What is Ransomware?
Ransomware, malware that locks away your data until you pay to get it back, is spreading like a rash and affects both businesses and consumers. The FBI has identified that ransomware is on the rise, affecting not only PCs but smartphones as well. The Verizon 2016 Data Breach Investigations Report listed Ransonmware in it’s number two spot for Crimeware, and realized the biggest jump in reported attacks. While first seen as a semi-sophisticated crime against hospitals and financial institutions, this nefarious crime is quickly becoming commonplace in all types of organizations and at targeted individuals.
“Why is Ransomware new?” an IT Manager asked me, “isn’t this just a throwback to other malware schemes?”
I replied with one word, “Bitcoin.”
While ransomware has been around for a while, it’s becoming more prevalent because Bitcoin (BTC) has made it easier than ever for the bad guys to get paid. Because it is anonymous, Bitcoin enables the criminal to receive his or her payment without the scrutiny of law enforcement, the government, or Visa or MasterCard for that matter. In short, criminals use BTC as another tool to receive funds without easily being tracked.
Bitcoin started showing financial traction back in 2013 and not coincidentally, that is around the same time that the CryptoLocker virus started asking for payment in that manner.
As of May 3,2016, one of the latest ransomware creations is called Locky which Microsoft regards a “severe threat.”
Locky
While “Locky” sounds like a cute character from one of the shows my kids watch on TV, it will cause more pain and headache then a teething toddler. After it is downloaded, Locky encrypts all of your files including photos, documents and videos using AES strong encryption (the type of encryption the FBI uses). When it’s done, it pops up a screen demanding payment in Bitcoin in return for the encryption key to unencrypt and retrieve your data.
Obviously no one is going to download and run ransomware on purpose, are they? You might be surprised. The criminals behind Locky get you to download and run it yourself by sending it to you in a phishing email. The targeted user is part of a social engineering scheme, the criminals are on the hunt for users in accounting who often receive invoices from vendors. The user:
- Receives an email with an invoice attached asking for review.
- The invoice emails are socially engineered addressed to the company and asking for payment.
- The curios user launches the attached Word document, and is prompted to “Run Macros”
- A set of malicious executables is installed on the target machine that will begin to encrypt data.
And Locky won’t just attack your local files, it will attempt to encrypt all network and storage devices too! When it’s done, you may see a screen like the below:
Protecting your organization
Antivirus tools provide a measure of protection by identifying harmful macros, however motivated hackers will find a way past antivirus. But you can take destiny into your own hands by following the below best practices:
Awareness is the place to start. Educate your users about Ransomware and cyber security best practices. Start a campaign to ensure that all users are aware of the dangers of phishing and how to avoid being a victim. Several companies make software that sends simulated phishing messages, tracks responses, and trains users how to not be fooled by them.
Take control and monitor user access and change with Micro Focus Sentinel and Change Guardian. These solutions help security teams quickly identify threats before they cause damage with real-time integrity monitoring and analysis of security events as they occur. Rapidly spot file changes and new extensions like .locky that are out of the ordinary and take action with intelligence.
Enforce least privilege for your most sensitive data and systems. Micro Focus Privileged Identity Management solutions ensure the right users have access to the right systems at the right times. Trojans and malware like Locky typically need elevated rights to execute, you can stop them by simply not letting them start. Protect the integrity of your critical systems by limiting use and monitoring who has access to what files during designated time periods.
Finally ensure you have a disaster recovery plan in place which includes keeping offline copies of critical data in both physical and virtual environments. Micro Focus PlateSpin technology offers solutions that can quickly restore workloads to their original location or to a new location while the original is being repaired.
Put the right measures in place to create awareness, monitor user activity, enforce least privilege and create a disaster recovery plan. Be vigilant and use great technology to protect you and your organization.
1 Comment
In surprising end to TeslaCrypt, the developers shut down their ransomware and released the master decryption key. This is a happy ending, but what happens if a ransomware net shuts down and doesn’t release the master key?
As Simon says, you have to out the right measures in place IN ADVANCE to create awareness, monitor user activity, enforce least privilege and create a disaster recovery plan. Be vigilant and use great technology to protect you and your organization.