Handling a Ransomware Attack

A recent wave of ransomware attacks has hit countries around the world, with a large number of infections reported in the United States, the United Kingdom, Germany and Israel. It appears that the attackers have no specific target, since the attacks have struck hospitals, financial institutions and private institutions, indicating that no specific industry has been targeted.

In Israel, two types of ransomware were identified in the most recent attacks: the familiar TeslaCrypt and the new ransomware, Locky.

The Evolution of Ransomware

The vigorous usage of ransomware tools by cybercriminals and their success in this area has led to the development of new ransomware and the constant upgrading of known models. During the past several months, researchers have reported on the development of ransomware that is capable of file encryption without Internet connection, i.e., they do not communicate with their C&C servers for the encryption process.

New ransomware tools that were reported are Locky ransomware, whose modus operandi resembles the Dridex banking Trojan, and a new version of CTB-Locker that attacks web servers.

Additionally, RaaS (Ransom-as-a-Service) offers are becoming popular on closed DeepWeb and Darknet forums. These services allow potential attackers to easily create ransomware stubs, paying with profits from future successful infections. Recently, we identified a new RaaS dubbed Cerber ransomware, which is offered on a Russian underground forum. Previously it was ORX-Locker, offered as a service via a platform hosted on an .onion server.

1
The ransom message presented by the Cerber ransomware

Ransomware Distribution

The majority of the distribution vectors of ransomware stubs involve some kind of social engineering trap, for example, email messages including malicious Office files, spam messages with nasty links or malvertising campaigns exploiting vulnerable WordPress or Joomla websites with an embedded malevolent code. The distribution also takes advantage of Macro commands and exploit kits, such as Nuclear or Angler. Sometimes browser vulnerabilities are exploited, as well as stolen digital certificates.

In November 2015, attempts to deliver ransomware to Israeli clients were identified. In this case, the attackers spoofed a corporate email address and tried to make recipients believe the email was sent from a company worker.

2
RaaS offered on a Darknet forum

Handling a Ransomware Attack

Please find below our suggestions for recommended action to avoid ransomware attacks on an organization, and how to deal with an attack after infection:

Defend Your Organization from Potential Threats

  • Train your employees – since the human link is the weakest link in the organizational cybersecurity and the majority of the cases involve social engineering on one of the employees, periodical employee briefing is extremely important. Specify the rules regarding using the company systems, and describe what phishing messages look like.
  • Raise awareness regarding accepting files that arrive via email messages – instruct your employees not to open suspicious files or files sent from unfamiliar senders. Consider implementing an organizational policy addressing such files. We recommend blocking or isolating files with the following extensions: js (JavaScript), jar (Java), bat (Batch file), exe (executable file), cpl (Control Panel), scr (Screensaver), com (COM file) and pif (Program Information file).
  • Disable running of Macro scripts on Office files sent via email – in recent months, many cases of ransomware attacks employing this vector were reported. Usually, Macro commands are disabled by default and we do not recommend enabling them. In addition, we suggest using Office Viewer software to open Word and Excel files.
  • Limit user privileges and constantly monitor the workstations – careful management of user privileges and limited administrator’s privileges may help in avoiding the spread of the ransomware in the organizational network. Moreover, monitoring the activity on workstations will be useful for early detection of any infection and blocking it from propagating to other systems and network resources.
  • Create rules that block programs from executing from AppData/LocalAppData folders. Many variants of the analyzed ransomware are executed from these directories, including CryptoLocker. Therefore, the creation of such rules may reduce the encryption risk significantly.
  • Install a Russian keyboard – while monitoring closed Russian forums where several ransomware families originated, we discovered that many of them will check if the infected computer is located in a post-Soviet country. Usually, this check is performed by detecting which keyboard layout is installed on the machine. If a Russian (or other post-Soviet language) keyboard layout is detected, the ransomware will not initiate the encryption process.
  • Keep your systems updated – in many cases, hackers take advantage of outdated systems to infiltrate the network. Therefore, frequent updates of the organizational systems and implementing the published security patch will significantly reduce the chances of infection.
  • Use third-party dedicated software to deal with the threat – many programs aimed at addressing specific ransomware threats are constantly being released. One is Windows AppLocker, which is included in the OS and assists in dealing with malware. We recommend contacting the organizational security vendor and considering the offered solutions.
  • Implement technical indicator and YARA rules in the company organizations. We provide our clients with intelligence items accompanied by technical indicators. Additionally, a dedicated repository that includes ransomware indicators was launched.
    3
    A closed forum member looks to blackmail companies using ransomware

    What if I am Already Infected?

  • Restore your files – some ransomware tools create a copy of the file, encrypt it and then erase the original file. If the deletion is performed via the OS erase feature, there is a chance to restore the files, since in majority of the cases, the OS does not immediately overwrite the deleted filed.
  • Decryption of the encrypted files – the decryption will be possible if you were infected by one of these three ransomware types: Bitcryptor, CoinVault or Linux.Encoder.1. Therefore, detecting the exact kind of ransomware that attacked the PC is crucial.
  • Back-up files on a separate storage device regularly – the best practice to avoid damage from a ransomware attack is to backup all your important files on a storage disconnected from the organizational network, since some ransomware variants are capable of encrypting files stored on connected devices. For example, researchers recently reported a ransomware that encrypted files stored on the Cloud Sync folder.
  • If ransomware is detected in the organization, immediately disconnect the infected machine from the network. Do not try to remove the malware or to reboot the system before identifying the ransomware. In some cases, performing one of these actions will make the decryption impossible, even after paying the ransom.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s