Ransomware: Keep Safe and Stay Safe

Tuesday, October 09, 2018

Richard Hummel

F9b46f5646b843bd0f87903611d30aad

Ransomware has been a notable threat since the infamous Cryptolocker hit headlines back in 2013. 

Since then, multiple iterations, copycats, and a plethora of new ransomware families have entered the scene. Some of the more prolific, such as Locky, Cryptowall, Teslacrypt, and TorrentLocker, ebbed and flowed before dimishing in number of infections and volume of distribution, while others have declined further still, with crypto-currency mining appearing to fill the void in recent months. 

There are a number of reasons for this downward trend. A key factor may be the increased involvement of law enforcement agencies, particularly in those cases where the target holds sensitive information or the attack takes down key infrastructure. There has also been a rise in the number of cyber security organizations providing a level of prevention and mitigation against ransomware, as well as in the number of government initiatives such as those offering free decryption services for reverse-engineered ransomware. Finally, it's arguably simpler and less risky for cyber-criminals to turn their attention to easier, less noticeable gains, such as those that can be made by turning a victim's system into a digital currency miner. 

It's worth noting, however, that although there may be fewer campaigns, and although its effectiveness may have diminished over time, ransomware is still a significant threat and one that businesses and consumers alike should remain mindful of. 

The shape of ransomware

Ransomware can take one of two different forms. The first of these is file encryption ransomware, in which the attacker encrypts every file on a system except those which are system critical, before demanding payment, often in the form of Bitcoin. The second, system lockout ransomware, involves the use of an overlay, or fake boot-up screen, that demands the victim make a payment for the password needed to unlock the system. 

Although it tends to arrive via a phishing email, there have been instances in which a direct compromise of a server has occurred shortly before ransomware was delivered on to a system. Recent notorious examples that have made headlines around the world include WannaCry, NotPetya, and Bad Rabbit, in which attackers combined the ability to auto-propagate with a 'warn and install' ransomware to target a wide and dispersed range of systems and organizations across multiple regions. 

Recommended plan of action

What all types of ransomware have in common is that, should a system be compromised, the effects are obvious, and often immediate. 

If an organization is unfortunate enough to fall victim to a ransomware attack, however, there are steps it can take to minimize any potential damage. 

First, it would be strongly advised not to pay the ransom, and to do what the organization can to recover its files by other means. Taking regular backups of those files is best practice as, in the event of a compromise, it's possible to restore to a previously known secure state. 

If this isn't possible for any reason, a decryptor should be sought. Most of the time, ransomware self-identifies, which--helpfully--enables its victims to search specifically for decryptors of that particular family. Many anti-virus companies and security vendors post free decryptors on their websites. Projects such as No More Ransom are also often a good place to start. 

On occasion, an organization might feel that paying the ransom demand is the only way to recover files, although this can be fraught with danger. While many ransomware families 'offer' decryption after payment, this constitutes fraud and there is no guarantee that the files will actually be recovered. What's more, there's no way of knowing that the 'decryption tool' won't re-infect the system or leave a backdoor into it for future compromise. 

Finally, if there really is no other alternative, it can often be less of a risk to simply wipe the system and start over. 

Prevention is better than cure

With phishing being the primary delivery method, the easiest way to avoid a ransomware attack is to be on the lookout for suspicious emails. 

It's important not to open suspicious email attachments or click on suspicious links, for example. Just because it might says www.goodsite.com doesn't mean it isn't actually a link to www.evilsite.com; hover over the URL and observe what the link actually points to before clicking it. 

If an email has a document or PDF attached and asks for certain scripts to be enabled, or for a security warning for content to be accepted, this should only ever be done if the email came from a known and trusted sender. As the sender's email address may have been spoofed, it might be necessary to pick up the phone and call that person to check whether the email actually came from them. 

In addition, making sure that systems are reguarly patched and updated will prevent the exploitation of obvious vulnerabilities, and protect against those attackers that take a direct approach. 

Ransomware may not be the threat it once was, but it still poses a risk to the files and systems of businesses everywhere. With improved awareness, network hygiene, and general preparedness, however, organizations can minimize this risk and keep the attackers at arms' length. 

About the author: Richard Hummel has 10 years of experience in the intelligence field and is currently the Threat Intelligence Manager for NETSCOUT's ASERT. Previously, he served as Manager and Principal Analyst on the FireEye iSIGHT Intelligence’s Financial Gain team. He began his career as a Signals Intelligence Analyst with the United States Army.

Possibly Related Articles:
30048
Viruses & Malware Enterprise Security Security Awareness
infection Ransomware Prevention Cryptolocker file encryption
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.