
A quick guide to ransomware

Posted February 29, 2016

Have you heard of ransomware? Understand what it is, how it works and how it can affect your business.

By Chad Gowrea, Director - Solutions and Strategy

WHAT IS RANSOMWARE?

Ransomware, as the name suggests, is a process that runs in your environment, takes away your access to your files and demands some kind of ransom in return for restoring that access.

This is mostly achieved by a program being downloaded into your environment (via an email attachment or a click on a web link) which runs an encryption process over your files and then gives you a method of paying the source party, normally in a digital currency called Bitcoin, for a decryption or unlocker tool.

HOW DOES RANSOMWARE MAKE ITS WAY INTO YOUR BUSINESS?

John Smith receives an email in his inbox from Australia Post. It has an Australia Post logo on it and everything seems legit, so why not?

He clicks on the email link, however, nothing happens (or APPEARS to happen). Oh well, John can wait until Australia Post contacts him again to deliver his parcel.

John goes to his company Shared Drive to access the documents he was working on yesterday and they are not there. In fact, none of his documents are there. Instead, they are replaced with a bunch of folders with garbled names and a simple document called “INSTRUCTIONS TO DECRIPT YOUR FILES – Click here”

He clicks on the document and it takes him to a webpage which tells him that all his files have been encrypted and he needs to pay $3000 USD in BitCoins to a specified BitCoin Wallet and he will receive a download for a Decryption program to unlock his files.

Oh no……

IS IT THE SAME AS PHISHING??

Not quite.

Phishing is a technique used by attackers to entice a user to download an attachment or click on a link in order to execute some kind of third party process in their environment.

Simple examples of phishing are emails you may receive with Australia Post headers or Australian Federal Police crests on the top, or the web popup that says “Your computer has been infected! Click here to download the cleaning tool!”

So while ransomware employs phishing emails as part of its overall process – it is not the same as phishing.

HOW DOES IT WORK?  (THE TECHY PART…)

The first major component of any ransomware attack is the encryption program, which is normally built on an encryption process called public key cryptography.

This is the program that normally gets downloaded or runs when an unsuspecting user clicks on a link or downloads an attachment.

In short, public key cryptography is a legitimate, well-used and very clever encryption scheme that requires two keys: a public key that is used to ENCRYPT the files and a private key that is used to decrypt them.

The tricky part is that it is mathematically near impossible to derive the private key if you only have the public key, which is what makes this such a dangerous threat to the recovery of your files once they have been encrypted. You cannot reverse engineer the public key contained in the original program to get your files back, so the private key is the one that the ransomware attackers want you to pay for…

The second major component is the payment side of things, the ransom payment transaction. This is almost always facilitated using a BitCoin Wallet transfer to the ransomware source party.

BitCoin is an internet currency in which Bitcoins are transferred between “wallets”. Because it is decentralised, with no institution controlling it, measures can be taken to create anonymous identities, or identities that are very hard to track down.

WHY?!?!??
In simple words, money!!!

It is estimated that each ransomware attack can generate an average of $70,000 USD before it is “caught” or “shut down” by operating system patches or updates to security engines.

In addition, ransomware is largely an automated process which requires very little effort from the ransomware source parties. From the process that encrypts your files to the website they direct you to for sending the ransom Bitcoins, it’s all automated. It’s a very easy way for any intelligent hacker to make “easy money”.

WHY DOESN’T NORMAL ANTIVIRUS AND FIREWALL STOP RANSOMWARE ATTACKS?

The main reason for this is that the primary computing operation in any ransomware attack is actually a legitimate computing process.

A lot of the basis for AV filters and malware detection engines is designed to spot processes that are doing something “wrong”, such as impersonating a Windows system process or trying to gain unauthorised access via a network port.

However, the main problem with ransomware is that it’s the underlying MOTIVATION of the computing process that is inherently “bad”, and it’s very hard for software to catch on to the fact that a process is trying to take your money.

A simple analogy is a user who logs in to another user’s email account using that user’s username and password with the express purpose of reading and deleting their email. Any antivirus or anti-malware solution only sees a legitimate user with an authenticated password logging into a system and performing the normal operations of reading and deleting emails. It cannot know the motivations behind this action.

SO WHAT CAN I DO TO PROTECT MYSELF FROM RANSOMWARE?

There are a lot of vendors working on new measures to stop encryption processes, so help is on the way. However, the best protection against ransomware is to ensure some basic rules and best practices for any IT environment are adhered to. This can keep you safe or provide your best chance of harm minimisation should you be infected by ransomware.

Employ a hierarchical permission structure for your files

Just employing a simple security structure that only allows certain users access to certain data can be very effective in controlling and even mitigating the damage caused by a ransomware attack. Because the majority of ransomware can only run as a process under the user account that downloaded or executed it, it can only affect the files that user has access to.

Some organisations still have a flat permissions structure for their primary company files (i.e. everyone can access everything) and this can be dangerous. Every file system available today can easily employ a permissions structure to help with this.
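The check a practitioner would run to find the flat permissions described above, as an added PowerShell example (not code from this article or from Bremmar): it walks the top of a share and reports every folder where a broad group such as Everyone or Authenticated Users is allowed to write, delete or modify. The share path, the search depth and the list of “broad” groups are assumptions to adjust for your environment.

```powershell
# Added example, not part of the article. Audits a share root for "flat" write permissions.
# Assumptions: $ShareRoot is a placeholder path; $BroadPrincipals are the groups you treat
# as "everyone". Requires PowerShell 5.0+ for Get-ChildItem -Depth.
param(
    [string]$ShareRoot = 'D:\CompanyShare',   # placeholder, change to your share root
    [int]$Depth = 2                            # how many folder levels below the root to check
)

# Principals that effectively mean "every user on the network"
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Domain Users')

# Rights that let a process create, overwrite or delete files, which is all an
# encryption process running as an ordinary user needs
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Delete

function Test-BroadWriteAccess {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        # Match with or without a domain prefix (e.g. CONTOSO\Domain Users)
        $isBroad = $BroadPrincipals | Where-Object { $who -like "*$_" }
        if ($isBroad -and (($ace.FileSystemRights -band $WriteRights) -ne 0)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$folders = @(Get-Item -LiteralPath $ShareRoot) +
           @(Get-ChildItem -LiteralPath $ShareRoot -Directory -Recurse -Depth $Depth)
$findings = foreach ($f in $folders) { Test-BroadWriteAccess -Path $f.FullName }

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No broad write access found under $ShareRoot (depth $Depth)."
}
```

Inherited entries in the output usually point at one ACL near the root that needs tightening rather than at many individual folders.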

BACKUPS BACKUPS BACKUPS

Still the simplest and the best way to secure yourself from anything happening to your production data.

Now, with physical hard drive and even cloud data capacity growing exponentially and prices dropping by the minute, you can keep a lot more copies of your data and back up at regular intervals.

Simple VSS (Previous Versions) on Shared Folders is a very effective way of providing useful restore points should you fall victim to a malware attack. This facility is available on any Windows operating system platform.
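A quick way to confirm that the Previous Versions restore points mentioned above actually exist and are current, as an added PowerShell example (not code from this article or from Bremmar): it finds the newest shadow copy of the volume hosting the shared folders and takes a new one if the latest is older than a chosen age. The drive letter and the 24-hour threshold are assumptions; the script must run elevated on the file server.

```powershell
# Added example, not part of the article. Checks for a recent VSS shadow copy of the
# share volume (the restore points behind "Previous Versions") and creates one if stale.
# Assumptions: the shared folders live on D:, and "recent" means within the last 24 hours.
param(
    [string]$DriveLetter = 'D:',   # placeholder, volume hosting the shared folders
    [int]$MaxAgeHours = 24
)

function Get-LatestShadowCopy {
    param([string]$DriveLetter)
    # Win32_ShadowCopy identifies volumes by their \\?\Volume{GUID}\ name, so map the letter first
    $vol = Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "Volume $DriveLetter not found" }
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object InstallDate -Descending |
        Select-Object -First 1
}

$latest = Get-LatestShadowCopy -DriveLetter $DriveLetter
$stale  = (-not $latest) -or ($latest.InstallDate -lt (Get-Date).AddHours(-$MaxAgeHours))

if ($stale) {
    Write-Warning "No shadow copy of $DriveLetter newer than $MaxAgeHours hours; creating one."
    # ClientAccessible is the shadow copy type that Previous Versions on shared folders uses
    $result = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
        -Arguments @{ Volume = "$DriveLetter\"; Context = 'ClientAccessible' }
    if ($result.ReturnValue -ne 0) {
        throw "Shadow copy creation failed (return code $($result.ReturnValue))"
    }
    "Created shadow copy $($result.ShadowID) of $DriveLetter"
} else {
    "Latest shadow copy of $DriveLetter was taken $($latest.InstallDate), within $MaxAgeHours hours."
}
```

Shadow copies live on the same volume as the data they protect, so treat them as a complement to the physically separate backup repository the article also recommends, not a replacement for it.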

However, in addition to this, the most tried and tested measure is a secure backup repository that takes regular backups of your information to a secure or physically separate location. This measure alone can help you recover from a severe ransomware attack with minimal additional expenditure on antivirus or anti-ransomware tools.

Be alert

This is probably the most effective and easy to employ across all users: BE ALERT.

Apply the same general alertness that you have in your everyday life to your online activities. A simple example: if you were approached on the street by a stranger in plain clothes who handed you a box and said “you have won a prize – take this box and open it”, any normal person would immediately be suspicious about opening the box.

The same should apply to your online and email habits – if you receive an email from a third party you are unaware of, don’t just open it. If a suspicious browser link pops up on your screen, don’t just click on it!!

Take a moment and evaluate – Do I know this third party sending me this email?  Have I ever dealt with the sender of this email before?

If in doubt, ASK SOMEONE. Forward the email to your IT Service Provider or IT Manager, or even to the organisation the emailing party is claiming to be. This takes only a few minutes of your and their time and can save disasters. Any IT professional will have testing tools or the knowledge to tell quite easily whether a ransomware phishing email is legitimate or not.

For further technical analysis or if you simply want to chat about your business’ IT security, contact one of our technical staff on 1300 991 351 and check how Bremmar can assist with protection or even recovery from ransomware attacks.
