Archives for February 2015

Michael Wright

There is a wave of collection agencies and law firms that recently became victims of ransomware, and the numbers are only growing. Consumers and companies of all types are vulnerable. Last night, NBC Nightly News even ran a segment on the issue.

The ARM industry needs to know what ransomware is and how to effectively protect vulnerable systems.

What is Ransomware?

Ransomware generally comes in two categories. Either it holds your data ransom by preventing your access to your files, documents, photos, and other personal information on your computer, or it holds your entire computer system ransom by preventing you from even using your computer. In either case, a ransom must be paid to the cybercriminal before you will be allowed to access your data or system.

Although ransomware has been around since 1989, it’s recently become a lucrative a cash cow for cybercriminals. Because its primary goal is to generate revenue for cybercriminals, ransomware often makes use of sophisticated (and very effective!) techniques to exploit vulnerable systems. Cryptowall 2.0 is the current Cadillac of the ransomware world. It makes use of a slew of techniques (known in the InfoSec industry as “attack vectors”) to take over computer systems – though most commonly via the following:

• Malicious e-mail attachments
• Malicious web sites (or legitimate web sites that have been hacked to secretly load malicious code onto unsuspecting visitors)
• Malvertising (malicious advertisements on legitimate web sites)

Why should you care?

Ransomware like Cryptowall encrypts files on your computer and also encrypts files that you have access to. This may include files on your network drives, including your Quickbooks file, financial spreadsheets, and word documents. Once those files are encrypted, you have only two options:

1. Pay the ransom (and hope that access to your files will actually be restored).
2. Restore your files from the most recent backup (when is the last time you tested your backups for all of your important files?).

Regardless of which option you go with, you will have to deal with the aftermath of a data breach, if any files containing consumer data may have been accessed by the hackers – potentially including data breach notifications, costly computer forensics consultants, and fines from anyone from a credit card company (if payment card data was breached) to the U.S. Department of Health & Human Services (if medical data was breached).

My company has a firewall. We use anti-virus software. They protect my business against these miscreants. Right?!?

In many cases, no, it doesn’t. Most firewalls do not protect against malicious e-mail attachments or malicious web sites. Your computer may have anti-virus software installed, but as The Wall Street Journal reported in mid-2014, anti-virus software “is dead” and “now catches just 45% of cyberattacks.” Information security professionals have known for years how trivial it has become to evade anti-virus software in targeted attacks (one of the hallmarks of the “advanced persistent threats” that people love to talk about nowadays is the ability to escape detection for an extended period of time).

Ransomware is typically loaded onto a system via what is known as “client-side attacks.” In a nutshell, this just means that the hackers are able to break into your computer system by exploiting vulnerabilities on your personal computer during normal activities that your firewall is normally configured to permit, such as web browsing.

A common scenario is as follows:

While at the office on your workstation, you visit a popular web site (say, a Super Bowl-related web site). The website (or an advertisement on the web site) have been hacked with a tool that will attempt to exploit software on your workstation that has not been recently patched. This could be Adobe Acrobat Reader, Java, or even the Windows operating system. If successful, the malicious code now has access to your computer and data files. It can do anything from install a keylogger to gain access to your passwords, to encrypting all of the files that you have access to and forcing you to pay that ransom (or restore from backups… assuming the files on your computer are actually backed up).

In 2007, this actually happened to the web site of Dolphin Stadium (which hosted Super Bowl XLI)!

What can I do to protect against it?

There are a number of things that can be done to protect your business from these threats.

First, you can reduce the likelihood of these threats infecting your business. The philosophy that information security professionals recommend is known as “Defense-in-Depth.” None of these recommendations will completely stop malware in its tracks, but the combination of all of them is often enough to do the trick. At the bottom of the list is a checklist you can provide to your IT department to ensure that your business is protecting itself from the threat of ransomware and other malware (be warned: the checklist gets a little technical).

Turn on all of the extra capabilities on your anti-virus software.

Although its true usefulness is limited, an up-to-date and active anti-virus software is still a basic necessity. Most anti-virus suites contain additional features that provide increased protection (sometimes at the risk of quarantining potentially benign files and programs). These features are often “opt-in” and are disabled by default – but if enabled can potentially stop threats that have no known “signature.”

Tighten your firewall configurations.

It is likely that your firewall prevents unauthorized traffic inbound from the Internet. However, it is equally likely that your firewall is not preventing potentially unauthorized outbound traffic to the Internet. Ransomware typically depends on communicating with Command-and-Control servers to encrypt and potentially upload your data to their servers, and many business IT departments leave their firewalls in the default “allow all outbound traffic” configuration, so as to not potentially negatively impact any business processes. Firewalls that block all outbound traffic except for those protocols specifically required for business may prevent infected systems from phoning home.

Most modern firewalls include what is known as Intrusion Prevention Systems (IPS for short). Basically an anti-virus for firewalls, this software functions by inspecting network traffic for known threats. They are usually licensed for anywhere from one to three years – and must be renewed to update their signatures. Many organizations miss this simple step and open themselves up to ransomware and other malware that might otherwise be detected and blocked at the network’s perimeter.

Limit system administrative and data access.

Do you have the ability to install software on your own computer without having to use a separate user account or password? If so, then when you come across a piece of ransomware, it will also have that same level of access! A company that limits the access of its end users will experience far fewer successful malware infections, because the malware may not be able to install itself in a limited access environment.

On a related note, how many employees have access to your network shares? Do they have read-only, or write access? If any one of those employees are hit with ransomware, your entire network share may be encrypted and ransomed. It may be a headache for the IT department, but organizations with network shares properly locked down to individuals with a job-related need may experience a much more limited infection should ransomware gain a foothold on the network.

Patch those laptops and workstations.

Most businesses have a solid process to perform Windows Updates on its servers and workstations. But it is common to have no process in place to patch other software, such as Adobe Acrobat Reader, Flash Player, and Java – all favorite targets by cybercriminals. Laptops used by sales people and executive management are traditionally notoriously difficult for IT departments to effectively patch and otherwise manage, but these systems often have either client or consumer data on them, or access critical business files (both prime targets for ransomware).

Test your backups.

If ransomware gets past all of your defenses and encrypts your data, the best option is often to clean up the infection and then restore your data from backups. Most businesses back up their servers and network shares on a regular basis, but many do not back up end user workstations and laptops. Annual testing your disaster recovery plans using realistic scenarios (such as a Cryptowall 2.0 infection) goes a long way to being prepared for responding to an infection.

Top 10 Checklist for Protection from Ransomware:

☐ Anti-virus software is deployed to all workstations and servers

☐ Anti-virus software is configured for real-time protection

☐ The “bells and whistles” are all enabled (e.g., HIPS, application control, heuristics, e-mail scanning, reputation-based protection, etc.)

☐ Someone is responsible for reviewing anti-virus alerts and responding to them

☐ The firewall is configured to block all outbound ports & protocols, except for those specifically required for business

☐ The IPS signatures are up-to-date and there is an active maintenance agreement in place to maintain signature updates

☐ End users do not have administrative access to their workstations or laptops

☐ Network shares are locked down to role-based access and individuals with a job-related need

☐ There is a process in place to ensure (and verify) that all software and operating systems are patched, including mobile code such as Flash, Java, and Adobe Acrobat Reader

☐ Backups of critical business files are tested on a regular basis

As Chief Security Officer, Michael Wright manages TECH LOCK’s Security & Compliance practice with a decade of experience in information security management, systems engineering and architecture, storage engineering, network administration, and security engineering and architecture. At TECH LOCK, Michael leads a team of talented staff specializing in penetration testing, vulnerability assessments, assessing organizations against compliance standards such as PCI DSS, FISMA, HIPAA, HITRUST, ISO 27000-series, and more.

This information is not intended to be legal advice or security consulting services and may not be used as legal advice or data security consulting. Legal advice and Data Security Consulting must be tailored to the specific circumstances of each case or company.

Every effort has been made to assure this information is up-to-date. It is not intended to be a full and exhaustive explanation of the law in any area or a full exhaustive preventive checklist.

Any opinions expressed are the opinions of the speaker and not their organization.