S3SS10N Wednesday - These 4 Steps Will Prevent You From Ransomware Destruction
By: Tatianna
April 6, 2016
What is S3SS10N Wednesday?
S3SS10N Wednesdays are weekly 15 minute (or less) whiteboard lessons by Cybrary Instructors and SMEs. They are designed to provide you with a quick dose of cyber security learning. We publish a new episode every Wednesday morning (Eastern Time). Now, check out our newest episode below!
Max Alexander
Currently a Federal Law Enforcement Officer, Max is a graduate of the Defense Cybercrime Investigation Academy's Cyber Crime Investigation program. He has 17 years of special operations and investigative experience, and has worked with and provided training to local, state, federal, and foreign law enforcement and military organizations.
Whiteboard Notes
This Session: This brief session covers ransomware and offers an overview, discussing recent trends as well as methods of prevention. Ransomware is a form of malware that attacks an organization's or an individual's computer system and essentially holds the operating system hostage until payment is made to the hacker who has done the damage. This has become very lucrative for hackers, who have discovered that if they are paid in Bitcoin it is very hard for law enforcement officials to catch them. Recent trends include attacks against hospital operating systems in California, Kentucky and Canada. The FBI is currently investigating these attacks, and so far the hospitals have not paid off these cyber criminals. There have also been attacks on the operating systems of law enforcement agencies such as police departments.

Regarding methods of prevention, it is important to train end users on security so they are educated about phishing emails and careful about opening attachments. There are also patches and updates an IT administrator can install on operating systems to prevent attacks.

In the event of a ransomware attack, there are various ways of responding. It is recommended not to pay the ransom; this is a last resort. First, be sure to disconnect from the Internet so nothing else can be compromised. There are also tools you can download to scan your computer and remove the malware. Finally, the Windows operating system automatically creates shadow copies of your data, which can be used to restore files.
Whitepaper

Ransomware: The Emerging Threat Against Organizational Data
by Max Alexander

Ransomware is a growing trend in malware that not only prevents access to the operating system and/or files, but also swindles victims out of money. Ransomware is not limited to making the lives of private citizens difficult, and it does not discriminate between government entities, nonprofit organizations, or private citizens. Anyone with a computer is a target. Getting rid of malware is not an easy task, and some users and organizations who are desperate to regain access to their data may pay the ransom to avoid the hassle of trying to disinfect their systems or, worse, potentially losing access to their data forever.

To provide users and administrators with insight into this emerging trend, this paper discusses the fundamentals of ransomware and what can be done about it. More specifically, this paper details the potential impacts of ransomware on public policy and security. It also provides information on what users and administrators can do to prevent a ransomware infection and what actions they can take if they become infected.

"Ransomware is a type of malware that prevents or limits users from accessing their system" (TREND Micro, 2016, para. 1). However, unlike other forms of malware that merely prevent access to files, ransomware also seeks remuneration from victims, a ransom, to allow them to regain access to their files. Ransomware differs in type and function, and users may encounter ransomware that encrypts their files and possibly their hard drive, prevents users from accessing their system by locking their screens, or prevents the use of web browser applications (Microsoft Malware Protection Center, 2016). Ransomware first appeared at the end of 2005, originating from hackers in Russia (TREND Micro, 2016).
In the original version of ransomware attacks, hackers utilized the TROJ_CRYZIP.A Trojan to place selected files into a ZIP (compressed) folder, and left behind a ransom note demanding users pay $300 to receive the encryption key to unlock their files. These attacks were so successful that ransomware evolved into more nefarious and deceptive methods of holding systems hostage, and hackers have begun to ask for more than a $300 ransom. These increasing demands make ransomware a lucrative business. Individual users and corporations desperate to retrieve their data will generally pay the $300 - $500 to recover their files, with others paying several thousand dollars. The Cyber Threat Alliance (2015) reports that one ransomware infection, CryptoWall, caused $325 million in damages since its discovery in January 2015. Due to the success of recent ransomware attacks, administrators need to anticipate worsening attacks that demand larger sums of money. They also need to understand how ransomware can infect their system, how to prevent/mitigate an attack, and what steps to take if they become infected.

Many organizations may adopt an "It cannot happen to me" mentality, or may assume that because they are using an antivirus they are protected. Unfortunately, and to the detriment of these organizations and their customers, these assumptions are incorrect. Many organizations, some with robust information technology departments, have fallen victim to ransomware attacks. Most recently, in early March 2015, three hospitals in the United States became victims of ransomware attacks. The hospitals, Kentucky Methodist Hospital, Chino Valley Medical Center and Desert Valley Hospital, California, all shut down operations and switched to backup systems after the attacks (Lee, 2016). The BBC reported that, "None of the hospitals is believed to have paid the ransom" and that "[T]he cases are now being investigated by the FBI" (Lee, 2016, pp. 2–3).
These hospitals were lucky in that they had backup data to utilize; however, another attack, which occurred in February 2015 against Hollywood Presbyterian Medical Center in California, resulted in the hospital paying a $17,000 ransom (Gilbert, 2016).

Hospitals are not the only victims of ransomware attacks. The very individuals who are supposed to investigate criminal acts, the police, can also become victims of ransomware. In November 2013, ransomware infected the Glassboro, New Jersey, Police Department's computers and prevented access to their data for five days (Green, 2013). To retrieve their data, some of which was related to ongoing investigations, the Glassboro Police Department paid the hackers $500. Although the incident received notable media coverage, it was not enough to prompt other law enforcement agencies in the region to take action. On December 7, 2014, ransomware infected the Tewksbury, Massachusetts, Police Department's computers (Greenberg, 2015). The Tewksbury Police Department also paid a $500 ransom to retrieve their data, as their "most recent backup was 18 months old" (Greenberg, 2015, para. 4). Police departments and hospitals are not the only victims; cyber criminals have also attacked school districts. In March 2015, ransomware infected the Swedesboro-Woolwich school district in New Jersey, with the criminals demanding between $500 and 500 Bitcoins ($124,000) for ransom (Ms. Smith, 2015).¹ Cyber criminals have also targeted the city government of Plainfield, New Jersey. In this instance, in March 2016, criminals infected the city's files with the TeslaCrypt 3.0 virus, with some of the intrusion spreading to the backup server, and demanded the city pay 500 euros in Bitcoin (Antonelli, 2016). Unfortunately, these instances are not an all-inclusive list of ransomware infections, but represent just a small fraction of the cases.

¹ Conflicting media reports have listed the ransom value at $500 to 500 Bitcoins ($124,000). This is likely due to a lack of understanding about Bitcoin currency.
Worse, the FBI predicts that ransomware infections are increasing and will be on the rise in the future (Federal Bureau of Investigation, 2015). This rise in ransomware will also signal a rise in ransom costs, due to advice published by the FBI indicating that in many instances it is easier to pay the ransom (Paul, 2015). These factors have led some computer security experts to posit that future ransoms could rise to millions of dollars (Danahay, 2016). Therefore, preventing ransomware infections is paramount for administrators and information technology (IT) professionals. The first part of prevention is understanding how ransomware infects systems. Ransomware, like other forms of malware, infects systems through spear phishing, watering holes, downloading free software, unpatched software, and out-of-date or missing antivirus software. These methods can be quite sophisticated, but can be mitigated or prevented through layered security, which includes adequate end-user security training and the use of strong security protocols.

End-users are the first line of defense against intrusions, including ransomware. Administrators must provide user training on common computer security threats and prevention techniques. This training needs to include information on how to identify phishing emails, on safe web browsing habits, and on the risks of removable storage media. Having end-users with a working knowledge of prevention techniques can greatly reduce attacks, the loss of information, and the downtime caused by an attack (Cybrary, 2016). Educating users to avoid opening suspicious email, especially those with attachments, and to avoid clicking on links within emails can pay dividends. Hackers/criminals target end-users as they tend to be the weakest link. Spending the time and money to have an educated workforce can prevent security breaches and thwart attacks that can shut down an organization's operations. Prevention does not end there.
The information technology manager or Chief Information Officer must also ensure the organization has and enforces a robust information security policy. The policy begins with an education program for all employees, but also includes ensuring computers receive regular software updates/patches, ensuring antivirus software is up-to-date, continuous network monitoring for intrusions and improper usage, and, most important, ensuring regular backups of mission critical data. As demonstrated by the previous examples, all sectors of government, private industry, and non-profits are vulnerable to ransomware attacks. Any organization that has data they value and money to spend to recover the files is a potential target. To avoid the costs of paying a ransom to recover data, and the costs of suspending and restarting operations, organizations must ensure they back up and encrypt all important data on a regular basis.

As evidenced by the examples, having a backup copy is important, but having a current backup is essential. The Tewksbury Police Department's backup data was more than 18 months old. They had the right idea, but failed to implement it correctly. If they had backed up their data nightly or weekly, the disruption to the department would have been minimal. However, it is important to keep in mind that the backup location cannot be a mapped network drive or an external device that is continually plugged into the network, as evidenced by the attack against the City of Plainfield, New Jersey, where the ransomware infection spread to the backup location (Myers, 2013). It is advisable to have serialized copies of backup data, "with older versions of files available in case newer versions have been corrupted or encrypted" (Raywood, 2015, para. 9). Once the backup of data is complete, it is important to ensure the data is usable and recoverable; otherwise it is useless.
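Added example (not code from the whitepaper) of the backup discipline described above: each run writes a new serialized generation, restores it into scratch space to prove it is recoverable, and only then prunes older copies. The source tree, destination path and three-generation retention are assumptions; both directories are temporary here so it runs offline.

```python
"""Serialized backups with a restore check.

Added example, not code from the whitepaper. Assumes a source tree and a
backup location that is attached only for the backup window; both are
temporary directories here so it runs offline.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path

KEEP_VERSIONS = 3  # assumed retention policy: newest three generations survive


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_hashes(root: Path) -> dict:
    """Relative path -> SHA-256 of every file under root."""
    return {str(p.relative_to(root)): _sha256(p)
            for p in root.rglob("*") if p.is_file()}


def create_backup(source: Path, dest: Path, stamp: str) -> Path:
    """Write a new, separately named archive; older generations are untouched."""
    dest.mkdir(parents=True, exist_ok=True)
    archive = dest / f"backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=str(p.relative_to(source)))
    return archive


def verify_backup(archive: Path, expected: dict) -> bool:
    """Restore into scratch space and compare hashes with what was backed up."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # safe-extraction filter
            except TypeError:  # Python builds without the filter argument
                tar.extractall(scratch)
        return snapshot_hashes(Path(scratch)) == expected


def prune_old_versions(dest: Path, keep: int = KEEP_VERSIONS) -> list:
    """Drop generations beyond `keep`, oldest first (stamps must sort by date)."""
    archives = sorted(dest.glob("backup-*.tar.gz"))
    for old in archives[:-keep]:
        old.unlink()
    return archives[-keep:]


def run_backup_cycle(source: Path, dest: Path, stamp: str) -> bool:
    """One backup run: archive, verify, keep only if the restore check passes."""
    expected = snapshot_hashes(source)
    archive = create_backup(source, dest, stamp)
    if not verify_backup(archive, expected):
        archive.unlink()  # an unrestorable backup is worse than none: it misleads
        return False
    prune_old_versions(dest)
    return True
```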
Since end-users generally introduce ransomware onto the network, it is also important to ensure users have the lowest level of privileges necessary to perform their duties. End-users should not have local or global administrative rights, as having these rights will allow the ransomware to execute with access to all files and folders available to the administrator. Only the IT department should have the ability to execute and install software. It is also advisable to filter and deny emails that contain an executable (.exe) file extension, preventing users from inadvertently executing a ransomware file within a phishing email (Myers, 2013).

Finally, there are automated programs such as Bitdefender's Ransomware Protection Module, which protects specific folders on a system, preventing untrusted applications from running in these locations (Bitdefender, 2016). Bitdefender's module allows a user to protect his or her most valuable files, and prevents criminals from using these files in a ransomware attack. Bitdefender is also now offering, for free, a ransomware vaccine designed to trick malware into believing a system is already infected so that it will leave the system alone (Wilson, 2016). Bitdefender is not alone in offering this protection; other corporations such as Third Tier, Lexsi, EasySync, and Malwarebytes also offer their versions of ransomware protection. There is no panacea to prevent ransomware infections, but software will provide a substantial defense.

Sadly, once ransomware infects systems, it is profoundly difficult to remove. Many administrators and IT personnel may feel it is easier to pay the ransom than attempt to disinfect their systems. As previously stated, even the FBI suggests paying the ransom is easier (Paul, 2015). However, there is no guarantee that once a victim pays the ransom the hacker will restore his or her files.
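Added example (not the paper's or any vendor's code) of the attachment filter suggested above, generalised beyond `.exe` to other extensions Windows executes, to double extensions such as `invoice.pdf.exe`, and to a check of the file's leading bytes so a renamed executable is still caught. The extension list and the sample message are assumptions constructed for the demonstration.

```python
"""Mail-gateway check for executable attachments.

Added example, not code from the whitepaper. It extends the paper's ".exe
filter" to other extensions Windows executes, to double extensions such as
invoice.pdf.exe, and to a check of the leading bytes so a renamed executable
is still caught. The sample message below is constructed, not real malware.
"""
import email
from email import policy
from email.message import EmailMessage

# Assumed block list of extensions Windows runs directly; extend per policy.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                         ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".msi"}
MZ_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def risky_extension(filename: str) -> bool:
    """True if any suffix in the name is executable, so 'a.pdf.exe' matches."""
    parts = filename.lower().split(".")
    return any("." + p in EXECUTABLE_EXTENSIONS for p in parts[1:])


def looks_like_pe(data: bytes) -> bool:
    """Content check: catches executables renamed to .pdf or similar."""
    return data[:2] == MZ_MAGIC


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'executable-by-name', 'executable-by-content', or 'ok'."""
    if risky_extension(filename):
        return "executable-by-name"
    if looks_like_pe(data):
        return "executable-by-content"
    return "ok"


def filter_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and decide accept/reject with reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        verdict = classify_attachment(name, payload)
        if verdict != "ok":
            findings.append((name, verdict))
    return {"action": "reject" if findings else "accept", "findings": findings}


def build_sample() -> bytes:
    """Constructed phishing-style message: two disguised executables, one PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "clerk@example.org"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please open the attached invoice.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # PE header bytes only, not runnable
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="pdf", filename="statement.pdf")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return bytes(msg)
```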
Further, the hacker may view a paying victim as a source of income, a victim they already know will pay a ransom, and may attempt to infect the victim's system again for a larger ransom. Therefore, many cyber security experts recommend not paying the ransom, as paying only encourages criminals to create more advanced malware for future attacks (Thompson, 2016).

In the best case scenario, organizations that have backup data available can restore their infected files from their backup server. If restoring files from a backup is not an option, organizations may be able to restore their files by using the Microsoft Volume Shadow Copy Service, assuming the ransomware infection did not disable this service. According to Microsoft, "The Volume Shadow Copy Service provides the backup infrastructure for the Microsoft Windows XP and Microsoft Windows Server 2003 operating systems, as well as a mechanism for creating consistent point-in-time copies of data known as shadow copies" (Microsoft, 2003, para. 3). This service will allow users to flag and restore specified files, if needed. ShadowExplorer, a free download, can assist organizations in quickly restoring multiple files from shadow copies. If this option does not work, there is software that can attempt to remove or unlock the ransomware. Kaspersky Labs and Cisco both offer ransomware removal tools that decrypt particular ransomware infections (Kaspersky Labs, 2016). These tools only work on limited ransomware infections and are not guaranteed to work for all infections, especially newer versions. Depending on the type of ransomware infection, users may be able to find decryption keys online from various sources. However, if none of the above options work, users will have to restart their computers in "safe mode and run an on-demand virus scanner," such as Malwarebytes or Bitdefender (Thomas, 2015, para. 9).
If the virus scanner cannot remove the ransomware, users may have to restore their computer to an earlier date and time, assuming this option is enabled. If this cannot remove the infection, they will have to reinstall the operating system. If none of the options presented are viable, organizations may have to pay the ransom. Paying the ransom should be the last resort, and the organization should exhaust all options before paying. The organization may also want to contact law enforcement or an IT security company for additional assistance.

Ransomware is a nasty threat to any organization. Ransomware infections are not limited to individual users and can infect any organization with a computer, including the police. Unlike other forms of malware, a ransomware infection causes victims to lose access to their data and requires them to pay a ransom to recover it. These payments have made ransomware a lucrative business, and the high payoff with low risk is causing its prevalence to rise. Prevention is the best method to protect against ransomware. Hackers and criminals often target end-users, as they tend to be the weakest link in network security. Having a robust security plan, which includes end-user computer security training, is essential in guarding against ransomware. Most important is having redundant and serialized backups of all mission critical data in the event of a ransomware attack, as backing up data is faster and cheaper than trying to resolve the attack after it occurs.

References

Antonelli, T. (2016). NJ city's computer files held for "ransom," officials say. Retrieved March 30, 2016, from https://nj1015.com/nj-citys-computer-files-held-for-ransom-officials-say/
Bitdefender. (2016). How Ransomware protection works in Bitdefender 2016. Retrieved April 1, 2016, from http://www.bitdefender.com/support/how-ransomware-protection-works-in-bitdefender-2016-1549.html
Cyber Threat Alliance. (2015). Lucrative Ransomware Attacks: Analysis of the Cryptowall Version 3 Threat. Retrieved from http://cyberthreatalliance.org/cryptowall-executive-summary.pdf
Cybrary. (2016). End User Security Awareness Training Course. Retrieved March 30, 2016, from https://www.cybrary.it/enterprise-training-solutions/end-user-security-awareness/
Danahay, J. (2016). Next wave of ransomware could demand $millions. VentureBeat. Retrieved March 30, 2016, from http://venturebeat.com/2016/03/26/next-wave-of-ransomware-could-demand-millions/
Federal Bureau of Investigation. (2015). Ransomware on the Rise. Retrieved March 30, 2016, from https://www.fbi.gov/news/stories/2015/january/ransomware-on-the-rise
Gilbert, D. (2016). Turkish Hackers Claim Credit For Hollywood Hospital Ransomware Attack. Retrieved March 28, 2016, from http://www.ibtimes.com/turkish-hackers-claim-credit-hollywood-hospital-ransomware-attack-2327065
Green, J. (2013). "Ransomware" scam appears in Glassboro; police warn of malware attacks. Retrieved March 29, 2016, from http://www.nj.com/gloucester-county/index.ssf/2013/11/ransomware_scam_appears_in_glassboro_police_warn_of_malware_attacks.html
Greenberg, A. (2015). Massachusetts police department pays $500 following ransomware infection. SC Magazine. Retrieved March 29, 2016, from http://www.scmagazine.com/massachusetts-police-department-pays-500-following-ransomware-infection/article/407584/
Kaspersky Labs. (2016). Kaspersky WindowsUnlocker to fight ransomware. Retrieved April 1, 2016, from http://support.kaspersky.com/us/viruses/disinfection/8005
Lee, D. (2016). Three US hospitals hit by ransomware. BBC News. Retrieved March 29, 2016, from http://www.bbc.com/news/technology-35880610
Microsoft. (2003). What Is Volume Shadow Copy Service?: Data Recovery. Retrieved April 1, 2016, from https://technet.microsoft.com/en-us/library/cc757854(v=ws.10).aspx
Microsoft Malware Protection Center. (2016). Ransomware. Retrieved March 28, 2016, from https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx
Ms. Smith. (2015). Crypto-ransomware attack encrypts New Jersey school district network. Retrieved March 30, 2016, from http://www.networkworld.com/article/2901527/microsoft-subnet/crypto-ransomware-attack-hit-new-jersey-school-district-locked-up-entire-network.html
Myers, L. (2013). 11 things you can do to protect against ransomware, including Cryptolocker. Retrieved April 1, 2016, from http://www.welivesecurity.com/2013/12/12/11-things-you-can-do-to-protect-against-ransomware-including-cryptolocker/
Paul. (2015). FBI's Advice On Ransomware? Just Pay The Ransom. The Security Ledger. Retrieved March 30, 2016, from https://securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom/
Raywood, D. (2015). How to avoid being caught out by ransomware. Retrieved April 1, 2016, from http://www.computerweekly.com/feature/How-to-avoid-being-caught-out-by-ransomware
Thomas, C. (2015). Ransomware: Should you pay the cybercriminals? Retrieved April 1, 2016, from http://www.welivesecurity.com/2015/04/23/ransomware-pay-cybercriminals/
Thompson, C. (2016). Why you should never pay hackers if they take over your computer. Retrieved April 1, 2016, from http://www.techinsider.io/why-you-shouldnt-pay-ransomware-hackers-2016-2
TREND Micro. (2016). Ransomware - Definition. Trend Micro USA. Retrieved March 22, 2016, from http://www.trendmicro.com/vinfo/us/security/definition/Ransomware
Wilson, M. (2016). Bitdefender launches ransomware "vaccine" to boost protection. ITProPortal. Retrieved April 1, 2016, from http://www.itproportal.com/2016/03/30/bitdefender-launches-ransomware-vaccine-to-boost-protection/