Ransomware in the IT world can be described as the virtual kidnapping of data in exchange for a ransom. It is malware that restricts users from accessing their own data on a compromised system and demands a ransom to restore access. The recent slew of coordinated ransomware attacks known as WannaCry or WannaCrypt, on various sectors in European countries, has proved to be an effective wake-up call for businesses around the world. WannaCry is encrypting ransomware (a crypto-locker type) written to attack Microsoft Windows systems. The attack infected more than 230,000 computers in 150 countries, including India, demanding ransom payments in bitcoin with ransom notes in 28 languages.
Understanding the landscape of ransomware
Some variants of ransomware encrypt data in such a way that it is impossible to decrypt without the decryption key. These are called 'encrypting ransomware'; they use standard, strong cryptography, so there is no practical way to recover the files by breaking the cipher. Another widely circulated type is 'locker ransomware', which locks the victim out of the operating system, making it impossible to reach the desktop and any apps or files. CryptoLocker, like WannaCry, is malware that, once it is running on a host system, scans the victim's drives for specific file extensions and encrypts those files. In CryptoLocker's case the encryption relies on a 2048-bit RSA key pair generated for each victim, with the private key held only on the attacker's command and control server, so the infected machine never holds what is needed to decrypt. Other categories and families include leakware, mobile ransomware, Reveton, CryptoLocker.F, TorrentLocker and CryptoWall. Their pressure tactics vary: Reveton impersonates law enforcement, while leakware threatens to publish stolen data if the ransom is not paid within the imposed deadline.
Infiltration of ransomware
Typically, ransomware enters through Trojans: malware hidden in legitimate-looking files or attachments that users open on their systems. It could be an attachment in an email sent in the name of a known contact, using a forged or look-alike sender address. Ransomware also frequently arrives over the network, exploiting vulnerabilities in exposed services; WannaCry, for instance, spread from machine to machine through an unpatched flaw in Windows SMBv1 (MS17-010) with no user interaction at all. Once the malware is running on a system, depending on the variant, it might encrypt files, display hoax messages demanding payment, or simply lock the system. To avoid being traced once the crime is committed, attackers favour payment methods such as Bitcoin, wire transfers to bank accounts opened under false names, or online payment vouchers like Ukash.
Surprisingly, the average ransom demand has also risen from about $300 to $700 in the last year. The number of ransomware variants keeps growing, and there is now ransomware for almost every platform and operating system.
Protection from ransomware:
Regular data backup: This lets you restore the last saved copy and minimise data loss. Ransomware also attacks servers and any mapped or mounted storage it can reach, so backups must be kept on a disconnected hard drive or external device that is only attached while the backup runs, taken at a pre-defined regular interval, and periodically test-restored to confirm they are usable.
Prevention: To keep malware out, mail and web gateways should identify and filter attachments by type, blocking executable attachments such as ".exe" and treating ".zip" archives with suspicion, particularly password-protected ones, which scanners cannot open. Suspicious emails should also be filtered at the Exchange level. Some tools detect the entry of such malware with "zero-day" protection features based on threat emulation (detonating the file in a sandbox) and threat extraction (delivering a cleaned copy of the document). Users and businesses should also ensure that Windows displays file extensions, which it hides for known types by default, so that a file named "invoice.pdf.exe" is not shown as "invoice.pdf".
User awareness: Users need to be trained not to open unsolicited attachments. Phishing mail is typically crafted to mimic people the user interacts with regularly, personally or professionally, so a familiar sender name is not a reason to trust an attachment.
Rules in IPS: Create rules in host intrusion prevention or application control software (on Windows, Software Restriction Policies or AppLocker pushed out through Group Policy) that disallow running ".exe" and other executable files from the user's AppData folders (%AppData% and %LocalAppData%, including the Temp folder). That is where mail-borne droppers are written and run from, while legitimate software installs under Program Files; exceptions will be needed for the few applications that install per-user into AppData.
Regular patches and upgrades: To close vulnerabilities in software, regularly update software versions and apply the patches released by vendors. Patches fix known or newly discovered vulnerabilities, and an up-to-date system gives malware, Trojans and ransomware far fewer ways in; WannaCry hit machines that had not applied a fix Microsoft had released two months earlier.
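The attachment filtering described above, as an added worked example that is not from the original article or any product it mentions: a small Python screen that decides on an attachment by its real last extension (the one Windows hides), opens ".zip" archives in memory to look for executables, and refuses password-protected, malformed or deeply nested archives. The extension lists, the verdict names, the depth limit and the sample attachments are constructed assumptions for illustration.

```python
import io
import zipfile
from pathlib import PureWindowsPath

# Example code added to this article, not part of the original text or any
# product mentioned in it. The lists below are assumptions: a real deployment
# would take them from the mail gateway's policy.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jse",
    ".wsf", ".hta", ".ps1", ".msi", ".jar", ".lnk",
}
ARCHIVE_EXTENSIONS = {".zip"}
# Unicode right-to-left override: makes "order<RLO>exe.pdf" display as "orderfdp.exe"
RLO = "\u202e"
MAX_ARCHIVE_DEPTH = 2  # assumed limit: zip-in-zip is allowed once, deeper is refused


def name_verdict(filename: str) -> str:
    """Classify an attachment by name: 'block', 'inspect' or 'allow'.

    Windows hides the final extension of known types by default, so
    invoice.pdf.exe is displayed as invoice.pdf. The decision is therefore
    made on the last suffix, whatever the user would see.
    """
    if RLO in filename:
        return "block"
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    if not suffixes:
        return "allow"
    if suffixes[-1] in EXECUTABLE_EXTENSIONS:
        return "block"
    if suffixes[-1] in ARCHIVE_EXTENSIONS:
        return "inspect"
    return "allow"


def archive_verdict(data: bytes, depth: int = 0) -> str:
    """Open a .zip in memory and apply name_verdict to every entry.

    Password-protected entries cannot be scanned, and attackers use that
    to slip executables past gateways, so they are blocked outright.
    """
    if depth >= MAX_ARCHIVE_DEPTH:
        return "block"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                    return "block"
                verdict = name_verdict(info.filename)
                if verdict == "block":
                    return "block"
                if verdict == "inspect":  # nested archive: look inside it too
                    if archive_verdict(zf.read(info), depth + 1) == "block":
                        return "block"
    except zipfile.BadZipFile:
        return "block"  # claims to be a zip but is not: do not pass it through
    return "allow"


def screen_attachment(filename: str, data: bytes) -> str:
    """Final decision for one attachment: 'block' or 'allow'."""
    verdict = name_verdict(filename)
    if verdict == "inspect":
        return archive_verdict(data)
    return verdict


def make_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples, not real mail traffic.
    samples = {
        "report.pdf": b"%PDF-1.4 ...",
        "invoice.pdf.exe": b"MZ...",
        "photos.zip": make_zip({"holiday.jpg": b"\xff\xd8\xff"}),
        "invoice.zip": make_zip({"invoice.pdf.scr": b"MZ..."}),
        "nested.zip": make_zip({"inner.zip": make_zip({"run.js": b"..."})}),
        "order" + RLO + "exe.pdf": b"MZ...",
        "broken.zip": b"not really a zip",
    }
    for name, data in samples.items():
        print(f"{name!r}: {screen_attachment(name, data)}")
```

Checking the last suffix rather than the first is the whole point: the gateway must decide on what Windows will execute, not on what the user will be shown. The encrypted-entry check relies only on the zip header flag, so it works without knowing the password.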
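The AppData rule expressed as detection logic, as an added example that is not the article's or any vendor's code: Python that reads constructed process-creation events in a made-up one-line format and flags executables started from a user's AppData folders, with a path-prefix allowlist for the few per-user applications that legitimately live there. It goes one step beyond the article's rule by also noting when the parent process is an Office application, which is how a malicious attachment usually drops its payload. The log format, field names, sample events and the allowlist entry are assumptions; the same logic applies to the NewProcessName and ParentProcessName fields of Windows Security event 4688 or Sysmon event 1.

```python
import re
from pathlib import PureWindowsPath

# Example code added to this article, not taken from it or from any product.
# The log line format, field names, sample events and allowlist entry below
# are constructed assumptions.

EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}

# Profile-relative folder that any user can write to and that mail-borne
# droppers run from: %AppData%, %LocalAppData% and %Temp% all live under it.
USER_WRITABLE = ("appdata\\",)

# Assumed exception: a per-user installer that legitimately lives in AppData.
# A production rule would identify such exceptions by signer, not by path.
ALLOWLIST = ("appdata\\local\\microsoft\\teams\\",)

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) parent="(?P<parent>[^"]*)" image="(?P<image>[^"]*)"$'
)


def parse_event(line: str):
    """Return the event fields as a dict, or None for a line in another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def profile_relative(image: str):
    """Lower-cased path relative to C:\\Users\\<account>\\, or None if the
    image is not inside a user profile at all."""
    parts = [p.lower() for p in PureWindowsPath(image).parts]
    # parts: drive, 'users', account name, then the profile-relative path
    if len(parts) < 4 or parts[1] != "users":
        return None
    return "\\".join(parts[3:])


def runs_from_user_writable(image: str) -> bool:
    """True if the image is an executable started from AppData and is not
    covered by an allowlist entry."""
    if PureWindowsPath(image).suffix.lower() not in EXEC_SUFFIXES:
        return False
    rel = profile_relative(image)
    if rel is None or rel.startswith(ALLOWLIST):
        return False
    return rel.startswith(USER_WRITABLE)


def find_alerts(lines):
    """Run the rule over log lines; each alert is (timestamp, user, image, reasons)."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev or not runs_from_user_writable(ev["image"]):
            continue
        reasons = ["executable started from AppData"]
        # Extra signal beyond the article's rule: an Office application
        # launching a program is how a malicious attachment usually drops.
        if PureWindowsPath(ev["parent"]).name.lower() in OFFICE_APPS:
            reasons.append("spawned by an Office application")
        alerts.append((ev["ts"], ev["user"], ev["image"], reasons))
    return alerts


# Constructed sample events, not real telemetry.
SAMPLE_LOG = r"""
2017-05-12T09:14:02Z user=alice parent="C:\Windows\explorer.exe" image="C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
2017-05-12T09:14:31Z user=alice parent="C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" image="C:\Users\alice\AppData\Local\Temp\invoice.pdf.exe"
2017-05-12T09:15:05Z user=bob parent="C:\Windows\explorer.exe" image="C:\Users\bob\AppData\Local\Microsoft\Teams\Update.exe"
2017-05-12T09:16:40Z user=carol parent="C:\Windows\System32\services.exe" image="C:\Windows\System32\svchost.exe"
2017-05-12T09:17:12Z user=carol parent="C:\Users\carol\AppData\Roaming\stage1.exe" image="C:\Users\carol\AppData\Roaming\stage2.exe"
""".strip().splitlines()

if __name__ == "__main__":
    for ts, user, image, reasons in find_alerts(SAMPLE_LOG):
        print(f"{ts} {user}: {image} ({'; '.join(reasons)})")
```

Run on the sample events this flags alice's invoice.pdf.exe (launched by Word) and carol's stage2.exe, and leaves the allowlisted Teams updater alone. The same path test, applied as a deny rule in Software Restriction Policies or AppLocker, is what stops the dropper from running in the first place; the detection version tells you when the preventive rule is missing or has been bypassed.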
Technology is inevitably part of day-to-day life, but it is equally important to stay alert and proactive against the malware that comes with it, in order to safeguard data and systems. Services like penetration testing and vulnerability assessment are among the most important facets of cyber security services: they give customers early detection of vulnerabilities in networks and web/mobile applications, so that they can take proactive and preventive measures to impede cyber attacks before a system is invaded.
The author is Head IT Infrastructure – APAC, TÜV SÜD, a leading testing, inspection, certification and training service provider. Views are personal.