Beware of Ransomware

Beware of ransomware :

Security experts are bracing for more fallout from Friday’s worldwide Wanna Cry ransomware attack, which has so far affected more than 150 countries and major businesses and organizations, including FedEx, Renault and Britain’s National Health Service. But if you’re just hearing about this attack – or waking up to an unresponsive computer of your own – here’s what you need to understand about what law enforcement officials have called the biggest such attack in history.

What is ransomware?

Ransomware is a sophisticated piece of malware that blocks the victim’s access to his/her files, and the only way to regain access to the files is to pay a ransom.

There are two types of ransomware in circulation:

Encryptors, which incorporates advanced encryption algorithms. It’s designed to block system files and demand payment to provide the victim with the key that can decrypt the blocked content. Examples include CrypoLocker, Locky, CryptoWall and more.
Lockers, which locks the victim out of the operating system, making it impossible to access the desktop and any apps or files. The files are not encrypted in this case, but the attackers still ask for a ransom to unlock the infected computer. Examples include the police-themed ransomware or Winlocker.

Some locker versions infect the Master Boot Record (MBR). The MBR is the section of a PC’s hard drive which enables the operating system to boot up. When MBR ransomware strikes, the boot process can’t complete as usual and prompts a ransom note to be displayed on the screen. Examples include Satana and Petya families.

Crypto-ransomware, as encryptors are usually known, are the most widespread ones, and also the subject of this article. The cyber security community agrees that this is the most prominent and worrisome cyber threat of the moment.

Ransomware has some key characteristics that set it apart from other malware:

It feature unbreakable encryption, which means that you can’t decrypt the files on your own (there are various decryption tools released by cyber security researchers – more on that later);
It has the ability to encrypt all kinds of files, from documents to pictures, videos, audio files and other things you may have on your PC;
It can scramble your file names, so you can’t know which data was affected. This is one of the social engineering tricks used to confuse and coerce victims into paying the ransom;
It will add a different extension to your files, to sometimes signal a specific type of ransomware strain;
It will display an image or a message that lets you know your data has been encrypted and that you have to pay a specific sum of money to get it back;
It requests payment in Bitcoins because this crypto-currency cannot be tracked by cyber security researchers or law enforcements agencies;
Usually, the ransom payments have a time-limit, to add another level of psychological constraint to this extortion scheme. Going over the deadline typically means that the ransom will increase, but it can also mean that the data will be destroyed and lost forever.
It uses a complex set of evasion techniques to go undetected by traditional antivirus (more on this in the “Why ransomware often goes undetected by antivirus” section);
It often recruits the infected PCs into botnets, so cyber criminals can expand their infrastructure and fuel future attacks;
It can spread to other PCs connected to a local network, creating further damage;
It frequently features data exfiltration capabilities, which means that it can also extract data from the affected computer (usernames, passwords, email addresses, etc.) and send it to a server controlled by cyber criminals; encrypting files isn’t always the endgame.
It sometimes includes geographical targeting, meaning the ransom note is translated into the victim’s language, to increase the chances for the ransom to be paid.

How many people have been affected by the current strain, Wanna Cry?

Over the weekend, Europol officials said that some 200,000 computers have been hit by the malware. But that number has almost certainly risen as people in Asia – who had logged off for the workweek before Wanna Cry began spreading – have returned to work. On Monday, the Japanese electronics maker Hitachi, a prominent Korean theater chain and the Chinese government said their systems had been affected. Chinese state media reported that 40,000 businesses and institutions have been hit, according to NPR, including universities, gas stations and city services.

What are best practices for protecting against ransomware?

New ransomware variants appear on a regular basis. Always keep your security software up to date to protect yourself against them.
Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.
Email is one of the main infection methods. Be wary of unexpected emails especially if they contain links and/or attachments.
Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. However organizations should ensure that backups are appropriately protected or stored off-line so that attackers can’t delete them.
Using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing you to roll back to the unencrypted form.