Tuesday, 26 January 2016

The Rise of Ransomware - Tips on prevention, response and evading extortion

Ransomware, a malware that prevents or in some cases limits users from accessing their data has been on the rise. Last year, 2015 saw a considerable increase with Crowti (also known as CryptoWall) and FakeBSOD being the two instances that affected more than 850,000 systems between June and November. In the first quarter of 2015, ransomware saw a 165% increase compared to the previous year. In the second quarter of 2015, 4 million samples of ransomware were identified indicating 58% ransomware growth. Ransomware is expected to grow in 2016 considering that more than half of malware attacks in 2015 also carried ransomware.
The main function of ransomware is to prevent the user (or users if it infects a server) from using that particular system. It does this by encrypting the files that it finds stored in the filesystem and connected drives. Usually, ransomware also tries to prevent certain applications and services from running.

Malicious files
These malicious files are called ransomware because they demand a payment (a ransom) in order to allow the users to decrypt their files; the attacker provides the decryption key in exchange for the payment. Some of these types of malicious files try to convince individuals that they have done something illegal in an attempt to scare them into making the payment (ransomware acting as scareware). In order to be more believable, some ransomware payment demands pretend to be from a law enforcement agency. The ransom usually starts at a few US dollars to hundreds of dollars or its Bitcoin equivalent.

Exploit kits have been developed and made available to cybercriminals for the rapid development of malware. Exploit kits are pre-packaged toolkits of malicious code and web pages that cybercriminals can either buy, license or even lease for the purpose of distributing malware, and more specifically ransomware. Thus, the variations of ransomware not only has increased significantly but it is expected to grow substantially in the following years. Exploit kit authors who sell the kits claim that a cybercriminal who invests $5,900 in such a kit could generate $84,000 per month.

Prevention
Understanding your potential exposure to ransomware is the first step to prevention, identifying the critical systems and data. Ensuring that you have measures in place to protect those systems or are able to recover the data should you become a victim of a ransomware infection.

Some measures that should be taken to avoid becoming a victim include:
  • Make sure antivirus software is present on all systems that may be affected by malicious software, ensure virus signatures are updated frequently (as new updates are released).  In particular systems exposed to the Internet. Having AntiMalware solutions installed along with the AntiVirus will further reduce the probability of malicious ransomware files being downloaded and infecting your system(s).
  • Make sure software patches and Operating Systems updates are applied as soon as they become available as these will address known OS and software security vulnerabilities that could be exploited.
  • Ensure users are aware of the risks associated with email and Internet use so that they know to avoid clicking on links or opening attachments in emails which originate from unknown sources. Educate users to avoid emails that look suspicious or out of the ordinary, even when they are from sources that they are familiar with; sometimes spoofed emails pretending to be from someone known to the recipient are used to spread malicious links and attachments.
  • Regularly back up important files, especially to a remote server or to a secure cloud storage, this can prevent your data from being held to ransom.
  • Mobile Device Management is necessary for preventing an infection originating from mobile devices and BYOD users.
  • Last but not least, providing cybersecurity awareness training to all users (including the CEO and Board of Directors), to raise their awareness of such a threat, to be able to spot an infection attempt and to ensure they know how to report an incident. It is estimated that 95% of ransomware infections are the result of a successful targeted spear-phishing attacks, with various sources estimating that as many as 70% of the targeted individuals are likely to open such an emails.

Response
If a system is infected by ransomware recovering the encrypted files can prove very challenging. Having said that, there are specific types of malware that have been reversed engineered, flaws in their encryption process have been identified or the secret keys for restoring the encrypted files have been found.  Ransomware is not like a typical virus infection, especially if it has managed to get hold of important data, special tools need to be utilised in order to remove the infection. Some antivirus vendors offer free tools that may be used to boot the infected system(s) and take any appropriate actions towards not only removing the infection but recovering the affected files as well. For that reason, your incident response plan needs to include detailed processes to deal with ransomware infections specifically.

Evading Extortion
Paying the ransom does not guarantee that you will regain access to your data. Criminals carrying out these types of attacks cannot be trusted and supporting their actions by paying the ransom only encourages them to continue investing in such criminal activities. Consider investing in cloud storage or cloud based services which can act as a risk mitigation tactic.

Report the threat to the relevant e-crime unit (in Ireland - An Garda Siochana; In UK - National Fraud & Cyber Crime Reporting Centre; in the US - the FBI Internet Crime Complaint Centre - or local law enforcement).

Frequently evaluating the changing malware threat landscape (per PCI DSS, requirement 5.1.2) to ensure that the antivirus/antimalware tools in place are sufficient to address the threat. Also, determine whether systems not yet protected by antivirus software now need protection (for example, as threats develop smartphones or tablets not previously considered to need antivirus may be at risk); and assessing the impact of business changes on your exposure to malicious software such as ransomware (as changing business dependencies on at-risk systems or data may require updated prevention and response approaches).

Finally, assess the effectiveness of the cybersecurity awareness training and more particularly against the threat of a ransomware infection across all business, by including this scenario in the testing of your incident response plan, which should be undertaken at least annually.

1 comment:

  1. I have read your blogs many times and I must say, every time I read it I get a good piece of information.
    Ransomware removal tool

    ReplyDelete