Ransomware – a brief overview
08 March 2013, 10:57
There have been a number of ransomware attacks on Australian businesses lately. Awareness of this threat is increasing, but a number of small businesses, in particular, are still in the dark about what it is and how to protect themselves against it. In this brief article I shall try to cover both points.
Firstly, ransomware comprises a class of malware which restricts access to the computer system that it infects, and demands that a ransom be paid to the creator of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system's hard drive, while others may simply lock the system and display messages intended to coax the user into paying.
Ransomware typically propagates like a conventional computer worm, entering a system through, for example, a downloaded file (usually sent via a link in an email) or a vulnerability in a network or operating system service.
Ransomware has become a major concern with a series of well publicised attacks crippling small businesses, including most recently, two small businesses in South Australia and a school in Byron Bay. This follows attacks on a Queensland medical centre and other businesses across Australia.
Two styles of 'ransomware attacks' have emerged.
The first may be the more likely of the two to strike but it is also potentially less debilitating. This version simply locks the victim's screen. The second style of ransomware is a more targeted attack, and actually encrypts files on the target computer.
In the first type, criminals have, to date, been using an official-looking logo (such as that of a local law enforcement agency or a government department) to intimidate the victim, and simply locking the victim's screen so they cannot access their computer until a payment has been made. It is a broad-brush approach, distributed en masse in the hope that a percentage of victims will choose to pay the 'fine' or ransom demand presented on the locked screen. This scenario does not typically encrypt any files on the victim's computer (although early examples may have) and is now more often just a form of malware for which most security vendors have removal tools.
The second type of ransomware is a more targeted and challenging concern. Under this scenario, cyber criminals specifically target a particular victim, typically a small business. The computers targeted are actually hacked and files on the computer encrypted. Without payment, files remain inaccessible. This type of specific, targeted attack is more difficult for small businesses to remediate. The best solution, once you've been targeted, may be to simply cut your losses and restore your systems from a regularly updated back-up, so it's important to ensure you have good back-up processes in place.
So having discussed what ransomware is, let’s look at some simple ways of trying to prevent this type of attack:
1. Make regular backups of all your important files and, importantly, store copies of your back-ups offsite. The attackers are known to also encrypt or delete backups that are connected to the computer or network.
2. Ensure all your systems are fully updated.
3. Limit remote access to your systems directly from the Internet.
4. Enforce strong passphrase/password policies on your IT systems to reduce the risk from brute force attempts at cracking passwords.
6. Implement account lockout policies (the account locks if too many failed attempts are made) on your IT systems to reduce the risk from brute-forcing attempts.
6. Where remote access is necessary, use secure methods such as a Virtual Private Network (VPN), require two-factor authentication (two methods, not just password), and restrict access to only those individuals, systems and services that really require remote access.
7. Use up-to-date anti-virus software, and consider using different vendors for gateway and desktops / servers.
8. If feasible, implement host intrusion prevention systems (HIPS) and enable personal firewalls on all desktops / servers.
9. Limit the amount of personal information placed on the Internet.
10. Do not provide financial or other personal information to people that you do not know or trust.
11. Never click on links contained within spam or unexpected emails.
12. Implement mail and web content filtering to try and prevent malicious content entering your network via emails and the Internet.
13. Develop basic guidelines on IT, email and web security and distribute this to staff.
14. And above all, ensure that all your staff members are aware of the threat, the policies mentioned above and these basic steps to help prevent infections.
Ransomware attacks are unfortunately likely to keep increasing. However, the steps above can go a long way towards preventing an infection on an unsuspecting victim’s IT systems.