A second wave, or second generation, of ransomware has appeared in the wild, with researchers describing it as more dangerous than its predecessors. This week, Synology experienced a targeted attack that crippled customers’ data, while Trend Micro reports a potential successor to CryptoLocker called CryptoBlocker.
Ransomware is not a new technique but over the past 18 months it has become a serious threat because data is now at risk of being lost – for good – unless…
Ransomware is a type of malware designed to disable a computer, laptop or mobile device, typically by encrypting the data in such a way that the user can no longer access the device or the data. The malware then displays ransom notices telling the victim what the “solution” is.
The main purpose of ransomware is to make money for the cybercriminals. Once the data on an infected machine is encrypted, the victim is told that unless they pay a certain amount, they will not be able to get their data back.
This type of malware is constantly under development and makes the most of the latest technologies. The first instance of ransomware dates back to 1989 with the AIDS Trojan. This piece of malware misled users into believing their software licence had expired, encrypted the file names on the hard drive and asked for payment to be sent to a post office box in Panama. In 2010, WinLock did something similar by blocking victims from accessing the user interface of their operating system and asking for a payment via premium-rate SMS to unlock it.
Last year, ransomware came back with a vengeance (CryptoLocker), using anonymity networks (Tor) and asking for Bitcoins instead of conventional currency, which made it even harder for the authorities to identify the cybercriminals. The newest breed of ransomware (Critroni) uses military-strength encryption to make sure user files cannot be recovered without the attacker’s key. The malware is supported by a cloud-based infrastructure designed to make it easier for victims to pay the ransom (and for more money to make its way into the criminals’ pockets). It also introduces a new and important element, stealth: the malware evades most antivirus engines. This latest outbreak highlights the need for more security layers and alternative ways of mitigating the risk.
Let’s have a look at how ransomware works:
a) Initial infection: typically via an email attachment, a malicious download, or installation by other malware already on the machine;
b) Getting comfy: the ransomware alters the relevant registry keys (typically an autostart “Run” entry) and drops its files so that its code runs every time the computer starts;
c) Calling home: the malware contacts the attacker’s server to register the infection and obtain the encryption key;
d) Doing the dirty work: it then encrypts the user’s files using the key obtained from the attacker’s server;
e) Making some noise: the ransomware displays ransom notices and links that take the victim to websites accepting payment in Bitcoin.
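As an added illustration of step b), here is a Python script written for this article (not code from the original post or from GFI) that parses a registry export of the per-user Run key and flags autostart entries whose executable lives in a user-writable location such as %AppData% or %Temp%, which is where this generation of ransomware typically installs itself. The sample export, the entry names and the paths are constructed for the example and are not real indicators.

```python
import re

# Constructed sample of what `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# produces. Entry names and paths are made up for this example; they are not real indicators.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Wkmnrxq"="\"C:\\Users\\alice\\AppData\\Roaming\\Wkmnrxq.exe\""
"Updater"="%TEMP%\\svchost.exe -s"
'''

# Locations a standard user can write to without elevation; legitimate software
# rarely autostarts from here, while drop-and-run malware almost always does.
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "%appdata%", "%localappdata%",
    "\\temp\\", "%temp%",
    "\\users\\public\\", "\\downloads\\",
)

# A .reg string value line: "Name"="value", with \" and \\ escapes inside the quotes.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_run_entries(reg_text):
    """Return a list of (key, name, command) for every string value under a ...\\Run key."""
    entries = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line)
        if m and key and key.lower().endswith("\\run"):
            name = m.group(1)
            command = re.sub(r"\\(.)", r"\1", m.group(2))   # undo .reg escaping
            entries.append((key, name, command))
    return entries


def command_path(command):
    """Extract the executable path from an autostart command line (quoted, or the first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_run_entries(reg_text):
    """Return Run entries whose executable lives in a user-writable location."""
    flagged = []
    for key, name, command in parse_run_entries(reg_text):
        path = command_path(command)
        reasons = [mark for mark in USER_WRITABLE_MARKERS if mark in path.lower()]
        if reasons:
            flagged.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(f'{hit["name"]}: {hit["path"]}  <- {", ".join(hit["reasons"])}')
```

Running this against the constructed export flags the two entries that start from the user profile (`Wkmnrxq` under AppData and `Updater` under %TEMP%) and leaves the OneDrive entry under Program Files alone. The same check can be pointed at the HKLM Run keys and the per-user Startup folder; the location of the executable, not its name, is what gives the entry away.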
Although ransomware is becoming more sophisticated by the day, that doesn’t mean users are helpless to prevent these infections. Here are three easy-to-follow steps to protect your devices against ransomware:
1. Scan all emails and web downloads with at least two antivirus engines
This gives the initial infection a much lower chance of getting onto the corporate network. Multiple antivirus engines help to mitigate zero-day threats, since the engines have different signatures and heuristics, and increase the likelihood that the malware is identified and stopped before it enters the network.
2. Block user access to malicious or vulnerable websites
Apart from email, ransomware propagates via malicious and vulnerable websites. Vulnerable websites are a major concern because they are legitimate sites that users trust and visit regularly. These sites become an accessory to a ransomware infection when attackers exploit a weakness in the site to inject script or a hidden iframe that silently redirects the browser to an exploit kit; the kit then exploits a vulnerability in the browser or one of its plug-ins to download and run the malicious payload without the user clicking anything. The ability to prevent user access to trustworthy but compromised websites, as well as outright malicious ones, greatly lowers the risk of a ransomware infection.
3. Monitor and block outbound connections to TOR / anonymity networks
If a ransomware infection occurs in spite of advanced perimeter antivirus protection, the capability to monitor web traffic will help to identify the infection and its source: the first internal host seen connecting to an anonymity network is the likely patient zero. Furthermore, the capability to automatically block traffic to anonymity networks, which this generation of ransomware uses to fetch its encryption keys, stops the malware from applying strong file encryption. Without a key from the server, the malware cannot do its work and the infection is never registered, so the attackers do not learn that the malware got into the corporate network and cannot use that foothold to launch further attacks. One caveat a practitioner should keep in mind: this only holds for families that depend on the server for their key; variants that carry an embedded public key or generate keys locally will still encrypt when cut off, so blocking the call-home is a layer, not a substitute for backups.
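As an added example of the monitoring described in step 3 (written for this article; it is not code from the original post or from GFI WebMonitor), the following Python script scans proxy log lines for outbound connections that look like Tor traffic: .onion hostnames, destinations on a relay list, or the default Tor relay ports, and reports the earliest hit per internal host so the source of the infection can be found. The log format, the relay addresses (taken from the reserved documentation address ranges) and the internal hosts are all constructed; a real deployment would load the current relay list from the Tor Project and adapt the parser to its own proxy’s log format.

```python
# Constructed Tor relay addresses for this example only (TEST-NET documentation
# ranges, not real relays). A real deployment would load the current list from
# the Tor Project on a schedule, e.g. https://check.torproject.org/torbulkexitlist
KNOWN_TOR_RELAYS = {"198.51.100.7", "203.0.113.41"}

# Default ORPort / DirPort of a Tor relay. A weak signal on its own, since many
# relays listen on 443 and other ports, so it is reported but not treated as decisive.
TOR_DEFAULT_PORTS = {9001, 9030}

# Constructed proxy log: timestamp, internal client, destination host, port, method, bytes.
SAMPLE_PROXY_LOG = """\
2014-08-08T09:12:01Z 10.0.0.15 www.example.com 443 CONNECT 2048
2014-08-08T09:12:07Z 10.0.0.15 198.51.100.7 443 CONNECT 5120
2014-08-08T09:12:09Z 10.0.0.15 abc123def456.onion 80 GET 300
2014-08-08T09:13:30Z 10.0.0.22 192.0.2.55 9001 CONNECT 4096
2014-08-08T09:14:02Z 10.0.0.22 updates.example.org 80 GET 100000
"""


def tor_indicators(dst, port):
    """Return the reasons a destination looks like a Tor / anonymity-network endpoint."""
    reasons = []
    if dst.lower().endswith(".onion"):
        reasons.append("onion address")       # only reachable through Tor (or a Tor2web gateway)
    if dst in KNOWN_TOR_RELAYS:
        reasons.append("known Tor relay")
    if port in TOR_DEFAULT_PORTS:
        reasons.append("default Tor relay port")
    return reasons


def tor_callbacks(log_text):
    """Parse proxy log lines and return one alert per connection that matches a Tor indicator."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue                           # skip malformed lines rather than crash
        ts, src, dst, port, method, size = fields
        reasons = tor_indicators(dst, int(port))
        if reasons:
            alerts.append({"time": ts, "src": src, "dst": dst,
                           "port": int(port), "reasons": reasons})
    return alerts


def first_seen_by_host(alerts):
    """Earliest suspicious connection per internal host; the earliest overall is the likely source."""
    first = {}
    for a in alerts:                           # ISO-8601 UTC timestamps compare correctly as strings
        if a["src"] not in first or a["time"] < first[a["src"]]:
            first[a["src"]] = a["time"]
    return first


if __name__ == "__main__":
    found = tor_callbacks(SAMPLE_PROXY_LOG)
    for a in found:
        print(f'{a["time"]} {a["src"]} -> {a["dst"]}:{a["port"]} ({", ".join(a["reasons"])})')
    print("first seen per host:", first_seen_by_host(found))
```

On the constructed log this flags three of the five connections and reports 10.0.0.15 as the first host to reach out, at 09:12:07. The same three checks can be turned into a block rule on the proxy; the relay-list match is the reliable one, while the port heuristic should only raise an alert for a human to look at.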
These are important steps to take; however, it is impossible to monitor traffic manually 24/7. Automation is a sysadmin’s favourite word. At GFI, we have been monitoring these latest outbreaks, and with GFI WebMonitor ransomware can be kept at bay.
Here’s how GFI WebMonitor does this:
- Antivirus scanning with up to three engines greatly reduces the chance that ransomware, including zero-day threats, is downloaded from the internet;
- Robust security features provide layers of protection when users are accessing malicious or vulnerable websites, further reducing the risk of infection;
- If antivirus and security features fail, advanced web filtering technology will prevent the ransomware from connecting to the attacker’s servers on anonymity networks, thereby rendering the malware ineffectual because encryption of data cannot take place.