Following up on my recent post, Ransomware Week, I wanted to talk about the general attitude towards ransomware and the things that lead to infection and prevent you from it. Cyber crime comes in so many different forms but I would argue that ransomware falls into something of its own because of not just the damaging effects but also the incredibly personal nature of the attack.
Introduction
To me, as a security researcher, there isn't much worse than dealing with a case of ransomware. When working with it in the field, I'm either interacting with a company with many gigabytes / terabytes of really important data or an individual with highly personal info; that makes the effects of the damage difficult to mitigate, control and explain to the victim. With companies, it can be a little hit or miss as to whether there are any data backups but even when there are, restoring everything takes a great deal of work and a ton of time. On the other hand, I often find that individuals very rarely have data backed up and simply cannot recover a majority of it - although this is starting to change as cloud services become more popular.
Our Attitudes
First and foremost, my biggest advice is to not pay any ransom demand - regardless of how scary or intimidating the warnings are. This can be difficult to explain, particularly when the individual or company doesn't have a backup - they are often eager to pay up to restore their data regardless of the risks involved.
Before we go much further, we need to consider and think about how an infection arose in the first place. We know that this type of activity relies on vulnerabilities whether they are technical, social or a combination; the point is that there was a way in that hadn't been 'patched' which can only be addressed by change - whether this be reliable firewall rules and monitoring or even staff training. By immediately paying, you are not only not addressing the root problem but advertising yourself as a candidate for more advanced targeted attacks (I've seen this happen on more than one occasion).
Ultimately, the underlying fact of the matter is that there is 0% guarantee that you will recover your data by paying but a 100% guarantee that you are directly contributing to cyber crime.
* I have done some research into the statistics of data recovery after payment although there is very little reliable information out there. I suspect this is in part due to the unknown number of people who both get infected with ransomware and also pay the demand. I did however come across an interesting set of easy to read statistics at https://blog.barkly.com/ransomware-statistics-2016 *
How it Happens
I'd like to remind you that I'm basing a great deal of this on my experience (with small companies and individuals) and my own research and it's only my conclusion and thoughts - that being said I still think I'm right :)
In my experience, almost all ransomware infections start with somebody clicking on / installing something they shouldn't - as in it's not something that was launched external to the network or system but by somebody using it. That being said, in almost all of these cases, an underlying vulnerability existed in the first place allowing malicious code to run. The two most common I keep seeing are infected PDF files and MS Word documents - despite the warnings that exist in newer versions of Word! In addition, in a select number of instances, I have seen this occur due to an initial and separate exploitation.
From this, it's fairly obvious to see two major factors at play. The first is actually a simple one to resolve in an overwhelming majority of cases and that's simply clicking yes to "install this update?". With PDF based infections, it's a case of using outdated software, usually on an older Windows based operating system. Everybody understands the complications of larger OS upgrades but there is a reason for them. The second issue is a harder one to solve and is down to people themselves. Companies need to provide training so users of the systems and networks understand the risks involved and how these attacks typically start.
Preventing infection
If it was as easy as installing this quick fix then I wouldn't be writing a post on the prevalence and severity of ransomware attacks. I always find it difficult to answer the question on how to prevent it when asked because there are so many things to think about and cover.
I've compiled my personal list of "top tips" on trying to prevent ransomware but this certainly isn't a comprehensive "do this and you won't get infected" list.
- Keep things updated! - Almost all installed software will automatically notify you of updates but will require you to 'authorise' them (usually by clicking install). This is such an important factor in preventing the initial spread if you do receive and open an infected file. If you're unsure, just take a look in the help menu of each program you frequently use and you'll most likely find some info about updating.
- Update anti-virus (and related software) on a daily basis - I will list this separately as new variants can appear incredibly quickly and very frequently; the only way of discovering these before the damage is done is by keeping the stuff that prevents it as up to date as often as possible.
- As an individual, never run a macro in any Microsoft product as a matter of principle - we've all had those "obviously not from nan" emails from somebody or another. With the amount of personal data available about almost anybody and without much effort, it's not actually very difficult to create quite a deceiving email from somebody you are likely to trust; better safe than sorry and don't run macros.
- As a company, only allow macros to run that are expressly permitted by management - Ideally, you should have these publicly stored / accessed instead of emailed around. Simply notify relevant people about the existence of a document with a required macro on a shared location. That way, if somebody receives a malicious email, damage is not only averted but it becomes obvious an attempt was made.
- BACKUP YOUR DATA! - If it means something to you or your company then it's worth having a copy or two. Do make sure though that whatever backup method you use, it is not "always on" and available to the systems it is backing up. I've come across a situation like this and the chap found his backups held for ransom too.
- Use cloud services* - I say this with caution as some ransomware infections will quite happily encrypt the contents of accessible cloud storage. However, a number of providers do have methods which allow you to roll back or restore your data from a previous time - pay close attention to the features provided by the service(s) you use if used for prevention.
- Be incredibly cautious of emails as they can easily be forged - Emails can be made to look overwhelmingly convincing even when sending internally within a company. Another vector comes from social media; it can be fairly trivial to mimic the account of a friend or simply use a dummy account that relies on people blindly accepting friend requests; combined with a little social engineering some techniques can be quite convincing.
- Remember that the majority of popular devices can become vulnerable - With more services and devices aiming to offer features that cross platforms and hardware, the possibility of a service or program based exploit occurring that then spreads increases significantly.
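For the two macro tips above, here is an added example that is not from the original post: a PowerShell fragment that applies the "only management-approved macros" approach to Word 2016 through its policy registry keys. It assumes the Office version key 16.0 (other versions use a different number) and uses a constructed placeholder for the shared location where approved documents live.

```powershell
# Added example (not from the original post): enforce "management-approved macros only"
# for Word 2016 (Office policy key "16.0"; adjust for other versions).
# The share path below is a constructed placeholder; substitute the real
# management-controlled location (read-only to staff, writable by IT).
$ApprovedShare = '\\fileserver\approved-macros'

$Security = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
$Trusted  = Join-Path $Security 'Trusted Locations'
$Location = Join-Path $Trusted  'Location1'

foreach ($Key in $Security, $Trusted, $Location) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
}

# 4 = "Disable all macros without notification": the user never sees an Enable Content button,
# so a convincing email cannot talk them into clicking it.
New-ItemProperty -Path $Security -Name 'VBAWarnings' -PropertyType DWord -Value 4 -Force | Out-Null
# Block macros in documents marked as coming from the Internet (email attachments, downloads).
New-ItemProperty -Path $Security -Name 'blockcontentexecutionfrominternet' -PropertyType DWord -Value 1 -Force | Out-Null

# Trusted Locations are exempt from VBAWarnings, so documents on the approved share still run
# their macros. A UNC path is ignored unless network locations are explicitly allowed.
New-ItemProperty -Path $Trusted  -Name 'AllowNetworkLocations' -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $Location -Name 'Path'            -PropertyType String -Value $ApprovedShare -Force | Out-Null
New-ItemProperty -Path $Location -Name 'AllowSubfolders' -PropertyType DWord  -Value 0 -Force | Out-Null
New-ItemProperty -Path $Location -Name 'Description'     -PropertyType String -Value 'Macros approved by management' -Force | Out-Null

# Audit helper: read the settings back so the policy can be checked on any workstation.
function Get-MacroPolicyStatus {
    $s = Get-ItemProperty -Path $Security
    $l = Get-ItemProperty -Path $Location
    [pscustomobject]@{
        MacrosDisabledWithoutNotification = ($s.VBAWarnings -eq 4)
        InternetMacrosBlocked             = ($s.blockcontentexecutionfrominternet -eq 1)
        ApprovedLocation                  = $l.Path
    }
}
Get-MacroPolicyStatus
```

In a company these keys would normally be pushed by Group Policy rather than run per user; the script mirrors what that policy writes so it can be tested on a single machine first.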
In my next post I'll talk about how it tends to spread once the initial infection has taken place and some of the things that can be done to mitigate and control the damage.