Krebs, FBI Warning Stronger, More Specific Ransomware Attacks On The Way

WASHINGTON–Computer security expert Brian Krebs is warning that ransomware attacks, especially against financial services firms, are going to become even nastier and more specific.

In a ransomware attack, hackers lock users out of their own systems until a ransom is paid.

“What we can expect is not only more targeted and destructive attacks, but also ransom demands that vary based on the attacker’s estimation of the value of the data being held hostage and/or the ability of the victim to pay some approximation of what it might be worth,” Krebs wrote on his blog, KrebsOnSecurity.com.

Krebs pointed to an alert published by the FBI warning of recent ransomware variants that target and compromise vulnerable business servers (rather than individual users) and use them to identify and target other hosts, thereby multiplying the number of potentially infected servers and devices on a network.

“Actors engaging in this targeting strategy are also charging ransoms based on the number of hosts (or servers) infected,” the FBI warning, as reproduced by Krebs, states. “Additionally, recent victims who have been infected with these types of ransomware variants have not been provided the decryption keys for all their files after paying the ransom, and some have been extorted for even more money after payment.”

Krebs said the FBI went on to note the recent technique of targeting host servers and systems “could translate into victims paying more to get their decryption keys, a prolonged recovery time, and the possibility that victims will not obtain full decryption of their files.”

In his blog posting Krebs pointed out that today there are dozens of ransomware strains, most of which are sold on underground forums as crimeware packages — with new families emerging regularly. “These kits typically include a point-and-click software interface for selecting various options that the ransom installer may employ, as well as instructions that tell the malware where to direct the victim to pay the ransom,” he wrote. “Some kits even bundle the HTML code needed to set up the website that users will need to visit to pay and recover their files.”

There is another “coming shift” in ransomware, according to Krebs: more targeted ransom attacks. “For the time being, most ransomware incursions are instead the result of opportunistic malware infections. The first common distribution method is spamming the ransomware installer out to millions of email addresses, disguising it as a legitimate file such as an invoice,” he wrote. “More well-heeled attackers may instead or also choose to spread ransomware using ‘exploit kits,’ a separate crimeware-as-a-service product that is stitched into hacked or malicious websites and lying in wait for someone to visit with a browser that is not up to date with the latest security patches (either for the browser itself or for a myriad of browser plugins like Adobe Flash or Adobe Reader).”

Krebs quoted one analyst as saying that this is likely to change as a result of individual hackers who can’t afford to spend thousands of dollars a month renting exploit kits.

“These guys are going to start more aggressively targeting really data intensive organizations like medical practices and law and architectural firms,” the analyst said.

Krebs noted the FBI has the following tips for companies to protect themselves from ransomware attacks:

  • Regularly back up data and verify the integrity of those backups. Backups are critical in ransomware incidents; if you are infected, backups may be the best way to recover your critical data.
  • Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might include securing backups in the cloud or physically storing them offline. It should be noted, some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real-time, also known as persistent synchronization.
  • Scrutinize links contained in e-mails and do not open attachments included in unsolicited e-mails.
  • Only download software – especially free software – from sites you know and trust. When possible, verify the integrity of the software through a digital signature prior to execution.
  • Ensure application patches for the operating system, software, and firmware are up to date, including Adobe Flash, Java, web browsers, etc.
  • Ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.
  • Disable macro scripts from files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office Suite applications.
  • Implement software restrictions or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers, or compression/decompression programs, including those located in the AppData/LocalAppData folder.

Additional considerations for businesses include the following:

  • Focus on awareness and training. Because end users are often targeted, employees should be made aware of the threat of ransomware, how it is delivered, and trained on information security principles and techniques.
  • Patch all endpoint device operating systems, software, and firmware as vulnerabilities are discovered. This precaution can be made easier through a centralized patch management system.
  • Manage the use of privileged accounts by implementing the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary; they should operate with standard user accounts at all other times.
  • Configure access controls with least privilege in mind. If a user only needs to read specific files, he or she should not have write access to those files, directories, or shares.
  • Use virtualized environments to execute operating system environments or specific programs.
  • Categorize data based on organizational value, and implement physical/logical separation of networks and data for different organizational units. For example, sensitive research or business data should not reside on the same server and/or network segment as an organization’s e-mail environment.
  • Require user interaction for end user applications communicating with websites uncategorized by the network proxy or firewall. Examples include requiring users to type in information or enter a password when the system communicates with an uncategorized website.
  • Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy.
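The first two FBI tips above (back up regularly, verify the integrity of those backups, and keep backups separated from the systems they protect) are the ones most organizations get wrong in practice: a backup that was silently overwritten or encrypted along with the production data is useless at recovery time. The script below is an added example written for this page; it is not code from the article, from Krebs, or from the FBI alert. It builds a SHA-256 manifest of a backup set at backup time, stores that manifest outside the backup tree, and later reports files that are missing, modified in place, or unexpected. All file names and contents are constructed in a temporary directory purely to demonstrate the check.

```python
"""Backup integrity manifest: hash a backup set when it is taken, verify it later.

Added example for this page, not code from the article, Krebs, or the FBI alert.
Illustrates the FBI tips "verify the integrity of those backups" and "secure your
backups": the manifest lives outside the backup tree, and verification reports files
that are missing, modified in place, or unexpected. Every path and file used here is
constructed in a temporary directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large backup archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map every file under backup_root (relative POSIX path) to its SHA-256 and size."""
    entries = {}
    for path in sorted(backup_root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(backup_root).as_posix()
            entries[rel] = {"sha256": sha256_of(path), "size": path.stat().st_size}
    return entries


def write_manifest(manifest: dict, manifest_path: Path) -> None:
    """Persist the manifest; manifest_path should be on separate, write-protected storage."""
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def verify_backup(backup_root: Path, manifest_path: Path) -> dict:
    """Compare the current backup set with the stored manifest.

    Returns {"ok": bool, "missing": [...], "modified": [...], "unexpected": [...]}.
    "modified" catches files encrypted or overwritten in place (hash changed);
    "missing" catches deleted files; "unexpected" catches files that were not part
    of the original backup.
    """
    expected = json.loads(manifest_path.read_text())
    current = build_manifest(backup_root)
    missing = sorted(set(expected) - set(current))
    unexpected = sorted(set(current) - set(expected))
    modified = sorted(
        rel for rel in expected
        if rel in current and current[rel]["sha256"] != expected[rel]["sha256"]
    )
    return {
        "ok": not (missing or modified or unexpected),
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Constructed scenario: take a backup, verify it, then tamper with it and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "docs").mkdir(parents=True)
        # Constructed sample files standing in for a real backup set.
        (backup / "docs" / "ledger.csv").write_bytes(b"date,amount\n2024-01-01,100\n")
        (backup / "docs" / "notes.txt").write_bytes(b"quarterly notes\n")
        (backup / "config.ini").write_bytes(b"[app]\nmode=prod\n")

        # The manifest is stored next to, not inside, the backup tree.
        manifest_path = Path(tmp) / "manifest.json"
        write_manifest(build_manifest(backup), manifest_path)
        clean_result = verify_backup(backup, manifest_path)

        # Simulate damage a compromised host could do to a reachable backup:
        # one file overwritten in place, one deleted, one unexpected file added.
        (backup / "docs" / "ledger.csv").write_bytes(b"CONSTRUCTED-OVERWRITTEN-CONTENT")
        (backup / "config.ini").unlink()
        (backup / "README_RESTORE.txt").write_bytes(b"constructed unexpected file\n")
        tampered_result = verify_backup(backup, manifest_path)

        return {"clean": clean_result, "tampered": tampered_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is that the verification check is only as trustworthy as the manifest's storage: if the manifest sits on the same share as the backups, anything that can rewrite the backups can rewrite the manifest too, which is the same reason the FBI tip above stresses keeping backups disconnected from the systems they protect.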
Copyright Holder: CUToday.info
Copyright Year: 2026
URL: https://cuto-admin.flux5.ccplatform.net/Fresh-Today/Krebs-FBI-Warning-Stronger-More-Specific-Ransomware-Attacks-On-The-Way