CHANNELS

Subscribe to the InfoTech eNewsletter

infoTECH Feature

September 29, 2016

10 Things You Should Know About Ransomware

By Special Guest
Shiv Ganapathy, Senior Managing Consultant, SpirentSecurityLabs

As we predicted earlier this year, ransomware is a hot topic in the news these days, but what exactly is it and why should you care?  In this article I will discuss the top 10 things you should know about ransomware, why it is becoming more prevalent, and, most importantly, what you can do to reduce your chances of becoming a victim of ransomware.

1. What is ransomware?

Ransomware is a type of malware that infects a computer and restricts users’ access to it until a ransom is paid to unlock it. Ransomware has been around for several years; however, in recent years, attacks have increased, and have become highly targeted and sophisticated.  In the last couple years, several thousands of computers have been affected by ransomware which are designed to extort money from users and organizations.

2. Types of ransomware

Older versions: Locking type ransomware

  • Deny or block access to computer or files.
  • Demand ransom to unblock or to provide access.
  • On-screen alert provides instructions to the victim on how to provide payment and regain access.

Recent versions: File-Encrypting ransomware

  • Encrypt user files with strong encryption such as RSA (News - Alert), AES etc.
  • Demand ransom to decrypt files.
  • On-screen alert provides instructions to the victim on how to provide payment and regain access.

3. Examples of ransomware

Some types of ransomware are: Crysis, CryptoLocker, CryptoWall, CTB-Locker, Locky, SamSam.exe, TorrentLocker, Teslacrypt, RAA. Three of the most common types are:

  • Trojan.Randsom.C is a type of locking ransomware that blocks users’ access to their computer and then issues a ransom fee for access to be paid via phone.
  • Reveton is an example for locking ransomware and it fraudulently claims to be from a legitimate law enforcement authority and blocks users from accessing their computer. Reveton also tracks geographic location of the victim and displays a country-based law enforcement message. For example, if it detects that the victim is from the U.S., it will display an alert from the FBI. This ransomware demands a “fine” to restore access.
  • RAA is one of the recent variants of encrypting ransomware written completely in JavaScript. RAA is primarily delivered through phishing email with an attachment named .text.js. This file will be displayed as “filename.txt,” as in most Windows machines the extensions are usually not configured to be displayed. Once the user opens this file, the ransomware starts encrypting user files and displays a message with instructions to pay and decrypt files.

4. Ransom

The ransom demanded from victims varies greatly depending upon the victim and could be anywhere from a couple hundred dollars to several thousand dollars or more. To avoid traceability, ransom is typically demanded in virtual currency such as Bitcoin.

5. Targets

The business of ransomware has become highly professionalized and the cybercriminals are targeting not only home users, but also businesses, educational institutions, hospitals, law enforcement and other government agencies as well.

6. How do computers or networks become affected by ransomware?

Ransomware is commonly delivered through mass phishing emails with attachments pretending to be photos, reports, invoices, resumes or other business communications. Attachments are usually:

  • .zip file attachments which contain .exe files that are disguised as PDF, Word or Excel documents.
  • .js file attachments disguised using multiple file extension techniques such as filename.txt.js.

When the user opens the attachment, it will install the ransomware which will start encrypting data files. Ransomware also targets data files in any drives connected to the computer, including network shares, or DropBox mappings.

Other popular methods include:

Drive-by downloading

  • Drive-by downloading occurs when an unsuspecting user simply visits a compromised website and the malware is downloaded and installed without the user’s knowledge.
  • Usually the drive-by-download utilizes known security weaknesses in browsers, plug-ins, or OS.

Malvertising

  • Involves injecting malicious or malware-laden advertisements into legitimate online-advertising networks and Web pages.
  • Malware silently travels through the advertisement. It is dangerous because it does not require user action to compromise the system and it does not depend on a vulnerability on the website it is hosted from.

7. Recent attacks

  • Law Enforcement Agency: In Feb 2016, The Melrose Police Department in Massachusetts was hit by encrypting ransomware. It has been reported that the ransomware was triggered from a malicious email opened by a member of the department. According to Melrose free press, the police department paid one bitcoin as ransom to get the decryption key.
  • Hospital: In Feb 2016, ransomware took Hollywood hospital offline, and demanded $3.6M. Hollywood Hospital eventually paid $17,000 to free their computers.
  • University: In May 2016, The University of Calgary was attacked by a ransomware which locked staff, students and faculty out of their emails. According to Calgary Herald, The University of Calgary paid $15217.46 to free their email system.

8. Enterprises prove to be lucrative targets

  • Enterprise-targeted ransomware attacks have started to become mainstream.
  • Newer methods of ransomware infection include exploiting vulnerable Web servers as an entry point to gain access into an organization’s network.
  • Enterprises have many users to target, and it could only take one innocent click to infect the entire enterprise with ransomware.

9. The impact of a ransomware attack varies based on the target. Here is a list of the most common effects:

  • Temporary or permanent loss of personal information, or organization’s proprietary information
  • Financial losses to recover personal files, or Financial loss due to business disruption
  • Reputation damage to the individual or organization

10. Best practices to protect against ransomware:

Testing

  • Conduct frequent vulnerability scanning of your organizations’ external & internal network, network devices, and web applications to identify security holes or any known security vulnerabilities
  • Conduct penetration testing to identify potential points of exploit on your organizations’ external & internal network, network devices, and web applications.

Raise awareness

  • Instruct users not to open attachments from unknown sources or in emails that appear to be legitimate but are still suspicious and/or unexpected.
  • Instruct users to avoid enabling macros from email attachments. 
  • Instruct users not to click on unsolicited Web links in emails.

Patches and updates

  • Patch and keep operating systems, antivirus, browsers, Adobe (News - Alert) Flash Player, Quicktime, Java, and other software up-to-date

Anti-virus software

  • Maintain up-to-date anti-virus software, and scan all software downloaded from the Internet prior to executing.

Restrict permissions

  • Restrict users’ permissions to prevent installation and execution of unauthorized software applications.
  • Apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or spreading quickly through the network.

Backup

  • Employ a data backup and recovery plan for all critical information.
  • Regularly backup servers and network shares with multiple restore points.
  • Consider backing up critical data in two different media including one off-site backup.

Customize

  • Email filter/Spam filter settings to block emails with suspicious attachments.

 About the Author

Shiv has over ten years of Information Technology experience with eight years of experience as a dedicated penetration tester. At Spirent (News - Alert), Shiv is leading the Web and Mobile application team as part of the ethical hacking and security research group called Spirent SecurityLabs.

Shiv has performed Web application and Mobile applications penetration testing for various clients ranging from the Fortune 500 to small and midsized companies. Shiv has also conducted several training sessions on Application Security (News - Alert) Best Practices for Fortune 500 companies. Prior to joining Spirent, Shiv worked as Managing Consultant performing penetration tests, security assessments and vulnerability research, along with building and training a team of Security Consultants at Trustwave.




Edited by Alicia Young
FOLLOW US

Subscribe to InfoTECH Spotlight eNews

InfoTECH Spotlight eNews delivers the latest news impacting technology in the IT industry each week. Sign up to receive FREE breaking news today!
FREE eNewsletter

infoTECH Whitepapers