Expect Micro Ransomware: Extortion One Document At A Time

I have been following the development of ransomware closely since September 2013 when the ransomware plague was unleashed on the internet in the form of CryptoLocker and its copycats.

At the time of this writing, there are now well over a hundred different strains and the end is not in sight. On the contrary, ransomware has proven to be a highly successful criminal business model and many aspiring cybercriminals big and small are now trying to muscle into this racket.

Up to now, they are treating a box as a single unit of "to be encrypted" files. Some strains focus on a specific set of file extensions, some others take the approach of encrypting all files and exclude Windows files to keep the OS running -- with varying success. Up to now, existing antivirus products have not been very successful combating this new type of malware.

Pay Ransom One Document At A Time

These mostly Eastern European cyber mafias are in furious competition, they invest a lot of money in "new feature" development. Good examples are recent strains that function as a worm, strains that obtain admin privileges, a strain that adds a DDoS bot to the machine, and others that literally pull some encrypted files off the victim machine up into their control and command server which brings us into data breach territory.

It is literally only a matter of time before one of these guys gets smart and starts analyzing the files on disk or file server to see which are recent and/or shared, or sit in a directory that indicates high value like accounting, design or software development. 

Looking at today's sophisticated level of ransomware code, it is not all that much work to add a bit more logic and infrastructure so they can extort micropayments on a per-file basis, and unfortunately Bitcoin is ideal for that. This allows them to extort more money on a per-machine basis. 

Anti-Ransomware In The Real World

Lenny Zeltser recently posted his views on this problem, and said: "Any methods for detecting and impeding ransomware cannot be foolproof, as is the case with any anti-malware technology. My expectation is that commercial anti-malware vendors are creating or have already developed more sophisticated methods for dealing with ransomware[...] Those who remember the early days of spyware might recall standalone anti-spyware tools that were later merged into mainstream antivirus products. Similarly, anti-ransomware capabilities are becoming an essential feature of modern Internet security suites and anti-malware products." True, but we are not there yet. What to do in the meantime?

Should You Start Stockpiling Bitcoin?

A lot of companies in the UK have started doing that. However, there is something else you can do about this right now. Step your users through effective security awareness training, and you are not going to need a Bitcoin stockpile. Here is what one of our customers sent us:

"Our County will be participating in a General Session. Our focus is “Cybersecurity on a Shoestring Budget”. We are highlighting some of the “quick wins” that we have implemented that have brought us the most “bang for our buck”.  Definitely one of the highest risks to our security posture is at the user level. It always boils down to that. KnowBe4 has substantially helped with that—the training campaigns are bringing us more and more returns. We get feedback from users all the time that the red flags that they learned about in the training videos helped them to recognize that an email that they received was suspicious." 

Here Are 8 Things You Can Do To Protect Against This Plague (apart from having weapons-grade backup)

1. From here on out with any ransomware infection, wipe the machine and re-image from bare metal
2. If you have no Secure Email Gateway (SEG), get one that does URL filtering and make sure it's tuned correctly
3. Make sure your endpoints are patched religiously, OS and 3rd Party Apps
4. Make sure your endpoints and web-gateway have next-gen, frequently updated  (a few hours or shorter) security layers
5. Identify users that handle sensitive information and enforce some form of higher-trust authentication (like 2FA)
6. Review your internal security Policies and Procedures, specifically related to financial transactions to prevent CEO Fraud
7. Check your firewall configuration and make sure no criminal network traffic is allowed out
8. Deploy new-school security awareness training, which includes social engineering via multiple channels, not just email

Since phishing has risen to the #1 malware infection vector, and attacks are getting through your filters too often, getting your users effective security awareness training which includes frequent simulated phishing attacks is a must. 

KnowBe4's integrated training and phishing platform allows you to send attachments with Word Docs with macros in them, so you can see which users open the attachments and then enable macros! It also allows you to send spoofed email that seems to come from the CEO and tries to get employees to wire money out. 

See it for yourself and get a live, one-on-one demo.

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://info.knowbe4.com/kmsat-request-a-demo