Ransomware: Facts, Threats and Countermeasures
Ransomware is a form of malware that has been a major threat to U.S. companies and individuals over the past two decades. Most variants encrypt files on infected systems and networks (crypto-ransomware), while others erase files or block access by other means (locker ransomware). Once access is blocked, the ransomware demands a ransom to restore it, typically $200-$3,000 in bitcoins, although other currencies and gift vouchers are sometimes reported. Ransomware variants are almost always designed to attack victims opportunistically and can infect a variety of devices, from smartphones to computers.
Ransomware is spread mainly through user-initiated actions, such as clicking on malicious links in spam e-mails or visiting compromised websites. Malvertising and drive-by downloads are also used to spread it; these methods do not require any action by the user to succeed.
Ransomware infections are almost always opportunistic and spread through indiscriminate vectors like the ones discussed above. However, in very rare cases cyber threat actors target specific victims, either through a deliberate infection or after discovering that an opportunistic infection has landed on a sensitive entity. The Federal Bureau of Investigation (FBI) often refers to these cases as extortion rather than ransomware, because they almost always involve an increased ransom amount that corresponds with the strategic targeting. In spring 2016, several hospitals were infected by strategically targeted ransomware.
Over the last year, the features of ransomware variants have expanded to include data exfiltration, participation in distributed denial-of-service (DDoS) attacks, and anti-detection techniques. One variant erases files regardless of whether or not payment was made. Another can lock cloud-based backups that are kept current by continuous real-time back-ups (i.e., persistent synchronization). Other variants target smartphones and Internet of Things (IoT) devices.
Some variants claim to be from a law enforcement agency and state that the user owes a “fee” or “fine” for illegal activities such as viewing pornography. These variants may use techniques to determine the victim’s approximate geographic location so that they can name a specific agency. The U.S. government will never remotely lock or disable a computer and then demand a penalty to unlock it.
How to Reduce the Risk of Ransomware Infections
The following best practices are a starting point; they do not cover every aspect of defending against ransomware.
Network and System Security
- Create an incident response plan, which includes what to do in the event of a ransomware attack.
- Backups are critical. The backup system should keep multiple copies so that an intact copy remains if one contains infected or encrypted files. Backups should be tested regularly for data integrity and for the ability to restore from them.
- Use anti-spam and antivirus software. Run regular network and system scans with antivirus programs that automatically update their signatures. Implement an anti-spam solution to stop phishing emails from reaching your network. Add a warning banner to all emails from external sources to remind users of the dangers of opening attachments and clicking on links.
- Disable macros. Use Office Viewer software to view Microsoft Office files sent via e-mail.
- Make sure all systems, hardware and software alike, are patched; use a central patch management system where possible. Implement application whitelisting or software restriction policies (SRP) to prevent programs from executing from locations commonly used by ransomware, such as temporary folders.
- Limit Internet access. Consider using a proxy server to access the Internet and ad-blocking software. Restrict access to ransomware entry points such as personal email accounts or social networking sites.
- Apply the principle of least privilege, segment the network, and categorize data. Where possible, create virtual environments to separate networks and data.
- Monitor and vet third parties with remote access to your network and/or connections to third-party networks, to ensure that they follow cybersecurity best practices.
- Participate in cybersecurity information sharing organizations and programs, such as MS-ISAC and InfraGard.
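As an added example (not part of the original advisory), the following Python script shows the kind of backup integrity test the backup item above calls for: it verifies each backup copy against a manifest of file hashes taken at backup time, flags hash mismatches whose contents have ciphertext-like entropy as probably encrypted, and picks the first copy that is fully intact to restore from. The file names, manifest layout and entropy threshold are assumptions; the sample data is constructed inline.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: documents sit well below 7.5, ciphertext near 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def verify_copy(manifest: dict, copy: dict, entropy_limit: float = 7.5) -> dict:
    """Check one backup copy (path -> bytes) against the manifest (path -> SHA-256)
    taken at backup time. A hash mismatch with high entropy is flagged as probably
    encrypted; files absent from the manifest (e.g. a ransom note) are unexpected."""
    report = {"ok": [], "missing": [], "mismatched": [], "encrypted_suspect": []}
    for path, expected in manifest.items():
        data = copy.get(path)
        if data is None:
            report["missing"].append(path)
        elif hashlib.sha256(data).hexdigest() != expected:
            report["mismatched"].append(path)
            if shannon_entropy(data) > entropy_limit:
                report["encrypted_suspect"].append(path)
        else:
            report["ok"].append(path)
    report["unexpected"] = sorted(set(copy) - set(manifest))
    return report

def choose_restorable(manifest: dict, copies: dict):
    """Name of the first copy in which every manifest file is intact, else None."""
    for name, copy in copies.items():
        r = verify_copy(manifest, copy)
        if not r["missing"] and not r["mismatched"]:
            return name
    return None

# Constructed sample: copy A is intact; copy B was synced after infection, so one
# file is a high-entropy blob (every byte value, repeated) and a note was dropped in.
GOOD_FILES = {
    "finance/q1.xlsx": b"quarterly figures, plain content " * 40,
    "hr/policy.docx": b"employee handbook text " * 60,
}
MANIFEST = {p: hashlib.sha256(d).hexdigest() for p, d in GOOD_FILES.items()}
COPY_A = dict(GOOD_FILES)
COPY_B = {"finance/q1.xlsx": bytes(range(256)) * 16,
          "hr/policy.docx": GOOD_FILES["hr/policy.docx"],
          "RANSOM_NOTE.txt": b"constructed sample note"}

if __name__ == "__main__":
    print(verify_copy(MANIFEST, COPY_B))
    print("restore from:", choose_restorable(MANIFEST, {"B": COPY_B, "A": COPY_A}))
```

In practice the manifest would be written by the backup job and stored separately from the copies, so that a synced-over copy cannot also overwrite the hashes it is checked against.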
Secure the End-User
- Give employees phishing and social engineering training. Ask them not to open suspicious emails or click on attachments, and remind them to be careful before visiting unknown sites.
- Remind users to close browsers when they are not in use.
- Create a reporting plan so that staff know where and how to report suspicious activity.
Response to a Compromise/Attack
- Disconnect infected systems from the network immediately to stop the infection from spreading.
- Determine which data was affected. Some sensitive data, such as electronic protected health information (ePHI), may require additional reporting or mitigation.
- Find out whether a decryptor is available; the No More Ransom! project can assist.
- Restore files from regularly maintained backups.
- Report the ransomware infection to MS-ISAC. Home users and other sectors may also report infections to their local Federal Bureau of Investigation (FBI) office or to the Internet Crime Complaint Center.