Ransomware Survival Guide

Malware and ransomware cases are on the rise. Cybercriminals are drawn to the lucrative payoff of encrypting an organization's files and then holding them for ransom. According to IBM's Security Intelligence, Q1 2016 set a record high for ransomware, and Kaspersky Lab noted a 30% increase in ransomware victims in Q1 over the previous quarter. The true number of attacks is probably higher still, because these statistics reflect only signature-based detections.

The battle is ongoing as ransomware techniques and malware continue to evolve. How can you best safeguard your financial institution against them? By focusing on two important areas: preventative and responsive efforts.

The following are some of the basic preventative security guidelines to follow. Implemented properly, they significantly reduce the likelihood of infection by ransomware and by many other types of attack:

  1. Implement a reputable AV solution and ensure that all PCs, laptops, and mobile devices are kept up to date with the latest versions and signatures.
  2. Keep every device patched: have a process that applies the latest updates to the operating system and to all key software installed on those computers.
  3. Block all outgoing Tor, I2P and other peer-to-peer traffic at the firewall so that infected computers cannot reach their command-and-control servers to receive further instructions. Port-based blocking alone is not enough, since these protocols can tunnel over common ports such as 443, so combine it with default-deny egress filtering and application-aware inspection where your firewall supports it.
  4. Subscribe to a reliable threat intelligence feed that regularly supplies details of malicious and suspicious URLs, domains and IP addresses, and block access to them at your web proxy, DNS resolver and firewall.
  5. Block advertising networks at the web gateway or proxy (or deploy ad-blocking in the browser) to prevent infections through malicious ads (malvertising) on otherwise legitimate websites.
  6. Disable macros and ActiveX controls in the Microsoft Office suite, through the Trust Center settings or, better, through Group Policy. Many ransomware droppers arrive as Office documents whose embedded macros download and execute the payload on the victim's PC.
  7. Block execution of files from the %APPDATA% and %TEMP% paths on computers running Microsoft Windows. These folders are writable by ordinary users and are where ransomware and other malicious software typically drop and run their payloads.
  8. On Windows computers, use Software Restriction Policies (or their successor, AppLocker) to allow only authorized software to run. Path rules are only as strong as the write permissions on the allowed paths, so prefer publisher or hash rules where practical.
  9. Remove local administrator rights from Windows computers, and the equivalent on other operating systems, to minimize the likelihood of a user installing malware on the device.
  10. Segment your network so that you can control traffic between segments and isolate parts of the network to contain an outbreak.
  11. Run regular security awareness training campaigns to enable users to identify and report potential threats.
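The Office and execution-control items above (6 to 8) can be prototyped on a single host before being pushed out through Group Policy. The following PowerShell script is an added example and is not part of the original guide. It assumes Office 2016 or later (policy key version 16.0), a Windows edition that enforces AppLocker, and a pilot machine where the policy can run in audit mode while the rules are reviewed. The AppLocker rules stand in for the Software Restriction Policies the guide names; AppLocker is the supported successor and uses the same allow/deny path model.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: prototype of guideline items 6-8 on one host.
# Assumptions: Office 2016+ (policy key version 16.0), an edition that enforces AppLocker,
# and a pilot machine where EnforcementMode can stay "AuditOnly" while the rules are reviewed.

$OfficeVersion = "16.0"                      # assumed; Office 2013 uses 15.0
$OfficeApps    = "Word", "Excel", "PowerPoint"

# ---- Item 6: macros and ActiveX in Office -------------------------------------------
# These are per-user policy values (HKCU). Run them as the user concerned, or deploy the
# same values through a Group Policy user configuration so they reach everyone.
foreach ($app in $OfficeApps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    New-Item -Path $key -Force | Out-Null
    # VBAWarnings: 4 = disable all macros without notification, 3 = allow only digitally signed
    Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
    # Block macros in files carrying the Mark of the Web (downloads, e-mail attachments)
    Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
}
$common = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Common\Security"
New-Item -Path $common -Force | Out-Null
Set-ItemProperty -Path $common -Name DisableAllActiveX -Value 1 -Type DWord   # "Disable All ActiveX" policy

# ---- Items 7 and 8: allow-list execution and deny user-writable paths ----------------
# AppLocker does not expand %APPDATA% or %TEMP%; its own variables are %OSDRIVE%, %WINDIR%,
# %SYSTEM32%, %PROGRAMFILES%, %REMOVABLE% and %HOT%, so the profile path is spelt out.
# Deny rules beat allow rules, so the AppData deny also applies to local administrators.
# The Windows-folder rule excludes subfolders ordinary users can write to; without those
# exceptions a path rule is trivially bypassed by copying the payload there.
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$(New-Guid)" Name="Allow Program Files" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Windows folder" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow administrators" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Deny executables in user AppData (covers %TEMP%)" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$xmlPath = Join-Path $env:ProgramData "applocker-ransomware.xml"
Set-Content -Path $xmlPath -Value $policy -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $xmlPath        # replaces the local policy; add -Merge to combine
sc.exe config appidsvc start= auto             # enforcement needs the Application Identity service
Start-Service -Name AppIDSvc

# ---- Check: what would the policy decide for a binary dropped into the user's AppData? ----
$probe = Join-Path $env:APPDATA "probe.exe"
Copy-Item "$env:WINDIR\System32\calc.exe" -Destination $probe
Get-AppLockerFileInformation -Path $probe |
    Test-AppLockerPolicy -XmlPolicy $xmlPath   # expect PolicyDecision = Denied (deny rule matched)
Remove-Item $probe

# ---- Review audit events (ID 8003 = would have been blocked) before changing the
#      RuleCollection to EnforcementMode="Enabled" (ID 8004 = actually blocked) ----
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-AppLocker/EXE and DLL"; Id = 8003 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Run it in audit mode for at least one full business cycle and work through the 8003 events: every legitimate application that shows up there needs an allow rule (preferably a publisher rule) before enforcement is switched on, or the help desk will be the first to learn about the policy.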

In the unfortunate event that ransomware does make its way onto your network, you will have to respond to the incident. Your incident response program should be your automatic go-to; it should include both a general incident response plan and tactical procedures for handling a ransomware infection specifically. Many in our industry advise against paying the ransom, as doing so incentivizes the attackers to try again in the future. Paying also funds cybercriminals, helping them build stronger ransomware and distribute it to other attackers, and it does not guarantee that you will receive a working decryption key. You may wish to incorporate the following into your incident response program:

  1. Isolate the infected machine from the network immediately (pull the cable or shut the switch port) so that it can no longer encrypt network shares or reach other hosts.
  2. Remove the hard drive and preserve it, then fit a clean replacement. The original drive holds the evidence needed to identify the variant (and whether a decryptor exists) and to work out how the infection arrived, so image it rather than wiping it.
  3. Restore from bare metal using your latest backup. If you are not backing up frequently enough, the gap in time represents your data loss and possibly financial loss. In an ideal world your systems would back up continuously, but the cost of doing so may not fit within your budget. Whatever the interval, keep at least one copy offline or otherwise write-protected from the production network: ransomware that can reach a backup share will encrypt it too.
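The three steps above are the sequence a first responder follows at the console of an infected Windows host. The PowerShell script below is an added example, not part of the original guide; it assumes the responder is logged on with local administrator rights, that $JumpBox is the address of the incident-response workstation that should keep access (a hypothetical value), and that $Evidence points at a clean external drive. It does the quick evidence capture that replacing the drive would otherwise destroy, then quarantines the host with the Windows firewall.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: first-response actions on an infected Windows
# host, run from a console session before the drive is pulled. Assumptions: $JumpBox is the
# incident-response workstation (hypothetical address) and $Evidence is a clean external drive.
param(
    [string]$JumpBox  = "10.0.50.5",
    [string]$Evidence = "E:\ir-$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmm)"
)
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# 1. Snapshot live network connections (takes seconds) before cutting the network; this is the
#    command-and-control evidence that disappears the moment the host is isolated.
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv (Join-Path $Evidence "connections.csv") -NoTypeInformation

# 2. Isolate: disable every existing rule, allow only the IR workstation, block the rest.
#    If you are physically at the machine, pulling the cable is more reliable than relying on
#    a firewall that malware running as administrator could also reconfigure.
Get-NetFirewallRule | Where-Object DisplayName -notlike "IR-Quarantine*" | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName "IR-Quarantine-In"  -Direction Inbound  -RemoteAddress $JumpBox -Action Allow -Profile Any | Out-Null
New-NetFirewallRule -DisplayName "IR-Quarantine-Out" -Direction Outbound -RemoteAddress $JumpBox -Action Allow -Profile Any | Out-Null
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

# 3. Collect volatile state that replacing the drive would destroy: running processes with
#    their command lines, scheduled tasks and Run keys (common persistence locations).
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine |
    Export-Csv (Join-Path $Evidence "processes.csv") -NoTypeInformation
Get-ScheduledTask | Where-Object State -ne "Disabled" |
    Select-Object TaskPath, TaskName,
        @{ n = "Execute";   e = { $_.Actions.Execute -join " " } },
        @{ n = "Arguments"; e = { $_.Actions.Arguments -join " " } } |
    Export-Csv (Join-Path $Evidence "scheduled-tasks.csv") -NoTypeInformation
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
                 "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue |
    Out-File (Join-Path $Evidence "run-keys.txt")

# 4. Keep the ransom note and a handful of encrypted files: the family is usually identifiable
#    from the note text and the file extension, and NoMoreRansom's upload check needs exactly
#    these samples. The extension test is a heuristic: anything under Documents that is not one
#    of the expected types is presumed to have been renamed by the ransomware.
$samples = Join-Path $Evidence "samples"
New-Item -ItemType Directory -Path $samples -Force | Out-Null
$expected = ".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png"
Get-ChildItem "$env:USERPROFILE\Documents" -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '(?i)(readme|decrypt|restore|recover|how_to)' -or $_.Extension -notin $expected } |
    Select-Object -First 10 |
    Copy-Item -Destination $samples

# 5. Hash the collection so it can later be shown to be unaltered (compute first, then write,
#    so the manifest does not list itself).
$manifest = Get-ChildItem $Evidence -Recurse -File | Get-FileHash -Algorithm SHA256 | Select-Object Hash, Path
$manifest | Export-Csv (Join-Path $Evidence "manifest.csv") -NoTypeInformation
Write-Host "Evidence written to $Evidence; host now reaches $JumpBox only."
```

Two things the script deliberately leaves to dedicated tooling: a full memory image, which should be taken with a forensic acquisition tool before anything else if the case may go to law enforcement, and the disk image of the drive removed in step 2. Do not reboot the host in between, and hand the drive to whoever does the imaging rather than reusing it.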

Another responsive step involves tools that can decrypt affected files. A July 25, 2016 article on CUInfoSecurity.com introduced the No More Ransom portal to combat ransomware. NoMoreRansom.org was developed through a collaboration of the National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Centre, Kaspersky Lab and Intel Security. The site offers decryption tools for several ransomware families, including Chimera, TeslaCrypt, CoinVault and Bitcryptor, along with Kaspersky's ShadeDecryptor, RannohDecryptor and RakhniDecryptor. Victims can also upload samples of encrypted files to see whether an available tool can decrypt them. A decryptor only exists where the authors made a cryptographic mistake or where the keys were seized, so do not count on one; do keep a copy of the encrypted files, since tools for new variants are added over time. NoMoreRansom.org may well be worth adding to your incident response program.

Through a combination of both preventative and responsive measures, you can maximize your cyber resilience and minimize the impact of a ransomware infection at your organization.