Ransomware has been around for some time, but it has garnered a lot of attention recently and become a topic of hot discussion in the IT community due to several high-profile attacks on business interests.
Recent high-profile cases involving the Locky ransomware have raised awareness of this form of cyber threat. In the last month or so, a number of organizations have been badly hit by ransomware, including a police department in Tewksbury, Massachusetts, a church in Oregon, South Carolina schools and several medical centers in California and Kentucky, one of which ended up paying the attackers 40 bitcoins (approximately $17,000).
Interest in ransomware has recently peaked: Google Trends reports April 2016 as the high point, even with only partial data for the current month.
Broad search volume analysis also reveals high search volumes over the last several months, indicating an increasing threat (see the table below).
Ransomware is a type of malware (or ‘scareware’) that prevents or limits users from accessing their files and systems.
Ransomware forces victims to pay a ransom in order to regain access to their systems or to get their data back. Payment is usually demanded through online payment methods such as Bitcoin.
There are various strains of ransomware. Some encrypt files (for example CryptoLocker); others use Tor to hide their command-and-control (C&C) communications (for example CTB-Locker).
Recently even Apple users have been subject to attacks by what was previously a Windows-only threat.
Ransomware is particularly dangerous in that paying the requested ransom is no guarantee that users will regain access to the infected system. Your customers may encounter this threat through a variety of sources. Ransomware can be accidentally downloaded by visiting malicious or compromised websites. It can also arrive as a payload, either dropped or downloaded by other malware. Some ransomware is also delivered as an attachment in spam email, as in the example below showing a Locky attachment.
Once executed on the system, ransomware can either
• lock the computer screen, or
• encrypt selected files with a password.
In the first case, the ransomware shows a full-screen image or notification that prevents victims from using their system. This screen also shows the instructions on how users can pay the ransom.
The second type of ransomware locks files such as documents, spreadsheets, databases and other important files by encrypting them with a password.
What can I do to protect my customers?
Once infected with ransomware there is little that can be done except restoring the data from a well-maintained backup system, or alternatively taking the "pay and pray" approach. Since many of our customers have asked us about this trending topic, we made a simple Excel file that you can use to check that all your customers are protected against ransomware. You can download the checklist below. First, here’s some general advice on the key strategies.
Atera recommends the following strategies to minimize the chance of becoming infected by ransomware.
Mail Protection Service
Your first action should be to have inbound emails scanned for known threats. You should also block any attachment types that could pose a threat, since ransomware can masquerade as almost any type of file. Avoid opening suspicious files, and point your domain’s MX records ONLY at your mail protection service (such as Atera’s integrated Cloud Mail Security service), so that no mail can reach your server without passing through the filter.
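A check for the MX recommendation above, written as an added example (not Atera’s code): it resolves a customer domain’s MX records and flags any that do not point at the mail protection service. The domain `customer.example` and the filter host suffix `mailprotection.example` are placeholders.

```powershell
# Added example (not Atera's code): verify that a customer domain's MX records
# point only at the mail protection service, so no mail can bypass the filter.
# 'customer.example' and 'mailprotection.example' are placeholder names.
function Test-MxRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string[]]$FilterHostSuffixes  # the provider's MX host domain(s)
    )
    # Resolve-DnsName also returns the hosts' A records; keep only the MX entries
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
          Where-Object { $_.Type -eq 'MX' }

    $rows = @(foreach ($record in $mx) {
        $target = $record.NameExchange.TrimEnd('.')
        $viaFilter = $false
        foreach ($suffix in $FilterHostSuffixes) {
            if ($target -like "*.$suffix" -or $target -eq $suffix) { $viaFilter = $true }
        }
        [pscustomobject]@{
            Domain     = $Domain
            Preference = $record.Preference
            MX         = $target
            ViaFilter  = $viaFilter
        }
    })

    # Any MX outside the filter is a bypass path. No MX at all means senders fall
    # back to the domain's A record, which bypasses the filter as well.
    $bypass = @($rows | Where-Object { -not $_.ViaFilter })
    if ($rows.Count -eq 0) {
        Write-Warning "$Domain has no MX records; mail is delivered direct to the A record"
    } elseif ($bypass.Count -gt 0) {
        Write-Warning ("{0}: {1} MX record(s) bypass the mail filter: {2}" -f
            $Domain, $bypass.Count, ($bypass.MX -join ', '))
    }
    $rows
}

Test-MxRecords -Domain 'customer.example' -FilterHostSuffixes 'mailprotection.example' |
    Format-Table -AutoSize
```

Run it against every customer domain from the RMM on a schedule; a warning in the output is the sign that someone has added a direct MX entry behind your back.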
Web Filtering Service
Web filtering should be offered through a proven security-as-a-service (SecaaS) gateway and include:
- URL Protection – Block connections to phishing and other malicious sites to prevent infections and credential/login compromises.
- Antivirus – Reduce the risk of malware infections or the need for time-consuming cleanup.
- Advanced Threat Protection – Protection from zero-day threats and highly evasive malware through a combination of next-generation Cloud Sandbox Array technology and big data analytics.
The next key step is to configure your firewall appliance. Allow inbound mail and web traffic from the mail and web filtering servers only. Do not allow external hosts to send mail or other traffic directly over SMTP (for example via telnet to port 25). Lastly, enable the IDS or IPS modules: they can detect and block the communication attempts the malware uses to set up the public and private encryption keys it needs to encrypt the data.
It should go without saying, but always keep your AV up to date. Update your AV product and its signatures regularly. If you are not already doing so, run a system scan on a daily basis; this is best performed outside working hours to avoid load on the end-user system. It is highly recommended that you have an alerting system in place that notifies you of AV clients that are not up to date, so you can resolve the problem immediately. We recommend Webroot, with its cloud-based threat intelligence service.
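One way to feed the “AV client not up to date” alert described above from an RMM script monitor, as an added example (not Atera’s or Webroot’s code): it uses the built-in Windows Defender cmdlets because they are available on any supported Windows host; Webroot and other products expose equivalent status through their own agents. The two-day signature threshold is an assumption.

```powershell
# Added example (not Atera's code): report an endpoint whose AV is disabled,
# whose signatures are stale, or whose daily scan did not run, so the RMM can
# raise an alert. Uses the Windows Defender module (Windows 8 / 2012 and later).
function Test-AvStatus {
    param(
        [int]$MaxSignatureAgeDays = 2   # assumed threshold; tune per customer
    )
    $status = Get-MpComputerStatus -ErrorAction Stop

    $signatureAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
    $problems = @()

    if (-not $status.AntivirusEnabled)          { $problems += 'Antivirus engine disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $problems += 'Real-time protection disabled' }
    if ($signatureAge.TotalDays -gt $MaxSignatureAgeDays) {
        $problems += ('Signatures are {0:N1} days old (last update {1})' -f
            $signatureAge.TotalDays, $status.AntivirusSignatureLastUpdated)
    }
    # QuickScanAge / FullScanAge are reported in days; both above 1 means the
    # daily scan recommended above did not complete in the last 24 hours
    if ($status.QuickScanAge -gt 1 -and $status.FullScanAge -gt 1) {
        $problems += 'No scan completed in the last 24 hours'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($problems.Count -eq 0)
        Problems     = ($problems -join '; ')
        Checked      = Get-Date
    }
}

$result = Test-AvStatus
$result | Format-List
# A non-zero exit code lets the RMM script monitor treat this endpoint as alerting
if ($result.Compliant) { exit 0 } else { exit 1 }
```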
It is crucial to back up your data to minimize the potential impact of a ransomware infection. This is your only guaranteed recourse if an attack does penetrate one of your customers’ networks.
We highly recommend choosing a vendor that offers a disaster recovery capability, so that in case of an attack you will be able to recover within minutes. If you are going for a standard backup solution, select the important and useful data, such as drives C and D, and back up the System State. System State includes:
– System Registry
– COM+ Database
– Certificate Services
– Active Directory
– IIS Metabase
Some RMM solutions provide integrated online backup, such as Atera’s Online Backup cloud service, which has a simple-to-use yet powerful disaster recovery capability.
Use archiving capabilities to gain retention for more than 30 days; you can hold a snapshot of a specific backup session for an unlimited amount of time.
Operating system / Domain environment
Keeping your operating system and domain environment secure is a key strategy against ransomware infection. Patch and update your systems! Using an automated patch management system is recommended.
Disable RDP where it isn’t required. The malware also spreads via RDP ports that have been left open.
Limit end-user access to mapped drives. The ransomware will recognize the available workstations and mapped drives on the network and infect them instantly, so add restrictions.
Educating your users about the proper handling of unknown or suspicious files is crucial. This is probably already part of your IT security and access policy, but it may be worth considering a communication or training refresher in light of new threats.
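The two hardening items above (disable RDP where it is not needed, restrict what end users can write to over the network) as a workstation script, added here as an example rather than Atera’s own tooling. The `-RdpRequired` switch and the list of “broad” principals are assumptions; run it elevated.

```powershell
# Added example (not Atera's code): turn off Remote Desktop unless the host needs it,
# then list shares that broad groups can modify, i.e. what ransomware running as
# any ordinary user could encrypt over the network.
param([switch]$RdpRequired)   # assumed switch: pass it on the few hosts that need RDP

function Disable-RemoteDesktop {
    # fDenyTSConnections = 1 refuses incoming Remote Desktop connections
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    Set-ItemProperty -Path $key -Name 'fDenyTSConnections' -Value 1 -Type DWord
    # Close the firewall too, so TCP/3389 stays unreachable even if RDP is re-enabled
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
}

function Get-BroadlyWritableShare {
    # Principals that effectively mean "every user on this network" (assumed list)
    $broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    # Skip the administrative shares (C$, ADMIN$, IPC$); they are flagged Special
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in @('Full', 'Change') -and
            $broad -contains $_.AccountName
        } | ForEach-Object {
            [pscustomobject]@{
                Share   = $share.Name
                Path    = $share.Path
                Account = $_.AccountName
                Right   = $_.AccessRight
            }
        }
    }
}

if (-not $RdpRequired) {
    Disable-RemoteDesktop
    Write-Host 'Remote Desktop disabled and firewall rule group closed'
}

$open = @(Get-BroadlyWritableShare)
if ($open.Count -gt 0) {
    Write-Warning "Shares writable by broad groups found; tighten share and NTFS permissions:"
    $open | Format-Table -AutoSize
} else {
    Write-Host 'No shares grant Change/Full to broad groups'
}
```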
You’ve been hit by ransomware: what do you need to do?
First and foremost, immediately disconnect the workstation from the network.
Once the workstation is disconnected perform the steps below:
- Run the backup virtual machine from your Hyper-V / vSphere console.
- Give your customer access to their backup virtual machine; this takes 5 minutes at most.
- Rebuild the infected machine.
- Install the Backup client and run system state restore.
- Restore Data files.
- Install Anti-Virus and other software.
- Your new system is ready.
- Switch over from the backup virtual machine to the new one.
- Follow all the steps in the quick guide below and you will hopefully be up and running again as soon as possible without losing any of your business-critical data.
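The first step above, “immediately disconnect the workstation from the network”, scripted so a technician can fire it from the RMM; this is an added example and not Atera’s code. It saves a few pieces of volatile state first, because they are gone once the machine is rebuilt, and then disables every active adapter. The output folder name is an assumption.

```powershell
# Added example (not Atera's code): isolate a workstation that is showing a ransom
# note. Capture volatile triage data first (it disappears when the box is rebuilt),
# then take every active network adapter down.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $env:SystemDrive "IR-$stamp"       # assumed output location
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# What is running: the encrypting process is usually still alive at this point
Get-Process | Select-Object Id, ProcessName, Path |
    Export-Csv (Join-Path $outDir 'processes.csv') -NoTypeInformation

# Who it is talking to: established connections with their owning process IDs
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Export-Csv (Join-Path $outDir 'connections.csv') -NoTypeInformation

# Mapped drives tell you which shares may also have been encrypted and need restoring
Get-SmbMapping | Select-Object LocalPath, RemotePath, Status |
    Export-Csv (Join-Path $outDir 'mapped-drives.csv') -NoTypeInformation

# Isolate: disable every adapter that is currently up. This also drops the RMM
# agent's own session, so reconnecting is a hands-on step once the host is rebuilt.
Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } |
    Disable-NetAdapter -Confirm:$false -PassThru |
    Select-Object Name, InterfaceDescription, Status | Format-Table -AutoSize

Write-Host "Triage saved to $outDir; host isolated at $(Get-Date)"
```

Copy the IR folder off the machine (USB, not the network) before rebuilding; the connections list is what tells you whether other hosts on the same network need the same treatment.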
Atera checklist to protect your clients from ransomware
Download the Excel checklist and ensure you have taken all the necessary actions to deal with a Ransomware infection.
Follow all these steps and you will hopefully be up and running again as soon as possible, without your customers losing any of their business-critical data.
More Information about Ransomware:
Watch the CryptoLocker support video from Webroot, which shows how the infection works.