Focal Point: Beware of ransomware, says Threatscape’s Williams
11 April 2016 | 0
The usual aim of criminal hackers and malware spreaders is to steal some information from you that would be of value to them. Now there is ransomware, which is not aimed at getting your information but at preventing you from doing so. Essentially, a small but powerful bit of malicious code is infiltrated to your systems which encrypts and locks your data away from access. You are then asked to pay a ransom to get the decryption key.
It is a clever crime in many ways. Once the data is locked, the criminal needs to do nothing else, so cannot be caught through further activity like selling on the data to other crooks. The data kidnappers are effectively untraceable, even when a ransom payment is made. That is because they look for bitcoin, which is itself anonymised and encrypted, so ‘Follow the money’ is not a viable detection technique.
It is also a crime with a high rate of success, unfortunately. It can attack businesses, state agencies, ordinary consumers and students and little old ladies. It has been successfully perpetrated against IT firms and even police forces in the USA. A recent survey suggested that up to 20% of Irish businesses have been victimised.
Cryptolocker is probably the best known ransomware variant but others include Cryptowall, AlphaCrypt and TeslaCrypt. Not that the branding matters. What they all do is stealthily encrypt target file types, the ones that are most likely to be indispensable to the person or organisation.
Remember the phrase ‘script kiddies’ in relation to mischievous hacking? Today we have almost the same with ransomware being constructed using tools kits such as Angler, Nuclear, Neutrino and Magnitude – all easy available to anyone with the money to pay.
There are two main methods attackers use to get their malicious code onto victim’s computer. Neither are new, but one slip in how your defences are designed and configured is all an attacker requires.
First we have the old stalwart of malware propagation – email attachments. Educating users reduces the risk but does not eliminate it. Even the tech savvy can be misled by executables with less obvious file extensions, or wrapped into a .ZIP or dressed up with a misleading icon. A good anti-virus solution will zap most malicious code but nothing can detect 100%. Attackers invest enormous efforts — and often great talent — into crafting new code designed to evade detection. If in any doubt, delete all incoming executable files at your mail gateway or server.
Then there is web traffic. Users may access an infected email on a web mail site, or visit a legitimate web site which has been compromised with malware, or be tricked by a phishing email into visiting one created specifically to spread malware. The latter can be hard to recognise, as the drive in recent years to get web sites to improve their security by encrypting all traffic, facilitated by the introduction of free SSL certificates, has had an unintended consequence. Now malware criminals can set up web sites at little or no cost which use SSL encryption (https) to give them with a spurious air of authenticity.
“There are two main methods attackers use to get their malicious code onto victim’s computer. Neither are new, but one slip in how your defences are designed and configured is all an attacker requires”
But even worse, the encryption means older firewalls cannot decrypt and inspect the web traffic, opening a massive hole in network defences. If you are allowing SSL connections from within your organisation to external web sites and your firewall is not decrypting and inspecting it, you are playing Russian roulette with your security. Close this hole – or get those bitcoins ready…
There are various endpoint configuration techniques which can further harden systems against attack, and standard endpoint security advice continue to be relevant. Browser plug-ins are a key attack vector for web attacks, exploiting vulnerabilities in Flash Player, Silverlight, Adobe Reader or Java.
Keep operating systems, applications, browsers, extensions and plugins updated and patched. Don’t wait to do them periodically or in batches, well organised though that might seem to be. When security patches are issued it means a vulnerability has been discovered and exploited. There is no time to spare as the discovery of a new flaw is like a starter’s pistol to the digital black hats.
Dermot Williams is managing director of Threatscape