366 247 102 - LBA - Lisa Traina Ransomware Article

Posted on 24-Sep-2020

Dealing with the aftermath of ransomware (http://www.tripwire.com/state-of-security/security-awareness/ransomware-refusing-to-negotiate-with-attackers/) attacks is like Russian roulette, where submitting the ransom might be the sole option for recovering locked data (http://www.tripwire.com/state-of-security/latest-security-news/ransomware-victims-should-just-pay-the-ransom-says-the-fbi/). This is precisely why focusing on prevention is a judicious approach to adopt.

The growth of ransomware over the past few years has driven the security industry to create myriads of tools applicable for blocking these types of threats from being executed on computers. Few of them are 100% bulletproof, though.

This article is focused on additional measures that users should employ to ensure a higher level of defense against these plagues.

1. First and foremost, be sure to back up your most important files on a regular basis.

Ideally, backup activity should be diversified, so that the failure of any single point won’t lead to the irreversible loss of data. Store one copy in the cloud, resorting to services like Dropbox, and the other on offline physical media, such as a portable HDD.

An efficient tactic is to toggle data access privileges and set read/write permissions, so that the files cannot be modified or erased. An additional tip is to check the integrity of your backup copies once in a while.

2. Personalize your anti-spam settings the right way.

Most ransomware variants are known to be spreading via eye-catching emails that contain contagious attachments. It’s a great idea to configure your webmail server to block dubious attachments with extensions like .exe, .vbs, or .scr.

3. Refrain from opening attachments that look suspicious.

Not only does this apply to messages sent by unfamiliar people but also to senders who you believe are your acquaintances. Phishing emails may masquerade as notifications from a delivery service, an e-commerce resource, a law enforcement agency, or a banking institution.

4. Think twice before clicking.

Dangerous hyperlinks can be received via social networks or instant messengers, and the senders are likely to be people you trust, including your friends or colleagues. For this attack to be deployed, cybercriminals compromise their accounts and submit bad links to as many people as possible.

5. The Show File Extensions feature can thwart ransomware plagues, as well.

This is a native Windows functionality that allows you to easily tell what types of files are being opened, so that you can keep clear of potentially harmful files. The fraudsters may also utilize a confusing technique where one file can be assigned a couple of extensions.

For instance, an executable may look like an image file and have a .gif extension. Files can also look like they have two extensions – e.g., cute-dog.avi.exe or table.xlsx.scr – so be sure to pay attention to tricks of this sort. A standalone known attack vector is through malicious macros enabled in Microsoft Word documents.

6. Patch and keep your operating system, antivirus, browsers, Adobe Flash Player, Java, and other software up-to-date.

This habit can prevent compromises via exploit kits.

7. In the event a suspicious process is spotted on your computer, instantly turn off the Internet connection.

This is particularly efficient on an early stage of the attack because the ransomware won’t get the chance to establish a connection with its Command and Control server and thus cannot complete the encryption routine.

8. Think of disabling vssadmin.exe.

This functionality built into Windows to administer Volume Shadow Copy Service is normally a handy tool that can be used for restoring previous versions of arbitrary files. In the framework of rapidly evolving file-encrypting malware, though, vssadmin.exe has turned into a problem rather than a favorable service.

If it is disabled on a computer at the time of a compromise, ransomware will fail to use it for obliterating the shadow volume snapshots. This means you can use VSS to restore the blatantly encrypted files afterwards.

9. Keep the Windows Firewall turned on and properly configured at all times.

10. Enhance your protection more by setting up additional Firewall protection.

There are security suites out there that accommodate several Firewalls in their feature set, which can become a great addition to the stock defense against a trespass.

11. Adjust your security software to scan compressed or archived files, if this feature is available.

12. Disabling Windows Script Host could be an efficient preventive measure, as well.

13. Consider disabling Windows PowerShell, which is a task automation framework.

Keep it enabled only if absolutely necessary.

14. Enhance the security of your Microsoft Office components (Word, Excel, PowerPoint, Access, etc.).

In particular, disable macros and ActiveX. Additionally, blocking external content is a dependable technique to keep malicious code from being executed on the PC.

15. Install a browser add-on to block popups as they can also pose an entry point for ransom Trojan attacks.

16. Use strong passwords that cannot be brute-forced by remote criminals.

Set unique passwords for different accounts to reduce the potential risk.

17. Deactivate AutoPlay.

This way, harmful processes won’t be automatically launched from external media, such as USB memory sticks or other drives.

18. Make sure you disable file sharing.

This way, if you happen to get hit, the ransomware infection will stay isolated to your machine only.

19. Think of disabling remote services.

Otherwise, the threat could rapidly propagate across the enterprise network, thus calling forth serious security issues for the business environment if your computer is a part of it.

For example, the Remote Desktop Protocol can be leveraged by the black hat hackers to expand the attack surface.

20. Switch off unused wireless connections, such as Bluetooth or infrared ports.

There are cases when Bluetooth gets exploited for stealthily compromising the machine.

21. Define Software Restriction Policies that keep executable files from running when they are in specific locations in the system.

The directories most heavily used for hosting malicious processes include ProgramData, AppData, Temp and Windows\SysWow.

22. Block known-malicious Tor IP addresses.

Tor (The Onion Router) gateways are the primary means for ransomware threats to communicate with their C&C servers. Therefore, blocking those may impede the critical malicious processes from getting through.

Since ransomware is definitely today’s number one cyber peril due to the damage it causes and the prevalence factor, the countermeasures above are a must. Otherwise, your most important files could be completely lost.

The key recommendation, though, is the one about backups – offline or in the cloud. In this scenario, the recovery consists of removing the ransom Trojan and transferring data from the backup storage.

Currently, dealing with the consequences of ransomware isn’t very promising from the file decryption perspective. That is why thwarting the virus attack can save you a pretty penny and guarantee peace of mind.
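As an added example that is not part of the article, the following read-only PowerShell audit reports the Windows settings behind tips 5, 8, 9, 12, 13, 14, 17, 18, 19, 20 and 21, so that a machine can be checked against the list above in one pass; the registry locations are the standard Windows ones, while the Office `16.0` key is an assumption about the installed Office version. It changes nothing and should be run in an elevated session.

```powershell
# Added example (not from the original article): read-only audit of the Windows
# settings behind several of the ransomware tips above. Reports only, changes nothing.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # missing key or value: the Windows default behaviour applies
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Tip, [bool]$Ok, [string]$Detail) {
    $findings.Add([pscustomobject]@{
        Tip = $Tip; Status = $(if ($Ok) { 'OK' } else { 'REVIEW' }); Detail = $Detail })
}

# Tip 5: file extensions visible (HideFileExt = 0 shows them, so cute-dog.avi.exe is obvious)
$hide = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt'
Add-Finding '5 Show file extensions' ($hide -eq 0) "HideFileExt=$hide"

# Tip 8: shadow copies still exist, i.e. a restore point survives for VSS-based recovery
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
Add-Finding '8 Volume Shadow Copies present' ($shadows.Count -gt 0) "$($shadows.Count) snapshot(s)"

# Tip 9: every Windows Firewall profile (Domain, Private, Public) enabled
$off = @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | Select-Object -ExpandProperty Name)
Add-Finding '9 Windows Firewall on' ($off.Count -eq 0) "disabled profiles: $($off -join ', ')"

# Tip 12: Windows Script Host disabled (Enabled = 0 blocks .vbs/.js via wscript/cscript)
$wsh = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled'
Add-Finding '12 Windows Script Host disabled' ($wsh -eq 0) "Enabled=$wsh"

# Tip 13: PowerShell execution policy for the machine (see note below: not a security boundary)
$pol = Get-ExecutionPolicy -Scope LocalMachine
Add-Finding '13 PowerShell execution policy' ($pol -in 'Restricted', 'AllSigned') "LocalMachine=$pol"

# Tip 14: Word macros off. VBAWarnings 4 = disable all, 3 = signed only. Office 16.0 key assumed.
$vba = Get-RegValue 'HKCU:\Software\Microsoft\Office\16.0\Word\Security' 'VBAWarnings'
Add-Finding '14 Word macros disabled' ($vba -in 3, 4) "VBAWarnings=$vba"

# Tip 17: AutoPlay/AutoRun off for all drive types (bitmask 0xFF = 255)
$autorun = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
Add-Finding '17 AutoPlay disabled' ($autorun -eq 255) "NoDriveTypeAutoRun=$autorun"

# Tip 18: file and printer sharing (Server service) not running
$srv = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
Add-Finding '18 File sharing off' ($srv.Status -ne 'Running') "LanmanServer=$($srv.Status)"

# Tip 19: Remote Desktop connections denied (fDenyTSConnections = 1)
$rdp = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
Add-Finding '19 Remote Desktop disabled' ($rdp -eq 1) "fDenyTSConnections=$rdp"

# Tip 20: Bluetooth Support Service not running
$bt = Get-Service -Name bthserv -ErrorAction SilentlyContinue
Add-Finding '20 Bluetooth service off' ($bt.Status -ne 'Running') "bthserv=$($bt.Status)"

# Tip 21: Software Restriction Policies. DefaultLevel 0 = Disallowed, 0x40000 = Unrestricted;
# path rules under the "0" (Disallowed) level hold one ItemData path per rule key.
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$level = Get-RegValue $srp 'DefaultLevel'
$rules = @(Get-ChildItem -Path "$srp\0\Paths" -ErrorAction SilentlyContinue |
           ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData })
Add-Finding '21 Software Restriction Policies' ($level -eq 0 -or $rules.Count -gt 0) `
    ("DefaultLevel=$level; disallowed paths: " + ($rules -join '; '))

$findings | Format-Table -AutoSize
```

The execution policy row is informational only: it is a convenience setting, not an access control, so restricting PowerShell as tip 13 intends needs an SRP or AppLocker rule on the PowerShell executables rather than a policy change.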

About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com (http://www.privacy-pc.com/) project, which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Incidents of Ransomware on the Rise: Protect Yourself and Your Organization

04/29/16

Hospitals, school districts, state and local governments, law enforcement agencies, small businesses, large businesses—these are just some of the entities impacted recently by ransomware, an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them.

The inability to access the important data these kinds of organizations keep can be catastrophic in terms of the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation.

And, of course, home computers are just as susceptible to ransomware, and the loss of access to personal and often irreplaceable items—including family photos, videos, and other data—can be devastating for individuals as well.

Ransomware has been around for a few years, but during 2015, law enforcement saw an increase in these types of cyber attacks, particularly against organizations because the payoffs are higher. And if the first three months of this year are any indication, the number of ransomware incidents—and the ensuing damage they cause—will grow even more in 2016 if individuals and organizations don’t prepare for these attacks in advance.

In a ransomware attack, victims—upon seeing an e-mail addressed to them—will open it and may click on an attachment that appears legitimate, like an invoice or an electronic fax, but which actually contains the malicious ransomware code. Or the e-mail might contain a legitimate-looking URL, but when a victim clicks on it, they are directed to a website that infects their computer with malicious software.

Once the infection is present, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network that the victim computer is attached to. Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually with bitcoins because of the anonymity this virtual currency provides.

Ransomware attacks are not only proliferating, they’re becoming more sophisticated. Several years ago, ransomware was normally delivered through spam e-mails, but because e-mail systems got better at filtering out spam, cyber criminals turned to spear phishing e-mails targeting specific individuals.

And in newly identified instances of ransomware, some cyber criminals aren’t using e-mails at all. According to FBI Cyber Division Assistant Director James Trainor, “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”

The FBI doesn’t support paying a ransom in response to a ransomware attack. Said Trainor, “Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

So what does the FBI recommend? As ransomware techniques and malware continue to evolve—and because it’s difficult to detect a ransomware compromise before it’s too late—organizations in particular should focus on two main areas:

- Prevention efforts, both in terms of awareness training for employees and robust technical prevention controls; and
- The creation of a solid business continuity plan in the event of a ransomware attack. (See sidebar for more information.)

“There’s no one method or tool that will completely protect you or your organization from a ransomware attack,” said Trainor. “But contingency and remediation planning is crucial to business recovery and continuity—and these plans should be tested regularly.” In the meantime, according to Trainor, the FBI will continue working with its local, federal, international, and private sector partners to combat ransomware and other cyber threats.

If you think you or your organization have been the victim of ransomware, contact your local FBI field office and report the incident to the Bureau’s Internet Crime Complaint Center.

Resources:

- More on the FBI’s Cyber Division
- Ransomware brochure
- Internet Crime Complaint Center (IC3)

Sidebar: Tips for Dealing with the Ransomware Threat

While the below tips are primarily aimed at organizations and their employees, some are also applicable to individual users.

Prevention Efforts

- Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
- Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
- Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
- Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
- Configure access controls, including file, directory, and network share permissions appropriately. If users only need to read specific information, they don’t need write access to those files or directories.
- Disable macro scripts from office files transmitted over e-mail.
- Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).

Business Continuity Efforts

- Back up data regularly and verify the integrity of those backups regularly.
- Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

Alert (TA16-091A): Ransomware and Recent Variants

Original release date: March 31, 2016 | Last revised: May 06, 2016

Systems Affected

Networked Systems

Overview

In early 2016, destructive ransomware variants such as Locky and Samas were observed infecting computers belonging to individuals and businesses, which included healthcare facilities and hospitals worldwide. Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it.

The United States Department of Homeland Security (DHS), in collaboration with Canadian Cyber Incident Response Centre (CCIRC), is releasing this Alert to provide further information on ransomware, specifically its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate against ransomware.

Description

WHAT IS RANSOMWARE?

Ransomware is a type of malware that infects computer systems, restricting users’ access to the infected systems. Ransomware variants have been observed for several years and often attempt to extort money from victims by displaying an on-screen alert. Typically, these alerts state that the user’s systems have been locked or that the user’s files have been encrypted. Users are told that unless a ransom is paid, access will not be restored. The ransom demanded from individuals varies greatly but is frequently $200–$400 and must be paid in virtual currency, such as Bitcoin.

Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.

Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been spread through social media, such as Web-based instant messaging applications. Additionally, newer methods of ransomware infection have been observed. For example, vulnerable Web servers have been exploited as an entry point to gain access into an organization’s network.

WHY IS IT SO EFFECTIVE?

The authors of ransomware instill fear and panic into their victims, causing them to click on a link or pay a ransom, and users’ systems can become infected with additional malware. Ransomware displays intimidating messages similar to those below:

“Your computer has been infected with a virus. Click here to resolve the issue.”

“Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”

“All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

PROLIFERATION OF VARIANTS

In 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.

This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced, including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device, but also the contents of shared or networked drives. These variants are considered destructive because they encrypt users’ and organizations’ files, and render them useless until criminals receive a ransom.

In early 2016, a destructive ransomware variant, Locky, was observed infecting computers belonging to healthcare facilities and hospitals in the United States, New Zealand, and Germany. It propagates through spam emails that include malicious Microsoft Office documents or compressed attachments (e.g., .rar, .zip). The malicious attachments contain macros or JavaScript files to download Ransomware-Locky files.

Samas, another variant of destructive ransomware, was used to compromise the networks of healthcare facilities in 2016. Unlike Locky, Samas propagates through vulnerable Web servers. After the Web server was compromised, uploaded Ransomware-Samas files were used to infect the organization’s networks.

LINKS TO OTHER TYPES OF MALWARE

Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected system, and requests that a ransom be paid.

The close ties between ransomware and other types of malware were demonstrated through the recent botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.

Impact

Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including:

- temporary or permanent loss of sensitive or proprietary information,
- disruption to regular operations,
- financial losses incurred to restore systems and files, and
- potential harm to an organization’s reputation.

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Solution

Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.

US-CERT recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:

- Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Note that network-connected backups can also be affected by ransomware; critical backups should be isolated from the network for optimum protection.
- Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
- Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
- Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
- Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
- Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the Web. See Good Security Habits and Safeguarding Your Data for additional details.
- Do not follow unsolicited Web links in emails. Refer to the US-CERT Security Tip on Avoiding Social Engineering and Phishing Attacks for more information.

Individuals or organizations are discouraged from paying the ransom, as this does not guarantee files will be released. Report instances of fraud to the FBI at the Internet Crime Complaint Center.
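Both the US-CERT list above ("perform and test regular backups") and the FBI sidebar ("verify the integrity of those backups regularly") stop at the instruction; as an added example that is not from either document, the PowerShell below does the verification: it records a SHA-256 manifest of an offline backup set and later checks the set against it, flagging files that have gone missing, changed content (which is what encryption looks like from the outside) or appeared without being in the manifest. The `E:\backup\...` paths are placeholders.

```powershell
# Added example (not from the FBI story or the US-CERT alert): hash manifest for
# verifying an offline backup copy. Keep the manifest with the offline copy, not on
# the machine being backed up, so an infection cannot rewrite both.

function New-BackupManifest {
    param([Parameter(Mandatory)][string]$BackupRoot,
          [Parameter(Mandatory)][string]$ManifestPath)
    $root = (Resolve-Path -Path $BackupRoot).Path
    $entries = @(Get-ChildItem -Path $root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length).TrimStart('\')
            Length       = $_.Length
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    })
    $entries | Export-Csv -Path $ManifestPath -NoTypeInformation -Encoding UTF8
    return $entries.Count   # number of files recorded
}

function Test-BackupManifest {
    param([Parameter(Mandatory)][string]$BackupRoot,
          [Parameter(Mandatory)][string]$ManifestPath)
    $root = (Resolve-Path -Path $BackupRoot).Path
    $manifest = @(Import-Csv -Path $ManifestPath)
    $known = @{}
    foreach ($e in $manifest) { $known[$e.RelativePath] = $true }

    # Every recorded file must still exist and still hash to the recorded value.
    $problems = foreach ($e in $manifest) {
        $full = Join-Path -Path $root -ChildPath $e.RelativePath
        if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
            [pscustomobject]@{ File = $e.RelativePath; Problem = 'missing' }
            continue
        }
        $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        if ($hash -ne $e.SHA256) {
            [pscustomobject]@{ File = $e.RelativePath; Problem = 'content changed' }
        }
    }

    # Files in the backup that the manifest never recorded deserve a look too: a note
    # dropped next to the data is a sign the backup location was reachable by malware.
    $extra = Get-ChildItem -Path $root -File -Recurse | ForEach-Object {
        $rel = $_.FullName.Substring($root.Length).TrimStart('\')
        if (-not $known.ContainsKey($rel)) {
            [pscustomobject]@{ File = $rel; Problem = 'not in manifest' }
        }
    }
    return @($problems) + @($extra)   # empty array means the backup verified clean
}

# Usage with placeholder paths; run the first line when the backup is made and the
# second on a schedule, before the copy is ever needed for recovery.
# New-BackupManifest  -BackupRoot 'E:\backup\2016-04' -ManifestPath 'F:\manifests\2016-04.csv'
# Test-BackupManifest -BackupRoot 'E:\backup\2016-04' -ManifestPath 'F:\manifests\2016-04.csv' | Format-Table
```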

References

- Kaspersky Lab, Kaspersky Lab detects mobile Trojan Svpeng: Financial malware with ransomware capabilities now targeting U.S.
- Sophos / Naked Security, What’s next for ransomware? CryptoWall picks up where CryptoLocker left off
- Symantec, CryptoDefence, the CryptoLocker Imitator, Makes Over $34,000 in One Month
- Symantec, Cryptolocker: A Thriving Menace
- Symantec, Cryptolocker Q&A: Menace of the Year
- Symantec, International Takedown Wounds Gameover Zeus Cybercrime Network
- Sophos / Naked Security, “Locky” ransomware – what you need to know
- McAfee Labs Threat Advisory: Ransomware-Locky. March 9, 2016
- SamSam: The Doctor Will See You, After He Pays The Ransom

Revisions

March 31, 2016: Initial Publication

May 6, 2016: Clarified guidance on offline backups
