Protect Your Data: Ransomware Attacks on the Rise
Discover the steps you can take now to protect your data and minimize loss. Backups play a critical role. Even if your anti-virus, network security, and firewall safety nets are at full strength, without a solid backup plan, you are still at risk of suffering a catastrophic data loss from a potentially crippling ransomware attack.
A special form of malware threat called ransomware might best be described as a virus with a vendetta.
Like a ticking time bomb, ransomware locks your critical business and personal data files to extort money from you to unlock them before a deadline expires, often 24 to 72 hours. The FBI estimates that over 4,000 ransomware attacks occur per day in the U.S. alone.
A recent article in Money magazine revealed that over the past year the total financial impact has grown from the tens of millions to over one billion dollars.
Often delivered through phishing emails, ransomware encrypts your data, locks you out of your own system, and demands a ransom payment from $100 to over $25,000. And attacks are not only proliferating, they’re becoming more advanced. Several years ago, ransomware was normally delivered through e-mail spam, but because e-mail systems got better at filtering out spam, cyber criminals turned to spear phishing e-mails targeting specific individuals.
In this blog post, I’d like to help you understand the threat and I urge you to assess your disaster recovery and backup plans. Also, update your IT security education programs to sharpen staff awareness about these potentially crippling forms of malware.
How Ransomware Infections Occur
The infection could be completely silent, so you might not even notice an actual attack until it’s too late.
Typically, what happens next goes something like this:
- Ransomware starts encrypting files and folders on all your local drives including any backup drives and even other computers on the same network.
- Users are often not aware that they have been infected until they can no longer access their data.
- On-screen messages appear to advise the user of the complete success of the attack. For example, “Your files have been encrypted. Follow the payment instructions to unlock your files before the countdown expires.”
- The victim is asked to pay the ransom in exchange for a promised decryption key. Payment is often demanded in Bitcoin due to the difficulty in tracing this virtual currency.
However, even after payment is received, the hackers might refuse to deliver the decryption key. And how accurate or safe is the decrypted data at that point? For these reasons, and to deny any type of payment transaction that might support the proliferation of such attacks, the FBI advises that users should not make ransom payments, and that organizations should instead take steps to safeguard their data.
While the particular form of malware varies, all ransomware attacks lead to the same end-point. After their files are encrypted, users are no longer able to access them, and they are left with two options:
- Pay the required ransom (not recommended)
- Restore the files from a backup
The Importance of Backups
It’s easy to imagine how these desperate users strongly consider, and sometimes even pay the ransom. But there is a better choice.
A reliable nightly backup solution is essential.
CDI advises our customers that if their network does get infected, we can restore their files from a good backup. Depending on when the last backup ran, what would otherwise have been a catastrophic loss might only result in the loss of a couple hours, days, or weeks of work.
Another point to remember is that any anti-virus program you have running will not protect against these malware infections because they require a user to click on something, which overrides the protection.
As a customer, remember that in most attacks, restoration from a backup is likely not only your best option, it is your only option. This point is important because it factors into your overall IT security training for your employees and staff and helps them set realistic expectations about the very real threats and vulnerabilities that exist. They shouldn’t consider backups as less important or even optional activities. They are critical and users should know when and how often your backup jobs run.
In the following sections, let’s examine some of the more common forms of ransomware:
CryptoLocker and CryptoWall
Two years ago, CDI began formally reaching out to customers with service notifications about CryptoLocker and CryptoWall. These forms of malware were known to infect computers through malicious attachments or email links that spoofed popular companies such as FedEx, UPS, or ADP.
They were designed to trick the user into clicking on the attachment or link. To avoid falling victim to these attacks, users were advised not to open attachments or click on links in emails they were not expecting. Users hovered their mouse over a link or image hotspot to identify the true target URL, which was often either a deceivingly similar domain name, or even something completely different.
But users sometimes forgot, or the design fooled them into clicking and the malware infection began to encrypt files on their device and any shared network volumes.
User education is the best defense against CryptoLocker or CryptoWall. Information from the FBI and the US Computer Emergency Readiness Team (CERT) is also available:
- FBI: http://www.ic3.gov/media/2015/150623.aspx
- US-CERT: https://www.us-cert.gov/ncas/alerts/TA14-295A
Another destructive ransomware variant named Locky was first observed in early 2016 as it infected mostly business computers in the United States, New Zealand, Australia, Germany, and the United Kingdom. Locky propagates through spam email that includes malicious Microsoft Office documents or compressed attachments such as .rar or .zip files that were previously associated with banking malware such as Dridex and Pony, both classified as Trojans.
Once again, user education is the best preventive measure as traditional anti-virus applications are ineffective against these types of malware. Users should refrain from opening any email, attachments, or links from unknown or suspicious senders. These emails are often disguised to look like they were sent from legitimate companies such as banks, FedEx, UPS, or ADP. Do not be fooled. Many attachments are labeled as invoice or sales orders.
Educate your users to avoid opening attachments or clicking on links in emails they were not expecting.
Users are also advised to disable the preview, reading pane, or auto-open-next features of their email applications to prevent accidentally triggering an infection. (In Outlook, on the View tab, select the drop-down arrow on the Reading Pane button and select Off.)
Since this is an especially fast-moving infection, it is critical to take the following steps if you believe you’ve become infected:
- Immediately shut down and unplug the infected machines. If a laptop, remove the battery, and verify it is disconnected, and remains disconnected, from the network.
- CDI customers should immediately contact CDI Managed Services and open a P0 incident. Provide details of the incident including where and how it is believed the infection originated.
In February 2015, TeslaCrypt was observed within the video game community as it encrypted gaming files. But it soon spread to images, documents, and other file types.
Applying AES-128 or higher encryption, TeslaCrypt infects systems from a compromised website, and demands a ransom payment before promising to decrypt the files.
It was distributed by malicious redirects through the Angler, Sweet Orange, and Nuclear exploit kits.
Once the data was encrypted, TeslaCrypt attempted to delete all shadow volume copies and system restore points to prevent file recovery.
TeslaCrypt removes all shadow volume copies from the infected system. Essentially a Microsoft Windows feature, shadow copy technology enables you to make backup copies (snapshots) of computer files or volumes. Without these shadow volumes, you cannot restore the encrypted files.
MSIL or Samas (SAMSAM)
MSIL or Samas (SAMSAM) uses open-source tools to identify hosts reporting to the active directory on the infected computer. This ransomware was used to compromise several networks in North America, including the 2016 attacks on U.S. healthcare facilities that were running outdated JBoss enterprise application servers.
SAMSAM exploits vulnerable Java-based Web servers. The malware distributes itself using psexec.exe and spreads to each host on the network. It encrypts most of the files on the system before demanding the ransom payment.
To prevent an inconvenient loss of data or a major tragedy, I urge you to take the following actions:
- Offer training to your staff. Verify that they are aware of ransomware and understand their critical role in protecting company data.
- Apply patches for your apps, firmware, and OS software on all devices. If volume is a concern, leverage a centralized patch management system.
- Verify that your anti-virus and anti-malware solutions are set to automatically update and scheduled to conduct regular scans. We recommend security solutions from Palo Alto Networks and Cisco. For example, Palo Alto and Cisco AMP offer ways to prevent intrusions and notify you about the spread of malware in your environment. CDI deploys both Palo Alto and Cisco AMP firewalls as preventive measures.
- Disable macro scripts in Microsoft Office files sent by e-mail.
- Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations such as temporary folders for web browsers or archival file compression programs.
- Make regular backups and verify their integrity. Also, take steps to secure them. Backups that are connected to computers and networks are vulnerable.
- Configure access controls, including file, directory, and network share permissions appropriately. If users need read-only access to directories, do not grant edit or write-access.
- Manage the use of privileged accounts. No users should be assigned administrative access unless absolutely necessary.
- Periodically visit the No More Ransom project online at www.nomoreransom.org to stay informed.
If you have any questions or concerns, please do not hesitate to contact your Service Delivery Manager or the CDI Service Desk.