Ransomware and how to Stay Safe
2016 saw a lot of hacking activity, from government agencies, big and small businesses down to individuals and everything in between…no one was spared from the constant threat that occurs in our connected world. We have all heard or read about the high profile attacks, but it is the smaller, “under the radar attacks” that we need to understand and ultimately protect ourselves from.
Here’s some of the big news that occurred in 2016.
A phishing attack on Ukraine’s power grid resulted in a total blackout in the western part of the country
Ransomware continues to grow and spread.One of the largest attacks was against Hollywood Presbyterian Hospital.The hospital ended up paying a $17,000 ransom to regain access to their files, which included patient medical records.
Hackers upped the ante in 2016 by targeting banks.The biggest heist was against Bangladesh Bank where the hackers initiated an $81 million wire transfer by utilizing vulnerability within the SWIFT system, an interbank messaging system.
Individuals and groups fell prey in 2016, the most notable being Saudi Arabian group. In this case Zuckerberg used a weak password which the hackers figured out.According to the hackers, his password was “dadada”. Mark should know better.
We all love reading about the big ones, they make good press. But up until recently, even the big threats that occurred in 2016 were limited to a small number of victims. Now, here we are in 2017 and we have recently seen one of the largest ransomware attacks unfold around the world. Over 300,000 systems infected, with the WannaCry malware, in over 150 countries. All of these threats were focused on targets both big and small. Two types of threats have grown unabated in 2016 and look to be prevalent in 2017:
Ransomware and other cyber extortion schemes
The utilization of IoT (Internet of Things) devices as an attack platform
This blog post will focus on ransomware; we will address the Internet of Things on a separate post.
Ransomware
Ransomware is nothing new, in fact, it’s been around for quite a few years. But with the new WannaCry variant recently released, it seems everyone has sat up and taken notice, and for good reason. Ransomware is a malware program that infects your computer, encrypts your data or locks you out of your computer, and then demands a ransom. Ransomware comes in many flavors too numerous to discuss in this short article, but let’s look at the typical setup:
Entry
Clicking on and opening an email attachment is the most common entry point for the majority of ransomware
Visiting an infected website is another method of downloading the malware
What it Does
The majority of ransomware encrypts your data (Office files, databases, photos and videos) thus rendering your data unavailable. It will encrypt data on all of your connected drives (your computer hard drive, USB drives, and network drives). It does all of this without you knowing.
In some cases the malware locks your computer system, making it unusable.
The malware then displays a message demanding a ransom to be paid in Bitcoin. In return the hackers promise to supply you with a decryption key that will unlock your data.
Getting back to Normal once you’ve been Infected
Some tools do exist that can eradicate the malware and un-encrypt your data. However, it’s important to note that these tools only work on some older variants of the malware.
Having an up to date, secure, offsite backup of your data is the best option for surviving an infection.
If you don’t have a backup, paying the ransom is many times the only option. Many hackers will fulfill their promise to supply you with the key to unlock your data, but some hackers do not. Paying the ransom is a risky decision.
So, what’s so special about the WannaCry ransomware that makes it different? In the case of WannaCry, the hackers combined the typical code associated with ransomware with code developed by the NSA that was previously used to secretly enter and spy on unsuspecting computers and networks. The NSA code relied on a vulnerability existing in Microsoft operating systems. The hackers then deployed the code via a worm, spreading itself within a network rather than relying on humans to spread it by clicking on an infected attachment. If this sounds confusing, here’s the simple explanation. In a typical ransomware deployment, the malware can only infect the drives that are connected to the computer that was used to click on the bad email attachment (remember, any drive the user has permission to use on the network is fair game, however, most users only have limited permissions based on their work responsibilities). In order for the malware to spread to other user’s computers would require other users to receive the same bogus email and to click on the same bad attachment. With the WannaCry variant, the malware can spread to all users and all drives on the network. In a large organization, literally thousands of systems and drives can be infected by only one user clicking on one attachment…and that’s what makes WannaCry so dangerous.
Another significant difference with WannaCry is quickly becoming apparent. The hackers have been swamped with ransom payments and requests for unlock keys to the point that they are not providing the keys, thus, security experts are warning infected organizations that there is no guarantee that access will be granted after payment.
As we mentioned earlier, ransomware has been around for a while, providing hackers with an easy revenue stream. This threat shows no sign of slowing down. Ransomware has become easier to deploy, thus, it has attracted the most novice of hackers, and, it makes the bad guys a lot of money.
The FBI has reported that ransomware payments in 2016 have exceeded $1 billion, that’s a significant increase from the $24 million paid in 2015. Ransom demands tend to be highly variable, but one thing is for sure…they are going up. The average ransom demanded in 2016 was $679, up from $295 in 2015.
A survey conducted by IBM in 2016 found that only one-third of consumers have actually heard of ransomware. Of those people and businesses that were victims of ransomware, 70% paid the ransom.
To be clear, ransomware is not going away anytime soon. So what can the average person do to avoid this threat? We have discussed this in past blog articles, but it’s probably worth reviewing here.
Don’t open suspicious emails. But what constitutes a suspicious email? Any email from someone you don’t know, or an email you did not expect. These days, even an email from someone you know may not be as it appears. It’s easy for hackers to use one of your friend’s or associate’s email address to send you an infected attachment. It’s important to stay vigilant.
If you do open a suspicious email, don’t click or open any attachments. This is important; it’s the attachment that contains the malware.
Be careful when visiting websites, refrain from clicking on ads. Hackers have even found ways to infect the ads of major retailers. Some forms of malware do not even require you to click on anything; just passing your mouse over the infected area of a web page is enough to infect your computer. And, the most sophisticated of malware only requires that you visit a web page…no clicking required.
Use a good spam filter that will weed out most suspicious emails before you even see them.
Use a good anti-virus program and keep it up to date. However, don’t become complacent just because you have an anti-virus program installed. Anti-virus programs only protect you against known variants of malware, a new variant like WannaCry would most likely not be caught until the anti-virus developer had a chance to analyze the malware code and issue a virus definition update.
Keep your operating systems up to date, but don’t assume you are protected just because your systems are up to date. A new variant exploiting a newly discovered vulnerability within an operating system can and will infect you if you click on an infected attachment.
Last but not least, backup your data to the cloud. Don’t rely on a local backup to save you; most ransomware will encrypt data on all drives connected to your network. Only a good cloud backup, properly configured, is ransomware proof.
Even if you follow all of these recommendations, you may still fall victim to a new virus, it happens. If your system is acting different, if strange popups appear, if all of a sudden you can’t access some of your data, then immediately turn off your system and call a professional. The longer you leave your system on will only increase the time it takes to get your system restored. So, turn your computer off ASAP.
Summary
Of all the things discussed above, the best way to reduce the potential of getting attacked by ransomware starts with the user. Specifically, learn to spot suspicious emails, and more importantly, don’t click on attachments within those emails.
Stay Safe,
The technical team at Great Lakes IT Services
