Tech Focus

5 ways to defend against ransomware threats


CryptoLocker, a new form of malware, is threatening businesses and individuals by encrypting their files and demanding payment to regain access


CryptoLocker is making headlines for encrypting data and holding it to ransom, but leaving some victims in the lurch despite paying out to regain access to their files. It uses strong encryption, making it next to impossible to crack.

Solution providers said that they are advising clients to first focus on basic security measures and then offering to assess the adequacy and configuration of existing security systems. Addressing ways to reduce the risk of a crippling CryptoLocker infection can thwart other malware threats like it, they say.

The cybercriminals behind the extortion threat, which spreads through email phishing attacks, recently increased the fee to unlock the data the ransomware encrypts from approximately $200 worth of Bitcoins, a digital currency, to about $2,000 worth of Bitcoins, according to Jerome Segura, Researcher, Malwarebytes, who has been monitoring the threat. Here are five security measures that could be taken to reduce the risk of an infection.

Backup

Cloud-based backup is fine, but security experts warn that if your cloud backup is set to automatically sync, the files encrypted by CryptoLocker will replace the files synced to the backup service. Businesses and individuals who follow the best-practice 3-2-1 backup rule will be in great shape to recover from a CryptoLocker infection. Keep three copies of any important file; back up important files to two different types of media, such as a DVD or hard drive; and keep important files in an off-site location.

Backup alone is no panacea, warns Segura. Recovery from a CryptoLocker infection can take several hours depending on the amount of data that needs to be restored, and downtime can be costly. Individuals who have paid the ransom have found that the decryption still takes hours and there is no guarantee that malware isn't still lying dormant on the recovered system.


Updated antivirus software

According to VirusTotal, a website that checks malware against dozens of antivirus engines, most antivirus software can detect CryptoLocker malware. CryptoLocker spreads via malicious file attachments and can also be detected by antispam appliances and most filtering software.

Beware of relying solely on antivirus software for protection, says Segura. If antivirus detects an infection after files are encrypted, removing the threat can make decryption difficult, he said. Some people have sought to re-infect their systems in order to pay the ransom to the cybercriminals.

To address systems that have had the malware removed, the cybercriminals behind the scam have set up a CryptoLocker Decryption Service. The service, which is cloaked from investigators behind the Tor anonymity network, can produce a decryption key for victims who upload an encrypted file. The service is expensive at 10 Bitcoins, or approximately $2,300.

Whitelisting technology

Businesses that want to ensure that CryptoLocker and other malware threats fail to execute can roll out whitelisting software. Security experts warn that the technology, which maintains a list of known good software, can be burdensome to IT administrators and have a negative impact on end users. Some whitelisting technologies are not as robust.

Another way to reduce the risk of malware infection is by applying group policies to prevent people from opening executable files. Most people who open file attachments are not going to extract the file first and then open it; they will double-click on a zip file, which can be blocked from executing through group policy.

Intrusion prevention systems

Intrusion prevention systems can block the communications protocol sent from the CryptoLocker-infected system to the remote command-and-control server where the malware retrieves the key to encrypt the files. Blocking the communications can prevent the encryption from taking place. Security firms have figured out the CryptoLocker algorithm that produces about 1,000 unique domain names every day, says Segura.

By monitoring the domains to determine the IP addresses attempting to connect to them, security researchers have determined that the US and UK are the most affected countries, followed by India, Canada and Australia. Researchers at Kaspersky Lab said the threat gives infected systems three days to pay for the key to unlock the encrypted files. Both next-generation firewall appliances and intrusion prevention systems have the ability to provide this kind of protection, say solution providers.
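The domain-generation behaviour described above leaves a footprint in DNS logs: an infected host looks up a burst of never-seen names, most of which do not resolve. The following is an added example (not code from the article or from any vendor it mentions) showing one simple hunt for that pattern; the log format, thresholds and sample lines are all constructed assumptions.

```python
"""Spot DGA-style lookups in DNS resolver logs.

Added example, not the article's code. A host driven by a domain-generation
algorithm queries many never-seen names in a short window and most fail to
resolve (NXDOMAIN), since only a few of each day's candidates are registered.
"""
from collections import defaultdict

# Constructed sample in a hypothetical "time client domain rcode" format.
SAMPLE_LOG = """\
08:00:01 10.0.0.5 mail.example.com NOERROR
08:00:02 10.0.0.5 www.example.com NOERROR
08:00:04 10.0.0.5 wwww.example.com NXDOMAIN
08:00:05 10.0.0.5 login.example.org NOERROR
08:00:03 10.0.0.9 qwlxkajsdfhtk.org NXDOMAIN
08:00:03 10.0.0.9 ppkdjquvmabnz.net NXDOMAIN
08:00:04 10.0.0.9 xmvbeotyqplwu.com NXDOMAIN
08:00:04 10.0.0.9 hdjsnqlwoeiru.biz NXDOMAIN
08:00:05 10.0.0.9 zzqpolmnbvcxa.info NXDOMAIN
08:00:06 10.0.0.9 kdpqmsnelwuty.co.uk NOERROR
"""

def parse_log(text):
    """Yield (client, domain, rcode) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _, client, domain, rcode = parts
            yield client, domain.lower().rstrip("."), rcode.upper()

def client_stats(text):
    """Per client: (distinct domains queried, distinct domains that got NXDOMAIN)."""
    seen, failed = defaultdict(set), defaultdict(set)
    for client, domain, rcode in parse_log(text):
        seen[client].add(domain)
        if rcode == "NXDOMAIN":
            failed[client].add(domain)
    return {c: (len(seen[c]), len(failed[c])) for c in seen}

def suspicious_clients(text, min_distinct=5, min_nx_ratio=0.8):
    """Clients whose lookups look DGA-driven: many distinct names, mostly failing."""
    hits = [c for c, (distinct, nx) in client_stats(text).items()
            if distinct >= min_distinct and nx / distinct >= min_nx_ratio]
    return sorted(hits)

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))  # ['10.0.0.9']
```

A flagged client is a candidate for isolation and for an IPS or firewall rule, not proof of infection on its own; tune the thresholds against a day of your own resolver logs first.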

User education

Technology alone is not going to solve the longstanding problem of social engineering techniques coupled with malicious file attachments. Security firms need to build up a security-aware culture to help recognize phishing emails.

Email attachments associated with the CryptoLocker threat are accompanied by fake Amazon invoice email messages, phony DHL express delivery slips and other common phishing emails that are known to circulate with other malware campaigns, says Segura. The attackers have not regionalized or targeted the campaign at any specific group of individuals, keeping the campaign broad in scope, which potentially makes it easier to identify.

Image: The screen pop-up on the PC infected by CryptoLocker
