Ransomware - Did you update your incident response plan?

At the beginning of 2016 an article was published about the increasing threat of ransomware and provided advice on having an incident response plan that is ready to face this emerging threat. Our article focused on tips related to prevention, response and evading extortion. If you did not have a chance to read our article from January, we recommend that you read it as soon as possible.

Now, at the end of the first quarter of 2016, it is evident that ransomware has become a headache for those who did not take all the necessary precautions to avoid being the next target. Recently, the FBI released a statement to The Wall Street Journal that ransomware is a prevalent and increasing threat. As this recent article describes, attackers are trying new approaches to infection, such as ransomware ‘malvertising’, and have succeeded in creating the first Mac OS X ransomware.

Have a plan, Be Prepared
Due to the fact that it is not easy to deal with the situation after an organisation is hit by ransomware, the best course of action is to ensure there is a backup plan in place. It might come as a surprise but in order to understand the seriousness of the situation, consider that an official in the FBI’s Boston field office went against normal FBI policy and suggested to a conference audience that often the only solution is to pay the ransom. Sysnet wants to make sure you do not have to face that moral dilemma and for that reason we are trying to inform you about the increasing threat and ensure you have taken all the necessary steps towards prevention.

The Rise of Ransomware - Tips on prevention, response and evading extortion

Ransomware, a malware that prevents or in some cases limits users from accessing their data has been on the rise. Last year, 2015 saw a considerable increase with Crowti (also known as CryptoWall) and FakeBSOD being the two instances that affected more than 850,000 systems between June and November. In the first quarter of 2015, ransomware saw a 165% increase compared to the previous year. In the second quarter of 2015, 4 million samples of ransomware were identified indicating 58% ransomware growth. Ransomware is expected to grow in 2016 considering that more than half of malware attacks in 2015 also carried ransomware.

The main function of ransomware is to prevent the user (or users if it infects a server) from using that particular system. It does this by encrypting the files that it finds stored in the filesystem and connected drives. Usually, ransomware also tries to prevent certain applications and services from running.

Malicious files

These malicious files are called ransomware because they demand a payment (a ransom) in order to allow the users to decrypt their files; the attacker provides the decryption key in exchange for the payment. Some of these types of malicious files try to convince individuals that they have done something illegal in an attempt to scare them into making the payment (ransomware acting as scareware). In order to be more believable, some ransomware payment demands pretend to be from a law enforcement agency. The ransom usually starts at a few US dollars to hundreds of dollars or its Bitcoin equivalent.

Browse Safely & Tools for Looking up Potentially Malicious Websites

The following list contains free online tools for looking up a potentially malicious websites. Some of these tools will lookup their own historical data for a particular website, while others perform live tests. The URLs are in alphabetical order. 

Even though these websites allow you to initiate an online check on-demand, it is not the most convenient way for everyday use, especially when you jump from one website to the next. In that case, I strongly suggest the use of a browser plug-in (extension) that will do this for you automatically. On that note, know that there are several extensions that will do this check for you in real-time. 

I tested a bunch of them and to be completely honest the most lightweight and effective one I found was the Avira Browser Safety. This is a tiny extension that will not only lookup and check each website you visit for any malicious content but it will also list all trackers on the website. Also, the Avira Browser Safety extension allow you to select which trackers would you like to turn off by flipping a switch next to each tracker listed. Combining this with you favourite extension that blocks ads makes visiting website a little bit less scary process. 

Please note that I am referring to legitimate websites that have been breached with the only purpose to deliver malware to its visitors. In many cases, this breach stays undetected for days or weeks before it is picked up by the developers or the security team. Also, the reason why I am suggesting an ads blocker is because there have been many cases where ads have been compromised, and contain malicious JavaScript that infects visitors. (see: Malvertising) 

• AVG LinkScanner Drop Zone: Analyzes the URL in real time for threats
• BrightCloud URL/IP Lookup: Presents historical reputation data about the website
• Cisco SenderBase: Presents historical reputation data about the website
• Comodo Web Inspector: Examines the URL in real-time
• Cyscon SIRT: Provides historical data for IP addresses, domains and ASNs.
• FortiGuard lookup: Displays the URL’s history and category
• Is It Hacked: Performs several of its own checks of the URL in real time and consults some blacklists
• IsItPhishing: Assesses the specified URL in real-time
• KnownSec: Presents historical reputation data about the website; Chinese language only
• Malware Domain List: Looks up recently-reported malicious websites
• MalwareURL: Looks up the URL in its historical list of malicious websites
• McAfee Site Advisor: Presents historical reputation data about the website
• McAfee TrustedSource: Presents historical reputation data about the website
• MxToolbox: Queries multiple reputational sources for information about the IP or domain
• Norton Safe Web: Presents historical reputation data about the website
• PhishTank: Looks up the URL in its database of known phishing websites
• Quttera ThreatSign: Scans the specified URL for the presence of malware
• Reputation Authority: Shows reputational data on specified domain or IP address
• Sucuri SiteCheck: Scans the URL for malware in real time and looks it up in several blacklists
• Trend Micro Web Reputation: Presents historical reputation data about the website
• Unmask Parasites: Looks up the URL in the Google Safe Browsing database
• URL Blacklist: Looks up the URL in its database of suspicious sites
• URL Query: Looks up the URL in its database of suspicious sites and examines the site’s content
• URLVoid: Looks up the URL in several website blacklisting services
• VirusTotal: Looks up the URL in several databases of malicious sites
• vURL: Retrieves and displays the source code of the page; looks up its status in several blocklists
• WebPulse Site Review: Looks up the website in BlueCoat’s database
• Wepawet: Analyzes the URL in real time for threats
• Zscaler Zulu URL Risk Analyzer: Examines the URL using real-time and historical techniques

If you think you know of a site that can do something similar but it is not on this list, let me know and I will be happy to add it.