RANSOMWARE:
Malware that locks or encrypts your system / files and requires you to pay a ransom to decrypt or unlock them.
RANSOMWARE is a serious issue addressed by all the AV companies and by security agencies such as the FBI.
The average ransom demand is now $679.
RANSOMWARE targets end users, and attacks on enterprise users are on the rise, usually delivered through spear phishing emails.
Stages of RANSOMWARE:
Infection: A script / program / exe file that contains the code to encrypt your system files is delivered and run.
Search & Encrypt: Most of the time the target file types are configured. The script searches for system files, .docx, .xlsx and other specified files and starts encrypting them.
Notification: The affected system is notified that it is locked and a ransom needs to be paid, along with a countdown timer indicating the time left to pay the ransom, after which you will never be able to recover the data.
Something like this:
RANSOMWARE is not a virus.
RANSOMWARE informs the user after the attack and requires you to pay up to free your data, which is held for ransom.
Why isn’t your antivirus / security suite enough?
AVs work on signature recognition of a file / program to detect whether it is a good egg or a bad one.
There are quite a few famous RANSOMWARE families such as TeslaCrypt, Locky, Waltrix etc. But the main problem is that there are many types of custom RANSOMWARE, which renders signature recognition useless.
Ransomware has gained a lot of steam in the past year. It has even evolved into “Ransomware as a Service”: it is being sold on the market like any other software service. One might also witness intense competition between rival groups, with each group sharing the decryption keys of its rival.
Preventing a RANSOMWARE Attack:
Employee Training: Most of the employees working in enterprise / Health Industry are not aware of RANSOMWARE. They need to be made aware and trained in how to prevent and report such an occurrence.
Phishing: Beware of phishing emails. RANSOMWARE can also be disguised in macros and sent across via email as something that looks genuine, for example “2016 Store Rollout Plan.xlsx”. Macros can execute arbitrary programs or scripts. Disable macros when not required.
Click Bait: Many links are laced with RANSOMWARE infections, causing the script / payload to download via JavaScript and other means and infect the system.
Internet: If you become aware that files are being encrypted, disconnect from the internet immediately and also power off the system. This will help you prevent the infection from spreading. Disconnect any network drives connected to the system, as RANSOMWARE has a tendency to go after those too.
Backup: Have a scheduled backup taken often. In case of a RANSOMWARE infection the system can be restored using the backup / Windows System Restore. Beware: some RANSOMWARE even encrypts the shadow copies / backup files.
Public Wi-Fi: Beware of public Wi-Fi; it is best to avoid using public Wi-Fi for official work. Using a man-in-the-middle attack via a Wi-Fi Pineapple (rogue access point), the attacker can easily move the infection to your system.
Update: Keep updating your system via patches, and keep the software and applications you use regularly up to date, to safeguard against the latest vulnerabilities.
Show Hidden File Extensions: This can prevent the user from running an exe file disguised as a video or picture file.
Misc: You will need a behavior-driven detection system that looks out for malicious activity by a program or a user. Since a RANSOMWARE attack can be unique every time, having such a detection system will truly serve the purpose. Ex: https://www.barkly.com/
In case you are attacked:
· Inform the authorities.
· Isolate the system from the network.
· Paying the ransom should be your last option. Many organizations have ended up paying, and in many cases the decryption key is not provided even after the ransom has been paid.