10 things to know about ransomware

1. What is Ransomware?
Ransomware is a type of malware that infects a computer and restricts users' access to it until a ransom is paid to unlock it. Ransomware has been around for several years; however, in recent years attacks have increased and have become highly targeted and sophisticated. In the last couple of years, several thousand computers have been affected by Ransomware designed to extort money from users and organizations.

2. Types of Ransomware
Older versions: Locking Ransomware
- Deny or block access to the computer or files.
- Demand a ransom to unblock or restore access.
- An on-screen alert gives the victim instructions on how to pay and regain access.
Recent versions: File-Encrypting Ransomware
- Encrypt user files with strong encryption such as RSA or AES.
- Demand a ransom to decrypt the files.
- An on-screen alert gives the victim instructions on how to pay and regain access.

3. Examples of Ransomware
Some Ransomware families are: Crysis, CryptoLocker, CryptoWall, CTB-Locker, Locky, SamSam.exe, TorrentLocker, Teslacrypt, RAA. Here is a closer look at three common ones:
Trojan.Randsom.C is a locking Ransomware that blocks users' access to their computer and then demands a ransom fee, to be paid via phone, before access is restored.
Reveton is an example of locking Ransomware: it fraudulently claims to be from a legitimate law enforcement authority and blocks users from accessing their computer. Reveton also determines the victim's geographic location and displays a country-specific law enforcement message; for example, if it detects that the victim is in the U.S., it displays an alert purporting to be from the FBI. This Ransomware demands a "fine" to restore access.
RAA is one of the recent variants of encrypting Ransomware and is written entirely in JavaScript. RAA is primarily delivered through a phishing email with an attachment named .text.js. Because most Windows® machines are not configured to display file extensions, this file appears as "filename.txt". Once the user opens the file, the Ransomware starts encrypting user files and displays a message with instructions to pay and decrypt the files.

4. Ransom
The ransom demanded varies greatly depending upon the victim and can be anywhere from a couple hundred dollars to several thousand dollars or more. To avoid traceability, the ransom is typically demanded in a virtual currency such as Bitcoin.

5. Targets
The business of Ransomware has become highly professionalized, and cybercriminals are targeting not only home users but also businesses, educational institutions, hospitals, law enforcement and other government agencies.

6. How do computers or networks become infected with Ransomware?
Ransomware is commonly delivered through mass phishing emails with attachments pretending to be photos, reports, invoices, resumes or other business communications. Attachments are usually:
- .zip file attachments which contain .exe files disguised as PDF, Word or Excel documents.
- .js file attachments disguised using a multiple-file-extension technique such as filename.txt.js.
When the user opens the attachment, it installs the Ransomware, which starts encrypting data files. Ransomware also targets data files on any drives connected to the computer, including network shares or Dropbox mappings.
Other popular methods include:
Drive-by downloading
- Drive-by downloading occurs when an unsuspecting user simply visits a compromised website and the malware is downloaded and installed without the user's knowledge.
- Usually the drive-by download exploits a known security weakness in the browser, a plug-in, or the OS.
Malvertising
- Involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and web pages.
- The malware is delivered silently through the advertisement. It is dangerous because it does not require user action to compromise the system and it does not depend on a vulnerability in the website that hosts the advertisement.

7. Recent attacks
Law enforcement agency: In February 2016, the Melrose Police Department in Massachusetts was hit by encrypting Ransomware. It has been reported that the Ransomware was triggered by a malicious email opened by a member of the department. According to the Melrose Free Press, the police department paid one bitcoin as ransom to get the decryption key.
Hospital: In February 2016, Ransomware took Hollywood Hospital offline and demanded $3.6M. Hollywood Hospital eventually paid $17,000.00 USD to free its computers.
University: In May 2016, the University of Calgary was attacked by Ransomware that locked staff, students and faculty out of their email. According to the Calgary Herald, the University of Calgary paid $20,000.00 CAD to free its email system.

8. Enterprises prove to be lucrative targets
- Enterprise-targeted Ransomware attacks have started to become mainstream.
- Newer methods of Ransomware infection include exploiting vulnerable web servers as an entry point to gain access to an organization's network.
- Enterprises have many users to target, and it can take only one innocent click to infect the entire enterprise with Ransomware.

9. Impact
The impact of a Ransomware attack varies based on the target. Here is a list of the most common effects:
- Temporary or permanent loss of personal information or an organization's proprietary information
- Financial losses to recover personal files, or financial loss due to business disruption
- Reputation damage to the individual or organization

10. Best Practices to Protect Against Ransomware:
Testing
- Conduct frequent vulnerability scanning of your organization's external and internal networks, network devices, and web applications to identify security holes or known security vulnerabilities.
- Conduct penetration testing to identify potential points of exploitation on your organization's external and internal networks, network devices, and web applications.
Raise awareness
- Instruct users not to open attachments from unknown sources, or from emails that appear legitimate but are still suspicious and/or unexpected.
- Instruct users to avoid enabling macros in email attachments.
- Instruct users not to click on unsolicited web links in emails.
Patches and updates
- Patch and keep operating systems, antivirus, browsers, Adobe Flash Player, QuickTime, Java, and other software up to date.
Anti-virus software
- Maintain up-to-date anti-virus software, and scan all software downloaded from the internet before executing it.
Restrict permissions
- Restrict users' permissions to prevent installation and execution of unauthorized software applications.
- Apply the principle of "least privilege" to all systems and services. Restricting these privileges may prevent malware from running or from spreading quickly through the network.
Backup
- Employ a data backup and recovery plan for all critical information.
- Regularly back up servers and network shares with multiple restore points.
- Consider backing up critical data on two different media, including one off-site backup.
Customize
- Customize email filter/spam filter settings to block emails with suspicious attachments.
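The attachment patterns described in section 6 (a .js file hidden behind a double extension such as filename.txt.js, or a .zip containing an .exe dressed up as a PDF) are exactly what an email filter of the kind recommended above needs to catch. The following screening check is an added example written for this article, not the author's or Spirent's code; the extension lists and the sample attachments are constructed for illustration.

```python
import io
import zipfile

# Extensions Windows executes on double-click (constructed list for this example; not exhaustive).
EXECUTABLE_EXTS = {"exe", "js", "jse", "vbs", "wsf", "scr", "bat", "cmd", "hta", "ps1"}
# Document types the article says attackers impersonate.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}

def classify_name(name):
    """Return a reason if the filename is a (possibly disguised) executable, else None."""
    # "invoice.pdf.exe" is shown as "invoice.pdf" when Windows hides known extensions,
    # so look at the real last extension first, then at the one in front of it.
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return "double extension .%s.%s" % (parts[-2], parts[-1])
    return "executable attachment .%s" % parts[-1]

def screen_attachment(name, data):
    """Screen one attachment; for ZIP archives, also screen every member name."""
    findings = []
    reason = classify_name(name)
    if reason:
        findings.append("%s: %s" % (name, reason))
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    reason = classify_name(member)
                    if reason:
                        findings.append("%s!%s: %s" % (name, member, reason))
        except zipfile.BadZipFile:
            # A corrupt or fake archive is itself worth flagging rather than passing through.
            findings.append("%s: not a valid ZIP archive" % name)
    return findings

def build_sample_zip():
    """Constructed sample: a ZIP holding an .exe disguised as a PDF (contents are filler)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"not a real executable")
    return buf.getvalue()

def screen_all(attachments):
    """Map attachment name -> list of findings (an empty list means nothing suspicious)."""
    return {name: screen_attachment(name, data) for name, data in attachments.items()}
```

Run `screen_all({"report.txt.js": b"//js", "invoice.zip": build_sample_zip()})` to see both patterns flagged; a plain `resume.docx` returns an empty finding list.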

Shiv Ganapathy, Senior Managing Consultant, Spirent SecurityLabs
Shiv has over ten years of information technology experience, including eight years as a dedicated penetration tester. At Spirent, Shiv leads the Web and Mobile application team, part of the ethical hacking and security research group called Spirent SecurityLabs™.

Shiv has performed web application and mobile application penetration testing for various clients ranging from the Fortune 500 to small and midsized companies. Shiv has also conducted several training sessions on application security best practices for Fortune 500 companies. Prior to joining Spirent, Shiv worked as a Managing Consultant at Trustwave, performing penetration tests, security assessments and vulnerability research, and building and training a team of security consultants.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

© Copyright ASC COMMUNICATIONS 2018.