Ransomware causes and Prevention

INTRODUCTION

Ransomware Trojans are a type of cyberware that is designed to extort money from a victim. Often, Ransomware will demand a payment in order to undo changes that the Trojan virus has made to the victim’s computer. These changes can include:

There are two types of ransomware in circulation:

  1. Encryptors: designed to block access to files by encrypting them and to demand payment for the key that can decrypt the blocked content. Examples include CryptoLocker, Locky, CryptoWall and more.
  2. Lockers: lock the victim out of the operating system, making it impossible to access the desktop and any apps or files. Examples include the police-themed ransomware or Winlocker.

Some locker versions infect the Master Boot Record (MBR). The MBR is the section of a PC’s hard drive which enables the operating system to boot up. Examples include Satana and Petya families.

How Ransomware gets onto a computer

The most common ways in which Ransomware Trojans are installed are:

  1. Spam email campaigns that contain malicious links or attachments (there are plenty of forms that malware can use for disguise on the web);
  2. Security exploits in vulnerable software;
  3. Internet traffic redirects to malicious websites;
  4. Legitimate websites that have malicious code injected in their web pages;
  5. Drive-by downloads;
  6. SMS messages (when targeting mobile devices);
  7. Self-propagation (spreading from one infected computer to another).

Ransomware has some key characteristics that set it apart from other malware:

  • It features unbreakable encryption, which means that you can’t decrypt the files on your own (there are various decryption tools released by cyber security researchers – more on that later);
  • It has the ability to encrypt all kinds of files, from documents to pictures, videos, audio files and other things you may have on your PC;
  • It can scramble your file names, so you can’t know which data was affected. This is one of the social engineering tricks used to confuse and coerce victims into paying the ransom;
  • It will add a different extension to your files, to sometimes signal a specific type of ransomware strain;
  • It will display an image or a message that lets you know your data has been encrypted and that you have to pay a specific sum of money to get it back;
  • It requests payment in Bitcoins because this crypto-currency cannot be tracked by cyber security researchers or law enforcement agencies.
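The characteristics above (encrypted content, scrambled names, an appended extension, a ransom note) are also what a defender can look for when checking whether a share or a backup source has already been hit. As an added example, not taken from the article or its references, the following Python script walks a directory and tallies those indicators over a constructed sample folder. The extension lists, the note-name markers and the 7.5-bits-per-byte entropy threshold are assumptions to tune for your own data; compressed formats such as JPEG or DOCX are skipped in the entropy check because they are high-entropy even when healthy.

```python
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Extensions a user's documents folder normally holds (constructed list for this example).
COMMON_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt", ".csv", ".mp3", ".mp4"}
# Formats that are compressed by design and therefore high-entropy even when healthy.
NATURALLY_COMPRESSED = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".mp3", ".mp4", ".zip", ".gz"}
# Words that typically appear in ransom-note file names (constructed, illustrative).
NOTE_MARKERS = ("decrypt", "recover", "restore", "how_to", "help_")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or random data, far lower for text."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def looks_renamed(path: Path) -> bool:
    """report.docx.locky: a familiar extension followed by an unfamiliar one."""
    suffixes = [s.lower() for s in path.suffixes]
    return (len(suffixes) >= 2
            and suffixes[-2] in COMMON_EXTENSIONS
            and suffixes[-1] not in COMMON_EXTENSIONS)


def looks_like_note(path: Path) -> bool:
    """Ransom notes are small text/HTML files with names like README_FOR_DECRYPT.txt."""
    name = path.name.lower()
    return path.suffix.lower() in {".txt", ".html", ".hta"} and any(m in name for m in NOTE_MARKERS)


def triage_tree(root: Path, entropy_threshold: float = 7.5, sample_bytes: int = 64 * 1024) -> dict:
    """Walk a directory tree and tally indicators of mass encryption."""
    report = {"files": 0, "renamed": 0, "notes": 0, "high_entropy": 0, "suspects": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            report["files"] += 1
            reasons = []
            if looks_renamed(path):
                reasons.append("renamed")
            if looks_like_note(path):
                reasons.append("notes")
            # Only judge entropy for formats that should be low-entropy; a healthy JPEG is near 8 bits too.
            if path.suffix.lower() not in NATURALLY_COMPRESSED:
                with open(path, "rb") as fh:
                    if shannon_entropy(fh.read(sample_bytes)) >= entropy_threshold:
                        reasons.append("high_entropy")
            for r in reasons:
                report[r] += 1
            if reasons:
                report["suspects"].append((path.relative_to(root).as_posix(), reasons))
    return report


def looks_encrypted(report: dict, suspect_ratio: float = 0.5) -> bool:
    """A ransom note, or half the tree showing indicators, is treated as a strong signal."""
    if report["files"] == 0:
        return False
    return report["notes"] > 0 or len(report["suspects"]) / report["files"] >= suspect_ratio


def build_sample_tree(root: Path) -> None:
    """Constructed sample: a documents folder that has been partly encrypted."""
    text = b"Quarterly notes: the quick brown fox jumps over the lazy dog.\n" * 64
    (root / "notes.txt").write_bytes(text)                      # healthy text
    (root / "photo.jpg").write_bytes(os.urandom(4096))          # healthy, high-entropy by nature
    (root / "report.docx.locky").write_bytes(os.urandom(4096))  # encrypted and renamed
    (root / "budget.xlsx.locky").write_bytes(os.urandom(4096))  # encrypted and renamed
    (root / "diary.txt").write_bytes(os.urandom(4096))          # encrypted in place, name untouched
    (root / "README_FOR_DECRYPT.txt").write_bytes(b"Your files are encrypted. Pay to recover them.\n")


def run_demo() -> dict:
    """Build the sample tree in a temp directory, triage it, clean up, return the report."""
    tmp = Path(tempfile.mkdtemp())
    try:
        build_sample_tree(tmp)
        report = triage_tree(tmp)
        report["verdict"] = looks_encrypted(report)
        return report
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    result = run_demo()
    for rel, why in result["suspects"]:
        print(f"{rel}: {', '.join(why)}")
    print("mass encryption suspected:", result["verdict"])
```

On the constructed folder the script flags the two renamed files, the in-place encrypted diary and the ransom note, while leaving the healthy text file and the JPEG alone. Run against a real backup source before a scheduled job, a positive verdict is a reason to stop the job rather than overwrite good copies.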

[Image omitted] Image caption: One of the newest and most daring ransomware families to date is definitely Locky.

Different types of recent Ransomware

I. WannaCry

On Friday, May 12, 2017, around 11 AM ET/3 PM GMT, a ransomware attack of “unprecedented level” (Europol) started spreading WannaCry around the world. It used a vulnerability in Windows that allowed it to infect victims’ PCs without them taking any action.

As of May 24, 2017, the infection had affected over 200,000 victims in 150 countries and was still spreading.


II. Uiwix

Uiwix is a recent development: another type of encrypting malware that tries to replicate the impact WannaCry had. It improves on WannaCry by not including a kill-switch domain, while keeping its self-replicating abilities. Up-to-date details are in this security alert, which also anticipates additional waves of malicious encryption.

III. Cerber ransomware

Cerber is a relatively old encrypting malware family, and its usage has frequently gone up and down. However, recent updates and added features have brought it back firmly into center stage. In the first quarter of 2017, Cerber had a huge 90% market share among all the ransomware families. For the time being, it is likely to stay on top of the food chain.

IV. Others

There are other well-known ransomware families on the internet, but a full catalogue of types is not the scope of this article. If you want more about the types, please see the references provided.

PROTECTION

“There is no silver bullet when it comes to ransomware, so you need a multi-layered approach, prioritized for the best risk mitigation.”

Enterprise level:

  • Use Active Directory. An Active Directory domain is a more secure, centrally managed environment in which security settings can be managed or enforced according to the enterprise’s requirements and required level of security.
  • Educate users. Education of end users is the first line of defense. Make sure users are aware that ransomware is often spread through phishing emails and drive-by downloads (from compromised websites). Train them how to identify and avoid these and other security threats. Along with email alerts and security presentations, consider offering end users financial incentives for identifying and alerting IT to security problems.
  • Perform regular security audits. Be clear about all areas of potential risk and have a plan to counter them.
  • Back up critical data online as well as on-premise. Automatic, incremental, secure data backups to the cloud can help an enterprise recover files that are being held for ransom, especially if the ransomware has infiltrated on-premise servers and backups.
  • Train IT workers for better security. Security is a relative term in the sense that every day brings new discoveries and updates to yesterday’s systems. Enterprise IT personnel (even IT experts) should be trained regularly on such advances to keep pace with the changing world of IT security.

User Level:

  • Backup regularly and keep a recent backup copy off-site

There are other risks besides ransomware that can cause files to vanish, such as fire, flood, theft, a dropped laptop, or even an accidental delete. Always do a regular backup of your files and encrypt your backup. This way you don’t have to worry about the backup device falling into the wrong hands.
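As an added example, not from the article or its references, here is a versioned backup routine in Python that puts the paragraph’s advice into practice: every run creates a new snapshot folder that is never overwritten, a SHA-256 manifest is stored beside each snapshot so a copy can be verified before it is trusted for restore, and a new snapshot is refused when more than half of the previously backed-up files have changed at once (the pattern a mass encryption leaves, which would otherwise rotate good copies out). Encrypting the snapshot at rest, as the paragraph recommends, is left to the storage layer and is not shown here. The 50% threshold, folder naming and sample files are constructed for the demo.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """relative path -> sha256 for every regular file below root (the manifest itself excluded)."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST:
            out[p.relative_to(root).as_posix()] = sha256_file(p)
    return out


def latest_snapshot(backup_root: Path):
    snaps = sorted(d for d in backup_root.glob("snap-*") if d.is_dir())
    return snaps[-1] if snaps else None


def change_ratio(previous: dict, current: dict) -> float:
    """Share of previously backed-up files that are now missing or have different content."""
    if not previous:
        return 0.0
    changed = sum(1 for rel, digest in previous.items() if current.get(rel) != digest)
    return changed / len(previous)


def take_snapshot(source: Path, backup_root: Path, max_change_ratio: float = 0.5) -> Path:
    """Copy source into a new, never-overwritten snapshot folder after a mass-change sanity check."""
    current = build_manifest(source)
    prev = latest_snapshot(backup_root)
    if prev is not None:
        with open(prev / MANIFEST) as fh:
            previous = json.load(fh)
        ratio = change_ratio(previous, current)
        if ratio > max_change_ratio:
            raise RuntimeError(f"refusing snapshot: {ratio:.0%} of files changed since {prev.name}")
    seq = len(list(backup_root.glob("snap-*"))) + 1          # sequence number keeps ordering unambiguous
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    snap = backup_root / f"snap-{seq:04d}-{stamp}"
    shutil.copytree(source, snap)
    with open(snap / MANIFEST, "w") as fh:
        json.dump(current, fh, indent=1, sort_keys=True)
    return snap


def verify_snapshot(snap: Path) -> list:
    """Return the relative paths whose content no longer matches the manifest (empty = intact)."""
    with open(snap / MANIFEST) as fh:
        expected = json.load(fh)
    actual = build_manifest(snap)
    return sorted(rel for rel, digest in expected.items() if actual.get(rel) != digest)


def restore(snap: Path, dest: Path) -> None:
    """Copy a snapshot's files (not its manifest) into dest."""
    shutil.copytree(snap, dest, ignore=shutil.ignore_patterns(MANIFEST), dirs_exist_ok=True)


def run_demo() -> dict:
    """Constructed walk-through: two good snapshots, a refused one, a tamper check and a restore."""
    work = Path(tempfile.mkdtemp())
    try:
        source, backups, restored = work / "docs", work / "backups", work / "restored"
        source.mkdir()
        backups.mkdir()
        for name in ("a.txt", "b.txt", "c.txt", "d.txt"):
            (source / name).write_text(f"original contents of {name}\n")
        first = take_snapshot(source, backups)
        (source / "a.txt").write_text("edited a.txt\n")          # a normal day's edit: 25% changed
        second = take_snapshot(source, backups)
        # Simulate the aftermath of an encryptor: every file overwritten with random bytes and renamed.
        for p in list(source.glob("*.txt")):
            p.with_name(p.name + ".locky").write_bytes(os.urandom(256))
            p.unlink()
        refused = False
        try:
            take_snapshot(source, backups)                        # 100% changed: refused
        except RuntimeError:
            refused = True
        clean = verify_snapshot(second)                           # [] while the copy is intact
        (second / "b.txt").write_text("tampered\n")
        tampered = verify_snapshot(second)                        # ["b.txt"]
        restore(first, restored)
        return {
            "snapshots": len(list(backups.glob("snap-*"))),
            "refused": refused,
            "clean": clean,
            "tampered": tampered,
            "restored_a": (restored / "a.txt").read_text(),
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(run_demo())
```

The refusal is deliberately conservative: a large legitimate reorganisation will also trip it, and then an operator raises the threshold for that one run. That is the right failure mode, because a backup job that silently replaced the last good snapshot with encrypted files would defeat the purpose of keeping one.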

  • Enable file extensions

By default, Windows hides file extensions. This means you have to rely on the file’s icon or thumbnail to identify it. Enabling extensions makes it much easier to identify file types that are not commonly sent, such as JavaScript.

  • Don’t enable macros in document attachments received via email

Microsoft turned off auto-execution of macros by default many years ago as a security measure. A lot of infections rely on persuading you to turn macros back on, so don’t do it!
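The two points above, spotting a disguised extension and refusing macros, can both be checked before a document is ever opened. As an added example, not part of the article, the Python script below triages an attachment by name and content: it flags script extensions, a double extension such as invoice.pdf.js (which shows as invoice.pdf when extensions are hidden), macro-enabled Office formats, a mismatch between the extension and the file header, and the presence of a vbaProject.bin part inside an Office package (OOXML files are zip archives, and that part is where VBA macros are stored). The extension lists and the sample attachments are constructed; the minimal packages built here are only enough to exercise the zip check, not real Word documents.

```python
import io
import zipfile
from pathlib import PurePath

# Extension classes used by the triage (constructed lists; extend them for your environment).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr", ".cmd", ".bat", ".ps1"}
MACRO_ENABLED = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
OOXML = {".docx", ".xlsx", ".pptx"} | MACRO_ENABLED
DOCUMENT_LIKE = {".pdf", ".txt", ".jpg", ".png"} | OOXML
ZIP_MAGIC = b"PK\x03\x04"


def vba_parts(data: bytes) -> list:
    """OOXML files are zip archives; VBA macros are stored in a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        return []


def triage_attachment(filename: str, data: bytes) -> list:
    """Return the reasons an attachment deserves a second look (empty list = nothing found)."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    ext = suffixes[-1] if suffixes else ""
    reasons = []
    if ext in SCRIPT_EXTENSIONS:
        reasons.append("script or executable extension")
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_LIKE and ext not in DOCUMENT_LIKE:
        reasons.append("double extension disguise")
    if ext in MACRO_ENABLED:
        reasons.append("macro-enabled Office format")
    if ext in OOXML and not data.startswith(ZIP_MAGIC):
        reasons.append("content does not match extension")
    elif ext == ".pdf" and not data.startswith(b"%PDF"):
        reasons.append("content does not match extension")
    if data.startswith(ZIP_MAGIC) and vba_parts(data):
        reasons.append("contains VBA project")
    return reasons


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal Word-style package, enough to exercise the zip/VBA check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder bytes, not a real VBA stream
    return buf.getvalue()


SAMPLES = {  # constructed attachments for the demo
    "invoice.pdf.js": b"var a = 1;",
    "quote.docm": build_ooxml(with_macro=True),
    "report.docx": build_ooxml(with_macro=True),  # .docx name, but a VBA part is inside
    "minutes.docx": build_ooxml(with_macro=False),
    "scan.pdf": b"MZ\x90\x00",                     # executable header behind a .pdf name
}


def run_demo() -> dict:
    return {name: triage_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in run_demo().items():
        print(f"{name}: {', '.join(reasons) or 'nothing found'}")
```

A clean result is not proof of safety, only the absence of these particular signals; the value of the check is that it is mechanical, runs before the user faces the “enable content” decision, and gives a mail gateway or helpdesk a concrete reason to hold a message.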

  • Be cautious about unsolicited attachments

Crooks rely on the dilemma that you can’t tell if the file is the one you want until you open it. If in doubt leave it out.

  • Don’t give yourself more login power than you need

Don’t stay logged in as an administrator any longer than necessary and avoid browsing, opening documents, or other regular work activities while you have administrator rights.

  • Patch early, patch often

Malware that doesn’t come in via a document often relies on security bugs in popular applications, including Microsoft Office, your browser, Flash, and more. The sooner you patch, the fewer vulnerabilities there are to be exploited.

  • Stay up-to-date with new security features in your business applications

Office 2016 now includes a “Block macros from running in Office files from the internet” control, which helps protect against external malicious content without stopping you from using macros internally.

References:

  1. https://heimdalsecurity.com
  2. https://community.sophos.com/kb/en-us/120797
  3. https://www.kaspersky.com
  4. http://windowsitpro.com/workforce-tech-talk/how-protect-enterprise-ransomware
  5. http://www.cisco.com/c/en/us/solutions/enterprise-networks/ransomware-defense

Thank you.
