[BreachExchange] How does ransomware encrypt files?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Oct 18 19:21:27 EDT 2016


https://hakin9.org/ransomware-encrypt-files/

The very word strikes fear in the hearts and minds of CEOs, CSOs and IT
security managers alike. Much of the trepidation over the word comes from the
fact that it is usually mentioned only after an attack has struck. Most of
the time, companies do not even consider protecting their systems from a
ransomware attack until it is too late. A reactive approach to ransomware
has time and again proven to be a case of "too little, too late". Yet
no one seems to have learned, and the same mistakes in preventing or handling
these attacks are still being made.

There are those within the IT security community who believe that one of
the reasons ransomware has become so prevalent is a lack of general
knowledge about how it is transmitted and how it operates. Sure, people
roughly know that such an attack is usually characterized by a file being
locked up, followed by a ransom note from the attacker, but not much else
besides this.

Ransomware attacks are, in essence, Trojans or worms. They usually make
their way into company systems as a result of a phishing campaign laid out by
the attackers. The Trojan or worm is embedded in a downloadable file. Once
the unsuspecting employee (and this can include C-level executives as well)
opens the phishing email and downloads the file, the Trojan or worm is let
loose within the company system. Depending on how it is programmed or
controlled, the attack can be executed at the endpoint, immediate system,
wider network, or server level.

The worm will then burrow itself into the system, locking up a file
immediately or, just as likely, sitting and waiting until the day comes when
it is activated by the cybercriminal. Once the worm has latched on to a file,
folder or drive, it encrypts the file with a password, oftentimes
changing the filename in the process to make it even more difficult to
find within the company's network.

As if this wasn't bad enough, there are ransomware attacks that will start
by encrypting a file, then go through the entire network deleting all
copies of said file, bringing the maliciousness of the act to a whole new
level.
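The two behaviours described above, files being rewritten as encrypted data and renamed in the process, are something a defender can watch for on a file share. The following is an added example written for this post, not code from the hakin9 article: it scores rewritten files by byte entropy (encrypted output looks like uniformly random bytes) and flags a burst of renames to unfamiliar extensions. The event records, extension list and thresholds are constructed assumptions for the demonstration, not values from the article.

```python
"""Flag ransomware-like file activity: a burst of renames to unfamiliar
extensions whose new contents look encrypted (high byte entropy)."""
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.5      # encrypted/compressed data sits close to 8 bits per byte
BURST_MIN_FILES = 3          # suspicious rewrites inside one window before alerting
BURST_WINDOW_SECONDS = 60
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "jpg"}  # assumed allow-list


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_suspicious_write(event: dict) -> bool:
    """Renamed to an unknown extension AND the new bytes look encrypted."""
    ext = event["new_path"].rsplit(".", 1)[-1].lower()
    return ext not in KNOWN_EXTENSIONS and shannon_entropy(event["data"]) >= ENTROPY_THRESHOLD


def detect_bursts(events: list) -> list:
    """Return paths of suspicious rewrites that happened in a burst.
    A sliding window over the timestamps counts how many suspicious rewrites
    land within BURST_WINDOW_SECONDS of each other; an isolated one is ignored."""
    suspicious = sorted((e["ts"], e["new_path"]) for e in events if is_suspicious_write(e))
    flagged, start = set(), 0
    for end in range(len(suspicious)):
        while suspicious[end][0] - suspicious[start][0] > BURST_WINDOW_SECONDS:
            start += 1
        if end - start + 1 >= BURST_MIN_FILES:
            flagged.update(path for _, path in suspicious[start:end + 1])
    return sorted(flagged)


# Constructed sample events (not real telemetry): time in seconds, old name,
# new name, and the bytes written. bytes(range(256)) * 4 has exactly 8 bits/byte.
SAMPLE_EVENTS = [
    {"ts": 0, "path": "share/q3.docx", "new_path": "share/q3.docx.enc", "data": bytes(range(256)) * 4},
    {"ts": 5, "path": "share/budget.xlsx", "new_path": "share/budget.xlsx.enc", "data": bytes(range(256)) * 4},
    {"ts": 9, "path": "share/notes.txt", "new_path": "share/notes.txt.enc", "data": bytes(range(256)) * 4},
    {"ts": 300, "path": "share/draft.txt", "new_path": "share/draft.docx", "data": b"meeting notes " * 40},
]

if __name__ == "__main__":
    print(detect_bursts(SAMPLE_EVENTS))  # the three .enc rewrites; the ordinary rename is not flagged
```

Entropy alone also fires on legitimately compressed files (zip, jpg), which is why the example only alerts on a burst of renames to unknown extensions rather than on any single high-entropy write.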

With this knowledge in mind, companies, CSOs and IT security teams can map
out how to deal with and, more importantly, how to prevent ransomware
attacks from crippling their businesses. The situation brings to mind an
idea from the world of martial arts: if you do not want to get hit, give
them nothing to attack. In other words, email filtering and handling
protocols, together with download policies, should be implemented and
strictly adhered to, without exceptions. In general, no one likes doing
backups. They are tedious and often boring tasks, but think of them as your
digital insurance policy. With a backup of files safely tucked away in a
separate and unconnected location, there is nothing that ransomware
attackers can hold over you and your company's collective heads.