You’ve heard the story before – Company X or Hospital Y cannot access their information systems, nor can they restore from backup for a variety of reasons. How did they lose access? Malware encrypted the file system and “hackers” (if you wish to call them hackers – I refer to them as extortionists) will only provide the decryption key for the right price. This activity is referred to as “ransomware,” and is defined as “malware that infects computer systems and restricted users’ access” (US CERT). Imagine losing either a critical part of your business, or in certain cases, the entire business with no recourse. If the only option was to pay the extortionists, you would need to know how to purchase and send bitcoin, something not many are intimately familiar with.
Ransomware is now the most popular information systems attack vector, as nearly 90% of phishing messages contain, or link to, ransomware. Some of the most recent variants, such as Locky and Samas, created more havoc than earlier versions of CryptoLocker due to their infection and encryption methods.
How is it transmitted?
As mentioned, 90% of phishing messages contain, or link to, ransomware, making malicious e-mail attachments the most popular distribution method. The next most exploited vector is drive-by downloading, which occurs “when a user unknowingly visits an infected website and malware is downloaded and installed without the user’s knowledge” (US CERT). Web servers have also been targeted and exploited to gain entry into a company’s network.
Prevention and Eradication
There are several techniques organizations can employ to prevent, and if infected, eradicate ransomware.
- The first and most effective technique is education. Users are responsible for over 75% of security incidents on an organization’s network. Instructing users on proper e-mail screening and web browsing habits is not only cost-effective, but it also provides the biggest value per dollar spent.
- Have an effective data backup/restoration process for all business-critical information. Organizations should create backups on a regular schedule, perform regular restoration tests, and ideally store them offsite/isolated from the primary network.
- Patch management is critical. Malware can easily proliferate through unpatched systems and cause more damage. Timely patching reduces the number of exploitation points on a particular system, shrinking the attack surface.
- Ensure all endpoints have anti-virus/anti-malware protection installed. It provides an effective means of preventing known strains of malware.
- Restrict users’ permissions. For example, if users don’t need domain or local administrative privileges, remove them. If a limited-permission user is infected, the malware will only affect the files/folders/systems that particular user is able to modify.
- Implement a proxy or sandboxing solution. Policies can be implemented to inspect all web traffic and “test” files/applications on a sandboxed appliance. If malicious traffic and/or files are detected, the solution will prevent them from infecting the network.
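A minimal restoration test for the backup practice listed above, as an added example that is not part of the original article: it records a SHA-256 manifest when the backup is taken and later verifies a restored copy against it, so a restore that is incomplete, or whose files were already encrypted when the backup ran, is caught instead of discovered during an incident. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest taken at backup time.
    Reports files missing from the restore and files whose content differs."""
    current = build_manifest(restored)
    missing = sorted(f for f in manifest if f not in current)
    changed = sorted(f for f in manifest if f in current and current[f] != manifest[f])
    return {"missing": missing, "changed": changed, "ok": not missing and not changed}


def demo() -> dict:
    """Constructed scenario: a clean backup manifest, then a flawed restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "live"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("acct,amount\n1001,250.00\n")
        (src / "readme.txt").write_text("quarterly close procedure\n")
        manifest = build_manifest(src)  # stored alongside the offsite backup

        restored = Path(tmp) / "restored"
        (restored / "finance").mkdir(parents=True)
        # Simulate one file coming back as unreadable (encrypted-looking) bytes
        (restored / "finance" / "ledger.csv").write_bytes(os.urandom(32))
        # readme.txt is deliberately not restored at all
        return verify_restore(restored, manifest)
```

Keep the manifest with the offsite copy rather than on the primary network, so it cannot be altered by the same malware that reaches the live data.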
First National Technology Solutions offers a variety of information security protection mechanisms aimed at keeping organizations secure. Reach out to a representative to see how First National Technology Solutions can enhance your security posture against ransomware.