
The comprehensive guide to
RANSOMWARE PROTECTION

EDUCATION, TIPS AND TOOLS FOR THE CONCERNED IT MANAGER

© 2018 Invenio IT

TABLE OF CONTENTS

1: Introduction
2: Overview of Ransomware
3: Common Types of Ransomware
4: Ransomware Protection: Prevention, Mitigation and Recovery
5: Conclusion

INTRODUCTION

CHAPTER ONE

INTRODUCTION

In a 2017 survey of more than 1,700 managed-service providers (MSPs), 86% said their clients had recently suffered a ransomware attack. And a whopping 99% predicted that attacks will worsen over the next two years. Now more than ever, it's critical that IT managers have the fundamental ransomware education they need to fend off attacks.

In this guide, you'll learn everything you've ever wanted to know about ransomware, including:

• Overview of Ransomware
• Common Types of Ransomware
• Ransomware Protection: Prevention, Mitigation and Recovery


Overview of Ransomware

CHAPTER TWO

WHAT IS RANSOMWARE?

Ransomware can take different forms, but at its core it is a type of malware that denies access to a device or files until a ransom has been paid. Ransomware encrypts your employees' or corporate files and forces you to pay a fee to the hacker in order to regain access to those files.

Ransomware encrypts the files on a workstation, and can travel across your network and encrypt files located on mapped and unmapped network drives. That is how one infected user can bring a department or an entire organization to a halt.

Once the files are encrypted, the hackers will display a screen or web page explaining how to pay to unlock the files. Historically, ransoms started in the $300-$500 range, but fast forward and even small companies are being hit with ransoms in the thousands of dollars.

Paying the ransom invariably involves paying in a form of e-currency (cryptocurrency) like Bitcoin. Once the hackers verify payment, they provide "decryptor" software, and the computer starts the arduous process of decrypting all of the files.


RANSOMWARE TODAY

There are a few dominant types, or families, of ransomware in existence. Each type has its own variants. It is expected that new families will continue to surface as time goes on. Historically, Microsoft Office, Adobe PDF and image files have been targeted, but McAfee predicts that additional types of files will become targets as ransomware continues to evolve.

Most ransomware uses the AES algorithm to encrypt files, though some use alternative algorithms. To decrypt files, cyber extortionists typically request payment in the form of Bitcoins or online payment voucher services, such as Ukash or Paysafecard. The standard rate is about $500, though we've seen much higher. Cybercriminals behind ransomware campaigns typically focus their attacks on wealthy countries and cities where people and businesses can afford to pay the ransom. In recent months, we've seen repeated attacks on specific verticals, most notably healthcare.


HOW RANSOMWARE SPREADS

PHISHING ATTACKS

Spam is the most common method for distributing ransomware. It is generally spread using some form of social engineering; victims are tricked into downloading an e-mail attachment or clicking a link. Fake email messages might appear to be a note from a friend or colleague asking a user to check out an attached file, for example. Or, email might come from a trusted institution (such as a bank) asking you to perform a routine task. Sometimes, ransomware uses scare tactics, such as claiming that the computer has been used for illegal activities, to coerce victims. Once the user takes action, the malware installs itself on the system and begins encrypting files. It can happen in the blink of an eye with a single click.


DRIVE-BY DOWNLOAD

Another common method for spreading ransomware is a software package known as an exploit kit. These packages are designed to identify vulnerabilities and exploit them to install ransomware. In this type of attack, hackers install code on a legitimate website that redirects computer users to a malicious site. Unlike the spam method, this approach sometimes requires no additional actions from the victim. This is referred to as a "drive-by download" attack.

The most common exploit kit in use today is known as Angler. A May 2015 study conducted by security software vendor Sophos showed that thousands of new web pages running Angler are created every day. The Angler exploit kit uses HTML and JavaScript to identify the victim's browser and installed plugins, which allows the hacker to select the attack that is most likely to be successful. Using a variety of obfuscation techniques, Angler is constantly evolving to evade detection by security software products. Angler is just one exploit kit; there are a variety of others in use.

FREE SOFTWARE

Another way to infect a user's machine is to offer free software. This comes in many flavors, such as "cracked" versions of expensive games or software, free games, game "mods", adult content, screensavers or bogus software advertised as a way to cheat in online games or get around a website's paywall. By preying on the user in this way, the hackers can bypass any firewall or email filter. For example, one ransomware attack exploited the popularity of the game Minecraft by offering a "mod" to players of Minecraft. When users installed it, the software also installed a sleeper version of ransomware that activated weeks later.


RANSOMWARE-AS-A-SERVICE

Spam botnets and exploit kits are relatively easy to use, but require some level of technical proficiency. However, there are also options available for aspiring hackers with minimal computer skills. According to McAfee, there are ransomware-as-a-service offerings hosted on the Tor network, allowing just about anyone to conduct these types of attacks.


It's not a matter of if, but when you're going to get hit.

- Lance James, Chief Scientist at Flashpoint

Common Types of Ransomware

CHAPTER THREE

COMMON TYPES OF RANSOMWARE

Ransomware is constantly evolving and new variants are appearing all the time. So, it's difficult, if not impossible, to compile a list of every type of ransomware proliferating today. While the following is not a complete list of today's ransomware, it gives a sense of the major players and the variety in existence.


CryptoLocker

Ransomware has been around in some form or another for the past two decades, but it really came to prominence in 2013 with CryptoLocker. The original CryptoLocker botnet was shut down in May 2014, but not before the hackers behind it extorted nearly $3 million from victims. Since then, the CryptoLocker approach has been widely copied, although the variants in operation today are not directly linked to the original. The word CryptoLocker, much like Xerox and Kleenex in their respective worlds, has become almost synonymous with ransomware.

CryptoLocker is distributed via exploit kits and spam. When the malware is run, it installs itself in the Windows User Profiles folder and encrypts files across local hard drives and mapped network drives. It only encrypts files with specific extensions, including Microsoft Office, OpenDocument, image and AutoCAD files. Once the dirty work is done, a message informing the user that files have been encrypted is displayed on said user's screen, demanding a Bitcoin payment.

CryptoWall

CryptoWall gained notoriety after the downfall of the original CryptoLocker. It first appeared in early 2014, and variants have appeared with a variety of names, including Cryptorbit, CryptoDefense, CryptoWall 2.0 and CryptoWall 3.0, among others. Like CryptoLocker, CryptoWall is distributed via spam or exploit kits. The initial version of CryptoWall used an RSA public encryption key, but later versions use a private AES key, which is further masked using a public AES key. When the malware attachment is opened, the CryptoWall binary copies itself into the Microsoft temp folder and begins to encode files. CryptoWall encrypts a wider variety of file types than CryptoLocker but, when encryption is complete, also displays a ransom message on a user's screen demanding payment.


CTB-Locker

The criminals behind CTB-Locker take a different approach to virus distribution. Taking a page from the playbooks of Girl Scout Cookies and Mary Kay Cosmetics, these hackers outsource the infection process to partners in exchange for a cut of the profits. This is a proven strategy for achieving large volumes of malware infections at a faster rate.

When CTB-Locker runs, it copies itself to the Microsoft temp directory. Unlike most forms of ransomware today, CTB-Locker uses Elliptic Curve Cryptography (ECC) to encrypt files. CTB-Locker impacts more file types than CryptoLocker. Once files are encrypted, CTB-Locker displays a ransom message demanding payment in, you guessed it, Bitcoins.

Locky

Locky is a relatively new type of ransomware, but its approach is familiar. The malware is spread using spam, typically in the form of an email message disguised as an invoice. When opened, the invoice is scrambled, and the victim is instructed to enable macros to read the document. When macros are enabled, Locky begins encrypting a large array of file types using AES encryption. A Bitcoin ransom is demanded when encryption is complete. Are you sensing a pattern here?

The spam campaigns spreading Locky are operating on a massive scale. One company reported blocking five million emails associated with Locky campaigns over the course of two days.


TeslaCrypt

TeslaCrypt is another new type of ransomware on the scene. Like most of the other examples here, it uses an AES algorithm to encrypt files. It is typically distributed via the Angler exploit kit, specifically attacking Adobe vulnerabilities. Once a vulnerability is exploited, TeslaCrypt installs itself in the Microsoft temp folder. When the time comes for victims to pay up, TeslaCrypt gives a few choices for payment: Bitcoin, PaySafeCard and Ukash are accepted here. And who doesn't love options?

TorrentLocker

TorrentLocker is typically distributed through spam email campaigns and is geographically targeted, with email messages delivered to specific regions. TorrentLocker is often referred to as CryptoLocker, and it uses an AES algorithm to encrypt file types. In addition to encoding files, it also collects email addresses from the victim's address book to spread malware beyond the initially infected computer/network; this is unique to TorrentLocker.

TorrentLocker uses a technique called process hollowing, in which a Windows system process is launched in a suspended state, malicious code is installed, and the process is resumed. It uses explorer.exe for process hollowing. This malware also deletes Microsoft Volume Shadow Copies to prevent restores using Windows file recovery tools. Bitcoin is the preferred currency for ransom payment.

KeRanger

According to Ars Technica, KeRanger ransomware was recently discovered on a popular BitTorrent client. KeRanger is not widely distributed at this point, but it is worth noting because it is known as the first fully functioning ransomware designed to lock Mac OS X applications.


Ransom32

Ransom32 is a variety of "ransomware-as-a-service" that effectively puts the power to create ransomware into the hands of just about anyone, regardless of their technical know-how. What makes Ransom32 really dangerous is that it is coded entirely using JavaScript, which means it can be used to target computers running Windows, Mac OS X and Linux.


RANSOMWARE PROTECTION: prevention, mitigation & recovery

CHAPTER FOUR

RANSOMWARE PROTECTION

Cybercriminals armed with ransomware are a formidable adversary. While small-to-mid-sized businesses aren't specifically targeted in ransomware campaigns, they may be more likely to suffer an attack. Frequently, small business IT teams are stretched thin and, in some cases, rely on outdated technology due to budgetary constraints. This is the perfect storm for ransomware vulnerability. This section will provide the tips and tools necessary to prevent, mitigate and recover from an attack.


Security software is essential; however, you can't rely on it alone. A proper ransomware protection strategy requires a three-pronged approach, comprising education, security and backup/recovery.

- Dale Shulmistra, Business Continuity Strategist, Invenio IT

RANSOMWARE PREVENTION

1) Train employees on what to look for. Most ransomware infections are primarily caused by good old-fashioned human error. Somebody opens a spam email, clicks a bad link, opens a malicious attachment, and so on. Phishing emails can be very deceiving, especially to an untrained eye. Implement an ongoing ransomware education program that trains staff how to spot malicious emails and how to practice safe Internet usage.

2) Use good anti-malware software. Obvious, right? But it's always worth repeating: you should be using strong anti-malware/antivirus protection across your organization as a first line of defense against ransomware and other cyberattacks. That being said, there's no guarantee the software will stop a ransomware infection. 94% of surveyed IT professionals said their clients were using antivirus software when they were successfully attacked. Compare software options carefully, and look for solutions that are designed specifically to spot known ransomware strains.

3) Implement strong spam filters. Strong spam filtering will prevent the vast majority of ransomware emails from reaching inboxes. You have numerous options for configuring such filters: through your server, email client, firewall appliance, add-on software and so on.

4) Authenticate inbound emails. The more filtering, the better. The FBI's Cyber Task Forces recommend that you authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC) and DomainKeys Identified Mail (DKIM) to weed out bad messages and prevent email spoofing.

5) Filter executable files. Aside from suspected spam, you should also be scanning inbound and outbound emails for executable files. If you need to set permissions for select email accounts, that's fine.


6) Block known malicious IPs. When any kind of data attempts to come into your network from an IP address that's known for sending malware, it should be blocked. Configure your firewall to block all access to those known IP addresses. Some firewall solutions update blocklists automatically, or you can add them manually.

7) Patch and update constantly. Last summer's WannaCry outbreak revealed that thousands of companies' operating systems were embarrassingly out of date. WannaCry exploited known vulnerabilities in Windows, for which patches had been available long before. These infections could have been prevented with automatic Windows updates. But it's not just operating systems you need to be concerned about. IT managers should be patching all software and firmware used by the business as soon as updates become available. A centralized patch management system can help to streamline and automate those patches across the organization.

8) Set account privileges and access controls. When an infection occurs, it locks up data on the user's computer and then spreads outward, attempting to reach as many other files, folders and machines on the network as it can. You can minimize that outward spread by placing restrictions on account privileges. Theoretically, if the user can't access a sensitive folder of data, the ransomware shouldn't be able to either. Apply the principle of least privilege: limit each user's access to only the destinations they require for their job, and restrict administrative access to those who need it.

9) Disable macro scripts from files sent via email. One bad file attachment can take down the whole business. Phishing emails will often contain attachments of Word docs, PDFs and spreadsheets, labeled as "invoices," "receipts" and other files that look authentic to staff. Attachment previewers, which disable active content like scripts and macros, help ensure that staff can verify the contents and authenticity of suspicious attachments without fully opening them. Email clients like Outlook have preview options built in, but third-party previewers are also available.
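Points 4, 5 and 9 above describe what an inbound-mail gateway should check before a message reaches an inbox. The Python script below is an added example, not part of this guide or of any product it mentions: it reads the SPF/DKIM/DMARC verdicts that your own gateway recorded in the Authentication-Results header, holds attachments with executable or macro-enabled extensions, and catches a renamed Windows executable by its MZ header. The domains, file names and the list of held extensions are assumptions made for the demonstration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# File types that have no business arriving by e-mail (prevention point 5).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1", "msi", "dll"}
# Office formats that can carry VBA macros (prevention point 9).
MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "pptm", "potm"}
PE_MAGIC = b"MZ"  # every Windows executable begins with this DOS header


def auth_failures(msg: EmailMessage) -> list:
    """SPF/DKIM/DMARC methods that did not pass (prevention point 4).
    Trust only the header your own gateway wrote; strip inbound copies first."""
    header = str(msg.get("Authentication-Results", ""))
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I))
    bad = {"fail", "softfail", "permerror", "temperror"}
    return sorted(m.lower() for m, v in verdicts.items() if v.lower() in bad)


def attachment_findings(msg: EmailMessage) -> list:
    """(filename, reason) pairs for attachments that should be held."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            findings.append((name, "executable extension"))
        elif data.startswith(PE_MAGIC):
            # Magic bytes catch a binary renamed to look like a document.
            findings.append((name, "PE header under a non-executable name"))
        if ext in MACRO_EXTS:
            findings.append((name, "macro-enabled Office document"))
    return findings


def quarantine_reasons(raw: bytes) -> list:
    """Every reason the message should be held, or an empty list."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = [f"authentication failed: {m}" for m in auth_failures(msg)]
    reasons += [f"{name}: {why}" for name, why in attachment_findings(msg)]
    return reasons


def build_sample() -> bytes:
    """Constructed message (not a real capture): failing SPF and DMARC, a PE
    binary behind a double extension, a renamed binary and a macro-enabled doc."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "staff@example.net"
    msg["Subject"] = "Invoice attached"
    msg["Authentication-Results"] = ("mx.example.net; spf=fail smtp.mailfrom=example.com; "
                                     "dkim=none; dmarc=fail header.from=example.com")
    msg.set_content("Please see the attached invoice.")
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60  # fake DOS header, not a real program
    msg.add_attachment(pe_stub, maintype="application", subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(pe_stub, maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 32, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="receipt.docm")
    msg.add_attachment("Meeting notes.", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in quarantine_reasons(build_sample()):
        print("HOLD:", reason)
```

A gateway that applies this logic should also drop any Authentication-Results header that arrives from outside, since the check only means something when the verdicts were written by your own server.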


10) Use software restriction policies and controls. IT managers should be setting controls over which programs can run on local computers and/or how they're executed. Software restriction policies (SRP), within Windows for example, will allow you to automatically enforce an approved list of software, effectively denying all other applications from being able to execute. If you need looser restrictions, you can apply a more granular approach. For example, the FBI recommends setting controls that "prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs, including the AppData/LocalAppData folder."

11) Disable Windows Remote Desktop Protocol (RDP). Don't need it? Disable it. Last November, businesses saw a flood of new ransomware attacks that leveraged Remote Desktop Protocol to break into machines, one at a time, and then lay the groundwork for a ransomware infection. Part of the problem in these cases was weak RDP passwords, which were easily broken by tools like NLBrute. Creating stronger passwords is a good start. But even better, IT managers should disable RDP on every machine, and enable it only temporarily if/when remoting is needed.

12) Categorize and separate data. This is especially important for larger organizations that have sprawling networks across multiple locations. Beyond the mere user access controls mentioned above, you need to think strategically about how and where your data is stored and accessed, and by whom. As the FBI Cyber Task Force advises, you should be categorizing data based on organizational value, and implementing "physical and logical separation of networks and data for different organizational units." If someone in your San Francisco marketing office unwittingly opens a ransomware-infected email attachment, why should that affect the critical data used by your accounting team in New York? You need to approach your infrastructure strategically, separating stored data in a way that makes it harder for ransomware to spread and disrupt your entire organization.


13) Back up your data. Backing up your data won't necessarily prevent ransomware (although it can: see #14 below), but it is arguably the most critical preventative step on this list. If an attack occurs, your only option is usually to restore a backup from before the infection occurred. When all other preventative methods fail, your data backups are what will prevent your business from losing everything in a ransomware attack.

14) Consider backup technologies with built-in ransomware protection. Data backup technologies from Datto have built-in ransomware detection as an extra line of defense against infection. The appliance actively looks for common signs of a ransomware footprint (for example, large amounts of file content being suddenly overwritten with random data). When an infection is detected, administrators are immediately notified, so they can roll back to clean data and significantly minimize the disruption.
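The footprint point 14 describes, many readable files suddenly turning into random-looking bytes, can be checked for by comparing per-file entropy between two backup snapshots. The Python script below is an added example, not Datto's or Invenio IT's detection logic: it assumes a backup job keeps a map of file entropies from its previous run, flags files that flipped from readable to random-looking, and raises an alert when a fifth of them did. The directory contents, the 7.5 bits-per-byte threshold and the 20% ratio are assumptions made for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

HIGH_ENTROPY = 7.5    # bits per byte; encrypted or compressed data sits near 8.0
MAX_SAMPLE = 1 << 20  # read at most 1 MiB per file when measuring


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: Path) -> dict:
    """Map each regular file under root to its entropy (the baseline a backup job keeps)."""
    result = {}
    for p in root.rglob("*"):
        if p.is_file():
            with open(p, "rb") as fh:
                result[str(p.relative_to(root))] = shannon_entropy(fh.read(MAX_SAMPLE))
    return result


def suspicious_changes(before: dict, after: dict) -> list:
    """Files that were readable in the baseline and now look like random data."""
    return sorted(f for f, e in after.items()
                  if f in before and before[f] < HIGH_ENTROPY and e >= HIGH_ENTROPY)


def ransomware_suspected(before: dict, after: dict, ratio: float = 0.2) -> bool:
    """Alert when at least `ratio` of the previously readable files flipped."""
    readable = [f for f, e in before.items() if e < HIGH_ENTROPY]
    if not readable:
        return False
    return len(suspicious_changes(before, after)) / len(readable) >= ratio


def demo() -> tuple:
    """Constructed scenario: ten text reports, six then overwritten with random bytes
    (os.urandom stands in for encrypted output; nothing here encrypts anything)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for i in range(10):
            (root / f"report{i}.txt").write_text("quarterly figures\n" * 200)
        before = snapshot(root)
        for i in range(6):
            (root / f"report{i}.txt").write_bytes(os.urandom(4096))
        after = snapshot(root)
        return ransomware_suspected(before, after), suspicious_changes(before, after)


if __name__ == "__main__":
    alert, files = demo()
    print("ransomware suspected:", alert, "flipped files:", files)
```

Ransomware usually also renames what it encrypts, so a real job should match renamed paths against the baseline rather than only unchanged names; the entropy rule alone will also fire on a legitimate bulk compression or encryption job, which is why the alert goes to an administrator rather than triggering an automatic rollback.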


RANSOMWARE MITIGATION

If you've been infected with ransomware, there are still steps you can take to mitigate the impact. Here's how to contain the infection and regain control before things turn catastrophic.

1) Isolate the infected machine. Remove the infected computer from the network immediately. This will help to prevent the infection from spreading to other machines. We've seen some companies now including this step as part of their employee ransomware education: if a ransomware attack becomes evident on the user's computer, they are advised to disconnect the network cable from their computer immediately. Not a bad idea.

2) Isolate and/or shut down unaffected or partially infected devices. When in doubt, shut it all down. Yes, a network-wide shutdown will significantly disrupt operations. But it could drastically shorten the overall length of the disruption. Powering down machines that haven't been completely infected will afford time to contain damage and recover data before things get worse. Particularly on large networks, you need to know where the infection has spread before you recover. Otherwise, your recovered data could be re-infected all over again.

3) Delete registry values and files. With affected machines isolated, you can attempt to identify (and delete) newly created or edited registry files and values, which should prevent the malicious program from executing.

4) Give the FBI a call. Yes, really. For reporting purposes alone, businesses are strongly advised to contact the authorities (ideally your local FBI field office) about every ransomware attack, even if you have already resolved the problem. But also, the FBI stresses that law enforcement may be able to use advanced tools to unlock encrypted data that are unavailable to most organizations.


RANSOMWARE REMOVAL

1) Restore a backup from before the infection occurred. Once you've identified exactly where and when the infection occurred, it's time to get your data back! Choose a clean recovery point from before the attack. This will restore your data and—poof—the threat will be effectively removed at the same time.


2) Change all passwords. As an added safety measure, all account and system passwords should be changed at least once during the mitigation and recovery process, if feasible. The FBI's experts advise: "Change all online account passwords and network passwords after removing the system from the network. Furthermore, change all system passwords once the malware is removed from the system."

CONCLUSION

CHAPTER FIVE

CONCLUSION: Education + The Right Tech = Total Business Continuity

Cyber extortionists using ransomware are a definite threat to today's businesses, from the local pizza shop to the Fortune 500. However, a little bit of education and the right solutions go a long way. Make sure your employees understand what to watch out for and you can avoid a lot of headaches. Never underestimate the dedication or expertise of today's hackers. They are constantly adapting and improving their weapon of choice. That's why you need top-notch security software and backup. Keep your business safe and give your nerves a break.

To sum it all up, spreading knowledge and using security software can help you avoid cyberattacks. Patch management is essential. Be certain that your software is up-to-date and secure. In the end, it is backup that will help you pick up the pieces when all else fails. Consider using a modern backup product that offers features that can permanently eliminate downtime.


About Invenio IT

Invenio IT is an award-winning industry leader in data protection and IT security, with a specialization in business continuity solutions. The firm provides IT service and counsel to clients throughout Europe, the United States and the Caribbean. Invenio IT is a Datto Blue partner, a distinction reserved for only the top 5% of partners worldwide. Invenio IT is also recognized as Datto's most innovative partner for their integrated approach to business continuity.


DON’T PUT YOUR BUSINESS AT RISK

Protect your data and get VIP support from a top-tier partner today.

Invenio IT is a top-tier Datto Blue partner, which means we are one of their top partners worldwide.

As a result of our status with Datto, we receive additional training certifications as well as VIP support that helps us provide the best service to our clients. Want to learn more about us? Let's chat.
