Wednesday, April 26, 2017

Ransomware 101

As a computer technician, I get asked about ransomware often and encounter it occasionally. It's probably one of the biggest threats to user data today, as it can affect all sorts of devices, including IoT devices and smartphones. Not only is it a nuisance, it's downright destructive to user data.

The ransomware trend started because of a big shift in the goals of cybercrime. When viruses and malware first appeared, they were written for recognition and for causing destruction. Nowadays malware producers and their products exist to make financial gains from their victims directly. This can be either by obtaining information to drain victims' bank accounts, or by locking them out of their computer and/or their files and waiting for them to pay the ransom (hence "ransomware").

Since ransomware is somewhat targeted, here are the attack vectors it typically takes:

  1. Email attachments: This is by far the most popular. The majority of the time I see a ransomware victim, they've received an email that appears to be a shipping label from a reputable shipping company, but it is a spoofed email. A trained eye can easily tell, because shipping labels usually come in PDF format (with ".pdf" at the end of the file name), whereas the malware payload typically comes in ZIP, EXE, or JS format (".zip", ".exe", ".js" respectively).
  2. Social media requests and files: This attack typically starts with someone sending a request to an employee within a target company, asking them to proofread a file. The file may carry an alternate data stream and a macro to execute it.
  3. Advertising networks: Some strains of ransomware have been spread through various advertising networks. Some networks don't vet advertisers as well as they should, so advertising has become a big driver for all sorts of cybercrime lately.
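The ".pdf" versus ".zip"/".exe"/".js" tell described for the email vector is something a mail gateway or help desk can check mechanically. The following is an added example (not code from the original post) that classifies attachment file names by risk, flags double extensions such as "label.pdf.exe", and opens ZIP attachments in memory to apply the same rules to their entries. The extension lists are an assumption, a starting point rather than a complete policy, and every sample name and archive is constructed inside the script.

```python
"""Attachment triage for the email attachment vector described above.

Added example; it is not code from the original post. Verdicts are
"allow", "review" or "block". The extension sets are assumptions and
the sample attachments are constructed, not taken from a real message.
"""
from __future__ import annotations

import io
import zipfile

# Payload containers the post names (.exe, .js, .zip) plus common script
# types that behave the same way. Assumption: a starting point, not a policy.
EXECUTABLE_EXTENSIONS = {"exe", "js", "scr", "vbs", "bat", "cmd", "ps1", "hta", "wsf"}
ARCHIVE_EXTENSIONS = {"zip"}
DOCUMENT_EXTENSIONS = {"pdf"}  # what a real shipping label normally arrives as

RANK = {"allow": 0, "review": 1, "block": 2}


def extensions_of(filename: str) -> list[str]:
    """All extensions of a name, lower-cased, in order: "Label.PDF.exe" -> ["pdf", "exe"]."""
    parts = filename.strip().lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_name(filename: str) -> tuple[str, str]:
    """Verdict and reason for one file name, looking only at its extensions."""
    exts = extensions_of(filename)
    if not exts:
        return "review", "no extension"
    last = exts[-1]
    if last in EXECUTABLE_EXTENSIONS:
        # "label.pdf.exe": a document extension in front of an executable one
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTENSIONS:
            return "block", f"document extension hiding an executable (.{exts[-2]}.{last})"
        return "block", f"executable or script attachment (.{last})"
    if last in ARCHIVE_EXTENSIONS:
        return "review", "archive; inspect its contents"
    if last in DOCUMENT_EXTENSIONS:
        return "allow", "document"
    return "review", f"unrecognised extension (.{last})"


def classify_zip(data: bytes) -> tuple[str, str]:
    """Apply classify_name to every file entry of a ZIP held in memory; worst verdict wins."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n for n in zf.namelist() if not n.endswith("/")]
    except zipfile.BadZipFile:
        return "block", "data with a .zip name is not a valid ZIP"
    if not names:
        return "review", "empty archive"
    worst = ("allow", "archive entries are all documents")
    for name in names:
        verdict, reason = classify_name(name.rsplit("/", 1)[-1])
        if RANK[verdict] > RANK[worst[0]]:
            worst = (verdict, f"archive entry {name}: {reason}")
    return worst


def triage(filename: str, data: bytes | None = None) -> tuple[str, str]:
    """Name-based verdict; for an archive whose bytes are supplied, the content-based one."""
    exts = extensions_of(filename)
    if exts and exts[-1] in ARCHIVE_EXTENSIONS and data is not None:
        return classify_zip(data)
    return classify_name(filename)


def build_sample_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed test archive for the demo; not a real attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [  # constructed sample attachments
        ("shipping_label.pdf", None),
        ("Shipping_Label.pdf.exe", None),
        ("tracking.JS", None),
        ("label.zip", build_sample_zip({"label.js": b"// constructed"})),
        ("docs.zip", build_sample_zip({"scans/label.pdf": b"%PDF-1.4 constructed"})),
        ("broken.zip", b"not a zip"),
    ]
    for name, data in samples:
        print(f"{name:24} {triage(name, data)}")
```

The content-based verdict replaces the name-based one only for archives whose bytes are available; an archive seen by name alone stays at "review", because a ".zip" tells you nothing until it is opened.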
Those are the primary attack vectors that ransomware, and other forms of malware, use to spread. Once someone is infected with ransomware, here is what's at stake:
  • Files on their computer -- Files on the specific computer the user is on that they have write permission to are the primary focus, because typically they're not backed up.
  • Network shares -- Some strains of ransomware search the network for server shares the infected user has write access to and encrypt those files as well. It doesn't seem to matter whether or not the share is actually mapped. They can also encrypt network shares that are not password protected.
  • Insecure web server/FTP server -- This one is a possibility; I haven't heard of any strain looking for insecure FTP servers yet, but cybercrime organizations may well figure out how and when to do this.
The question remains: how can you protect yourself? There are a few steps you can take to protect yourself from ransomware and other malware, as listed below:
  1. Run a reputable antimalware product that has good behavior-based detection on top of typical signature-based detection. Also make sure it stays updated, and don't let your subscription lapse.
  2. There's no such thing as "too much backup." Backing up your files to offline media (unplugged when a backup isn't running), a dedicated server (with snapshots), and/or the cloud can protect your files not only from malware but from other situations such as a hard drive crash.
  3. Be very skeptical of everything online and in emails. Look for any hint that something may be fake or too good to be true.
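A backup is only worth the restore it allows, and the files ransomware rewrites are exactly the ones the user has write permission to, which can include the backup target itself if it stays connected. The following is an added example (not code from the original post) showing the check a practitioner would pair with the backup advice: record a SHA-256 manifest of the tree when the backup is taken, then verify a tree against it later to list files changed, missing or added, with a mass-change test for the pattern an encrypting infection leaves behind. It assumes the manifest is kept with the offline copy rather than on the machine being backed up; all paths and contents are constructed in a temporary directory.

```python
"""Backup integrity manifest for the backup advice above.

Added example; it is not code from the original post. The manifest is
assumed to live with the offline backup medium. The demo tree, its
contents and the changes made to it are constructed here.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> hash for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict[str, str], dest: Path) -> None:
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def verify(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree under root with a saved manifest."""
    current = build_manifest(root)
    return {
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def mass_change(report: dict[str, list[str]], manifest: dict[str, str],
                threshold: float = 0.5) -> bool:
    """True when at least `threshold` of the manifest's files are changed or gone.

    A handful of edited documents is normal; most of a tree rewritten or
    renamed at once is the signature of an encrypting infection."""
    if not manifest:
        return False
    touched = len(report["changed"]) + len(report["missing"])
    return touched / len(manifest) >= threshold


def demo() -> dict:
    """Build a constructed tree, record a manifest, then alter the tree the way
    an encrypting infection would (contents replaced, a file renamed) and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "data"
        (root / "docs").mkdir(parents=True)
        (root / "docs" / "report.docx").write_bytes(b"constructed report")
        (root / "photo.jpg").write_bytes(b"constructed image")
        (root / "notes.txt").write_bytes(b"constructed notes")

        # In practice this file sits on the offline medium, next to the backup.
        manifest_path = Path(tmp) / "manifest.json"
        save_manifest(build_manifest(root), manifest_path)
        manifest = load_manifest(manifest_path)
        clean = verify(root, manifest)

        (root / "photo.jpg").write_bytes(b"\x00\x01 replaced contents")
        (root / "notes.txt").rename(root / "notes.txt.locked")
        after = verify(root, manifest)

        return {
            "clean": clean, "clean_alarm": mass_change(clean, manifest),
            "after": after, "after_alarm": mass_change(after, manifest),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification against the backup copy before trusting a restore, and against the live tree before overwriting an older backup with a newer one; a manifest that matches means the copy is the data you saved, and a mass-change alarm means the newer copy is not the one to keep.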
