Friday, April 29, 2016

Crypto Ransomware Awareness

By: Lucas Zrelak, CISSP

What is Crypto Ransomware?

Crypto Ransomware is a type of malware that, when run, will encrypt files on your computer and on any attached drives.  There are also more sophisticated versions, such as LOCKY, that will not stop with just your computer, but will scan an entire corporate network in an attempt to encrypt anything the executing user has access to.  It uses very strong encryption and is difficult to decrypt without paying for the key to unlock it.  Paying to unlock the files must not be an option, as this will only serve to validate the malicious actor’s actions.


How do I recognize Crypto Ransomware?


Crypto Ransomware can be difficult to recognize, but there are telltale signs.  It generally is executed from attachments received through email such as emails claiming to be invoices or scanned documents that may even say they are coming from within your company.  Some signs that these emails are malicious are as follows:


  • The email seems incomplete or rushed
  • The email contains spelling mistakes
  • The email does not use your actual name, for example addressing you as “Dear customer”
  • An unrecognized company or sender
  • The email is unexpected

If the email you have received fits any of the above, it is best to just delete it.  If you think the email may be legitimate, you should contact the sender to confirm that they actually sent you the email and attachment prior to downloading and opening it.
If you do download an attachment and open it and receive a message stating that the text is unreadable and that you must enable macros to read it, stop there.  Most documents will not contain a macro, especially invoices.
 

Conclusion

Preventing Crypto Ransomware begins with the end user and their awareness.  You must be vigilant to protect not only company data, but your personal data as well.  It is important to be aware of what you are downloading, and if you recognize any of the above signs, it’s always better to err on the side of caution.


Friday, April 15, 2016

Crypto Ransomware

By: Lucas Zrelak, CISSP

How does it work?

Crypto ransomware generally infects a computer after a user downloads and runs an email attachment.  These attachments can be Word documents with embedded macros, JavaScript files, zip files, hidden executables, etc.  Once the file has been downloaded and executed, the encryption of files on your computer begins.  The files that are encrypted vary by the flavor of ransomware you have executed, but are generally TXT files, Microsoft Office files, PDF files, picture files, etc.  Once a file is encrypted it is generally renamed, and the extension that is appended is what helps identify the type of ransomware you have been hit with.  The problem is, it doesn’t stop with just your local computer.  Most crypto ransomware will then find any drives attached to your system and begin to encrypt files there as well.  These drives can be direct-attached external storage or network shares.  As if that weren’t bad enough, ransomware is getting even more sophisticated.  LOCKY ransomware, for example, introduced the ability to scan your entire network and encrypt files on any share that is available to the user who executed the ransomware.  This can make it extremely difficult to identify all of the locations that have been hit and extends the damage far beyond what was previously possible.

What to do when your files have been encrypted?


First you need to identify which locations have actually been hit by the ransomware.  This can be a difficult task, but there are tools that can assist with an automated search.  A tool such as LAN Search Pro, when run by a Domain Admin, can search your entire network or specified IP address ranges for any files with identified extensions, such as .locky.  The identified files can be exported to a CSV file, where they can then be sorted by location to help identify which shares have been compromised.
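The search-and-export step above, as an added example that is not part of the original post and does not use LAN Search Pro: it walks the roots you give it (local folders or mapped/UNC share paths), collects every file carrying a known ransomware extension, and writes a CSV sorted by location; the sample share tree it builds is constructed for the demonstration.

```python
"""Scan one or more roots (local folders or mapped/UNC share paths) for files
carrying a known ransomware extension and write a CSV sorted by location."""
import csv
import os
import tempfile
from collections import Counter

RANSOM_EXTENSIONS = {".locky"}  # from the post; add others once the strain is known


def find_encrypted_files(roots, extensions=RANSOM_EXTENSIONS):
    """Return one dict per matching file: root, directory, name, size."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if os.path.splitext(name)[1].lower() in extensions:
                    hits.append({"root": root, "directory": dirpath, "name": name,
                                 "size": os.path.getsize(os.path.join(dirpath, name))})
    # Sort by location so the report reads share by share, folder by folder.
    hits.sort(key=lambda h: (h["root"], h["directory"], h["name"]))
    return hits


def summarize_by_location(hits):
    """Count hits per directory, most affected first: the restore worklist."""
    return Counter(h["directory"] for h in hits).most_common()


def write_report(hits, csv_path):
    """Write the sorted hits to CSV for the restore team."""
    with open(csv_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["root", "directory", "name", "size"])
        writer.writeheader()
        writer.writerows(hits)
    return csv_path


def build_sample_tree():
    """Constructed sample data standing in for a hit network share."""
    base = tempfile.mkdtemp(prefix="share_")
    for rel in ("finance/q1.xlsx.locky", "finance/q2.xlsx.locky",
                "hr/policy.docx", "hr/old/form.pdf.locky"):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample")
    return base


if __name__ == "__main__":
    share = build_sample_tree()
    found = find_encrypted_files([share])
    print(summarize_by_location(found), write_report(found, os.path.join(share, "hits.csv")))
```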

Now that you have identified the compromised locations and files you can begin the restore process.  This is where your backup solution and schedule play a large role.  I cannot stress enough how important it is to have proper backups of important data.  It’s always good to have a weekly full backup as well as incremental backups performed each night that a full backup is not scheduled.  This can help limit the amount of data that is lost.  The frequency of the backups depends on the importance of your data, of course, but that is something that must be determined by the business unit that accesses the data.  Any data that cannot be restored from a backup location will be lost unless you pay the ransom requested, as the encryption used tends to be very strong and very hard to break.

Thankfully, there are also organizations and individuals out there that are constantly working on breaking this encryption.  For example, the PETYA ransomware, which worked by encrypting your master boot record and essentially rendering your computer useless, has recently been cracked.  You can now get the password to decrypt your hard drive without having to pay, but unfortunately this is more the exception than the rule.

How can I prevent ransomware from happening in the first place?


Of course the number one answer to the question of “How can I prevent ransomware from happening?” is going to be awareness.  Awareness is always the best answer.  Train yourself and train your users.  Do not open attachments that you are not expecting.  If you think the attachment may be legitimate, contact the person that sent it and make sure that it truly is something that they intended to send to you.  If you can stop it from ever being downloaded and executed then you’re already a step ahead.

However, no matter how many times you raise awareness, there will be times when that awareness goes out the window and the attachment is downloaded and executed.  Standard antivirus solutions such as McAfee or Norton cannot always catch ransomware, as it’s not really a virus.  It’s a program that is executed and simply encrypts your files.  Malware protection with up-to-date DAT files can block it as well, but with how quickly new ransomware packages are created and released it can be tough for them to keep up.

That doesn’t leave a lot of options; however, there are other ways to prevent ransomware.  Local computer security policy can play a large role in preventing ransomware, and even other types of malware, from running even after it has been downloaded and the user tries to execute it.  By disallowing execution of files from locations such as %appdata%, %programdata%, %userprofile%, and startup folders, which is where the majority of ransomware and malware execute from, we can stop it before it starts.

The challenge this can introduce, however, is that some legitimate applications execute from these locations.  We don’t want to cripple our users by applying these policies, even if it does save our data.  That’s where software like CryptoPrevent from FoolishIT.com can come into play.  This software provides an easy way to implement the required local security policies, but also provides a way to whitelist specific locations that are valid so that legitimate programs can be executed when needed.  To identify such programs, CryptoPrevent logs any blocked executions to the Event Viewer so that you can see which location the program was blocked from and add an entry to allow it.
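A model of the deny-with-whitelist policy described in the two paragraphs above, added here as an example; it is not CryptoPrevent's code and does not touch Windows policy. It assumes a constructed environment (ENV) instead of the real one, a hypothetical allow entry under %APPDATA%, and the Software Restriction Policy convention that the most specific matching path rule wins, which is what lets an allow entry for a subfolder override the deny on its parent.

```python
"""Model of the policy described above: execution is disallowed from %APPDATA%,
%PROGRAMDATA%, %USERPROFILE% and the Startup folder, an allow list exempts
legitimate programs, and the most specific matching path rule wins (as with
Software Restriction Policies), so an allow entry overrides the deny on its parent."""
import ntpath

# Constructed environment so the model runs anywhere; on a real host use os.environ.
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "PROGRAMDATA": r"C:\ProgramData",
    "USERPROFILE": r"C:\Users\alice",
}
STARTUP = r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
DENY_LOCATIONS = ["%APPDATA%", "%PROGRAMDATA%", "%USERPROFILE%", STARTUP]
# Hypothetical allow entry for a legitimate program installed under %APPDATA%.
ALLOW_LOCATIONS = [r"%APPDATA%\ExampleVendor\bin"]

def expand(path, env=ENV):
    """Expand %VAR% references and normalise case/separators for comparison."""
    for name, value in env.items():
        path = path.replace(f"%{name}%", value)
    return ntpath.normcase(path)

def build_rules(deny=DENY_LOCATIONS, allow=ALLOW_LOCATIONS, env=ENV):
    """Return (expanded_prefix, level) pairs for every deny and allow location."""
    rules = [(expand(p, env), "Disallowed") for p in deny]
    rules += [(expand(p, env), "Unrestricted") for p in allow]
    return rules

def decide(exe_path, rules, env=ENV):
    """Return (level, matched_prefix); files outside every rule are Unrestricted."""
    target = expand(exe_path, env)
    matches = [(prefix, level) for prefix, level in rules
               if target == prefix or target.startswith(prefix + "\\")]
    if not matches:
        return "Unrestricted", None
    prefix, level = max(matches, key=lambda m: len(m[0]))  # most specific wins
    return level, prefix

def check_and_log(exe_path, rules, log):
    """Block or allow, recording blocks the way CryptoPrevent logs them to Event
    Viewer so an administrator can decide whether to add an allow entry."""
    level, prefix = decide(exe_path, rules)
    if level == "Disallowed":
        log.append(f"BLOCKED {exe_path} (rule: {prefix})")
    return level
```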

Where should software like CryptoPrevent be installed?


CryptoPrevent should be installed on any endpoint where users may access their email and download attachments.  You may wonder if it should be placed on servers.  While I don’t necessarily see a problem with this, it won’t prevent server shares from being compromised by a standard user who has executed the ransomware from their workstation.  The shared location just sees this type of activity as copying a file, renaming a file, etc.  This is all considered normal activity.  There are, of course, solutions that can help detect mass file changes and prevent them after so many occur, but those solutions can be very expensive.
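The mass-file-change detection mentioned above, as an added example that is not from the post or any product it names: it runs a per-account sliding window over constructed file-server audit lines, alerts when one account renames or writes more than a threshold of files within the window, and tallies the extension the renames produce, which is what identifies the strain. The log format (time, account, operation, path) is an assumption for the demonstration.

```python
"""Flag a burst of renames/writes by one account on a file share: each event
looks like normal user activity, but many in a short window is the signature
of a workstation encrypting everything its user can reach."""
import ntpath
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-server audit lines: time, account, operation, path(s).
SAMPLE_LOG = r"""
2016-04-15T09:00:01 bob   WRITE  \\fs01\finance\budget.xlsx
2016-04-15T09:12:40 alice RENAME \\fs01\finance\q1.xlsx -> \\fs01\finance\D3F1A9.locky
2016-04-15T09:12:41 alice RENAME \\fs01\finance\q2.xlsx -> \\fs01\finance\7C02BE.locky
2016-04-15T09:12:41 alice RENAME \\fs01\finance\notes.txt -> \\fs01\finance\E51D00.locky
2016-04-15T09:12:42 alice RENAME \\fs01\hr\policy.docx -> \\fs01\hr\91AA4C.locky
2016-04-15T09:12:43 bob   READ   \\fs01\finance\budget.xlsx
2016-04-15T09:12:44 alice RENAME \\fs01\hr\form.pdf -> \\fs01\hr\0B77F2.locky
2016-04-15T09:15:00 bob   WRITE  \\fs01\finance\budget.xlsx
"""

def parse_line(line):
    """Split one audit line into (timestamp, account, operation, path text)."""
    ts, user, op, rest = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, op, rest

def detect_mass_changes(lines, threshold=5, window=timedelta(seconds=60)):
    """Per-account sliding window over RENAME/WRITE events; returns
    {account: (window_start, count)} for each account reaching the threshold."""
    recent = defaultdict(deque)
    alerts = {}
    for line in filter(str.strip, lines):
        ts, user, op, _ = parse_line(line)
        if op not in ("RENAME", "WRITE"):
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = (q[0], len(q))
    return alerts

def new_extensions(lines):
    """Count the extension each RENAME produced; the dominant one names the strain."""
    exts = Counter()
    for line in filter(str.strip, lines):
        _, _, op, rest = parse_line(line)
        if op == "RENAME" and " -> " in rest:
            exts[ntpath.splitext(rest.split(" -> ", 1)[1])[1].lower()] += 1
    return exts
```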
 

Conclusion


There are, of course, other options than CryptoPrevent for preventing execution and LAN Search Pro for finding locations that have been compromised; however, these are the solutions that I have tested and found to be very good at what they do, and that is why they are highlighted here.  The more research we all do into preventing the execution of these types of ransomware and/or providing solutions to mitigate the damage and speed the recovery should that damage occur, the less effective ransomware will become.  If ransomware becomes less effective and those who were making money off of it stop getting paid, then perhaps we will see it drop off.  Until then, we must raise awareness, block what we can block, and ensure that our data is properly backed up should it become compromised.