Ransomware, oh the joys it brings.

Ransomware has been on an upward trend, notably so in Quarters 3 and 4 of 2016. The main delivery vector shifted from phishing links (down 50%, source: Proofpoint) to RDP. According to Webroot, two thirds (66%) of ransomware infections in Q1 2017 were delivered via RDP.

For those who are unfamiliar with the term, ransomware can be summarised as:

Ransomware is a type of malicious software that blocks access to the victim’s data or threatens to publish or delete it until a ransom is paid.

Source: Ransomware – Wikipedia

More formally, ransomware is categorised as a form of cryptoviral extortion; it is an act of cryptovirology. Moti Yung published his findings on cryptoviral extortion (cited entries can be read here), where the process was broken down into 3 key phases:

  1. [attacker→victim] The attacker generates a key pair and places the corresponding public key in the malware. The malware is released.
  2. [victim→attacker] To carry out the cryptoviral extortion attack, the malware generates a random symmetric key and encrypts the victim’s data with it. It uses the public key in the malware to encrypt the symmetric key. This is known as hybrid encryption and it results in a small asymmetric ciphertext as well as the symmetric ciphertext of the victim’s data. It zeroizes the symmetric key and the original plaintext data to prevent recovery. It puts up a message to the user that includes the asymmetric ciphertext and how to pay the ransom. The victim sends the asymmetric ciphertext and e-money to the attacker.
  3. [attacker→victim] The attacker receives the payment, deciphers the asymmetric ciphertext with his private key, and sends the symmetric key to the victim. The victim deciphers the encrypted data with the needed symmetric key thereby completing the cryptovirology attack. The symmetric key is randomly generated and will not assist other victims. At no point is the attacker’s private key exposed to victims and the victim need only send a very small ciphertext to the attacker (the asymmetric ciphertext).
Looking at the latest WannaCry breakout, the process can be defined as the following 5 steps:

Trend Micro – WannaCry Blog Post

The process adopted here follows Moti Yung’s model, whilst also leveraging SMB faults to spread through networks.

Further investigation on this fault will be documented at a later stage.

On a side note, WannaKey? This tool may help recover WannaCry files.

The Effects on Business

EaseUS conducted a report on the leading causes of ransomware infections for both home and work users, and there are a number of figures I’d like to point out:

  • 1% was “Lack Of Security” – I would like to read into this and get a better understanding of their view of this;
  • 46% Spam/Phishing Emails – a large proportion of infections (call it “an attack vector”) came from the same mode of communication; and
  • 36% was caused by a lack of employee training.

Source: EaseUS

Findings will differ from report to report (as the user pool varies); however, another report from reputable sources indicates that IT departments (the IT “Pros”, as they are labelled) believe their own users account for 30% of all risks to a business. That’s only 5% less than the current ransomware figures:

What’s the bottom line in all this, Michael?

Well, we could tell you that the price per crypto attack rose substantially in 2016 (366% in some cases) due to the vulnerabilities, as cited in Symantec’s report:

The average cost of ransomware rose from $373 in 2014 and $294 in 2015 to $1,077 in 2016.

For home users and companies who risked paying to recover their files, there was a high chance their data would not be returned to them, according to Kaspersky:

20% (1 in 5) of businesses that paid the ransom never recovered their files.

Lastly, for users and companies who were hit by crypto, Infomedia concluded that the average wait time to retrieve backups was more than 1 business day:

72% of infected businesses lost data for greater than 2 days.

What are we meant to do!?

I am no security expert, but I can suggest a few methods to help mitigate (not eliminate) the threats of cryptovirology attacks.

Ensure you are running a current anti-virus (preferred solutions include additional components such as a firewall and real-time scanning)

Shop around for anti-virus solutions. There is no out-of-the-box foolproof solution to protect you from all threats; however, AVG, Avast! and Kaspersky scored the highest in the real-world tests performed below:

Ensure you have an effective (and frequent) backup solution for all your personal data

I cannot stress this enough. Effective backups are important. There are a number of freeware options out there that do the trick; Cobian, dSyncronize and RoboCopy will all work, although the websites seem real bad…

We will touch more on backups in another post.

Restrict your user account to a standard user rather than an administrator

Perform all your administrative functions on another account, one that does not need to use USB drives or browse the internet. Have the installers downloaded (and scanned for malware) and ready to run as an admin (heck, use the Runas command from the other account if you want).

Restricting the account you surf the net and download things with limits what malware can do if it runs under that account.

Ensure Windows Updates are current

Woulda’ saved you from WannaCry. Okay, I joke; but security patches from Windows are a necessity, given that they ship an operating system riddled with back doors. Pretty self-explanatory.
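A quick way to check the Windows-side items above (everyday account privilege, RDP exposure, the SMBv1 protocol WannaCry spread through, patch recency and real-time scanning) is the read-only audit below. It is an added example, not code from the original post; it assumes Windows 8/10 or later, an elevated prompt for the feature query, and Windows Defender for the anti-virus status (other products expose their own status cmdlets).

```powershell
# Added example (not from the original post): a read-only audit of the
# Windows items above. Run in an elevated PowerShell on Windows 8/10 or
# later; it reports, it does not change anything.
function Get-RansomwareExposure {
    # 1. The everyday account should NOT be an administrator.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $pr = New-Object Security.Principal.WindowsPrincipal($id)
    $isAdmin = $pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # 2. RDP: the delivery channel behind two thirds of the Q1 2017 infections cited above.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)

    # 3. SMBv1: the protocol whose fault WannaCry used to spread
    #    (desktop feature name; on Windows Server use Get-WindowsFeature FS-SMB1).
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $smb1Installed = ($smb1 -and $smb1.State -eq 'Enabled')

    # 4. Patch freshness: days since the newest installed hotfix.
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $patchAgeDays = if ($latest) { [int]((Get-Date) - $latest.InstalledOn).TotalDays } else { $null }

    # 5. Real-time scanning. Assumes Windows Defender; $null means the cmdlet was unavailable.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $realTime = if ($mp) { $mp.RealTimeProtectionEnabled } else { $null }

    [pscustomobject]@{
        RunningAsAdmin      = $isAdmin
        RdpEnabled          = $rdpEnabled
        Smb1Installed       = $smb1Installed
        DaysSinceLastHotfix = $patchAgeDays
        RealTimeAvEnabled   = $realTime
    }
}

$r = Get-RansomwareExposure
$r | Format-List

# Flag the findings that the advice above says to fix.
if ($r.RunningAsAdmin) { Write-Warning 'Everyday account is an administrator; use a standard user and Runas for admin tasks.' }
if ($r.RdpEnabled)     { Write-Warning 'RDP is enabled; disable it or restrict it to a VPN / allow-list.' }
if ($r.Smb1Installed)  { Write-Warning 'SMBv1 is installed; remove it: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol' }
if ($r.DaysSinceLastHotfix -gt 30)   { Write-Warning 'No hotfix installed in the last 30 days; run Windows Update.' }
if ($r.RealTimeAvEnabled -eq $false) { Write-Warning 'Real-time scanning is switched off.' }
```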

Be vigilant when clicking on advertisements, or applications downloaded from websites

Avoid chat websites and torrent websites at all costs. Those things are riddled with malware and other nasty critters.

Convert to a Linux Environment and live happily ever after

Not so much a joke now; Linux is mainstream! Well, sort of. If you’re a basic PC user, that is, YouTube and browser orientated, there is no reason why a secure Linux distribution would not work for you. Think about this the next time your PC gets infected with a nasty bug.

As always, please contact the Author if you find any incorrect information, or if you have topics you’d like covered:

 

4 Comments

  1. Pingback: Backups and Me Don’t Mesh. Here’s why. | Nanky

  2. I probably don’t have the best specs but my game usually lags like hell on the campaign map, like 8 fps tops, while in battle it usually runs higher. But I still encounter crashes of the game for no reason, while other games run really smoothly.

  3. Pingback: EncFS; easy, fast and reliable? |
