Over the last few months, there is one topic raising eyebrows and raising security-awareness in the cybersecurity world and that is the rampant rise of ransomware. Yes, we have covered this topic before in my column, but I feel a strong sense of duty in keeping you informed on what the latest hot-buttons in Security are, and ransomware is IT! Need proof? On March 31, 2016, The United States Department of Homeland Security (DHS), in collaboration with the Canadian Cyber Incident Response Centre (CCIRC) issued a joint Security ALERT pertaining to guess what? Ransomware. I feel it is worth covering again. It harkens me back to when I was in deep with my parents for some crazy stunt I pulled as a kid and BOTH my mom AND my dad joined together to sit down and talk to me. I quickly understood that when both parents were present, I was in for a serious discussion. Similarly, this very rare joint-cyber-alert with the U.S. and Canada, providing additional information and caution on ransomware, is no different.
Ransomware is a form of malware developed to encrypt (prohibit access to) files on a computer with the sole intent of extorting money from its victims (paying a ransom to recover encrypted files). Generally speaking, there are two main classifications for ransomware—Encryptor (encrypts all important files and demands a ransom to decrypt files) and Screen Locker (locks an infected system, preventing proper access until a ransom is paid). Most of the latest strains that our Thirtyseven4 Labs are observing fall under the Encryptor classification. In a report released by the FBI late last year, the FBI stated that they have received over 2,400 complaints about [Encryptor-style] ransomware for the year costing victims upwards of $24 million dollars.
According to the most recent joint release, while the ransoms demanded can vary, the individual dollar amount is typically around $200-$400 to restore files. According to internal research on our end, after carefully reverse engineering thousands of samples, we have seen this ransom set as high as $10,000. In fact, officials at Hollywood Presbyterian Hospital in Los Angeles said they paid the equivalent of $17,000.00 to the ransomware creators! Can you imagine having your critical (and potentially lifesaving) patient files encrypted and at the mercy of cyber thugs? And this wasn’t just a single hospital incident, there are numerous reports of other hospitals recently falling victim to ransomware within the last month. (i.e. Baltimore’s Union Memorial Hospital, Chino Valley Medical Center, Desert Valley Hospital and the list goes on).
So you may be asking how all these individuals and organizations are becoming infected with ransomware. In the case of the hospitals above, security professionals believe they have traced the infections to “phishing” emails. Phishing emails may contain links to websites that are infected with malware. Most ransomware infections are a result of opening an infected email attachment. Ransomware attachments have been maliciously and cleverly disguised as Invoices, Resumes, Mail Package Delivery Confirmations, etc. to trick users into opening them. A user or company could also get infected by using an infected USB drive, through unpatched security vulnerabilities or visiting an infected website through drive-by-downloading). In one of the most recent cases, Cisco’s Talos group discovered that ransomware authors were taking advantages of an older version of Follett library management software, in association with JBoss web servers. The cyber criminals would use a known vulnerability in this software to install thousands of backdoors putting over 3 million computers at risk.
To paint a picture of the severity of the ransomware threat, in 2014 the ransomware “CryptoWall” infected 600,000 computers and took 5 billion files hostage! Here at Thirtyseven4, we have seen ransomware detections shoot up by 300% in the 1st Quarter of 2016 (from the 4th Quarter 2015), and our Thirtyseven4 Viruslab has already discovered 28 new families of ransomware. Here is one more additional statistic that is both startling and sad: about 50% of users and businesses hit with ransomware pay the criminals the demanded ransom to get (or maybe not get) their data back.
According to the issued DHS Alert, the US-CERT (United Stated Computer Emergency Readiness Team) recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:
1Go back to a paper file system. Just kidding—wanted to see if you were paying attention! The following are the real recommendations . . .
- Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
2 Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
3 Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
4 Maintain up-to-date antivirus software, and scan all software downloaded from the internet prior to executing.
5 Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the Network.
6 Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the Web. See Good Security Habits and Safeguarding Your Data for additional details.
7 Beware! Do not follow unsolicited Web links in Emails.
The threat of ransomware is the real deal! The topic of ransomware has increased significantly in the media lately, as it’s a concerning issue on the minds of computer users today. I can personally tell you that we [Thirtyseven4] field more questions regarding ransomware than most all other malware related topics combined.
Here are just a few real-world examples of questions/concerns we receive about this “Hot topic”:
- •“Does ThirtySeven4 protect us from this?”
- •“Oh, I was also going to ask, how is your product doing at preventing and detecting Ransomware? That freaks me out these days hearing some of the horror stories out there!!”
- •“On our technical listserv, there are many schools that are being infected with Cryptowall and are using other Antivirus software other than Thirtyseven4. They mention their Antivirus is not ‘catching it’. Can you tell us what we can do to prevent this ransomware and do your definitions include it?”
- •“We were hit three times with Encyptor using a free EDU solution. How is Thirtyseven4 different?”
I feel a very important piece of the topic is to also understand why installing security software is so important to combating ransomware, and to grasp what the antivirus industry is doing about it (understanding that not all security solutions are created equal).
To illustrate this point, here are some steps Thirtyseven4 is taking to lead the industry in its aggressive approach against combating the rise of ransomware. [Let’s just look at the Locky ransomware example]
Signature Detection: For many antivirus vendors this is the primary approach to battling all forms of malware, including ransomware . . . they create and add new signature detections based on their intercepted malicious Locky attachments . . . the problem is that the files keep altering in each variant to evade detection so covering ransomware in signature based detection alone is ineffective. Thirtyseven4’s approach is to create signature based detection after we’ve already proactively (see below) stopped unknown samples. We do not use signature-based detection as the sole means to stop new infections for happening.
Browsing Protection: All Locky files and malicious attachments are executed and reverse engineered on our end and all coded active and inactive URL’s used by Locky to connect to or possibly connect to in the future are properly blocked within our Browsing Protection Module.
Generic Detection: This is the procedure used by some AV scanners to supplement Signature detection. The problem with this approach when it comes to Locky is that their files also vary in their internal structures (in addition to simply scrambling garbage code to evade signature detection) and utilize different and ever changing wrappers. This newer process used by Locky renders Generic Detection ineffective, as it makes it very difficult for a security vendor to block Locky simply by adding Generic Detection. However, Thirtyseven4 still utilizes this detection technique to supplement the additional steps below especially for some of the more “common” groups.
PathBased Detection: A third step is to include and implement PathBased detection. PathBased detection is only being successfully used by a couple of providers as a proactive approach to detecting ransomware. Thirtyseven4 incorporated this technique a few years back in our Advanced DNA Scan module (added feature in our Thirtyseven4 Endpoint Security Console 5.3 release). Up until recently, it has been an absolute way of detecting unknown ransomware threats. However, the logic behind Locky changed that. Instead of copying itself into a users Application Data directory, Locky began dropping itself in the %temp% directory under random names. Previously used PathBased Detection resulted in likely high possibility of false detections. More needed to be done to reduce false detections and yet keep a high level of proactive detection. Due to growing number of cases, we still utilize Pathbased detection on the basis of their names that are commonly found in Locky cases.
Engine Enhancements: Given the new nature of Locky and desiring to provide our customers with the absolute best protection against Locky and similar threats, we quickly incorporated new industry leading engine enhancements. For this section, I am electing not to disclose all the nuts and bolts of what we are doing here due to the sensitivity of the “cat and mouse game” between us and the bad guys! All I will say is that its high-level, industry leading stuff that has been proven 100% effective against the Locky threat! We are continually adding new engine enhancements as the techniques of the cybercriminals evolve.
In conclusion, even children can sense when a situation is serious. When both my parents had me sit down with them, I knew that we were in for a “teachable moment” as they called it. And when both the United States and Canada release a warning together about the dangers and vulnerabilities associated with ransomware, we would be like ignorant children to turn our heads the other way. We must educate ourselves (reread this article!) and take proactive measures in keeping our information and data (and family and lives!) safe. Consider this our little “teachable moment”, and let’s move forward positively!