Quick Guide to Outsmarting Ransomware
At the end of 2015, our security advisor Sean Sullivan predicted 2016 would be the year of extortion. So far, he’s been absolutely right. Crypto ransomware has been headlining security news in recent months, crippling businesses and organizations small and large. With no visible alternatives, many have been forced into paying the ransom – which may get their computers back online, but it also encourages the cybercriminals in their data racketeering.
Here’s our quick guide to ransomware – what it’s all about, and what you can do to protect your organization.
What does ransomware do?
Crypto-ransomware encrypts the files on a computer, essentially scrambling the contents of the file so that the user can’t access it normally without a decryption key that can correctly unscramble it. A ransom payment is demanded in return for the decryption key. Once the malware has infected one machine, it can spread to others in the network, making it impossible to carry out normal business operations.
The payment is often asked for in Bitcoin, a virtual currency that is difficult to trace. The attacker usually imposes a deadline by which payment should be made. After the deadline, often the payment amount increases and a new deadline is set. If the second deadline is missed, it is likely the attackers will delete the decryption key altogether. Once the key is deleted it may be impossible to ever recover your data.
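The scrambling described above leaves a measurable trace: a document that used to be text becomes a near-uniform stream of bytes. The following is an added example, not code from this post or from F-Secure, showing how a defender can flag such files by byte entropy. The extension lists, the 7.5-bit threshold and the sample files are all constructed assumptions for the demonstration; real tooling would key on file magic rather than extensions alone.

```python
"""Added example (not F-Secure's code): flag files whose contents look
encrypted, the state that crypto-ransomware leaves files in. Constructed
sample files are embedded so the script runs offline."""
import hashlib
import math
from collections import Counter

# Formats whose normal contents are far from uniformly random (constructed
# list; real tooling would carry a much larger table keyed on magic bytes).
LOW_ENTROPY_EXT = {"txt", "csv", "log", "xml", "html", "json"}
# Files that legitimately look random: compressed or already-encrypted data.
HIGH_ENTROPY_EXT = {"zip", "gz", "7z", "png", "jpg", "docx", "xlsx", "pdf"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; 8.0 is perfectly uniform (assumed cut-off)


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(name, data):
    """Flag a file whose extension promises structured text but whose bytes
    are near-uniform; archives and media are skipped to limit false alarms."""
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if ext in HIGH_ENTROPY_EXT:
        return False
    return ext in LOW_ENTROPY_EXT and shannon_entropy(data) > ENTROPY_THRESHOLD


def scan(files):
    """files: mapping of path -> bytes. Returns the suspicious paths, sorted."""
    return sorted(path for path, data in files.items() if looks_encrypted(path, data))


def pseudo_random_bytes(n, seed=b"constructed"):
    """Deterministic high-entropy bytes (chained SHA-256), standing in for
    ciphertext so the sample is reproducible."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


SAMPLE_FILES = {  # constructed sample "disk"
    "reports/q1.txt": b"Quarterly figures: revenue up, costs flat.\n" * 50,
    "reports/q2.txt": pseudo_random_bytes(4096),     # scrambled in place
    "backup/archive.zip": pseudo_random_bytes(4096), # random is normal here
    "notes/readme.log": b"",
}

if __name__ == "__main__":
    for path in scan(SAMPLE_FILES):
        print("suspicious:", path)
```

Run on the constructed sample, only reports/q2.txt is reported: the archive is skipped because compressed data is expected to look random, and the empty log has no entropy at all. A scheduled pass of this kind over file shares, alerting when the count of newly suspicious files jumps, is one cheap early-warning signal that encryption is under way.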
How does ransomware infect a machine?
Users may encounter ransomware in a number of ways. The most common method is via email, as an attached file. The file is usually either disguised as a document containing urgent information or desirable content, or packed in a ZIP or similar archive with a misleading name. This method depends on tricking the user into opening the attachment and running the malicious file. Aside from attachments, email can also spread ransomware through the malicious links it includes (read on to the next paragraph).
Another common way attackers distribute ransomware is to include it in the payload of an exploit kit. Users can be exposed to exploit kits when they visit a compromised website or are redirected onto a malicious site (for example, via an email link). The exploit kit probes the user’s computer for any exploitable flaws or vulnerabilities, which are common in outdated software. If one is found, the exploit kit downloads and installs the ransomware onto the user’s machine. To an average user, this can happen completely without their knowledge.
What is the impact on business?
The ransom fee demanded is usually around $300 to $500 for a computer. If 20 computers are infected, that can add up to as much as $10,000. It’s also possible that cyber criminals who conduct ransomware attacks targeted at specific businesses can ask for one lump sum of their choosing. (For an interesting discussion on the monetization of crypto-ransomware, check out this F-Secure Labs blog post.)
But the money that’s demanded is only a tiny fraction of the actual cost. The real damage comes from the effects of network downtime (lost productivity, lost business opportunities, reduced customer satisfaction and damage to the brand) and the costs of restoring the network (resources to respond to the attack, repairing or replacing systems).
How can you get your files back?
F-Secure advises against paying the ransom. While doing so is one way to get an organization’s system working again, a better way of getting your business’s files back begins before you ever get hit – by taking regular backups. That way if you do get attacked, you can relax – and restore from the backups. If everyone took backups of their work, ransomware would cease to exist as a business model for the criminals.
If your files have been ransomed and you don’t have backups, it’s worth going online and seeing if a decryptor tool exists for the ransomware you’ve been hit with. This list is a good start, although decryptors are typically only available for early versions of some families. And keep in mind that attackers update their approach to use ransomware that doesn’t have a decryptor tool available.
You also might find it useful to share your situation on a help forum like Bleeping Computer, where there are threads for help with Locky, TeslaCrypt, CryptoWall, Petya, CryptXXX, Locker and many others.
How can you prevent your business being a victim of ransomware?
Prevention is better than cure, and that’s certainly true for ransomware. Take precautions to prepare for and avoid a ransomware attack and you’ll be much better off. Here are our tips to keep your business running:
- Take regular backups of your organization’s data. Store the backups offline, so they can’t get infected too. And test restoring them from time to time to make sure that they really will work. With good backups, if you do get hit, you can get back on your feet faster without having to fork over cash to the criminals.
- Make sure you’re running a robust security solution that covers all your endpoints and provides layers of protection. F-Secure Protection Service for Business is a layered approach that protects against all the known ransomware threats that are out there, and it can block brand new zero-day threats as well. As new ransomware variants are popping up rather often lately, this is important.
- Keep the software on all your endpoints up to date to prevent exploits. With automated patch management like F-Secure Software Updater (included with Protection Service for Business), this is easy.
- Train your employees on current social engineering tactics used in spreading ransomware. Teach them to be wary of emailed attachments, and links, especially from untrusted senders. Make sure they are aware of their role in protecting your business data.
- Limit the use of browser plugins. Disable commonly exploited ones such as Flash Player and Silverlight when not in use.
- Manage access controls. Limit the use of admin accounts to only those for whom admin access is absolutely necessary, and those with admin accounts should only use them when necessary. Also, file, directory and network share permissions should be structured so users don’t get more access than they really need – users who only need to view certain files don’t need write-access to them.
- Implement application controls so programs can’t execute from common ransomware locations (for example, temporary folders supporting popular Internet browsers). Also implement whitelisting so only known and approved programs are allowed to execute.
- Categorize and separate data. Limit lateral movement within your network by separating networks and data for different business units.
- Disable macro scripts from Office files received via email.
- Use an email filtering gateway and configure it to block executable attachments.
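The last two tips, and the email delivery method described earlier, come down to an attachment policy at the mail gateway. The following is an added example, not F-Secure's code or any product's configuration, of what such a policy looks like in Python's standard `email` and `zipfile` modules: it refuses executable and script extensions, lure-style double extensions, anything that carries a Windows PE header regardless of its name, and ZIP archives that contain executables or a `vbaProject.bin` macro part. The blocked-extension list, the macro-format list and the sample message are constructed for the demonstration.

```python
"""Added example (not F-Secure's code): a minimal mail-gateway attachment
policy. It decodes a MIME message and returns the reasons, if any, that each
attachment should be blocked."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions a gateway typically refuses outright (constructed policy list).
BLOCKED_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
               "vbe", "wsf", "hta", "ps1", "jar", "msi", "dll"}
# Office formats that can carry VBA macros (constructed list).
MACRO_EXT = {"docm", "xlsm", "pptm", "dotm", "xltm"}


def _ext_parts(name):
    """All extensions of a filename, lower-cased: 'a.pdf.exe' -> ['pdf', 'exe']."""
    return name.lower().split(".")[1:]


def classify_blob(name, data):
    """Return a list of reasons to block this attachment (empty = allow)."""
    reasons = []
    parts = _ext_parts(name)
    if parts and parts[-1] in BLOCKED_EXT:
        reasons.append(f"{name}: blocked extension .{parts[-1]}")
        if len(parts) > 1:  # "invoice.pdf.exe": the earlier extension is the lure
            reasons.append(f"{name}: double extension")
    if parts and parts[-1] in MACRO_EXT:
        reasons.append(f"{name}: macro-enabled Office format")
    if data[:2] == b"MZ":  # DOS/PE header: an executable whatever it is called
        reasons.append(f"{name}: content is a Windows executable (MZ header)")
    if data[:2] == b"PK":  # ZIP container (also the shell of .docx/.xlsx)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    inner = _ext_parts(member.rsplit("/", 1)[-1])
                    if inner and inner[-1] in BLOCKED_EXT:
                        reasons.append(f"{name}: archive contains {member}")
                    if member.endswith("vbaProject.bin"):
                        reasons.append(f"{name}: archive contains VBA macros")
        except (zipfile.BadZipFile, OSError):
            reasons.append(f"{name}: PK header but unreadable archive")
    return reasons


def scan_message(raw_bytes):
    """Decode a raw RFC 822 message and classify every attachment part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        findings.extend(classify_blob(name, data))
    return findings


def build_sample_message():
    """Constructed test message with three attachments: a harmless text note,
    a ZIP hiding a script behind a lure name, and a bare PE stub renamed .pdf."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Invoice overdue"
    msg.set_content("Please see attached.")
    msg.add_attachment("plain notes", filename="notes.txt")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2016.pdf.js", "// constructed placeholder, not a real script")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    fake_pe = b"MZ" + b"\x00" * 62  # constructed: only the DOS header magic
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf",
                       filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print("BLOCK", finding)
```

On the constructed message the note is allowed while the ZIP and the renamed executable are both blocked. Checking the first bytes rather than trusting the filename is the part that matters: renaming is free for the attacker, a PE header is not.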
Webinar Recording: Post-mortem of a Data Breach
In the webinar recording, our cyber security experts Janne Kauhanen and Jani Kallio walk you through a recent real-life data breach we investigated. This was a textbook example of strategies and tactics used by adversaries to gain access to the data they were after, including all the steps from the initial recon-phase to the final data exfiltration to the attacker’s servers.