It is a black day when management or the IT desk start receiving the same message from staff: the computer is locked, and the only file they can open is a note demanding a ransom, payable in bitcoin, to get their files back.
It means the company has been hit by ransomware and the attacker has encrypted its files. Even acceding to the criminals’ cash demands is no guarantee that the business is out of trouble. Protection against ransomware should be treated like insurance: a business should not wait for the disaster to happen before putting cover from a capable data security vendor in place.
In the early days, ransomware demands were a modest 200 to 300 dollars, the criminals’ encryption was weak, and an infection was confined to a single endpoint (one PC or device). Now demands run into the tens of thousands of dollars.
But ransomware continues to evolve, learning new tricks. Criminals now demand bitcoin payments and host their payment sites on the Tor network, making the infrastructure behind a campaign increasingly difficult to locate and shut down. Bitcoin as the default payment method also makes the money trail harder for law enforcement to tie to a person. Lately ransomware has reached cloud storage as well, so that files a company thought were safely off the endpoint are encrypted too and are almost impossible to recover without paying.
So what happens when a company’s files have been encrypted in a ransomware attack?
In most cases there is no master key to unlock the files: only the criminal holds the key, and there is no one to negotiate with, just a Tor-based wallet waiting for the victim’s payment. Law enforcement can help in the long term, but there is little evidence that reporting will lead to an immediate arrest.
The company will be without its data for at least a few days, and often the backups are compromised too. Attackers typically leave the malware dormant on the system for some time so that it is captured in the backups taken during that window, and before encrypting they frequently delete backup files and Volume Shadow Copies, which would otherwise allow recovery without paying.
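The shadow-copy and backup deletion just described is one of the few ransomware behaviours loud enough to detect from endpoint process telemetry before encryption finishes. The Python below is an added example, not Carbon Black’s product logic and not code from the original article: it runs a handful of regular expressions over constructed process-creation log lines (the line format, hostnames, user names and the backup-agent name are all invented for the demo) and flags the commands typically used to destroy recovery points.

```python
import re
from collections import namedtuple

# Command-line patterns that destroy or disable Windows recovery points.
# Illustrative, not exhaustive: tune against what your own telemetry shows.
BACKUP_TAMPERING = [
    ("shadow copies deleted via vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow storage resized to force copy deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("shadow copies deleted via wmic",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("shadow copies deleted via PowerShell WMI",
     re.compile(r"win32_shadowcopy.*\bdelete\b", re.I)),
    ("Windows recovery disabled via bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup catalog deleted via wbadmin",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I)),
]

# Invented key=value process-creation log format used only for this demo.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'parent=(?P<parent>\S+) cmd="(?P<cmd>.*)"$'
)

Hit = namedtuple("Hit", "ts host user parent technique")

# Constructed sample telemetry: a user PC where a Word document spawned the
# classic pre-encryption cleanup chain, plus benign activity on a file server.
SAMPLE_LOG = [
    '2016-03-01T10:12:33Z host=FIN-PC01 user=CORP\\jsmith parent=WINWORD.EXE cmd="cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"',
    '2016-03-01T10:12:34Z host=FIN-PC01 user=CORP\\jsmith parent=cmd.exe cmd="wmic shadowcopy delete"',
    '2016-03-01T10:12:35Z host=FIN-PC01 user=CORP\\jsmith parent=cmd.exe cmd="bcdedit /set {default} recoveryenabled No"',
    '2016-03-01T10:12:36Z host=FIN-PC01 user=CORP\\jsmith parent=cmd.exe cmd="wbadmin delete catalog -quiet"',
    '2016-03-01T10:15:00Z host=FS-01 user=NT_AUTHORITY\\SYSTEM parent=services.exe cmd="vssadmin list shadows"',
    '2016-03-01T10:16:00Z host=FS-01 user=CORP\\backupsvc parent=BackupAgent.exe cmd="vssadmin resize shadowstorage /for=D: /on=D: /maxsize=unbounded"',
]


def classify_command(cmd):
    """Return the first matching technique label for a command line, or None."""
    for label, pattern in BACKUP_TAMPERING:
        if pattern.search(cmd):
            return label
    return None


def find_backup_tampering(lines, allowed_parents=()):
    """Parse log lines and return Hits for backup/shadow-copy tampering.

    allowed_parents: parent process names (e.g. a known backup agent) whose
    shadow-storage maintenance is expected and should not be alerted on.
    """
    allowed = {p.lower() for p in allowed_parents}
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if m["parent"].lower() in allowed:
            continue
        technique = classify_command(m["cmd"])
        if technique:
            hits.append(Hit(m["ts"], m["host"], m["user"], m["parent"], technique))
    return hits


if __name__ == "__main__":
    for hit in find_backup_tampering(SAMPLE_LOG, allowed_parents={"BackupAgent.exe"}):
        print(f"{hit.ts} {hit.host} {hit.user} parent={hit.parent}: {hit.technique}")
```

Legitimate backup agents also resize shadow storage or delete old copies, which is why the function takes an allowlist of parent processes. Tune that allowlist, and treat a match whose parent is an Office application or a browser as the highest-priority alert, since that is the dropper path the article goes on to describe.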
What should you do in case of a ransomware attack?
Immediately call for specialist IT help. Disconnect infected machines and drives from the network, do not move or alter the data (the encrypted files and the ransom note are evidence), and begin looking for the source of infection.
Many victims pay the ransom demanded, and usually the criminal does release the decryption key after payment; often the sum demanded is less than the cost of data restoration services. Paying at least buys a company time, but the data may already have been copied out of the network.
Paying up also marks the victim as a soft target for future extortion. It leaves the system open to further data exfiltration, does not remove the malware, and does practically nothing to protect the company from liability.
Should your company tell the police?
Many fear that their plight will be publicised. Some companies baulk at the legal exposure, wishing to avoid regulatory enforcement and government or industry sanctions; there might also be individual claims or class actions.
So there are genuine questions over exposure. But although the police do not disclose details, the results of the crime speak for themselves. Calling in the law shows a desire to get to the truth, helps in explaining the incident to customers and partners, and may ultimately result in the wrongdoer being punished.
How does the ransomware come?
Ransomware usually arrives by email, either as bulk spam or as a targeted ‘spear phish’. The payload is a zip attachment dressed up as an unpaid invoice or a voice mail, and it is often password protected so that the mail gateway’s anti-virus cannot scan its contents.
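Because the archive is password protected, the gateway cannot scan what is inside it, but it can still read the zip’s own metadata. The Python below is an added example, not code from the original article or from Carbon Black: it builds a few constructed zip attachments in memory (so the example runs offline) and triages them on two metadata signals alone, the encryption flag in each entry’s header and executable file names such as invoice.pdf.exe, without ever extracting the hostile content.

```python
import io
import struct
import zipfile
import zlib

# File types that have no business inside an "unpaid invoice" or "voice mail"
# archive. An illustrative starting point, not a complete blocklist.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".js", ".jse", ".vbs",
                         ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".ps1", ".lnk")


def build_zip(entries, encrypted_flag=False):
    """Construct a minimal STORED zip archive in memory (demo input only).

    With encrypted_flag=True the general-purpose bit 0 is set in every header,
    exactly as a password-protected archive carries it. The bytes themselves are
    not encrypted; the triage below only reads metadata and never extracts.
    """
    flags = 0x0001 if encrypted_flag else 0x0000
    local_records, central_records, offset = [], [], 0
    for name, content in entries:
        name_b = name.encode("utf-8")
        crc = zlib.crc32(content) & 0xFFFFFFFF
        # Local file header: sig, version, flags, method, time, date, crc,
        # compressed size, uncompressed size, name length, extra length.
        local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                            crc, len(content), len(content), len(name_b), 0)
        local_records.append(local + name_b + content)
        # Central directory header for the same entry.
        central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                              0, 0, crc, len(content), len(content), len(name_b),
                              0, 0, 0, 0, 0, offset)
        central_records.append(central + name_b)
        offset += len(local) + len(name_b) + len(content)
    central = b"".join(central_records)
    # End of central directory record.
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), offset, 0)
    return b"".join(local_records) + central + eocd


def triage_zip_attachment(data):
    """Inspect a zip attachment's metadata and return (verdict, reasons).

    The archive is treated as hostile input: nothing is ever extracted.
    """
    reasons = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "quarantine", ["attachment is not a valid zip archive"]
    for info in archive.infolist():
        if info.flag_bits & 0x0001:  # bit 0 = entry is password-protected
            reasons.append(f"password-protected entry: {info.filename}")
        if info.filename.lower().endswith(EXECUTABLE_EXTENSIONS):
            reasons.append(f"executable content: {info.filename}")
    return ("quarantine" if reasons else "deliver"), reasons


if __name__ == "__main__":
    # Constructed samples: a real invoice, a disguised executable, and a
    # password-protected "voice mail" carrying a script.
    samples = {
        "clean": build_zip([("invoice_0417.pdf", b"%PDF-1.4 constructed sample")]),
        "disguised": build_zip([("invoice_0417.pdf.exe", b"MZ constructed sample")]),
        "locked": build_zip([("voicemail.wav.js", b"constructed")], encrypted_flag=True),
    }
    for label, data in samples.items():
        print(label, triage_zip_attachment(data))
```

A mail gateway that quarantines on either signal catches the pattern described above regardless of what the password is, because the encryption flag sits in the unencrypted headers and file names are never encrypted in a standard zip. The extension list is an illustrative starting point and should be maintained as policy.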
Once a staff member opens the attachment, a ‘dropper’ places malware on the system. The malware contacts a command and control (C&C) server and downloads further, information-gathering components, which map the victim’s computer and every attached drive and device. The ransomware then encrypts the files it finds, using RSA-2048 so that only the holder of the matching private key can recover them, and leaves an HTML calling card explaining how to pay.
Zeus is an example of information-gathering malware: a banking trojan built to steal and exfiltrate data, in particular credentials such as user names and passwords. It reads the user’s browsing history to find bank sites, then hijacks the browser and presents a fake login screen mimicking the victim’s bank; the credentials the victim types into it go straight to the scammer.
What could be done differently?
Call in data security professionals and scrutinise corporate systems with an endpoint threat monitoring system. Anticipate trouble with an incident response plan and a crisis management plan. To pre-empt ransomware, train all staff on security, in particular on how to spot suspicious emails, and test their responses. Set up relationships in advance with a technical response firm, law firms and a crisis communications firm.
If compromised by ransomware, call in technical experts and outside counsel. Restore the system on a spare server, but keep the original machine isolated and untouched so that law enforcement can collect the malware and forensic evidence from it; only then allow the experts to clean it.
Traditional security tools are failing
Signature-based solutions detect only known-bad files, so a freshly repacked sample walks straight past them.
Perimeter-based preventive measures are rendered ineffective by cloud services and mobile devices, which move users and data outside the perimeter, and malware sandboxing cannot keep up with advanced malware built to evade it.
An endpoint solution monitors and records activity on every endpoint (PCs and other devices on the network) in an enterprise, detects attacks in real time without signatures, and rapidly analyses, contains, disrupts and remediates them; alternatively, it stops attacks outright with customisable proactive prevention techniques.
In seeking an effective answer to this growing problem, look for a next-generation endpoint security solution that does not rely on signatures to detect potentially malicious files and that has the prevention and response capabilities required to keep the business safe from whatever the bad guys throw at it.
Brett Williams is the Senior Regional Security Engineer Asia-Pacific + Japan, Carbon Black