Over the last few months, there has been tremendous growth in the number of ransomware attacks running rampant in the wild. Cybercriminals have not only cracked this ‘business model’, but are successfully generating a significant amount of money through this attack avenue. What was once an attack technique that was aimed solely at susceptible individual users has now been strategically developed into the ability to penetrate advanced enterprise networks as well. Ransomware attacks are capable of causing significant system downtime, loss of critical data, Intellectual Property (IP) theft and more. In several industries, a ransomware attack is now considered on par with a significant data breach.
Compared with other malware, ransomware is highly destructive in nature, and its popularity shows how exposed critical user data is: once infected, that data is rendered unusable until a ransom is paid.
Here we will discuss ransomware under the following broad sections:
• What is Ransomware?
What is Ransomware?
Ransomware is a type of malware that restricts access to or damages infected computer systems for the sole purpose of extorting money from victims (holding them ransom). This money can be in the form of direct payments or via Bitcoins. Ransomware also has the capability to encrypt user files on a system and display threatening or incriminating messages on screen in order to demand money via online payment mechanisms. Ransomware can be broadly classified into the following two types:
• The first type encrypts all important files and demands a ransom to decrypt them.
• The second type locks the infected system completely and prevents any use of it until a ransom is paid.
Because computer users save and store many kinds of important material (documents, images, photos, source code etc.) on their systems, ransomware variants make sure they can encrypt every file type that is likely to hold personal data. The extensions commonly targeted by ransomware are listed below:
*.c *.h *.m *.ai *.cs *.db *.nd
*.pl *.ps *.py *.rm *.3dm *.3ds *.3fr *.3g2
*.3gp *.ach *.arw *.asf *.asx *.avi *.bak *.bay
*.cdr *.cer *.cpp *.cr2 *.crt *.crw *.dbf *.dcr
*.dds *.der *.des *.dng *.doc *.dtd *.dwg *.dxf
*.dxg *.eml *.eps *.erf *.fla *.flv *.hpp *.iif
*.jpe *.jpg *.kdc *.key *.lua *.m4v *.max *.mdb
*.mdf *.mef *.mov *.mp3 *.mp4 *.mpg *.mrw *.msg
*.nef *.nk2 *.nrw *.oab *.obj *.odb *.odc *.odm
*.odp *.ods *.odt *.orf *.ost *.p12 *.p7b *.p7c
*.pab *.pas *.pct *.pdb *.pdd *.pdf *.pef *.pem
*.pfx *.pps *.ppt *.prf *.psd *.pst *.ptx *.qba
*.qbb *.qbm *.qbr *.qbw *.qbx *.qby *.r3d *.raf
*.raw *.rtf *.rw2 *.rwl *.sql *.sr2 *.srf *.srt
*.srw *.svg *.swf *.tex *.tga *.thm *.tlg *.txt
*.vob *.wav *.wb2 *.wmv *.wpd *.wps *.x3f *.xlk
*.xlr *.xls *.yuv *.back *.docm *.docx *.flac *.indd
*.java *.jpeg *.pptm *.pptx *.xlsb *.xlsm *.xlsx
Here are some screenshots of a few ransomware families:
Screen Blocker: Urausy
Spam emails are a major contributor to the spread of ransomware across the globe. These emails usually carry an attachment consisting of a two-level .zip archive that ultimately contains a .scr file. Recently, attachments with .cab extensions have been observed as well.
Below is a sample email:
The malicious file inside this attachment is a downloader which installs and executes ransomware on the machine.
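The attachment structure described above (a .zip inside a .zip, hiding a .scr executable, or a .cab archive) is something a mail gateway can flag before delivery. The following is an added illustration, not Thirtyseven4's code: it walks nested zip attachments in memory and reports .scr members, nested archives and .cab files, using a constructed sample attachment. The depth limit and the sample file names are assumptions.

```python
import io
import zipfile

# Patterns the post describes: nested .zip archives carrying a .scr file,
# or .cab archives. .cab is only flagged here, not unpacked.
EXECUTABLE_EXTENSIONS = {".scr"}
MAX_DEPTH = 3  # assumption: refuse to recurse deeper than this


def inspect_attachment(name, data, depth=0):
    """Return a list of (path, reason) findings for one attachment blob.

    Zip archives are opened in memory and walked recursively so that a
    payload hidden two levels down is still reported.
    """
    findings = []
    lower = name.lower()
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append((name, "executable attachment (.scr)"))
    elif ext == ".cab":
        findings.append((name, "cab archive, not inspected"))
    elif ext == ".zip":
        if depth >= 1:  # an archive inside an archive
            findings.append((name, "nested zip archive"))
        if depth >= MAX_DEPTH:
            findings.append((name, "archive nesting too deep"))
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = f"{name}/{info.filename}"
                    findings.extend(
                        inspect_attachment(member, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            findings.append((name, "corrupt or non-zip payload"))
    return findings


def build_sample_attachment():
    """Constructed sample: a two-level zip hiding invoice.pdf.scr."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.pdf.scr", b"MZ-not-really-a-screensaver")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, why in inspect_attachment("invoice.zip", build_sample_attachment()):
        print(f"{path}: {why}")
```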
Ransomware samples commonly use the following payment mechanisms to collect the ransom:
• SMSs or phone calls to premium-rate numbers
• Prepaid electronic payment – Ukash, MoneyPack etc.
• Bitcoins – virtual currency which makes it difficult to trace the actual recipient of the money
Ransomware creators have also started hosting dedicated payment gateways running behind TOR networks for anonymity, as seen in the case of TorrentLocker.
Users are strongly advised not to pay ransom amounts that are demanded. Making such a payment encourages this menace and moreover, it does not provide any guarantee that decryption and data recovery will be provided by the attacker.
We also recommend the following security measures to remain protected against ransomware attacks:
• Ensure you are using the latest version of Thirtyseven4 and it is updated with the latest virus databases.
• Thirtyseven4 provides multiple lines of defense against malware, including Virus Protection, DNAScan, Advanced Behavior Detection System and Email Protection. All should be enabled within your settings. We strongly recommend that you configure your Thirtyseven4 security product for maximum protection.
• Since Thirtyseven4 makes use of behavior based detection, we recommend that our users stay alert to any Behavior Based Detection (BDS) prompts they receive. There have been cases where the BDS detected ransomware but the user allowed execution without actually reading the prompt.
• Email Protection: Since ransomware commonly enters systems as spam emails with multiple levels of compressed .zip or .cab archives, or at times links to other downloadable files, you should make sure email protection is ON. Thirtyseven4 Email Protection actively blocks such malicious and suspicious attachments.
• Browser Sandbox is a great tool against malware that uses the Internet as its infection vector. Enable Browser Sandbox from the Thirtyseven4 dashboard >> Internet and Network Settings. Alternatively, you can use the “Thirtyseven4 Secure Browse” feature by launching it from your desktop while you are checking emails or accessing the Internet. The feature creates a secure layer around the OS to prevent tampering by malware.
• Advanced Behavior Detection System is a proactive detection-based tool that takes into account the behavior of an application. If the application under suspicion is not installed by you, it is recommended to block activity of this application by selecting the ‘BLOCK’ action.
• External Drives and Devices: Enable Autorun Protection and scan USB drives or external hard drives before copying any files from them.
• Periodically, scan the system using AntiMalware (Thirtyseven4 dashboard >> Tools >> Launch AntiMalware) which detects Adware, pop-ups and potentially unwanted applications (PUAs). It removes the risk of downloading malware through “Malvertising”.
Applying important software updates and patches
Ensure that Windows Update is enabled so that regular security updates are downloaded and applied automatically, and that your system has the latest Windows security patches installed. Also apply updates for important software that is regularly targeted, such as:
– Microsoft Office
– Adobe Acrobat Reader
– Web browsers like Internet Explorer, Chrome, Firefox, Opera etc.
– Adobe Flash Player
Regular backup of important data
It is very important to have a backup policy covering all of your important data. We highly recommend that you periodically back up your important data using the right combination of online and offline backups. Do not keep offline backups connected to your system, as that data could also be encrypted in case of an infection.
Follow best security practices
• Do not open or execute attachments received from unknown senders. Cybercriminals use ‘Social Engineering’ techniques to lure users into opening attachments or clicking on links that deliver malware. Don’t be duped!
• Keep strong passwords for login accounts and network shares.
• Avoid downloading software from untrusted P2P or torrent sites. At times, they are Trojanized with malicious software.
• Do not download cracked software, as it carries the added risk of opening a backdoor for malware into your system.
Thirtyseven4, LLC is dedicated to serving customers with a full palette of security solutions including AntiVirus, AntiMalware, Anti-Ransomware and Zero-Day Threat Protection.