How to avoid being caught out by ransomware
Ransomware has been a worry since late 2013, when a strain of malware called Cryptolocker became such a problem that Certs issued guidance on how to prevent being infected and what to do if you were.
Cryptolocker was just one of many strains of ransomware, and the likes of Cryptowall and CryptoDefense have followed to bother businesses and consumers alike.
The principle is that the malware encrypts files on a system’s hard drive using an unbreakable key, and the attacker decrypts them once a ransom is paid, typically in an online currency such as Bitcoin.
Most ransomware is delivered via email, says Jens Monrad, systems engineer at FireEye. He confirms that delivery by email is typically opportunistic, and that the typical overall themes are shipping notices from delivery companies.
“In the past year, we have seen the content of these emails being both near-perfect in local languages and also looking much more legitimate than previously,” he says. “While the majority of ransomware attacks still happen opportunistically, we often see them being ‘localised’ so they fit into the targeting countries.”
Also, many attacks are delivered by mass random emails. Mark James, security specialist at ESET, says the intention is to infect as many as possible to maximise the chances of getting a result.
Ransomware is also delivered via drive-by-download attacks on compromised websites. Although the problem is well known, the bigger challenge is avoiding infection and knowing what to do when you are infected.
Back up and be ready
The most common advice for recovering from a ransomware attack relies largely on whether a good backup policy is in place for both your data and entire systems. Patrick Wheeler, director of product at Proofpoint, calls regular backups “the most reliable method for recovering infected systems”, which makes it all the more important to prevent the initial infection.
Gary Warner, chief threat scientist at PhishMe, says that rather than a simple backup, in order to be effective, a backup must be “serialised”, with older versions of files available in case newer versions have been corrupted or encrypted.
Other advice includes storing backups in an offline environment because many ransomware variants will try to encrypt data on connected network shares and removable drives. Daniel Miessler, director of client advisory services at IOActive, stresses the importance of having known-good and up-to-date backups that are as close to real time as possible.
“One thing to consider is making sure you don’t overwrite your backups with the compromised data, so that when you go to restore, you are unable to,” he says.
And because ransomware is able to encrypt files on mapped network drives, disconnect the mapping where possible if you are not using the drive. Amichai Shulman, CTO of Imperva, says organisations must make sure backups are not accessible from endpoints through disk mounts, otherwise those will be encrypted as well.
Once the backups are done and stored securely, Brian Honan, CEO of BH Consulting, recommends checking that the backups are working and that you can recover from them.
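One way to act on Warner's point about serialised backups and Miessler's warning about overwriting good backups, as an added example that is not from the article or any vendor quoted in it: before the newest snapshot is allowed to replace an older retained version, compare it with the previous one and hold rotation if too many files have vanished or turned into near-random data. The function names, thresholds and sample snapshots are assumptions made for this illustration.

```python
import hashlib
import math
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def manifest(files: dict) -> dict:
    """Map path -> (sha256, entropy) for a snapshot given as {path: bytes}."""
    return {p: (hashlib.sha256(b).hexdigest(), entropy(b)) for p, b in files.items()}

def safe_to_rotate(prev, curr, max_suspect_ratio=0.3, high_entropy=7.0):
    """Return (ok, suspects). ok is False when too many files from the previous
    version vanished or changed from low-entropy to near-random content, so the
    oldest retained version must not be pruned or overwritten."""
    if not prev:
        return True, []
    suspects = []
    for path, (digest, ent) in prev.items():
        if path not in curr:
            suspects.append(path)  # deleted, or renamed with a new extension
            continue
        new_digest, new_ent = curr[path]
        # Already-compressed files (zip, jpg) start high and are not judged here.
        if new_digest != digest and ent < high_entropy <= new_ent:
            suspects.append(path)
    return len(suspects) / len(prev) <= max_suspect_ratio, sorted(suspects)

def fake_ciphertext(seed: bytes) -> bytes:
    """Constructed stand-in for encrypted data: 2 KiB of pseudo-random bytes."""
    return b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(64))

# Constructed sample snapshots (not real data).
MONDAY = {f"docs/report{i}.txt": b"Quarterly figures, draft %d\n" % i * 40 for i in range(4)}
TUESDAY = {**MONDAY, "docs/report0.txt": b"Quarterly figures, final\n" * 40}
WEDNESDAY = {**MONDAY, **{p: fake_ciphertext(p.encode()) for p in list(MONDAY)[:3]}}

if __name__ == "__main__":
    for name, snap in (("Tuesday", TUESDAY), ("Wednesday", WEDNESDAY)):
        ok, suspects = safe_to_rotate(manifest(MONDAY), manifest(snap))
        print(name, "rotate" if ok else "HOLD, keep old versions", suspects)
```

The entropy test is a heuristic: it says nothing about files that were already compressed, which is why the older versions need to stay offline and untouched until someone has reviewed a held snapshot.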
Keep a layered approach
Having a “layered approach to security” is one of the cliches of modern infrastructure, but for repelling ransomware, it should be taken seriously. Fred Touchette, manager of security research at email and web security firm AppRiver, says the best way to protect against a virus is to have defences to ensure you never receive any viruses in the first place.
He recommends deploying a layered approach, utilising technologies such as anti-virus, web filtering and firewalls.
Most businesses are likely to be using these types of tools anyway, and more modern consumer security software now contains personal firewalls and web filtering alongside the more traditional anti-malware.
According to ESET’s James, current ransomware will typically run an executable from the App Data or Local App Data folders, so it is best to restrict this ability either through user policy, Windows or by third-party prevention kits that are designed for this purpose.
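Before enforcing the restriction James describes, it helps to know which existing software would stop working. The following dry run is an added example, not from the article or from ESET: it checks constructed process-start events against a deny rule covering the two folders and an allowlist. The event format, user names and product names are hypothetical.

```python
from pathlib import PureWindowsPath

# The two per-user folders named in the article, relative to a user profile.
BLOCKED_ROOTS = {("appdata", "roaming"), ("appdata", "local")}

def appdata_relative(image_path: str):
    """Return the lower-cased path below C:\\Users\\<name> when the image sits in
    AppData\\Roaming or AppData\\Local, otherwise None."""
    parts = [p.lower() for p in PureWindowsPath(image_path).parts]
    if len(parts) >= 6 and parts[1] == "users" and tuple(parts[3:5]) in BLOCKED_ROOTS:
        return "\\".join(parts[3:])
    return None

def would_block(events, allowed=()):
    """List image paths that a deny rule on both folders would stop, skipping
    allowlisted software. Allow entries end in a backslash so that
    'AppData\\Local\\ExampleChat\\' cannot match 'ExampleChatFake'."""
    allow = tuple(a.lower() for a in allowed)
    hits = []
    for ev in events:
        rel = appdata_relative(ev["image"])
        if rel is not None and not rel.startswith(allow):
            hits.append(ev["image"])
    return hits

# Constructed process-start events; user names and products are hypothetical.
EVENTS = [
    {"user": "alice", "image": r"C:\Users\alice\AppData\Roaming\invoice_viewer.exe"},
    {"user": "bob", "image": r"c:\users\BOB\appdata\local\Temp\shipping-notice.exe"},
    {"user": "alice", "image": r"C:\Users\alice\AppData\Local\ExampleChat\current\chat.exe"},
    {"user": "alice", "image": r"C:\Users\alice\AppData\Local\ExampleChatFake\chat.exe"},
    {"user": "carol", "image": r"C:\Program Files\ExampleOffice\editor.exe"},
]
ALLOWED = ["AppData\\Local\\ExampleChat\\"]

if __name__ == "__main__":
    for image in would_block(EVENTS, ALLOWED):
        print("would be blocked:", image)
```

Legitimate per-user installers and updaters also run from these folders, so the allowlist needs reviewing against real process logs before the rule moves from audit to enforcement.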
Keep up to date
As well as adopting a layered approach, getting patches installed and being up to date remain the best form of security.
FireEye’s Monrad says that as most ransomware compromises are still more opportunistically driven than targeted, the delivery of the ransomware payload usually takes advantage of some known vulnerability rather than using a zero-day.
Check your privileges
The final piece of advice to protect against malware is to ensure your employees’ privileges are locked down. David Gibson, vice-president of strategy and market development at Varonis, says most organisations are not watching or analysing user activity.
Monrad says most malware will execute with the same privileges as the victim executing the payload. “If the person getting compromised has local or global administrative privileges, the malicious code will have access to the same resources,” he says.
“In the instance of ransomware, this also means ransomware will have the capacity to encrypt data on network drives, shares and removable media.”
Infection by ransomware does happen and free tools exist from companies such as Kaspersky and Cisco that may work. Monrad suggests the worst thing about a restore is the time it takes, but this is obviously less expensive than paying a ransom.
James says that if backups are not an option, you may be able to use Windows’ own shadow copies to restore files, if the ransomware has not disabled their use.
Dealing with criminals
Of course, the biggest problem with paying ransoms is that you are dealing with criminals, and there is no guarantee that the victim will get their data back, or that the attacker will not leave other forms of malware running on the system.
Proofpoint’s Wheeler adds: “Like other scammers, cyber criminals will return to someone who paid, so payment to recover your files simply confirms that you will be a good target for future attacks and scams.”
If you are a victim, then consider the sensitivity of your data, your profile and the sophistication of the attacker before you pay, because low sophistication in communication could mean low quality of encryption.
This is a modern problem in malware, combining both sophisticated and basic tactics, and people are still getting caught out, despite the fact that there are fairly straightforward methods to avoid becoming a victim.