[BreachExchange] How to prevent ransomware: What one company learned the hard way
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Sep 22 20:03:32 EDT 2016
http://trueviralnews.com/how-to-prevent-ransomware-what-
one-company-learned-the-hard-way/
In the real world, kidnapping is a risky crime—getting paid usually means
getting caught. In the digital world, however, demanding ransom for data,
or ransomware, is an escalating epidemic, a popular crime which is leaving
many businesses and consumers at risk of losing data.
One small company in New England—a retailer with some two-dozen
employees—learned that the hard way. A click-happy employee ended up
infecting one system with a prevalent threat known as CryptoWall, according
to the company’s co-owner, John, who asked that his real name and details
of his business not be revealed.
Ransomware may roam undetected
Quietly, the malware reached out over the Internet to get a unique key and
then, over the next three days, encrypted data on the compromised system.
Much worse for the company, the malware encrypted accounting data on a
mapped drive on the firm’s server.
The retailer learned of the infection when its accounting software failed
to open financial data on the mapped drive the following Monday. “The
ransom note never popped up on the screen,” John said. “The accounting
program just stopped functioning one morning.”
When a support tech investigated the accounting software’s problems, more
than 200 copies of a ransom note were found scattered around the file
system, directing the firm to pay $500 in Bitcoin to the criminals.
Ransomware is on the rise. Kicking off with Cryptolocker in 2013, a steady
parade of pernicious ransom-demanding software has hit unfortunate victims.
Cryptolocker likely made its operators tens of millions of dollars until
authorities disrupted the network in May 2014, shutting down Cryptolocker
command-and-control servers and the GameOver Zeus botnet infrastructure
that spread the malware. Yet, other ransomware variants have arisen.
Between mid-March and August 24, 2014, for example, more than 600,000
systems were infected with the CryptoWall variant of ransomware, according
to research conducted by managed-security firm SecureWorks.
Data-nappers are going mobile as well, according to recent data from mobile
security firm Lookout. In 2014, four of the top five malware programs
encountered by Android users in the United States were ransomware, posing
as a legitimate app and then, after installation, locking the phone and
demanding payment. While the threat of mobile malware continues to be
low—only 7 percent of Android users even encountered malware—ransomware
accounted for nearly all of the 75 percent increase in encounters from the
previous year, according to the company.
Your best defense: Back up, back up, back up
The solution to ransomware is fairly simple—at least, for now. Consumers
and small businesses with a good backup process will be able to recover
much of the data encrypted by the attackers. Companies who are doing
backups on-premise should make sure they can recover an image of the data
for months in the past and keep multiple copies. Any backups made between
the time of infection and when the attack is detected will be encrypted,
and thus unrecoverable without paying the ransom.
For that reason, online backups with automatic incremental backups can be a
great help, Brian Foster, chief technology officer of network-security firm
Damballa, advised. At the very least, companies should be keeping at least
one set of backups offsite.
“I’m a big fan of online backups,” he said. “You should expect that, if you
get hit by ransomware, you are not going to get the PC back.”
Another possible defense: Ransomware typically reaches out to get an
encryption key from an online server. Detecting and blocking that request
can prevent the encryption of the data.
Unfortunately for the New England retailer, the infection revealed that the
company’s backup program had not been working correctly for more than two
years. The company had no choice but to pay. Yet, even that did not go
smoothly: Unable to deal with the mapped drive, the ransomware’s decryption
routine failed to unscramble more than 100 of the thousands of encrypted
files, leaving financial and customer information encrypted. Because the
ransomware scheme requires trust that the criminals will hand over the data
after receiving payment, the operators offered support to the firm’s owner,
and even offered to try to decrypt the data, if the company sent the files.
The firm declined.
The infection also leaves the owner in a quandary. While the criminals have
said that the infected system should be clean, John understandably does not
trust them.
“The fear, as an IT person, is you feel like you need to format every drive
in the network,” he said. “I don’t trust the other computers, but do we
shell out $10,000 to rebuild our infrastructure?”
The company is still considering its options.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160922/95f6dae8/attachment.html>
More information about the BreachExchange
mailing list