Josh_Gatka
Champ in-the-making

It’s Monday morning, and Joe Enduser logs on to his workstation, ready to kick off another work week.  Unfortunately, this particular Monday is going to be extra rough.  Upon login, Joe is immediately greeted with an ominous pop-up dialog on his machine:


Source: See CryptoLocker in Action

“Your personal files are encrypted!” Joe’s heart sinks as he reads on about his current dilemma.  Important files on his workstation have been encrypted.  The dialog warns him that he will need a private key in order to decrypt these files, and that the key is only available after paying a ransom in cryptocurrency to the attackers, who operate from a hidden web address on the “deep web” where they are out of reach of law enforcement.  Worse, the dialog warns that any attempt to remove the software responsible for the dialog will result in “the immediate destruction of the private key by the server”.  Worse still, access to the private key will cost $300.00.  Joe perspires heavily as he realizes that if he tries to uninstall this malicious software rather than pay the ransom, his files could NEVER be decrypted.  Joe begins to wonder how he is going to explain this to his system administrator.  As he watches a timer count down on the dialog, he realizes he must act fast: he has only 72 hours before the private key is destroyed forever.

The scenario above is an example of a “ransomware” attack.  This type of attack is becoming more and more prevalent, especially in the healthcare space.  According to an article from helpnetsecurity.com, “The amount of phishing emails containing a form of ransomware grew to 97.25 percent during the third quarter of 2016 up from 92 percent in Q1”.  Some examples of ransomware are CryptoLocker and Locky; Dridex, often mentioned alongside them, is a banking trojan whose spam campaigns have been used to deliver Locky rather than ransomware in its own right.  While malware that encrypts the files on a victim’s machine at scale is a comparatively recent development (CryptoLocker appeared in 2013), the tactic employed to move it onto that machine is not: a phishing e-mail carrying a malicious attachment.  Read the following e-mail:


Source: CryptoLocker Ransomware Information Guide and FAQ

Seems legit, right?  Other examples of e-mail subjects seen on ransomware e-mails include:

USPS - Your package is available for pickup ( Parcel 173145820507 )

USPS - Missed package delivery ("USPS Express Services" <service-notification@usps.com>)

USPS - Missed package delivery

FW: Invoice <random number>

ADP payroll: Account Charge Alert

ACH Notification ("ADP Payroll" <*@adp.com>)

ADP Reference #09903824430

Payroll Received by Intuit

Important - attached form

FW: Last Month Remit

McAfee Always On Protection Reactivation

Scanned Image from a Xerox WorkCentre

Scan from a Xerox WorkCentre

scanned from Xerox

Annual Form - Authorization to Use Privately Owned Vehicle on State Business

Fwd: IMG01041_6706015_m.zip

My resume

New Voicemail Message

Voice Message from Unknown (675-685-3476)

Voice Message from Unknown Caller (344-846-4458)

Important - New Outlook Settings

Scan Data

FW: Payment Advice - Advice Ref:[GB293037313703] / ACH credits / Customer Ref:[pay run 14/11/13]

Payment Advice - Advice Ref:[GB2198767]

New contract agreement.

Important Notice - Incoming Money Transfer

Notice of underreported income

Notice of unreported income - Last months reports

Payment Overdue - Please respond

FW: Check copy

Payroll Invoice

USBANK

Corporate eFax message from "random phone #" - 8 pages (random phone # & number of pages)

past due invoices

FW: Case FH74D23GST58NQS

Symantec Endpoint Protection: Important System Update - requires immediate action

Source: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

In each case the goal is the same: trick the recipient into downloading and opening the attachment.  Typically the attachment is a .zip archive, and the e-mail instructs the reader to open it.  Inside there will be a single file, usually named something like “DeliveryProblem.pdf”.  I place emphasis on named, because .pdf is not the actual file extension.  A closer inspection would reveal that “DeliveryProblem.pdf” is actually DeliveryProblem.pdf.exe, an executable program whose icon has been set to look like a PDF document.  Because Windows hides the extensions of known file types by default, the victim sees only “DeliveryProblem.pdf” and double-clicks it, expecting a PDF to open explaining why their package could not be delivered.  Instead, the malware is executed, and the encryption of the user’s files kicks off.


The name says .pdf but the icon is clearly suspicious…did I mention that continuing to use Windows XP is a TERRIBLE idea?

Source: Watch CryptoLocker in Action

Many hospitals have evaluated their options after a ransomware attack and determined that it would be less costly in the end to simply pay the ransom.  Remember the old adage, “If you give a mouse a cookie, he will ask you for a glass of milk”?  You may have seen dramatic movies or TV shows where a hostage negotiator steadfastly warns the bad guys that “Our government refuses to give in to the demands of terrorists.”  Unfortunately, attackers armed with ransomware appear to have identified the ideal target in hospitals.  The victims cannot bide their time and evaluate their options while critical systems and files that their patients NEED remain unusable.  They often give in and pay.  Paying buys no guarantee, either: the key may never arrive, or the decryptor may not work.  This money presumably serves to perpetuate more attacks, as the bad guys have proven the efficacy of this sinister business model.  One can only hope that after being hit with a ransomware attack and being forced to pay out, the team in charge of security takes the steps necessary to ensure that they are not subject to the same kind of attack again in the future.

When it comes to ransomware, prevention is far, far easier than reaction.  Here are six things that you as a user can do to make sure that you don’t become the victim of a ransomware attack:

  1. Use anti-virus software and make sure it is up to date
  2. Do not open/download e-mail attachments unless you are confident that you know who sent the attachment and that it is not malicious
  3. Disable macros in Microsoft Office
  4. Do not store important files locally if you do not have to; use a file server or a cloud-based solution (I heard that there’s an absolutely awesome one called ShareBase)
  5. Back up your files, and make sure you’re backing them up somewhere other than your local machine
  6. Check Windows Folder Options and ensure that file extensions are shown

Let’s take a look at each of these:

1. Use anti-virus software and make sure it is up to date

No surprises here.  Many anti-virus suites include an “on-access scanning” feature which can stop ransomware dead in its tracks.  Provided your anti-virus definitions are up to date, this will defend against many known ransomware families.  This holds true for an organization’s mail servers as well.  However, relying on anti-virus alone would be unwise: signatures lag behind new variants, and attackers test their payloads against common products before sending them.  When speaking about application security, one concept that we often evangelize is “defense-in-depth”.  This refers to the practice of having multiple layers of defense, so that if one layer fails the attacker has several other layers to contend with before successfully compromising an asset.  Think of the medieval knights of Europe.  They wore heavy helmets and strong outer armor.  However, they also wore chainmail and thick clothing underneath, just in case the outer armor failed.  View your assets the way that medieval knights viewed their body armor by adopting a multi-layer approach.

2. Do not open/download e-mail attachments unless you are confident that you know who sent the attachment and that it is not malicious

Take a second to refer back to all of those e-mail subjects I posted.  Even I must admit that at first glance some of them seem legitimate.  Attackers have upped their game in terms of social engineering and deception.  Whereas one used to be able to spot a malicious e-mail because it was accompanied by poor grammar and an obviously sketchy e-mail address (CheapBluePills@ValuePharmacy.com), this is not always the case today.  If the e-mail is warning you about a problem with your bank, delivery, etc., you should verify with that entity that there is a problem, using a phone number or web address you already have rather than one supplied in the e-mail.  These e-mails are attempting to use social engineering to manipulate the reader.  They are gambling that the reader will panic, then act quickly and carelessly to resolve the situation.  The bad guys know that downloading and opening the file is quicker and easier than verifying that the problem described in the e-mail is legitimate.

3. Disable macros in Microsoft Office

One feature that has been abused by ransomware creators is the “macro” feature in Microsoft Office.  Macros are powerful snippets of code (VBA) that can be embedded in Microsoft Office files.  As is often the case with innovative technology, the motivation behind the creation of macros was well-intentioned.  Macros allow for the automation of tasks.  Macros can communicate with other files or databases, manipulate data, change the formatting of text, and even create new files or launch other programs.  Unfortunately, attackers have caught on to how powerful these macros are, and how they can be exploited for evil rather than for good.  A tactic often employed by attackers is to embed macros in a Word document.  Typically, a convincingly worded e-mail will instruct the user to download the file, open it, and fill in the necessary fields.  However, when the user goes to open the file, they are greeted with this message:

Source: One in the eye for ransomware: Microsoft adds new macro controls to Office 2016

Take a look at the Security Warning near the top of the image.  A security best practice is to disable macros, because of how powerful they are.  The attacker is attempting to use social engineering to trick the user into believing that the garbled characters in the document can only be displayed once macros are enabled.  The user can then be tricked into enabling the macros.  The embedded code is executed, the ransomware is downloaded and launched, and the attack is successful.  It’s only a matter of time before files on the machine are encrypted and the pop-up demanding ransom is displayed.  I had a college professor who often reiterated that we should NEVER play around in the command line unless we were 110% sure of what we were doing.  The same can be said for using macros: if you didn’t write the macro, and you don’t know who wrote the macro, you should adhere to the security best practice and leave macros disabled.
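A mail gateway or help desk can tell whether a document carries macros before anyone is tempted to click “Enable Content”. The following is an added example written for this post (it is not code from the original article or from Hyland): modern Office files (.docx/.docm/.xlsm and friends) are zip archives, and a document only contains VBA if it carries a vbaProject.bin part or a macro-enabled content type in [Content_Types].xml. The sample documents are constructed in-memory stand-ins, not real Word files, and the file names are invented.

```python
"""Detect VBA macros inside an Office Open XML attachment (.docx/.docm/.xlsm ...).

Added example for this post, not code from the original article or from Hyland.
OOXML files are zip archives; a vbaProject.bin part, or a macroEnabled content
type, means the document carries VBA code.
"""
import io
import zipfile

# Parts and content types that only exist when a document contains VBA.
VBA_PART_SUFFIX = "vbaProject.bin"
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
    "application/vnd.ms-office.vbaProject",
)
# Extensions Office itself uses for macro-enabled formats.
MACRO_ENABLED_EXTS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")


def inspect_ooxml(filename: str, data: bytes) -> dict:
    """Return macro findings for one attachment.

    Keys: is_ooxml, has_vba, macro_parts, extension_mismatch.
    """
    result = {"is_ooxml": False, "has_vba": False, "macro_parts": [],
              "extension_mismatch": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy .doc/.xls (OLE2 containers) need a different parser, e.g. olefile.
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result  # a zip, but not an Office document
        result["is_ooxml"] = True
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["macro_parts"] = [n for n in names if n.endswith(VBA_PART_SUFFIX)]
        result["has_vba"] = bool(result["macro_parts"]) or any(
            ct in content_types for ct in MACRO_CONTENT_TYPES
        )
    # Macro content under a name that does not advertise macros is a disguise.
    result["extension_mismatch"] = (
        result["has_vba"] and not filename.lower().endswith(MACRO_ENABLED_EXTS)
    )
    return result


def _build_sample(parts: dict) -> bytes:
    """Constructed minimal OOXML-style zip for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


CLEAN_DOC = _build_sample({
    "[Content_Types].xml":
        '<Types><Override PartName="/word/document.xml" ContentType="application/'
        'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": "<w:document/>",
})
MACRO_DOC = _build_sample({
    "[Content_Types].xml":
        '<Types><Override PartName="/word/document.xml" ContentType="application/'
        'vnd.ms-word.document.macroEnabled.main+xml"/><Override PartName="/word/'
        'vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": "<w:document/>",
    # Placeholder bytes standing in for a compiled VBA project (constructed).
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0placeholder-vba-project",
})

if __name__ == "__main__":
    for name, blob in (("Invoice_4471.docx", CLEAN_DOC), ("Invoice_4471.doc", MACRO_DOC)):
        print(name, inspect_ooxml(name, blob))
```

The check is deliberately structural: it does not try to decompile the VBA, only to prove that VBA is present, which is enough to quarantine the message or strip the attachment under a “no macros from outside the organization” policy.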

4. Do not store important files locally if you do not have to; use a file server or a cloud-based solution (I heard that there is an absolutely awesome one called ShareBase)

Even if you install anti-virus, enforce macro-disabling across your entire organization, and train your end users on how to recognize malicious e-mails, a ransomware attack could still occur.  Remember that the “security team vs attackers” dynamic is constantly evolving; the cat-and-mouse nature of the game means that attackers will eventually come up with even more clever ways to circumvent defenses.  You should prepare for a ransomware attack in the event that all of your defenses fail.  Ask yourself: Do the users in my organization need to save work files to the same machine where they answer e-mails?  Storing the files on a remote file server, or a cloud-based storage solution like ShareBase, may strengthen your organization’s defenses against ransomware.  Bear in mind that ransomware will encrypt any mapped drive or synced folder the infected user can write to, so the machine should be disconnected from the network as soon as the attack is detected, and the real protection is versioning.  ShareBase’s Desktop Sync feature allows users to restore a file from a previous version.  If the synced folder were to get hit with ransomware, the user would only need to retrieve the (unencrypted) version from ShareBase that was saved prior to the attack.  Another Hyland solution that can add a layer of defense is our Distributed Disk Services module.  By adding an intermediary between you and your documents (the DDS Server), an extra layer of defense is present.

5. Back up your files, and make sure you’re backing them up somewhere other than your local machine

Just in case all of the aforementioned steps fail to protect the critical files on your machine, a strong and reliable backup solution could help mitigate a ransomware attack.  If an organization backs up its data nightly (and frequently tests restoring from those backups), a ransomware attack may not be the end of the world.  The machine could be wiped, then restored from the backup with minimal loss of data.  Keep at least one copy of the backups somewhere the infected machine cannot write to (offline media or storage that is not mounted as a drive), because a backup the malware can reach is just another set of files to encrypt.

6. Check Windows Folder Options and ensure that file extensions are shown

In the hypothetical attack scenario I described earlier, the attacker had named a file “DeliveryProblem.pdf”.  If Joe Enduser had file extensions displayed, he would’ve seen that the actual name of the file was “DeliveryProblem.pdf.exe”.  Enabling this setting makes files that may be malicious easier to spot.  While a real .pdf or .docx file does not run code when opened, the real extensions .exe, .scr, and .vbs are executable and are exactly what ransomware droppers use.

Make sure that the “Hide extensions for known file types” check box in the Folder Options dialog is UNCHECKED.
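The same inspection can be automated where attachments arrive, before a user ever sees an icon. The following is an added example written for this post (not code from the original article or from Hyland) that covers both the “DeliveryProblem.pdf.exe” trick described earlier and the extension check above: it opens a zipped attachment and flags members whose name carries a double extension, whose name contains the Unicode right-to-left override character that reverses the visible ending, or whose first bytes are the “MZ” header of a Windows executable regardless of what the name claims. The sample archive and its member names are constructed for the demo; the executable payload is a few stub bytes, not a program.

```python
"""Triage a zipped e-mail attachment for disguised executables.

Added example for this post, not code from the original article or from Hyland.
Looks at the real file name (not the icon) and the file's magic bytes (not its
name), which is what a user with extensions visible, or a mail gateway, should do.
"""
import io
import zipfile

DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt")
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                   ".js", ".jse", ".wsf", ".hta", ".ps1")
# Right-to-left override: makes "photo<RLO>fdp.scr" display as "photorcs.pdf".
RLO = "\u202e"


def is_pe_image(head: bytes) -> bool:
    """Windows executables (.exe/.scr/.dll) start with the 'MZ' DOS header."""
    return head[:2] == b"MZ"


def triage_name(name: str) -> list:
    """Findings derived from the member name alone."""
    findings = []
    stem = name.lower().rsplit("/", 1)[-1]
    if RLO in name:
        findings.append("contains right-to-left override character")
    if stem.endswith(EXECUTABLE_EXTS):
        findings.append("executable extension")
        base = stem.rsplit(".", 1)[0]
        if base.endswith(DOCUMENT_EXTS):
            findings.append("double extension disguised as a document")
    return findings


def triage_zip(zip_bytes: bytes) -> dict:
    """Return {member_name: [findings]} for every file in the archive."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings = triage_name(info.filename)
            with zf.open(info) as member:
                head = member.read(2)
            if is_pe_image(head):
                findings.append("PE executable by magic bytes")
                if not info.filename.lower().endswith(EXECUTABLE_EXTS):
                    findings.append("executable content with non-executable name")
            report[info.filename] = findings
    return report


def build_sample_attachment() -> bytes:
    """Constructed sample archive for the demo; payloads are stub bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DeliveryProblem.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("Invoice_2231.pdf", b"%PDF-1.4\n% constructed sample\n")
        zf.writestr("photo" + RLO + "fdp.scr", b"MZ" + b"\x00" * 16)
        zf.writestr("README.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in triage_zip(build_sample_attachment()).items():
        print(f"{name!r}: {findings or 'clean'}")
```

Checking magic bytes matters because the extension rules are easy to evade (a dropper can be renamed to a .txt and launched by a script), whereas the “MZ” header is something the loader requires. Archive nesting and password-protected zips, which attackers also use to get past gateways, are deliberately out of scope here.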

Much like the recent spike in distributed-denial-of-service (DDoS) attacks, ransomware attacks show no sign of waning in the near future.  It is imperative that organizations adopt a strong, layered defense and a contingency plan for what they will do if ransomware infects a machine.  As the number of hardened targets increases, the business model behind these programs becomes less profitable and their creators will be forced to move on.  Will you and your organization be a hardened target or a victim?

For more information on preventing and mitigating ransomware attacks, check out www.nomoreransom.org