Cryptographic ransomware has quickly become one of the greatest cyberthreats facing organizations around the world. This criminal business model has proven to be highly effective in generating revenue for cyber adversaries in addition to causing significant operational impact to affected organizations. It is largely victim agnostic, spanning the globe and affecting all major industry verticals. Small organizations, large enterprises and individual home users all are potential targets.
Ransomware has existed in various forms for decades; but, in the last three years, cybercriminals have perfected the key components of these attacks. This has led to an explosion of new malware families that have made the technique more effective and drawn new malicious actors into launching these lucrative schemes.
The financial impact of ransomware is enormous, with several high-profile infections leading to millions of dollars in ransom paid to attackers. Ransomware is one of the few cybercriminal business models where the same attack could harm a Fortune 500 company, a local restaurant down the street, and your grandmother.
The cryptocurrency Bitcoin has provided a payment mechanism that is fueling the success of this scheme. The payment mechanisms that early forms of ransomware relied on have been shut down or been forced to regulate their payments, but Bitcoin has no central authority against which law enforcement can take action.
Thus far, ransomware attacks have primarily targeted Windows-based systems, but adversaries have begun branching out to target other devices, such as attacks against the Mac OS X operating system. Until organizations around the world adopt a prevention mindset and stop paying ransoms to retrieve their data, this criminal scheme will continue to threaten all internet-connected devices.
Preparation
It is important to backup data so that it will be easily recoverable after a successful ransomware attack. One of the best defenses against ransomware is through your backup and data recovery process. If you can recover encrypted files from backups, you'll be able to recover from a successful ransomware attack with little to no impact on your organization. Backups should be kept in a location that is not accessible to the ransomware (i.e., not a connected USB drive). Attackers have been known to target backups as part of their efforts to encrypt all valuable files. Testing the process of recovering files from a backup is almost as important as the backup itself. If you have never tested your recovery process, you may find out your backups are not as secure as you thought.
In order to halt ransomware's spread, review the use of network shares to ensure that write access is limited to the smallest number of users and systems possible. Network drives that are mounted to multiple systems and contain shared data are especially vulnerable to ransomware attacks. If a system or user who is able to write to the mounted drive is infected with ransomware, all of the files stored on the network share may also be encrypted. This turns a single infection into a network-wide outage. Organizations should review their use of network shares to ensure that write access is limited to the smallest number of users and systems possible. As most ransomware attacks occur when users are browsing the web or reading email, limiting this activity on systems with write access is extremely prudent.
Prevention
Ransomware often begins with an email message carrying a Windows executable. Network security devices, such as a next-generation firewall, can identify these files when they are transitioning the network and should block or quarantine them. Signature-based detection systems have proven unreliable for detecting new malware. Unknown malware prevention systems should be used to augment network security devices. Attackers launching ransomware campaigns test their attacks against these systems to ensure they will not be detected before deploying their malware. In order to protect your organization from these rapidly changing malware variants, organizations need the ability to identify never-before-seen threats and automatically send new protections back down to the network.
While network-based security devices are sometimes blind to attacks, endpoint-based controls can stop the execution of malicious files before they start.
Response
In some cases, security vendors have found ways to decrypt files without paying the ransom. You can identify some ransomware using information included in the ransom note left on your system or using malware analysis or intelligence systems. In fact, some attackers use the same decryption code for multiple attacks, much like some users will employ the same password for multiple sites. You can identify some ransomware using information included in the ransom note left on your system. Another option is to use malware analysis or intelligence systems that can identify ransomware families. By searching the internet, it might be possible to find the decryption code in a post that lists other known decryption codes.
However, sometimes you just have to prepare for the worst. Paying a ransom to recover your files should be the last resort of any organization. If you decide to pay the ransom, you should be prepared to make that payment in a timely manner. However, paying the ransom does not guarantee that you will get your files back. The attacker might not provide a valid key. In fact, the attacker might provide a valid key. In fact, the attacker might not respond to you at all.
By Bryan Lee
Unit 42