WINDOWS SECURITY ALERT: Stop Ransomware at the Door

The number of enterprise victims being targeted by ransomware is increasing day by day. Usually, the attackers specifically research and target a victim (similar to whale-phishing or spear-phishing – and these in fact may be techniques used to gain access to the network).

The sensitive files are encrypted, and large amounts of money are demanded to restore the files. Generally, the attacker has a list of file extensions or folder locations that the ransomware will target for encryption.

Due to the encryption of the files, it can be practically impossible to reverse-engineer the encryption or “crack” the files without the original encryption key – which only the attackers will have access to.

The best advice for prevention is to ensure that company-confidential, sensitive, or important files are securely backed up to a remote backup or storage facility that is not connected to the network.

What is ransomware?

Ransomware is a category of malware that restricts users from accessing their devices or data. Ransomware attackers force their victims to pay the ransom through specifically noted payment methods after which they grant the victims access to their computers or to their data. With ransomlockers, the attacker pretends to be local law enforcement, demanding a "fine" to let victims avoid arrest and to unlock their computers.

CryptoLocker is a ransomware variant that encrypts a user's files and typically deletes the original copies. The attacker then demands a ransom to decrypt the files. Not only are files on the local computer damaged, but also the files on any shared or attached network drives to which the computer has write access.

What does ransomware do?

There are different types of ransomware. However, all of them will prevent you from using your PC normally, and they will all ask you to do something before you can use your PC.

They can target any PC users, whether it’s a home computer, endpoints in an enterprise network, or servers used by a government agency or healthcare provider.

Ransomware can:
  • Prevent you from accessing Windows.
  • Encrypt files so you can't use them.
  • Stop certain apps from running (like your web browser).

Ransomware will demand that you pay money (a “ransom”) to get access to your PC or files. We have also seen them make you complete surveys.

There is no guarantee that paying the fine or doing what the ransomware tells you will give access to your PC or files again.

How did ransomware get onto my PC or server?
  1. In most instances ransomware is downloaded automatically when you visit a malicious website, or a legitimate website that has been compromised.
  2. Visiting unsafe, suspicious, or fake websites.
  3. Opening emails and email attachments from people you don't know, or that you weren't expecting.
  4. Clicking malicious links in emails, in Facebook, Twitter and other social media posts, or in instant messenger chats such as Skype.
  5. Accessing data on a remote computer or server that is already infected with ransomware.
  6. Mapping a network drive over RDP to a remote computer or server that is already infected with ransomware.

To avoid ransomware infection, follow these steps:

1. Back up your computers/Servers and critical file servers regularly.

Regularly back up the files on both the client computers and servers. Either back up the files when the computers are offline or use a system that networked computers and servers cannot write to. If you do not have dedicated backup software, you can also copy the important files to removable media. Then eject and unplug the removable media; do not leave the removable media plugged in.

2. Lock down mapped network drives by securing them with a password and access control restrictions.

Use read-only access for files on network drives, unless it is absolutely necessary to have write access for these files. Restricting user permissions limits which files the threats can encrypt.
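The following script is an added example, not code from the original post, showing how step 2 is applied with NTFS permissions from PowerShell: a user group gets ReadAndExecute on a share root, inheritance from the parent folder is cut off so no Modify or Full Control entry leaks in, and administrators and SYSTEM keep full control for backup and antivirus agents. The share path D:\Shares\Finance and the group CORP\Finance-Users are hypothetical values.

```powershell
# Added example, not code from the original post: lock down a shared folder with NTFS
# permissions so members of one group can read but not modify files. Hypothetical
# values: the share root D:\Shares\Finance and the group CORP\Finance-Users.
# Run in an elevated PowerShell session on the file server.
param(
    [string]$Path  = 'D:\Shares\Finance',
    [string]$Group = 'CORP\Finance-Users'
)

$acl = Get-Acl -Path $Path

# Block inherited Modify/Full Control entries from the parent folder. Arguments are
# (isProtected, preserveInheritance): $true,$false drops the inherited rules entirely,
# so only the explicit rules added below remain.
$acl.SetAccessRuleProtection($true, $false)

# Remove any explicit rule already present for the group so the result is predictable.
$acl.Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Group } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# ReadAndExecute, inherited by subfolders and files: a process running as a member
# of this group cannot overwrite, rename or delete what it can only read.
$readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    $Group, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($readOnly)

# Keep administrators and SYSTEM (backup agents, antivirus) able to manage the folder.
foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $full = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $principal, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($full)
}

Set-Acl -Path $Path -AclObject $acl

# Verify: show the explicit entries now in force for the group.
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Share-level permissions combine with NTFS permissions and the more restrictive one wins, so set the share's own permission for the group to Read as well. Ransomware runs with the rights of the logged-in user, which is why read-only access for the group limits what it can encrypt; where a few people genuinely need write access, give it on a separate subfolder rather than on the share root, and test with an ordinary user account before rolling the change out.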

3. Download the latest patches for web application frameworks, web browsers, and web browser plug-ins.

Exploit kits cannot deliver drive-by downloads unless there is an outdated plug-in to exploit, such as Flash. Historically, attacks were delivered through phishing and web browsers. More recently, attacks are increasingly delivered through vulnerable web applications such as JBoss, WordPress, and Joomla.

4. Update your computer or server Antivirus signatures every day.

New definitions are likely to detect and remediate ransomlockers. The antivirus management server downloads virus definitions to the client automatically, as long as the client is managed by and connected to that server.

5. Safe Internet browsing.

Don’t click a link on a web page, in an email, or in a chat message unless you absolutely trust the page or sender. Don’t install browser plug-ins from untrusted download sites. If you’re ever unsure, don’t click it.

6. Safe e-mail browsing.

Often fake emails and webpages have bad spelling, or just look unusual. Look out for strange spellings of company names (like “PayePal” instead of “PayPal”) or unusual spaces, symbols, or punctuation (like “iTunesCustomer Service” instead of “iTunes Customer Service”).

How to identify whether ransomware has attacked
  • The extensions of files on your PC or server are changed to an encrypted format, and the files can no longer be opened in the normal way. A web pop-up appears demanding money to access your files.
  • If you cannot open any of your regularly accessible files (*.docx, *.xlsx, *.pptx, etc.), remove your computer or server from the network before the ransomware can attack other network drives to which it has access.
  • Inform your local IT, server management and security teams so they can investigate further and restore from backups.
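The script below is an added example, not code from the original post, and turns the two signs listed above into a read-only triage scan: it lists recently written files whose extension is not on an allowlist (a mass rename to one odd suffix stands out at once) and files whose names look like ransom notes. The scanned roots, the 24-hour lookback, the extension allowlist and the note-name patterns are hypothetical values chosen for illustration and should be adapted to what normally lives on the host.

```powershell
# Added example, not code from the original post: a read-only triage scan for the two
# signs listed above (files whose extensions were changed, and a ransom note demanding
# payment). The roots, lookback window, extension allowlist and note-name patterns
# are hypothetical values for illustration; adapt them to what normally lives on the host.
param(
    [string[]]$Roots = @('D:\Shares', 'C:\Users'),
    [int]$LookbackHours = 24
)

# Extensions that are normal on this server (constructed allowlist).
$knownExtensions = @('.docx', '.doc', '.xlsx', '.xls', '.pptx', '.ppt', '.pdf', '.txt',
                     '.csv', '.jpg', '.png', '.zip', '.msg', '.eml', '.lnk', '.ini', '.log')

# Ransom notes are dropped into encrypted folders under names that talk about
# decrypting or recovering files (constructed patterns, not a complete list).
$notePatterns = @('*DECRYPT*', '*RESTORE*FILES*', '*HOW*TO*RECOVER*', '*README*RANSOM*')

$since = (Get-Date).AddHours(-$LookbackHours)

# Every file written inside the lookback window. Only metadata is read; nothing is changed.
$recent = @(foreach ($root in $Roots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $since }
    }
})

# Sign 1: recently written files with an extension not on the allowlist, grouped by
# extension so a mass rename (hundreds of files now ending in one odd suffix) stands out.
$oddExtensions = $recent |
    Where-Object { $knownExtensions -notcontains $_.Extension.ToLower() } |
    Group-Object { $_.Extension.ToLower() } |
    Sort-Object Count -Descending

# Sign 2: files whose names match the ransom-note patterns.
$notes = $recent | Where-Object {
    $name = $_.Name
    @($notePatterns | Where-Object { $name -like $_ }).Count -gt 0
}

"Files modified since $since : $($recent.Count)"
if ($oddExtensions) {
    "Recent files with unrecognised extensions, by extension:"
    $oddExtensions | Select-Object Count, Name | Format-Table -AutoSize | Out-String
}
if ($notes) {
    "Possible ransom notes:"
    $notes | Select-Object FullName, LastWriteTime | Format-Table -AutoSize | Out-String
}

# Escalate when either sign is present; the threshold of 100 is a tunable starting point.
$oddCount = ($oddExtensions | Measure-Object -Property Count -Sum).Sum
if ($oddCount -gt 100 -or $notes) {
    Write-Warning 'Indicators found: disconnect this host from the network and notify IT and security before touching the files.'
}
```

The scan deletes or moves nothing, so it is safe to run from a scheduled task and to feed into a ticket or SIEM alert; the allowlist keeps ordinary office files out of the report, and the threshold and patterns are meant to be tuned to the host. When it fires, the advice in the bullets above applies: take the host off the network first, then let IT and security investigate and restore from backups.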

We’re excited to announce Sophos Intercept X, our new signature-less anti-exploit technology, designed to stop ransomware before it takes hold.
