» » » Ransomware Prevention – Responding to WannaCrypt

Ransomware Prevention – Responding to WannaCrypt

posted in: Blog | 0

The WannaCrypt Scare – Part I

The global WannaCrypt ransomware attack that hit over 230,000 victims in at least 150 countries on Friday 5/12/17 sparked concern about how businesses can best protect themselves from ransomware.

What is Ransomware?

Ransomware is malware that encrypts the victim’s files (on the PC’s hard drive and any connected devices) and demands a ransom payment, in an untraceable digital currency called Bitcoin, to receive the decryption key. If ransom is not paid within the specified time period, the price to recover the files increases.  After a longer time period, failure to pay results in the permanent deletion of the decryption key.  There is no guarantee that paying the fine to the hackers will give you access to your PC or files again.

A ransomware infection is most often the result of clicking on a malicious link in a phishing email or opening a malicious email attachment, but ransomware can also be delivered when victims click on malicious advertisements on websites.  A computer can also be infected by other computers.

WannaCrypt Ransomware – how did it spread to so many private and public sector organizations?

In the case of this recent attack, WannaCrypt ransomware targets Windows 7, Windows XP and other older Microsoft operating systems by exploiting a known vulnerability in the operating systems.  The vulnerability was identified by the NSA, and was stolen and then leaked by hackers.  Other names for this ransomware are WannaCry, WanaCrypt0r and Wana Dycrypt0r.

Microsoft issued a patch for the targeted vulnerability in March, but those who were victims of this attack had not installed it.  WannaCrypt does not affect Windows 10 or the older systems that have been patched with the latest security patches.

The threat arrives as a dropper Trojan and spreads like a worm to unpatched Windows machines in the local network and by executing massive scanning on Internet IP addresses to find and infect other vulnerable computers.  To slow the spread of WannaCrypt ransomware, Microsoft made a rare exception to its policy of only issuing patches to supported operating systems and issued a patch after the attack that protects even Windows XP.

Shortly after the attack, new infections stopped when a malware researcher discovered a web domain in the code and registered that domain.  This was a hard coded kill switch.  The malware could not spread as a worm if it could not connect to that domain.  This delayed the spread of the initial infection.  However, new versions of the malware have since been detected.

It is believed that the initial infection point of WannaCrypt ransomware was a Spear Phishing email.

What are Phishing and Spear Phishing?

Cybercriminals frequently “fish” for confidential information by sending phishing emails to unsuspecting victims.  The emails often appear to be from a company with which you regularly do business.  If you fall for the bait and click on the malicious link in the email, you may be redirected to a look-alike site in which enter your login credentials and provide other information – directly to the cybercriminal.

Other phishing emails, are designed to install malware on your computer.  If you open the attachment, your computer will be infected.

Spear Phishing emails, like the one that may have started WannaCrypt, are targeted Phishing emails that appear to be from a known or trusted sender, using information about the target to make the email appear legitimate.

Don’t fall for Phishing! (and other things users should know)

Your IT provider should be proactive about security, keeping your company’s systems patched and using a defense-in-depth strategy to protect your systems. However, even the most secure infrastructure can be bypassed through user error.  Most ransomware infects a computer through Social Engineering – tricking a user to click on a link or open a malicious file.  These are some things your users should know about cyber security so they will not invite ransomware into your network.

  1. Hover over links before clicking

Cyber criminals use links to direct people to install malware or to collect data.  The link might direct you to a site that installs malware on your computer.  Or the link may direct you to a fraudulent site (that appears to be a legitimate site such as a bank website) to collect your login credentials.  Employees should verify that links are legitimate before they click on them.  Fraudulent sites often contain a domain name that is similar to a legitimate site, but having a misspelling or a different domain name suffix (such as .com or .org).

Employees should be trained to place their mouse over the link without clicking, and look at the popup that shows the site to which they will be directed if they click on the link.  They should only click on the link if the domain name looks legitimate.

An email account can be commandeered by a hacker to send mass emails to everyone in the address book.  These emails frequently contain only a link.  If the content of the email does not reference the link, send a new email to the person who appears to be the sender and ask if they sent it.  Do not click the link.

  1. Don’t open suspicious attachments

Malware can be delivered in attachments.  If you receive an email from an unknown sender that does not reference the attachment, don’t open the attachment.  Even if you receive an email from a friend or colleague, be wary of files that have a .zip, .vbs or .exe format. These files can contain malware that will make changes to your computer.  Note that malware is sometimes hidden in files that have a double file extension such as “name.pdf.exe” and may even have the icon of the application you know and trust, in this case .pdf.

  1. Look at the email address of the sender of the email

Is the sender who you believe it to be?  Check the email address.  Hackers may spoof a legitimate email address by changing one letter in the domain name, so you believe that the email is from your boss or friend.  If the spoofed domain is a registered domain name, it can get past your spam filter.

  1. Don’t use your computer under an administrator account

If a virus infects a computer that is running in administrator mode, it can spread and make changes on the computer.  If that computer is attached to a network, it can make these changes to every computer on the network!   While it is necessary to use the computer as an administrator to install software, regular work should not be done in administrator mode.

  1. Remember password safety

Passwords are more of a concern to protect against data breaches than to prevent ransomware, but password safety should be included in any discussion about cybersecurity.  Use strong passwords – with upper and lower case letters, numbers and symbols, and a minimum of 8 characters.  Use a different password for each site, so if they are breached on one site, they cannot be used to access another site.  Change passwords periodically, so if a password is breached, it cannot continue to provide access.  Don’t share your passwords with anyone else.

Don’t let Ransomware like WannaCrypt make you Wanna Cry.  Restore from Backup.

As cyberattacks become even more sophisticated and targeted, even the best end-point protection and user training cannot protect against them.  As part of its proactive cybersecurity strategy (reviewed in Part 2), your IT provider should back up both systems and data.  (If your systems are not backed up, you will need to re-install your operating system, settings and applications before you can restore your files, a time-consuming process.)  In the event that ransomware does succeed in bypassing the protections, and in the event of other disasters, your IT provider can restore your systems and data from backup.  You should never need to pay the ransom to receive the encryption keys to restore your data.