Tuesday, August 27, 2019

Ransomware



Ransomware is not new and it’s not a single thing. It’s a class of malware characterized by holding your data hostage until a “ransom” has been paid. Your data continues to reside on your drive but has been encrypted by the attacker. Your computer’s operating system continues to work, and a ransom-note file is left for you to read about how to pay off the attacker, but all your personal files are unreadable because they have been encrypted. The decryption key, which will decrypt the files and make them readable again, is then sold to the victim, who can regain access to his files by running the decryption software. (In some cases, the criminals are really mean, take the money, and don’t even provide the decryption key.) Individuals may pay $50 to $500 in ransom and institutions often pay hundreds of thousands of dollars. The risk from ransomware is so great that there are even business insurance policies that specifically cover it. Such insurance policies are now starting to come with clauses stating that the policyholder has to prove that they have taken basic security precautions if they are to be compensated.

Ransomware typically gets on the victim’s computer via a malicious web link. (See diagram on the next page.) The link is usually in an email message, but it might come in via SMS or via some social media app. The key element is that the user believes they are clicking on something useful, such as information about an abuse of their bank account, but is actually downloading a malicious app. The app starts a process of encrypting all the data on the computer, then all the data the computer can reach on the local network, and then it attempts to compromise other systems on the network. Once the encryption has been completed, the user often sees some sort of message demanding payment. In some cases, there is a time limit of a day or two. After that time period, the ransom increases or the decryption key is no longer offered. The ransomers want to keep their targets in a constant state of panic.

Sometimes, it is possible to know that a system is being taken over. If the computer becomes very slow or you hear the hard drive constantly working, that might be a first sign that the drive is being encrypted. Second, data files or applications may stop working. If you spot ransomware in the process of encrypting the drive, turn off the computer immediately and call for technical help.
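A more reliable sign than a busy hard drive is the data itself: files that ransomware has already encrypted look like random bytes, whereas ordinary documents do not. The following script is an added example, not code from the original post, that scores files by Shannon entropy and flags the ones that look encrypted. The sample files, the threshold of 7.5 bits per byte, and the list of file types that are high-entropy by nature (compressed images and archives) are all assumptions chosen for illustration.

```python
import math
import os
from collections import Counter
from typing import Iterable, List, Tuple

# Bits of entropy per byte above which a file is treated as probably encrypted.
# Plain text is typically 4-5 bits/byte; ciphertext and random data approach 8.0.
ENTROPY_THRESHOLD = 7.5

# File types that are compressed or encrypted by design, so high entropy is
# expected and not a sign of ransomware (assumed list, extend as needed).
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}

# Very small files give unreliable entropy estimates, so they are skipped.
MIN_SIZE = 64


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """True if a file that should contain structured data looks like ciphertext."""
    ext = os.path.splitext(name)[1].lower()
    if ext in HIGH_ENTROPY_OK:
        return False
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD


def scan(files: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Return the names of files that look encrypted, in the order given."""
    return [name for name, data in files if looks_encrypted(name, data)]


# Constructed sample inputs (name, content); no files are read from disk.
SAMPLE_FILES = [
    ("notes.txt", b"Meeting moved to Thursday. Bring the budget spreadsheet.\n" * 4),
    # Stand-in for ciphertext: every byte value equally often gives exactly 8.0 bits/byte.
    ("notes.txt.locked", bytes(range(256)) * 4),
    # Same bytes, but a JPEG is expected to be high-entropy, so it is not flagged.
    ("photo.jpg", bytes(range(256)) * 4),
]

if __name__ == "__main__":
    for name, data in SAMPLE_FILES:
        print(f"{name:20s} {shannon_entropy(data):.2f} bits/byte")
    print("suspicious:", scan(SAMPLE_FILES))
```

Pointed at a real share, `scan()` would take `(path, open(path, "rb").read())` pairs from `os.walk()`; a sudden jump in the number of flagged files, especially ones with a new extension appended, is the pattern a backup job or file server monitor should alert on before the encryption finishes.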

As mentioned in the first section, the EU has a repository of tools for helping with encrypted systems. If you’re lucky, you’ll have one of the older ransomware applications. There is a 10-20 percent chance that your system can be decrypted without any payment. Prevention is the best strategy.

Keep in mind that some ransomware is so poorly crafted that no decryption is possible; one poor version simply writes over your data with zeros. They will gladly take your money, however.

Below are some steps that should be useful in reducing the chance that you or your institution will be a victim. Not all steps apply to all situations. An organization’s server would be addressed differently than would a remote worker’s laptop. Unfortunately, one of the corporate world’s most effective anti-ransomware strategies, that of educating staff via sending out faked social-engineering emails to see who can be fooled into clicking on suspect links, is not possible for our institutions. Those systems tend to be expensive and assume the ability to hold training sessions for the staff and remediation for staff found to be clicking on malicious links.

The steps below, when combined, are effective and inexpensive. Additionally, they greatly increase an organization’s overall security profile.


  • Keep all software updated. Ransomware often takes advantage of known bugs to take over the target’s computer. A large percentage of successful attacks are due to unpatched software.
  • Run your personal computer as a “standard user”. Malware runs with whatever access rights the victim has. If the victim is a standard user on the computer, only their information will be encrypted. On the other hand, if the user is an administrator, everything on the system will be encrypted.
  • Use antivirus software. Sophos UTM has a free home version that protects against ransomware. There are other AV vendors that sell effective solutions.
  • Use a DNS service that filters out the bad websites. Ransomware often resides on known websites – usually in countries where the authorities are slow to take down malicious sites. A DNS service that knows the addresses of the bad sites can stop a malicious link, when it is clicked, from resolving and reaching the site or its control server. Three such services are OpenDNS, CleanBrowsing and Quad9. Cloudflare and Google’s DNS currently do not filter DNS traffic.
  • Some firewalls and antivirus applications have a feature called “geo blocking”. This means that traffic coming from parts of the world that are geo-blocked will be stopped. If there is no reason for your staff to visit Russian websites, then blocking traffic with addresses located in Russia will block ransomware hosted there. Geo blocking does not prevent email coming in from any of the blocked locations because your email server’s location is the important factor, not the email sender’s location.
  • Having a good backup could be the only form of help for an encrypted drive. First, you may not be able to pay the ransom demand. Second, some ransomware attacks don’t have decryption keys. The creators may have moved on or they may have had no intention of ever sending a decryption key. The main problem with typical backups is that ransomware will encrypt them, too. Backups need to be done in such a way that an infected computer cannot encrypt the backups. For example, connect a backup device for a backup and then disconnect it after it has been completed. A Network Attached Storage (NAS) device used for backups can also be encrypted by ransomware. If the NAS is only being used for backups, consider turning it on for the backup and then having it physically turned off the rest of the time.
  • Data created and stored online typically cannot be encrypted by ransomware. For example, Google Docs cannot be encrypted. Likewise, Office 365 documents created online are immune. However, anything created on the user’s local PC can be encrypted. Files synchronized to an online system, such as Google Drive, Dropbox, or OneDrive, would not get flagged as bad. Uploading a virus would certainly get flagged but uploading a document encrypted by ransomware would be indistinguishable from a document encrypted by the user. The key element to keep in mind is not where the data is eventually located but where it was created. Local content is accessible to the ransomware application and online content is not.
  • A good form of protection for an institution is to use a transparent proxy. Essentially, a transparent proxy intercepts Internet traffic as it comes and goes. It can scan all interactions. Some antivirus systems have this ability, but generally, this is a system that an office would have set up for it by an IT expert.
  • Every institution should have email anti-spoofing settings in place on their DNS server. Those settings are known as SPF, DKIM and DMARC. These three standards are all based on DNS entries and allow email servers to know if an email message is from the organization that it claims to be from. The three standards work together. Given that attackers prefer to send social engineering emails that appear to come from the target’s own email address, anti-spoofing measures block emails claiming to be from your institution’s domain name from coming in. We have a document on how to create these records.
  • Attackers, knowing that spoofing email addresses is becoming more difficult, look to see if they can break into a real institutional account and then send a well-crafted email from it. Recipients see a believable message from someone they know. Perhaps it says “I’m a new grandfather! See the photos here” or “We have changed the retirement policy. Please click here to read and then sign the relevant forms”. Even the most knowledgeable people fall victim to such clever messages. When security organizations get compromised, it’s most often a clever spoofed email message that started the process. The best form of protection is two-factor authentication on all online accounts. Using two-factor authentication essentially eliminates the threat of the account being taken over – email or otherwise.
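The SPF, DKIM and DMARC items above are easy to get half right: a record can exist and still protect nothing (an SPF record ending in `+all`, or a DMARC policy of `p=none`). The script below is an added example, not the document on creating these records that the post refers to, and not the project’s own code. It reads the three record types from TXT data and reports the weak settings. The domains, the `mail` DKIM selector and the TXT contents in `SAMPLE_TXT` are constructed so it runs offline; the optional `live_lookup` helper assumes the third-party `dnspython` package and is only used when you pass it in.

```python
from typing import Callable, Dict, List

# Constructed DNS TXT data for made-up domains (not real records).
SAMPLE_TXT: Dict[str, List[str]] = {
    "example.test": ["v=spf1 include:_spf.mailprovider.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
    "mail._domainkey.example.test": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "weak.test": ["v=spf1 +all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none"],
    "mail._domainkey.weak.test": ["v=DKIM1; k=rsa; p="],   # empty p= means the key is revoked
    "nothing.test": [],
}

Lookup = Callable[[str], List[str]]


def sample_lookup(name: str) -> List[str]:
    """Offline resolver over the constructed table; unknown names return no records."""
    return SAMPLE_TXT.get(name, [])


def live_lookup(name: str) -> List[str]:
    """Real TXT lookup; assumes the dnspython package (pip install dnspython)."""
    import dns.resolver  # third-party, imported lazily so the offline path needs nothing
    try:
        answer = dns.resolver.resolve(name, "TXT")
    except Exception:  # NXDOMAIN, NoAnswer, timeouts: treat all as "no record"
        return []
    return [b"".join(r.strings).decode("ascii", "replace") for r in answer]


def _tags(record: str) -> Dict[str, str]:
    """Parse 'k=v; k=v' DMARC/DKIM syntax into a dict with lower-case keys."""
    out: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def check_spf(txt: List[str]) -> List[str]:
    spf = [r for r in txt if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records; RFC 7208 requires exactly one"]
    terms = spf[0].split()
    if "+all" in terms or "all" in terms:
        return ["SPF ends with +all: any host on the Internet may send as this domain"]
    if "?all" in terms:
        return ["SPF ends with ?all (neutral): gives receivers no guidance"]
    if "~all" in terms:
        return ["SPF ends with ~all (softfail): receivers may still accept spoofed mail"]
    if "-all" not in terms:
        return ["SPF has no 'all' mechanism; unlisted senders are treated as neutral"]
    return []


def check_dmarc(txt: List[str]) -> List[str]:
    dmarc = [r for r in txt if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record"]
    tags = _tags(dmarc[0])
    if "p" not in tags:
        return ["DMARC record is missing the required p= policy tag"]
    findings = []
    if tags["p"].lower() == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif tags["p"].lower() == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail goes to spam rather than being rejected")
    if "rua" not in tags:
        findings.append("no rua= address, so nobody receives the aggregate reports")
    return findings


def check_dkim(txt: List[str]) -> List[str]:
    dkim = [r for r in txt if r.lower().startswith("v=dkim1")]
    if not dkim:
        return ["no DKIM record at this selector"]
    if not _tags(dkim[0]).get("p"):
        return ["DKIM p= is empty: the selector's key has been revoked"]
    return []


def assess(domain: str, selector: str = "mail", lookup: Lookup = sample_lookup) -> Dict[str, List[str]]:
    """Run all three checks for a domain; an empty list means no weakness found."""
    return {
        "spf": check_spf(lookup(domain)),
        "dmarc": check_dmarc(lookup("_dmarc." + domain)),
        "dkim": check_dkim(lookup(f"{selector}._domainkey.{domain}")),
    }


if __name__ == "__main__":
    for d in ("example.test", "weak.test", "nothing.test"):
        print(d, assess(d))
```

DKIM needs the selector name because the public key lives at `selector._domainkey.domain`, and there is no standard way to enumerate selectors; check the ones your mail provider told you to publish. For a real domain, call `assess("yourdomain", "yourselector", lookup=live_lookup)`.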

2 comments:

Jacob said...

Pretty clever checklist, thanks! Don't think that it saves users from the most advanced ransomware. Nevertheless, such preventive measures are better than nothing.

Thane said...

I agree. The more sophisticated actions require corporate environments. Most harm can be prevented by a few basic precautions and if you're being targeted by a sophisticated adversary, I'm not sure anything will be enough. Or, if you use a service that gets hacked, that can be a back door to your systems. That seems to be a common method, these days.