Ransomware – The Biggest Security Threat in 2016 and How to Prevent It

DQ Channels – Channel Pulse – SANJAY KATKAR, MD & CTO, Quick Heal Technologies Limited


While the list of security threat predictions for 2016 is long, the one that concerns home users the most is linked to Ransomware – a malicious program that either locks the infected system or encrypts its data. Once it has done that, it asks for a ransom to release the computer or decrypt the data.

SOME QUICK STATS ABOUT THE RANSOMWARE MENACE IN 2015

A new variant of the Ransomware family, TeslaCrypt, was seen in early 2015. It specifically targets computers with saved game files. Read more about TeslaCrypt here.

A massive surge was detected in the CTB Ransomware, a relatively new variant.

India seemed to have been hit with the highest number of Ransomware attacks this year, accounting for 16,000 infections.

The FBI reported a loss of $18 million because of Ransomware attacks worldwide.

Ransomware infections are deemed nasty to such a level that even the FBI stated that they often advise people to pay the ransom. Joseph Bonavolonta, Assistant Special Agent in Charge of the Cyber and Counterintelligence Program in the FBI’s Boston office, was quoted as saying: “The Ransomware is that good… To be honest, we often advise people just to pay the ransom.”

SO, WHAT’S THE PREDICTION FOR RANSOMWARE IN 2016?

Judging by the alarming rate at which the Ransomware family is growing, it is wise to assume that this malware is here to stay and not going away anytime soon. For 2016, here’s what Ransomware authors may be gearing up for:

1. Getting more personal – hackers may threaten to release victims’ encrypted information in public. Instances of this have already occurred. ‘Chimera’, a recently launched Ransomware campaign in Germany, threatened to release the victims’ encrypted files in public if the ransom was not paid.

2. Targeting Macs – with Macs becoming more popular among users, they are likely to become attractive prey for Ransomware.

3. Extending the Ransomware circle – rookie cybercriminals may start offering Ransomware as a service, transforming it into a large-scale, business-like operation.

4. Targeting Android – attempts to bring Ransomware to the mobile platform were already noticed in 2015; a popular example is SimpleLocker. In the coming year, we can expect more advanced and complex variants of it and of others like it.

5. Better delivery – hackers will use more sophisticated mechanisms to spread Ransomware and more lucrative ways to extort money from their victims.

6. Other targets – as more users become aware of and educated about how to fight Ransomware, hackers will target avenues which are still security-deficient, such as smart TVs, smart houses, smart fridges and Internet-enabled cars; in short, the Internet of Things.

7. Life threatening – frighteningly, Ransomware attacks can turn out to be more than a digital threat to people; they can become life-threatening. Attackers are now suspected to be going after lifesaving medical devices. There could be a horrid situation where a patient is asked to pay a ransom for their pacemaker to be released from a Ransomware’s clutches. Read more on this here.

STEPS YOU MUST TAKE

Cyber criminals don’t take time off from creating and improving upon their tactics, and that’s why it is essential that we don’t let our guard down against them. Here are some of the best ways you can protect your device from Ransomware:

Never download attachments or click links in emails received from unwanted or unexpected sources, even if the source looks familiar.

Don’t respond to unwanted pop-up ads or alerts while visiting unfamiliar or even familiar websites.

Apply all recommended security updates to your OS, software, and Internet browsers, if not already done.

Take regular backups of all the important files you have on your computer. We recommend running the backup procedure offline, not while you are connected to the Internet. Doing this will ensure that you do not have to meet the Ransomware’s demands.

Have security software installed on your PC that efficiently blocks spam and malicious emails, and automatically restricts access to malicious websites. Quick Heal Antivirus has an inbuilt anti-Ransomware defense that detects and stops Ransomware that encrypts data. This defense mechanism works on a behavior-based module, which means it analyzes programs based on their behavior and the activities they carry out on the user’s machine. This helps Quick Heal detect malware like Ransomware in real time and prevent possible infections. This anti-Ransomware feature remains active in the system even if the antivirus software itself is turned off for some reason.

THE DECRYPTION TOOL

Current Situation

Although downright evil and malicious, malware authors are ambitious. If you thought that the TeslaCrypt authors stopped working after creating the first version of this malware, you would be wrong. The latest version of this malware, reportedly released in November 2015, is known as ‘v8’ or ‘v2.2.0’. While it is not certain how many variants of this malware have been spawned since its inception, the latest version clearly shows that the hackers have been keeping themselves busy.

Quick Heal Threat Research Labs recently received reports of 60+ cases of TeslaCrypt infection. Apparently, and fortunately, the encryption used by this particular variant is weak and can be broken to reveal the key that is required for decrypting the locked data.

Below is a link to a free tool that can be used by those who fell victim to the latest TeslaCrypt infection and had their files encrypted: https://github.com/Googulator/TeslaCrack

NOTE:

A TeslaCrypt 2.0 infection can be recognised from the extension “.vvv” added to the names of the encrypted files.

The recovery process takes a good amount of time, so one needs to be patient; also, this tool does not guarantee the recovery of files in all cases.

HOW QUICK HEAL HELPS

We have released an update to Quick Heal desktop products that prevents attacks by the Locky Ransomware. Besides this, our multilayered defense mechanism helps prevent all types of malware attacks, including new Ransomware infections.

Email Security blocks emails carrying malicious links and attachments.

Web Security blocks websites containing hidden malware and viruses, and websites designed for phishing attacks.

Advanced DNAScan stops new and unknown malware that can cause the most damage.

Anti-Ransomware stops Ransomware from encrypting any data. The feature works in multiple ways to prevent a potential Ransomware attack:

Scans every downloaded file whose components could become a potential Ransomware attack.

Analyzes how a program behaves in real time, so that it can be stopped before it does any damage.

Proactive backup prevents data loss even in cases where certain files might get encrypted by Ransomware.

Helps the user keep track of files that have been encrypted. Alerts the user immediately to take corrective action. Isolates detected Ransomware infections; stops them from spreading and doing any damage.
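The behavior-based detection described above watches what a program does to files rather than what the program looks like. The following toy detector is an added example, not Quick Heal’s code: it consumes a stream of file-write events and flags any process that, inside a short time window, rewrites or renames many files so that they carry a known ransomware extension (the page names “.vvv” for TeslaCrypt 2.0 and “.locky” for Locky) or hold high-entropy, encrypted-looking content. The window length, the threshold and the sample events are this example’s own constructed assumptions.

```python
"""Toy behaviour-based ransomware detector (added example, not Quick Heal code)."""
import math
import os
from collections import Counter, defaultdict

KNOWN_RANSOM_EXTS = {".vvv", ".locky"}   # extensions named on the page
WINDOW_SECONDS = 10                      # assumption: sliding window length
THRESHOLD = 5                            # assumption: suspicious writes per window before alerting
ENTROPY_LIMIT = 7.5                      # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty/repetitive data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_suspicious_write(path: str, content: bytes) -> bool:
    """A write is suspicious if the file gets a ransomware extension or encrypted-looking content."""
    ext = os.path.splitext(path)[1].lower()
    return ext in KNOWN_RANSOM_EXTS or shannon_entropy(content) > ENTROPY_LIMIT


def detect(events):
    """events: iterable of (timestamp_seconds, pid, path, content_bytes).

    Returns {pid: [paths]} for every process whose suspicious writes reached
    THRESHOLD inside a WINDOW_SECONDS span. A single high-entropy write (a
    legitimate zip or JPEG being saved) never trips the threshold on its own.
    """
    recent = defaultdict(list)   # pid -> [(timestamp, path)] inside the current window
    alerts = {}
    for ts, pid, path, content in sorted(events, key=lambda e: e[0]):
        if not is_suspicious_write(path, content):
            continue
        window = recent[pid]
        window.append((ts, path))
        while window and ts - window[0][0] > WINDOW_SECONDS:   # slide the window forward
            window.pop(0)
        if len(window) >= THRESHOLD:
            alerts[pid] = [p for _, p in window]
    return alerts


# Constructed sample events: pid 100 is a word processor saving plain text,
# pid 300 saves one compressed archive, pid 200 behaves like a file encryptor.
CIPHERTEXT_STANDIN = bytes(range(256)) * 16          # uniform bytes, entropy exactly 8.0
SAMPLE_EVENTS = [
    (0.0, 100, r"C:\Users\alice\Documents\report.docx", b"Quarterly report, plain text body " * 20),
    (1.0, 300, r"C:\Users\alice\Downloads\photos.zip", CIPHERTEXT_STANDIN),
    (2.0, 200, r"C:\Users\alice\Pictures\holiday1.jpg.vvv", CIPHERTEXT_STANDIN),
    (2.5, 200, r"C:\Users\alice\Pictures\holiday2.jpg.vvv", CIPHERTEXT_STANDIN),
    (3.0, 200, r"C:\Users\alice\Documents\thesis.docx", CIPHERTEXT_STANDIN),   # encrypted in place, no rename
    (3.5, 200, r"C:\Users\alice\Documents\budget.xlsx.locky", CIPHERTEXT_STANDIN),
    (4.0, 200, r"C:\Users\alice\Documents\notes.txt.locky", CIPHERTEXT_STANDIN),
    (4.5, 200, r"C:\Users\alice\Music\song.mp3.vvv", CIPHERTEXT_STANDIN),
]

if __name__ == "__main__":
    for pid, paths in detect(SAMPLE_EVENTS).items():
        print(f"ALERT pid {pid}: {len(paths)} suspicious writes, e.g. {paths[0]}")
```

Run as written, only pid 200 is reported, with all six of its writes listed; the archive saved by pid 300 is high-entropy but a single write and stays below the threshold. The entropy test matters because a family that encrypts in place without renaming would otherwise slip past a pure extension check, as the `thesis.docx` event shows.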

A WORD OF ADVICE

The steps described for using this tool are not meant for novice users. So, if you are not sure about them, consider seeking assistance from a computer technician or a friendly neighbor who happens to be a computer geek.

To conclude, here are some safety measures to stay away from Ransomware attacks:

Never download attachments or click on links in emails received from unwanted or unexpected sources, even if the source looks familiar.

Don’t respond to pop-up ads or alerts while visiting unfamiliar websites.

Apply all necessary security updates to your OS, software, and Internet browsers. Always keep automatic updates ON.

Have security software installed on your PC that efficiently blocks spam and malicious emails, and automatically restricts access to malicious websites.

And the most crucial step, which will not save you from a Ransomware infection but will certainly help you recover: take regular data backups. Ransomware goes after your data, and then threatens you to pay up in exchange for the data. So, if you have a backup, you are guarded against extortion – which is, in fact, the most important part here.

HOW TO PREVENT RANSOMWARE FROM LOCKING YOUR PC

The Quick Heal Threat Research Lab has been detecting increased numbers of ransomware infections over the last few weeks. We have recently reported on the notorious Dridex ransomware. These incidents depict a clear trend: malware authors are steadily shifting to serious money-making ransomware variants.

The rise in these ransomware variant detections can be attributed to the following primary reasons:

Ransomware has proven itself to be a highly effective money extortion mechanism over the last year.

Ransomware has become much easier to develop due to the availability of source code and the emergence of ‘Ransomware-as-a-service’ products in the black market.

Ransomware is increasingly being used along with other successful and penetrative malware propagation techniques such as spam campaigns, ‘malvertising’ and ‘social engineering’.

Ransomware has become efficient due to the presence of Bitcoin, a digital currency that enables cybercriminals to collect money anonymously.

STATS FOR RANSOMWARE DETECTION BY QUICK HEAL

This graph shows the number of ransomware detections by Quick Heal for the 7 weeks starting from February 1st, 2016. In this time period, our lab detected nearly 450,000 ransomware samples, which works out to approximately 9,000 ransomware detections every single day. These figures present a considerable rise over the ransomware detections that we have seen in the past, and they highlight the growing threat of ransomware to businesses and individual users.

HOW TO AVOID RANSOMWARE INFECTIONS

There are a few foolproof precautions that need to be undertaken to prevent ransomware variants from infiltrating and locking your machine. These safety guidelines are even more relevant for enterprises and small business owners, who are often the most sought-after victims of ransomware authors.

1. Back up your data often and in different ways

When it comes to data security, the first step is data classification. It is essential for data owners to segregate their data into crucial, moderate or dispensable categories and then devise ways to secure their most sensitive information. We recommend the 3-2-1 rule: maintain 3 different copies of data, in 2 different formats, with 1 format available offline.

2. Update your OS and other applications & utilities

Malware developers typically exploit vulnerabilities in applications and the OS to breach system security. To prevent incidents, it is highly recommended to automatically download OS updates and apply regular security patches for other applications on the system. Commonly targeted applications are Java, Adobe Acrobat Reader, Adobe Flash Player, MS Office and web browsers such as Google Chrome, Mozilla Firefox, Internet Explorer and more.

3. Be cautious of suspicious emails and attachments

Spam emails have become one of the most effective ways for ransomware to enter vulnerable systems. Through social engineering techniques or by disguising emails to appear authentic, attackers cause victims to click on fraudulent links or download malicious attachments. When it comes to email security, we suggest the following security measures:

Always check the email sender’s information.

Always verify the content of the email properly.

Never click on the links embedded within suspicious emails.

Never open or execute attachments received from unknown senders.

SOME MORE RANSOMWARE PREVENTION TECHNIQUES

Personalize spam settings for your email inbox and your installed security solution.

Use the native Windows functionality ‘Show File Extensions’. This shows the extensions of unknown files before opening them.

In case of breaches or infections, immediately disconnect the Internet connection.

Keep the Windows Firewall switched on at all times and regularly monitor its settings.

Enable your installed security software to scan compressed and archived files when they enter the system.

Turn off AutoPlay for USB devices, so that they do not immediately open the files within them.

Consider installing an add-on which blocks automatic pop-ups in your browser.
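Three of the items in the list above (file extensions shown, AutoPlay disabled, Windows Firewall on) are ordinary registry-backed settings, so they can be audited rather than checked by eye. The script below is an added example, not Quick Heal’s code. The registry locations are the standard Windows ones; the pass/fail policy, the `winreg` hive attribute names used in the table and the constructed snapshot are this example’s own. `read_windows_settings()` only runs on a Windows host; `audit()` takes a plain dict so the policy can be exercised anywhere.

```python
"""Audit of the Windows hardening settings named on the page (added example)."""
import sys

# name -> (winreg hive attribute, key path, value name)
CHECKS = {
    "show_file_extensions": (
        "HKEY_CURRENT_USER",
        r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
        "HideFileExt",           # 0 = extensions shown, 1 = hidden (Windows default)
    ),
    "autorun_disabled": (
        "HKEY_LOCAL_MACHINE",
        r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
        "NoDriveTypeAutoRun",    # bitmask of drive types; 0xFF disables AutoRun on all of them
    ),
    "firewall_standard_profile": (
        "HKEY_LOCAL_MACHINE",
        r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
        "EnableFirewall",        # 1 = firewall on for the standard (private) profile
    ),
}


def read_windows_settings() -> dict:
    """Read the live values on a Windows host; a missing key or value is reported as None."""
    if sys.platform != "win32":
        raise RuntimeError("the Windows registry can only be read on Windows")
    import winreg
    snapshot = {}
    for name, (hive, path, value) in CHECKS.items():
        try:
            with winreg.OpenKey(getattr(winreg, hive), path) as key:
                snapshot[name] = winreg.QueryValueEx(key, value)[0]
        except OSError:
            snapshot[name] = None
    return snapshot


def audit(settings: dict) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    if settings.get("show_file_extensions") != 0:
        findings.append("File extensions are hidden: 'invoice.pdf.exe' would display as 'invoice.pdf'.")
    if settings.get("autorun_disabled") != 0xFF:
        findings.append("AutoRun is not disabled for all drive types (NoDriveTypeAutoRun != 0xFF).")
    if settings.get("firewall_standard_profile") != 1:
        findings.append("Windows Firewall is off or unset for the standard profile (EnableFirewall != 1).")
    return findings


# Constructed snapshot of a weakly configured machine: extensions hidden, the
# Windows 7+ AutoRun default of 0x91 (removable drives still allowed), and no
# firewall value present at all.
WEAK_SNAPSHOT = {
    "show_file_extensions": 1,
    "autorun_disabled": 0x91,
    "firewall_standard_profile": None,
}

if __name__ == "__main__":
    settings = read_windows_settings() if sys.platform == "win32" else WEAK_SNAPSHOT
    for finding in audit(settings) or ["All checks passed."]:
        print(finding)
```

On a non-Windows host the script falls back to the constructed snapshot and prints three findings; on Windows it reads the live values. A hardened machine (HideFileExt = 0, NoDriveTypeAutoRun = 0xFF, EnableFirewall = 1) yields no findings.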

Recently, ransomware infections have begun spreading via JavaScript code on websites as well. So there are multiple avenues through which ransomware can be delivered into vulnerable systems. Quick Heal defends against the latest malware samples with generic and heuristics-based detections that are delivered through our global virus signature database on a daily basis. Moreover, Quick Heal security products also provide multiple lines of defense such as Virus Protection, Email Protection, DNAScan and Advanced Behavior Detection System for complete system security.

Locky Ransomware on the Loose

‘Locky’ is the latest addition to the ransomware family. It has an interesting name and carries the same nastiness. Read more in the post below.

WHAT IS THE LOCKY RANSOMWARE?

Locky is a new file-encrypting ransomware malware. It does two things:

Encrypts the files it finds on the PC it infects.

Changes the extension of the encrypted files to .locky

And as most of us know, the encrypted files can be decrypted only with a key that is available from the cyber crook, for a price.

WHO ALL ARE IN THE RED ZONE?

Locky ransomware is known to target Windows users.

HOW DOES IT INFECT A MACHINE?

The ransomware seems to be using different spam email campaigns to spread and infect its target victims.

In one campaign, it has been noticed that the email appears to be from a popular organization and asks the user to download an invoice attachment (MS Word doc).

The document contains text that looks incomprehensible or unreadable, and to make the text readable, the user needs to enable ‘macros’.

If the user falls for this trick and enables ‘macros’, a series of automatic processes is triggered which finally results in installing the Locky Ransomware on the machine.

Once inside the system, the ransomware begins encrypting whatever files it can find.
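The lure described above only works if the “invoice” reaches the user with its macro project intact, so a mail gateway or endpoint filter can refuse such attachments before the “enable macros” prompt is ever shown. The checker below is an added example, not Quick Heal’s code. It relies on two facts about the formats: Office Open XML documents (.docx/.docm) are zip containers and a macro-enabled one carries a `vbaProject.bin` member, while the legacy binary .doc format is an OLE2 compound file whose macro streams need a dedicated parser (such as oletools) to enumerate, so this example only holds those for deeper inspection. The quarantine policy and every sample attachment are constructed for the example.

```python
"""Checking a mail attachment for an embedded VBA macro project (added example)."""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OOXML_EXTS = (".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm")


def classify_attachment(filename: str, data: bytes) -> str:
    """Return one of: 'macro', 'clean', 'ole-binary', 'mismatch', 'unknown'."""
    name = filename.lower()
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = {m.lower() for m in zf.namelist()}
        except zipfile.BadZipFile:
            return "unknown"
        # Word stores the project under word/, Excel under xl/, PowerPoint under ppt/.
        if any(m.endswith("/vbaproject.bin") for m in members):
            return "macro"
        return "clean"
    if data.startswith(OLE2_MAGIC):
        return "ole-binary"
    if name.endswith(OOXML_EXTS):
        return "mismatch"       # claims to be an Office document but is not a zip container
    return "unknown"


def should_quarantine(filename: str, data: bytes) -> bool:
    """Example policy: block macro-bearing and mislabelled attachments and hold
    legacy OLE binaries for a deeper scan; let everything else through."""
    return classify_attachment(filename, data) in ("macro", "mismatch", "ole-binary")


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal (non-functional) Office Open XML package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)  # stand-in macro project
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments, keyed by the name the sender gave them.
    samples = {
        "invoice.docm": build_sample_docx(with_macro=True),
        "invoice.docx": build_sample_docx(with_macro=False),
        "invoice.doc": OLE2_MAGIC + b"\x00" * 24,
        "order.docx": b"MZ" + b"\x00" * 24,      # a PE executable renamed to look like a document
    }
    for fname, blob in samples.items():
        verdict = classify_attachment(fname, blob)
        print(f"{fname:14} -> {verdict:11} quarantine={should_quarantine(fname, blob)}")
```

The magic-byte checks come before the filename check on purpose: the extension is attacker-controlled, the container format is not, so a `.docx` that does not start as a zip is reported as a mismatch regardless of what the name promises.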

WHAT HAPPENS NEXT?

Once Locky is done encrypting the files, it displays a message to the user on the desktop. The message informs the user what has happened, and that decrypting the files is only possible by purchasing a private key from the hacker; the cost could be up to ₹26,558/- ($400).

WHAT DO WE SUGGEST?

Back up your important files regularly, and have the backup encrypted. This will make sure that the data is not misused by anyone.

Do not trust any email that asks you to download an attachment, software, survey forms or anything that you were not expecting, no matter how professional, urgent, or grand the email may look or sound. If you think the email is genuine, have it verified with the sender over a call or in person.

Avoid using your computer with an ‘Administrator’ account unless necessary. Being logged in as an administrator when attacked by malware can cause irreparable damage to your PC. Always log in as a standard user for day-to-day usage. Here is a post that explains more about why you shouldn’t run as admin.

Keep your Windows OS and all other programs/applications up to date with the latest security updates/patches. In most cases of ransomware infections, the malware takes advantage of security vulnerabilities present in the user’s system.


We are keeping track of the Locky Ransomware and its developments. We will keep you posted in case we come across anything important. Stay safe!
