How to pass CEH exam

Ransomware: What is it, and what can I do about it?

Ransomware: What is it, and what can I do about it? 698 364 CyberVista now N2K

Ransomware! What can I do about it?

We live in dangerous times. Your cranky grandfather was right: they are out to get you – but who are “they,” and what the heck are we talking about? Ransomware, of course. It’s out there, and its coming for you.

Mobsters extort money from people. You may be a fan of mobster movies or the Sopranos on HBO, but it’s only fun to watch mobsters at work when you’re not the one getting the shakedown. I don’t know Tony Soprano, and besides, I like Joe Pesci’s character in Lethal Weapon III better than his characters in Casino or Goodfellas. Extortion could be coming to a PC, Mac, or even Linux box near you in the form of ransomware.

It’s fun to watch these guys on TV. It’s not so fun to be a victim in your own home.

First I’ll go over the basics of how ransomware works.  I’ll explain the most common mistake you may be making – even if you’re an IT professional – that might leave you a victim of a drive-by drive-locking. And, of course, I’ll tell you the best ways to prepare to fight ransomware.

In my follow-up post I’ll go over some specific strategies to harden your e-mail and firewall against malware attacks and share a recommended reading list for infosec news.

How the shake-down starts

You can be extorted on the Internet without being infected with ransomware. Hijacking someone’s social media account (like Instagram), changing their login, and then demanding payment for the user credentials is extortion, but it isn’t ransomware.

Ransomware is a type of malware that infects your computer and encrypts your files or blocks access to your own data. The ransomware displays a message stating that the attacker will unlock your files for a price, and that payment should be rendered through a nominally untraceable electronic currency, such as BitCoin or MoneyPak. It usually gives you a time limit and threatens to permanently destroy your data if you don’t pay before the deadline.

For home users, that price is usually set between $150-300 USD or Euros. For business victims, the demand might start at $500 – or it could be $10,000 and escalate from there.

How did the ransomware get there?

The malware that carries the encrypting payload is loaded on your computer in a number of ways. The malware could have come from a downloaded file or from a browser hijack. The malware could be hidden in another program. Any web site that hosts third-party ads, like recipe blogs and your favorite vintage car forum, can be a huge vector for malware no matter how innocent the site itself is; just visiting the site or clicking an ad by accident can expose you to a silent malware download.

No operating system is immune (not even mobile phones or home appliances). Ransomware can affect PCs running any operating system and Macs. Yes, I said Macs. A ransomware called KeRanger was found in a BitTorrent software that was designed to install on the Apple OS X operating system. The KeRanger malware will encrypt files on your computer and try to encrypt Time Machine backup files to prevent you from recovering the data from a backup. The KeRanger malware attackers want $400 for the private key.

[Note: If you frequent Bittorrent sites, you know they have pirated files for download from shady servers. Don’t be surprised when you lie down with dogs and get up with fleas.]

What happens when the ransomware activates?

A majority of active ransomware uses a variation of Cryptolocker. Once the malware is loaded on your computer, it first contacts a central server on the Internet. That server creates a unique encryption key pair. A public key that is kept on the local computer and the private key used for decryption that is kept on the attacker’s central server. Once the public key and private key are created, the malware will begin encrypting files locally on your computer and any mapped drives.

The attacker has the private key and will sell it you to use to decrypt your files. If you have ransomware on your computer, you will get a pop-up that instructs you to pay money via BitCoin, MoneyPack, or something similar.

When ransomware is an offer you can’t refuse

Ransomware is common because it’s cheap to implement (for the attackers) and hugely effective. Steve Perry of Journey once sang the wheel in the sky keeps on rolling. Well, when it stops rolling, everybody raises hell. If your business has an outage, the data has to be restored. Money never sleeps; your network has to hum along 24 hours day. The Internet is like Waffle House: it never closes. (I can go on and on in this vein. Don’t try me.) In short, your customer expects that you will never be closed and that your (and their) data will always be there. Ransomware that locks your data up has kneecapped you right in the business income.

Many business victims would rather just pay the ransom and get access restored. The logic goes that it’s better to pay rather than to lose an unknown amount of revenue from the downtime they’ll incur while trying to root out the infection and restore systems.

Unfortunately, this is EXACTLY why ransomware continues to flourish, and exactly the wrong response to an attack.

Whatever you do, if at all possible: DON’T. PAY. THE. RANSOM. There are two very important reasons why this is a bad idea:

  1. You are dealing with criminals. There is no guarantee you’ll even get the private key to unlock your files.
  2. If you pay, you only encourage this crime to continue.

However, it’s easy for me to lecture you on this. I didn’t have my laptop full of all my kids’ photos, my graduate thesis, the last video of my late wife, or some other valuable data extorted from me. I can honestly say that if I was in that situation, I don’t know whether I would pay to get that data back.

The #1 mistake that leaves you vulnerable to ransomware

Pirating movies. Frequenting shady websites. Buying a “smart” refrigerator and letting it connect to your home wireless router without changing the default settings. Failing to keep your anti-virus programs updated. All of these are bad ideas, but they’re not the #1 mistake that makes you most likely to shell out the (bit)coin and retrieve your data.

Sure, our goal should be to never get infected with ransomware. But given the speed at which these attacks evolve, it’s not realistic to assume that our firewalls and anti-virus software will be 100% effective. The best offense is always a good defense; with ransomware, the best defense is a secure recent backup.

“Threats only work if you’re afraid of the consequences. With a secure external backup, you can wipe your system and walk away from the demands.”

After all, if you have a full image of your system and a secure external copy of your data, you can risk losing a few days’ worth of files while you wipe and reimage your system to remove the malware.  You could use a snapshot to restore your system, or clean your machine and restore your data.

Unfortunately, home users (and many small businesses) rely on cloud-connected file servers like OneDrive and Dropbox to back up the physical copies stored on our hard drive. Or we never keep a local copy of our files, assuming that our cloud providers have better intrusion security than we could provide for ourselves.

Rest assured: backing up to the cloud won’t protect your data. Malware like Cryptolocker can encrypt files on mapped drives and external drives. This definitely means your Dropbox, OneDrive, Google Drive or cloud service that is mapped to your machine can also be infected and your cloud-based files can be encrypted just like your local ones.

You should treat the personal data on your laptop or desktop, company data on your company’s laptop, or data on your company’s devices just like the data on corporate servers and schedule regular backups. Furthermore, you need to back up to external drives.

“You should have your drives backed up to an external drive on a regular basis or use a backup service that does not use an assigned drive. Why does it have to be an external drive? Variations of Cryptolocker can check for shadow files on your computer and disable or delete them.”

How often you perform backups will determine how much you lose.

Until next time,

George Monsalvatge