Vulnerabilities / Threats

9/22/2014 11:00 AM
Andrew Hay
Commentary

The Truth About Ransomware: You're On Your Own

What should enterprises do when faced with ransomware? The answer is, it depends.

Dark Reading Editor Tim Wilson raises an interesting question in a recent comment on Sara Peters’ blog, CryptoWall More Pervasive, Less Profitable Than CryptoLocker:

I'm interested to hear what security professionals advise when faced with ransomware infections such as those outlined in the story. Are there situations when they should consider paying the ransom? What are the implications for their data if they call in law enforcement? Is this something an enterprise can set a policy on, or is it really decided on a case-by-case basis?

When faced with ransomware infections, people need to know their options. As with any attack, it's better to learn the limits of your technology (and of your recovery options) before you get infected. For the enterprise, security professionals should educate themselves (and their users) about the current state of ransomware and put in place steps to prevent infections and to remediate them quickly. But the truth is that, for practically everybody, we are mostly on our own when it comes to dealing with the ransomware problem.

Calling in law enforcement is not likely to result in the recovery of your files. In fact, the Swansea, Mass., police department paid to have its own files decrypted last November. If the encrypted files cannot be recovered from a previous backup and are important to the continued operation of the business (or the livelihood of the individual), paying the ransom might be the best course of action.

Keep in mind, however, that criminals using file-encryption tactics are under no obligation to actually decrypt your files once you have paid the ransom. Researchers suspect that some ransomware lacks the back-end infrastructure to store, and later hand back, the key needed to decrypt an infected user's files after the ransom is paid.

The ZeroLocker issue
One ransomware variant that raises this question is ZeroLocker. After ZeroLocker encrypts your files, it sends the encryption key, along with other information, to a pre-determined server in the query string of an HTTP GET request rather than in the body of a POST. The server answers that request with a 404, which suggests that nothing on the server side is handling or storing the key. So if you pay the ransom, you may not see your files restored. On the other hand, you might. One small consolation of the GET design: because the key travels in the URL, a proxy or IDS that logs full request URLs may have recorded it (possibly encoded), which is worth checking before you pay anyone.
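A practitioner reading the paragraph above will want to go and look in the proxy logs. The PowerShell below is an added example written for this page, not code from the article or from any ZeroLocker analysis: it sweeps a web-proxy log for GET requests that carry a long, high-entropy query-string value and were answered with a 404, the shape of the key upload described above. The log format, host names and parameter values are constructed for the example and are not real ZeroLocker indicators; the length and entropy thresholds are assumptions to tune against your own baseline of benign query strings.

```powershell
# Added example, not from the original article: hunt a web-proxy log for GET requests that
# carry a long, high-entropy query-string value and were answered with HTTP 404, the shape of
# the key upload described for ZeroLocker. Log format, hosts and values are constructed for
# this example; they are not real ZeroLocker indicators.
$sampleLog = @'
2014-09-15T10:01:02Z 10.0.0.21 GET http://intranet.example.local/news?id=42 200
2014-09-15T10:01:09Z 10.0.0.21 GET http://cdn.example.com/app.js 200
2014-09-15T10:02:44Z 10.0.0.37 GET http://198.51.100.23/k.php?id=7f3a9c&k=Vm9pZCBvZiBhbGwgaG9wZSwgdGhpcyBpcyBub3QgYSByZWFsIGtleSBhdCBhbGw= 404
2014-09-15T10:02:45Z 10.0.0.37 POST http://198.51.100.23/upload.php 404
2014-09-15T10:03:10Z 10.0.0.41 GET http://example.org/search?q=quarterly+report+2014 200
'@

# Shannon entropy in bits per character; random keys and base64 blobs score well above prose or IDs.
function Get-Entropy([string]$Text) {
    if ([string]::IsNullOrEmpty($Text)) { return 0.0 }
    $counts = @{}
    foreach ($c in $Text.ToCharArray()) { $counts[$c] = 1 + [int]$counts[$c] }
    $h = 0.0
    foreach ($n in $counts.Values) {
        $p = $n / $Text.Length
        $h -= $p * [Math]::Log($p, 2)
    }
    return $h
}

function Find-KeyUpload {
    param(
        [string[]]$Lines,
        [int]$MinLength     = 32,   # shorter values are usually ordinary IDs or search terms (assumed threshold)
        [double]$MinEntropy = 4.0   # assumed threshold; tune against your own benign query strings
    )
    foreach ($line in $Lines) {
        # Constructed format: <timestamp> <client> <method> <url> <status>
        $f = $line -split ' '
        if ($f.Count -lt 5) { continue }
        $time, $client, $method, $url, $status = $f[0], $f[1], $f[2], $f[3], $f[4]
        # Only the pattern from the article: a GET that the server answered with 404.
        if ($method -ne 'GET' -or $status -ne '404') { continue }
        if ($url -match '\?(.+)$') {
            foreach ($pair in ($Matches[1] -split '&')) {
                $name, $value = $pair -split '=', 2
                if (-not $value -or $value.Length -lt $MinLength) { continue }
                $e = Get-Entropy $value
                if ($e -ge $MinEntropy) {
                    [pscustomobject]@{
                        Time    = $time
                        Client  = $client
                        Host    = ([uri]$url).Host
                        Param   = $name
                        Length  = $value.Length
                        Entropy = [Math]::Round($e, 2)
                    }
                }
            }
        }
    }
}

# Only the third constructed line should surface: GET, 404, and a 64-character base64 value in "k".
Find-KeyUpload -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

Feed it real proxy lines (after adapting the split to your log format) and review every hit by hand: a long, random-looking value that went out in a GET and drew a 404 is exactly the kind of thing that is worth preserving before the log rotates, whether it turns out to be a key or not.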

There will likely never be a Yelp or Angie's List review for a "reliable and honest online extortion racket," so unless you actually go through the motions of paying the ransom yourself or hear about the experiences of other infected users, you really won’t know the outcome.

With the current strain of CryptoLocker, the FireEye/Fox-IT Decrypt CryptoLocker site can be used to recover encrypted files without paying the demanded ransom. It works because the private keys were obtained from the CryptoLocker infrastructure during the Operation Tovar takedown, not because the encryption itself was broken, so the service is not a silver bullet for future strains of CryptoLocker, nor will it help with files encrypted by other crimeware kits such as ZeroLocker, CryptorBit, or CryptoWall.

If your files are not recoverable from a backup and you are running a reasonably current Windows desktop release (Windows Vista and later), you may still be able to get pre-encryption versions back from the Volume Shadow Copy snapshots that System Restore (System Protection) takes of the drive. A tool such as Shadow Explorer, or Windows' built-in Previous Versions tab, reads those snapshots and lets you copy out an older version of a file. This only works if a snapshot that predates the infection exists and the malware did not delete the shadow copies first, so check for surviving snapshots before counting on this route.

For step-by-step instructions on restoring files this way, the CryptoLocker guide on the Bleeping Computer website is an excellent resource.
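The Shadow Explorer / Previous Versions route above can also be scripted, which matters when you have hundreds of files to check. The PowerShell below is an added example written for this page, not code from the article or from Bleeping Computer: it lists the shadow copies of the file's volume, mounts each one through a directory symlink, copies out every version of the file it finds, and hashes each copy so you can see at which snapshot the content changed. It assumes an elevated PowerShell on Windows Vista or later, that System Protection is enabled for the volume, and that the shadow copies still exist; the file and output paths are hypothetical.

```powershell
# Added example, not from the original article: copy pre-encryption versions of a file out of
# the Volume Shadow Copy snapshots that System Protection keeps (the same data Previous Versions
# and Shadow Explorer read). Assumes: run as Administrator on Windows Vista or later, System
# Protection is enabled for the volume, and the malware did not delete the snapshots. The file
# and output paths below are hypothetical.
param(
    [string]$File   = 'C:\Users\alice\Documents\budget.xlsx',
    [string]$OutDir = 'C:\Recovered'
)

$driveLetter = [IO.Path]::GetPathRoot($File).TrimEnd('\')   # "C:"
$relative    = $File.Substring($driveLetter.Length + 1)      # "Users\alice\Documents\budget.xlsx"

# 1. Map the drive letter to its volume GUID, then list that volume's snapshots, oldest first.
$volume  = Get-WmiObject Win32_Volume | Where-Object { $_.DriveLetter -eq $driveLetter }
$shadows = Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object { [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) }

if (-not $shadows) {
    Write-Warning "No shadow copies exist for $driveLetter. Many ransomware families delete them (vssadmin delete shadows), so this route is closed; fall back to backups."
    return
}

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$sha256 = [Security.Cryptography.SHA256]::Create()

foreach ($s in $shadows) {
    $taken = [Management.ManagementDateTimeConverter]::ToDateTime($s.InstallDate)
    # 2. Expose the snapshot as a directory symlink. The trailing backslash on the device path is required.
    $link = Join-Path $env:TEMP ('vss_' + $s.ID.Trim('{}'))
    cmd /c mklink /d "$link" "$($s.DeviceObject)\" | Out-Null
    try {
        $candidate = Join-Path $link $relative
        if (Test-Path -LiteralPath $candidate) {
            # 3. Copy out every version, named by snapshot time, and hash it: the last version
            #    before the hash changes to the encrypted one is the copy you want.
            $dest = Join-Path $OutDir ('{0:yyyyMMdd_HHmmss}_{1}' -f $taken, (Split-Path $File -Leaf))
            Copy-Item -LiteralPath $candidate -Destination $dest
            $stream = [IO.File]::OpenRead($dest)
            try     { $hash = ([BitConverter]::ToString($sha256.ComputeHash($stream))) -replace '-', '' }
            finally { $stream.Close() }
            Write-Output ('{0}  {1}  {2}' -f $taken, $hash.Substring(0, 16), $dest)
        }
    }
    finally {
        # 4. Remove only the link. Do not use Remove-Item -Recurse here: on older PowerShell it
        #    follows the symlink and tries to delete inside the (read-only) snapshot.
        cmd /c rmdir "$link" | Out-Null
    }
}
```

Run it once per file (or wrap the body in a loop over a list of paths), then take the newest copy whose hash still matches the unencrypted content and open it to confirm. Note that the snapshots are point-in-time, so anything edited between the last snapshot and the infection is lost regardless; that gap is the argument for proper backups.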

Be prepared
There are steps you can take to mitigate or prepare for the next massive ransomware outbreak. Organizations should revisit and reinforce policies covering the frequency of data backups (and the regular testing of restores from them; a backup you have never restored is not yet a backup), where those backups live (ransomware also encrypts files on mapped network drives, so at least one copy must be somewhere the infected machine cannot write), acceptable email use, and user education to help combat future infections. The policy should apply to every device in the infrastructure: laptops, servers, and workstations as well as cloud instances, employee-owned devices, and even IoT systems.

Individual end-users, including home and remote users, need to be particularly vigilant because the majority of ransomware packages are delivered as email attachments, or as second-stage malware downloaded after an initial email attachment is executed. If you (or users in your organization) are at all unsure about an unexpected email asking you to download or view a PDF, DOC, or PPT file, don't follow the email's instructions. Pick up the phone and call the sender (if you know them), or delete the email entirely. If it is important, it can always be resent after its validity has been confirmed.

The delivery methods for ransomware continue to evolve: from native email attachments, to downloaders that fetch additional malware, to automated bots that pepper the Internet with documents just begging to be opened. Since delivery mechanisms are ever-changing, organizations need to adopt a predictive approach to defending against ransomware. Being able to discern the patterns criminals employ before an attack occurs leaves organizations far better prepared to mitigate any ransomware infections after the fact. This concept is known as predictive intelligence. In my next post I will explain how it works.

Andrew Hay is the CISO at DataGravity where he advocates for the company's total information security needs and is responsible for the development and delivery of the company's comprehensive information security strategy. Prior to that, Andrew was the Director of Research at ...
Comments
RyanSepe, User Rank: Ninja, 9/22/2014 | 11:41:27 AM
Backups and Malware Scans
I've seen this happen in corporate and personal occurrences. From a corporate standpoint, the ones who had defined in policy not to allow the saving of materials to local drives were normally better off than those in the other scenario. Network drives that have the appropriate security safeguards and that are backed up to another location seem to be the most logical configuration to fight against ransomware from a corporate standpoint.

The only advice I can give to the individual user is to have antivirus and malware scanning capabilities. Scan on a regular basis, and back up your materials to a device such as an external drive that doesn't regularly touch the internet. Before attaching the device, make sure you scan your computer first to ensure the integrity of your system's current config.