Translate
Phone
USA +1 813 304 2544 IRL +353 91 54 55 00
TitanHQ

Ransomware Business Survival Guide

Ransomware Business Survival Guide - 2017 does things differently

Part 1 – The Here And Now

From WannaCry to Locky to Spora to CryptoLocker, today’s ransomware variants can take down businesses in minutes. Ransomware will prevent file access, web browsers, applications, and entire operating systems. 

Ransomware continues to evolve with new strains released on a continuous basis.  After last year’s intake of $1 billion dollars in ransomware, it should be assumed that every Tom, Dick and Harry of the cybercriminal world is working right now to improve its distribution in order to gain more victims while at the same time, streamlining the user experience in order to improve collection rates.

Star Trek Themed Ransomware Continues its Ominous Proliferation

The newly discovered ‘Star Trek themed Kirk ransomware’ targets 625 file types and demands the ransom be paid in Monero instead of Bitcoin.

Beam Me Up Your Ransom

In a bizarre twist, a new strain of ransomware not only exploits your data, but the Star Trek theme as well.  Simply dubbed, 'Kirk Ransomware', it announces its presence on your screen with an image of Captain Kirk of the Starship Enterprise who informs you that your data has been encrypted as well as details of the required ransom.  As a ‘playful’ gesture, all of the encrypted files are renamed with a “kirk” file extension. Victims who pay are then directed to the image of Mr. Spock who then provides instructions on how to recover your data using a “Spock Decryptor” that is sent once payment is received.  The malware disguises as the Low Orbit Ion Cannon (LOIC) denial of service tool that is commonly used for stress testing. 

Monero cryptocurrency requested not Bitcoin

The embedded code is very efficient and is obviously the creation of a team of skilled programmers.Besides the incorporation of a creative twist within this new malware threat, its creators have strayed away from the usual protocol of Bitcoin as a payment currency and instead require the use of Monero.  This cryptocurrency exponentially grew by 27-fold in 2016 and is beginning to establish itself as a viable alternative to the default cryptocurrency leader.  Its growing popularity amongst the dark web black market is due to its increased steal ability which makes it more private and elusive.

Has Bitcoin become too mainstream for scammers?

It is these factors that make Monero the first choice amongst sinister characters such as drug and gun dealers on the dark web.  Perhaps the developers of Kirk believe that Bitcoin has become too mainstream, especially with the interest of public investors who are looking at Bitcoin as a financial venture.  In the short term, ransomware developers run the risk of users becoming even more confused concerning the process of actually how to pay the ransom with multiple cryptocurrencies being utilized.  Kirk developers are currently demanding a ransom of 50 Monero at the outset of the attack which is roughly $1,072 (£867).  The fee increases as time goes on until upon the 31st day of the infection, the decryption key is permanently deleted as stated in the ransom note.

WannaCry Attack

WannaCry was a comprehensive attack driven by a replicating worm stolen from the National Security Agency (NSA) by a hacking organization, the Shadow Brokers. The WannaCry ransomware cyberattack proves that ransomware has now matured from a malicious menace to a global threat. For many people up to now, ransomware has been a foreboding threat limited to poor end user security awareness or the organization afflicted with poor patching practices and a dearth of enforced security policies.  We have written numerous times about the fact that Ransomware became a $1 billion industry in 2016. 

A billion dollars brings a lot of interest and spotlight to something, even something as dangerous as encrypting malware.  It also brings a lot of legitimacy to those who create it, design, package it and deliver it.  Having surpassed the billion-dollar watermark, it was obvious that malware was not going to be a mere flash in the pan. Something big was surely going to happen in 2017, and on Friday afternoon, May 12, 2017, it did, surpassing all expectations. Although Wannacry ransomware has gained massive media exposure, affected 150 countries and put more than 200,000 computers out of service, we block dangerous malware like this daily with both SpamTitan anti spam and our content filtering solution, WebTitan.

You can read all about it here in this recent TitanHQ article.

Part 2 – Payment Methods, More Monero, More Problems?!

Cyber Criminals Love Monero

Monero, the cryptocurrency launched in April of 2014, has become a favorite among the online criminal community, owing largely to the extraordinary privacy and security it offers. Unlike most cryptocurrencies, Monero employs an opaque blockchain rather than the more common transparent one used by most other cryptocurrencies. With Monero sending and receiving addresses, along with transaction amount are hidden by default, although they may be viewed by auditors.

Popularity of the currency is evidenced by the 2760% increase in value during 2016, and with a doubling of its price to $23 in February of 2017, it is on track to repeat that performance, this year. A huge driver of this growth is owed to it being accepted by AlphaBay, the largest dark net black market, beginning in August of 2016.

The rise in popularity of Monero and other cryptocurrencies, where there is no readily available audit trail, has caught the attention of law enforcement. In January, FBI Special Agent Joseph Battaglia had this to say: “There are obviously going to be issues if some of the more difficult to work with cryptocurrencies become popular. Monero is one that comes to mind, where it’s not very obvious what the transaction path is or what the actual value of the transaction is except to the end users”.

Your Monero or Your Files

Kirk ransomware, which made its debut in March, offers another indication of how popular Monero has become with hackers. This Star Trek themed piece of malware, which disguises itself as a network stress-testing application, encrypts files on the infected system and adds a .kirk file extension to the exploited files. To decode the files, a ransom must be paid in exchange for an application named Spock, used to decode the files. Unlike previous ransomware attacks, where Bitcoin was the demanded payment, Kirk victims can only pay with Monero. While this is the first piece of ransomware that will only accept Monero, it is probably the first of more to come.

Monero Miners

As with other cryptocurrencies, hackers have begun mining Monero. One hacker in particular, Bond007.01 who is suspected to be out of China, has unleashed a botnet, that has infected over 15,000 machines and is using these to mine the currency. Most of the infected machines are older Windows servers, frequently underutilized by the owners, so the activity goes unnoticed. Damage comes in the form of the machine owners paying the electricity, maintenance and other expenses to maintain the systems, making the estimated $25,000 a month earned by Bond007.01 pure profit. Concern here among security professionals is that the highly profitable endeavor will encourage Bond007.01 to continue and others to follow suit, and that the infected machines may be used for future online scams or attacks, when mining becomes unprofitable.

Scammers are Scammed

While there are legitimate investors, who purchase Monero coins in the expectation that they will appreciate, and shoppers who want privacy for lawful transactions, most Monero users are engaged in some unlawful activity. They may be purchasing drugs, malware, stolen credit card numbers and other contraband online, or demanding payment to free data in a ransomware attack. It may come as consolation to some that millions of dollars’ worth of Monero coins have been stolen from Monero wallets.

Some of the heists have been through the establishment of bogus Monero wallet sites, set up for a short time and vanishing shortly after. Others wallet sites have reportedly been hit by hackers and had the Monero coins stolen from accounts. With no easily audited trail in the block chain and many criminal users of the currency, it is impossible to know how much has truly been stolen.

Security experts recommend that anyone who might need a Monero wallet thoroughly research the site providing the wallet.  It is also advised that users should only use these sites as quick pass through, rather than store for any length of time to reduce likelihood of having coins stolen, given that there is little hope of being compensated in the event of theft.

Part 3 – Tailored Ransomware

Granular Targeting of Ransomware through Customization

Ransomware has been characterized as a passive attack in the past, meaning that a user happened to stumble across an embedded email link or made an unfortunate visitation to a drive-by site and was infected.  Unfortunately, ransomware is getting a whole lot smarter.  Developers are now designing ransomware to purposely target prescribed destinations be it industries or folder directories.

Philadelphia ransomware kit

For instance, a new strain of the Philadelphia ransomware kit that is sold on the Internet for a few hundred bucks to anyone who can afford it (and brave enough to install it) is specifically designed to target healthcare organizations.  This should be no surprise as healthcare organizations have become the #1 target of ransomware attacks ever since the much publicized attack on Hollywood Presbyterian Hospital early last year.

In this instance, the malware is distributed through a spear-phishing attack that is intentionally directed at hospitals.  The message contains a URL that points to a DOCX file that contains the logo of the targeted organization, a signature of a medical practitioner from that organization as well as three document icons that pertain to patient information.  Once any of the icons are clicked, the attack is launched and the ransomware variant begins its dastardly deed.  This ability to customize the look of the “bait” vastly increases the likelihood of someone being lured in.  Thus far, two hospitals on the northwest coast of the United States have fallen victim. 

Tailoring ransomware attacks to specified file extensions

Customization isn’t just allowing hackers to purposely target select industries. Through customized fields, ransomware builders give their distribution customers the ability to tailor their attacks to specified file extensions, folder directories and even computer names. Someone who has done their homework on a select company can create a fully customized attack.

Be it the ability to integrate iconic TV characters into ransomware or to create multiple customized adaptations, it is obvious that ransomware builders have ample time to innovate and development new strains.  It is also evident that ransomware development has entered a new stage, perhaps ransomware 2.0. The concern is that ransomware delivery strategies will outpace the strategies that prevent it.

Thankfully so far recorded infection and exposure rates to the Kirk ransomware are low. Saying that, 2017 looks to be another dark year for network security thanks to the escalating rate at which new ransomware variants are coming to market. Ransomware is the fastest growing malware threat today. Security must be inherent and pervasive across the organisation, that includes the  entire network, the data center, on end points and in the cloud. Lean on your security vendors and leverage their in depth experience in order to increase your organisations security posture.

Part 4 –   What are the Best Ways to Stop Ransomware?

The Internet is a buzz this week as organizations scramble to learn more about how to stop WannaCry and other ransomware variants.  If ransomware did not have people’s attention previously, it does now after the global attack that paralyzed hundreds of thousands of computers in over 150 countries.  With $1 billion dollars in revenue through 2016, the unprecedented attack is surely just a foreshadow of things to come.  With that kind of money at stake, it is probably safe to say that no one within the ransomware hacker community is thinking of retiring yet for sure.

So how do you stop ransomware?  There are numerous ideas and methods out there that are implemented, some successful, some not so much.  In this article, we will look at what doesn’t work, and what is involved in the solutions that actually do.

First what doesn’t work?

Some people think that not allotting local admin rights to users will prevent ransomware from being installed on their devices.  This premise makes sense since users are unable to install traditional applications on laptops running the Windows operating system without privilege access.  Though denying users admin rights will protect devices from some types of malware, ransomware will install on a user’s device in the same fashion that Google Chrome does for standard users. 

Some people think encrypting their files or drives will prevent ransomware from encrypting them in return.  Although using Windows BitLocker or some other application to protect your files from being confiscated is an excellent idea in order to prevent data breaches, it has no effect on ransomware, as the malware will simply just re-encrypt the files.

What partially works?

Email continues to be the main deployment method for ransomware, through either embedded links or attachments.  One way to prevent users from clicking embedded links is by simply eradicating them by enforcing plain text mode for user email clients.  This was a more common practice years ago when some email clients allowed emails to run JavaScript code automatically when a user opened an email and infecting the computer.  Fortunately, this vulnerability no longer exists today.  Although this will not deter attachments from getting through, it will reduce the attack surface of your emails.  Do not be surprised however when your users overwhelm your help desk with complaints however as to why their email suddenly looks so primitive.

Modern browsers today offer various configuration settings that can help stifle the ability of malware to download from drive-by sites.  Chrome offers settings such as “Protect you and your device from dangerous sites.”  Firefox has settings that will warn users of attempted add-ons and block reported attack sites while IE can disable file downloads.  The challenge is to configure these settings for all of your users and enforce them.  Outside of a third party management solution, the endeavor of enforcing settings for all supported browsers is extremely difficult.  Although enforcing browser settings should be viewed as only a supplemental solution at best.

What does work but requires much configuration

Application White Listing is a solution that is growing in popularity with schools, financial institutions and healthcare organizations.  Using a tool such as Windows AppLocker, network admins can foist a list of preapproved applications on users that utilize a device running Windows Enterprise or Education versions of Windows 7, 8 and 10.  Any application or executable that is not on the list is simply denied.  In essence, this makes the user device a kiosk computer, allowing the user to only utilize what is available.

Windows 10 unveiled a new security tool called Device Guard that only allows applications or executables signed by a certified publisher to function.  This means that you must supply a certificate for every application in order to approve it.  As an added security level, Device Guard operates within a virtualized container in order to protect itself as well.  Like AppLocker, it does require considerable configuration and testing.  It also has specific hardware requirements and does require considerable configuration and testing.  

Simple Solutions that Require Little Management

Why the 3-2-1 Backup Strategy Works

The best way to recover a system without making payment is to ensure that there are up-to-date, reliable backups created for all data (operational, development, configuration files, etc.). Backups can be created to roll a system back to a point in time just before the ransomware attack occurred, minimizing the loss of data and damage done to your computing devices. Additionally, larger organizations have begun looking at “air-gapped” solutions, in which continuous backups are created and sanitized, before being stored in a “vault”. This vault solution provides an immediate method to restore systems, while scanning all data entering the vault to verify the absence of malware or malicious activity.

Ransomware can be detrimental to an both individuals and organizations alike if it makes its way into your systems. Though attackers have become more sophisticated in their attack methods, if we invest time and resources into our security strategies we can greatly harden our networks and rid ourselves from the vulnerabilities that plague us. Both preventative and fail-safe measures are extremely important to protect your data (and wallets!), and the extra effort into your security approach will provide much peace of mind.

Every organization depends on email today, which is why they need an email protection solution.  This is different than a mere spam filtering system.  Today’s email protection systems must be able to eliminate viruses, malware and links to malicious websites as well.  IT leaders should not only consider comprehensive solutions their in-house email systems, but for cloud based solutions as well such as Office 365.  With today’s ransomware worms, you cannot afford to sit passively and assume your emails are protected.  This blaring fact was made evident by the recent Gmail attack that affected a million accounts.

Web filtering is not just about filtering distasteful and disturbing web content.  Yes, email is the primary delivery system for malware but it still draws it from the Internet.  In fact, ransomware can be downloaded from a multitude of sites that have been infected by hackers.  Some financial institutions and health organizations even use web filtering to enforce white listing for URLs.

Why you need Layered Protection

At TitanHQ, we use a multi-layered approach to security to eliminate a wide variety of malware, including ransomware. Our multi-layered security approach uses several different inspection and detection techniques determine whether the file is malicious.

Malware-writers are constantly changing  their code to bypass filters and target different parts of the IT environment. You may have spam  protection at the email gateway but what if one of your employees visits an infected website? Likewise, cybercriminals are now using ransomware-as-a-service platforms as well as targeting their malware at server infrastructure.

In short, the threat landscape is constantly changing and there is no silver bullet to preventing this cyber threat – it’s all about mitigating risk as effectively as possible, by putting more checks and blocks in the way.

If you’d like to get a pdf version of this guide sent to you please email us at info@titanhq.com.

To learn more about ransomware protection from TitanHQ, visit this page.

TitanHQ

Need Help Ordering?

Call us on USA +1 813 304 2544 or IRL +353 91 545555

Contact Us