WHAT IS RANSOMWARE?
News stories abound concerning the threat of ransomware. From education to financial institutions and enterprise, the threat is real for everyone. A ransomware attack infects networks, devices and data centers, stealing sensitive information and locking down your organization's ability to function until you agree to pay a "ransom" for its release.
The malware du jour probably has you overwhelmed, so to help simplify your life, we've compiled all of the most current ransomware news in one place. We'll describe the latest ransomware families, lay out the arguments for and against paying and tell you what should be done before you are a victim.
But, before we get started...do you have a current offline back-up of your network data? Good.
RANSOMWARE FAMILIES IN THE NEWS TODAY:
1. Cerber
Cerber is a new ransomware family that appeared in the middle of Q1 2016 and was one of the most pervasive heading into mid-year. After infecting a device, it reads its ransom message aloud to the user, then encrypts files, appending the extension ".cerber", and drops a ransom note in HTML and TXT format. The United States, Taiwan, and Japan have been the top 3 most affected regions. Source.
2. Bayrob
First appearing on the scene in 2007, the "Bayrob" family of malware had lain dormant until recently. Bayrob duplicates itself in the network to start multiple processes at once, then hides malicious code among benign or junk code to impede analysis. This newer iteration of Bayrob also adds C&C (command and control server) communication, using custom protocols over TCP/IP.
Read "Bayrob - An Ancient Evil Awakens" by Fortinet for a deeper explanation.
3. CryptoWall
CryptoWall is a popular ransomware which targets computers running Microsoft Windows, encrypts files, and extorts money to decrypt user files. Files are not only encrypted, but completely renamed, making it impossible to know which files have been affected; this increases the likelihood of payout because you can't be sure whether important files have been compromised. Plus, the newest version has enhanced code to avoid anti-virus detection.
Interestingly, the hackers avoid attacks on certain countries (find the list here) and are careful not to encrypt files that would affect the operation of the computer.
CryptoWall remains the most dominant threat in Fortinet's statistics, which identify the U.S., Japan and Turkey as the most targeted.
4. Locky
The name of this ransomware family, Locky, says exactly what it does. Locky takes your files, scrambles them and then locks them, adding the extension ".locky". It also encrypts the shadow copies created by Windows, in the hope that most users consider VSS files a sufficient backup. The U.S., France and Japan were the top three most-hit countries in Fortinet's study. Technical breakdown of Locky >>
5. DMA Locker 4.0
DMA Locker is a ransomware-type virus that encrypts local drives and network shares. The malware is distributed through web-based drive-by download attacks, where reputable sites are compromised and innocent web surfers are redirected to sites controlled by hackers. If your system isn't updated with current patches, an exploit kit hosted on the site finds vulnerabilities, downloads and installs the malware (the payload), generates a unique encryption key and holds your files hostage until you pay.
The latest version of the DMA Locker virus is targeted at the healthcare industry, which is especially vulnerable because network connectivity is distributed across thousands of PCs, laptops, tablets, medical devices, patient monitors, and applications – many of which lack any security defenses altogether. Source.
6. Ophion Locker
Ophion Locker is a new strain of ransomware designed to recognize the devices it has infected in the past so that it doesn't hit the same victims repeatedly. Are hackers taking lessons in customer service? Unlikely. But they are paying attention to the "bad press" that's discouraging victims from paying because there's no guarantee that files will be returned safely. So it makes sense that they're also paying attention to who they infect, as a step towards maintaining their "integrity".
7. TESLACRYPT / ALPHA CRYPT
So after instilling all of this fear, here's some GOOD news. The creators of TeslaCrypt seem to have hit a snag, been found out or grown a conscience, because they ceased operation and released the master decryption key in May 2016.
But, just in case you still want to know what it was...this ransomware family targeted users via a phishing campaign posing as a major office supply retailer. TeslaCrypt disguised itself as CryptoWall, making it harder to identify.
This is an example of why you should pay attention to the sender's email address, the body of the message and never, ever open attachments in suspicious emails.
8. Virlock
Virlock is a ransomware with a metamorphic algorithm that enables the malware to generate different copies of its binaries while they continue to look like normal code. It also has an on-demand polymorphic algorithm that decrypts only the code it needs at a given moment and then encrypts it back using a different key.
Virlock's code is continuously decrypted and re-encrypted with different keys, so the malware in memory looks completely different from the original encrypted copy.
The job of malware analysts is made exponentially more difficult because the only way to analyze it fully is to step through every block of code in the debugger. It's impossible to extract a completely decrypted copy of the malware when only one block of code is decrypted at any given time. Read more about Virlock >>
HERE'S THE MILLION BITCOIN QUESTION - SHOULD VICTIMS OF RANSOMWARE PAY?
The FBI says yes. During the 2015 Cyber Security Summit, Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office, said that paying the ransom is often the easiest path out of ransomware infections. They also still want you to call them, even if you pay the ransom so they can collect information on how these attacks are evolving.
And, as mentioned above, most of these malware authors will follow through on their part to provide the decryption key. Why? Because if they don't, people will stop paying. It's in their best interests to make good on their word.
But, before you get to that point, there ARE steps you can take to protect yourself.
RESPONSE & MITIGATION (Something to get you started):
- Establish a backup and recovery strategy - yesterday! Keep an offline backup and if you're infected, restore to a point at least a week prior.
- Don't log in as an administrator unless it's necessary; malware running under an admin account can do far more damage. Avoid doing work or browsing when logged in as admin.
- Don't open file attachments in suspicious emails, even if they appear to come from a trusted source. The sender may not be who they claim to be; that's called "spoofing". Look closely at the sender's address and read the content of the email.
- And definitely don't enable macros on a file received as an email attachment.
- Patch! Update! Do not wait! If you don't stay on top of software updates, malware authors will compare the patched software against the old version to reverse-engineer the weakness it fixed, and then target anyone still running the prior version.
- And finally, if you suspect an attack or it's detected early, move quickly! You may be able to salvage your system with minimal file damage. It does take some time for encryption to complete, so immediate removal of the malware before severe damage has occurred is possible.
Is there a 100% guaranteed way to make sure your organization isn't a victim of ransomware? No. But by leveraging solutions that look at reputation and zero-day attacks, your risk can be minimized.
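As an added example (not from the original post or from Fortinet), here is a small Python detector for the early-warning idea in the last step above: it flags renames to the ".cerber" and ".locky" extensions named on this page, a burst of renames within a short window (which also catches families whose extension is not yet known), and a TXT or HTML file dropped into a folder that was just hit, as Cerber does. The event format, thresholds and sample events are constructed for illustration.

```python
import os
from collections import deque
from typing import NamedTuple

class FileEvent(NamedTuple):
    ts: float           # seconds since epoch
    action: str         # "rename" or "create"
    path: str           # source path (or the created file)
    new_path: str = ""  # destination path for renames

RANSOM_EXTENSIONS = {".cerber", ".locky"}  # extensions named on this page
NOTE_EXTENSIONS = {".txt", ".html"}        # Cerber drops its note in both formats
BURST_COUNT = 5        # this many renames ...
BURST_WINDOW = 10.0    # ... within this many seconds is suspicious (assumed thresholds)

def ext_of(path):
    return os.path.splitext(path)[1].lower()

def detect(events):
    """Return (ts, rule, detail) alerts for time-ordered file events."""
    alerts, recent, hit_dirs, burst_fired = [], deque(), set(), False
    for ev in events:
        if ev.action == "rename":
            if ext_of(ev.new_path) in RANSOM_EXTENSIONS:
                alerts.append((ev.ts, "known-extension", ev.new_path))
                hit_dirs.add(os.path.dirname(ev.new_path))
            # Burst rule: a flood of renames is suspicious whatever the extension.
            recent.append(ev.ts)
            while ev.ts - recent[0] > BURST_WINDOW:
                recent.popleft()
            if len(recent) >= BURST_COUNT and not burst_fired:
                alerts.append((ev.ts, "rename-burst", f"{len(recent)} renames in {BURST_WINDOW:.0f}s"))
                burst_fired = True
        elif (ev.action == "create" and ext_of(ev.path) in NOTE_EXTENSIONS
              and os.path.dirname(ev.path) in hit_dirs):
            alerts.append((ev.ts, "ransom-note", ev.path))
    return alerts

# Constructed sample: one benign rename, then a Locky-style burst and a note drop.
SAMPLE_EVENTS = [FileEvent(0.0, "rename", "/share/q1.xlsx", "/share/q1_final.xlsx")] + [
    FileEvent(100.0 + i, "rename", f"/share/doc{i}.docx", f"/share/doc{i}.locky")
    for i in range(5)
] + [FileEvent(105.0, "create", "/share/NOTE_PLACEHOLDER.txt")]

if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_EVENTS):
        print(f"t={ts:6.1f} {rule:16} {detail}")
```

Feed it rename/create events from whatever file-server or endpoint auditing you already have; the benign rename in the sample produces no alert, while the burst produces seven.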
AND NOW THE PRODUCTS THAT CAN HELP PROTECT YOU
The antivirus functions of FortiGate, FortiMail, FortiWeb, FortiSandbox, and FortiClient detect and block this malware based on the following signatures and detection results. Fortinet's patented CPRL (Compact Pattern Recognition Language) technology identifies the malicious behavior typical of malware, making it possible to detect and block unknown malware variants that use code patterns defined in general CPRL signatures such as W32/Generic and W32/Kryptik.
Fortinet recommends that organizations use defense in depth protection, and not just enable antivirus functions alone, to protect their systems from advanced attacks using a variety of vectors for infection, spreading, and control.
In addition to gateway protection, endpoint security such as FortiClient is critical in protecting against infection via encrypted transmissions and infected USB memory sticks. Internal segment firewall (ISFW) and web filter functions are also important to prevent and contain infection activity within systems and C&C transmissions with outside systems.