Ransomware has become a sufficient threat to warrant a public alert by the US-CERT in March 2016, with an update posted in July 2016.
Ransomware is a virus that partially or entirely encrypts a hard drive. The encryption key is then sold to the owner to allow the data to be recovered. One branch of this virus charges an additional fee to not distribute any data which may have been delivered to a 3rd party. Of course, both the negotiating of the key and the promise not to distribute are only that, promises.
Unfortunately, a new trend is appearing where the ransomware scripts erase or corrupt the data. Even if the ransom is paid, there is no data to recover and the victim suffers both the financial and data loss.
The US-CERT alert makes a strong case to not pay ransomware services as, “paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.”
In the short-term, it may seem like the best option to reclaim lost data or return to the regular operating status is to pay. However, there is no guarantee the key will be distributed or that the malware which originally encrypted the drive has been removed.
Windows does have some defenses against such measures in the form of shadow copies of the files. These Volume Snapshot Service (VSS) files can be used to roll back the encrypted files to an earlier version. However, ransomware is becoming more sophisticated by removing these VSS files while encrypting the files, and therefore removing the option of an easy resolution.
Best Methods of Protection:
The strongest defenses against this brand of attack includes backup/recovery procedures, regular patching, and user awareness.
Rather than pay a fee on the off-chance of decrypting data, the entire drive should be wiped and replaced with the latest backup. Not all backup tools are considered equal in preventing ransomware and the configuration determines how strong the prevention method may be. If a backup does not maintain the differences between versions, it may simply be overwriting good files with the compromised encrypted versions. Tools such as Synology’s Hyper Backup or Bvckup 2 allow for version control of the uploaded files. Obviously, this requires considerably more disk space.
Since ransomware may spread to attached devices, the backup tools should be used from external drives, which only connect when creating a backup, or by cloud services.
As an additional protection, regularly migrate critical files into cloud storage systems, such as Microsoft’s OneDrive, Dropbox, or Google Drive. Multiple versions can be stored and these business critical documents may be preserved.
To truly combat ransomware, 2 requirements must be satisfied: 1) the backups must be versioned and 2) backups must be contained externally. It is also imperative to regularly make backups and test them as a part of a disaster recovery plan.
Patching can help resolve security holes and limit potential exposures. Malicious websites and viruses prey on out of date systems with widely known vulnerabilities.
Informing users of potential methods of social engineering makes it less likely to be effective. If a situation seems suspicious, it most likely is. Users must be on the lookout for malicious emails or downloads. One of the more popular 2016 ransomware tools, Cryptolocker (commonly referred to as Locky), was distributed within spam email attachments.
This method sends an attached file that appears corrupted. It informs users to download the macros to allow the content to be viewed. These macros act as vectors to download additional malware that attempts to scramble any file of a target type (videos, pictures, Office documents, or code) it can access.
To prevent such an exploit, test suspicious attachments via Microsoft Office viewers. These show the document’s contents without opening the file. As the viewers do not support macros, the chance of accidentally enabling malicious content is eliminated. Any file that is malformed should be assumed to be malicious.
Other methods of preventing ransomware include:
Disable Remote Desktop Protocol (RDP) – The Remote Desktop Protocol is a method used by Locky to distribute malware and is not needed in most production environments. Disabling the service reduces the attack surface and the ability of the malware to communicate.
Disable files running from AppData or LocalAppData folders – Restricting the group policy will substantially reduce the effectiveness and likelihood of successful malware. This may work in a corporate environment where systems should already be more locked from a security perspective. A system of whitelist applications may then be used for known good applications, such as Dropbox, Chrome, and Microsoft Office. The Cryptolocker Prevention Kit is one tool that can be used to enforce Group Policy on these directories and only allow access to known good applications. More information on setting up whitelisting and blacklisting with Windows policies may be found here:
In the event that ransomware gets deployed in a system, it is difficult, and impractical, to decrypt. However, there are some potential alternatives to attempt to safely recover the data.
The first step is to identify what method was used to encrypt the drive or the malware that has been implemented. This can be done by uploading a sample of the files left of the server at the following website:
Depending on the type of malware, choose the correct tool to attempt to decrypt. These tools have low rates of success and newer versions of the ransomware malware are designed specifically to defeat them. Also note that in using such decryption tools, the data may become corrupted, and even with a decryption key, remain unusable.
The best strategy if compromised is to enact proper backup and recovery procedures. In addition to storing backups, the recovery process must be regularly tested to ensure it is working as expected.