Monday, October 17, 2016

Ransomware Risk Mitigation


RANSOMWARE:
Malware that locks or encrypts your system or files and demands that you pay a ransom to decrypt or unlock them.


RANSOMWARE is a serious issue addressed by all the AV companies and by security agencies such as the FBI.
The average ransom demand is now $679.

RANSOMWARE targets end users, and attacks on enterprise users are on the rise, usually delivered through spear-phishing emails.


Stages of RANSOMWARE:

Infection: A script, program or exe file that contains the code to encrypt your system files reaches the machine and runs.

Search & Encrypt: In most cases the target file types are configured in advance. The script searches for system files, .docx, .xlsx and other specified files and starts encrypting them.

Notification: The affected user is notified that the system is locked and a ransom needs to be paid, along with a countdown timer showing the time left to pay, after which you will never be able to recover the data.



RANSOMWARE is not a Virus.

RANSOMWARE informs the user after the attack and requires you to pay up to free your data, which is held to ransom.

Why isn't your antivirus / security suite enough?
AVs work on signature recognition of a file or program to decide whether it is a good egg or a bad one.

There are quite a few famous RANSOMWARE families such as TeslaCrypt, Locky, Waltrix etc. But the main problem is that there are many custom variants of RANSOMWARE, which renders signature recognition useless.


Ransomware has gained a lot of steam in the past year. It has even evolved into "Ransomware as a Service": it is being sold on the market like any other software service. One might also witness intense competition between rival groups, with each group sharing the decryption keys of its rival.


Preventing a RANSOMWARE Attack:

Employee Training: Most employees working in enterprise or the health industry are not aware of RANSOMWARE. They need to be made aware of it and trained in how to prevent and report such an occurrence.

Phishing: Beware of phishing emails. RANSOMWARE can also be disguised in macros and sent via email under a genuine-looking name such as "2016 Store Rollout Plain.xlsx". Macros have unlimited ability to execute a program or script. Disable macros when not required.

Click Bait: Many links are laced with RANSOMWARE infections, causing the script or payload to download via JavaScript and other means and infect the system.

Internet: If you notice that files are being encrypted, disconnect from the internet immediately and also power off the system. This will help prevent the infection from spreading. Disconnect any network drives connected to the system, as RANSOMWARE has a tendency to go after those too.

Backup: Take scheduled backups often. In case of a RANSOMWARE infection the system can be restored from the backup or Windows restore. Beware: some RANSOMWARE even encrypts the shadow copies and backup files.

Public Wi-Fi: Beware of public Wi-Fi; it is best to avoid using public Wi-Fi for official work. Using a man-in-the-middle attack via a Pineapple router, an attacker can easily move the infection to your system.

Update: Keep your system patched and keep the software and applications you use regularly up to date to safeguard against the latest vulnerabilities.

Show Hidden File Extensions: This could prevent the user from running an exe file disguised as a video or picture file.

Misc: You will need a behaviour-driven detection system that looks out for malicious activity by a program or a user. Since a RANSOMWARE attack can be unique every time, such a detection system will truly serve the purpose. Ex: https://www.barkly.com/
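To illustrate what a behaviour-driven detector looks for during the Search & Encrypt stage, here is a small added example (not code from this post or from any vendor): it flags a process that renames many documents to an unfamiliar extension in a short window. The event tuples are constructed for the demo; in practice they would come from a file-system audit source such as Sysmon or an EDR agent.

```python
"""Toy behaviour-based ransomware detector (added example, not from the post).

Assumes file-system events arrive as (timestamp_seconds, process, operation,
old_path, new_path) tuples; the SAMPLE_EVENTS stream below is constructed.
"""
from collections import defaultdict, deque

# Document extensions worth watching (the post mentions .docx and .xlsx)
DOCUMENT_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt"}


def _extension(path):
    """Return the lower-cased final extension of a path, or '' if none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def rename_changes_extension(old_path, new_path):
    """True when a rename swaps a document extension for an unknown one."""
    return _extension(old_path) in DOCUMENT_EXTS and _extension(new_path) not in DOCUMENT_EXTS


def detect_mass_encryption(events, window_seconds=60, threshold=20):
    """Return {process: timestamp_of_first_alert} for processes that rename
    at least `threshold` documents to a foreign extension within `window_seconds`."""
    recent = defaultdict(deque)  # process -> timestamps of suspicious renames
    alerts = {}
    for ts, proc, op, old, new in sorted(events):
        if op != "RENAME" or not rename_changes_extension(old, new):
            continue
        q = recent[proc]
        q.append(ts)
        while q and ts - q[0] > window_seconds:  # drop events outside the window
            q.popleft()
        if len(q) >= threshold and proc not in alerts:
            alerts[proc] = ts
    return alerts


# Constructed sample stream: one normal save, then a fake process bulk-renaming
# spreadsheets to ".locked" one per second (the encrypt-and-rename pattern).
SAMPLE_EVENTS = [(0, "WINWORD.EXE", "RENAME", "C:\\docs\\report.docx", "C:\\docs\\report_v2.docx")]
SAMPLE_EVENTS += [(5 + i, "svchost_fake.exe", "RENAME",
                   f"C:\\docs\\file{i}.xlsx", f"C:\\docs\\file{i}.xlsx.locked")
                  for i in range(30)]

if __name__ == "__main__":
    print(detect_mass_encryption(SAMPLE_EVENTS))  # {'svchost_fake.exe': 24}
```

A real deployment would pair this with a canary file and a response action (suspend the process, drop the network share), since the alert fires only after the first batch of files has already been touched.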


In case you are attacked:
· Inform the authorities.
· Isolate the system from the network.
· There are many free tools out there that might help you unlock your files. You may try them. Ex: Trend Micro Crypto-RANSOMWARE File Decryptor Tool
· Paying the ransom should be your last option. Many organizations have ended up paying. In many cases the decryption key is not provided even after the ransom is paid.

References: Osterman Research
