SEMA News—May 2015
By Joe Dysart
One Wrong Click and Hackers Encrypt All Your Files
IT security experts warn that there’s been a spike in the scourge of ransomware: malicious software that locks a computer or encrypts its data and demands a ransom for the system’s restoration. Since February 2013, more than 600,000 victims worldwide have reportedly been infected with just one variant of the malware, CryptoWall, according to an October 2014 report released by Dell.
“This is the next generation of ransomware, and you can expect this new version to spread like wildfire,” said Stu Sjouwerman, CEO of KnowBe4, a firm that specializes in IT security awareness training for small- and medium-size businesses.
“Today’s threat actors are smarter than ever, morphing their attacks multiple times to achieve the goal of undermining existing security defenses,” agreed David Monahan, research director for Enterprise Management Associates, an IT security firm that tracks and secures against hackers targeting the trucking and logistics industry.
“Cybercrime knows no season, never sleeps and is the most profitable international crime,” added TK Keanini, CTO of IT security firm Lancope.
Essentially, cyber-crooks trigger the extortion scheme by slipping past a PC’s defenses and running software on the machine that encrypts every file it can reach. Because the malware runs with the privileges of the logged-in user, that includes files on external hard drives and on any network shares or mapped drives that user can write to, not just the local disk.
Generally, victims pick up the software through malicious advertising (a banner ad that looks legitimate but redirects the browser to an exploit kit), by visiting a compromised website, or by opening an infected e-mail attachment, according to the Dell report.
Crooks often demand ransoms ranging from $200 to $2,000. It’s an amount that’s painful to pay but low enough for many companies to tolerate in the hopes that the ransomers will be true to their word and restore a machine once money exchanges hands, according to the Dell report.
Moreover, victims who put off paying, usually past a deadline of four to seven days, are told that the ransom has gone up. In one case, a victim was forced to pay $10,000 for the release of encrypted files. All told, Dell estimates that $1.1 million in ransom was paid to thieves using just the CryptoWall variant during a six-month period in 2014.
Ironically, the advent of new digital currencies is helping promulgate the criminal activity. Ransomers often demand to be paid in Bitcoin, a web-based currency that can be exchanged easily over the web under pseudonymous addresses that are hard to tie to a real person.
And while ransomware is often associated with visiting sketchy areas of the web—the digital equivalent of stumbling into a bad neighborhood—the malware has also been served through some extremely high-profile websites. In October, for example, malicious ads on a number of highly trafficked websites, including Yahoo, Match.com and AOL, were found delivering ransomware, according to a report by Proofpoint, an IT security firm.
Using malicious ads on those high-profile websites was a clever move, in that the thieves did not have to overcome the formidable security defenses of major websites such as Microsoft.com and Bing, or even the ad networks servicing those sites, according to the Proofpoint report. Instead, the crooks took legitimate ads, rigged them to redirect the visitor’s browser to a site hosting an exploit kit that attacks unpatched browser plug-ins and installs the ransomware, and then fed those ads back into the ad networks used by the previously mentioned highly trafficked websites.
Many companies aware of the ransomware scourge and similar malware already have education programs in place that train employees how to detect and guard against the most common sources of ransomware. But the extortionists, who apparently have nothing better to do all day, are always finding ways to up the ante in the never-ending game of cat and mouse.
“For example, most people are aware that they should avoid clicking on executable files,” said KnowBe4’s Sjouwerman. “However, seemingly innocuous documents such as Microsoft Word files can also be infected with malware. That’s why it’s essential for employees to be able to identify and avoid social-engineering red flags.”
Sadly, the extortion software is also evolving along with the digital revolution. Newer variants of ransomware are appearing on mobile platforms such as Android phones, according to an October report from IT security firm F-Secure. On mobile devices, the ransomware payload usually arrives as an app that the victim is lured into downloading and installing, according to the F-Secure report.
Unfortunately, there is no way to completely safeguard any business against ransomware 24/7. But there are a number of deterrents that organizations can put in place, including these:
- Block executable files (such as .exe files) and compressed archives (such as .zip files) containing executable files before they reach a user’s inbox.
- Keep operating systems, browsers and browser plug-ins such as Java and Silverlight fully updated; the exploit kits that deliver ransomware from malicious ads and compromised sites work by attacking known, unpatched plug-in flaws. “Patch browsers as soon as possible, and keep the amount of plug-ins as low as you can,” said Sjouwerman. “This diminishes your attack surface.”
- Once a machine is infected, disconnect it from the network (pull the cable or turn off Wi-Fi) right away. Isolation stops the malware from reaching network shares, and for variants that must first fetch an encryption key from a command-and-control server it can halt the encryption before it gets far, buying time until the infection can be found and removed.
- Lock down file permissions on shared drives so that each user, and therefore any ransomware running under that user’s account, can modify only the folders that user actually needs. Ransomware encrypts with the privileges of the account that launched it, so everyday work should not be done from an administrator account.
- Regularly back up data to so-called “cold,” offline backup media that is disconnected from the computer and the network as soon as the backup is written. “Make regular backups and have a backup off-site as well,” said Sjouwerman. “Test your restore function regularly to make sure that your backups actually work.” Sjouwerman added that backups to locally connected, network-attached or cloud-based storage are not sufficient, since ransomware such as CryptoWall encrypts such files along with those found on your system’s primary hard drive.
- Be careful with any e-mail that comes with an attachment or link inside. “Think before you click,” said Sjouwerman. “Don’t open anything from someone unless you are expecting it. Hover over an e-mail address to make sure it’s from a valid domain, one you know and recognize.”
- Check out KnowBe4’s free phishing test. Essentially, this test enables you to identify people in your employ who are prone to be duped by ransomware operators looking to sneak into your network via online ads, websites and e-mails.
You should also consider a pre-emptive employee-training service such as KnowBe4. The company offers a security awareness training program designed by Kevin Mitnick, who is an internationally recognized computer security expert and has extensive experience in exposing the vulnerabilities of complex operating systems and telecommunications devices. He gained notoriety as a highly skilled operator who penetrated some of the most resilient computer systems ever developed. Today, he is renowned as an information security consultant and speaker and has authored three books, including The New York Times bestseller Ghost in the Wires.
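The first deterrent above (block executables and archives that hold executables before they reach the inbox) and Sjouwerman’s warning that Word files can carry malware are both mechanical checks a mail gateway can make. The script below is an added example written for this article, not code from the original page or from KnowBe4. It parses an inbound message, and for every attachment checks the file extension (including the “Invoice.pdf.exe” double-extension disguise), looks for the “MZ” header that every Windows executable starts with regardless of its name, opens zip archives to apply the same checks to their members, flags password-protected archive members because they cannot be inspected, and flags Office documents whose zip container holds a vbaProject.bin part, which is where Office keeps VBA macros. The extension list, the block reasons and the sample messages are all constructed assumptions of this example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that run when double-clicked on Windows (assumed list for this example).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".cpl", ".msi", ".jar"}
PE_MAGIC = b"MZ"   # first bytes of every Windows executable, whatever its name
ZIP_MAGIC = b"PK"  # zip container; also every OOXML Office file (.docx/.docm/.xlsm)
MACRO_PART = "vbaproject.bin"  # the OOXML part that holds VBA macros


def suffixes(name):
    """All extensions of a filename, lower-cased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    return ["." + p for p in name.lower().split(".")[1:]]


def inspect_bytes(name, head):
    """Reasons to block one file, judged by its name and its first bytes."""
    reasons = []
    exts = suffixes(name)
    if exts and exts[-1] in EXEC_EXTENSIONS:
        reasons.append(f"executable extension {exts[-1]}")
        if len(exts) > 1:  # 'Invoice.pdf.exe' style disguise
            reasons.append("double extension")
    elif head.startswith(PE_MAGIC):
        reasons.append("PE header under a non-executable name")
    return reasons


def inspect_archive(data):
    """Reasons to block a zip (or OOXML) attachment, judged by its members."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["zip signature but unreadable archive"]
    reasons = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted member: cannot be inspected, so block
                reasons.append(f"{info.filename}: password-protected member")
                continue
            with zf.open(info) as member:
                head = member.read(2)  # only the magic; never inflate a zip bomb
            reasons += [f"{info.filename}: {r}" for r in inspect_bytes(info.filename, head)]
            if info.filename.lower().endswith(MACRO_PART):
                reasons.append("Office document carrying a VBA macro project")
    return reasons


def screen_message(raw):
    """Map each attachment name to its block reasons; an empty dict means deliver."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdict = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        reasons = inspect_bytes(name, data[:2])
        if data.startswith(ZIP_MAGIC):
            reasons += inspect_archive(data)
        if reasons:
            verdict[name] = reasons
    return verdict


# Constructed sample messages for the demo; not real mail.
def build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def build_message(filename, data, maintype="application", subtype="octet-stream"):
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.com", "ap@example.com", "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


FAKE_PE = PE_MAGIC + b"\x90" * 62  # header bytes only; not a runnable program
SAMPLES = {
    "exe_in_zip": build_message("Invoice_0414.zip", build_zip({"Invoice_0414.pdf.exe": FAKE_PE}), subtype="zip"),
    "macro_doc": build_message("Invoice_0414.docm", build_zip({"[Content_Types].xml": b"<Types/>",
                                                              "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"})),
    "renamed_pe": build_message("photo.jpg", FAKE_PE, maintype="image", subtype="jpeg"),
    "clean_pdf": build_message("Invoice_0414.pdf", b"%PDF-1.4\n%%EOF\n", subtype="pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", screen_message(raw) or "deliver")
```

Two design choices matter in practice. Members are judged by their first two bytes, read through the archive’s streaming interface, so a zip bomb is never decompressed in full; and a password-protected member is treated as a reason to block rather than a reason to give up, because an archive the gateway cannot open is exactly how a malicious attachment gets past a scanner. The same three checks (extension, magic bytes, archive contents) are what a practitioner should expect any commercial mail filter to perform.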
Mitnick’s security awareness training program is interactive, web-based and includes case studies, live demonstration videos and short tests. An initial training session in the program runs 30–40 minutes.
“Our Internet security awareness training is designed to ensure that employees understand the mechanisms of spam, phishing, spear-phishing, malware and social engineering and are able to apply this knowledge on the job,” Mitnick said. “This allows organizations to create a ‘human firewall’ that actively works to prevent network security breaches.”
Included in the service are regularly scheduled phishing security tests performed by KnowBe4, which keep employees on their toes. Employees duped by the simulated phishing attacks can receive instant remedial training under the program. Also featured is an admin console that provides before-and-after reports featuring instant graphs detailing the training’s efficacy.
“The threat posed by malware should not be underestimated, particularly considering that employees have consistently proven to be the weak link in companies’ Internet security efforts,” Mitnick said. “In most cases, their involvement is unintentional. They unknowingly allow access to corporate networks simply because they don’t know what to watch out for.”
For more information on protecting your firm from ransomware, check out:
- “Dealing With Ransomware” Podcast: From IT Security Firm Sophos
- Proofpoint’s Report on Ransomware on Major Sites Such as Microsoft.com
- F-Secure’s Threat Report
Joe Dysart is an Internet speaker and business consultant based in Manhattan.