Wednesday, 30 March 2016 02:08

Ransomware threats like Cryptowall, TeslaCrypt, and Locky are on the rise.

Written by Duane Lansdowne


To support our customers, we have created new resources on how to stay protected against ransomware.

Ransomware has become one of the most widespread and damaging threats that internet users and businesses face today. Since the infamous CryptoLocker first appeared in 2013, we’ve seen a new era of file-encrypting ransomware variants delivered through spam messages and Exploit Kits, extorting money from home users and businesses alike.

The current wave of ransomware families can have their roots traced back to the early days of FakeAV, through “Locker” variants and finally to the file-encrypting variants that are prevalent today. Each distinct category of malware has shared a common goal – to extort money from victims through social engineering and outright intimidation. The demands for money have grown more forceful with each iteration.

Where does the current wave of ransomware infection come from?

Even though most companies have security mechanisms in place, such as virus scanners, firewalls, anti-spam/anti-virus email gateways and web filters, we are currently witnessing large numbers of ransomware infections worldwide, such as Cryptowall, TeslaCrypt and Locky. Files on computers and network drives are encrypted as part of these infections in order to blackmail the users of these computers into paying a sum of money, usually in the region of USD 200-500, for the decryption tool.

A common infection scenario may look like this:

A user receives an email that comes from a seemingly plausible sender with an attached document, a parcel service with attached delivery information or an external company with an attached invoice.

The email attachment contains an MS Word or Excel document with an embedded macro. If the recipient opens the document, the macro attempts to start automatically and executes the following actions:

  • It tries to download the actual ransomware payload from a series of web addresses that only exist momentarily. If a web address cannot be reached, the next one is accessed until the payload has been downloaded successfully.

  • The macro executes the ransomware.

  • The ransomware contacts the command & control server of the attacker, sends information about the infected computer and downloads an individual public key for this computer.

  • Files of certain types (Office documents, database files, PDFs, CAD documents, HTML, XML etc.) are then encrypted on the local computer and on all accessible network drives with this public key.

  • Automatic backups of the Windows operating system (shadow copies) are often deleted to prevent this type of data recovery.

  • A message then appears on the user’s desktop, explaining how a ransom (often in the form of bitcoins) can be paid within a time frame of e.g. 72 hours to ensure delivery of a suitable decryption tool with the private key that is only available in the attacker’s system.

  • The ransomware will then delete itself leaving just the encrypted files and ransom notes behind.

This is just an example of how such an infection scenario may play out. While email is a popular technique to spread these threats, by no means is it the only approach.
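The scenario above also describes what a defender can look for on the endpoint. The following PowerShell script is an added example, not code from the original post or from any product the post mentions: it runs two checks over process-creation events, an Office application starting a shell or script host (the macro stage) and a shadow-copy deletion command (the backup-destruction stage). The `$events` array is constructed sample data; its field names (Time, Host, ParentImage, Image, CommandLine) are modelled on Sysmon Event ID 1 and are an assumption, as are the sample paths.

```powershell
# Added example, not code from the original post. Field names follow Sysmon Event ID 1
# (ParentImage, Image, CommandLine) and are an assumption; adapt them to your log source.
# The $events array is constructed sample data.
$events = @(
    [pscustomobject]@{
        Time        = '2016-03-30T09:01:12'
        Host        = 'WS-017'
        ParentImage = 'C:\Program Files\Microsoft Office\Office15\WINWORD.EXE'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\jdoe\AppData\Local\Temp\inv.ps1'
    }
    [pscustomobject]@{
        Time        = '2016-03-30T09:01:40'
        Host        = 'WS-017'
        ParentImage = 'C:\Users\jdoe\AppData\Local\Temp\a1b2c3.exe'
        Image       = 'C:\Windows\System32\vssadmin.exe'
        CommandLine = 'vssadmin.exe Delete Shadows /All /Quiet'
    }
    [pscustomobject]@{
        Time        = '2016-03-30T09:05:03'
        Host        = 'WS-022'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Program Files\Microsoft Office\Office15\WINWORD.EXE'
        CommandLine = '"WINWORD.EXE" /n "C:\Users\asmith\Documents\report.docx"'   # benign: Word started by the user
    }
)

$officeApps  = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'
$scriptHosts = 'powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe'

function Find-RansomwareIndicators {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        # Compare file names only, so the rules do not depend on install paths
        $parent = ($e.ParentImage -split '[\\/]')[-1].ToLowerInvariant()
        $image  = ($e.Image       -split '[\\/]')[-1].ToLowerInvariant()
        $cmd    = [string]$e.CommandLine

        # Rule 1: the macro stage. Word, Excel, PowerPoint or Outlook has no ordinary reason
        # to start a shell or script host.
        if (($officeApps -contains $parent) -and ($scriptHosts -contains $image)) {
            [pscustomobject]@{ Rule = 'OfficeSpawnsScriptHost'; Time = $e.Time; Host = $e.Host
                               Parent = $parent; Image = $image; CommandLine = $cmd }
        }

        # Rule 2: the backup-destruction stage (shadow copies deleted, as in the scenario above).
        if (($image -eq 'vssadmin.exe' -and $cmd -match 'delete\s+shadows') -or
            ($image -eq 'wmic.exe'     -and $cmd -match 'shadowcopy\s+delete')) {
            [pscustomobject]@{ Rule = 'ShadowCopyDeletion'; Time = $e.Time; Host = $e.Host
                               Parent = $parent; Image = $image; CommandLine = $cmd }
        }
    }
}

# Against the constructed sample the first two events are flagged; the third (Word opened
# normally from Explorer) is not.
Find-RansomwareIndicators -Events $events | Format-Table -AutoSize
```

Both rules are cheap enough to run continuously from a SIEM or from Sysmon forwarded logs. Rule 1 fires at the moment the macro stage begins, before any file has been encrypted, which is the point at which isolating the workstation still prevents damage to network drives; Rule 2 fires later, but it is a high-confidence signal because ordinary users have no reason to delete shadow copies.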

So what are some of the IT security weaknesses in affected companies?

  • Inadequate backup strategy (no real-time backups, backups not offline/off-site)

  • Updates/patches for operating system and applications are not implemented swiftly enough

  • Dangerous user/rights permissions (users work as administrators and/or have more file rights on network drives than necessary for their tasks)

  • Lack of user security training (“Which documents may I open and from whom?”, “What is the procedure if a document looks malicious?”, “How do I recognize a phishing email?”)

  • Security systems (virus scanners, firewalls, IPS, email/web gateways) are not implemented or are not configured correctly. Inadequate network segmentation also belongs here (servers and workstations in the same network)

  • Lack of knowledge on the part of administrators in the area of IT security (.exe files may be blocked in emails but not Office macros or other active content)

  • Conflicting priorities (“We know that this method is not secure but our people have to work...”)
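The rights weakness in the list above is something an administrator can measure rather than guess at: ransomware running as an ordinary user can only encrypt what that user can write to. The following PowerShell script is an added example, not code from the original post: it reports the ACL entries on a set of share roots that grant write-level rights to broad groups such as Everyone, Authenticated Users or Domain Users. The share paths, and the group list itself, are assumptions to be replaced with your own.

```powershell
# Added example, not code from the original post. The UNC paths are placeholders and the
# principal list is an assumption; extend it with the broad groups used in your domain.
$broadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users'
)

# Any of these rights lets a process running as the user overwrite or delete files.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-BroadWriteAccess {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p -ErrorAction Stop
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who     = $ace.IdentityReference.Value
            $isBroad = ($broadPrincipals -contains $who) -or ($who -like '*\Domain Users')
            # -band is non-zero when the ACE carries at least one write-level right
            $canWrite = (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0)
            if ($isBroad -and $canWrite) {
                [pscustomobject]@{
                    Path      = $p
                    Identity  = $who
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Placeholder share roots: replace with your own.
Get-BroadWriteAccess -Path '\\FILESERVER\Finance', '\\FILESERVER\Projects' | Format-Table -AutoSize
```

Every row the script prints is a location that one infected workstation can encrypt regardless of which user it belongs to. The fix is the least-privilege rule from the list: replace the broad group with the specific team group that needs to write there, and give everyone else read access or none at all.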

Best practices to apply immediately – do this NOW!

1. Backup regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.

2. Don’t enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so don’t do it!

3. Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.

4. Don’t give yourself more login power than you need. Most importantly, don’t stay logged in as an administrator any longer than is strictly necessary, and avoid browsing, opening documents or other “regular work” activities while you have administrator rights.

5. Consider installing the Microsoft Office viewers. These viewer applications let you see what documents look like without opening them in Word or Excel itself. In particular, the viewer software doesn’t support macros at all, so you can’t enable macros by mistake!

6. Patch early, patch often. Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit.
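Items 2 and 5 above rely on users not turning macros back on. The following PowerShell script is an added example, not code from the original post or from Microsoft: it enforces the decision centrally by writing the Office policy values that block macros in files that arrived from the Internet (e-mail attachments and downloads carry the Mark of the Web) and set the default macro behaviour for everything else. It assumes Office 2016 (registry version `16.0`; Office 2013 uses `15.0`) and writes the per-user policy hive; the values are the same ones the Office Group Policy templates set, so in a domain you would deploy them through GPO rather than run this on each machine.

```powershell
# Added example, not code from the original post or from Microsoft. Writes the user-level
# Office policy keys; in a domain, set the same values through Group Policy instead.
$officeVersion = '16.0'                      # assumption: Office 2016 (Office 2013 uses 15.0)
$applications  = 'Word', 'Excel', 'PowerPoint'

function Set-OfficeMacroPolicy {
    param(
        [string]$Version = $officeVersion,
        [string[]]$Applications = $applications,
        # VBAWarnings: 3 = disable all macros except digitally signed ones,
        #              4 = disable all macros without notification
        [ValidateSet(3, 4)][int]$VbaWarnings = 3
    )
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        # Block macros outright in files that carry the Mark of the Web
        Set-ItemProperty -LiteralPath $key -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1
        # Macro setting for all other files; as a policy value it cannot be changed from the Trust Center
        Set-ItemProperty -LiteralPath $key -Name 'VBAWarnings' -Type DWord -Value $VbaWarnings
    }
}

function Get-OfficeMacroPolicy {
    param([string]$Version = $officeVersion, [string[]]$Applications = $applications)
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $p   = if (Test-Path -LiteralPath $key) { Get-ItemProperty -LiteralPath $key } else { $null }
        [pscustomobject]@{
            Application       = $app
            BlockFromInternet = $p.blockcontentexecutionfrominternet   # 1 once the policy is applied
            VBAWarnings       = $p.VBAWarnings                         # 3 or 4 once the policy is applied
        }
    }
}

Set-OfficeMacroPolicy -VbaWarnings 3
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

With `VBAWarnings` set to 3, the only macros that still run are digitally signed ones, which keeps legitimate in-house macros working if they are signed with a trusted certificate; setting 4 disables macros entirely and is the safer choice where nobody needs them. Because these live under the `Policies` key, the Trust Center shows the options greyed out, so the "enable content" prompt that the infection scenario depends on never appears for Internet-sourced documents.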

Encrypting company data

Suitable encryption of company documents can help to prevent malware from obtaining unencrypted access to confidential documents. This limits the damage caused when business-relevant documents leave the company.

Deploy malicious traffic detection capabilities

It's essential to react quickly to new threats. Malicious Traffic Detection, which is available in Acclamar’s SimpliSecure IT solution, detects communications between a compromised endpoint and an attacker’s servers. It automatically identifies the offending software and stops it from running to prevent potential damage or data loss.

Additional measures to secure against ransomware

In addition to the immediate measures described above, it's important that all employees receive regular IT security training. The success of these measures should also be checked regularly. Acclamar is willing to help educate employees on security threats, including IT Security DOs and DON'Ts. Just ask about scheduling a FREE IT & security assessment and we will provide an educational IT Security DOs and DON'Ts training for your employees as well.

Last modified on Monday, 25 April 2016 13:53
Duane Lansdowne
