The contemporary security industry is weighed down by the gloom and doom of the ransomware plague. Nevertheless, occasional success stories have inspired industry stakeholders and restored their faith that this World Wide Web epidemic can be overcome.
Without straying far from its basic definition, ransomware is software that cyber criminals use to hold a victim's computer or files hostage, demanding payment to release them. Sadly, ransomware is becoming an increasingly popular way for malware authors to extort money from companies and consumers alike. There are several ways ransomware can get onto a person's machine, but as always, those techniques boil down either to social engineering or to exploiting software vulnerabilities to install silently on the victim's machine.
In a continuously evolving world of technology with many kinds of cyber-attacks, many wonder why there is such a fuss over this one ransomware family. It is mostly because Cryptolocker's authors have been both nimble and persistent. There has been a concerted effort to pump out new variants, keeping pace with changes in protection technology and targeting different groups over time. Crypto-ransomware keeps reinventing itself to get past the various layers of security defenses, and new variants are tested against security vendors' products before release in order to avoid detection. While some families become less active at times, such as Cryptolocker or CTB-Locker, others gain ground, like TeslaCrypt or CryptoWall. Because new variants keep resurfacing, experts advocate more vigilance and proactive defense tactics.
A proactive defense consists of several layers, ranging from basic steps to very technical ones. One of the most basic steps that can defeat ransomware is keeping regular data backups. A user is likely to lose every document saved on the system after a ransomware attack; with an up-to-date backup, however, he or she can simply clean the machine, restore the lost documents and rest easy. Note that Cryptolocker also encrypts files on mapped drives: any external drive such as a USB thumb drive, and any network or cloud file store that the user has assigned a drive letter. The backup regimen therefore needs to target an external drive or backup service that is either not assigned a drive letter or is disconnected whenever a backup is not running, so that the ransomware cannot reach the backup copy as well.
Adding to the first level of defense is re-enabling the display of full file extensions, which makes it easier to spot suspicious files. Cryptolocker is often delivered as a file with a double extension such as 'invoice.PDF.EXE', exploiting Windows' default behaviour of hiding known file extensions so that the name is shown as 'invoice.PDF'. Being able to see the full extension lets the user recognise the executable for what it is before opening it.
Continuing the layered strategy, one can also filter EXEs in email. If the gateway mail scanner can filter attachments by extension, deny mails carrying '.EXE' files, or mails carrying files with two file extensions of which the last one is executable, i.e. EXE. Users who legitimately need to exchange EXE files while the gateway denies them can do so as ZIP files, which may be password protected, or through cloud services, bearing in mind that a password-protected ZIP cannot be scanned at the gateway either, so its contents must be checked on the endpoint.
A proactive defense can also mean preventing executables from running out of the AppData or LocalAppData folders. A user can create rules within Windows (for example Software Restriction Policies) or with intrusion prevention software to block a notable behaviour of Cryptolocker: running its executable from the AppData or LocalAppData folders. If a user has legitimate software known to run from the AppData area rather than the usual Program Files area, it will need to be excluded from this rule. Similarly, if a user does not require RDP, he or she can disable it to protect the machine from Filecoder and other attacks that arrive over Remote Desktop Protocol (RDP), since malware such as Cryptolocker or Filecoder is often planted on target machines through RDP.
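The layers described in the preceding three paragraphs (visible extensions, an attachment filter, a block on executables in AppData, and RDP switched off), put together as one PowerShell hardening script. This is an added example and not code from the article or from Trend Micro. It assumes a Windows client on which Software Restriction Policies are honoured, the registry locations named in the comments, and an illustrative executable-extension list and example vendor path that do not come from the page.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): local hardening for the
# Windows-side layers described above. Registry locations are the documented
# ones for Explorer, Software Restriction Policies (SRP) and Terminal Services;
# the attachment-name check is a hypothetical gateway rule written for illustration.

# Layer 1: show full file extensions so "invoice.pdf.exe" no longer displays as
# "invoice.pdf". HideFileExt = 0 means "do not hide"; it is a per-user setting.
function Show-FileExtensions {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name 'HideFileExt' -Value 0 -Type DWord
}

# Layer 2: the gateway rule from the article as a predicate. Returns a reason
# string when the attachment name should be denied, or $null when it is allowed.
function Test-BlockedAttachmentName {
    param([Parameter(Mandatory)][string]$FileName)
    $executableExts = @('exe', 'scr', 'com', 'pif', 'cpl')   # assumption: illustrative list
    # Drop empty segments so a trailing dot ("notes.exe."), which Windows strips, cannot hide the extension.
    $parts = @($FileName.Trim().ToLowerInvariant().Split('.') | Where-Object { $_ -ne '' })
    if ($parts.Count -lt 2) { return $null }                         # no extension at all
    if ($executableExts -notcontains $parts[-1]) { return $null }    # last extension is not executable
    if ($parts.Count -ge 3) { return "double extension ending in .$($parts[-1])" }
    return "executable attachment .$($parts[-1])"
}

# Layer 3: SRP path rules. Level 0 = Disallowed, 0x40000 = Unrestricted; each rule is a
# GUID-named subkey under that level's Paths key. Path rules accept environment variables,
# and a more specific path rule wins over a less specific one, which is how exclusions work.
function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Disallowed', 'Unrestricted')][string]$Level = 'Disallowed',
        [string]$Description = ''
    )
    $base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $levels = @{ Disallowed = 0; Unrestricted = 0x40000 }
    New-Item -Path $base -Force | Out-Null
    # Default level stays Unrestricted: only the explicit Disallowed rules bite.
    Set-ItemProperty -Path $base -Name 'DefaultLevel'       -Value 0x40000 -Type DWord
    Set-ItemProperty -Path $base -Name 'TransparentEnabled' -Value 1       -Type DWord  # all program files, not only shell-launched ones
    Set-ItemProperty -Path $base -Name 'PolicyScope'        -Value 0       -Type DWord  # all users, including administrators
    $rule = Join-Path $base "$($levels[$Level])\Paths\$([guid]::NewGuid().ToString('B'))"
    New-Item -Path $rule -Force | Out-Null
    Set-ItemProperty -Path $rule -Name 'ItemData'    -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $rule -Name 'SaferFlags'  -Value 0            -Type DWord
    Set-ItemProperty -Path $rule -Name 'Description' -Value $Description -Type String
    return $rule
}

# Layer 4: turn off Remote Desktop when it is not needed: refuse connections at the
# Terminal Services level and close the matching firewall exception.
function Disable-RemoteDesktop {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name 'fDenyTSConnections' -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
}

# Apply the layers. The Unrestricted rule shows how a legitimate AppData-resident program
# (hypothetical vendor path) is carved out; inventory such programs before enabling the deny rules.
Show-FileExtensions
foreach ($p in '%AppData%\*.exe', '%AppData%\*\*.exe', '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe') {
    Add-SrpPathRule -Path $p -Level Disallowed -Description 'Block executables launched from AppData (Cryptolocker drop location)' | Out-Null
}
Add-SrpPathRule -Path '%LocalAppData%\ExampleVendor\Update.exe' -Level Unrestricted -Description 'Hypothetical legitimate updater' | Out-Null
Disable-RemoteDesktop

# Constructed sample attachment names (not real mail): show what the gateway rule would do.
foreach ($name in 'report.pdf', 'invoice.pdf.exe', 'setup.exe', 'photos.zip', 'notes.exe.') {
    $verdict = Test-BlockedAttachmentName $name
    '{0,-16} {1}' -f $name, $(if ($verdict) { "DENY ($verdict)" } else { 'allow' })
}
```

The SRP values written here are the same ones the Software Restriction Policies node in gpedit.msc stores, so the rules can be reviewed and removed from that UI; they take effect after a log-off or reboot. Test the deny rules on a pilot machine first, since per-user installers and updaters that live under AppData will be blocked until an Unrestricted rule like the hypothetical one above is added for them.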
In conclusion, ransomware can be frightening, but many other problems can cause just as much destruction. Protecting against data loss with regular backups is therefore the best practice, together with the proactive defense tactics discussed above. Implementing these layers lets users, or potential victims, get back to their virtual world as soon as possible.
Nilesh is the Country Manager (India and SAARC), Trend Micro