What is ransomware?
Why has it become so common? Who has been affected by this type of threat? What should you do if you are attacked? How can you protect yourself? Our practical guide answers these questions, and many others.
For those who may have missed the WannaCry attack of May 2017, let's briefly recall what ransomware is. The first generation of ransomware was designed to lock your keyboard or your computer. Your data was not encrypted, and paying the ransom was, in theory, supposed to give you back the use of your PC and its data.
More recently, a new generation of ransomware has adopted a more devious technique: it encrypts your files with a key that only the attacker holds. Today ransomware no longer targets only desktop and laptop computers; it also targets smartphones (mostly Android).
For PCs, the vast majority of attacks target machines running a version of Windows, because of the widespread use of that OS in both home and professional environments. Macs seem, so far, to be less targeted. And yet Olivier Bogaert, Commissioner of the Computer Crime Unit in Belgium, warns: "We are seeing a sharp increase in the number of malware that attacks Macs."
Some examples of attacks
Before WannaCry’s global surge, ransomware had already made headlines.
In February 2016, the Hollywood Presbyterian Medical Center in Los Angeles fell victim to Locky, which made the files of a small number of users unreadable. Hospital executive director Allen Stefanek said: "The malware locks the machines by encrypting files and demanding ransom for the decryption key. The fastest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key." The hospital paid $17,000, the equivalent of the 40 Bitcoins demanded. The malware arrived in a fake invoice in Word format. Doctors explained that they could no longer access their patients' medical records, X-rays and other test results. As a result, some emergency (911) patients had to be diverted to nearby hospitals, and hospital staff fell back on pen and paper for patient admissions. Even after the ransom was paid, it took a fortnight to get the information system fully operational again. One reason for this delay was the hospital's lack of backups.
In March 2016, another hospital, this time in Ottawa, was infected with WinPlock, a variant of CryptoLocker. Here again the malware arrived in a phishing email; it encrypted and locked the PCs of the four users who clicked on the attachment, a tiny fraction of the hospital's 9,800 PCs. Probably because of the small perimeter affected, the hospital chose not to pay the ransom. IT administrators simply wiped the infected hard drives, and because the backup policy had been properly applied this time, things went back to normal very quickly.
In November 2016, over the Thanksgiving weekend, the San Francisco Municipal Transportation Agency fell victim to ransomware that took over more than 2,000 of its roughly 8,000 computers and locked the machines selling tickets for the city's buses, trams and subway. While waiting for a solution, the transport agency chose to open the fare gates and let passengers travel for free. The attacker demanded a ransom of 100 Bitcoins. But since he had simply given out an email address to arrange payment, he could be identified without much trouble. Worse still for him, a security researcher managed to get into that email account, reset the password and locked him out.
To close this very incomplete list (few companies like to publicize this kind of incident), we must of course mention the infamous WannaCry ransomware, which hit more than 150 countries and more than 300,000 computers. In France, Renault was one of the few companies to report the attack, which shut down vehicle production at the Douai and Sandouville sites and led to temporary layoffs of employees at the plants concerned.
Why is ransomware so common?
The growing popularity of these attacks is explained by how disarmingly easy it is to obtain ransomware tooling on the "dark web". There are even "Ransomware as a Service" (RaaS) offerings that budding criminals with no real programming skills can deploy with very little effort, in exchange for a commission on the ransoms collected.
For the modest sum of 160 euros you can get Karmen, a recent RaaS. From its web interface you can customize the ransomware, see how many machines you have managed to infect and how much you have extorted from your victims.
Who is affected?
While large companies are prime targets, ransomware does not spare mid-sized companies and, to a lesser extent, small businesses.
According to the study "Understanding the depth of the global ransomware problem", published in August 2016 by Osterman Research and sponsored by Malwarebytes, the sectors most affected by ransomware attacks are healthcare, followed by financial services, banking and insurance. Of the 450 respondents surveyed across 165 companies worldwide, 39% admit to having been the victim of such an attack. The proportion varies by country, with the highest rate in the United Kingdom (54%), followed closely by the United States (47%), then Canada (35%) and finally Germany (18%). At the time of the survey, 67% of Canadian respondents were fairly or very confident in their ability to cope with a ransomware attack. Confidence was about the same among German companies. Conversely,
But in the end, the only measure of a ransomware attack's success is whether the ransom gets paid. Should you pay, with no certainty of recovering the encrypted files, or not? Opinions differ.
In its December 2016 study "Ransomware: How Consumers and Businesses Value Data", IBM X-Force surveyed 600 business leaders and more than 1,000 consumers in the United States. The study found that 70% of businesses hit by ransomware reported paying all or part of the ransom to get their data back. Half of them paid more than $10,000, and 20% paid more than $40,000.
The Osterman Research study, for its part, seems to show the opposite: only 3% of American businesses paid the ransom, while 75% of Canadian, 58% of British and 22% of German companies chose to pay. Whether paying is worthwhile remains an open question. While 82% of the Canadian businesses that chose not to pay ended up losing their files, fewer than 30% of US companies suffered the same fate. No doubt some had better protection, and better backups, in place than others.
What to do in case of an attack?
First, unplug any still-healthy external drives so that their intact files do not get encrypted too. Disconnecting the machine from the Internet will at least cut the attacker's channel to it: the malware can use that channel to report back and to launch further harmful actions. If you are on a corporate network, disconnect from it as well, to limit spread to file servers and shared folders. Keep the ransom note and a couple of encrypted files: they identify the ransomware family, and for some families a free decryptor already exists (the No More Ransom project maintains a list).
If you are a professional user, inform your IT department immediately so that they can quickly take the first steps: isolation, investigation and remediation.
If you have backed up your files properly, all is not lost. From another, uninfected workstation, inspect your recent backups and check them both for malware and for files that were already encrypted when the backup ran. Clean the infected PC (a wipe and reinstall is the safest way), get rid of any suspicious software or files, then restore from your last known-good backup.
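The check on the backups described above, as an added example that is not part of the original guide: before restoring, walk the backup tree and flag anything that looks like ransomware output. Three signals are used, a known ransomware extension (".locky" is the one Locky appended; the other extensions and the ransom-note filenames are illustrative placeholders to be fed from threat intelligence), a known file type whose magic header is gone (a ".pdf" that no longer starts with "%PDF" has been overwritten), and a plain-text file whose bytes have the entropy of ciphertext. The sample backup tree is constructed inline.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, Optional

# Assumptions, not from the original guide: ".locky" is Locky's documented extension; the
# others, and the note names, are illustrative and should come from current threat intel.
SUSPECT_EXTENSIONS = {".locky", ".encrypted", ".crypt", ".wncry"}
RANSOM_NOTE_NAMES = {"_HELP_instructions.txt", "@Please_Read_Me@.txt", "DECRYPT_FILES.txt"}
# Known container formats: an encrypted copy will not keep the header.
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
         ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff"}
# Types that are plain text: their entropy should be far below 8 bits per byte.
TEXT_TYPES = {".txt", ".csv", ".log", ".xml", ".html", ".json"}
ENTROPY_LIMIT = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 for uniformly random data, ~4.5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_file(path: Path) -> Optional[str]:
    """Return a reason if the file looks encrypted or is a ransom note, else None."""
    if path.name in RANSOM_NOTE_NAMES:
        return "ransom note"
    suffixes = [s.lower() for s in path.suffixes]
    ext = suffixes[-1] if suffixes else ""
    if ext in SUSPECT_EXTENSIONS:
        return f"ransomware extension {ext}"
    head = path.read_bytes()[:4096]          # the header is enough for both checks
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        return f"missing {ext} header"
    if ext in TEXT_TYPES and len(head) >= 256:
        h = shannon_entropy(head)
        if h > ENTROPY_LIMIT:
            return f"entropy {h:.2f} bits/byte for a text file"
    return None


def audit_backup(root: Path) -> Dict[str, str]:
    """Map of relative path -> reason for every suspicious file under root."""
    findings: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reason = inspect_file(p)
            if reason:
                findings[p.relative_to(root).as_posix()] = reason
    return findings


def build_demo_backup(root: Path) -> None:
    """Constructed sample backup: two healthy files and three signs of compromise."""
    docs = root / "docs"
    docs.mkdir(parents=True)
    (docs / "minutes.txt").write_text("Meeting minutes for the week.\n" * 40)
    (docs / "scan.pdf").write_bytes(b"%PDF-1.4\n" + b"1 0 obj << >> endobj\n" * 50)
    # A document Locky has encrypted and renamed: random bytes, original name kept as prefix.
    (docs / "report.docx.locky").write_bytes(os.urandom(4096))
    # A text file encrypted in place without a rename: the type says text, the bytes say ciphertext.
    (docs / "notes.txt").write_bytes(os.urandom(4096))
    (docs / "_HELP_instructions.txt").write_text("Your files are encrypted.\n")


def demo() -> Dict[str, str]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_backup(root)
        return audit_backup(root)


if __name__ == "__main__":
    for rel, why in demo().items():
        print(f"DO NOT RESTORE {rel}: {why}")
```

The entropy test is deliberately limited to plain-text types: compressed and already-encrypted formats (.docx, .zip, .jpg) are high-entropy by design, so they are judged by their magic header instead. Any finding means the backup itself was taken after encryption began, and an older snapshot is needed.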
How to limit the risks?
The first thing to do is certainly to keep your software estate up to date. Malware appears and mutates so quickly that software vendors and security providers are forced to issue fixes as soon as possible to close security gaps.
Recall that in the case of WannaCry, the attackers exploited a Windows vulnerability that had already been fixed in March 2017 in Microsoft Security Bulletin MS17-010. Microsoft also released a security update for Windows platforms that are only in custom support, including Windows XP, Windows 8 and Windows Server 2003. Patching is not the whole story, though: WannaCry spread through SMBv1, a protocol Microsoft has been advising customers to disable, so on machines that cannot be patched promptly, turning SMBv1 off and blocking TCP port 445 at the perimeter are the compensating controls. The same discipline applies to all software other than the OS, from any publisher, that may contain vulnerabilities exploitable by malicious actors.
It is commonly said that the user is the weakest link. Using the same workstation for business and personal purposes makes security policies harder to enforce. Malware often arrives hidden in emails, or even in ad banners. It is everyone's responsibility to pay attention to what gets downloaded onto their workstation and to treat files and URLs of unknown origin with the utmost caution. Beyond the awareness-raising done in annual training, some companies go as far as running realistic phishing simulations, so that users feel first-hand the risk they are expected to avoid.
Alongside training, awareness and security processes within the company, protection software is no longer optional.
What kind of protection solution?
Much protection software was not designed to withstand modern malware such as ransomware. Some strains mutate very quickly and use techniques to evade detection by conventional tools, which often rely on static signatures. Others increase the damage by hunting for backup devices and encrypting them too, making it virtually impossible to recover files without paying the ransom.
That is why the best current approach is multi-layer monitoring. A solution like Malwarebytes Endpoint Security acts at every step of the ransomware infection chain.
During the profiling step, the attacker targets your workstation with, for example, a fake ad banner that lets him collect information such as your OS version, your browser type and any security software you run. Your PC's defences must detect, or better prevent, this information leaking back, which reduces the attack surface available to the attacker.
The second step is getting the malicious code onto your computer. Here your protection solution must keep you away from malicious sites, fake profiles and hidden attacker infrastructure.
In the third step, the attacker exploits vulnerable code in your browser, in an Adobe Flash file or in Microsoft Word, for example. Your protection solution should block this remote code execution. Behavioural analysis can check that installed applications behave as expected and are not being hijacked by an external attacker.
The fourth step is the installation and execution of the ransomware itself. Here again, behavioural analysis makes it possible to recognize the chains of actions typical of the main ransomware families and to block them.
The last step is the one that fetches or generates the encryption keys and encrypts your data. Your protection solution must detect and block connections to command-and-control servers, and stop the encryption process in real time. Note that blocking C2 traffic alone is not enough: WannaCry, like many families, carried an embedded public key and encrypted files without ever needing to contact a server, so the real-time behavioural layer is the one that must hold.
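The behavioural layer described in the fourth and fifth steps, as an added example that is not part of the original guide and not Malwarebytes' code: a detector that scores each process by how many distinct files it rewrites or renames inside a sliding time window and blocks it at a threshold, or immediately if it touches a decoy ("canary") file. The event stream stands in for what an endpoint sensor (a file-system minifilter or ETW) would deliver; the events, the decoy path and the threshold are constructed assumptions. An editor saving one file repeatedly and a slow backup agent stay under the line; a process renaming documents to ".locky" at speed does not.

```python
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FileEvent:
    """One file-system event as an endpoint sensor would report it (constructed shape)."""
    ts: float           # seconds since boot
    pid: int
    op: str             # "write" or "rename"
    path: str
    new_path: str = ""  # only for "rename"


def extension_changed(old: str, new: str) -> bool:
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()


class RansomwareBehaviorDetector:
    """Block a process that modifies too many distinct files in a short window,
    or that touches the decoy file at all."""

    def __init__(self, window_s: float = 10.0, threshold: int = 20,
                 canary: str = "C:/Users/alice/Documents/~$budget.docx"):
        self.window_s = window_s
        self.threshold = threshold
        self.canary = canary                                  # hypothetical decoy path
        self.recent: Dict[int, Deque[Tuple[float, str]]] = defaultdict(deque)
        self.verdicts: Dict[int, str] = {}

    def feed(self, ev: FileEvent) -> Optional[str]:
        """Return the block reason once a process crosses the line, else None."""
        if ev.pid in self.verdicts:
            return self.verdicts[ev.pid]      # already blocked; the sensor drops its I/O
        if self.canary in (ev.path, ev.new_path):
            return self._block(ev.pid, f"touched decoy file at t={ev.ts:.1f}s")
        # A rename that swaps the extension is the encrypt-then-rename pattern;
        # a plain write counts too, since some families encrypt in place.
        if ev.op == "write" or (ev.op == "rename" and extension_changed(ev.path, ev.new_path)):
            q = self.recent[ev.pid]
            q.append((ev.ts, ev.path))
            while q and ev.ts - q[0][0] > self.window_s:   # slide the window
                q.popleft()
            distinct = len({p for _, p in q})
            if distinct >= self.threshold:
                return self._block(ev.pid, f"{distinct} distinct files modified in {self.window_s:.0f}s")
        return None

    def _block(self, pid: int, reason: str) -> str:
        self.verdicts[pid] = f"BLOCK pid {pid}: {reason}"
        return self.verdicts[pid]

    def run(self, events: List[FileEvent]) -> Dict[int, str]:
        for ev in sorted(events, key=lambda e: e.ts):
            self.feed(ev)
        return dict(self.verdicts)


def constructed_events() -> List[FileEvent]:
    """Constructed sample telemetry: an editor, a slow backup agent and an encryptor."""
    events: List[FileEvent] = []
    # pid 100: a text editor saving the same document 30 times -> one distinct file.
    events += [FileEvent(1.0 + i, 100, "write", "C:/Users/alice/Documents/draft.txt")
               for i in range(30)]
    # pid 200: a backup agent rewriting 40 files spread over 400 s -> never 20 in one window.
    events += [FileEvent(10.0 * i, 200, "write", f"D:/backup/file{i}.dat") for i in range(40)]
    # pid 666: encrypts 25 documents in 2.5 s, renaming each to Locky's .locky extension.
    events += [FileEvent(50.0 + 0.1 * i, 666, "rename",
                         f"C:/Users/alice/Documents/report{i}.docx",
                         f"C:/Users/alice/Documents/report{i}.docx.locky") for i in range(25)]
    return events


def demo() -> Dict[int, str]:
    return RansomwareBehaviorDetector().run(constructed_events())


if __name__ == "__main__":
    for pid, verdict in demo().items():
        print(verdict)
```

The threshold trades detection delay against damage: here the encryptor is stopped at its 20th file, which is why real products pair this kind of rate logic with a rollback cache of the files touched just before the verdict. The decoy file gives a zero-delay signal for families that enumerate directories alphabetically, which is why its name sorts first.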
To conclude, no one is immune to a ransomware attack. If we had to keep just two pieces of advice, the first would be never to skip backups (and to keep at least one copy offline, where ransomware cannot reach it) and the second to deploy a multi-layer protection solution capable of detecting and thwarting the most malicious malware.