TASB Risk Management Fund

Security Alert: Ransomware Attacks on the Rise

June 14, 2016 Cristina R. Blanton

FBI warning

The FBI recently published a Flash alert regarding new, more dangerous ransomware attacks. Previous ransomware attacks have relied on a user clicking on a phishing e-mail or an infected website, or downloading malicious software. The ransomware would then infect individual machines and the shared resources to which that user had access. Traditionally, such attacks were most common against healthcare businesses; however, as of late they have also been found in financial institutions and education institutions.

Experts from the Beazley Breach Response team describe the new ransomware attacks:

In this new form of attack, criminals employ penetration testing tools to target entire networks using a strain of ransomware known as MSIL/Samas.A or SamSam. The criminals scan for vulnerabilities in JBoss application servers, Java-based web servers, with the publicly available tool JexBoss. If they find a vulnerability, they download an exploit to infect the server. With this foothold established, they look for attached hosts, move laterally through the network, and encrypt those systems. Additional functionality looks for backup files, stops backup processes, and deletes the backup files. – Beazley Security Alert, April 1, 2016.

What is ransomware?

Ransomware is a form of malware or malicious software. It seeks out files on your computer and locks them to make them inaccessible to you. Cybercriminals demand money — a ransom — to unlock your files. Some kinds of ransomware do that by encrypting the files. When you try to open the encrypted files, a warning pops up, demanding a ransom in return for a decryption code or key.

Most often, the files targeted by ransomware are photos, videos and business records like spreadsheets, documents and presentations — anything likely to be valuable to a person, family or business.

Addressing an attack 

A computer is typically infected with malware such as ransomware when you open an attachment to an e-mail or download software or apps. Such e-mails and software can appear legitimate enough to fool many users. A ransomware attack must be addressed quickly and diligently to prevent further spread of the attack to additional critical servers of the education institution.

You can’t remove the malware without destroying the infected files. If you have those files externally backed up, you or a computer technician can remove the files and the malware, and reinstall uninfected files from the backup. Of course, you shouldn't connect your external backup to your computer until the malware has been removed, or it could become infected too.

Below are some additional best practices from industry experts on responding to a ransomware attack:

  • Disconnect infected machines from the network (wired and wireless) as soon as possible.
  • Evaluate the extent of the infection, attempt to identify the ransomware variant, and determine whether the infected machine was connected to shared or unshared network drives, external hard drives, USB drives, or cloud-based storage. You may also want to check for a registry entry or file listing created by the ransomware.
  • Clean the ransomware from impacted systems (a variety of free and paid disinfection tools exist for this purpose) and reinstall the operating system. Do your own due diligence on the tools you use. Some recommended vendors for these tools are BitDefender, Kaspersky Labs, Norton/Symantec, and Trend Micro.
  • Restore from a reliable backup. A well-thought-out backup and restoration plan is one of the most important countermeasures against ransomware.

Should we pay the ransom?

There is no one-size-fits-all answer to this question. Some affected organizations do make the business decision to pay the ransom, but many factors go into such a decision. One main factor is whether a readily available backup that has not been infected exists. In addition to considering industry experts' thoughts on the issue, it is important that the affected organization seek guidance from its local counsel as well.

Below are some pros and cons from industry experts on determining whether to pay the ransom:

  • You may become a bigger target. As the saying goes: Do not feed the trolls – otherwise, they'll keep making provocative statements to get a reaction. Ransomware is a little like that. Paying the ransom simply encourages the attackers. Criminals talk; they will tell others who paid the ransom and who didn't. Another danger looms: the same attackers can come back. Since you paid once, why not again?
  • You can't trust criminals. Relying on criminals to keep their word is a risky endeavor. It seems like a simple exchange – money for a decryption key – but there's no way to tell whether the ransomware gang can be trusted to hold up their half of the bargain. Many victims have paid the ransom and failed to regain access to their files. This cuts both ways: why pay up if you don't expect to get your data back? Reputation matters, even in the criminal world.
  • Your next ransom will be higher. Extortionists typically don't ask for exorbitant amounts; the average ransom ranges from $300 to $1,000. But as more organizations succumb, criminals feel confident enough to raise prices. It's hard to put a market price on data when the victims really, really need to get their files back.
  • You encourage the criminals. Take the long-term view. Paying the ransom restores the data for the organization, but that money will undoubtedly fund additional criminal activity. Attackers have more money to spend on developing more advanced versions of ransomware and more sophisticated delivery mechanisms. Many cyber-crime gangs operate like legitimate companies, with multiple revenue streams and different product lines. The money from ransomware schemes can be used to fund other attack campaigns.
  • Many wind up paying because they need their files back. When ransomware hits all the case files at a police department, for example, there's no time to wait for someone to try to break the encryption and recover the files. When active investigations are pending, restoring from backups may take too long. Set aside the should-haves and could-haves – if the organization did not have a sufficiently robust backup strategy in place to restore the files (or the backups got corrupted, too), preaching about the importance of prevention is extremely unhelpful.
  • Many victims may also decide to pay out of fear that if they don't, the attacker will cause more damage in retaliation.

Practice Prevention

If you pay the ransom, the cybercriminal provides a decryption code, which triggers the decryption process. That can take days or weeks. Once files are decrypted, you'll be able to access them again. After the immediate attack has been addressed, the entity begins the process of recovering files, rebuilding networks, and, most importantly, learning from the experience.

Below are some helpful prevention tips to help stop an attack before it happens:

  • As with anything else, ensure you have virus protection and that it is up to date. Missing even one daily update can make you vulnerable, because the malware keeps changing. Don't open attachments or download software (often free programs or games for your computer or phone) that you can't be sure are safe. It's also a good idea to back up all your files on a hard drive that is not connected to your computer, so that you have a clean and accessible copy of your files if your computer does become infected.
  • Regularly train employees to avoid phishing attempts. Periodically test employees through simulated phishing campaigns, monitor the effect on response rates, and consider a formal sanctions policy (after consultation with HR and your legal counsel) for repeat offenders.
  • Make sure you have logging turned on for all your systems. Turn on logging for SQL systems, firewalls, desktop support, and the intrusion prevention system. Good logs will be critical for the investigation of any potential attack. Hackers can disable logs, but if all the logs are enabled it's unlikely that they will disable all of them.
  • Always have redundant backups. The rule of thumb is to have three backups: one at your data center, one at another location, and one in the cloud offsite. However you decide to arrange backups, have the backup drives connect to the network only while you are running the backups. While there's still a chance the system can get corrupted, the goal is to reduce your exposure to potential attacks.
  • Remember that critical data storage typically needs to be recovered within an hour – 24 hours at the most – in the case of catastrophic compromise and restoration from off-site backups. Much like running building evacuation fire drills, IT departments need to practice recovering their data so they can be efficient and meet business service-level agreements.
  • Make sure you protect your most valuable assets. Encryption is one solution, but remember that if the hackers gain access to your decryption keys, it's game over. A best practice is not to store the decryption keys on the encrypted database. For example, if all your customer databases are encrypted, don't store the decryption keys on those databases.
  • Enable automated patches for your operating system and web browser. Robust network segmentation can often reduce the impact of ransomware.

Please Note: This material is provided as an awareness to TASB Risk Management Fund Members of a concerning issue affecting education institutions. This publication should not be interpreted as an affirmation of coverage for ransomware attacks. All coverage questions and determinations will be made on a case-by-case basis dependent on the facts.

Below are some additional resources on ransomware attacks: 
