Top 10 Things You Should Know About Ransomware

0

Ransomware is a hot topic in the news these days, but what exactly is it and why should you care? This blog discusses the top 10 things you should know about ransomware, why it is becoming more prevalent, and, most importantly, what you can do to reduce your chances of becoming a victim of ransomware.

1. What is ransomware?

Ransomware is a type of malware that infects a computer and restricts users’ access to it until a ransom is paid to unlock it. Ransomware has been around for a several years, however, in the recent years, attacks have increased, and have become highly targeted and sophisticated. In the last couple years, several thousands of computers have been affected by ransomware which are designed to extort money from users and organizations.

2. Types of ransomware

  • Older versions: Locking-type ransomware
    • Deny or block access to computer or files.
    • Demand ransom to unblock or to provide access.
    • On-screen alert provides instructions to victim on how to provide payment and regain access.
  • Recent versions: File-encrypting ransomware
    • Encrypt user files with strong encryption such as RSA, AES etc.
    • Demand ransom to decrypt files.
    • Onscreen alert provides instructions to victim on how to provide payment and regain access.

3. Examples of ransomware

Some types of Ransomware are: Crysis, CryptoLocker, CryptoWall, CTB-Locker, Locky, SamSam.exe, TorrentLocker, Teslacrypt, RAA. Here is a deeper definition of three common ones:

  • Trojan.Randsom.C is a type of locking ransomware that blocks users access to their computer and then issues a ransom fee for access to be paid via phone.
  • Reveton is an example for locking ransomware and it fraudulently claims to be from a legitimate law enforcement authority and blocks users from accessing their computer. Reveton also tracks geographic location of the victim and displays country-based law enforcement message. For example, if it detects that the victim is from U.S, then it will display the alert from FBI. This Ransomware demands a “fine” to restore access.
  • RAA is one of the recent variants of encrypting Ransomware written completely in JavaScript. RAA is primarily delivered through phishing email with attachment named .text.js. This file will be displayed as “filename.txt” as in most Windows® machines, the extensions are usually not configured to be displayed. Once the user opens this file, the Ransomware starts encrypting user files and displays a message with instructions to pay and decrypt files.

4. Ransom

The ransom demanded from victims varies greatly depending upon the victim and could be anywhere from a couple hundred dollars, several thousand dollars or more. To avoid traceability ransom is typically demanded in virtual currency such as Bitcoin.

5. Targets

The business of Ransomware has become highly professionalized and the cybercriminals are targeting not only home users, but also businesses, educational institutions, hospitals, Law enforcement and other Government agencies as well.

6. How do computer or networks become affected by ransomware?

Ransomware is commonly delivered through mass phishing emails with attachments pretending to be photos, reports, invoices, resumes or other business communications. Attachments are usually:

  • .zip file attachments which contain .exe files that are disguised as PDF, Word or Excel documents.
  • .js file attachments disguised using multiple file extension technique such as filename.txt.js.

When the user opens the attachment, it will install the ransomware, which will start encrypting data files. Ransomware also targets data files in any drives connected to the computer including network shares, or DropBox mappings.

Other popular methods include:

  • Drive-by downloading
    • Drive-by downloading occurs when an unsuspecting user simply visits a compromised website and the malware is downloaded and installed without the user’s knowledge.
    • Usually the drive-by-download utilizes known security weakness in browser, plug-ins, or OS.
  • Malvertising
    • Involves injecting malicious or malware-laden advertisement into legitimate online-advertising network and webpages.
    • Malware silently travels through the advertisement. It is dangerous because it does not require user action to compromise the system and it does not depend on a vulnerability on the website it is hosted from.

7. Recent attacks

Hackers have targeted a number of hospitals as well as universities and law enforcement agencies.

  • Law Enforcement Agency: In Feb, 2016, The Melrose Police Department in Massachusetts was hit by encrypting ransomware. It has been reported that the ransomware was triggered from a malicious email opened by a member of the department. According to Melrose free press, the police department paid one bitcoin as ransom to get the decryption key.
  • Hospital: In Feb 2016, ransomware took Hollywood hospital offline, and demanded $3.6M. Hollywood Hospital eventually paid $17,000.00/USD to free their computers.
  • University: In May 2016, The University of Calgary was attacked by a ransomware which locked staff, students and faculty out of their emails. According to Calgary Herald, The University of Calgary paid $20,000 CAD to free their email system.

8. Enterprises prove to be lucrative targets

  • Enterprise-targeted ransomware attacks have started to become mainstream.
  • Newer methods of ransomware infection include exploiting vulnerable web servers as an entry point to gain access into an organization’s network.
  • Enterprises have many users to target, and it could only take one innocent click to infect the entire enterprise with ransomware.

9. The impact of a ransomware attack varies based on the target

Here is a list of the most common effects:

  • Temporary or permanent loss of personal information, or organization’s proprietary information
  • Financial loses to recover personal files, or financial loss due to business disruption
  • Reputation damage to individual or organization

10. Best practices to protect against ransomware

The following are tips on how to best protect against becoming a victim of a ransomware attack.

  •  Testing
    • Conduct frequent vulnerability scanning of your organizations’ external and internal network, network devices, and web applications to identify security holes or any known security vulnerabilities
    • Conduct penetration testing to identify potential points of exploit on your organizations’ external and internal network, network devices, and web applications.
  • Raise awareness
    • Instruct users not open attachments from unknown sources or in emails that appear to be legitimate but are still suspicious and/or unexpected.
    • Instruct users to avoid enabling macros from email attachments.
    • Instruct users not to click on unsolicited web links in emails.
  • Patches and updates
    • Patch and keep operating systems, antivirus, browsers, Adobe Flash Player, Quicktime, Java, and other software up-to-date
  • Anti-virus software
    • Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
  • Restrict permissions
    • Restrict users’ permissions to prevent installation and execution of unauthorized software applications.
    • Apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or spreading quickly through the network.
  • Backup
    • Employ a data backup and recovery plan for all critical information.
    • Regularly backup servers and network shares with multiple restore points.
    • Consider backing up critical data in two different media including one off-site backup.
  • Customize
    • Email filter/Spam filter settings to block emails with suspicious attachments.
Share.

About Author

Shiv Ganapathy
Shiv Ganapathy

Shiv Ganapathy serves as senior managing consultant of Spirent Security Services. Shiv has more than 10 years of information technology experience with eight years of experience as a dedicated penetration tester. At Spirent, Shiv is leading the web and mobile application team as part of ethical hacking and security research group called Spirent SecurityLabs. Shiv has performed web application and mobile applications penetration testing for various clients ranging from the Fortune 500 to small and midsized companies. Shiv has also conducted several training sessions on application security best practices for Fortune 500 companies. Prior to joining Spirent, Shiv worked as managing consultant performing penetration tests, security assessments, vulnerability research, along with building and training a team of security consultants at Trustwave.

Leave A Reply

Log in or register to comment on this article.