What ransomware is
Ransomware is now an epidemic of insidious malware that cyber criminals use to extort money from you by seizing your computer or your files and demanding payment to get them back. Unfortunately, it is quickly becoming an increasingly popular way for malware authors to extort money from businesses and consumers alike. If this trend continues, ransomware will soon affect IoT devices, cars, and ICS and SCADA systems, not just computer endpoints. There are several ways ransomware can get onto a victim’s computer, but most infections result either from a social engineering tactic or from the use of software vulnerabilities to silently install it.
For the past year and even before that, malware authors have been sending out waves of spam emails targeting various groups. There is no geographic limit to who can be impacted, and while the emails initially targeted individual end users and then small to medium sized businesses, the enterprise is now the primary target.
In addition to phishing and spear-phishing social engineering, ransomware also spreads through remote desktop ports. Ransomware also affects files accessible on mapped drives, including external drives such as thumb drives and external hard disks, and folders on the network or in the cloud. If you have a OneDrive folder on your computer, those files can be affected and the encrypted versions then synced to the cloud.
No one can say with absolute certainty how much malware of this type is in the wild: a lot of it sits in unopened emails, and many infections go unreported.
The impact for those affected is that their data files have been encrypted, and the end user is forced to decide, against a ticking clock, whether to pay the ransom or lose the data forever. Affected files are usually popular data formats such as office documents, music, PDFs and other common file types. More sophisticated strains delete the computer’s “shadow copies”, which would otherwise allow the user to revert to an earlier point in time. They also destroy the computer’s “restore points”, as well as any backup files they can reach. The criminal manages the process from a command and control server that holds the private key for the user’s files. A timer is applied to the destruction of the private key; the ransom demand and the countdown are displayed on the user’s screen with a warning that the private key will be destroyed when the countdown ends if the ransom is not paid. The files themselves still exist on the computer, but they are encrypted and inaccessible, even to brute force.
In many cases, the end user sees no way out and simply pays the ransom. The FBI advises against paying: by paying the ransom, you fund further activities of this type, and there is no guarantee that you will get your files back. Additionally, the cybersecurity industry is getting better and better at dealing with ransomware. At least one major anti-malware vendor has released a “decryption” product in the past week, although it remains to be seen how effective this tool will be.
What you should do now
There are several perspectives to consider. The individual wants their files back. At the enterprise level, they want files back and assets protected. At the corporate level, they want all of this and also need to be able to demonstrate due diligence: preventing others from being infected by anything provided or sent by the company, and protecting the company from the mass crimes that are inevitable in the not so distant future.
In general, it is unlikely that the encrypted files themselves can be decrypted. Therefore, the best tactic is prevention.
Back up your data
The best thing you can do is to make regular backups to offline media while keeping multiple versions of the files. With offline media such as a backup service, tape, or other media that allows for monthly backups, you can revert to older versions of files at any time. Also, make sure you back up all data files; some may reside on USB drives, mapped drives, or thumb drives. As long as the malware has write access to a file, it can be encrypted and held for ransom.
Education and awareness
A crucial component in preventing ransomware infections is making your end users and employees aware of the attack vectors, particularly spam, phishing, and spear phishing. Almost all ransomware attacks succeed because an end user clicked on a seemingly harmless link or opened an attachment that looked like it came from a known person. By alerting and educating employees about these risks, they can become a critical line of defense against this insidious threat.
Show hidden file extensions
By default, Windows hides the extensions of known file types. Enabling the display of all file extensions, in your email client and in your file system, makes it easier to spot malware executables masquerading as harmless documents.
Filter out executable files in emails
If your email gateway scanner can filter files by extension, you may want to reject email messages that carry *.exe attachments. Use a trusted cloud service to send or receive *.exe files instead.
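As an added example (not from the original article), a Python check of the kind an email gateway or a mail-filtering script could apply to the attachments of a message. It implements the rejection rule above and also catches the masquerading that hidden extensions make possible: a double extension such as Invoice.pdf.exe, and a renamed Windows executable whose content still begins with the PE "MZ" signature. The sample message and both extension lists are constructed for this example.

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly, and document types a dropper likes to imitate (constructed lists).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".ps1"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}

def classify_attachment(filename, payload):
    """Return the reasons an attachment should be rejected; an empty list means allow."""
    reasons = []
    root, ext = os.path.splitext((filename or "").lower())
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        # 'Invoice.pdf.exe' is shown as 'Invoice.pdf' when Windows hides known extensions
        inner = os.path.splitext(root)[1]
        if inner in DOCUMENT_EXTS:
            reasons.append(f"double extension masquerading as {inner}")
    elif payload[:2] == b"MZ":
        # A renamed PE file keeps its 'MZ' header whatever the extension claims
        reasons.append("PE header under non-executable extension")
    return reasons

def scan_message(raw):
    """Parse an RFC 822 message and map each offending attachment name to its reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(part.get_filename(), payload)
        if reasons:
            findings[part.get_filename()] = reasons
    return findings

def build_sample():
    """Constructed message: one double-extension dropper, one real PDF, one renamed executable."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00fake", maintype="application", subtype="octet-stream", filename="Invoice.pdf.exe")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application", subtype="pdf", filename="terms.pdf")
    msg.add_attachment(b"MZ\x90\x00fake", maintype="image", subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(f"reject {name}: {'; '.join(reasons)}")
```

Archives (.zip) that wrap an executable are not opened here; a gateway would need to inspect archive members with the same rules.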
Disable running files from temporary file folders
First, allow hidden files and folders to be shown in Explorer so that you can see the AppData and ProgramData folders.
With your anti-malware software, you can create rules to prevent executable files from running from your profile’s AppData and Local folders, as well as from the computer’s ProgramData folder. Exclusions can be set for legitimate programs.
When practical, disable RDP (Remote Desktop Protocol) on high-value targets like servers, or block their direct Internet access by forcing connections through a VPN or another secure route. Some versions of ransomware use exploits that can deliver ransomware to an RDP-enabled target system. Several TechNet articles describe how to disable RDP.
Patch and update everything
It is important to stay current with your Windows updates as well as antivirus updates to prevent ransomware exploits. What is less obvious is that staying current with all Adobe software and Java is just as important. Remember, your security is only as good as your weakest link.
Use a layered approach to endpoint protection
It is not the intent of this article to endorse one endpoint product over another, but rather to recommend a methodology that the industry is quickly adopting. You need to understand that ransomware, as a form of malware, feeds on weak endpoint security; if you strengthen endpoint security, ransomware will not spread as easily. A report released last week by the Institute for Critical Infrastructure Technology (ICIT) recommends a multi-layered approach: behavior-based, heuristic monitoring that blocks the act of non-interactively encrypting files (which is what ransomware does), running at the same time as a security suite or endpoint anti-malware product known to detect and stop ransomware. It is important to understand that both are necessary: while many antivirus programs detect known strains of this trojan, unknown zero-day strains need to be stopped by detecting their behavior, such as encrypting files, changing the wallpaper and communicating through the firewall with their command and control server.
What to do if you think you may be infected
Disconnect from any WiFi or corporate network immediately. You may be able to stop communication with the command and control server before your files are encrypted, and you also prevent the ransomware from encrypting files on network drives mapped on your computer.
Use System Restore to return to a known clean state
If you have System Restore enabled on your Windows computer, you may be able to roll your system back to an earlier restore point. This only works if the ransomware strain you have hasn’t destroyed your restore points yet.
Boot from a boot disk and run your antivirus software
If you boot from a boot disk, none of the services in the registry will start, including the ransomware agent. You may be able to use your antivirus program to remove the agent.
Advanced users may be able to do more
Ransomware embeds executable files in your profile’s AppData folder. Additionally, entries in the Run and RunOnce keys in the registry automatically start the ransomware agent when your operating system boots. An advanced user should be able to do the following:
a) Run a thorough endpoint antivirus scan to remove the ransomware installer.
b) Boot the computer in safe mode so that the ransomware does not run, or stop its service.
c) Delete the encryption programs.
d) Recover encrypted files from offline backups.
e) Install multi-layered endpoint protection, including behavior-based and signature-based protection, to prevent re-infection.
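An added example (not from the original article) of the check that steps a) to c) and the earlier AppData/ProgramData rule imply: given the command lines stored in Run and RunOnce values, flag the ones whose program lives in a user-writable location such as AppData, ProgramData or Temp, where ransomware droppers are placed. The registry values and the environment map are constructed for the example; a live scan would read them with winreg and os.environ. The allowlist parameter stands in for the exclusions for legitimate programs mentioned above (OneDrive, which genuinely runs from AppData\Local, shows why one is needed).

```python
import re

# Constructed environment map used to expand %VAR% in value data (a live scan would use os.environ).
SAMPLE_ENV = {
    "WINDIR": r"C:\Windows",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}
# Directories a non-admin user can write to; the article names AppData and ProgramData as drop sites.
USER_WRITABLE = re.compile(r"\\appdata\\(roaming|local|locallow)\\|^c:\\programdata\\|\\temp\\", re.I)

def expand_env(command, env):
    """Replace %NAME% tokens with their values; unknown names are left untouched."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), command)

def extract_exe_path(command):
    """Pull the program path out of a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):                     # "C:\path with spaces\x.exe" /arg
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|scr|com|bat|cmd|vbs|js|hta))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split(" ")[0]

def suspicious_autoruns(entries, env=SAMPLE_ENV, allowlist=()):
    """entries: {value_name: command}. Returns {value_name: path} for programs in user-writable dirs."""
    allowed = {a.lower() for a in allowlist}
    flagged = {}
    for name, command in entries.items():
        path = extract_exe_path(expand_env(command, env))
        if USER_WRITABLE.search(path) and path.lower() not in allowed:
            flagged[name] = path
    return flagged

# Constructed Run-key values, modelled on what a typical user profile contains.
SAMPLE_RUN = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "Teams": r"C:\Program Files\Teams\teams.exe --autostart",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r'"%APPDATA%\Updater\updater.exe" -silent',
    "Cleanup": r"%TEMP%\cleanup.bat",
}

if __name__ == "__main__":
    for name, path in suspicious_autoruns(SAMPLE_RUN).items():
        print(f"review {name}: {path}")
```

Values that launch a script through an interpreter (for example rundll32 or wscript with the payload as an argument) are not resolved by this parser and need a separate rule.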