The driving factor for most cyberattacks and cyber-crime is money. Ransomware is a type of malicious software designed to block access to a computer system or its files until a sum of money is paid. Although holding data to ransom is not a new idea, attackers have been making millions from these attacks. The files (or the whole system) are encrypted by the attacker, normally with a well-known, strong cipher; what the victim lacks is the key, which the attacker promises to hand over once the ransom is paid. A ransom note left on the machine tells the victim how to pay.
A common delivery chain is a compromised web site that loads an exploit kit, which pushes the malware onto the visitor's machine. The malware executes, encrypts the files and writes a ransom note into each affected directory. Once infected, the victim has four options:
- Pay the ransom
- Restore the backup
- Lose the files
- Brute force the key (realistic only when the malware's cryptography is flawed, for example a weak or reused key; a properly generated key for a modern cipher cannot be brute forced)
Payment is demanded in a cryptocurrency such as Bitcoin, and in return the victim is given the key to decrypt the files. Some operations even provide free technical support. If the ransom is not paid within the stated time, the amount is doubled or tripled. The most common infection mechanisms are malicious Office documents (typically delivered by email) and drive-by downloads.
The emailed document, when opened, appears to be protected and lists the steps for making it readable by enabling macros. Once the user enables the macro, it fetches the payload and the infection begins. Sometimes the attachment is instead a ZIP archive containing a script, which runs when the user opens the extracted file. Some websites likewise appear useful or genuine and trick visitors into downloading the malware.

In both cases, Office document or drive-by download, the actual malware is usually delivered from a randomly generated subdomain of a legitimate domain. Attackers compromise the owner's DNS account for the domain and register many subdomains, then use those for the attack. Each subdomain is used only once for a given victim's public IP; this technique is known as domain shadowing. Preventing these attacks is difficult because the code is usually obfuscated and its malicious behaviour only becomes visible once the machine is already well into the infection.
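The domain-shadowing pattern just described (many never-before-seen, random-looking subdomains of one legitimate domain, each resolved once) is something a defender can hunt for in DNS query logs. The following is an added example, not code from the original article: a Python heuristic run over a constructed log sample. It assumes a log format of timestamp, client IP and queried name, approximates the registered domain as the last two labels (a real deployment would use the Public Suffix List), and uses illustrative thresholds.

```python
"""Heuristic hunt for domain shadowing in DNS query logs.

Added example, not part of the original article. Assumptions: each log
line is "<timestamp> <client_ip> <queried_name>"; the registered domain is
approximated as the last two labels (a production tool would use the
Public Suffix List instead); thresholds are illustrative.
"""
import math
from collections import defaultdict

# Constructed sample log: a legitimate domain with a few stable hostnames,
# and a shadowed domain whose throwaway subdomains are each resolved once.
SAMPLE_LOG = """\
2015-07-01T10:00:01 10.0.0.5 www.example.com
2015-07-01T10:00:02 10.0.0.5 mail.example.com
2015-07-01T10:00:03 10.0.0.7 www.example.com
2015-07-01T10:00:04 10.0.0.5 www.example.com
2015-07-01T10:01:10 10.0.0.5 kz93q1xv7a.shadowed-example.net
2015-07-01T10:01:11 10.0.0.7 p0r4mt8dh2.shadowed-example.net
2015-07-01T10:01:12 10.0.0.9 9bxc2lq5wn.shadowed-example.net
2015-07-01T10:01:13 10.0.0.11 f7u3ykd0zs.shadowed-example.net
"""


def registered_domain(qname):
    """Approximate the registrable domain as the last two labels (assumption)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def label_entropy(label):
    """Shannon entropy of a DNS label in bits per character.
    Human-chosen labels (www, mail) score low; random strings score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Return a list of (timestamp, client_ip, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the hunt
        ts, client, qname = parts
        records.append((ts, client, qname.lower().rstrip(".")))
    return records


def find_shadowed_domains(records, min_subdomains=3, max_hits_per_sub=1, min_entropy=3.0):
    """Flag registered domains with many distinct subdomains that were each
    queried at most max_hits_per_sub times and whose leftmost label looks
    random. Returns {domain: [suspicious subdomains]}."""
    hits = defaultdict(lambda: defaultdict(int))  # domain -> subdomain -> query count
    for _, _, qname in records:
        dom = registered_domain(qname)
        if qname == dom:
            continue  # bare apex, no subdomain to judge
        sub = qname[: -len(dom)].rstrip(".")
        hits[dom][sub] += 1

    suspicious = {}
    for dom, subs in hits.items():
        single_use = [s for s, n in subs.items() if n <= max_hits_per_sub]
        random_looking = [s for s in single_use
                          if label_entropy(s.split(".")[0]) >= min_entropy]
        if len(random_looking) >= min_subdomains:
            suspicious[dom] = sorted(random_looking)
    return suspicious


if __name__ == "__main__":
    for dom, subs in find_shadowed_domains(parse_log(SAMPLE_LOG)).items():
        print(f"possible domain shadowing on {dom}: {len(subs)} single-use subdomains")
```

The entropy test on its own is weak (CDN hostnames also look random); the signal is the combination of random labels with single-use subdomains under one apex, and in practice you would correlate a hit with recent changes to that domain's DNS records before blocking it.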
Some of the controls an organization can adopt are:
- Disallow Flash for untrusted websites, and identify and implement a formal help-desk process for adding sites to the whitelist. Ensure that only knowledgeable personnel can approve additions to the whitelist.
- Filter inbound email for attached ZIP archives and Microsoft Office documents, and block macro-enabled Office documents outright. Inform the user that the attachment was filtered, and implement a formal help-desk process whereby users can request the attachment after it has been screened.
- Disable macros in the Office suite, or at least configure Office to disable them with notification, so that nothing runs without an explicit decision by the user.
- Application whitelisting, so that only approved executables can run; a freshly downloaded payload is not on the list and is blocked.
- Use an enterprise data management solution that monitors for the creation of ransom-note files and encrypted files and can act automatically, for example by disabling the user's Active Directory account as soon as traces of these files are detected. It also assists post-infection investigations, including identifying the date and time of the infection and which files were encrypted.
- A quality intrusion detection system, coupled with a SIEM, helps investigate attacks: the IDS recognizes known patterns and alerts the administrator, and the SIEM correlates those alerts with other logs.
- A policy requiring important data to be stored on network shares rather than only on local disks, so that it is covered by centralized backups.
- Centralized backups are much easier to schedule and to restore from.
- Apply a least-privilege access policy, giving users only the access they need, when they need it. Create separate accounts for high-privilege operations and document their appropriate use.
- Frequent and reliable backups, kept offline or otherwise out of reach of an infected user's account, and tested regularly by actually restoring from them.
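The email filtering control in the list (block macro-enabled Office documents, hold archives for screening) is best implemented by inspecting attachment contents rather than trusting the file extension. The following added example, not code from the original article or from any mail gateway product, does this in Python. It assumes the standard OOXML package layout (a zip containing `[Content_Types].xml`, with VBA code stored in a `vbaProject.bin` part declared as `application/vnd.ms-office.vbaProject`) and uses a constructed, minimal OOXML-shaped zip as test input; the verdicts `allow`/`block`/`hold` and the script-extension list are illustrative choices.

```python
"""Screen inbound email attachments for macro-enabled Office documents,
archives carrying scripts, and bare executables.

Added example, not from the original article. Assumptions: an OOXML
document is a zip containing [Content_Types].xml; a VBA project is stored
as a part named vbaProject.bin and declared with the content type
application/vnd.ms-office.vbaProject. Verdicts: 'allow', 'block', or 'hold'
(hold = keep for help-desk screening before release).
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                     ".exe", ".scr", ".bat", ".cmd", ".ps1")


def build_zip(entries):
    """Build an in-memory zip from {name: content}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


def build_ooxml(with_macros):
    """Construct a minimal OOXML-shaped package (not a real Word file) for testing."""
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.'
        'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    )
    entries = {"word/document.xml": "<w:document/>"}
    if with_macros:
        content_types += ('<Override PartName="/word/vbaProject.bin" '
                          'ContentType="application/vnd.ms-office.vbaProject"/>')
        entries["word/vbaProject.bin"] = b"\x00" * 16  # stand-in for a compiled VBA project
    content_types += "</Types>"
    return build_zip({"[Content_Types].xml": content_types, **entries})


def screen_attachment(filename, data):
    """Return (verdict, reason). Looks inside the bytes; never trusts the extension."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""

    if data.startswith(OLE2_MAGIC):
        return "hold", "legacy binary Office document; macros cannot be ruled out without OLE parsing"

    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
                if "[Content_Types].xml" in names:  # an OOXML package
                    if any(n.lower().endswith("vbaproject.bin") for n in names):
                        return "block", "Office document contains a VBA project part"
                    if VBA_CONTENT_TYPE in z.read("[Content_Types].xml"):
                        return "block", "Office document declares a VBA project content type"
                    return "allow", "Office document without macros"
                # Plain archive: what does it carry?
                scripts = [n for n in names if n.lower().endswith(SCRIPT_EXTENSIONS)]
                if scripts:
                    return "block", "archive carries script/executable content: " + ", ".join(scripts)
                return "hold", "archive; release only after help-desk screening"
        except zipfile.BadZipFile:
            return "hold", "corrupt or unreadable zip"

    if ext in SCRIPT_EXTENSIONS:
        return "block", "script or executable attachment"
    return "allow", "not an Office document, archive or script"
```

A `.docm` renamed to `.docx` is still blocked, because the VBA part is found inside the package. Legacy binary Office files (OLE2) are held rather than parsed here; screening them for macros needs an OLE stream parser.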
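The monitoring and investigation controls in the list (detect the creation of ransom notes and encrypted files, disable the account, establish when the infection started and which files were hit) can be prototyped against a file-server audit log. The following is an added example, not from the original article or from any data-management product: Python that slides a time window over each user's file events in a constructed sample log and produces an incident summary. The log format, the note-name patterns, the `.encrypted` extension and the thresholds are all assumptions.

```python
"""Turn a file-server audit log into an incident summary: who is encrypting,
since when, which files were hit, where ransom notes were dropped.

Added example, not from the original article or any product. Assumptions:
each log line is "<ISO timestamp> <user> CREATE <path>" or
"<ISO timestamp> <user> RENAME <old path> -> <new path>"; the ransom-note
name patterns, the sample extension ".encrypted" and the thresholds are
illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Words that commonly appear in ransom-note file names (illustrative list).
NOTE_PATTERNS = [re.compile(p, re.I) for p in (r"decrypt", r"restore", r"recover")]
LINE_RE = re.compile(r"^(\S+) (\S+) (CREATE|RENAME) (.+)$")

# Constructed sample log: ordinary activity from alice, bob and dave, plus a
# burst from carol in which files get a new extension and a note lands in
# every touched directory.
SAMPLE_LOG = """\
2016-03-14T09:12:01 alice CREATE /shares/finance/2016/budget_v3.xlsx
2016-03-14T09:15:30 bob RENAME /shares/hr/policy.docx -> /shares/hr/policy_v2.docx
2016-03-14T11:02:10 carol RENAME /shares/finance/q1.xlsx -> /shares/finance/q1.xlsx.encrypted
2016-03-14T11:02:10 carol CREATE /shares/finance/HOW_TO_DECRYPT_FILES.txt
2016-03-14T11:02:11 carol RENAME /shares/finance/2016/budget_v3.xlsx -> /shares/finance/2016/budget_v3.xlsx.encrypted
2016-03-14T11:02:11 carol CREATE /shares/finance/2016/HOW_TO_DECRYPT_FILES.txt
2016-03-14T11:02:12 carol RENAME /shares/hr/policy_v2.docx -> /shares/hr/policy_v2.docx.encrypted
2016-03-14T11:02:12 carol CREATE /shares/hr/HOW_TO_DECRYPT_FILES.txt
2016-03-14T11:02:13 carol RENAME /shares/legal/nda.pdf -> /shares/legal/nda.pdf.encrypted
2016-03-14T11:02:13 carol CREATE /shares/legal/HOW_TO_DECRYPT_FILES.txt
2016-03-14T11:30:00 dave CREATE /shares/it/readme.txt
"""


def parse_events(text):
    """Parse log lines into dicts with time, user, action, path and old_path."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines
        ts, user, action, rest = m.groups()
        old_path, path = None, rest
        if action == "RENAME" and "->" in rest:
            old_path, path = (p.strip() for p in rest.split("->", 1))
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "action": action, "path": path, "old_path": old_path})
    return events


def is_ransom_note(path):
    """True if the file name matches a ransom-note naming pattern."""
    return any(p.search(path.rsplit("/", 1)[-1]) for p in NOTE_PATTERNS)


def _extension(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def extension_changed(ev):
    """True for a RENAME that alters the extension: policy.docx -> policy_v2.docx
    is ordinary user activity, policy.docx -> policy.docx.encrypted is not."""
    return ev["action"] == "RENAME" and _extension(ev["old_path"]) != _extension(ev["path"])


def note_directories(evs):
    """Directories in which a ransom-note-like file was created."""
    return {e["path"].rsplit("/", 1)[0] for e in evs
            if e["action"] == "CREATE" and is_ransom_note(e["path"])}


def detect(events, window=timedelta(minutes=5), min_note_dirs=3, min_ext_changes=3):
    """Slide a time window over each user's events; the first window in which
    notes hit min_note_dirs directories or min_ext_changes files change
    extension opens an incident. Everything the user did from the start of
    that window onward is summarised so responders know what to restore."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_user[ev["user"]].append(ev)

    incidents = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            win = evs[start:end + 1]
            if (len(note_directories(win)) >= min_note_dirs
                    or sum(extension_changed(e) for e in win) >= min_ext_changes):
                since = evs[start:]
                incidents[user] = {
                    "first_seen": win[0]["time"].isoformat(),
                    "note_directories": sorted(note_directories(since)),
                    "encrypted_files": sorted(e["old_path"] for e in since if extension_changed(e)),
                    "recommended_action": f"disable the Active Directory account of {user} "
                                          "and isolate the source host",
                }
                break
    return incidents


if __name__ == "__main__":
    for user, info in detect(parse_events(SAMPLE_LOG)).items():
        print(f"{user}: encrypting since {info['first_seen']}, "
              f"{len(info['encrypted_files'])} files, notes in {len(info['note_directories'])} dirs")
```

The summary deliberately collects the user's activity from the start of the triggering window onward, not just the window itself, so the encrypted-file list is what a restore job needs rather than only the first few hits; in a live deployment the detection would run on streaming events and the recommended action would be wired to the directory, as the article's control describes.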