The spate of recent ransomware attacks on U.S. healthcare providers and businesses has prompted US-CERT to issue a warning about the destructive ransomware variants, Locky and Samas.
The latest alert was issued by the Department of Homeland Security in conjunction with the Canadian Cyber Incident Response Centre (CCIRC) to raise awareness of the threat from ransomware, the mode of action of the malicious software, the variants that are currently proliferating, and the actions that can be taken to reduce the risk of attack.
While ransomware has been around for several years, attacks have been limited until recently. Now many malicious actors are turning to ransomware to extort money out of victims and the threat to businesses is growing.
Ransomware victims are told that their systems and files have been locked and that the only way to recover them is to pay a ransom, usually in Bitcoin. Typically the demand to unlock a single computer is between $200 and $400, although the attackers can set any price, and when multiple computers are infected the demand is multiplied by the number of devices.
Ransomware attackers use two main vectors: phishing emails and infected websites. Phishing emails are usually, but not always, sent indiscriminately. They urge the recipient to open a malicious attachment or to click a link to a malicious website; when users visit these sites, the ransomware is downloaded onto their devices without any further interaction.
Website visitors are also at risk from drive-by downloads if they visit a malicious webpage. This could be a site specifically set up by the attacker, or even a legitimate site that has been compromised.
However, other methods of ransomware delivery have also been reported. Attackers have exploited vulnerabilities in internet-facing web servers to gain a foothold, then moved into the internal network and installed ransomware. Homeland Security has also received reports of infections spread via social media websites and instant messaging applications.
Since attacks can prove highly profitable, ransomware has been proliferating. There has been an explosion in ransomware variants in recent years, and attackers are developing ever more sophisticated variants that are more destructive and harder to identify. The latest variants, such as Samas and Locky, are capable of spreading laterally and infecting multiple networked computers and servers. Files on removable drives can also be locked, and Windows shadow copies and backup files are encrypted or deleted to prevent data restoration.
Security companies have developed decryption tools for some ransomware variants, but victims often face data loss if viable backups do not exist. Paying the ransom is no guarantee that a working decryption key will be provided.
To protect against ransomware attacks, US-CERT recommends:
- Making sure all data is backed up regularly
- Performing tests of backed up data to ensure recovery is possible
- Ensuring data backup drives are air-gapped when backups are not being performed
- Whitelisting of applications to ensure malicious programs are prevented from running
- Ensuring anti-virus and anti-malware solutions are installed and definitions are kept up to date
- Applying software patches promptly
- Restricting network privileges and user permissions as far as is possible
- Blocking macros from running automatically and as far as is possible, implementing organization-wide blocks on macros
- Conducting staff training to increase awareness of the threat and how to identify phishing emails
- Never opening attachments from unknown senders
- Blocking emails from suspicious sources using spam filters
- Never clicking links contained in emails from unknown senders
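The macro recommendation above is the one item on the list that maps directly onto a concrete configuration, so here is an added example of what the organization-wide block looks like in practice. This is not code from the US-CERT alert: it is a PowerShell script that sets the same Office policy registry values a Group Policy object would set, under HKCU for the current user. The Office version key (`16.0`) and the set of applications are assumptions; adjust them for the Office build actually deployed, and in a real estate push the values through GPO or Intune rather than running this per machine.

```powershell
# Added example (not from the alert): enforce the "block macros" recommendation
# by writing the Office policy registry values that Group Policy would set.
# Assumptions: Office 2016/2019/365 (policy key version "16.0"); the script runs
# as the user whose HKCU hive should be configured.

$officeVersion = '16.0'               # assumption: Office 2013 would use '15.0'
$apps = 'Word', 'Excel', 'PowerPoint'  # assumption: the applications to harden

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # VBAWarnings meanings:
    #   1 = enable all macros (weak setting, never use)
    #   2 = disable with notification (default; the user can still click "Enable Content")
    #   3 = disable all except digitally signed macros
    #   4 = disable all macros without notification
    # 4 is the organization-wide block the alert recommends; use 3 if signed
    # internal macros are still needed.
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord

    # Independently block macros in files carrying the Mark-of-the-Web
    # (downloaded or received as an email attachment), so the phishing case
    # stays covered even if VBAWarnings is later relaxed for some users.
    Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord
}

# Verify what was written so the result can be checked before rolling out via GPO.
foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    Get-ItemProperty -Path $key |
        Select-Object @{ Name = 'App'; Expression = { $app } },
                      VBAWarnings, BlockContentExecutionFromInternet
}
```

Because these live under the `Policies` branch, users cannot override them from the Office Trust Center, which is the difference between a recommendation and an organization-wide block. Audit the same two values on a sample of endpoints after deployment; a machine still showing `VBAWarnings` of 1 or 2 is one where a phishing attachment can still run its payload.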