Prepare, Mon Frère, Against Ransomware

There is no question that we have become heavily dependent on computerized systems to “do more” through automation and to “do more better” by connecting and analyzing data in ways we couldn’t do previously. Ransomware takes advantage of an organization’s reliance on these systems by denying access to their systems or data for financial gain.  Ransomware attacks occur daily and are a real threat that shouldn’t be ignored.  Fortunately, there are a few techniques we can use to defend against ransomware.

Overview: The problem

Although it often arrives via spam, ransomware is more lucrative than a simple spam email. There are multiple malware kits available to ransomware authors, and distribution is easy, affordable, and profitable. Even with a .05% success rate, if sent to one million addresses (which is quite easy to acquire), that’s 500 hits. If the ransom amount is one Bitcoin for each hit, that amounts to nearly CA$400,000 / US$300,000 (August 2016 exchange rates). Many people choose to pay up instead of lose their digital livelihood, making this an effective attack vector; and according to Bromium and Symantec (PDF), the number of ransomware types has at least doubled every year since 2013. Although most ransomware infections are usually a result of attacks of opportunity, in some cases they are targeted against organizations. If key systems are hit, an entire business could be forced to shut down, as most cannot continue to function offline.

Common methods of infection include:

• E-mails with infected attachments or links to infected servers.
• Drive-by downloads, whereby simply visiting an infected site runs scripts to download and execute the malware.
• Fake popup ads that direct to malware downloads (e.g. “Security Warning – WARNING 3 THREATS FOUND!”).

Drive-by downloads and malware popup ads can be done by setting up fake websites, but malvertising is a growing problem. Malvertising is where criminals either infect advertising networks or buy ads through legitimate channels that are distributed on popular sites. Popular websites infected within the past year include many major news sites , including The Independent, LiveJournal, Marktplaats (the Dutch eBay), The Pirate Bay, and PerezHilton.com.

The bad news: Ransomware trends

• New strains of malware appear periodically, adding upgrades to improve infection, resilience, and extortion capabilities. Examples of this include Jigsaw, which deletes one file every hour until payment is made and 1000 files if attempts are made to shut it down, and the cross-platform Browlock, that runs in JavaScript. This year’s DEF CON even launched a presentation of a variant that infected a thermostat, which is interesting but less of a concern to the average enterprise and more a lesson in secure development (which is a topic for another post).
• Endpoint security is generally not enough to protect against new strains of ransomware. Malware authors are able to purchase the same endpoint security solutions that we are, and they include tests against these systems in their development labs.
• The healthcare industry has made the news recently after several serious ransomware attacks. Although other industries are more commonly affected (Symantec), the healthcare industry is required to publicize breaches. In addition, healthcare providers need to prioritize between spending to protect existing systems and investing in the latest technology to save lives. A few high-profile at hospitals have shown that a ransomware attack can be devastating and patients may need to be turned away.

The good news: What you can do

Most law enforcement agencies recommend that ransoms not be paid because it encourages this kind of attack. That’s a reasonable position, but it means that you have to be well prepared so your organization can recover quickly from an attack.  How do you prevent and respond? Good question!

How do you prevent a ransomware attack?

• Inventory management: Know what software and hardware is in your environment and restrict the use of unauthorized/non-business software and hardware. Run periodic scans or a centralized endpoint management tool.
• Backups: Make sure you have backups of your critical data, including system configuration files, and ensure that the backup cannot be modified from the original machine. If your backup is to an external drive, take the drive offline after a backup. Periodically test your backups to ensure they are reliable and that you are backing up the right files to be able to restore a system. This is the #1 technique for recovering from a ransomware attack.
• Patch management: Everyone says it, but critical and important patches really do need to be applied within one week of release. And if you’re only keeping Microsoft systems up-to-date, you’re missing out on other major attack vectors (e.g., Flash, Java, and third-party browsers). In addition, it’s also very important to update enterprise software suites. Make sure you don’t miss anything by subscribing to patch release newsletters for the systems in your business.
• Education: Make sure your IT and security staff have a plan in place to defend against ransomware, and educate your end users about what they can do. Good resources from which to learn more include Ransomware Tracker, No More Ransom, Microsoft, Symantec Internet Security Threat Reports, and the Bromium blog.
• Testing: Periodically conduct phishing simulations and share anonymized results with end users as part of training.
• Filters: Despite one’s best efforts at training, clever attacks can trick even the savviest of readers. Preventive technologies, such as web and e-mail filters, should be part of a standard defensive environment. Although endpoint security may not be effective against the latest threats, it can help against older, known threats.
• Limit the reach of ransomware by segmenting important systems from end-user machines (i.e., those most likely to be infected via e-mail or the web). Best practices for segmentation include placing systems on a separate network and firewalling off all traffic that is not necessary for cross-segment operations.
• Safe web browsing: In addition to web filters, consider the use of browser plugins to disable malicious scripts and/or block ads. This is the #1 method against web-based malware. Blocking scripts does make many sites user-unfriendly, but even if some parts of your organization can handle script blocking, it’s effective in reducing the threat of drive-by downloads. And although everyone understands the need for ad-based revenue, but malvertising attacks will continue to rise until advertising networks and website owners begin to vet their own advertisements for safety.
  • Script blockers: NoScript (Firefox), ScriptSafe (Chrome)
  • Ad blockers: uBlock Origin (Firefox, Chrome), AdBlock (Edge), and Adblock Plus (Edge)
• Advanced techniques: Consider application whitelisting or only allowing signed applications to launch. If your organization can accept the change in working style, migrate to thin clients or consider implementing technologies that remove browser access to the local operating system, (e.g., Sandboxie or Menlo Security).

How do you respond to a ransomware attack?

• When an infection is reported, disconnect the affected machine from the network to inhibit spreading. Ensure the integrity of the backup, rebuild the machine(s), and restore the data.
• Check if the recovery keys for a specific ransomware strain are available. In some cases, the security community has broken the encryption and posted the keys and in one case, the ransomware authors shut down operations and released the key. Sites with recovery tools for ransomware include the following:
  • https://id-ransomware.malwarehunterteam.com/ (151 variants as of this writing),
  • https://noransom.kaspersky.com/ (24 variants)
  • https://decrypter.emsisoft.com/ (20 variants)
  • https://www.nomoreransom.org/decryption-tools.html (7 variants, including Wildfire as of August 24)
  • http://www.bleepingcomputer.com/download/jigsaw-decrypter/ (Jigsaw)
  • http://www.bleepingcomputer.com/news/security/teslacrypt-shuts-down-and-releases-master-decryption-key/ (TeslaCrypt)

Don't let ransomware attacks catch you and your organization off guard. Educate your team, take preventative measures, and when all else fails – respond accordingly. Download our checklist to take control of your system and prevent what could be a very bad day for your organization.