SIRKit Advisory: Ransomware and modern threats

Posted on May 20, 2016

Criminals have historically held up banks and convenience stores in order to get easy and fast money. But in the digital age, criminals don’t need guns or a getaway car to take your cash.

In recent years, there have been a growing number of cases of something called “ransomware”. This is exactly what it sounds like: software designed to hold your digital files – your entire business – for ransom. The very first case was in 2013 with an infection known as CryptoLocker.

This is how it works:

You receive an email with a generic-looking attachment or URL that delivers a file such as “resume.zip”. When you open the file, nothing appears to happen. So you close it and go about your day. Unfortunately, by opening that file you have infected your computer, and malicious processes are now running silently in the background.

The infection will immediately start locking or “encrypting” your most important files – typically documents, pictures, spreadsheets, videos. The process performing the malicious encryption will stay hidden while making the changes. The process can take days, especially with large numbers of files or if the computer has access to a corporate file server.

Seemingly out of the blue, you may receive a pop-up or find informational files telling you that your data has been locked. In the message the criminals will ask for payment in the order of hundreds, thousands, or even millions of dollars in extreme cases. What are you paying for? The digital key that allows you to unlock all of your files. The longer you wait before paying, the more money they will charge for the key. If they don’t receive payment within their timeline, they will delete your key, at which point your files will be locked forever.

Can we just pick the lock? No. This sort of lock involves a math problem with a solution that would take the remainder of human history to solve, if you’re lucky. So you only have two options in this scenario: pay up and try to unlock your data, or restore all of your files from a backup copy.

Many criminals have copied this pioneering CryptoLocker scheme and have come up with increasingly creative ways to infect computers. And for those of you on Apple systems, you aren’t safe either. Businesses have been directly targeted by criminals in large and organized attacks. Police departments and government institutions are among those who have been forced to pay, and in March of 2016 a US hospital paid a $17,000 ransom to get their systems working again.

It’s not all doom and gloom. It is possible to protect yourself from infection.

Let’s start with the most important point: backups can save your business. Losing a day of productivity while your entire company is restored from a backup is far better than permanently losing your files. Ensuring regular and thorough onsite and offsite backups are performed is critical to protecting your livelihood.

As for the infection itself, a lot of it comes down to training and awareness. These viruses masquerade in emails as resumes and invoices. Sometimes they pretend to be PDF or ZIP files, while newer and more advanced infections send genuine Microsoft Word documents, such as .DOCM files, which can use the macro programming features built into Office to get you infected.

The simplest rule of thumb here is to not open attachments and not click on URLs you aren’t expecting. Letting your curiosity get the better of you can be costly. If you don’t know the sender, odds are they shouldn’t be sending you attachments. If you do know the sender, make sure you recognize whatever attachment they are sending you before you open it. Criminals can mask email addresses to appear as the colleague right next door.

There are of course computer administrative controls that increase protection and help take some of the burden off your users, although these really only exist to catch or prevent the mistakes users occasionally make. Some examples:

• Admin-level computer access should be removed from any user who does not require it
• Emails can be scanned and blocked if they contain certain kinds of attachments
• Your firewall can check incoming downloads and URLs before they are allowed to be opened, by way of web-filtering and sandboxing
• Access to network folders should be restricted so that an infection on one computer cannot reach everything
• Macros and other programming functions in Word, Excel, and all Microsoft Office products should be disabled by default
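The attachment-scanning control in the list above, together with the earlier point about macro-enabled .DOCM files and ZIP attachments, can be illustrated with a small gateway-style check. The following Python script is an added example written for this advisory; it is not SIRKit’s tooling or any mail product’s code. The extension lists, the sample messages and the fake Office documents it builds are all constructed assumptions for the demonstration. It goes slightly beyond the text in one respect: it recognises a macro-enabled Office document by the vbaProject.bin part inside its ZIP container, so a .DOCM renamed to .DOCX is still flagged.

```python
import io
import zipfile
from email.message import EmailMessage

# Assumed deny-list of executable attachment types (a typical mail-gateway policy,
# not SIRKit's actual configuration).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta", ".bat", ".cmd", ".ps1"}
# Macro-enabled Office formats (.DOCM and its relatives).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name):
    # Use the LAST extension: "resume.pdf.exe" is an .exe as far as Windows is concerned.
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def is_macro_enabled_office(data):
    """OOXML documents are ZIP containers; macro-enabled ones carry a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_zip(data):
    """Findings for the members of a ZIP attachment: blocked executables and macro documents."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                ext = _ext(member)
                if ext in BLOCKED_EXTENSIONS:
                    findings.append(f"archive member {member} is an executable type")
                elif ext in MACRO_EXTENSIONS or is_macro_enabled_office(zf.read(member)):
                    findings.append(f"archive member {member} is a macro-enabled Office document")
    except zipfile.BadZipFile:
        findings.append("attachment is not a readable ZIP archive")
    return findings


def scan_message(msg):
    """Return ("block" | "allow", findings) for an email.message.EmailMessage."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        ext = _ext(name)
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"{name}: executable-type attachment")
        if ext in MACRO_EXTENSIONS or is_macro_enabled_office(data):
            findings.append(f"{name}: macro-enabled Office document")
        if ext in ARCHIVE_EXTENSIONS:
            findings.extend(f"{name}: {f}" for f in inspect_zip(data))
    return ("block" if findings else "allow"), findings


# --- Constructed sample data for the demonstration (not real captures) ---

def make_fake_office_doc(with_macros):
    """Minimal stand-in for a Word file: a ZIP with a document part, plus vbaProject.bin if macros."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


def make_zip(members):
    """Build an in-memory ZIP from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_message(attachment_name, data):
    """Constructed email with one attachment, as a gateway would receive it."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Resume"
    msg.set_content("Please see attached.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=attachment_name)
    return msg


if __name__ == "__main__":
    samples = [
        ("resume.docm", make_fake_office_doc(True)),
        ("report.docx", make_fake_office_doc(True)),     # renamed .docm, still caught
        ("resume.zip", make_zip({"resume.js": b"x"})),
        ("photos.zip", make_zip({"holiday.jpg": b"x"})),
        ("resume.pdf", b"%PDF-1.4"),
    ]
    for name, data in samples:
        verdict, findings = scan_message(build_sample_message(name, data))
        print(f"{name}: {verdict} {findings}")
```

The checks run in the order a gateway would apply them: file name first, then the content of the file itself, then the contents of any archive it carries. Deciding on the last extension only, and looking inside the container rather than trusting the name, is what stops the “looks like a PDF or ZIP” disguises the advisory describes.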

More drastic measures can also be taken to make your computers as inhospitable a place for these viruses to live as possible. An ounce of prevention is worth a pound of cure. Preventing this sort of infection from getting in could literally save your business.

Please contact our helpdesk (support@sirkit.ca) if you would like more information.