Ransomware: 7 Defensive Strategies

Essential Data Protection Steps for Enterprises

To all the victims of the shakedown malware known as Cryptolocker, which forcibly encrypts PCs and demands a ransom to receive the unlock code: You can get your data back.

Security firms FireEye and Fox-IT announced Aug. 6 that they had cracked the Cryptolocker encryption scheme. By uploading a single encrypted file to their Decryptolocker service, which extracts the master encryption key, users will receive back a free tool to decrypt all encrypted files on their hard drive.

That's good news for Cryptolocker victims - FireEye estimates 137,000 PCs remain infected. But despite the recent high-profile disruption of the Cryptolocker campaign, many other types of ransomware remain at large. So it's essential that security managers put a plan in place to defend corporate data - residing on PCs, servers, network shares, smart phones and cloud-based services - against ransomware attacks.

"Ransomware is now one of the fastest growing classes of malicious software," says Fedor Sinitsyn, a senior malware analyst at the security firm Kaspersky Lab. "In the last few years it has evolved from simple screen blockers demanding payments to something far more dangerous."

Ransomware attacks fall into two categories: scareware and lockers. Scareware is a social-engineering attack that displays an official-looking notice of a fine, often for the PC having allegedly been used to view pornographic material. Much more insidious, however, are locking or "encryptor" attacks, which encrypt files, operating system kernels or a master boot record, then throw away the encryption key unless users or businesses quickly pay a ransom.

Here's how organizations can defend themselves against these types of attacks:

1. Don't Rely on Takedowns

Law enforcement agencies have been targeting ransomware networks and their operators, but do not expect these crackdowns to eliminate the threat. For example, one recent, high-profile law enforcement operation - involving the combined efforts of the U.S. Federal Bureau of Investigation, Europol and NCA - managed to disrupt the Gameover Zeus Trojan and Cryptolocker ransomware. The two pieces of malware were being used as a one-two punch by the same gang to first steal financial information from victims' PCs, and then to encrypt their contents and demand a payoff, according to the U.S. Department of Justice. Over a two-month period, Cryptolocker netted $27 million in ransom payments.

But the Cryptolocker disruption campaign demonstrates the limits of such operations. Notably, the malware mastermind behind the operations, named in court documents as Russian Federation resident Evgeniy Bogachev, remains at large, and with a little time and effort, he could easily restart operations. In fact, some security experts see signs that the attackers have already rebooted their operations (see Gameover Zeus Trojan Returns). As of July 31, Aviv Raff, CTO at cloud-based security firm Seculert reports, a new variant of Gameover Zeus had managed to infect at least 10,000 devices.

2. Employ Anti-Malware Tools

Ransomware, as the name implies, is a form of malware, and thus can be blocked on PCs by any anti-virus or anti-malware engine that correctly signature-matches the malicious code. But many related attacks - often launched via phishing e-mails, fake downloads, and malicious URLs - originate with crimeware toolkits, which can exploit any one of a number of vulnerabilities to install malware. Furthermore, by the time any ransomware is detected, an infected PC may already have played host to malware designed to steal financial details, launch distributed denial-of-service attacks or relay spam.

For example, ransomware known as "Critoni," "CTB-Locker" as well as "Onion," which was discovered in June by the malware researcher Kafeine, is being distributed by the Andromeda bot, which first infects PCs with an e-mail worm called Joleee that's designed to send spam e-mails and download further attack code. In recent attacks, one of the files it's downloaded has been the Critoni ransomware.

Similarly, Cryptolocker was being pushed to PCs that were first infected by Gameover Zeus. First, attackers used Zeus to steal financial information from the PC. Later, they encrypted infected hard drives and held them to ransom, thus increasing their profits.

3. Safeguard Android Devices

Beyond PCs, ransomware attackers have also been targeting Android devices. To defend against these types of attacks, ensure employees with Android devices are using anti-malware tools. Many such tools now also include cloud-based backup capabilities, so infected devices can be wiped and restored, which many security experts say is the only reliable way of eliminating infections.

What type of ransomware has been targeting Android? The Svpeng Trojan, for example, is designed to first steal credentials from mobile banking apps, and then to lock the mobile device and demand a ransom. Another piece of ransomware, discovered by Kafeine in May and dubbed Koler, locks the screens of infected Android devices, then demands between $100 and $300 to unlock them.

4. Watch Servers

Beyond PCs and smartphones, a growing number of these attacks target servers, says Carl Herberger, vice president of security solutions at Radware. Some of his firm's customers, in fact, have been targeted by Windows server ransomware, and he says small and medium-sized firms are particularly at risk.

Carl Herberger describes ransomware attacks against servers.

"These are law firms that have had their servers actually totally locked up by ransomware like Cryptolocker, and the entire business was down," Herberger says. "You can imagine a law firm, their business is really file-level transactions to and from servers. ... You lock down those servers, you've locked down their business."

5. Back Up Everything

But any type of Internet-connected device that stores data is potentially at risk from locking attacks. For example, on Aug. 3, the user of a DiskStation network-attached storage appliance from Synology reported suffering a "SynoLocker" ransomware attack that left all contents on the device encrypted, and the administrator GUI inaccessible. "When I open the main page on the webserver, I get a message that SynoLocker has started encrypting my files and that I have to go to a specific address on Tor network to get the files unlocked," the user says in a Synology community forum post. According to a ransom demand posted by another DiskStation-using victim, attackers are demanding a payment of 0.6 bitcoins (about $350) and promise the ransom demand will double if not received in one week.

Synology says it's investigating the attacks, and notes the ransomware appears to be targeting a flaw in some versions of the Synology DiskStation Manager operating system, which the vendor patched in December 2013. So Synology recommends anyone using a vulnerable version of DSM update it immediately.

6. Maintain Offsite Backups

One of the best ways to battle ransomware that locks down servers or other systems is to maintain offsite backups. "Encrypting data is the equivalent of destroying it; the protection against the destruction of data is to make copies," says security consultant William Hugh Murray.

Murray acknowledges that most enterprises already back up corporate data to an offsite location. But he warns that too often, these backups can be directly accessed from the system where the data originated. Many cloud-based services, for example Dropbox, allow access to storage directly from a user's file system.

Instead, Murray says offsite or cloud-based backups must not only be stored offline, but also made to be not directly accessible from the originating system. "If the file system can access the offsite or cloud-based backup, so too can ransomware," Murray says.

7. Don't Expect Boy Scouts

Don't expect to recover encrypted data without paying a ransom, because rapidly advancing ransomware is making reverse-engineering the attacks much more difficult. With Critoni, attackers are even obscuring their command-and-control activities by tapping The Onion Network, a.k.a. Tor. The developers have also used an unusual cryptographic scheme, which "makes file decryption impossible, even if traffic is intercepted between the Trojan and the server," says Sinitsyn at Kaspersky Lab.

But paying a ransom demand and getting in return a working decryption key relies on trusting one's attackers, says Eduardo Altares, a research engineer at security vendor Trend Micro, in a blog post. "While it might be tempting to pay the ransom for encrypted files, there is no guarantee that the cybercriminals will decrypt the ransomed files."

Indeed, ransomware payoffs are a chance to test first hand whether there's honor among thieves, says Brian Foster, CTO of threat-detection firm Damballa. "Of course you're not talking about Boy Scouts here."

That's just one more reason it pays to prepare ransomware defenses in advance of being attacked.