Ransom. Rinse. Repeat

24 March 2016 | Security

Ransomware is becoming an unpleasant fact of life, with new variants and techniques popping up weekly. That's hardly surprising, as it is a hugely profitable enterprise for the crooks. Back in December 2013, during the early CryptoLocker outbreak, Michele Spagnuolo, an Italian researcher, tracked the ransom paid to known bitcoin addresses (you can find his thesis here).

On 15 December 2013 alone, the criminals took US$1,100,000. That's not too shabby for one day. The bottom line is that criminals see an enormous amount of money to be made, so the threat of crypto-ransomware is only going to get worse. New variants are being released and new attack methods are in use; the latest distribution method is malvertising, poisoned ads served through compromised ad networks on otherwise trustworthy web sites, which means 'only visit reputable sites' is no longer a defence. It's fair to say that it's not a matter of 'if' you're going to get hit by ransomware, but 'when'. The better prepared you are, the greater your chance of minimising the damage and recovering from the attack.

**What is it?**

Unlike traditional malware, which hides itself and tries to steal information, crypto-ransomware makes itself known immediately: it encrypts files and locks them away from the user until a ransom is paid. There are a number of variants, including CryptoLocker, CryptoWall and the recent Locky. Traditional detection-based protection, such as signature anti-virus, has proven unreliable at stopping the attacks, because signatures lag behind the constant stream of repacked builds, and in any case the attacks are becoming more sophisticated as the criminals move to target businesses. Ransomware now arrives through vectors such as embedded document macros and malvertising, and employs anti-analysis and persistence techniques. The encryption itself is done properly: typically each file is encrypted with its own symmetric key, which is in turn encrypted with a public key whose private half never leaves the criminals' server, so decryption without that key is computationally infeasible. So how do you prevent an attack, and if you do get clobbered, how do you deal with the aftermath? As with so many things, an ounce of prevention is worth a pound of cure, because once you are hit you really only have two choices: pay the ransom or restore from backup. (Occasionally a family is broken because its authors made an implementation mistake and a free decryptor appears, but you cannot plan on that.) Please don't pay the ransom.

**Backups, backups, backups**

Make sure you have good backups of your files. Don't rely on VSS snapshots: most current variants delete the volume shadow copies (typically by running vssadmin delete shadows /all /quiet) as one of their first actions, so the Previous Versions tab and System Restore points will be gone by the time you need them. Make sure you have a tested backup that is maintained on a separate platform from your primary data, and that the infected user's account cannot write to it; a backup share that ordinary users can write to is just another folder for the malware to encrypt, and mapped backup drives and attached USB disks get encrypted along with everything else. If you're not sure how good your backups are, now is the time to test them and fix any problems.

Don’t forget to protect your personal stuff at home, too – I use CrashPlan to protect the family’s photos and files.
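The three properties that matter for a ransomware-grade backup are freshness, independence from the user accounts that will be compromised, and a proven restore. The script below, added here as an illustration and not part of the original post or any vendor's product, checks all three against a backup target laid out as one folder per backup run. The share paths, the one-folder-per-run layout and the twelve-hour threshold are assumptions; adapt them to your backup product.

```powershell
# Added example: verify that the latest backup is fresh, that ordinary users cannot write
# to the backup target, and that a random sample of files actually restores intact.
# $SourceRoot, $BackupRoot and the one-folder-per-run layout are assumptions.
param(
    [string]$SourceRoot = '\\fileserver\Finance',         # live data
    [string]$BackupRoot = '\\backupserver\Sets\Finance',  # one sub-folder per backup run
    [int]$MaxAgeHours   = 12,                             # the twelve-hour rule from the post
    [int]$SampleSize    = 25
)

# 1. Freshness: the newest set folder must be younger than $MaxAgeHours.
$latest = Get-ChildItem -Path $BackupRoot -Directory |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $latest) { throw "No backup sets found under $BackupRoot" }
$age = (Get-Date) - $latest.LastWriteTime
if ($age.TotalHours -gt $MaxAgeHours) {
    Write-Warning ("Latest set {0} is {1:N1} h old; fix the backup job" -f $latest.Name, $age.TotalHours)
}

# 2. Independence: if a domain user can write here, the malware running as that user
#    can encrypt the backups as easily as the documents.
$broad = (Get-Acl -Path $BackupRoot).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -match 'Everyone|Authenticated Users|Domain Users|BUILTIN\\Users' -and
    $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl'
}
if ($broad) { Write-Warning "Backup target is writable by ordinary users:`n$($broad | Out-String)" }

# 3. Test restore: copy a random sample out of the latest set and compare SHA-256 hashes
#    with the live copies. Files edited since the backup ran will differ, so a handful of
#    mismatches is normal; a large number means the backup is not usable.
$scratch = Join-Path $env:TEMP ("restoretest-" + (Get-Date -Format yyyyMMddHHmmss))
New-Item -ItemType Directory -Path $scratch | Out-Null
$sample = Get-ChildItem -Path $latest.FullName -File -Recurse | Get-Random -Count $SampleSize
$bad = 0
foreach ($f in $sample) {
    $rel      = $f.FullName.Substring($latest.FullName.Length).TrimStart('\')
    $restored = Join-Path $scratch $rel
    New-Item -ItemType Directory -Path (Split-Path $restored) -Force | Out-Null
    Copy-Item -Path $f.FullName -Destination $restored
    $live = Join-Path $SourceRoot $rel
    if (-not (Test-Path $live)) { continue }   # deleted since the backup ran; not a restore failure
    $h1 = (Get-FileHash -Path $restored -Algorithm SHA256).Hash
    $h2 = (Get-FileHash -Path $live     -Algorithm SHA256).Hash
    if ($h1 -ne $h2) { $bad++; Write-Verbose "Mismatch: $rel" }
}
"Test restore: {0} of {1} sampled files differ from the live copies" -f $bad, $sample.Count
Remove-Item -Path $scratch -Recurse -Force
```

Run it from a scheduled task under a dedicated backup-audit account rather than from an administrator's desktop, and keep the output somewhere the same ransomware cannot reach; a restore test that silently stops running is the failure mode you are trying to catch.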

**User education**

First and foremost, teach your users to be suspicious. Simple things like:

• Did you expect the email?;

• Does the sender’s address look a bit odd?;

• Are there spelling and grammatical errors in the email?; and

• If you do open an attached document, don't click 'Enable Content' to turn on macros, however insistently the document asks; a genuine invoice or delivery notice does not need them.

Keep your users updated to be on the lookout for specific campaigns, such as the recent spate of fake Australia Post parcel tracking emails.

The sophistication of spam has improved enormously, and you can no longer rely on the typical giveaways of poor spelling, odd grammar and stilted English. A well-crafted lure is indistinguishable from the real thing unless you check the sender's actual address and where the links and attachments really lead.
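The checks in the list above can be automated for a helpdesk or mail-admin triage workflow. The following is an added example (not from the original post): one function scores the headers of a message saved as .eml for the sender red flags, and a second inspects an Office attachment saved to disk for a macro project, which is the thing 'Enable Content' would run. The brand list, the header heuristics and the quarantine paths are assumptions for illustration.

```powershell
# Added example: automate the "did you expect it / does the sender look odd / does the
# attachment carry macros" checks. Heuristics and brand list are illustrative assumptions.

function Test-SuspiciousHeaders {
    param([Parameter(Mandatory)][string]$EmlPath)
    $raw     = Get-Content -Path $EmlPath -Raw
    $headers = ($raw -split "`r?`n`r?`n", 2)[0]            # header block ends at the first blank line
    $headers = $headers -replace "`r?`n[ \t]+", ' '       # unfold RFC 5322 continuation lines
    $h = @{}
    foreach ($line in ($headers -split "`r?`n")) {
        if ($line -match '^([\w-]+):\s*(.*)$') { $h[$matches[1].ToLower()] = $matches[2] }
    }
    $flags    = @()
    $domainOf = { param($v) if ($v -match '@([\w.-]+)') { $matches[1].ToLower() } }
    $from     = & $domainOf $h['from']
    $replyTo  = & $domainOf $h['reply-to']
    $retPath  = & $domainOf $h['return-path']

    if ($replyTo -and $replyTo -ne $from) { $flags += "Reply-To domain ($replyTo) differs from From ($from)" }
    if ($retPath -and $retPath -ne $from) { $flags += "Return-Path domain ($retPath) differs from From ($from)" }

    # Display name claims a brand but the address is not on that brand's domain,
    # e.g. "Australia Post" <tracking@some-other-domain.example>
    $brands = @{ 'australia post' = 'auspost.com.au'; 'paypal' = 'paypal.com'; 'microsoft' = 'microsoft.com' }
    foreach ($b in $brands.Keys) {
        if ($from -and $h['from'] -match [regex]::Escape($b) -and $from -notlike "*$($brands[$b])") {
            $flags += "Display name mentions '$b' but the sender domain is $from"
        }
    }
    if ($h['authentication-results'] -match 'spf=(fail|softfail)|dkim=fail|dmarc=fail') {
        $flags += "Authentication-Results reports a failure: $($h['authentication-results'])"
    }
    return $flags      # empty = nothing obviously wrong; not a guarantee the mail is genuine
}

function Test-OfficeAttachment {
    # Modern Office files (.docx/.docm/.xlsx/.xlsm/.pptx/.pptm) are zip archives; a macro
    # project is stored as vbaProject.bin. The zip check is independent of the extension,
    # so a macro document renamed to look harmless is still caught.
    param([Parameter(Mandatory)][string]$Path)
    $name      = [IO.Path]::GetFileName($Path)
    $doubleExt = $name -match '\.(pdf|docx?|xlsx?|jpg|txt)\.(exe|scr|js|jse|vbs|wsf|bat|cmd)$'
    $macroExt  = $name -match '\.(docm|dotm|xlsm|xltm|pptm)$'
    $hasVba    = $null
    try {
        Add-Type -AssemblyName System.IO.Compression.FileSystem
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try   { $hasVba = [bool]($zip.Entries | Where-Object { $_.FullName -like '*vbaProject.bin' }) }
        finally { $zip.Dispose() }
    } catch {
        # Not a zip: a legacy binary .doc/.xls (which can also carry macros) or not Office at all.
        # Leave $hasVba as $null so the caller knows it needs a manual look.
    }
    [pscustomobject]@{ File = $name; DoubleExtension = $doubleExt; MacroExtension = $macroExt; HasVbaProject = $hasVba }
}

# Usage (paths are assumptions):
# Test-SuspiciousHeaders -EmlPath 'C:\Quarantine\parcel-notice.eml'
# Test-OfficeAttachment  -Path    'C:\Quarantine\Invoice.doc'
```

A message that raises any flag, or an attachment that reports HasVbaProject = True or a double extension, is worth a phone call to the apparent sender before anyone opens it; a clean result only means the cheap checks passed.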

Good sources of up-to-date information include the threat updates from security vendors such as Secureworks, and blogs: Naked Security, Threatpost, Krebs on Security and Bruce Schneier are all great sources of information about new threats.

**Don’t give users more login power than they need**

Ransomware running as a user can only encrypt what that user can write to, so make sure your users only have permissions to the network shares they actually need, and only read access where that is all they need. There are a number of tools available to help you unravel a tangled mess of permissions on a network share: SolarWinds offers a free Permissions Analyzer for Active Directory, and paid solutions are available from Varonis, ManageEngine and others.
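Before reaching for a product, the worst cases can be found with the cmdlets already on a Windows file server. The script below is an added example, not part of the original post or any of the tools it names: for every non-administrative share it reports whether a broad group (Everyone, Authenticated Users, Domain Users, local Users) is granted write at both the share level and the NTFS level, which is the combination that lets one infected workstation encrypt the whole share. The list of 'broad' principals is an assumption; add whatever catch-all groups your domain uses.

```powershell
# Added example: list shares that ordinary domain accounts can write to. Effective access
# over SMB is the intersection of the share permission and the NTFS ACL, so both are checked.
$broadPrincipals = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', "$env:USERDOMAIN\Domain Users"
$writeRights     = 'Write|Modify|FullControl|CreateFiles|AppendData|Delete'

Get-SmbShare |
    Where-Object { $_.Path -and $_.Name -notmatch '\$$' } |       # skip IPC$ and admin shares
    ForEach-Object {
        $share = $_
        # Share-level: Full or Change both allow writing
        $shareWrite = Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in 'Full', 'Change' -and
            $_.AccountName -in $broadPrincipals
        }
        # NTFS-level on the share root
        $ntfsWrite = (Get-Acl -Path $share.Path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights.ToString() -match $writeRights -and
            $_.IdentityReference.Value -in $broadPrincipals
        }
        [pscustomobject]@{
            Share          = "\\$env:COMPUTERNAME\$($share.Name)"
            Path           = $share.Path
            ShareWrite     = ($shareWrite.AccountName -join ', ')
            NtfsWrite      = ($ntfsWrite.IdentityReference.Value -join ', ')
            BroadWriteable = [bool]($shareWrite -and $ntfsWrite)
        }
    } |
    Sort-Object BroadWriteable -Descending |
    Format-Table -AutoSize
```

The script only looks at the share root; a share that is locked down at the top but has a writable 'Scans' or 'Public' sub-folder will still be hit there, so run the NTFS part of the check against the first level of sub-folders too once the obvious cases are fixed. Every share that comes back BroadWriteable = True needs either a narrower group or read-only access for most of its users.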

**Application white-listing**

Application white-listing tools such as AppSense (or AppLocker and Software Restriction Policies, which are built into Windows) mean that only approved applications are allowed to run. This technique stops the malware dead: it simply can't run. Application white-listing works a bit like a firewall in that it blocks anything that isn't specifically approved, whereas AV software lets anything run except what it recognises as bad. Because the payload is usually dropped into %APPDATA%, %TEMP% or somewhere else in the user's profile, even a coarse policy that only allows executables and scripts from Program Files and Windows blocks it. Application white-listing looks to be one of the most promising tools in our armoury for dealing with this sort of threat.
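A concrete way to do this with what Windows already ships is AppLocker. The following is an added example (not from the original post and not AppSense's product): it generates publisher rules for signed software and hash rules for anything unsigned from a clean reference build, deploys the policy in audit-only mode so that nothing is blocked while you collect a week of 'would have been blocked' events, and shows the switch to enforcement. AppLocker needs an Enterprise or Education SKU (or Windows Server) and the Application Identity service; the file paths, rule prefix and sample files are assumptions.

```powershell
# Added example: build an AppLocker allow-list from a reference workstation, roll it out
# in audit mode, then enforce. Paths, prefix and sample files are assumptions.
$policyXml = 'C:\AppLocker\standard-desktop.xml'
New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null

# 1. Rules are generated only from the directories a clean build installs software to.
#    Nothing under %APPDATA%, %TEMP% or Downloads is scanned, so a dropped payload has no
#    matching rule and is denied. (Scanning C:\Windows recursively takes a few minutes.)
$files = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows' | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Script, WindowsInstaller
}
$files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix Std -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding utf8

# 2. Audit mode first: every rule collection evaluates and logs (event ID 8003 under
#    Applications and Services Logs > Microsoft > Windows > AppLocker) but nothing is blocked.
[xml]$p = Get-Content -Path $policyXml
foreach ($rc in $p.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$p.Save($policyXml)

# 3. Dry-run the policy against a known-good binary and a sample dropped into %TEMP%
#    (both files must exist; replace with your own samples).
Test-AppLockerPolicy -XmlPolicy $policyXml -User Everyone `
    -Path "$env:ProgramFiles\Microsoft Office\Office15\WINWORD.EXE", "$env:TEMP\sample-dropper.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule

# 4. Apply. The Application Identity service must be running or the policy is ignored;
#    on recent Windows 10 builds its start type can only be changed through Group Policy,
#    so sc.exe is shown here for older clients. For a domain, use
#    Set-AppLockerPolicy -XmlPolicy $policyXml -Ldap 'LDAP://CN={GPO-GUID},CN=Policies,CN=System,DC=example,DC=local'
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyXml

# 5. After a clean audit period, flip the collections to enforcement and re-apply:
#    foreach ($rc in $p.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'Enabled' }
#    $p.Save($policyXml); Set-AppLockerPolicy -XmlPolicy $policyXml
```

Two things bite people in practice. First, the policy above applies to Everyone, administrators included, so add an explicit allow rule for the local Administrators group (or accept that admins are also restricted, which is arguably the point). Second, the DLL collection is deliberately not generated here; enforcing DLL rules is much stronger but generates far more rules and far more support calls, so start with executables, scripts and installers.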

**Advanced threat management techniques**

Use next-gen firewalls that detonate unknown files in a sandbox and block suspicious activity, and endpoint protection that monitors behaviour, such as unexpected bulk encryption or renaming of files, rather than relying on signatures alone. Look at Palo Alto Networks for next-gen firewalls and Trend Micro for endpoint protection.
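You can get a crude version of the 'unexpected encryption activity' alarm on a file server without buying anything. The script below is an added example (not from the original post and not how any of the named products work): it plants a decoy file that sorts first in a share, watches it, and the moment the decoy is modified, renamed or deleted it finds the SMB sessions holding files open in that folder and closes them. The infected workstation loses the share within seconds instead of after it has walked the whole tree. The share path, decoy name and log location are assumptions, and the script must run as a local administrator on the file server.

```powershell
# Added example: decoy-file monitor that cuts off the SMB session doing the encrypting.
# Share root, decoy name and log path are assumptions.
$shareRoot = 'D:\Shares\Finance'
$decoy     = Join-Path $shareRoot '_00_Budget_Master.xlsx'   # sorts first; staff are told never to touch it
$logFile   = 'C:\Logs\canary.log'

if (-not (Test-Path $decoy)) { Set-Content -Path $decoy -Value ('DECOY ' + (Get-Date)) }
New-Item -ItemType Directory -Path (Split-Path $logFile) -Force | Out-Null

$watcher = New-Object System.IO.FileSystemWatcher -ArgumentList $shareRoot, (Split-Path $decoy -Leaf)
$watcher.NotifyFilter        = [System.IO.NotifyFilters]'FileName, LastWrite, Size'
$watcher.EnableRaisingEvents = $true

$onTrip = {
    $e   = $Event.SourceEventArgs
    $log = $Event.MessageData.Log
    Add-Content -Path $log -Value ("{0:s} decoy {1}: {2}" -f (Get-Date), $e.ChangeType, $e.FullPath)

    # Which SMB sessions have files open under this share right now? The infected client
    # usually holds many; legitimate users hold one or two. Locally running backup agents
    # and indexers are not SMB sessions and are not affected.
    $culprits = Get-SmbOpenFile |
        Where-Object { $_.Path -like ($Event.MessageData.Root + '\*') } |
        Group-Object SessionId
    foreach ($c in $culprits) {
        $s = $c.Group[0]
        Add-Content -Path $log -Value ("  closing session {0} from {1} as {2} ({3} open files)" -f
            $s.SessionId, $s.ClientComputerName, $s.ClientUserName, $c.Count)
        Close-SmbSession -SessionId $s.SessionId -Force
        # Optional, needs the ActiveDirectory module: lock the account so it cannot reconnect
        # Disable-ADAccount -Identity (($s.ClientUserName -split '\\')[-1])
    }
}

$data = [pscustomobject]@{ Root = $shareRoot; Log = $logFile }
foreach ($evt in 'Changed', 'Renamed', 'Deleted') {
    Register-ObjectEvent -InputObject $watcher -EventName $evt -SourceIdentifier "Decoy$evt" `
        -Action $onTrip -MessageData $data | Out-Null
}
"Watching $decoy; press Ctrl+C to stop"
while ($true) { Wait-Event -Timeout 60 | Out-Null }
```

Closing sessions is deliberately blunt: a user who opens the decoy out of curiosity gets disconnected and reconnects, which is a cheap false positive against the alternative. Some families rename files rather than overwriting them in place, which is why the Renamed and Deleted events are registered alongside Changed. On Windows Server, File Server Resource Manager file screens that block known ransomware extensions and ransom-note names are a useful second, independent trip-wire.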

**Operating System and application patching**

Malware frequently exploits known security holes, and the malvertising campaigns mentioned above lean on exploit kits that target unpatched browsers and plug-ins, so patch early and patch often. Use Microsoft's tools (WSUS or System Center Configuration Manager) to manage the desktop and server environment. For third-party applications, a tool such as Secunia CSI can help manage patching in complex enterprise environments. As the bulk of vulnerabilities published in 2015 were in Chrome, Flash Player, Adobe AIR, Firefox, Internet Explorer and Adobe Reader, the browser and its plug-ins are exactly what exploit kits aim at, so it's critical to stay on top of application patch management.
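Whatever patching tool you use, you still need an independent way to see which machines are actually running old builds of the applications listed above. The script below is an added example (not from the original post or from Secunia or Microsoft): it reads the installed versions of those applications from the Uninstall registry keys in both the 32-bit and 64-bit views and compares them with a minimum version you maintain from the vendors' advisories. The minimum versions shown are placeholders, not current advisories, and the product names are the display names as they appeared at the time of writing.

```powershell
# Added example: inventory of the browser/plug-in versions installed on this host versus
# a minimum you maintain. Thresholds are placeholders; replace them from vendor advisories.
# Run against many hosts with Invoke-Command -ComputerName ... -FilePath this.ps1
$minimum = @{
    'Google Chrome'       = '49.0'     # placeholder
    'Adobe Flash Player'  = '21.0'     # placeholder
    'Mozilla Firefox'     = '45.0'     # placeholder
    'Adobe Reader'        = '11.0'     # placeholder
    'Adobe AIR'           = '21.0'     # placeholder
}

$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -and $_.DisplayVersion }

foreach ($name in $minimum.Keys) {
    foreach ($app in ($installed | Where-Object { $_.DisplayName -like "$name*" })) {
        # Keep only the leading dotted number so [version] can parse it ("45.0 (x86 en-US)" -> "45.0")
        $clean = ($app.DisplayVersion -replace '[^\d.].*$') -replace '\.$'
        try   { $v = [version]$clean } catch { $v = $null }   # odd version strings: report, don't crash
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Product   = $app.DisplayName
            Installed = $app.DisplayVersion
            Minimum   = $minimum[$name]
            OutOfDate = if ($v) { $v -lt [version]$minimum[$name] } else { 'unknown' }
        }
    }
}

# Most recent OS update, for the same report
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1 HotFixID, InstalledOn
```

A row with OutOfDate = True on a machine that your patch management console says is compliant is the interesting case: it usually means a per-user install in the profile (Chrome and Flash both do this) that the enterprise tool never saw.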

**If you do get hit:**

  • Disconnect from the network immediately so you don't risk encrypting all your network shares: unplug the Ethernet cable and turn off wireless;
  • If encryption is still running and you can't stop the process, kill the power to the affected PC or server. Be aware that this destroys whatever was in memory, which an incident responder may want, so isolate first and power off second;
  • You may be able to recover some files from Previous Versions or System Restore if the malware didn't delete the shadow copies, but, as noted above, most current variants do;
  • Restore from backups; and
  • Don't pay the ransom. It simply encourages the perpetrators, and there is no guarantee the decryptor you are sold will work.
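The first few minutes after a hit come down to two questions: which machine and account is doing the encrypting, and how far has it got? The commands below are an added example (not from the original post) of answering them. Part A runs at the console of the suspect workstation and isolates it without powering it off; part B runs on the file server, where the NTFS owner of the ransom notes identifies the infected account, because the malware creates them under the user it runs as. The share path and the ransom-note patterns are assumptions; every family uses its own note names and extensions, so put in the ones you are looking at.

```powershell
# Added example: first-response triage. Part A on the workstation, part B on the file server.
# Share root and note-name patterns are assumptions.

# --- A. Workstation: isolate it, keep it running, record what is executing ---
# This drops every adapter, including the one carrying any remote session, so run it locally.
Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
# Anything running from outside Windows and Program Files is worth noting before the box is touched.
Get-Process | Where-Object {
    $_.Path -and $_.Path -notlike "$env:SystemRoot\*" -and $_.Path -notlike "$env:ProgramFiles*"
} | Select-Object Id, ProcessName, Path, StartTime | Format-Table -AutoSize

# --- B. File server: which account is encrypting, and what has been hit ---
$shareRoot = 'D:\Shares'
$notePatterns = '*HELP_DECRYPT*', '*_Locky_recover*', '*DECRYPT_INSTRUCTION*'   # assumed patterns
$since = (Get-Date).AddHours(-6)

# The ransom notes are created by the infected user's account, so their owner names the culprit.
$notes = Get-ChildItem -Path $shareRoot -Recurse -File -Include $notePatterns -ErrorAction SilentlyContinue
$byOwner = $notes | Get-Acl | Group-Object Owner | Sort-Object Count -Descending
$byOwner | Select-Object Name, Count

# Scope of damage: what changed since the outbreak, by extension, so you know what to restore.
Get-ChildItem -Path $shareRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object LastWriteTime -gt $since |
    Group-Object Extension | Sort-Object Count -Descending | Select-Object -First 10 Name, Count

# Cut the offending account off the server and lock it, then start the restore.
$owner = ($byOwner | Select-Object -First 1).Name
if ($owner) {
    Get-SmbSession | Where-Object ClientUserName -eq $owner | Close-SmbSession -Force
    # Disable-ADAccount -Identity (($owner -split '\\')[-1])   # needs the ActiveDirectory module
}
```

Do the restore into a clean location and compare a sample of restored files against the list of changed extensions above before reconnecting anyone; restoring over the top while the infected account still has a live session just gets the restored files encrypted again.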

**You should also note:**

  • User education is key!;
  • Check your backups and fix them if they're not completing within twelve hours;
  • Make sure your backups go to an independent platform, be it Cloud, disk or tape;
  • Don't rely on snapshots as backups;
  • Review user permissions to network shares;
  • Invest in next-gen firewalls and keep up-to-date with modern AV products;
  • Application white-listing can stop the ransomware dead;
  • Run a security audit; and
  • Patch early, patch often.

TD can help with backup assessments, security assessments, application whitelisting, patch management and any of the areas discussed in this post.

Please get in touch with your TD account manager or call TD on (03) 8420 0100 to find out more. Alternatively, you can contact us via our page at http://www.thomasduryea.com.au/contact/

If you have any questions or comments for me, I can be contacted at dmeyers@td.com.au