Don’t Be a Victim – Fight Ransomware Attacks with These Proven Steps

Wednesday, July 27, 2016

Hatem Naguib


There is no shortage of cyber-attacks in the headlines, and none is more prevalent than ransomware. These attacks encrypt the victim's files and demand payment in exchange for the key that restores access. Because the money comes directly from the victim, the revenue model is far more direct than that of most other hacking schemes, which is why ransomware has spread so widely. The style of attack is not new, but it is becoming more sophisticated, and it has grown beyond end users to more lucrative attacks on businesses.

Currently, three families keep reappearing: CryptoWall (the oldest), Locky (the fastest growing), and TeslaCrypt, which spreads primarily through hijacked WordPress and Joomla sites. Ransomware has been successful enough that hospitals and police departments have been infected and forced to pay large sums to have their records unlocked.

Locky is a useful example of why these campaigns succeed, because it shows several distinctive traits. It spreads primarily through spam email carrying a Word attachment whose malicious macro fetches the ransomware. Here's how:

  • Email messages are tailored with information scraped from the recipient's social media activity in order to gain the victim's trust. The research is automated with scraping software that scans profiles and then delivers the malicious messages.
  • The criminals distributing Locky appear to be experienced with malware; as IBM's Security Intelligence blog pointed out earlier this year, the new scheme copies the Dyre Trojan's redirection attack.
  • Locky encrypts files with AES-128 and protects the file-encryption key with RSA, so there is currently no way to decrypt Locky-encrypted files without the attackers' private key.
  • Locky's operators change domains every day, which makes it harder to identify and block the domains used to host the malware.
  • Instead of targeting one enterprise for a large ransom, Locky campaigns collect smaller ransoms on a global scale, making organizations of every size viable targets.
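The delivery vehicle above, a Word attachment with a macro, is also the cheapest thing to check for at a mail gateway or help desk. Office Open XML documents (.docx, .docm, .xlsm and friends) are zip archives, and a document that carries VBA code contains a part named vbaProject.bin. The following Python script is an added example, not code from the original post: it classifies an attachment from its bytes without opening it in Office, and treats a VBA project inside an extension that should never carry one (.docx) as an extension/content mismatch. The sample archives it builds are constructed stand-ins rather than real Word files, and the filenames and the MACRO_FREE_EXTENSIONS list are assumptions for the example.

```python
"""Triage an Office attachment for an embedded VBA project.

Added example, not from the original post. Office Open XML documents (.docx,
.docm, .xlsm, ...) are zip archives; a document that carries VBA code contains
a part named vbaProject.bin. The sample archives built by build_ooxml() are
constructed stand-ins, not real Word files, so the script runs offline.
"""
import io
import zipfile
from dataclasses import dataclass

MACRO_PART = "vbaproject.bin"
# Extensions that should never carry macros (assumption for this example):
# a VBA project inside one of these is an extension/content mismatch.
MACRO_FREE_EXTENSIONS = {".docx", ".xlsx", ".pptx"}


@dataclass
class Verdict:
    filename: str
    is_ooxml: bool
    has_macro: bool
    reason: str


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    """Classify one attachment from its bytes without opening it in Office."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return Verdict(filename, False, False, "not a zip container")
    with zipfile.ZipFile(buf) as zf:
        names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return Verdict(filename, False, False, "zip archive but not OOXML")
    macro_parts = [n for n in names if n.lower().endswith(MACRO_PART)]
    if not macro_parts:
        return Verdict(filename, True, False, "no VBA project part")
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext in MACRO_FREE_EXTENSIONS:
        reason = f"VBA project inside a {ext} file (extension/content mismatch)"
    else:
        reason = "VBA project present: " + ", ".join(macro_parts)
    return Verdict(filename, True, True, reason)


def quarantine_list(attachments) -> list:
    """Names a gateway should hold back: every macro-bearing attachment."""
    return [name for name, data in attachments
            if inspect_attachment(name, data).has_macro]


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-shaped archive (not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_ooxml(True)),   # macros where they are at least expected
        ("invoice.docx", build_ooxml(True)),   # macros hidden behind a macro-free extension
        ("minutes.docx", build_ooxml(False)),
        ("readme.txt", b"plain text, not an archive"),
    ]
    for name, data in samples:
        print(name, inspect_attachment(name, data))
    print("quarantine:", quarantine_list(samples))
```

This only covers the zip-based formats; the older binary .doc and .xls formats are OLE2 containers with a different layout, and the usual tool for both families is olevba from the oletools package. The gateway policy the check supports is the simple one: hold back every macro-bearing attachment from outside the organization and release it only after a human or a sandbox has looked at it.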

Locky and other ransomware attacks are expected to keep increasing throughout the year and to expand to Macs, smartphones and IoT endpoints. No person or business is immune, and if you have already been attacked, there is no reason to believe it won't happen again. So where does that leave us? With encrypted files being held for ransom?

Fortunately there are proven precautions that reduce the risk to your data. Most ransomware attacks rely on tricking users into opening an infected attachment or visiting a poisoned site, so that is where the defenses below concentrate. Here's how to fight it:

Consider Multiple Security Layers

To defend against ransomware, consider a variety of practices. No single tactic makes a business 100 percent secure, but combining several reduces the potential for malware without hampering routine activities.

Have a backup and recovery plan in place

If you back up your files nightly, a ransomware attack costs you at most a day's work: you restore from the last good backup. The more often you back up, the better off you'll be. Two caveats apply. Ransomware also encrypts any backup it can reach, including mounted drives and network shares, so keep at least one copy offline or otherwise unwritable from the endpoint. And a backup that has never been restored is untested, so rehearse the restore before you need it.
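Added example, not part of the original post: a small Python backup that records a SHA-256 manifest at backup time and a verification routine that reports every file which is missing or has changed since, which is what a restore drill should assert before anyone trusts the copy. The demo() function simulates what ransomware does to a backup share it can reach (one file overwritten in place, another encrypted into a renamed copy) and shows the verification catching both. Directory names, file contents, the .locky suffix and the MANIFEST.json name are constructed for this example.

```python
"""Backup with an integrity manifest, plus a restore check.

Added example, not from the original post. A nightly copy only helps if the
copy still matches what was saved, so make_backup() records a SHA-256 per file
and verify_backup() reports every file that is missing or changed since then,
which is exactly what a restore drill should assert. Directory names, file
contents and the manifest name are constructed for this example.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Optional

MANIFEST_NAME = "MANIFEST.json"  # assumed name; keep a copy off the backup share


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dst: Path) -> dict:
    """Copy src to dst and write a manifest mapping relative path -> sha256."""
    shutil.copytree(src, dst)
    manifest = {
        str(p.relative_to(dst)).replace("\\", "/"): sha256_of(p)
        for p in sorted(dst.rglob("*"))
        if p.is_file()
    }
    (dst / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(dst: Path, manifest: Optional[dict] = None) -> list:
    """Return (relative path, problem) for every manifest entry that no longer matches.

    Pass the manifest from a trusted copy when you have one; a manifest read
    from the backup itself is only as trustworthy as the backup share.
    """
    if manifest is None:
        manifest = json.loads((dst / MANIFEST_NAME).read_text())
    problems = []
    for rel, expected in manifest.items():
        p = dst / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif sha256_of(p) != expected:
            problems.append((rel, "content changed"))
    return problems


def simulate_ransomware(backup: Path) -> None:
    """Constructed stand-in for what ransomware does to a share it can reach:
    one file is overwritten in place, another is encrypted into a renamed copy."""
    (backup / "report.docx").write_bytes(b"\x00" * 32)
    (backup / "notes.txt").rename(backup / "notes.txt.locky")


def demo() -> tuple:
    """Back up two constructed files, then show verification before and after the hit."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "docs"
        src.mkdir()
        (src / "report.docx").write_bytes(b"constructed quarterly numbers")
        (src / "notes.txt").write_bytes(b"constructed meeting notes")
        dst = Path(tmp) / "backup"
        manifest = make_backup(src, dst)   # trusted copy held in memory
        before = verify_backup(dst, manifest)
        simulate_ransomware(dst)
        after = verify_backup(dst, manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("right after backup:", before)
    print("after the share was hit:", after)
```

The manifest is the part worth protecting: if it lives only on the same share as the backup, the attacker encrypts it along with everything else and you lose the ability to tell a clean restore from a poisoned one. Store it (or at least its hash) somewhere the endpoint cannot write.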

Review your policies on Internet surfing

Many attacks begin with malware served from malicious sites. Do all employees in an organization need unfettered internet access? Possibly not, and restricting it removes some of the risk. Can you deploy a web filter? Filters are not foolproof either, but they are an effective part of a multi-pronged strategy.

Prevention

Advanced threat detection (ATD) relies on a sandbox: an isolated environment, generally in a private cloud, where a suspicious file is opened, or "detonated", and watched for malicious behavior. The sandbox tricks malware into exposing itself; once exposed, the file is quarantined and the attack is stopped before it reaches a user. Sandboxes are not infallible, since malware that recognizes an analysis environment can stay dormant, so treat ATD as one layer rather than a guarantee. Another effective form of prevention can be as simple as one of the many web security gateway solutions, which keep users away from already compromised websites where "drive-by downloads" happen.

Be Smart

Regular employee security training may be the best way to keep users from clicking on malicious links or opening harmful attachments. If they recognize the signs of an attack, they can identify trouble before it starts.

Understanding the Mobile Risk

It is relatively easy to inspect the sender and resolve URLs on a desktop or laptop, but some mobile clients and plug-ins hide that information. Trained users are less likely to open a suspect email or tap a URL received by text message. Remember, when in doubt, don't open the email, and never open a URL in a text message, since the sending number can be spoofed. A legitimate message would resolve automatically on a smartphone, and there would be no URL to tap.
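The two checks the training above asks users to make by eye (who really sent this, and where does that link really go) can be automated on the desktop. The following Python script is an added example, not code from the original post. It parses a constructed message and reports a display name that advertises a domain other than the real From address, a Return-Path domain that differs from the From domain, and HTML links whose visible text names one host while the href points at another. The message, addresses and domains are all constructed for the example.

```python
"""Check the two things users are trained to look at: the sender and the links.

Added example, not from the original post. Given a raw message it reports a
display name that advertises a domain other than the real From address, a
Return-Path domain that differs from the From domain, and HTML links whose
visible text names one host while the href points at another. The message,
addresses and domains below are constructed for this example.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

CONSTRUCTED_MESSAGE = b"""Return-Path: <bounce@mail-tracking.example.net>
From: "bank.example.com Accounts" <billing@invoices.example.org>
To: victim@example.com
Subject: Invoice 20160727
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please review your invoice at
<a href="http://pay.example.org/inv">https://bank.example.com/invoices</a>.</p>
<p>Help: <a href="https://bank.example.com/help">https://bank.example.com/help</a></p>
</body></html>
"""

# Anything that looks like a dotted host name inside free text.
DOMAIN_TOKEN = re.compile(r"\b[\w-]+(?:\.[\w-]+)+\b")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_findings(from_header: str, return_path: str) -> list:
    """Compare what the display name claims with the address that actually sent."""
    display, from_addr = parseaddr(from_header)
    _, bounce_addr = parseaddr(return_path)
    from_dom, bounce_dom = domain_of(from_addr), domain_of(bounce_addr)
    findings = []
    # Display names are free text; one that names a domain the address does
    # not belong to is the classic "looks like the bank" trick.
    for token in DOMAIN_TOKEN.findall(display):
        if token.lower() != from_dom:
            findings.append(f"display name shows {token} but From address is {from_addr}")
    if from_dom and bounce_dom and from_dom != bounce_dom:
        findings.append(f"Return-Path domain {bounce_dom} differs from From domain {from_dom}")
    return findings


def link_findings(html_body: str) -> list:
    """Flag links whose visible URL names a different host than the real target."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        shown = urlparse(text).hostname if "://" in text else None
        real = urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            findings.append(f"link text shows {shown} but href goes to {real}")
    return findings


def analyse(raw: bytes) -> list:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return (sender_findings(str(msg.get("From", "")), str(msg.get("Return-Path", "")))
            + link_findings(html))


if __name__ == "__main__":
    for finding in analyse(CONSTRUCTED_MESSAGE):
        print("-", finding)
```

Neither check proves a message is malicious on its own; mailing-list software and marketing platforms legitimately produce Return-Path mismatches and tracking links. The point is that these are exactly the signals a phone's mail client tends to hide, so a user who cannot see them should hold the message until it can be examined on a machine that can.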

As inconvenient as ransomware is, you have plenty of options to make sure you are not the next company in the news. If you are concerned about your organization's safety, contact an IT service provider or reseller for a security assessment; they can evaluate your level of protection and help you develop a short- and long-term plan to remain secure.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
