
Ransomware: Threats, Facts and Countermeasures


Ransomware is a type of malware that has become a significant threat to U.S. businesses and individuals during the past three years. Most current ransomware variants encrypt files on the infected system or network; these are known as crypto ransomware. A few variants instead erase files or block access to the system by other means; these are known as locker ransomware. Once access to the files or system is blocked, the ransomware demands a ransom in order to restore it, frequently $200 - $3,000 in bitcoins, though other currencies and gift cards are occasionally reported.

What is Bitcoin?

Bitcoin is a new currency that was created in 2009 by an unknown person using the alias Satoshi Nakamoto. Transactions are made with no middle men – meaning, no banks! There are no transaction fees and no need to give your real name. More merchants are beginning to accept them: You can buy webhosting services, pizza or even manicures.

Why Bitcoins?

Bitcoins can be used to buy merchandise anonymously. In addition, international payments are easy and cheap because bitcoins are not tied to any country or subject to regulation. Small businesses may like them because there are no credit card fees. Some people just buy bitcoins as an investment, hoping that they’ll go up in value.

Ransomware variants almost always opportunistically target victims, infecting an array of devices from computers to smartphones.
Victims are at risk of losing their files, but may also experience financial loss due to paying the ransom, lost productivity, IT costs, legal fees, network modifications, and/or the purchase of credit monitoring services for employees/customers.


What are Infection Vectors?

The majority of ransomware is propagated through user-initiated actions such as clicking on a malicious link in a spam e-mail or visiting a malicious or compromised website. In other instances, malware is disseminated through malvertising and drive-by downloads, which do not require user engagement for the infection to be successful.
While almost all ransomware infections are opportunistic, disseminated through indiscriminate infection vectors such as those discussed above, in a few very rare instances cyber threat actors specifically target a victim. This may occur after the actors realize that a sensitive entity has been infected or because of specific infection attempts. The Federal Bureau of Investigation (FBI) refers to these instances as extortion, rather than ransomware, as there is almost always a higher ransom amount that coincides with the strategic targeting. This was the case in spring 2016, when several hospitals infected with strategically targeted ransomware made the news.

What are the Additional Capabilities of Ransomware?

In the past year, the features of ransomware variants have expanded to include data exfiltration, participation in distributed denial of service (DDoS) attacks, and anti-detection components. One variant deletes files regardless of whether or not a payment was made. Another variant includes the capability to lock cloud-based backups when systems continuously back up in real time (a.k.a. during persistent synchronization). Other variants target smartphones and Internet of Things (IoT) devices.
Although not as common, some variants claim to be from a law enforcement agency and that the user owes a “fee” or “fine” for conducting illegal activities, such as viewing pornography. In an effort to appear more legitimate these variants can use techniques to identify the victim’s rough geographic location in order to use the name of a specific law enforcement agency. No U.S. law enforcement agency will ever remotely lock or disable a computer and demand a fine to unlock it.

How to Mitigate the Risk of Ransomware Infections

These recommendations are not comprehensive but provide general best practices.

Securing Networks and Systems

  • Have an incident response plan that includes what to do during a ransomware event.

  • Backups are critical. Use a backup system that allows multiple iterations of the backups to be saved, in case a copy of the backups includes encrypted or infected files. Routinely test backups for data integrity and to ensure the backup system is operational.

  • Keep all systems patched and up-to-date, including all hardware (including mobile devices), operating systems, software, and applications, including cloud locations and content management systems (CMS). Use a centralized patch management system if possible. Implement application whitelisting and software restriction policies (SRP) to prevent the execution of programs in common ransomware locations, such as temporary folders.

  • Disable macro scripts. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full office suite applications.

  • Use antivirus and anti-spam solutions. Enable regular system and network scans with antivirus programs that are set to automatically update signatures. Implement an anti-spam solution to stop phishing emails from reaching the network. Consider adding a warning banner to all emails from external sources that reminds users of the dangers of clicking on links and opening attachments.

  • Restrict Internet access. Use a proxy server for Internet access and consider ad-blocking software. Restrict access to common ransomware entry points, such as personal email accounts and social networking websites.

  • Apply the principles of least privilege and network segmentation. Categorize and separate data based on organizational value and, where possible, implement virtual environments and the physical and logical separation of networks and data.

  • Vet and monitor third parties that have remote access to the organization’s network and/or your connections to third parties, to ensure they are diligent with cybersecurity best practices.

  • Participate in cybersecurity information sharing programs and organizations, such as MS-ISAC and InfraGard.
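The backup advice above (keep several iterations, and test them for integrity) is easier to act on with a concrete check. The Python script below is an added example, not code from the original post or from MS-ISAC. It records a SHA-256 manifest when a backup iteration is written and verifies a later iteration against it, flagging files that are missing or altered, files with ransomware-style extensions or ransom-note names (both lists are constructed assumptions), and files whose byte entropy is high enough to look encrypted. It goes a little beyond the bullet point by pairing the hash check with that entropy heuristic, which catches an encrypted copy even when the original name was preserved.

```python
"""Backup-iteration integrity check (added example; not from the original post).

Assumptions, all constructed for illustration: each backup iteration is a
plain directory tree, and a SHA-256 manifest is recorded when the iteration
is written so a later copy can be verified against it.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Constructed lists: extensions and note names commonly left by crypto ransomware.
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_recover.txt"}
# Formats that are high-entropy by design; the entropy heuristic skips them.
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4"}


def sha256_of(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def shannon_entropy(data):
    """Bits per byte: ordinary text is roughly 4-5, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def verify_iteration(root, manifest, entropy_threshold=7.5):
    """Return a list of (finding, relative_path); an empty list means clean."""
    findings = []
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            findings.append(("missing", rel))
        elif sha256_of(full) != expected:
            findings.append(("hash-mismatch", rel))
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            ext = os.path.splitext(name)[1].lower()
            if rel not in manifest:
                findings.append(("unexpected-file", rel))
            if ext in RANSOM_EXTENSIONS or name.lower() in RANSOM_NOTE_NAMES:
                findings.append(("ransomware-artifact", rel))
            with open(full, "rb") as f:
                head = f.read(65536)
            if (len(head) >= 1024 and ext not in COMPRESSED_EXTENSIONS
                    and shannon_entropy(head) > entropy_threshold):
                findings.append(("high-entropy", rel))
    return findings


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build two constructed backup iterations and verify both against the
    manifest taken from the first. Returns (clean_findings, bad_findings)."""
    text = b"Quarterly report: revenue up 3%, costs flat.\n" * 40
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "iteration-1")
        bad = os.path.join(tmp, "iteration-2")
        for root in (clean, bad):
            _write(root, os.path.join("docs", "report.txt"), text)
            _write(root, os.path.join("data", "notes.txt"), b"meeting at 10\n" * 100)
        manifest = build_manifest(clean)
        # Iteration 2 captured a file after ransomware replaced it: the original
        # is gone and a uniformly distributed stand-in for ciphertext remains.
        os.remove(os.path.join(bad, "docs", "report.txt"))
        _write(bad, os.path.join("docs", "report.txt.locked"), bytes(range(256)) * 16)
        _write(bad, "readme_decrypt.txt", b"your files are encrypted\n")
        return verify_iteration(clean, manifest), verify_iteration(bad, manifest)


if __name__ == "__main__":
    clean_findings, bad_findings = demo()
    print("iteration-1:", clean_findings or "clean")
    for finding in bad_findings:
        print("iteration-2:", *finding)
```

Run it as-is to see the constructed tampered iteration flagged; in practice, store the manifest somewhere the backup host cannot overwrite and run `verify_iteration` on each retained iteration before deciding which one to restore from.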


Securing the End User

  • Provide social engineering and phishing training to employees. Urge them not to open suspicious emails, not to click on links or open attachments contained in such emails, and to be cautious before visiting unknown websites.

  • Remind users to close their browser when not in use.

  • Have a reporting plan that ensures staff knows where and how to report suspicious activity.


Responding to a Compromise/Attack

  • Immediately disconnect the infected system from the network to prevent infection propagation.

  • Determine the affected data, as some sensitive data, such as electronic protected health information (ePHI), may require additional reporting and/or mitigation measures.

  • Determine if a decryptor is available. Online resources such as No More Ransom! can help.

  • Restore files from regularly maintained backups.

  • Report the infection. It is highly recommended that SLTT government agencies report ransomware incidents to MS-ISAC. Other sectors and home users may report infections to local Federal Bureauo
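The first response step, disconnecting the infected system, only works if the infection is noticed quickly. The Python script below is an added example, not code from the original post, showing one way to spot it: it scans a constructed, simplified file-activity log for a burst of ransomware-like activity (many distinct files renamed to a suspect extension, or a ransom note written) by a single process on a single host within a sliding time window. The log format, host and process names, and the extension and note-name lists are all assumptions; real EDR or file-audit telemetry uses other formats. A hit from `detect_bursts` is the trigger for isolating that host.

```python
"""Burst detector for ransomware-like file activity (added example; not from
the original post).

Input is a constructed, simplified file-activity log, one event per line:
"<ISO timestamp> <host> <process> <action> <path>". Real EDR or file-audit
telemetry uses other formats, so the parser is an assumption.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed lists of artifacts crypto ransomware commonly leaves behind.
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_recover.txt"}


def parse_event(line):
    """Split one log line into (timestamp, host, process, action, path)."""
    ts, host, proc, action, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), host, proc, action, path


def is_suspect(action, path):
    """True for a rename/write to a ransomware-style extension or a ransom note."""
    name = path.rsplit("/", 1)[-1].lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    return (action in ("RENAME", "WRITE") and ext in SUSPECT_EXTENSIONS) or name in RANSOM_NOTE_NAMES


def detect_bursts(lines, window_seconds=60, threshold=20):
    """Return {(host, process): time_of_first_alert} for every host/process pair
    that touched at least `threshold` distinct suspect files inside any sliding
    window of `window_seconds`. A handful of stray files never fires."""
    events = sorted(parse_event(line) for line in lines)
    recent = defaultdict(deque)  # (host, process) -> deque of (ts, path) in window
    alerts = {}
    for ts, host, proc, action, path in events:
        if not is_suspect(action, path):
            continue
        key = (host, proc)
        window = recent[key]
        window.append((ts, path))
        while ts - window[0][0] > timedelta(seconds=window_seconds):
            window.popleft()
        distinct = {p for _, p in window}
        if len(distinct) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts


def sample_log():
    """Constructed log lines for the demo; not real telemetry."""
    base = datetime(2016, 4, 12, 9, 15, 0)
    lines = []
    # Benign background activity: an office suite saving ordinary documents.
    for i in range(10):
        t = base + timedelta(seconds=6 * i)
        lines.append(f"{t.isoformat()} WS-0417 WINWORD.EXE WRITE /users/alice/docs/memo{i}.docx")
    # Burst from a constructed unknown process: 25 files renamed in 25 seconds,
    # then a ransom note dropped.
    for i in range(25):
        t = base + timedelta(seconds=30 + i)
        lines.append(f"{t.isoformat()} WS-0417 upd8r.exe RENAME /users/alice/docs/file{i}.xlsx.locked")
    t = base + timedelta(seconds=56)
    lines.append(f"{t.isoformat()} WS-0417 upd8r.exe WRITE /users/alice/docs/README_DECRYPT.txt")
    # A single stray .locked file on another host must not alert on its own.
    lines.append(f"{base.isoformat()} WS-0201 explorer.exe RENAME /users/bob/old.locked")
    return lines


if __name__ == "__main__":
    for (host, proc), first_seen in detect_bursts(sample_log()).items():
        print(f"ALERT {first_seen.isoformat()} host={host} process={proc}: isolate host")
```

Tune `window_seconds` and `threshold` against your own telemetry: too low a threshold alerts on users who legitimately rename batches of files, too high a one misses a slow encryptor. Counting distinct paths rather than raw events keeps a process that rewrites the same file repeatedly from tripping the detector.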
Note: Information shown on this blog is only for educational purposes.


I hope it will be helpful for you.
Thank you.

by HaCkeROne

1 comment:

  1. Many variations of malware that infect computer systems are typically ransomware. Network security is a must to keep your sensitive information secured. Thank you.

