I am writing this on a train (to a conference) to pass time [1][2] and, as readers will know, I love and hate malware. Ransomware is not new; it has been around for a decade or more, but only in the last few years has it jumped into the spotlight. It started with fake antivirus suites that claimed to find an “infection”, offered “cleanup & protection”, hid your data in the background and charged a “license” fee, really a thinly disguised ransom demand. The irony is that it demands payment for protection while being the infection itself.
Move on to the last 2-3 years and Cryptolocker, Cryptowall and Cryptoguard have appeared, along with various other names and variations. Typically you open a macro-enabled Office document, download an executable, or an exploit kit is run in the web browser. All of these routes drop an executable which calls home to generate a public/private key pair. Files of various extensions are encrypted locally, along with those on USB devices and mapped drives. Thus if a low-privilege user gets infected, the external hard drive used for backups can be encrypted along with an entire file server.
Often 0.5 BTC (Bitcoin) is requested; 24, 48 or 72 hours is given to pay, and if you do, your files are decrypted. The criminals are actually quite honest in this respect, since if you pay you have a very high chance of getting your data decrypted. Less advanced infections simply rename your file extensions, change the first few bits of the file structure or use a central “shared” private key. In a few instances the same private key is used for thousands of computers, so it is possible to decrypt your data without paying. Serious infections that use unique public/private key pairs leave you doomed, since the encryption itself is too strong to break. Though I am sure vigilantes have hacked into the command and control (CnC) servers to extract keys.
Last year it was reported that a sheriff’s department in North America was infected, and IT support staff I have spoken to report weekly ransomware infections on business networks. Infected laptops are getting their files encrypted along with the entire contents of the servers mapped to them. This is not just in small accountancy firms but in multinational, financially regulated companies with offices in tens of countries and turnover of tens of billions.
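As an added illustration of the behaviour described above (this is my own example, not code from the original post), the detection logic below runs over constructed file-server audit events and flags a user who, within a short window, writes a burst of files with extensions the business does not use across several mapped shares, which is the footprint of a laptop encrypting the servers it has mapped. The event format, the `.encrypted` suffix and the share names are assumptions for the sample, not taken from any real incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Constructed file-server audit events: (timestamp, user, path written).
# The ".encrypted" suffix is a stand-in for the renamed/overwritten files a
# ransomware infection leaves on mapped drives; these are sample values only.
SAMPLE_EVENTS = [
    ("2015-06-01T09:00:00", "alice", r"\\FS01\finance\q1.xlsx"),
    ("2015-06-01T09:00:02", "alice", r"\\FS01\finance\q2.xlsx"),
    ("2015-06-01T09:00:05", "bob",   r"\\FS01\finance\budget.docx.encrypted"),
    ("2015-06-01T09:00:06", "bob",   r"\\FS01\finance\forecast.xlsx.encrypted"),
    ("2015-06-01T09:00:07", "bob",   r"\\FS02\hr\contracts.pdf.encrypted"),
    ("2015-06-01T09:00:08", "bob",   r"\\FS02\hr\payroll.xlsx.encrypted"),
    ("2015-06-01T09:00:09", "bob",   r"\\FS02\hr\policy.docx.encrypted"),
    ("2015-06-01T09:20:00", "bob",   r"\\FS01\finance\notes.txt"),
]

# Extensions the business actually works with; anything else written in bulk is suspect.
KNOWN_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".txt", ".pptx"}

def share_of(path):
    """Return the \\server\share prefix of a UNC path."""
    parts = path.strip("\\").split("\\")
    return "\\\\" + "\\".join(parts[:2])

def detect_mass_encryption(events, threshold=4, window=timedelta(seconds=60)):
    """Flag users who write `threshold` or more unknown-extension files inside
    `window`, reporting the shares hit so responders know which mappings to cut."""
    per_user = defaultdict(list)
    for ts, user, path in events:
        ext = ntpath.splitext(path)[1].lower()
        if ext and ext not in KNOWN_EXTENSIONS:
            per_user[user].append((datetime.fromisoformat(ts), path))
    alerts = []
    for user, hits in per_user.items():
        hits.sort()
        start, best = 0, None
        for end in range(len(hits)):          # sliding window over sorted hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best:
            count, s, e = best
            shares = sorted({share_of(p) for _, p in hits[s:e + 1]})
            alerts.append({"user": user, "files": count, "shares": shares})
    return alerts
```

The threshold and window are tuning knobs; on a real file server they would be set from a baseline of normal save rates per user.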
If a fairly simple ransomware infection can: A. get past the email and web gateways, B. download an additional payload and the public key, and C. easily propagate to infect other devices and drives, then what else are corporates letting through and missing? Ransomware is not the most advanced malware and is often spread by off-the-shelf kits, not always by zero-days or exploits. Advanced persistent threats (APTs)* are most likely getting through and remaining undetected for months or longer. *Though at times these too are just built from kits, as ransomware is.
Many security professionals will tell you a layered approach is needed, and often this just means a few layers of antivirus at different points. Additional types of defence are needed, which include: application whitelisting, URL whitelisting, URL scanning both on entry and on click, security-focused DNS, code stripping and endpoint anti-exploit tools. On top of this, security can be increased at no cost by having someone review and tweak existing products rather than clicking next, next, next and installing the out-of-the-box defaults. So many security and non-security products are simply installed without customisation.
Yes, there is no silver bullet or wooden stake for werewolf or vampire malware, but if good effort and money are put in, infections will greatly reduce. Do not simply decide protection cannot be 100% and give up; aim higher. Be able to say “at least I tried” - Newzoids and a certain MP! When you ask many IT security staff, they simply say the business told us to do this, or we don’t want to slow down staff installing their own software or copying data to USBs. There are ways to balance security while still letting staff have a small amount of freedom, like: A. using a separate account to run with admin rights and B. allowing USBs but encrypting data on the fly.
[1]: Rest assured I have picked a seat with no one sitting next to me and the seats behind face the other way. Practise what you preach, at home and on the job.
[2]: This is written based on my own personal knowledge and contacts, not those of my employer.