What is Ransomware and the 8 Things You Can Do to Prevent Becoming a Victim
Ransomware is a term used to describe malware that is installed on a user’s computing device (without the user’s knowledge or permission), that encrypts the user’s data. This malware is distributed to an individual (or entity) through social engineering, such as phishing emails, or compromised websites that install the malware on the visitor’s machine. Once a machine has been compromised the malware executes and encrypts all data files that the end-user has access to. This includes local files as well as network drive file storage. After the files are encrypted, they are unrecoverable unless a “ransom” is paid to the attacker. Outside of restoring from a backup the only way to restore the data is to pay the distributor of the malware.
This Malware extortion began by targeting mostly individual home users and has now grown-up to target businesses and other large entities. This Ransomware extortion is very profitable and as such is growing rapidly. The development of this malware and associated components for the collection of funds has become quite sophisticated. The malware developers are often fully staffed organizations, having the sole purpose of developing this software. These organizations have full time employees dedicated to developing and improving the malware. They leverage some of the most sophisticated phishing and social engineering techniques seen to date. The threat posed by Ransomware is growing should not be under-estimated by our clients.
Ransomeware key data points:
- CryptoWall alone cost user's approximately $325,000,000 in 2015.
- 165% increase from 2014 through the end of 2015.
- Ransom is paid through bitcoin or other cryptocurrency to mask the paper trail.
- Malware phishing may look like AV software, messages from law enforcement or financial service providers.
- Once data is encrypted there is no reversing it without the private key held by the attackers.
- Most development and distribution comes from Russia as well as other countries outside the United States.
- While this has impacted other regions of the world, North America is by far the number one target for ransom based attacks.
- Ensure that all critical data on all systems is known, backed up and the integrity of the backups are guaranteed.
- Ensure that there is visibility for detection and response on the network to detect command and control activity as well as the distribution of malicious code.
- Ensure that all files on the network are only accessible by those who need them, and review permissions and access regularly to ensure that is the case. A tool such as file integrity monitoring should also be considered to ensure that going forward file access and rights are ensured. Ransomware cannot encrypt data that the victim does not have access or rights to.
- Ensure that LAN and endpoint security measures include tools for detection and response in conjunction with prevention. These attacks come in the form of polymorphic malware and can easily get by detection, especially signature based detection. It is important to have detection and response tools that are able to identify undesired behavior in the environment to uncover potential compromise.
- Be aware of the vulnerabilities that exist on systems within the environment. Ensure that software beyond the OS is assessed. Flash for example, is one of the most common vectors for attack.
- Ensure that user privilege is the minimum required to work. Without administrator access many variants of this malware cannot execute and compromise data.
- Ensure that mail security has the ability to detect and prevent phishing attacks.
- Perform regular user awareness training to help prevent users from falling victim to social engineering attacks.