Ransomware: what you need to know


Andy Cormack this week looks at a topical threat – Ransomware. The world recently witnessed its biggest reported cyberattack, with a mammoth number of machines, systems and organisations affected across the globe.

Andy takes a look at what it is, how it works, and how you can thwart this particularly insidious form of blackmail.


Introduction

After the events that have transpired recently, it seems like there’s no better time to talk about ransomware. If you’ve kept up with the news you’ve probably heard the term, along with the name WannaCry; if you haven’t, then here’s a quick primer on both.

Ransomware is malicious software that prevents access to your computer’s files, typically by encrypting them or, more crudely, by blocking the user interface. It then holds those files to ransom: unless the victim pays a demanded sum of money, or makes some other form of payment, the files are threatened with deletion or even with publication online, depending on the intended target and how sensitive the files are. Given that decrypting the files without the key would take an incredibly large amount of time, these attacks prey on time pressure more than anything else, sometimes displaying a countdown timer to hurry the victim into responding before the files are shredded. Attacks of this nature usually get onto a computer via a mechanism known as a Trojan virus, under the guise of some legitimate download (see Starjammer Bulletin: The Bulletin’s Guide to Computer Viruses).

WannaCry

WannaCry is a recent and large-scale example of ransomware, targeting older and unpatched versions of Windows that an alarming number of companies and individuals still use, making the recent attack far more effective than it really should have been. This particular ransomware encrypts files on the victim’s hard drives and then demands a relatively small ransom payment via the Bitcoin cryptocurrency.

The critical part of this particular attack is how avoidable it was. The virus specifically targets a vulnerability in Windows that was patched by Microsoft almost two whole months prior, proving yet again how important it is for people to keep their software, and more specifically their operating system, up to date as often as possible. Microsoft even went the extra mile and made a patch for Windows XP and Windows Server 2003, both of which are products that the company has long ended official support for. That being said, most of the victims of the attack were running Windows 7, which makes the success of the attack even harder to excuse when you consider the advances in the operating system’s update tools by that point.

Much commentary and controversy have surrounded the specifics of how the attack was so easy to pull off, referencing the fact that the United States’ National Security Agency (NSA) had discovered the particular vulnerability that allowed WannaCry to work, quite some time before the attack. But instead of informing Microsoft so that they could patch the issue sooner, they decided to create their own hacking tool using the vulnerability, code named EternalBlue. Only much later was the vulnerability made public by the hacking collective called “The Shadow Brokers”, after they leaked the NSA hacking tools online, resulting in nearly 200,000 machines being infected within two weeks of its public release, and then leading on to the development and release of WannaCry a couple of months later in May 2017.

The rise of ransomware’s popularity

Ransomware has been sharply increasing in popularity. In the first quarter of 2013, McAfee published a threat report showing that the number of unique ransomware samples had more than quadrupled in just three years.

The report reads: “Ransomware has become an increasing problem during the last several quarters, and the situation continues to worsen. The number of new, unique samples this quarter approaches 250,000, but the most worrying aspect is the number of reported infections. We have limited visibility into these figures because only our consumer products can share detection data with us. (We make that information public.) This trend is also reflected by warnings from law enforcement and federal agencies around the globe.”

This threat shows no sign of slowing either: a more recent McAfee report, from March 2017, shows that the total number of ransomware samples held had increased by 88% in 2016.

So what can you do?

Of course, the simplest solution is to protect yourself well enough that you don’t get infected in the first place.

Numerous security companies will give you various pieces of advice on how to keep your computer and files safe. Microsoft, for example, has a page dedicated specifically to ransomware in its Malware Protection Center section on its security pages.

There is a wealth of information and data available on their site, some of which we’ve already talked about here, ranging from what ransomware does to information for both home users and businesses, along with relevant data on ransomware and some of the popular software variants.

There is also an article posted by the Microsoft security team from May 2016 that gives you some stats and maps about the most targeted areas, as well as some data on the basic types of ransomware. In it there is a table with the top twenty countries where ransomware is most prevalent, and the UK is at number four on the list, showing just how common it is to encounter ransomware or to be directly targeted by it.

Variations of Ransomware

There are two main variants of ransomware that are recognised as being in current use:

Lockscreen ransomware – a full-screen message that prevents you from accessing your PC or files. It says you have to pay money (a “ransom”) to get access to your PC again.

Encryption ransomware – changes your files so you can’t use them. It does this by encrypting the files – see the Details for enterprises section if you’re interested in the technologies and techniques we’ve seen.

So despite the different types, the end result is much the same.  Either way it’s a huge problem that is only becoming more prolific as each successive year passes.

Here are some key points that will help you remember the kinds of activities that can leave you open to such attacks, so you can be on guard about suspicious looking files and websites.

1. Never browse untrusted websites.

2. Be careful about downloading or opening file attachments from spam emails, which are known to contain malicious code. This includes compressed files or files inside archives. Some possible attachments can be executables (.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .hlp, .ht, .hta, .inf, .ins, .isp, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .pcd, .reg, .scr, .sct, .shs, .url, .vb, .vbe, .vbs, .wsc, .wsf, .wsh, .exe, .pif, etc.)

3. Opening Microsoft Office files that support macros (.doc, .xls, .docm, .xlsm, .pptm, etc.)

4. Installing unlicensed or pirated software, or outdated software programs or operating systems.

5. Using a PC that is or has been connected to an already infected network.
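To show how the extension lists in items 2 and 3 can be applied, including to "files inside archives", here is an added Python example (not code from the article or from Microsoft) that flags risky attachment names and looks inside ZIP files. The function names, the `!` path separator, and the nesting and size limits are assumptions made for the illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extension lists copied from items 2 and 3 of the article's list.
EXECUTABLE = set(""".ade .adp .ani .bas .bat .chm .cmd .com .cpl .crt .hlp .ht
.hta .inf .ins .isp .job .js .jse .lnk .mda .mdb .mde .mdz .msc .msi .msp .mst
.pcd .reg .scr .sct .shs .url .vb .vbe .vbs .wsc .wsf .wsh .exe .pif""".split())
MACRO_OFFICE = {".doc", ".xls", ".docm", ".xlsm", ".pptm"}
MAX_DEPTH, MAX_MEMBER = 3, 20 * 2**20  # assumptions: nesting and size limits

def classify(name):
    """Return why a file name is risky, or None if it is not on the lists."""
    suffixes = [s.lower() for s in PurePosixPath(name.replace("\\", "/")).suffixes]
    if suffixes and suffixes[-1] in EXECUTABLE:
        # "invoice.pdf.exe" puts a harmless-looking type in front of the real one
        return "double extension" if len(suffixes) > 1 else "executable"
    if suffixes and suffixes[-1] in MACRO_OFFICE:
        return "macro-capable Office file"
    return None

def scan_attachment(name, data, prefix="", depth=0):
    """Return [(path, reason)] for one attachment, descending into ZIP files."""
    path, reason = prefix + name, classify(name)
    findings = [(path, reason)] if reason else []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        return findings + [(path, "nested too deeply to inspect")]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in (i for i in zf.infolist() if not i.is_dir()):
            opaque = bool(info.flag_bits & 0x1) or info.file_size > MAX_MEMBER
            if opaque:  # encrypted or oversized: only the name can be checked
                findings.append((f"{path}!{info.filename}", "not inspected"))
            inner = b"" if opaque else zf.read(info)
            findings += scan_attachment(info.filename, inner, path + "!", depth + 1)
    return findings

def sample_zip(files):  # builds a constructed in-memory ZIP from {name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, content in files.items():
            zf.writestr(fname, content)
    return buf.getvalue()

if __name__ == "__main__":  # constructed attachment: a ZIP holding another ZIP
    inner = sample_zip({"photos/readme.txt": b"hi", "photos/viewer.scr": b"MZ"})
    outer = sample_zip({"invoice.pdf.exe": b"MZ", "more.zip": inner})
    print(*scan_attachment("scan_2017.zip", outer), sep="\n")
```

A name-based check like this only catches what the file claims to be; it complements, and does not replace, the antivirus scan recommended in the prevention list.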

As you can see, the mechanisms and processes that can be used to infiltrate your PC in ways you might not have even known were possible are manifold. So, how can you attempt to take steps in preventing this from happening to you?

Prevention

There are a number of ways in which you can keep your system and files safe. Some of these are obvious, while others are common sense when you think about it.

1. Always make sure that your operating system and antivirus software are up to date.

2. Regularly back up your files onto an external hard drive.

3. Enable file history or system protection. For example, on devices that run Windows 10 or Windows 8.1, you must have your file history enabled, and you have to set up a drive for file history.

4. Use OneDrive or Google Docs for business or personal documents.

5. Beware of phishing emails and spam, and avoid clicking on suspected malicious attachments – if in doubt, run a virus check.

6. SmartScreen protection. Available via the Microsoft Edge web browser, it will prevent you from browsing sites that are known to be hosting exploits, and protect you from what are known as socially-engineered attacks such as phishing and malware downloads.

7. Disable the loading of macros in Microsoft Office programs – this is a common gateway for attacks.

8. Disable your Remote Desktop feature whenever possible.

9. Use two-factor authentication whenever possible.

10. Use a safe and password-protected internet connection at all times.

11. Avoid browsing web sites that are known for being malware breeding grounds (illegal download sites, porn sites, etc).

12. Install, use, and regularly update an antivirus solution like McAfee, Symantec, Norton or Windows Defender in order to detect ransomware before it has a chance to cause any issues, and enable the Microsoft Active Protection Service (MAPS) in order to get the latest cloud-based ransomware protection for both detecting and blocking potential attacks.

There is also an article in Wired Magazine that does a good job of picking out some key points that could save you from the heartache of ransomware attacks.

In extremis

Of course, there’s still the matter of what happens if, despite your best efforts, you get infected. If all else fails, you really need those files, and no backups were made, then, although security experts such as Anup Ghosh from the security firm Invincea recommend against paying, Ghosh, interviewed in the Wired article, says he understands the impulse to pay.

“In traditional hacks, there is no pain for the user, and people move on,” he says. But ransomware can immediately bring business operations to a halt. And in the case of individual victims who can’t access family photos and other personal files when home systems get hit, the pain involved with that is so off the charts…. As security people, it’s easy to say no [to paying]. Why would you feed the engine that’s going to drive more ransomware attacks? But … it’s kind of hard to tell someone don’t pay the money, because you’re not in their shoes.”

So avoid this undesirable result and stay prepared! Back up your files so they can’t be held to ransom, stay vigilant about suspicious-looking links, and above all, keep your operating system, software, firewall, and antivirus all up to date.
