The latest wave of malware is not a traditional virus; it is called ransomware. There are many variants, such as Cryptolocker or Locky, but they all do the same thing: encrypt your data, then force the user or company to pay a large ransom to get it back.
How does ransomware occur? What does the process look like?
- Phishing – Typically a group of attackers targets an organization. Once an organization is targeted, its users start receiving targeted phishing emails. Industry statistics say that roughly 30% of those emails will be clicked on, and FBI cybercrime statistics tell us that it takes only about 20 phishing emails sent into an organization to make it a near certainty that at least one of them will be opened and someone will click the link (at a 30% click rate, the chance that none of 20 recipients clicks is 0.7^20, well under 0.1%). Links have a much higher click-through rate than attachments.
- Infection – Once a user clicks the link or opens the infected attachment, the malware is installed on the end user's machine. You might think anti-virus will stop this; it won't. Why? It is too easy these days to figure out what technology an organization is running (are you sure you want to list all of your technical accomplishments on LinkedIn?) via social media, job postings and other publicly available information. If an attacker knows which AV you are running, it is quite simple to have malware generated that the AV does not detect. This process, called "crypting", is sold on the dark web as crime-as-a-service (CaaS), and the cost to "crypt" a piece of malware through such a service is as low as $20.
- Key retrieval – Once the malware is on a machine, it reaches out to a command-and-control site to obtain an encryption key. (The latest variants have eliminated this step: they generate the key on the victim's machine and protect it with a public key embedded in the malware, so blocking the command-and-control traffic no longer stops the encryption.)
- Encryption – Now that the malware is installed and has an encryption key, it begins its work in the background, silently encrypting thousands of files on the PC and on the network. The malware usually starts with network shares first; the attackers know this is where the most valuable data typically resides.
- Notification – Once encryption is complete, a pop-up message appears on the end user's PC: a ransom note with payment instructions and a deadline.
- Respond – The end user, typically alarmed, now has to call IT Security and report the infection. The malware cannot simply be removed, because the files will still be encrypted. Worse, if the ransom is not paid within the deadline, the attackers threaten to destroy the decryption key, and with it any chance of recovering the data. A company now has two choices:
- Pay the ransom – anywhere from thousands of dollars to millions of dollars.
- Restore all systems and data from backup (you do have good, tested backups, kept where an infected machine cannot write to them, right?).
Neither of these is a great choice to have to make. We get calls for help asking what can be done, and the options are limited. When the attackers have implemented the cryptography correctly, the encryption cannot be broken, and there is nothing a security professional can do to recover the data once it has been encrypted, short of the key or a backup. (Occasionally a variant with a flawed implementation yields a free decryption tool, but you cannot plan on that.)
In an alert published today, the U.S. Federal Bureau of Investigation (FBI) warned that recent ransomware variants have targeted and compromised vulnerable business servers (rather than individual users) and used them to identify and attack further hosts, multiplying the number of infected servers and devices on a network.
“Actors engaging in this targeting strategy are also charging ransoms based on the number of host (or servers) infected,” the FBI warned. “Additionally, recent victims who have been infected with these types of ransomware variants have not been provided the decryption keys for all their files after paying the ransom, and some have been extorted for even more money after payment.”
How can you stop ransomware attacks from happening?
We broadly break security down into three areas: preventative, detective and corrective controls.
Preventative controls, which include people, processes and technologies, are obviously the most effective: we want to help our clients prevent this type of infection from getting into their network in the first place. Some examples of preventative controls we recommend:
- Next-generation firewalls with IDS/IPS (like Palo Alto’s Virtualized Next Generation Firewall)
- Email filtering for malware
- DNS protection
- URL/content filtering (like Check Point’s URL Filtering Blade)
- Next generation endpoint protection (like McAfee Endpoint Protection Suite)
- Employee security awareness training
- Internal email phishing campaigns
- Cryptolocker Prevention Kit – (group policies, agents, utilities, and more)
Detective controls include the ability to detect the files themselves being encrypted. As security specialists, some technologies we deploy can help in this regard:
- Attivo Networks – deceptive technologies
- DLP (like McAfee’s Total Protection for Data Loss Prevention)
By setting a low threshold on the number of files a single process may modify in a short period, we can detect a process that has started accessing or encrypting thousands of files and shut down the process or the account before the bulk of the damage occurs.
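The two detective ideas above, a decoy file that nothing legitimate should touch and a low threshold on files modified per process, can be combined in a small detector over file-server audit events. The following is an added example written for this page; it is not code from the original post or from any vendor named in it. The audit line format (epoch seconds, host, user, process, operation, path), the threshold and window values, the decoy paths and the sample log lines are all assumptions constructed for illustration.

```python
"""Decoy-file and rate-threshold detector for file-share activity.

Added example, not code from the original post or any vendor it names.
Assumes an audit feed with one event per line:
    <epoch_seconds> <host> <user> <process> <op> <path>
The format, thresholds, decoy paths and sample lines are all assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed tuning: the "low threshold" of distinct files one process may modify per window.
DEFAULT_THRESHOLD = 20      # distinct files modified by one process ...
DEFAULT_WINDOW = 60         # ... within this many seconds
# Assumed decoy (canary) files planted on the share; nothing legitimate should open them.
DEFAULT_DECOYS = frozenset({
    r"\\fileserver\finance\~budget_master.xlsx",
    r"\\fileserver\hr\~payroll_archive.docx",
})
MODIFYING_OPS = frozenset({"WRITE", "RENAME", "DELETE"})


@dataclass(frozen=True)
class Event:
    ts: int
    host: str
    user: str
    process: str
    op: str
    path: str


@dataclass(frozen=True)
class Alert:
    kind: str        # "decoy" or "rate"
    ts: int
    host: str
    user: str
    process: str
    detail: str


def parse_line(line):
    """Parse one audit line; the path may contain spaces, so split at most 5 times."""
    ts, host, user, process, op, path = line.strip().split(None, 5)
    return Event(int(ts), host, user, process, op.upper(), path)


class Detector:
    def __init__(self, threshold=DEFAULT_THRESHOLD, window=DEFAULT_WINDOW, decoys=DEFAULT_DECOYS):
        self.threshold = threshold
        self.window = window
        self.decoys = {p.lower() for p in decoys}
        self._recent = defaultdict(deque)   # (host, user, process) -> deque of (ts, path)
        self._fired = set()                 # (key, kind) pairs already alerted on

    def _alert(self, key, kind, ev, detail):
        """Raise each kind of alert once per process so the responder is not flooded."""
        if (key, kind) in self._fired:
            return None
        self._fired.add((key, kind))
        return Alert(kind, ev.ts, *key, detail)

    def feed(self, ev):
        """Return the alerts (zero, one or two) raised by this single event."""
        key = (ev.host, ev.user, ev.process)
        alerts = []
        # Any access to a decoy file, read or write, is suspicious on its own.
        if ev.path.lower() in self.decoys:
            a = self._alert(key, "decoy", ev, f"touched decoy {ev.path}")
            if a:
                alerts.append(a)
        # Rate rule: count distinct files modified by one process inside a sliding window.
        # Distinct paths, not raw writes, so a log writer hammering one file stays quiet.
        if ev.op in MODIFYING_OPS:
            q = self._recent[key]
            q.append((ev.ts, ev.path))
            while q and ev.ts - q[0][0] > self.window:
                q.popleft()
            distinct = len({p for _, p in q})
            if distinct >= self.threshold:
                a = self._alert(key, "rate", ev,
                                f"{distinct} distinct files modified within {self.window}s")
                if a:
                    alerts.append(a)
        return alerts


def response_actions(alert):
    """The containment steps the post describes: stop the process, then the account."""
    return [f"kill {alert.process} on {alert.host}",
            f"disable account {alert.user}"]


def scan(lines, **kw):
    """Run the detector over an iterable of audit lines and collect all alerts."""
    det = Detector(**kw)
    alerts = []
    for line in lines:
        if line.strip():
            alerts.extend(det.feed(parse_line(line)))
    return alerts


def sample_log():
    """Constructed sample: a normal user, then a process rewriting one file per second."""
    lines = [f"{1000 + 100 * i} ws01 alice winword.exe WRITE \\\\fileserver\\finance\\report{i}.docx"
             for i in range(5)]
    for i in range(30):
        if i == 4:   # the suspect process reads a decoy while enumerating the share
            lines.append(f"{2000 + i} ws07 bob invoice_view.exe READ \\\\fileserver\\finance\\~budget_master.xlsx")
        else:
            op = "RENAME" if i % 2 else "WRITE"
            lines.append(f"{2000 + i} ws07 bob invoice_view.exe {op} \\\\fileserver\\finance\\doc{i}.xlsx")
    return lines


if __name__ == "__main__":
    for a in scan(sample_log()):
        print(a.kind, a.ts, a.user, a.process, a.detail)
        for step in response_actions(a):
            print("   ->", step)
```

On the constructed log the decoy rule fires on the fourth event from the suspect process, well before the rate rule, which is the point of planting decoys: the threshold still has to be low enough to catch a process that never happens to touch one. Lowering `threshold` makes the rate rule fire earlier at the cost of more noise from legitimate bulk operations such as a backup job, so in practice such jobs get their own allow-list keyed on the same (host, user, process) tuple.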
Finally, corrective controls include:
- Incident Response – remediation, malware removal from PCs and email
- Restoration of backups
- Post-incident review
- Systems hardening, remediation
It is important to remember that your people, processes and technology should always be assessed to reduce cybersecurity threats. For more information on ransomware and answers to other IT related questions, contact us today and a friendly IT consultant will be in touch with you.