Have any questions? Just call us at 1.866.900.4236

Crypto-Ransomware

Ransomware as a Service?

Yes, cyber criminals are using this technique because it is easy, and has a good 'ROI'.

Even cyber criminals are time conscious and use techniques that work. Ransomware will continue to get worse, become more stealthy, and recently the cybersecurity community has continued to see cyber criminals improve their coding instructions making it near impossible to decrypt. The Locky malware that is targeting millions of computers is an example of this crypto-ransomware. Ransomware is not new and has been around for a few years targeting hospitals, local governments, small/large businesses, and even law enforcement agencies. This is a very serious threat to your business and it should be prioritized.

Email and Web-Browsing

So how is ransomware targeting your business and your users? Email and the web browser. Your user receives a spear phishing email (i.e. targets a specific user and looks legitimate) and will either, open the attachment, or click on the URL. Either action will cause the user's computer to download the malware and the encryption files begins, which hold your files ransom. The FBI does not recommend paying the ransom. Email and web-browsing habits should be constantly communicated to your employees. Your users are your human firewall and last line of defense when a phishing email makes it to the email inbox, or web filtering doesn't block a particular malicious website.

IT Admins

Recently, you've more than likely been frantically researching processes, configurations, and technologies to implement in your infrastructure to protect your IT assets from ransomware. There are pros & cons with many of the implementations. Remember, if a phishing email makes it to your user, they are clearly the last line of defense, so it starts with training and educations of your user base. Consider any of the following in your layered security approach:
  1. How-To Disable Windows Script Host: YMMV, but we tested this a Locky malware sample. If you have a server assigned the WSUS role, this may cause an issue, so test in your environment beforehand. However, we would recommend pushing GPO out to all or a select OU for multiple endpoints in your environment for testing.
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings > Create a new DWORD value named "Enabled" and set value data to "0".
  2. Software Restriction Policies via GPO: restrict executables (i.e. prevent from running from %TMP% directory). Yes, a software restriction policy may break legitimate applications. Consider whitelisting applications. If you are a GPO expert you can be really creative here with limiting what can run in your environment and monitoring.
  3. Block Remote Use of Local Accounts: Disable the "Administrator" and any Guest accounts. Create an administrator account with a unique name to your environment. Microsoft has a document here on limiting these critical local accounts on your endpoints (workstations).
  4. Spam Filtering: Whatever solution you have implemented right now, turn it on HIGH!
  5. Filter File Extensions (Email & Web): filter inbound email attachments and consider blocking multiple file extensions from being downloaded by users via web browsers.
  6. Country Blocking: If you are a business and do not have international customers, block those countries! Yes, many cloud technologies leverage data centers globally, but separate policies should be in place to limit egress/ingress connections to these services by certain internal resources.
As necessary, uninstall, Java, Flash, and Silverlight installations. If these are not required for mission critical applications, it is highly recommended to uninstall.

 Open Letter to our Clients

 
**Important** Please share with all your employees and be vigilant.  Dear Client: We have seen a surge undetectable ransomware infections going around lately. Ransomware is an encryption virus.  The virus silently encrypts data on not only your PC, but also your server and other devices on your network, rendering it inaccessible.  Once it is done, you will no longer have access to your data, unless you pay the demanded “ransom” or have a means of data restoration that has remained unencrypted.  The only solution to gain access to your data again, in the event of an encryption event like this, is to either pay the ransom, or revert to your backups.  This being the case, we cannot emphasize enough the importance that your business have more than one backup method and more than one backup device securely in place.   Something very disturbing that we are seeing is that zero-day variants of this virus are making it past many hosted SPAM filters, many gateway-level scanning engines, and are even going undetected by many popular antivirus packages.   This being the case, it is imperative that you never open attachments from senders that are unknown to you. It is also imperative that you inform your staff that they never open attachments from senders that are unknown to them, and we recommend that they be forbidden to check personal email on company PCs.  Subject lines such as “You have a Package from FedEx” or “Invoice for Services” often entice an end user to open the attachment.  Other users will open the attachment thinking it must be safe because it is only a Microsoft Word file, not realizing there is macro code within it.  The writers of the crypto-virus are becoming more and more clever in their attempts to lure you to execute or open the attachment or click on hyperlinks to websites that can deliver the payload. We are finding that there is also a delay from the time the attachment is opened to the time the payload begins encrypting data on the device and network, further complicating the matter because the end user does not associate the cause (opening the attachment) with the effect (encrypted, inaccessible data). We go to great lengths to ensure that our clientele have assets in place to prevent infections such as these; however, nothing in technology is bullet-proof, and zero-day viruses can infiltrate a network with one simple click of a single end user. We ask that you remind your employees to be hyper-aware of this threat by following these simple steps:
  1. Never open an attachment from a person you do not know.  When in doubt, delete the email.
  2. Never open an attachment that is suspicious or unexpected without first contacting your systems administrator.  When in doubt, delete the email.
  3. Never click on hyper-links in emails that were sent by people you do not know.  When in doubt, delete the email.
  4. Never click on hyper-links in emails that are suspicious or unexpected without first contacting your systems administrator.  When in doubt, delete the email.
  5. Most importantly, remember that your single click could cripple a company and cost your employer thousands of dollars.
  6. Be aware that the person that opened an infected attachment will be easily identified, as their username will be on the properties of the encrypted files.
  We hope that this information provides valuable information, helping you to maintain a safe and secure network.   As always, if you have any questions about this new Internet threat, feel free to contact us anytime at 812.421.8000.
 

Best Advice

Educate and empower your employees. Change your security awareness culture and it begins with you!
Ransomware: I Want You!

Source: Wikipedia

Test your current backup solutions. If you do not have multiple backup solutions in place, do it now! Offline,air-gapped backups are recommended for a baseline infrastructure image. Offline, regular incremental backups should also be implemented for mission critical data.

Resources

FBI.gov  

Share:
client-photo-1
Brad

About author

Brad Garnett, CCE®, GCFE, GCFA is a Digital Forensic Examiner with Kemper Forensics, a division of Kemper CPA Group LLP. Brad is a certified, experienced forensic examiner, investigator, and IT professional. Mr. Garnett also teaches a cyber crime and computer forensics course at a local university. Prior to joining the Kemper team, Mr. Garnett spent a decade in law enforcement, where he specialized in digital forensics. Mr. Garnett works with clients from various industries, including health care, law firms, local governments, and small businesses, where forensic technology is needed to answer a legal question or make a tough business decision. If you have a situation where forensic technology is needed to help you find an answer or make a tough business decision, please contact Brad at 812-421-8000. IMPORTANT: No public comment by Mr. Garnett (web page, tweet, video, update, status, speech, blog, article, audio, or similar) is legal or professional advice. Information should not be construed as legal advice or legal opinion on any specific facts or circumstances. The content is intended for general informational purposes only. You are urged to consult your own attorney on any specific legal questions concerning your situation.

No Comments Yet.

Leave a Reply