Old wine in new bottles

Viruses spread through e-mail and websites have once again become a major headache for IT professionals. Until a few years ago the threat was a thing of the past, kept in check with simple measures; now it is back at the top of the priority list, with major attacks having a huge impact worldwide. With a growing number of cases, increasing frequency and a greater focus on SMBs, the threat of crypto viruses is real and deserves maximum attention.

Over the past 2 years, the IT systems engineers of Mica IT have had to intervene 10 times at companies that were heavily infected with this so-called 'ransomware'. Each case was brought to a good end, but the scare is fresh in everyone's mind, and the topic deserves more attention from all IT professionals.

Crypto-what...?

WannaCry, CryptoLockers, Cryptoviruses, Reveton, RSA4096, they are all examples of a virus family called Ransomware.

What do they do? They rapidly and imperceptibly encrypt all the files that matter to people. Photos, Word files, accounting data and those beautiful Excel pivot tables you just spent hours on? Encrypted. The files are locked, and instructions are left on how to transfer a "ransom" to have them unlocked.

This "ransom" is demanded in the form of Bitcoins, a digital currency that has gained considerable popularity in recent years and is virtually anonymous, so the hostage taker remains unknown. Paying the ransom means first buying Bitcoins, in exchange for your hard-earned euros, of course.

After the Bitcoins have been deposited in a digital wallet, they must be transferred to the "hostage taker". In return, one receives the so-called decryption key and a program with which to decrypt the files.

In 2016 the average demand was 7 BTC; at the exchange rate at the time of writing that is €2,940 (more than €7,500 as of 05-2017). The current WannaCry attack demands about €250 per server or workstation, on top of many hours of a company's valuable time and possibly the man-hour cost of the IT professional hired to assist.

Delays and huge costs are thus the woes that accompany an infection.

IT professionals consider ransomware one of the biggest threats of the past 10 years. (Ordinary) viruses and spam have in fact been under control for years, provided a company takes adequate measures, but this problem is far from under control. People speak of a "game changer".

Wolf in sheep's clothing

Ransomware is revamped at a tremendous rate to stay one step ahead of anti-virus makers, so virus scanners usually do not even report that anything odd is going on. There are a few ways this "wolf" sneaks in.


Almost all infections start when an e-mail arrives in one of an organization's mailboxes. Unlike in years past, these are written in neat Dutch sentences, often with a plausible message that catches someone in a moment of inattention.

One method is an e-mail supposedly from PostNL, telling the "dear sir or madam" that a package is on its way and that clicking the link below will show its route via a tracking code. Hard to resist, right?

Another way is an attachment that at first glance appears to be a neat little .PDF document. After all, an e-mail from KPN containing this month's invoice is nothing unusual, and since many mail clients show only part of the attachment's name, masking a virus is a breeze.

Such attachments are sent with an odd name containing a long run of spaces, for example "Your invoice 134123.pdf .exe", which looks like a .PDF file but is in reality an .EXE file. One click and the infection is a fact.

After an infection, the user notices little at first. That changes when someone tries to open a .DOCX file and discovers to his or her horror that the file appears to be broken. In the folder containing the original file, a .TXT file has also appeared with instructions, sometimes even with links to YouTube videos(!), on how to transfer 7 BTC to the crooks' guild.

"Oh well, only those weird Windows users suffer from that"

Well, no... With the growing use of OS X, Apple's operating system, and of Linux, these users have also become targets of ransomware. One of the most telling and well-known examples is KeRanger, which was distributed through an official BitTorrent download client:

http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/

http://betanews.com/2015/11/09/linux-users-targeted-by-new-linux-encoder-1-encryption-ransomware/

Because ransomware is very lucrative, no one appears to be safe. Not only Windows, OS X and Linux systems are vulnerable; mobile phones are also increasingly becoming targets of this dirty method of extortion.

So as a user, stay alert to these attempts and delete every e-mail that does not look familiar. Immediately and without hesitation.

What can I do (or have done)?

The creators of viruses and spam are in a permanent cat-and-mouse game with the makers of the software that fights such "junk". A new virus appears, and it takes several days before the cure is created and distributed. An IT environment is only 100% safe if you pull the plug; ruling infection out completely is impossible.

But erecting as many barriers as possible is always wise, of course, and even if one of them is torn down, the impact on the IT network can still be limited.

With these 7 points, an IT professional limits the risk of infection, spread and impact:

  • Train employees. Awareness is key!
    Keep warning people not to fall for phishing e-mails. If they do not recognise a message, they should delete it, and report any mistake.
  • Make backups!
    No, really: make very good backups on qualified media kept offline. Make these backups daily and keep them for at least 1 week. Preferably use cloud backup solutions, because they provide the most certainty.
  • Good anti-virus and anti-spam gateways for the mail server(s)
    Catch junk at the door and let as little as possible reach people, because the risk is even higher there.
  • Patch and update all programs and operating systems
    Implement good policies to keep all operating systems up to date and secure. Do not get caught out by problems that have been known for months.
  • Limit people's write permissions
    Do not give people more permissions on the network than necessary. Should a machine be infected, the malware grabs around wildly, but only at files it has write permission on.
  • Filter and ban all .EXE files on the mail server
    Regardless of legitimacy, delete all .EXE files mailed to your organisation.
  • Disable running files from the 'AppData' or 'LocalAppData' folders
    Not all but many CryptoLockers run from these directories. Windows Active Directory can distribute these settings to users and workstations.
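As an added example (not the original post's or Mica IT's own code), the Python check below shows how a mail-gateway filter can apply the .EXE ban from the list above to the space-padded double-extension trick described earlier ("Your invoice 134123.pdf .exe"): it first reduces the attachment name to what Windows would actually use as the file type, then blocks anything executable regardless of the lure extension in front of it. The extension lists, the Verdict type and the sample attachment names are my own constructions.

```python
import re
import unicodedata
from dataclasses import dataclass

# Extensions Windows runs on double-click (constructed, deliberately non-exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "wsf", "hta", "msi"}
# Harmless-looking extensions commonly placed in front of the real one as a lure.
LURE_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

@dataclass
class Verdict:
    blocked: bool
    real_ext: str
    reason: str

def normalize_name(filename: str) -> str:
    """Reduce an attachment name to what Windows will actually see as the file type."""
    # Fold look-alike characters (e.g. fullwidth letters) to their plain ASCII form.
    name = unicodedata.normalize("NFKC", filename)
    # Drop control and invisible formatting characters, which a mail client may not render.
    name = "".join(ch for ch in name if not unicodedata.category(ch).startswith("C"))
    # Windows ignores trailing dots and spaces when resolving the file type.
    return name.rstrip(" .")

def classify_attachment(filename: str) -> Verdict:
    """Block executables whatever lure extension is shown in front of them."""
    clean = normalize_name(filename).lower()
    # The extension after the LAST dot decides what Windows runs, not the one the user sees.
    stem, dot, real_ext = clean.rpartition(".")
    if not dot:
        return Verdict(False, "", "no extension")
    real_ext = real_ext.strip()
    if real_ext not in EXECUTABLE_EXTS:
        return Verdict(False, real_ext, "not an executable type")
    # Did a document extension, padded with spaces, hide the real one?
    lure = re.search(r"\.([a-z0-9]+)\s*$", stem)
    if lure and lure.group(1) in LURE_EXTS:
        return Verdict(True, real_ext, f"executable .{real_ext} disguised as .{lure.group(1)}")
    return Verdict(True, real_ext, f"executable attachment .{real_ext}")

def blocked_attachments(names):
    """Return the attachment names a gateway should drop, each with its reason."""
    return [(n, classify_attachment(n).reason) for n in names if classify_attachment(n).blocked]

# Constructed sample attachment names, including the space-padded trick from the text.
SAMPLE_ATTACHMENTS = [
    "Your invoice 134123.pdf                .exe",
    "Factuur mei 2017.pdf",
    "foto.jpg\u200b.scr",
    "setup.EXE",
    "notes",
]

if __name__ == "__main__":
    for name, reason in blocked_attachments(SAMPLE_ATTACHMENTS):
        print(f"BLOCK {name!r}: {reason}")
```

Running the block prints the three names that would be dropped; a filter that only looks at the first extension the client displays would have let the first and third through.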

UPDATE: 08-2019

This blog post originally dates from 2016. The problem it describes, however, has become no less relevant just under 3 years later.

Just recently, the ICT infrastructure of the House of Representatives was hit by ransomware, and last month it became clear that NAS systems have now become explicit targets of file-encrypting software.

Discuss this topic with your IT administrator, perhaps together with the general security of your IT environment, but certainly whether you are adequately protected against these crypto threats.