Ransomware in Malaysia- How to Protect Yourself Against Ransomware?

May 12^th, 2017 saw the biggest ever cyberattack in Internet history.  A Ransomware named WannaCry stormed through the web, with the damage epicenter being in Europe. At the same time, Malaysia’s cybersecurity agency has issued an alert as the country emerged as one of the nearly 100 nations hit by a massive global cyberattack of Ransomware. Until May 24^th, the infection has affected over 200,000 victims in 150 countries and it keeps spreading.

What is Ransomware?

Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key.

The virus gets into a computer when a user clicks or downloads malicious files. The user then gets a random demand which must be paid for access to be restored. Security experts, however, warn there is no guarantee that access will be granted after payment.

How Does it Enter the Systems?

Common penetration techniques include:

1. Spam and social engineering
2. Direct drive-by-download or malvertising
3. Malware installation tools and botnets

How Ransomware Works?

1. End user receives an email that appears to be from their boss. It contains a URL to a SaaS application such as Salesforce, Workday or ZenDesk.
2. The link opens a browser window and directs the user to a website that seems legitimate.
   It’s actually a landing page for an exploit kit hosted in a .co.cc top level domain (TLD).
3. Upon loading the page, the web server hosting the exploit kit begins communicating with the victim machine. The server sends requests about versions of software such as Java to find a vulnerable version for which the kit has an exploit.
4. When a vulnerable version is confirmed, the kit attempts to exploit the vulnerability.
   Once successful, the exploit kit pushes down a malicious .EXE file – let’s call it “ransomware.exe.” The malicious binary on the victim machine then attempts to execute.
5. From this beachhead, the binary spawns child processes, including vssadmin.exe (shadow copy), to delete existing shadows on the victim machine and create new ones to hide in.
   The attacker does this to limit the possible recovery of files by the victim using Shadow Copies that Windows stores on a system.
6. The binary also creates a powershell executable to propagate copies of itself throughout the filesystem. The executable also searches the filesystem for files of specific extensions and begins to encrypt those files.
7. The powershell.exe child process creates three copies of the originating malware binary, first in the AppData directory, next in the Start directory, and finally in the root C:\ directory.
   These copies are used in conjunction with the registry modifications to restart the malware upon reboot and login events.
8. After encrypting the victim’s files, the malware sends the encryption key and other host- specific information back to the command-and-control server.
9. The server then sends a message to the victim. This could be a simple “alert user of encryption and directions on paying us.” It could also include directions that result in downloading additional malware, which enables the attacker to steal credentials from the victim as well.

To amplify the victim’s distress, ransomware often includes a countdown clock with a deadline for paying the ransom – or else the decrypt key will be destroyed, eliminating any chance of recovery.

Paying the ransom often means the attacker will unlock the victim’s machine or provide the key to decrypt files. However, it rarely means the originating malicious binary, “ransomware.exe” in the case above, has been removed. That will require IT and SecOps support.

The attack doesn’t necessarily end there. Attackers often load additional malware on a user’s machine, allowing them to harvest personal information, intellectual property, and credentials to sell for additional revenue.

The Damage Caused by Ransomware

In 2015, there were numerous media and researchers stating that Ransomware was not all it is cracked up to be. Ransomware accounted for roughly USD 325 million in 2015, accordingly to Microsoft.

After a surge of attacks the following year, Cybersecurity Ventures predicted that ransomware damages and related costs would reach USD 1 billion annually in 2016.

According to the Cisco 2017 Annual Cybersecurity Report, Ransomware is growing at a yearly rate of 350%.

What Happens If You Don’t Pay the Ransom?

Typically one of two things: Either you restore your files from a backup, or you lose them forever. Hackers often give victims a deadline — say 72 hours to pay the $300 in bitcoin; after that, the price doubles. If the targets refuse to pay, their computers will be permanently locked- a serious problem for people who have not backed up their data.

How to Protect Yourself Against Ransomware?

1. Do not provide personal information when answering an email, unsolicited phone call, text message or instant message. Phishers will try to trick employees into installing malware, or gain intelligence for attacks by claiming to be from IT. Be sure to contact your IT department if you or your coworkers receive suspicious calls.
2. Use reputable antivirus software and a firewall. Maintaining a strong firewall and keeping your security software up to date are critical. It’s important to use antivirus software from a reputable company because of all the fake software out there. Ask us today: http://www.itsolutionskl.com/contact-us/
3. Do make sure that all systems and software are up-to-date with relevant patches. Exploit kits hosted on compromised websites are commonly used to spread malware. Regular patching of vulnerable software is necessary to help prevent infection.
4. Do employ content scanning and filtering on your mail servers. Inbound e-mails should be scanned for known threats and should block any attachment types that could pose a threat.
5. Restore any impacted files from a known good backup. Restoration of your files from a backup is the fastest way to regain access to your data.
6. If traveling, alert your IT department beforehand, especially if you are going to be using public wireless Internet. Make sure you use a trustworthy Virtual Private Network (VPN) when accessing public Wi-Fi like Norton WiFi Privacy.