From Wikipedia, the free encyclopedia
Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them.
Recently, someone asked me if this was a real thing. My response was, “it’s absolutely a real thing!” What bothered me about this question is not that this person was seemingly unaware, but that they were not sufficiently educated about this very real problem facing Internet Users. That education ultimately falls to Network Administrators and Service providers to make sure that the people accessing the networks and machines connected to those networks are aware and have at least a basic understanding of the threats. The educated user is the first and most powerful line of defense for computers connected to any network. Whether that network is a business network or a home network.
Obviously, the second most important item in this chain or protection is having and using effective tools, such as anti-virus/anti-malware software to protect against such threats. Believe it or not, not all Anti-virus programs are created equal so, not all anti-virus programs are capable of protecting against this particular type of threat. This falls under the heading of you get what you pay for. At this point you’re wondering if your AV (anti-virus) program is up to the task. That’s good! That is definitely a question you should be asking yourself. The next person you should ask is the one charged to take care of your network and the computers/servers connected to that network. But I’m getting side-tracked. The point of this message is to make you aware that it’s out there, it’s real, and the most important thing: in almost all instances it requires human intervention – the user – to get infected.
One of the first infection methods I saw was one that was delivered in an MS Office document embedded with a Macro that dropped the malware payload onto the users’ computer as soon as it was opened which then propagated outward from there to the network. (Many businesses receive resumes in the form of Word files.) It wasn’t long after the document was opened that I got a phone call about their computer acting strangely. Less than an hour later it had spread to half the file shares this user was connected to. What caused bothered the user was that it was a document the user was expecting from a trusted source. In this instance two bad things happened: Macro enabled MS Office files from a trusted source was an acceptable method of receiving information, and the AV program installed on that workstation was not up to the task and missed the threat. Either because it didn’t have the necessary malware signatures to identify the threat, or it simply wasn’t able to do so. A third possibility is that the user was made aware by the AV program, but dismissed it because it came from a trusted source. After the fact and after everything was cleaned up my first recommendation was to never accept MS Word files as attachments, but rather demand that if a document must be sent it should be sent as a PDF. While they’re not invulnerable, they’re much harder to corrupt and therefore much safer.
The second most popular attack vector is directly from the internet. An internet site that has been compromised can quite easily push the payload to the target easily by using scripts that run invisible in the background beyond the site of the visitor. Making it that much more critical that the AV program installed to protect the computer and the network from such attacks. But, more importantly it is even more critical that the user be aware and ever suspicious when surfing the internet that threats are out there and can potentially turn up just about anywhere.
Yesterday, a new ransomware strain, BadRabbit, began spreading. This time, cybercriminals used popular Russian news sites to spread the ransomware. Despite recycling some of NotPetya’s code, BadRabbit did not spread as pervasively as WannaCry or NotPetya. It did, however, manage to infect the Ministry of Infrastructure of Ukraine, Odessa’s airport, Kiev’s subway and two Russian media groups. (Source: Avast Blog – https://blog.avast.com/its-rabbit-season-badrabbit-ransomware-infects-airports-and-subways – Post Date: 25 October 2017)
If you’re sufficiently worried or just a little bit scared, that’s ok. The most important thing to take away from this is to remain vigilant and if something seems off about a website then it very well might be.
- Make policy in your office or for yourself not to accept Word documents as email attachments especially if you get a message from someone you rarely hear from or don’t know.
- If you’re a home user, make certain that your anti-virus is always kept up to date and that it can deal with this type of malware. If you’re not sure find out. Check the AV vendor’s website, or even send them a message asking them directly. Or call and ask me even if you’re not currently a client.
There are three AV vendors that I feel very good about that I have direct experience with:
- Trend Micro
- Avast Business Cloudcare (Formerly AVG Cloudcare)
Any of you that know me, know that I like to do security in layers starting at the perimeter – the firewall – and work my way inward towards the server and workstations. But that’s another post which I will certainly get into.