12 months. Another six percent had experienced six or more attacks. Similar rates were reported in Australia, Germany and the UK.

Ransomware attacks continue to proliferate, with a new Cobra CrySIS variant reported the first week of November and two new CryptoMix variants discovered the week of November 15, 2017, according to Bleeping Computer, which credited Malware Hunter Team for details reported.

Malware Hunter Team operates a free website dedicated to the defense from ransomware. If a ransomware is identified, ID Ransomware will give the victim a distinct status on whether it is known to be decryptable or not and will provide a link to a credible source for more information.

When infected, ransomware displays intimidating messages similar to those below:

  • “Your computer was used to visit websites with illegal content. To unlock your computer…”
  • “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”
  • “What happened to your files? All of your files were protected by a strong encryption with RSA-2048. Decrypting your files is only possible with a private key and decrypt program, which is on our secret server. What do I do? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! And restore your data the easy way.”

According to US-CERT, in 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors. The financial success of this one server has led to a proliferation of this type of organized crime activity targeting individuals, small businesses, enterprise businesses and government agencies.

Cost

The amount of data and type of entity compromised will influence the value of the ransom demanded. A mid-sized US municipality recently paid more than $40,000 to liberate its data. A hospital on the west coast paid $17,000. According to Paymnts.com, in 2016, cybercriminals demanded an average of $1,077 per victim, compared to $294 in the previous year. Examples of CryptoMix were reported in November 2016 demanding 5 to 10 bitcoins at $650 per bitcoin as the ransom amount. A few months earlier, increases to $700 were shocking. Bitcoin prices are trading above $8,000 today, and ransom amounts appear to be rising rapidly too.

Distribution

Some variants encrypt not just the files on the infected device, but also the contents of shared or networked drives. In early 2016, a destructive ransomware variant, Locky, was observed infecting computers belonging to healthcare facilities and hospitals in the United States, New Zealand and Germany. It propagated through spam emails that included malicious Microsoft Office documents or compressed attachments (e.g., .rar, .zip). The malicious attachments contained macros or JavaScript files to download Ransomware-Locky files.

Weaknesses in access controls and password security, as well as unpatched software vulnerabilities, have been identified as entry points for 2017 variants, such as WannaCry, NotPetya, Bad Rabbit, new versions of CrySIS and two new CryptoMix variants reported in November 2017.

Some solutions are presented below, but remote access vulnerabilities can be effectively mitigated using VPNs and multi-factor authentication, which require a minimum of two out three of the following items:

  1. Something you know (ID/PW)
  2. Something you have (key fob, electronic badge, or smartphone – hard or soft tokens)
  3. Something you are (biometric)

Payloads Include Multiple Types of Malware

Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected system and requests that a ransom be paid.

Consequences

  • Temporary or permanent loss of sensitive or proprietary information;
  • Disruption to regular operations;
  • Financial losses incurred to restore systems and files; and
  • Potential harm to an organization’s reputation.

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money and, in some cases, banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Solutions

Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist, but the first step when an attack is detected is to disconnect infected computers from the network and Internet. Encryption processes take time, so this will mitigate the extent of the damage.

In order to protect yourself from ransomware, it is important that you use good computing habits and security software. Security awareness training should include email security testing to ensure users are adept at recognizing threatening email messages.

First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack. Historical backup archive retention should also be considered to permit recovery when an attack is slow to develop and infected files are backed up.

You should also have security software that incorporates behavioral detections to combat ransomware and not just virus signature detections or heuristics. An effective example is Palo Alto’s Traps solution, which establishes an operational baseline and automatically halts untrusted actions within the network.

Gartner annually assesses endpoint protection solutions and ranks them in an annual report. The report can usually be obtained from any of the companies reviewed.

US-CERT recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infections:

  • Perform frequent backups of system and important files, and verify those backups regularly. If ransomware affects your system, you can restore your system to its previous state with any files unaffected by ransomware.
  • The safest practice is to store backups on a separate device that cannot be accessed from a network. For additional information, see the Software Engineering Institute’s blog post here.
  • Be careful when clicking directly on links in emails, even if the sender appears to be known. Attempt to verify web addresses independently by contacting your organization’s helpdesk or searching the Internet for the main website of the organization or topic mentioned in the email.
  • Exercise caution when opening email attachments. Be particularly wary of compressed or ZIP file attachments.
  • Follow best practices for Server Message Block (SMB), and update to the latest version immediately. See US-CERT’s SMBv1 Current Activity for more information.

For general best practices on patching and phishing (social engineering attacks), users should exercise the following guidelines:

  • Ensure that your applications and operating system has been patched with the latest updates. Vulnerable applications and operating systems are the target of most attacks. More information can be found here.
  • Be suspicious of unsolicited phone calls, visits or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
  • Avoid providing personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
  • Avoid revealing personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Be cautious about sending sensitive information over the Internet before checking a website’s security. See Protecting Your Privacy for more information.
  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain – for example, .com vs. .net.
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from anti-phishing groups such as the APWG.
  • Install and maintain anti-virus software, firewalls and email filters to reduce some of this traffic.

Individuals or organizations are discouraged from paying the ransom, as this does not guarantee files will be released. Report instances of fraud to the FBI at the Internet Crime Complaint Center.

Hopefully, by implementing good security habits, you will be successful in avoiding a costly ransomware incident. Please contact Warren Averett if you are interested in learning more.

Back to Resources
Top