In the US, ransomware is earning a significant amount of media attention for shutting down schools and hospitals, but a recent study points to Canada as the country 4th most likely to be a victim of ransomware attacks. With that in mind, this document presents background information, security recommendations and policy for the best response to ransomware incidents within an organization of any type.
Ransomware 101
Generally, ransomware operates by infecting a machine with malicious code, and executing that code to encrypt the contents of that machine and hold them hostage for a ransom of ~$300-$1,200. Once the ransom is paid, the attacker typically decrypts the data and returns the files on that machine to the user, though the longer someone waits to pay, the more money they have to spend to regain access to files. It looks something like this:
Scenario 1: Ransomware infects a machine, and then uses that machine as a gateway to hold an an organization’s network hostage.
Scenario 2: Ransomware infects a single machine, and then finds its way up to the cloud to encrypt and ransom whatever data it can find.
Common Ransomware Entrypoints
- Phishing/spamming emails to email accounts
- Malicious files, links (esp. from social media) and attachments
- Support emails with attachments or links to compromised sites
- Malvertising from general web browsing
- Physical media storage (USB devices)
- Malicious text message to an Android device
- Malicious web site browsed on an Android device
A majority of the time, ransomware shows up as an email attachment that appears to be an invoice, a shipment tracking document or other run-of-the-mill business document that appears harmless at first encounter. While some strains of ransomware originally used Microsoft Office .doc files with macros enabled to download the malicious code, newer variants are using .ZIP archives with obfuscated scripts written in JavaScript. In the past month, there have been reports of emails using malicious scripts in JavaScript as new methods of attack.
Vulnerable Platforms
Overall, ransomware is a bigger threat to desktop operating systems than mobile operating systems, and it poses a larger threat to Windows machines and environments than Macs right now. Though it has been wreaking havoc on Windows machines for more than a decade, ransomware development has increased exponentially in the past three years.
Platforms currently susceptible to ransomware include:
Windows (prolific, exponential increase in development)
Android (emerging)
OS X (emerging)
While there has not yet been a strain of iOS ransomware found in the wild, it is safe to presume the worst case scenario and expect one to show up within the next 3-6 months. Though only one Mac variant (KeRanger) has been found in the wild, it was shut down in < 48 hours; researchers on the front lines of malware research expect to see others in coming months.
Known Variants
At present, there are several dozen variants of ransomware in the wild. Many new variants pop up each month, and the newer variants tend to be more vicious and malicious than their predecessors. In some cases, it is possible to recover files by using an anti-ransomware tool that unlocks an infected machine. In others, ransomware developers have proved themselves so inept at key handling that it is technologically impossible to recover files, even if a ransom has been paid. The strains below represent some that are known to researchers and that can be easily identified by their user interfaces.
AlphaCrypt
Cryptowall
Jigsaw (Decrypt)
Locker (Decrypt)
KeRanger
Locky
Petya (Decrypt )
Torrent Locker
Some strains of ransomware in the Jigsaw family have evolved to become destructive and will delete files if payment takes too long.
Proactive Defenses
- Overall, ransomware requires strong endpoint security. It is most likely to affect:
- Anyone conditioned to open attachments
- Anyone whose work involves invoices and shipping tracking documents
- Anyone handling physical media from 3rd parties
- Anyone who can be identified by a 3rd party
In terms of defense, there are a few things that must be done proactively to prevent ransomware infections:
Mandate secure, encrypted backups and ensure that they are maintained offline. From an organizational standpoint, our best defense is mandating secure backups for all employees. If secure backups are in place for 100% of a company, 100% of employees should be able to wipe their machines and restore them from an offline backup. This will require ongoing efforts and checkins.
Mandate compliance with regular software update policies. More often than not, an unsupported operating system, an unpatched server, or an an out-of-date browser is all an attacker will need to get ransomware into an environment.
Mandate the adoption of adblocking software for browsers. Consistent use of adblocking will mitigate threats posed by day-to-day web browsing, malvertising, or exposure to malicious sites that are infected by exploit kits that serve ransomware to end-users.
Educate employees on best practices for maintaining a secure home network. Many companies don’t filter or log home network traffic, they have no way of knowing whether home networks are configured correctly or segmented for work and family use, or whether they are following best practices like requiring separate folders on each network for users.
Proactively review, monitor and track cloud services in use. By conducting a quick review of all of the cloud services used within an organizations, we will be better informed about our exposure as ransomware progresses towards attacking the cloud.
For employees who regularly handle invoices, shipping documents, and attachments, the security team can provide advanced anti-phishing training and help configure advanced email and browser settings to further prevent infection.
To protect against JavaScript attachments, configure the browser or native mail application to open .JS files with Notepad by default.
To protect against misleading filenames, configure the browser or native mail application to display files with their extensions. (See below.)
To protect against accidental execution of a file that might contain ransomware, open file attachments from suspicious emails using a virtual machine.
Additional mitigation techniques like application whitelisting are not advisable for every individual within a company, especially if the majority of employees work from home or are not part of the corporate network. This particular approach should, however, be investigated for larger networks in offices and concentrated geographic areas.
Detection Tools
At present, many antivirus companies have added ransomware detection capabilities to their regular offerings, but there are only two ransomware-specific detection tools on the market.
Windows: Anti-Ransomware from Malwarebytes is for Windows machines
OS X: RansomWhere? by Patrick Wardle of Synack
Given that both tools operate similarly to antivirus suites that ask for tons of privileged access to machines that it runs on, and both tools are in beta, it isn’t ideal to recommend adoption of either at this time.
Ransomware Policy Recommendation
If any individuals or employees are infected by any strain of ransomware, it is best to absolutely not pay the ransom requested by the attackers. By not paying, victims do not positively reinforce criminal behavior— especially when they can take measures to prevent payment from being a measure of last resort. By mandating regular, secure backups and taking additional proactive measures to protect data, individuals and organizations can ensure that little-to-no data is lost to a ransomware attack. To put it simply, there’s no better way to avoid paying a ransom than to remove the need to pay a ransom from an organization or individual’s computing environment.
Jessy Irwin is a security communications professional. You can follow her on Twitter @jessysaurusrex.
