Technology admin  

The ransomware epidemic and what it can do

What is ransomware

Ransomware is a current epidemic based on an insidious piece of malware that cybercriminals use to extort money from you by holding your computer or your files for ransom and demanding payment to get them back. Unfortunately, ransomware is quickly becoming an increasingly popular way for malware authors to extort money from businesses and consumers alike. If this trend is allowed to continue, ransomware will soon affect IoT devices, automobiles, and ICS and SCADA systems, as well as computer terminals. There are several ways that ransomware can enter someone’s computer, but most infections are the result of a social engineering tactic or of software vulnerabilities that let it silently install itself on a victim’s machine.

Since last year and even before, malware authors have been sending waves of targeted spam emails to various groups. There is no geographical limit on who can be affected, and while the emails were initially aimed at individual end users, then at small and medium-sized businesses, the enterprise is now the primary target.

In addition to social engineering through phishing and spear-phishing, ransomware also spreads through remote desktop ports. Ransomware also encrypts any files it can reach on mapped drives, including external media such as USB sticks and external hard drives, and folders on the network or in the cloud. If you have a OneDrive folder on your computer, those files may be encrypted and the encrypted versions then synced to the cloud.

No one can say with exact certainty how much malware of this type exists. Since much of it exists in unopened emails and many infections go unreported, it’s hard to tell.

The impact for those who are affected is that their data files are encrypted and the end user is forced to decide, against a countdown, whether to pay the ransom or lose the data forever. Affected files are usually popular data formats such as Office files, music, PDFs and other common document types. More sophisticated strains delete the “shadow copies” on the computer that would otherwise allow the user to return to an earlier point in time. The computer’s “restore points” are destroyed as well, along with any backup files the malware can reach. The criminal runs a command and control server that holds the private key needed to decrypt the user’s files. A timer is attached to the destruction of that private key, and the demands and countdown are displayed on the user’s screen with a warning that the key will be destroyed when the countdown ends unless the ransom is paid. The files themselves continue to exist on the computer, but they are encrypted and cannot be recovered, even by brute force.

In many cases, the end user sees no way out and simply pays the ransom. The FBI recommends against paying the ransom. By paying, you are funding further such activities, and there is no guarantee that you will get any of your files back. The cyber security industry is also getting better at handling ransomware. At least one major anti-malware vendor released a “decryptor” product last week. It remains to be seen, however, how effective this tool will be.

What to do now

There are multiple perspectives to consider. The individual wants to recover their files. At the company level, they want to recover files and protect assets. At the enterprise level, they want all of the above and must also be able to demonstrate due diligence in preventing others from being infected by anything deployed or shipped from the enterprise, to protect themselves from the mass grievances that will inevitably follow.

Generally speaking, once encrypted, files are unlikely to be decryptable. The best tactic, therefore, is prevention.

Make a backup of your data

The best thing to do is make regular backups to offline media, keeping multiple versions of the files. With offline media, such as a backup service, tape, or other media that allows monthly backups, you can always go back to previous versions of your files. Also, be sure to back up all your data files; some may be on USB drives, mapped drives, or USB keys. As long as malware can reach a file with write access, that file can be encrypted and held for ransom.

Education and Awareness

A critical component in the Ransomware infection prevention process is making end users and staff aware of attack vectors, specifically SPAM, phishing, and spear-phishing. Almost all Ransomware attacks are successful because an end user clicked on a link that seemed innocuous or opened an attachment that appeared to come from a known person. By raising awareness and educating staff about these risks, they can become a critical line of defense against this insidious threat.

Show hidden file extensions

Windows usually hides the extensions of known file types. If you enable the display of all file extensions in email and in your file system, you can more easily spot suspicious executables masquerading as harmless documents.
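As an added example (not part of the original article), this PowerShell snippet applies the two Explorer settings behind this advice for the current user: show extensions for known file types, and show hidden files, which also reveals the AppData and ProgramData folders mentioned later. It then restarts Explorer and lists any double-extension files in the Downloads folder; the folder and the extension pattern are assumptions you can adjust.

```powershell
# Added example, not from the original article.
# HideFileExt and Hidden are the registry values behind the Explorer
# "Hide extensions for known file types" and "Show hidden files" options.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# HideFileExt = 0: "Invoice.pdf.exe" is no longer displayed as "Invoice.pdf".
Set-ItemProperty -Path $advanced -Name 'HideFileExt' -Value 0 -Type DWord
# Hidden = 1: hidden files and folders (including %APPDATA%) become visible.
Set-ItemProperty -Path $advanced -Name 'Hidden' -Value 1 -Type DWord

# Explorer reads these values when it starts, so restart the shell.
Stop-Process -Name explorer -Force
Start-Sleep -Seconds 2
if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    Start-Process explorer.exe
}

# Verify the values were written.
$v = Get-ItemProperty -Path $advanced
'HideFileExt={0} Hidden={1}' -f $v.HideFileExt, $v.Hidden

# Illustrate what the change exposes: files whose "document" extension is
# followed by an executable one (assumed folder and extension list).
Get-ChildItem "$env:USERPROFILE\Downloads" -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '\.(pdf|docx?|xlsx?|txt)\.(exe|scr|js|vbs|com)$' } |
    Select-Object Name, Length, LastWriteTime
```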

Filter executable files in email

If your gateway mail scanner has the ability to filter files by extension, you may want to reject emails sent with *.exe attachments. Use a trusted cloud service to send or receive *.exe files.

Disable running files from temporary file folders

First, you need to allow hidden files and folders to show in Explorer so that you can see the AppData and ProgramData folders.

Your antimalware software allows you to create rules to prevent executables from running from your profile’s local and application data folders, as well as from the computer’s program data folder. Exclusions can be set for legitimate programs.
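The article leaves the rule-building to your antimalware product; as an added example (not from the article or any vendor), here is the same control expressed as a Windows AppLocker policy applied with PowerShell: executables are denied under every user's AppData and under ProgramData, with one exclusion for a legitimate program, while Program Files, Windows and administrators keep the default allow rules. It starts in AuditOnly mode so blocked launches only generate events; the rule GUIDs and the ExampleApp exclusion path are placeholders, and a Windows edition that supports AppLocker is assumed.

```powershell
# Added example, not from the original article. AppLocker policy in AuditOnly
# mode: would-be blocks are logged (AppLocker/EXE and DLL log, event 8003)
# instead of enforced. Change EnforcementMode to "Enabled" after reviewing them.
# %OSDRIVE%, %PROGRAMFILES% and %WINDIR% are AppLocker path variables.
$policy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Once a collection has any rule, everything not allowed is denied,
         so the three default allow rules must stay. -->
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Allow Windows"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="33333333-3333-3333-3333-333333333333" Name="Allow Administrators"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <!-- Ransomware-specific rules: no executables from AppData or ProgramData,
         except a placeholder legitimate per-user updater. -->
    <FilePathRule Id="44444444-4444-4444-4444-444444444444" Name="Deny EXE in AppData"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\ExampleApp\ExampleUpdater.exe" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="55555555-5555-5555-5555-555555555555" Name="Deny EXE in ProgramData"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\ProgramData\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$xml = Join-Path $env:TEMP 'appdata-deny.xml'
$policy | Set-Content -Path $xml -Encoding UTF8

# Apply to the local policy and make sure the Application Identity service runs;
# sc.exe is used because Set-Service cannot change this protected service.
Set-AppLockerPolicy -XmlPolicy $xml -Merge
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Dry run: how would the policy treat executables already in AppData?
$exes = Get-ChildItem $env:APPDATA, $env:LOCALAPPDATA -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
if ($exes) { Test-AppLockerPolicy -XmlPolicy $xml -Path $exes -User Everyone |
             Select-Object FilePath, PolicyDecision, MatchingRule }
```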

Disable RDP

If it’s practical to do so, disable RDP (Remote Desktop Protocol) on high-value targets, such as servers, or block RDP from the Internet by requiring a VPN or other secure route. Some versions of ransomware take advantage of vulnerabilities that allow ransomware to be deployed on an RDP-enabled target system. There are several TechNet articles detailing how to disable RDP.
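As an added example (not one of the TechNet articles the text refers to), this PowerShell script implements both options on a Windows server: by default it disables RDP and its firewall rules; with -KeepForVpn it leaves RDP on, requires Network Level Authentication, and limits the firewall rules to the VPN subnet. It ends with a verification of the resulting state. The 10.8.0.0/24 subnet is a placeholder.

```powershell
# Added example, not from the original article. Run elevated.
param([switch]$KeepForVpn, [string]$VpnSubnet = '10.8.0.0/24')  # placeholder subnet

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

if (-not $KeepForVpn) {
    # fDenyTSConnections = 1 is the setting behind "Don't allow remote connections".
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1 -Type DWord
    # The firewall rules are what actually close port 3389 to the network.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
} else {
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
    # Require NLA so credentials are checked before a session is created.
    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord
    # Only accept RDP from addresses that arrive through the VPN tunnel.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Set-NetFirewallRule -Enabled True -RemoteAddress $VpnSubnet
}

# Verification: registry setting, enabled firewall rules, listener and live sessions.
$enabledRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                Where-Object { $_.Enabled -eq 'True' }
$sessions = Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction SilentlyContinue
[pscustomobject]@{
    DenyTSConnections    = (Get-ItemProperty -Path $ts).fDenyTSConnections
    EnabledFirewallRules = @($enabledRules).Count
    RemoteAddressFilter  = ($enabledRules | Get-NetFirewallAddressFilter |
                            Select-Object -ExpandProperty RemoteAddress -Unique) -join ','
    Listening3389        = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    ConnectedFrom        = ($sessions | Select-Object -ExpandProperty RemoteAddress) -join ','
}
```

Listening3389 can stay True after disabling until the Remote Desktop Services service restarts; the disabled firewall rules are the effective block in the meantime.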

Patch and update everything

It is critical that you stay current with Windows updates as well as antivirus updates to avoid a Ransomware exploit. Not so obvious is that it is just as important to stay up to date with all Adobe and Java software. Remember, your security is only as good as its weakest link.

Use a layered approach to endpoint protection

It is not the intent of this article to endorse any one endpoint product over another, but rather to recommend a methodology that is rapidly being adopted by the industry. You need to understand that ransomware, as a form of malware, feeds on weak endpoint security. If you strengthen endpoint security, ransomware will not proliferate as easily. A report published last week by the Institute for Critical Infrastructure Technology (ICIT) recommends a layered approach: behavior-based heuristic monitoring to prevent the act of non-interactive file encryption (which is what ransomware does), and at the same time an endpoint anti-malware or security suite that is known to detect and stop ransomware. It is important to understand that both are necessary: while many antivirus programs will detect known strains of this nasty Trojan, unknown zero-day strains must be stopped by recognizing their behavior, namely encrypting files, changing the wallpaper, and communicating through the firewall with their command and control center.

What to do if you think you are infected

Disconnect from any WiFi or corporate network immediately. You may be able to stop communication with the command and control server before it finishes encrypting your files. You can also prevent Ransomware on your computer from encrypting files on network drives.

Use System Restore to return to a known clean state

If you have System Restore enabled on your Windows machine, you might be able to take your system to a previous restore point. This will only work if the Ransomware strain you have has not already destroyed your restore points.

Boot to a bootable disk and run your antivirus software

If you boot from a boot disk, none of the services in the registry will be able to start, including the Ransomware agent. You may be able to use your antivirus program to remove the agent.

Advanced users can do more

The ransomware places its executables in the AppData folder of your profile. In addition, entries in the Run and RunOnce keys in the registry automatically start the ransomware agent when the operating system boots. An advanced user should be able to:

a) Run a thorough antivirus scan to remove the ransomware installer.

b) Start the computer in Safe Mode so the ransomware does not run, or stop its service.

c) Remove the encryption programs.

d) Restore encrypted files from offline backups.

e) Install layered endpoint protection, including signature-based and behavior-based protection, to prevent reinfection.
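As an added example (not from the original article), the following read-only PowerShell triage script supports steps a) to c): it lists every Run and RunOnce autostart, flags entries whose executable lives in AppData, ProgramData or Temp, lists executables recently written to those user-writable folders, and reports whether any System Restore points survived. It deletes nothing; the folder list and the seven-day window are assumptions.

```powershell
# Added example, not from the original article. Run elevated for HKLM and restore points.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
# Regex fragments for the folders the article names as the agent's home.
$suspectDirs = '\\AppData\\', '\\ProgramData\\', '\\Temp\\'

function Get-Autostarts {
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip provider metadata
            $cmd = [string]$p.Value
            # The executable is the first token; it may be quoted when the path has spaces.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Suspect = [bool]($suspectDirs | Where-Object { $exe -match $_ })
                Exists  = Test-Path -LiteralPath $exe
            }
        }
    }
}

function Get-RecentExecutables([int]$Days = 7) {
    $dirs = $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:TEMP
    Get-ChildItem -Path $dirs -Recurse -Force -Include *.exe, *.scr, *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        Select-Object FullName, Length, LastWriteTime
}

'== Autostart entries (Suspect = runs from AppData, ProgramData or Temp) =='
Get-Autostarts | Sort-Object Suspect -Descending | Format-Table -AutoSize
'== Executables written to user-writable folders in the last 7 days =='
Get-RecentExecutables | Format-Table -AutoSize
'== Restore points (none listed may mean the strain deleted them) =='
Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
    Select-Object SequenceNumber, CreationTime, Description
```

Entries marked Suspect are candidates to remove with Remove-ItemProperty, and their target files with Remove-Item, after you have confirmed what they are.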
