Ransomware — Cyber-Extortion
Imagine turning on your computer and seeing a message: “We have encrypted all your files. Pay us a ransom if you want them back.” This is ransomware, a costly form of cyber-extortion. In February, Hollywood Presbyterian Hospital paid a $17,000 ransom to get their files back after a ransomware attack. The problem has become so serious that the United States Computer Emergency Readiness Team [US-CERT] recently issued an alert, advising organizations to strengthen their information security management practices to manage the risk of ransomware.
Ransomware encrypts the files on your computer or network with an ‘encryption key’ known only to the cybercriminal. The cybercriminal then offers to sell you the key to decrypt your files. Ransomware, like other forms of malware [malicious software], often gets onto a computer through phishing. Other ‘delivery vectors’ include visiting a booby-trapped website and infected USB drives.
Citadel urges all organizations to review their information security management practices to ensure they are taking appropriate steps to guard against a ransomware infection and to test their backup / recovery capabilities to ensure their ability to fully recover from a ransomware attack.
What to Do to Keep From Being Infected
- Provide all users cybersecurity awareness training so they can be vigilant against phishing attacks. [Citadel provides awareness training, including simulated phishing attacks. Contact us for more information.]
- Teach users the phishing danger signals.
- Teach users to not click on links or attachments in emails unless they know the email is legitimate and its contents are safe.
Make Sure IT Does Their Part
- Keep operating system and applications patched with the latest updates. [Sign up for Citadel’s Free Weekly Cybersecurity Newsletter, including our Weekend Vulnerability and Patch Report]
- Maintain up-to-date anti-virus software, and scan all software downloaded from the internet before executing it.
- Set all user accounts with limited — non-administrative — privileges.
- To the extent IT can manage it, they should use application whitelisting to identify the programs that are allowed to run.
Recovering from Ransomware: Make Sure IT Has Good Backups
Good backups are the only way to recover from ransomware. With backups, you can restore the files that have been encrypted. Without these backups, you’re stuck without your valuable files until you pay the ransom.
It is critical that IT verifies its ability to fully recover from a ransomware attack. It is not enough to test the ability to recover a single file or folder; IT needs to test its ability to fully restore all working files from backup and confirm that the restored files are complete and intact.
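One way to make that full-restore test objective, as an added example that is not part of Citadel's text or tooling: take a SHA-256 manifest of the working file set while it is known-good, restore the backup to a scratch location, and compare the two trees file by file. The directory names and file contents below are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file (path relative to root, POSIX style) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def verify_restore(original: Dict[str, str], restored_root: Path) -> Dict[str, List[str]]:
    """Compare the known-good manifest with a restored tree.
    Reports files that were never restored, files whose content differs
    (e.g. an encrypted copy restored instead of the clean one), and extras."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(original) - set(restored)),
        "changed": sorted(p for p in original if p in restored and original[p] != restored[p]),
        "unexpected": sorted(set(restored) - set(original)),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot a small working set, then check a flawed restore."""
    work = Path(tempfile.mkdtemp(prefix="work_"))
    (work / "docs").mkdir()
    (work / "docs" / "contract.txt").write_text("signed agreement")
    (work / "docs" / "invoice.txt").write_text("amount due: 100")
    (work / "notes.txt").write_text("meeting notes")
    manifest = build_manifest(work)  # taken while the files are known-good

    # Simulate a restore that is incomplete and partly contaminated (constructed data).
    restore = Path(tempfile.mkdtemp(prefix="restore_"))
    shutil.copytree(work, restore, dirs_exist_ok=True)
    (restore / "notes.txt").unlink()                                   # never restored
    (restore / "docs" / "invoice.txt").write_bytes(b"\x8f\x1a\x00\xd4")  # unreadable content
    (restore / "docs" / "invoice.txt.locked").write_bytes(b"junk")      # leftover artifact
    result = verify_restore(manifest, restore)
    shutil.rmtree(work)
    shutil.rmtree(restore)
    return result


if __name__ == "__main__":
    print(demo())
```

A restore only passes when all three lists are empty; anything in "changed" means the backup captured files after they were encrypted and an older backup set must be used.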
Ransomware attacks have become increasingly common since the FBI first issued a warning about ransomware in January 2015. The just-released FBI Internet Crime Complaint Center [IC3] 2015 Internet Crime Report identifies ransomware as one of the three most serious cyberthreats affecting organizations. In another recent report, this one by Kaspersky researchers, ransomware was called the “biggest cybersecurity threat.” According to a study by BitDefender, ransomware cost businesses $350 million in 2015.
As Citadel continues to document in our Weekly Cybersecurity Newsletter, ransomware attacks are becoming increasingly dangerous.
Updated CryptXXX Ransomware becomes more dangerous as it now steals credentials: CryptXXX ransomware has received a major overhaul by its authors, putting it on the fast track to unseat Locky as top moneymaker for criminals. ThreatPost, June 3, 2015
Ransomware-as-a-Service business model emerges in Russia; cybercriminals easily earn $90,000 / yr: Ransomware as a business is maturing and nowhere is that better illustrated than in Russia, according to Flashpoint researchers. The security firm released two reports on Thursday, one on a burgeoning ransomware-as-a-service business model (PDF) in Russia and the second on new developments in Russian ransomware kingpins targeting hospitals (PDF). ThreatPost, June 3, 2016
AMAZON USERS TARGETS OF MASSIVE LOCKY SPEAR-PHISHING CAMPAIGN: Amazon customers were targeted in a massive spear phishing campaign where recipients received Microsoft Word documents with a macro that triggered downloads of the Locky ransomware. Researchers at Comodo Threat Research Labs say it is one of the largest spam ransomware campaigns this year. ThreatPost, May 26, 2016
ZCryptor ransomware spreads via removable drives: The newly spotted ZCryptor ransomware has also the ability to spread like a worm, Microsoft warns. HelpNetSecurity, May 27, 2016
Nuclear Exploit Kit: $100K monthly revenue installing Locky Ransomware on vulnerable computers: The Check Point Research team has uncovered the entire operation of one of the world’s largest attack infrastructures. Exploit Kits are a major part of the Malware-as-a-Service industry, which facilitate the execution of ransomware and banking trojans, among others. Their creators rent them to cybercriminals who use them to attack unsuspecting users. Nuclear is one of the top Exploit Kits, both in complexity and in spread. CheckPoint, May 17, 2016
CERBER RANSOMWARE ON THE RISE, FUELED BY DRIDEX BOTNETS: Starting in April security experts at FireEye spotted a massive uptick in Cerber ransomware attacks delivered via a rolling wave of spam. Researchers there link the Cerber outbreaks to the fact that attackers are now leveraging the same spam infrastructure credited for making the potent Dridex financial Trojan extremely dangerous. ThreatPost, May 13, 2016