
Ransomware

Purpose 

This document can be used as a guideline for ransomware protection on systems running Moveware.


What is Ransomware?

Ransomware is a type of malware that blocks access to the victim’s data (photos, personal information, documents, backups, etc.) and threatens to publish or delete it unless a ransom is paid. While some simple ransomware locks the system in a way that a knowledgeable person can reverse without much difficulty, more advanced malware uses a technique called cryptoviral extortion, which makes it nearly impossible to recover the victim’s files without the decryption key. Many attacks demand that the ransom be paid in digital currencies, such as Ukash and Bitcoin, which are difficult to trace, making prosecution of the perpetrators difficult. The first known ransomware was deployed in 1989. By 2013, the use of such viruses had become well established around the world.

The attacker generates a key pair and places the public key in a piece of malware. When the ransomware infection is released on a computer, it generates a random symmetric key and encrypts the victim’s data with it. It uses the public key in the malware to encrypt the symmetric key. Then the malware displays a message to the victim with instructions about how to pay the ransom. When the victim sends the payment, the attacker uses the private key from the key pair to decipher the encrypted symmetric key and sends the unencrypted symmetric key to the victim, who can use it to decipher the encrypted data. (Of course, there is no guarantee that the attackers will actually send you the decryption key.) 

Ransomware attacks are typically carried out using a Trojan — the malware is disguised as a legitimate file that a user is tricked into downloading or opening when it arrives as a malicious email attachment. However, one high-profile example, the WannaCry worm, travelled automatically between computers without end user interaction. 


How does it work?

  1. Via malicious email 

  • Step 1: The infection begins with a malicious email that the potential victim receives (most of the time in their spam folder). This email contains malicious links or file attachments.

  • Step 2: A potential victim lacking proper knowledge about cyber security clicks the malicious link or attachment, which downloads and installs the ransomware on their computer.

  • Step 3: The ransomware now starts encrypting all data (videos, images, audio, etc.) saved on the victim’s hard disk, and even on other computers sharing the same network.

  • Step 4: The screen now displays the “ransom note”, which contains instructions on how and where to pay the ransomware creator in exchange for the decryption key.

  2. Via compromised website

  • Step 1: The victim clicks a malicious ad (malvertising) on a legitimate website, which directs them to a compromised site.

  • Step 2: The victim lands on a page within the compromised site. Ransomware creators typically make these pages look like legitimate websites, so security software has a hard time detecting the exploit code hidden in the landing page.

  • Step 3: The exploit kit scans the operating system and running software (Flash, Java) for any vulnerability it can exploit. If it finds one, the exploit kit delivers the ransomware to the computer.

  • Step 4: The ransomware infects the computer by encrypting all data saved on its hard disk. A ransom note is then displayed, containing instructions on how to pay the attacker.


How do you know your system is infected with Ransomware? 

Ransomware is designed to target only (what is it they target?) and any other files that do not affect the running of your machine. The attackers gain nothing by encrypting critical processes, since that would stop programs from running.

Therefore, you will find that you cannot open your documents, and the documents may have one of the following filename extensions:

.ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, .locky, or a 6-7 character extension consisting of random characters

There will also be a ‘readme’-style text file in the directories where files were encrypted, containing details on how to decrypt your data: the attacker’s contact email address and payment details.
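As an added example (not part of this page), the following Python scanner checks a directory tree for the indicators described above: the listed extensions, the "6-7 random characters" extension case, and a readme-style ransom note. The random-extension heuristic, the note keyword lists and the sample files are our assumptions, constructed here so the scanner runs offline.

```python
import os, re, tempfile
from pathlib import Path

# Suffixes the page lists as appended by ransomware families (lower-cased for matching).
RANSOM_EXTENSIONS = {
    ".ecc", ".ezz", ".exx", ".zzz", ".xyz", ".aaa", ".abc", ".ccc", ".vvv", ".xxx", ".ttt", ".micro",
    ".encrypted", ".locked", ".crypto", "_crypt", ".crinf", ".r5a", ".xrnt", ".xtbl", ".crypt",
    ".r16m01d05", ".pzdc", ".good", ".lol!", ".omg!", ".rdm", ".rrk", ".encryptedrsa", ".crjoker",
    ".enciphered", ".lechiffre", ".keybtc@inbox_com", ".0x0", ".bleep", ".1999", ".vault", ".ha3",
    ".toxcrypt", ".magic", ".supercrypt", ".ctbl", ".ctb2", ".locky"}
# Our heuristic for the "6-7 random characters" case: letters and digits mixed, not a known-good type.
RANDOM_EXT = re.compile(r"^\.(?=.*[a-z])(?=.*[0-9])[a-z0-9]{6,7}$")
KNOWN_GOOD = {".sqlite3"}  # extend with legitimate long extensions seen in your environment
NOTE_NAME = re.compile(r"readme|decrypt|recover|restore|how.?to", re.IGNORECASE)  # note file names
NOTE_BODY = re.compile(r"bitcoin|btc|decrypt|private key|ransom|\.onion", re.IGNORECASE)  # note wording

def suspicious_extension(filename: str) -> bool:
    lower = filename.lower()  # known suffix first, then the random-extension heuristic
    if any(lower.endswith(ext) for ext in RANSOM_EXTENSIONS):
        return True
    suffix = Path(lower).suffix
    return suffix not in KNOWN_GOOD and RANDOM_EXT.match(suffix) is not None
def looks_like_ransom_note(path: Path, max_bytes: int = 64 * 1024) -> bool:  # name AND body must match
    if path.suffix.lower() not in {".txt", ".html", ".htm", ""} or not NOTE_NAME.search(path.stem):
        return False
    try:
        return path.stat().st_size <= max_bytes and NOTE_BODY.search(path.read_text(errors="ignore")) is not None
    except OSError:
        return False
def scan_tree(root) -> dict:
    # Walk a user profile or file share and collect encrypted-looking files and ransom notes.
    findings = {"encrypted": [], "notes": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if suspicious_extension(name):
                findings["encrypted"].append(str(path))
            elif looks_like_ransom_note(path):
                findings["notes"].append(str(path))
    return findings
def build_sample_tree() -> str:
    # Constructed sample directory (not real victim data) so the scanner can be exercised offline.
    root = tempfile.mkdtemp(prefix="ransom_scan_")
    samples = {"docs/budget.xlsx": "plain spreadsheet", "docs/report.docx.locky": "ciphertext",
               "photos/holiday.jpg.a7f3k2": "ciphertext", "db/app.sqlite3": "sqlite header",
               "docs/README_FOR_DECRYPT.txt": "Files encrypted. Pay Bitcoin for the key.", "docs/readme.txt": "Setup notes."}
    for rel, body in samples.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(body)
    return root
```

Run scan_tree against a user profile or file share root; a handful of hits in one directory is a strong signal to isolate the host and check backups, whereas a single odd extension is usually a false positive worth reviewing by hand.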


How to prevent ransomware 

  1. Mailbox security 

  • Remove executable attachments automatically

  • Apply Office 365 security settings https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/secure-your-business-data?view=o365-worldwide

  • We recommend you perform at least steps 4-6 in that document, but preferably all steps if you have the right Office 365 licence.

  • Disable hyperlinks entirely in email using Group Policy, although this is an extreme option
    This can be done by renaming the following registry key on your computer:
    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command
    Rename the key "command" to "command1", then reopen MS Outlook

  2. Browser security

  • Remove outdated plug-ins and add-ons from browsers

  • Patch and keep browsers up to date

  • Block pop-ups in the browser

  • Secure browsing with Google Chrome 

    • enable phishing and malware protection 

    • turn off instant search 

    • don’t sync 

    • configure content settings 

    • configure passwords and forms settings 

  • Secure browsing with Mozilla Firefox

    • configure privacy settings 

    • configure security settings 

    • disable JavaScript 

    • enable pop-up blocking 

    • don’t sync 

    • turn on automatic updates 

    • use secure protocols 

  • Secure browsing with Microsoft IE 

    • configure security settings 

    • automatically clear history 

    • configure privacy settings 

    • configure advanced security settings 

    • tracking protection 

  • The following link explains how to apply the above recommendations
    https://www.veracode.com/blog/2013/03/browser-security-settings-for-chrome-firefox-and-internet-explorer


Recommended Microsoft Windows settings 

  • Keep Windows up to date
    Set Windows to check for and install updates automatically, or regularly check for and install updates yourself

  • Enable Windows Virus & threat protection
    Virus & threat protection is built into Windows Security on Windows 10

  • Use dedicated admin accounts
    Keep your admin account separate from your normal user account and only log on with the admin account when required

  • Make sure users have the right access
    Ensure normal users do not have any special privileges on the system

  • Limit the access rights of local Windows users

  • Show hidden file extensions
    Show file extensions on the system so you know what file type you are trying to open or access

  • Configure the Application Control Policy
    Use AppLocker to allow or deny specific apps for specific groups of users

  • Configure the Software Restriction Policy

  • Disable AutoPlay and AutoRun
    Ensure the computer does not start anything automatically when a removable device is plugged in

  • Enable the SmartScreen and pop-up blocker features in browsers
    This helps protect your computer from downloading malware or accessing malicious websites


What do I do to protect against ransomware? 

US-CERT recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:

  • Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Note that network-connected backups can also be affected by ransomware; critical backups should be isolated from the network for optimum protection. 

  • Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the targets of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker. 

  • Maintain up-to-date anti-virus software, and scan all software downloaded from the internet before executing it.

  • Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network. 

  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. 

  • Do not follow unsolicited Web links in emails.  


No More Ransom! 

If your system has already been infected with ransomware, a collaboration between Intel Security, Kaspersky Lab, and Europol called No More Ransom! maintains a collection of decryption tools for ransomware families that have been cracked by researchers:

https://www.nomoreransom.org/en/index.html


Backup 

If your system has already been infected with ransomware and you have a backup of your data, then you do not have to worry about paying the ransom to the attackers.

Please find below the links for system backup related to Moveware


References 

Wikipedia, Ransomware: https://en.wikipedia.org/wiki/Ransomware
How does Ransomware get on your computer?: https://enterprise.comodo.com/forensic-analysis/how-does-ransomware-get-on-your-computer.php
Browser Security Settings: https://www.veracode.com/blog/2013/03/browser-security-settings-for-chrome-firefox-and-internet-explorer
CISA: https://www.us-cert.gov/security-publications/Ransomware
No More Ransom: https://www.nomoreransom.org/en/index.html
How to Prevent Ransomware Infections: https://www.netwrix.com/prevent_ransomware_best_practice.html
Top 10 ways to secure Office 365 and Microsoft 365: https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/secure-your-business-data?view=o365-worldwide
