Ransomware and Its Prevention

We are all aware of ransomware, as most of us, or at least someone we know, may have been a victim. Ransomware is a type of malware that encrypts a victim’s data, preventing access to it while the attacker demands a ransom.

The organizations behind ransomware are businesses. They target huge organizations that can pay them a ransom, rather than mere households. Ransomware affiliates earn a percentage (around 70%) of successful payments.

No antimalware solution is sufficient to protect against all malware, because around 450,000 malicious programs and potentially unwanted applications (PUA) are registered every day (according to av-test.org). With new types of malware being introduced daily at such a high rate, it is impossible to safeguard organizations without staying updated.

How to Identify that We Have Been Attacked?

Once a ransomware attack is launched, the files on the victim’s computer are encrypted. It is often noticed that the file extensions change and the files can no longer be opened. One may find a text file in the documents directory, or a message displayed on the desktop background image, describing how to pay the ransom, threatening to disclose information, etc.

It is also worth noticing that an infected system is not infected entirely. Some directories, such as the Program Files and Windows directories, are left uninfected. This is because if the entire system became non-functional, the objective of the attack would not be met.
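The two signs described in this section (renamed files that no longer open, and a text file with payment instructions) can be checked with a read-only triage pass. The script below is an added example, not part of the original article; the keyword list, the known-extension list, the entropy threshold and the `.locked` sample extension are assumptions chosen for illustration.

```python
import math
import os
import re
import tempfile
from collections import Counter

# Assumed heuristics (not from the article): keyword list, extension list, threshold.
NOTE_WORDS = re.compile(r"\b(decrypt|ransom|bitcoin|encrypted|payment)\b", re.I)
KNOWN_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".zip"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root: str, entropy_min: float = 7.0) -> dict:
    """Walk root and report ransom-note candidates and unreadable renamed files."""
    notes, suspicious = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # read-only: evidence is never modified
            except OSError:
                continue
            text = head.decode("utf-8", "ignore")
            if ext == ".txt" and len(set(m.lower() for m in NOTE_WORDS.findall(text))) >= 2:
                notes.append(os.path.relpath(path, root))
            elif ext not in KNOWN_EXTS and entropy(head) >= entropy_min:
                suspicious.append(os.path.relpath(path, root))
    by_ext = Counter(os.path.splitext(p)[1].lower() for p in suspicious)
    return {"notes": notes, "suspicious": suspicious, "by_ext": dict(by_ext)}

def demo() -> dict:
    """Triage a constructed sample tree; os.urandom stands in for ciphertext."""
    samples = {
        "report.docx.locked": os.urandom(4096),
        "budget.xlsx.locked": os.urandom(4096),
        "notes.txt": b"Meeting at 10am, bring the budget draft.",
        "README_RESTORE.txt": b"Your files are encrypted. Send payment in bitcoin to decrypt.",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return triage(root)

if __name__ == "__main__":
    print(demo())
```

Many files sharing one unfamiliar extension in `by_ext` is the stronger signal. Compressed or legitimately encrypted files with unlisted extensions also score high on entropy, so treat single hits as leads rather than confirmation.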

Steps of a Phishing Email Attack

Step 1: The victim is presented with a very convincing or attractive phishing email and is tricked into clicking a link present in the email.

Step 2: This link contains a “dropper” that clandestinely downloads the actual malware (ransomware) into the system.

Step 3: It moves through the system disabling firewalls and all antivirus software and begins exfiltrating data.

Step 4: Data is then encrypted.

Step 5: The attacker will use a TXT file deposited on the target system to notify the victim. The file contains instructions to pay ransom money if the victim wants the decryption key.

What Should Be Done If We Are Infected?

After confirming that your system is infected with ransomware, do the following:

Containment and isolation: Containment and isolation should be the first priority in such incidents, as the malware can spread and infect other systems by exploiting a vulnerability. For example, the EternalBlue exploit, developed by the National Security Agency (NSA) for a vulnerability in Windows systems, was used by attackers to spread the WannaCry ransomware to other systems. Disconnect the system from any network it is on. Turn off all wireless capabilities such as Wi-Fi and Bluetooth. Unplug all storage devices connected to it, such as USB drives and external hard drives.

Avoid removing the infected files: Never try to delete any infected files from the victim/target computer.

Determine the infection scope: The next step is to determine the scope of the infection by identifying how bad the damage is. Check whether the infected system had access to shared/unshared drives or folders, USB devices with valuable files, storage devices such as external hard drives, network storage of any kind, or cloud-based storage like Google Drive, OneDrive, SkyDrive, etc.

Determine the infection strain: Determining the strain of infection is another important step. Strains may differ in the amounts and the ability to spread: some variants may infect only files, some may infect hard drives, and some may even steal data. With some research, we can easily find free decryption tools for certain strains.

When infected, the victim will have the following four options:

  1. Restore from a backup.
  2. Decrypt with the help of a third-party decryptor.
  3. Do nothing.
  4. Negotiate and/or pay the ransom.

How to Avoid and Combat Ransomware Attacks?

To combat ransomware attacks, one should gain knowledge through threat intelligence. This includes information about how a ransomware attack works and general approaches, for example, NIST standards for cybersecurity and MITRE’s ATT&CK framework, which is a taxonomy of the tactics, techniques, procedures, and patterns that an attack would follow.

One can introduce block rules in the system’s firewalls or blacklist a specific domain name in DNS. But how would anyone know such information? This information can be received through commercial vendors. Next-generation firewalls and unified threat management appliances may have the ability to receive this information from the vendor that manufactures such devices.

A number of companies may also sell threat intelligence feeds that include IP addresses, domain names, and email addresses, commonly known as indicators of compromise. Some companies may also provide these details for free for research or project purposes.
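How a feed of indicators of compromise turns into block rules and into a check of past traffic, as an added example that is not part of the original article: the `type,value` feed layout, the log layout and the `deny ...` rule syntax are assumptions for illustration, and every indicator value is a constructed placeholder from reserved documentation ranges.

```python
import ipaddress

# Constructed sample feed; all values are reserved documentation placeholders.
FEED = """\
domain,bad-updates.example
ip,203.0.113.7
ip,198.51.100.0/24
email,billing@phish.example
"""
# Constructed resolver log lines: "<client> <queried name> <resolved address>"
LOG = """\
10.0.0.5 intranet.corp.example 10.0.0.20
10.0.0.9 cdn.bad-updates.example 192.0.2.44
10.0.0.12 files.vendor.example 198.51.100.23
"""

def load_feed(text):
    """Split a 'type,value' feed into domains, IP networks and email senders."""
    domains, nets, emails = set(), [], set()
    for line in filter(None, map(str.strip, text.splitlines())):
        kind, value = line.split(",", 1)
        if kind == "domain":
            domains.add(value.lower().rstrip("."))
        elif kind == "ip":
            nets.append(ipaddress.ip_network(value, strict=False))
        elif kind == "email":
            emails.add(value.lower())
    return domains, nets, emails

def domain_hit(name, domains):
    """True if the name or any parent domain of it is in the feed."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def match_log(log_text, domains, nets):
    """Return (client, indicator type, value) for each log line that hits the feed."""
    hits = []
    for line in log_text.splitlines():
        client, query, resolved = line.split()
        if domain_hit(query, domains):
            hits.append((client, "domain", query))
        elif any(ipaddress.ip_address(resolved) in n for n in nets):
            hits.append((client, "ip", resolved))
    return hits

def block_rules(domains, nets):
    """Render deny entries; this rule syntax is illustrative, not a vendor format."""
    return [f"deny dns {d}" for d in sorted(domains)] + [f"deny ip {n}" for n in sorted(nets)]

if __name__ == "__main__":
    print(match_log(LOG, *load_feed(FEED)[:2]))
```

Matching parent domains catches subdomains of a listed name, and the clients returned by `match_log` are the hosts to examine first when determining the infection scope.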

It has never been more important to stop a ransomware infection before it happens. With the rising number of ransomware attacks these days, it has become essential to prevent them by taking necessary precautions. To do this, a defense-in-depth approach is required which should include all of the following points:

  1. Good endpoint protection/antimalware
  2. Segmenting the network
  3. Data loss prevention controls
  4. Limiting permissions
  5. Good spam filters
  6. Weapons-grade backups
  7. Periodic security awareness training for employees

 

Author

Nisha Achary

Security Consultant

Audit and Compliance Team,

Varutra Consulting Pvt. Ltd.

 

Ref: (ISC)2 Course training material, Ransomware Hostage Rescue Guide.