Changes: Ransomware

Definitions

Ransomware is

“

[a] form of malware that restricts access to a device unless the victim pays to have it unlocked.[1]

”

“

[a] malicious form of software that locks your computer or files and requires you to pay money to get the decryption code to unlock your files or device.[2]

”

“

a form of malicious software ("malware") designed to block access to a computer system or data, often by encrypting data or programs on information technology (IT) systems to extort ransom payments from victims in exchange for decrypting the information and restoring victims' access to their systems or data.[3]

”

“

a type of malware which restricts access to the computer system that it infects, and demands a ransom be paid in order for the restriction to be removed.[4]

”

“

a type of malware (malicious software) distinct from other malware; its defining characteristic is that it attempts to deny access to a user's data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. After the user's data is encrypted, the ransomware directs the user to pay the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) in order to receive a decryption key. However, hackers may deploy ransomware that also destroys or exfiltrates data, or ransomware in conjunction with other malware that does so.[5]

”

“

a form of malware that targets your critical data and systems for the purpose of extortion.[6]

”

Overview

Ransomware typically propagates as a conventional computer worm, entering a system through, for example, a vulnerability in a network service or an e-mail attachment. It may then:

• Disable an essential system service or lock the display at system startup.
• Encrypt some of the user's personal files. Encrypting ransomware were originally referred to as cryptoviruses, cryptotrojans or cryptoworms.

In both cases, the malware may extort by:

• Prompting the user to enter a code obtainable only after wiring payment to the attacker or sending an SMS message and accruing a charge.
• Urging the user to buy a decryption or removal tool.

More sophisticated ransomware may be a hybrid — encrypt the victim's plaintext with a random symmetric key and a fixed public key. The malware author is the only party that knows the needed private decryption key. The author who carries out this cryptoviral extortion attack offers to recover the symmetric key for a fee.

Ransomware is illegal under the Computer Fraud and Abuse Act.^[7]

FBI Recommendations to stop ransomware attacks

The FBI recommends users consider implementing the following prevention and continuity measures to lessen the risk of a successful ransomware attack.

• Regularly back up data and verify the integrity of those backups. Backups are critical in ransomware incidents; if you are infected, backups may be the best way to recover your critical data.
• Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might include securing backups in the cloud or physically storing them offline. It should be noted, some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real-time, also known as persistent synchronization.
• Scrutinize links contained in e-mails and do not open attachments included in unsolicited e-mails.
• Only download software — especially free software — from sites you know and trust. When possible, verify the integrity of the software through a digital signature prior to execution.
• Ensure application patches for the operating system, software, and firmware are up to date, including Adobe Flash, Java, Web browsers, etc.
• Ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.
• Disable macro scripts from files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office Suite applications.
• Implement software restrictions or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers, or compression/decompression programs, including those located in the AppData/LocalAppData folder.

Additional considerations for businesses include the following:

• Focus on awareness and training. Because end users are often targeted, employees should be made aware of the threat of ransomware, how it is delivered, and trained on information security principles and techniques.
• Patch all endpoint device operating systems, software, and firmware as vulnerabilities are discovered. This precaution can be made easier through a centralized patch management system.
• Manage the use of privileged accounts by implementing the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary; they should operate with standard user accounts at all other times.
• Configure access controls with least privilege in mind. If a user only needs to read specific files, he or she should not have write access to those files, directories, or shares.
• Use virtualized environments to execute operating system environments or specific programs.
• Categorize data based on organizational value, and implement physical/logical separation of networks and data for different organizational units. For example, sensitive research or business data should not reside on the same server and/or network segment as an organization's e-mail environment.
• Require user interaction for end user applications communicating with Web sites uncategorized by the network proxy or firewall. Examples include requiring users to type in information or enter a password when the system communicates with an uncategorized Web site.
• Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy.

Specific Ransomware

Ransomware includes the following;

• CryptoWall
• CTB-Locker
• Locky
• SAMSAM
• TeslaCrypt
• WannaCry

References

1. Cybersecurity in the Golden State, Security Breach, Malware.
2. Cybersecurity A Primer for State Utility Regulators, App. B.
3. Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, at 1. "In some cases, in addition to the attack, the perpetrators threaten to publish sensitive files belonging to the victims, which can be individuals or business entities (including financial institutions). The consequences of a ransomware attack can be severe and far-reaching — with losses of sensitive, proprietary, and critical information and/or loss of business functionality." Id. at 1-2.
4. Digital Currencies: Response to the Call for Information, at 11 n.1.
5. FACT SHEET: Ransomware and HIPAA, at 1.
6. How to Protect Your Networks from Ransomware, at 2.
7. Cybersecurity: Selected Issues for the 115th Congress, at 3.

Source

• "FBI Recommendations to stop ransomware attacks" section: Ransomware Victims Urged to Report Infections to Federal Law Enforcement.

See also

• "Drive-by" ransomware
• FACT SHEET: Ransomware and HIPAA
• How to Protect Your Networks from Ransomware
• Ransomware and Recent Variants
• Ransomware on the Rise: FBI and Partners Working to Combat This Cyber Threat
• State ransomware and computer extortion laws

External resources

• Microsoft, "What is ransomware?" (full-text).
• Decrypt Ransomware

This page uses Creative Commons Licensed content from Wikipedia (view authors).