Ransomware Primer

29 Apr 2016

As a proud Australian I take inordinate pride when Australia and Australians succeed on the world stage. A country that ranks about 56th in the world by population certainly achieves far more than our relatively small population would lead one to expect.

Amongst other things, I take pride in Australia’s sporting prowess, its scientific achievements and its contribution to the world’s artistic environment. But there is certainly one area where Australia is leading the world that is not so positive: Cybersecurity.

According to a recent article from CSO Australia, we were the number one target in the world in 2015 for ‘ransomware’ attacks. Due to our relative wealth and lax approach to security (she’ll be right mate) Australia is an attractive target.

Australia has consistently been in the top ten list of ransomware attacks since the early days of ransomware, so it is not altogether surprising, nor unbelievable, that we finally managed first place.

If you are not familiar with ransomware, it is a name given to several rather nasty pieces of malware that essentially encrypt your data and then ‘charge’ you if you want the decryption key. The cyber-criminals use strong commercially available encryption algorithms that are resistant to attack even at the ‘national level’ (US vs Apple) so recovering the data by defeating the encryption is usually impossible.

In other words, if you are the victim of a ransomware attack you are, most likely, either going to lose data (everything since the last ‘safe’ backup) or you are going to pay.

Ransomware, in the early days, primarily targeted SOHO environments. Hitting a mum-and-dad operation was relatively easy due to the lack of security awareness and since the target was so small there was a relatively small chance they would be caught.

Ransomware developers did not ‘charge’ exorbitant ransoms to unlock the data. A few hundred dollars (usually increasing the longer the payment was delayed) was often a cheaper option than having to restore/rebuild. In a ‘twisted’ way the ransomware developers operated with a fairly good ‘customer service’ ethic and although there was no guarantee, they usually provided the decryption key if the ransom was paid. As a result, the business model seemed to work.

However, of late, the ransomware developers are targeting larger environments. A recent ransomware infection at the Hollywood Presbyterian Medical Centre resulted in a partial evacuation of patients, problems in the operating rooms, etc., forcing the hospital to pay a ransom of approximately US$17,000 (rumours suggested US$3.5 million, but the hospital denies that). This was by no means an isolated incident, and a senior FBI official has reportedly ‘unofficially’ given the advice that paying the ransom is often the most effective way of dealing with the infection (Special Agent Joseph Bonavolonta at the 2015 Cyber Security Summit, Boston).

Ransomware has primarily depended on ‘social engineering’. These attacks involve Trojan-horse style attacks where ‘malware’ is disguised as legitimate software or apps. Australians in particular seem to revel in ‘sharing’ new software and apps, often spreading the malware as a result. Phishing attacks, which rely on the victim clicking a link in an email, instant message or social media post, are also quite common. Malware is now also being delivered via ‘drive-by’ attacks, where infected websites download the malware in the background (without the user’s knowledge) or via the user clicking a malicious link. Interestingly, one of the most common attack vectors is still the venerable ‘macro virus’!

Finally, another point of concern is that the malware developers are also using techniques to identify the location (for example based on IP address) and then the malware ‘customises’ itself to reflect the locale. This, of course, allows the ‘bait’ to look even more legitimate.

It’s not all bad news though. The avenues of attack (the attack vectors) are well known and with the right user education, security policies and well trained, alert security staff these attacks can be headed off before they impact your business.

Educate your users. Perhaps unfairly, perhaps not, but users are often considered the ‘weakest link’ in the security chain. I have advised for many years that no matter what technical measure you put in place, if your users are not security aware you have left a gaping hole in your defences.

The advice is fairly simple, and I am sure you have heard it all before, but amongst others:

  • don’t open emails or attachments from people you don’t know, and be wary even when the email appears to come from a known source,
  • don’t click on links in emails that ‘don’t look right’,
  • avoid ‘pirated’ software,
  • don’t relax security settings on your browser (actually tighten them up if required),
  • browse wisely,
  • backup your data regularly,
  • keep anti-malware/anti-virus patterns (signatures) up-to-date,
  • and keep your patching regime up-to-date.

Of course, that is not a comprehensive list but certainly will cover some of the most likely attack vectors.
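The ‘last safe backup’ point above is only as good as your ability to tell a clean snapshot from one that has already been silently encrypted. As an added illustration (not from the original post), the Python below compares a directory against the hash manifest recorded at the last good backup and flags the mass-rewrite-into-high-entropy pattern that file-encrypting ransomware leaves behind; the 7.5 bits/byte threshold and the 50% cut-off are assumptions to tune for your own data.

```python
import hashlib, math, os, tempfile
from collections import Counter

HIGH_ENTROPY = 7.5  # bits/byte (assumed): ciphertext sits near 8.0, documents and text well below

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root: str) -> dict:
    """Relative path -> SHA-256 of every file under root (record this at backup time)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def assess_snapshot(root: str, last_good: dict, max_suspect_ratio: float = 0.5) -> dict:
    """Compare root against the last-good manifest; mass rewrites into high-entropy
    content (or mass deletions) are the fingerprint of an encryption run in progress."""
    current = build_manifest(root)
    missing = sorted(p for p in last_good if p not in current)
    changed = sorted(p for p in current if p in last_good and last_good[p] != current[p])
    suspect = []
    for rel in changed:
        with open(os.path.join(root, rel), "rb") as fh:
            if shannon_entropy(fh.read()) >= HIGH_ENTROPY:
                suspect.append(rel)
    ratio = (len(suspect) + len(missing)) / max(len(last_good), 1)
    return {"missing": missing, "changed": changed, "suspect": suspect,
            "safe_to_rotate": ratio < max_suspect_ratio}

def demo() -> dict:
    """Constructed scenario: four text documents, then three are overwritten with random
    bytes to stand in for ciphertext. The verdict should be 'do not rotate the backup'."""
    root = tempfile.mkdtemp()
    for i in range(4):
        with open(os.path.join(root, f"doc{i}.txt"), "w") as fh:
            fh.write("quarterly report text " * 50)
    good = build_manifest(root)  # what the last safe backup recorded
    for i in range(3):
        with open(os.path.join(root, f"doc{i}.txt"), "wb") as fh:
            fh.write(os.urandom(4096))
    return assess_snapshot(root, good)
```

Run `demo()` to see the verdict on the constructed scenario; in practice you would store the manifest alongside each backup and run `assess_snapshot` before rotating the oldest copy out.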

CERT Australia has a good advisory that deals specifically with CryptoLocker but also contains some useful general defence hints. It’s well worth spending a few minutes reading it.

DDLS offers comprehensive security training for everyone from computer users (Certified Secure Computer User), administrative staff (Security +) and security staff (Certified Ethical Hacker).