Trevor Hawthorn | December 30, 2015

Ransomware: Understanding and Avoiding It (Security Info Watch)

Ransomware has come back into the spotlight, with a Krebs on Security report highlighting a recent attack targeting Linux web servers — in addition to consumers and business users. Though ransomware itself isn't anything new, this approach is unique in that after the attackers exploit a server, they use a CryptoWall-like method to hold the victim's files hostage.

To understand how to best protect yourself, it’s often helpful to know the root of the issue and why ransomware is a successful approach for attackers.

How We Got Here

If there is one thing we've seen over and over, it’s that cyber criminals run their operations like a business:

A) They work on their craft — cybercrime — full time. (This is a prime reason, by the way, that it’s hard for organizations to catch up let alone get one step ahead. Cyber security just doesn’t get the same time or attention.)

B) Ultimately, they have to figure out how to monetize their efforts.

Phishing has been a lucrative delivery method for malicious links and software, and the path from phish to profit has gone something like this:

Step 1: Send an email with malware to a target

Step 2: Malware infects the target's PC

Step 3: <Monetizing effort here>

Step 4: Profit!

Historically, Step 3 has been the hardest — and longest — part of the plan. Sure, more sophisticated operations can take a foothold in a single email account and turn it into a big-time payday. But this can be time consuming; let’s just say it’s a long conversion cycle. Every business loves to land the whale, but you need minnows to keep you going day to day, right? CryptoWall made quick-hit monetization a possibility — and a very real threat.

I often wonder at the origin of CryptoWall. Using the business analogy, I think it might have looked something like a corporate brainstorming session in a conference room, only with attackers and criminals instead of IT and accounting staff. I imagine it might have gone something like this:

Boss: We need to streamline operations and efficiently convert prospects into paying customers.

Malware Guy: How about if we infect them with new malware, something that steals their accounting files?

Malware Gal: And then what? How could we possibly use that to get rich?

Boss: There are no bad ideas here! But I need solutions, people, I need solutions!

Malware Intern: Why don’t we infect their PC, encrypt all their files, and then have them directly pay us untraceable currency in exchange for unlocking their systems?

Malware Guy: Intern, you're way out of your league!

Boss: Now wait a minute…it's so crazy it just might work!

How We Prevent It from Happening to Us

The attack described by Krebs isn't anything new. And attackers hacking people's PCs isn't anything new. But unlike many “under the radar” attacks, which organizations may not discover for days or months (if at all), a ransomware attack immediately presents itself — and requires immediate action to counteract.

Individuals and small and medium businesses face the most risk from these types of attacks because they are less likely to have automatic file backups in place. The “ransoms” requested in these attacks are generally valuable enough to make a difference to a hacker but not so valuable that a business would have a hard time paying it. Many times, attackers ask for between $250 and $1,000 dollars to unlock files or sites, generally requiring payment in Bitcoin or another similarly untraceable cryptocurrency.

Naturally, though, bigger targets demand bigger ransoms; according to the Krebs article, the FBI received nearly 1,000 complaints tied to CryptoWall in a year’s time, with the total losses clocking in at more than $18 million (or more than $18,000 an incident, on average). A recent report released by the Cyber Threat Alliance upped that total considerably, indicating that $325 million in damages have been tied to CryptoWall ransomware attacks.

So how do we not “let bad things happen" in the first place? Here are some key tips for business owners:

  1. If you run your own WordPress blog, install a well-rated and well-known security plug-in. Many will mitigate key exploit methods, auto-update your site, and even lock out bad guys. These plug-ins aren't perfect, but they are a start.
  2. Keep your computers up to date. Windows makes it really hard to not update your machine with Microsoft patches. Microsoft doesn't push out patches for fun. They do it to keep you safe. If your computer needs a reboot, reboot it.
  3. For the best browser security (at this writing), opt for Internet Explorer 11 or Google Chrome. And regardless of the web browser you choose, one of the single best things you can do to improve your security is to enable "click-to-play” plug-ins. Here's how to do that in the five most popular commercial browsers: http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser/.
  4. Educate yourself and your staff. There is a growing trend where attackers are sending conversational emails to their targets to wire money. This is often directed at employees with access to the corporate bank account (bookkeepers, controllers, CFOs, etc.).
  5. If you outsource any of your financial operations, tell them that any outbound wires over a certain amount must be approved via a phone call to authorized personnel.

About the Author:

Trevor Hawthorn is currently CTO of Wombat Security Technologies, a SaaS-based security awareness and training company. With over eighteen years of information security experience in both consulting and enterprise security, he has seen a wide array of security successes, failures, and everything in between across a wide range of industries.

Read the article on Security Info Watch