Michael Angelo
CRISC, Chief Security Architect, Micro Focus
Everywhere we turn, we read stories crediting ransomware with everything from locking hotel guests out of their rooms to shutting down hospitals. Ransomware has created a situation of fear, uncertainty and doubt (aka FUD) not only in the business world but also in the general population. In order to combat FUD, we need to do three things: understand how you get ransomware, understand how it works and, most importantly, understand what you can do to protect yourself.
1. How do you get a ransomware infection?
Ransomware is a new twist on an old technology. The computer virus it builds on has been around since the last millennium, and that technology is well-studied and understood. Ransomware relies on the same technology and methodologies as traditional malware (i.e., viruses, worms and trojans). That is, a virus infects a file or system on a computer and causes it to try to infect other files or systems on that computer. A worm actively tries to infect other computers on your network. A trojan is designed to trick you into running something that enables either a virus or a worm. Most of today’s attacks take advantage of one of these mechanisms to deliver the actual ransomware. The mechanism used to deliver the trojan, virus or worm can vary, but the key point to remember is this: you can get ransomware from email or simply from surfing the web. There are two common delivery mechanisms.
A phishing attack is a well-crafted mail message that encourages you to open an attachment or click on a link. The attachment or the link then starts delivering malware. If the mail message is tailored to a specific company or individual, it is called a spear phishing attack.
A compromised or spoofed website resembles a well-known, popular website. In the past, a spoofed website would try to get you to enter the username and password for the site it imitated. Today’s spoofed websites have evolved to download software onto your machine automatically, which is known as a drive-by download.
2. How does ransomware work?
Ransomware may not start running right after you accidentally download it. Very likely it will stay dormant until your system is not being used. Then it will attempt to contact a repository on the web and register your system. Once your system is registered, the ransomware will download an encryption key. From there it will start to encrypt your system. Some forms of ransomware will try to encrypt just your files (documents, pictures, music). Others will try to encrypt the entire disk (including networked drives). Either way, once it has finished encrypting, it will present you with a message letting you know your system is being held for ransom. At this point, your choices are simple: you can contact the FBI and see if they have a set of keys that you can use to decrypt your system, you can pay the ransom, or you can attempt to restore your system from backups.
3. How can you protect your computer or network from ransomware?
Besides the obvious, such as doing your best to avoid phishing attacks and spoofed websites, there are numerous solutions out there that can be used. The key is to ensure that your anti-malware technology has a few key attributes. It should analyze files and look for known malicious command sequences (referred to as signature analysis). It should analyze your system and look for program- or system-level changes. Finally, it should monitor the programs on your system to see whether any program is doing something out of the ordinary.
These techniques overlap, and together they can provide a very strong solution, but the key is to have a solution in place before you are infected by ransomware or affected by FUD.
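As an added illustration (not part of the original article, and not any vendor's product code), the following Python sketch shows the three attributes in miniature: a signature check for catalogued byte sequences, a SHA-256 comparison against a trusted baseline to spot system-level changes, and two behavioral checks, one flagging rewritten files whose contents now look like ciphertext and one flagging a process that rewrites many files within a few seconds. All file names, process names and events are constructed sample data, and the thresholds are illustrative assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 7.0  # bits per byte; documents sit far below this, ciphertext near 8 (assumed value)
BURST_WINDOW_S = 5.0     # seconds of file activity considered together (assumed value)
BURST_LIMIT = 20         # rewrites by one process inside the window before we alert (assumed value)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniformly distributed bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def signature_hits(data: bytes, signatures) -> list:
    """Signature analysis: which catalogued byte sequences occur in the file contents."""
    return [sig for sig in signatures if sig in data]

def changed_files(baseline: dict, current: dict) -> list:
    """System-level change detection: paths whose SHA-256 no longer matches the trusted baseline."""
    return sorted(p for p, d in current.items() if baseline.get(p) != hashlib.sha256(d).hexdigest())

def encrypted_looking_changes(baseline: dict, current: dict) -> list:
    """Behavioral check: changed files whose new contents have ciphertext-like entropy."""
    return [p for p in changed_files(baseline, current) if shannon_entropy(current[p]) > ENTROPY_THRESHOLD]

def burst_writers(events: list) -> dict:
    """Behavioral check: processes rewriting more than BURST_LIMIT files within BURST_WINDOW_S.
    `events` holds (timestamp, process_name, path) tuples from a file-activity monitor."""
    by_proc = defaultdict(list)
    for ts, proc, _path in sorted(events):
        by_proc[proc].append(ts)
    alerts = {}
    for proc, times in by_proc.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > BURST_WINDOW_S:  # slide the window forward
                start += 1
            if end - start + 1 > BURST_LIMIT:
                alerts[proc] = max(alerts.get(proc, 0), end - start + 1)
    return alerts

# Constructed sample data for a stand-alone run; nothing here comes from a real incident.
PLAINTEXT = b"Quarterly report: revenue up 4%, costs flat. " * 8
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # stands in for an encrypted file
ORIGINALS = {"docs/report.docx": PLAINTEXT, "docs/notes.txt": b"todo: call vendor\n"}
BASELINE = {p: hashlib.sha256(d).hexdigest() for p, d in ORIGINALS.items()}  # trusted hashes taken earlier
CURRENT = {**ORIGINALS, "docs/report.docx": CIPHERTEXT}  # report.docx has been overwritten with ciphertext
EVENTS = [(0.1, "winword.exe", "docs/notes.txt")] + [(1 + 0.05 * i, "updater.exe", f"docs/f{i}.docx") for i in range(40)]
```

Running `encrypted_looking_changes(BASELINE, CURRENT)` reports the overwritten report, and `burst_writers(EVENTS)` singles out the process that rewrote forty files in two seconds; a real deployment would feed these functions from a file-integrity baseline and a file-activity monitor rather than from the embedded sample.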