What is Ransomware?

Ransomware is a sophisticated piece of Malware.  Once your machine is infected, Ransomware encrypts the files on a system’s hard drive using an unbreakable key,  typically an RSA-2048 encryption, and is virtually impossible to decrypt. The only way to  reclaim the files is to pay the attacker. Once the ransom is paid, typically using an online currency such as Bitcoin, a key is given to decrypt the files. At least that is how it is supposed to go. The growth of ransomware over the past few years has driven the security industry to create standalone and “bolt-on” tools that purport to block threats. In reality, very few are 100% bulletproof, due to the changing nature of the threat itself.

How is the Ransomware payload delivered?

Like the first viruses and Trojans, most ransomware is delivered via email. Jens Monrad, systems engineer at FireEye, confirms that it is typically delivered via email opportunistically with typical themes involving shipping notices from delivery companies. Unlike other threats, featuring emailed pleas from the treasury agent in Nigeria, for example, the content of recent ransomware  emails have been targeted by locale, language and look much more legitimate. Jens said that “While the majority of ransomware attacks still happen opportunistically, we often see them being ‘localized’ so they fit into the targeting countries.” Another method of attack is through the use of random mass-emails. Mark James, a security specialist at ESET, says that the intention is to infect as many machines as possible to maximize the chances of getting  a hit. The third method of infection is the drive-by-downloadattack in which the payload is delivered from a compromised website. Although the problem is well known, avoiding infection is half of the battle, while knowing what to do once your computer is infected is the other half.

Prevention is Key

To protect your file, you will need a layered solution, including some old school, but very valid advice; backup, backup, backup and backup! Tapwire posted great lists of 22 things you can do to protect yourself from this threat. It is such a good list that I am including it here:

1. First and foremost, be sure to back up your most important files on a regular basis.
2. Personalize your anti-spam settings the right way.
3. Refrain from opening attachments that look suspicious..
4. Think twice before clicking.
5. The Show File Extensions feature can thwart ransomware plagues, as well.
6. Patch and keep your operating system, antivirus, browsers, Adobe Flash Player, Java, and other software up-to-date.
7. In the event a suspicious process is spotted on your computer, instantly turn off the Internet connection.
8. Think of disabling vssaexe (Volume Shadow Copy Service).
9. Keep the Windows Firewall turned on and properly configured at all times.
10. Enhance your protection more by setting up additional Firewall protection.
11. Adjust your security software to scan compressed or archived files, if this feature is available.
12. Disabling Windows Script Host could be an efficient preventive measure, as well.
13. Consider disabling Windows PowerShell, which is a task automation framework.
14. Enhance the security of your Microsoft Office components (Word, Excel, PowerPoint, Access, etc.).
15. Install a browser add-on to block popups as they can also pose an entry point for ransom Trojan attacks.
16. Use strong passwords that cannot be brute-forced by remote criminals.
17. Deactivate AutoPlay.
18. Make sure you disable file sharing.
19. Think of disabling remote services.
20. Switch off unused wireless connections, such as Bluetooth or infrared ports.
21. Define Software Restriction Policies that keep executable files from running when they are in specific locations in the system.
22. Block known-malicious Tor IP addresses.

Again, Your Best Defense: Backup, Backup, Backup

For now, the best solution is fairly simple. Backup early and often! Consumers and small businesses with a good backup process will be able to recover much of the data encrypted by the attackers. Larger companies who are doing backups on premise should make sure they can recover an image of the data for months in the past and keep multiple copies. Any backups made between the time of infection and when the attack is detected will be encrypted, and thus unrecoverable without paying the ransom. Backups with automatic incremental backups can be a great help and at the very least, companies should be keeping at least one set of backups offsite.

Other Considerations

You may also defend your system by installing a firewall. Most ransomware reaches out to get an encryption key from an online server somewhere in the world. Detecting and blocking that request can prevent the encryption of the data. This can be done by limiting connections through your firewall to only what is really needed. Using Geo-Locate tools to prevent connections to certain countries can help too. Having a “layered approach to security” should be taken seriously. Fred Touchette, manager of security research at AppRiver, an email and web security firm, says the best way to protect against a virus is to set up defenses to ensure you never receive a virus in the first place. Having a layered approach means using technologies such as anti-virus, web filtering and firewalls. In addition, installing patches and being up to date remains one of the best forms of security. FireEye’s Jens Monrad says that as most ransomware compromises are still more opportunistically driven than targeted, the delivery of the ransomware payload usually take advantage of some known vulnerability rather than using a zero-day.

Breaking Tech Practices

The purpose of this article is to make you aware of the best tech practices to keep you and your data safe. Keeping an eye on the mix of patches, appliances and software used for protecting your data, while also keeping backups of that data is something that will pay dividends should you have a problem with an infection on your computer or your enterprise. If you have questions or comments about this article, contact me.