Ransomware has been in the news a lot in recent weeks following attacks on businesses (less-publicized) and hospitals (Kentucky, Three Hospitals, CA Hospital, etc.). As a service to the healthcare community, we are providing a centralized resource for information on the issue, as well as links to pro-active and reactive remediation.
What is Ransomware?
According to Trend Micro, Ransomware is a type of malware that prevents or limits users from accessing their systems. This type of malware forces its victims to pay a ransom through certain online payment methods in order to regain access to their systems, or to get their data back.
Unfortunately, due to the success of these attacks, the problem is likely to get worse before it will get better.
Symantec provides the following history:
The Rise in Ransomware
Norton by Symantec has witnessed an increase in the amount of professional cyber gangs using ransomware in the last two years. This fraudulent activity, designed to take over your computer and blackmail you for cash, has developed in the following ways:
- After first emerging in Russia and Eastern Europe in 2009, ransomware has spread to Western Europe, the US and many other countries, causing high infection rates and a great deal of frustration for consumers.
- Professional cyber gangs use intelligent malware, which, once it’s on your computer, identifies which country you live in (via your IP address) and presents the message in the local language with a logo of a local public authority.
- The ransomware completely disables the device and is designed so that it seems that the only way to restore functionality is to pay the fine. This raises the chance of the consumer being tricked to pay the ransom.
- Different variants of malware are being developed, and within those variants criminals vary the code slightly to help the malware get past security software. One of the most serious variants was detected 500,000 times in 18 days.
$33,600 in one day
Symantec experts analyzed how criminals monetize the scheme. In the month-long period the experts studied one specific attack in more detail, 2.9 per cent of compromised users paid out. This may seem like a small percentage, but it pays off for the criminals:
- During the month, 68,000 computers were infected: the equivalent of 5,700 every day.
- Ransomware typically charges from $60 to $200 to unlock the computer.
- On a single day, 2.9 per cent or 168 users paid the ransomware, permitting the criminals to potentially earn $33,600; this means the criminals could have made up to $394,000 in one month.
However, given the number of different malware variants and criminal gangs operating ransomware attacks, an estimated $5 million is being extorted from victims per year.
How Can I Protect my Organization?
All the experts seem to agree that the best way to prevent a Ransomware attack is by taking preventative steps. One of the key elements that leads to these attacks is so-called “social engineering” or using average people’s behavior to open up access. In other words: You need to educate your users to defend the system.
There is general agreement on the following steps to prevent an attack:
- Have regular backups of all systems and automate the process.
- Train your users to be cautious – Many of these attacks begin when they are inadvertently executed by users. Make sure your users know where they are going when they access remote sites, and that they know the sender of any emails, especially if there are any attachments.
- Filter mail and downloads – Since many of these attacks begin by a user inadvertently launching an executable file, make sure that email filters do not allow .exe files (or files with multiple extensions) to be downloaded.
- Show File Extensions – As above, many experts recommend that Windows be set to show file extensions. The reason for this is that some attached files may be named something like: “anything.pdf.exe.” Without extensions turned on, it will look to the user like “anything.pdf” is fine, when in fact it is an executable file.
- Apply updates and patches – Software vendors are trying to correct vulnerabilities.
- Use Protection suites (anti-virus, anti-spam) and make sure the software is updated.
- Disable files running from AppData/LocalAppData folders – You can create rules within Windows or with Intrusion Prevention Software to disallow a particular, notable behavior used by Cryptolocker, which is to run its executable from the App Data or Local App Data folders. If (for some reason) you have legitimate software that you know is set to run – not from the usual Program Files area but the App Data area – you will need to exclude it from this rule.
- Disable or restrict RDP –The Cryptolocker/Filecoder malware often accesses target machines using Remote Desktop Protocol (RDP).
- NetSafe – If you don’t already, you should have a business continuity solution, such as Interbit Data’s NetSafe, to allow on-going access to critical information if it is unavailable due to a ransomware attack or any interruption of data access.
More Details are Available at:
11 things you can do to protect against ransomware
How to prevent ransomware: What one company learned the hard way
CryptoLocker Prevention: Top 12 Defenses
PCWorld: How to rescue your PC from ransomware
What To Do If You Suspect an Infection?
- Remove suspect machines from all networks immediately
- Try System Restore
- Access tools from your anti-virus provider and/or resources below
Other Resource Links:
(We are not trying to endorse particular solutions and we receive no compensation for promoting these links.)
Bleeping Computer: CryptoLocker Ransomware Information Guide and FAQ (Very good)
Microsoft: Malware Protection Center
Sophos: How to stay protected against ransomware
TechWorld: The 7 best ransomware removal tools
Kaspersky: Ransomware Decryptor