This is the first in a new series called "Hello, Friend". In this series, FIREFX's US Army-trained cyber experts will tackle common and emerging cyber-threats and cyber awareness, and try to keep it at a level that anyone (even a non-hacker) can understand. Our goal with this series is to better educate you and help you become a "Hard Target" to hack.
If you have questions regarding this or other cyber-security threats please feel free to email or call us directly.
"Hello, friend... Ransomware"
Perpetrators of Ransomware can be organized crime rings, lone wolf hackers, or, more recently, shady hacker "business" organizations that offer Ransomware as a service.
Ransomware perpetrators are sophisticated, profit-hungry cybercriminals on the lookout for unsuspecting small to mid-sized businesses and high net-worth or high-profile individuals to violate. Ransomware cybercriminals are also organized and profitable, earning 10-50 million dollars a month.
Ransomware criminal teams often work out of office buildings, making the stealthy and disruptive pieces of malicious software, and designing deceptively simple schemes to infiltrate their targets.
Recently, a Ransomware-as-a-Service organized cybercrime ring was discovered that infected around 150,000 victims in 201 countries in July 2016, splitting profits 40% to malware authors and 60% to those who discover new targets.
The overhead is low, the profits are high, the Bitcoin is anonymous, and the list of targets is endless.
Ransomware is here... and it isn't going away. Ransomware is a new threat that encrypts your files, making them unusable, threatens to publish them on the Internet in the near future, or simply marks them for deletion on a timer. This encryption/deletion/publication is only averted by paying a ransom to the criminal(s) who infected the computer. The perpetrators typically demand a payment in untraceable cryptocurrency like Bitcoin in exchange for the private key required to decrypt and access the files.
Ransomware is a term for the many variations of malware that infect computer systems, typically by social engineering schemes. A cryptovirology attack encrypts critical files and systems, then renders them inaccessible to the owner.
Infamous ransomware examples include CryptoLocker, CryptoWall, Locky, Cerber, KeyRanger, SamSam, TeslaCrypt, TorrentLocker, and Reveton.
Social Engineering is the typical gateway for Ransomware perpetrators. Social engineering is nothing new. It’s a tool of psychological manipulation that’s been used since the dawn of man. Why? To influence people into taking action that might not be in their best interest.
Sometimes it’s fairly harmless, like a child sweet-talking his mom in order to get extra candy. (I’m a victim of this one.) Many times, however, social engineering is used for nefarious purposes.
Social engineering taps into the human psyche by exploiting powerful emotions such as fear, urgency, curiosity, sympathy, or the strongest feels of them all: the desire for free stuff.
Which is why cybercriminals have caught on. They use this dangerous weapon to get at the weakest link: us. They know that the easiest way to penetrate a computer system is to go after the user. “Attacking the human element has always been a favorite,” says Jean-Phillip Taggart, Senior Security Researcher at Malwarebytes. “Why use some hard technical flaw to acquire a password when you can simply ask the user for it?”
While you likely won't tell someone your password (although some do when tricked over the phone), you might be lured into opening an infected PDF file (how many PDFs do you open in a day?), clicking on a link, opening an email attachment, or visiting an infected website. Any of these can grant access to hackers, allowing them to download Ransomware packages.
Any serious security scheme must take a layered "Onion" approach. This is what we in the Army and Corporate world commonly refer to as "Enterprise" level security. Below are some of the main layers of security that should be considered in any network.
FIREWALL: Firewalls are of no use in countering Ransomware because social engineering hacks typically start behind the firewall when someone inadvertently opens a malware package. A firewall is helpless to stop an attack initiated from its trusted side.
PASSWORD SCHEME: A password scheme is of no use in countering Ransomware, again because social engineering gains the required access without needing a password: the end user is the one executing the malware. Check your password strength with a tool like this PASSWORD METER.
EDUCATION: Probably the most effective protection scheme, and the hardest to employ consistently. Good security practices regarding emails, email attachments, and computers are the first step. Educate anyone with access to company or home network email accounts, computers, or servers (even guest networks). The hackers only have to get a deception to work once, while we have to be right 100% of the time! Vigilance must be our watchword.
ANTI-VIRUS: In the Enterprise networking environment, Anti-Virus is typically referred to as a Host based Intrusion Detection and Prevention Service (HIDS). Quality Anti-Virus can stop 1000s of attacks per day, saving a system from a full-blown infection even if a user clicks on a virus-containing link. Since this attack begins on a PC or other end user device, a good and regularly updated Anti-Virus is your second best line of defense. Unfortunately, we can't control the infection levels on our guest computers, so malware may still be introduced to our network. Don't forget to also secure your servers with Anti-Virus where applicable. Anti-Virus is meant to act as a safety net in case of a breakdown in Education by preventing the malware from installing on your system.
NETWORK INTRUSION DETECTION/PREVENTION: In addition to your HIDS, you should always employ a Network based Intrusion Detection/Prevention System (NIDS or IDPS). A properly configured NIDS will look at all traffic traversing your network, regardless of its source, and compare it to an Emerging Threat database that is updated regularly (daily). This will help protect your network assets from breakdowns in EDUCATION (user error) or the HIDS (Anti-Virus failure, or pre-infected guest devices with outdated or no HIDS joining the network).
SECURE DNS: Utilize a secure Domain Name Server (DNS). DNS servers are the middlemen between your browser and website content. Utilizing secure DNS can provide an additional layer of content filtering, malware and phishing blocking, protection against automated botnets, and even URL typo correction. These protections are updated in real time by the DNS service.
GEO-BLOCKING: If we have reached this level of protection, we are in bad shape: we have had a breakdown in Education and someone clicked on a link or opened a file that was malicious, the malware was installed, defeating our Anti-Virus, and our NIDS has failed to identify the network traffic as a threat. As a last resort, we Geo-Block types of traffic from certain known locations that are identified as nefarious. This list is only updated monthly, so it is truly the last resort in protection.
SECURITY PATCHES/UPDATES: Updating operating systems and applications with the latest security patches is a required first line of defense, as many of the ransomware attacks exploit these known vulnerabilities. The hackers are counting on your negligence in this attack.
BACKUP: So it has come to this then? Yes, even with all of the above protections... you can still be hacked. Even though you are a much harder target, you must secure your data with regular backups. A redundant data security solution that backs up and stores data in a secure location with snapshot technology, encryption, and replication will be your final layer of defense. With a solution like this, you can at the very least reset and recover without paying the ransom.
DON'T PAY THE RANSOM
Of course paying the ransom is a very bad idea. Cybersecurity experts have warned businesses against meeting hackers' demands for money in the wake of the "unprecedented" attack on hundreds of thousands of computer systems around the world.
Cybersecurity experts agree that the question of whether or not to give in to ransomware demands presents practical and ethical dilemmas.
"As a matter of principle, the answer should always be no … based on the simple dynamics of perpetuating bad conduct."
"However, as a matter of practicality and necessity, the situation is somewhat more complex."
Experts point to the Australian Telstra cybersecurity report 2017, which found that 60% of Australian organisations had experienced at least one ransomware incident in the previous 12 months.
Of that figure, 57% paid the ransom. Nearly one in three of the organisations that paid did not recover their files.
"You really are rolling the dice if you choose to pay a ransom, and your chances aren't good," the researchers found.
The report concluded that paying the ransom was a "dubious choice" when it did not guarantee the release of the data and could have the effect of labeling businesses as "soft targets", increasing their chances of being attacked again in future.
Keep in mind that this is not all-encompassing, but it is a very good start to securing your networks. Also, for mobile devices, being outside of your network environment effectively removes the layers of security afforded by your network based Enterprise scheme (NIDS, GEO-BLOCKING, SECURE DNS, and possibly BACKUP).
Winner of a 2017 Best New Hardware Product at CEDIA, the FIREFX Network Guardian is a pre-configured high performance router/firewall with GEO-BLOCKING, SECURE DNS, and a fully functional Network Intrusion Detection/Prevention Systems (NIDS/IDPS) designed specifically for the Pro-AV market and small to mid-sized business deployments.