Ransomware Response Procedures

Ransomware is a type of malicious software that encrypts your files and demands a ransom to restore them. It can cause serious damage to your data, your privacy and your finances. If you discover that your computer has ransomware, you need to act quickly and follow these 10 steps:

  1. Disconnect your computer from the internet and any other devices. This will prevent the ransomware from spreading to other machines or contacting its command-and-control server.
  2. Identify the type and variant of ransomware that infected your computer. You can use online tools such as ID Ransomware or other reputable sites to upload a ransom note or an encrypted file and get information about the ransomware.
  3. Check if there is a decryption tool available for the ransomware that infected your computer. Some security researchers and companies have created free tools that can decrypt some types of ransomware. You can find a list of such tools on various security-related websites, like Avast, Emsisoft, Kaspersky, McAfee, Trend Micro, or other solutions.
  4. If there is no decryption tool available, try not to pay the ransom. It may not be possible to recover the encrypted files, so you may feel the need to pay the ransom. Paying the ransom does not guarantee that you will get your files back, and it may encourage the attackers to target you again. Moreover, you may be breaking the law by funding criminal activity.
  5. Remove the ransomware from your computer. You can use an antivirus or anti-malware program to scan your computer and remove any traces of the ransomware. You may need to boot your computer in safe mode or use a bootable USB drive to run the scan.
  6. Restore your files from a backup, if you have one. The best way to recover from a ransomware attack is to have a backup of your important files that is stored offline or on a separate device. If you have such a backup, you can quickly restore your files after removing the ransomware from your computer.
  7. Change your passwords and enable multi-factor authentication. The ransomware may have stolen your credentials or installed a keylogger on your computer, so you should change your passwords for all your online accounts and enable multi-factor authentication where possible.
  8. Update your operating system and applications. The ransomware may have exploited a vulnerability in your software to infect your computer, so you should update your operating system and applications to the latest versions and apply any security patches.
  9. Educate yourself and others about ransomware prevention. The best way to avoid ransomware is to prevent it from infecting your computer in the first place. You should learn how to recognize phishing emails, avoid clicking on suspicious links or attachments, and use reputable security software.
  10. Report the incident to the authorities and seek professional help if needed. You should report the ransomware attack to the relevant authorities in your country or region, as they may be able to assist you or investigate the attackers. You should also seek professional help from a trusted IT expert or a security company if you need assistance with removing the ransomware or recovering your files.


Responding to Ransomware Attacks

In the event that your personal computer, or even the computers on your corporate network, fall victim to a successful ransomware attack, an effective response plan can determine the difference between disaster and successful recovery. If you are impacted by a company-wide malware infection that takes down multiple endpoints, it could mean a permanent business closure if you are unable to recover critical data.

We will discuss how you might respond at the beginning of an attack so you can remediate the damage before making wrong decisions.

How to respond to a ransomware attack

If preventative measures have failed, such as hardening your systems against Mimikatz attacks (links here and here), making users more security aware with Security Awareness Training tips, and the Windows 10 hardening tips, then your organization should take the following actions immediately after identifying a successful ransomware infection.

If you have an Incident Recovery Plan, execute the notification process and get all the required teams communicating and remediating the systems impacted by the attack.

1. Quarantine Infected Systems

The majority of ransomware attacks include a function to scan the target network, identify other systems on the same network that can also be attacked, and then encrypt all the files stored on network shares or other computers as the attacker moves laterally across the network. To contain the infection and prevent the ransomware from spreading to every system, the infected systems must be removed from the network as soon as possible. This will significantly slow the spread and buy you time for analysis and troubleshooting before everything is rendered useless.

Note: This includes blocking them from wired and wireless network access.

This will also prevent infected systems from accessing resources like internal email, backup systems, employee record systems, critical databases, etc.

2. Block Internet Access

Every system on the network may already have the malware copied to it and simply not have started the encryption process yet because it has not been able to reach the command and control server on the internet. Disconnect all systems from the internet. Those that are still working will not start encrypting their drives, and those already encrypting were cut off from the clean systems by the step above.

Note: This includes blocking internet access from wired and wireless networks.

Now you have known bad systems (they are actively encrypting the user files or have already encrypted all of them) isolated from the network (they can’t see other systems on your network) and blocked from the internet (they can’t see other systems on the internet). You also have suspected good systems that are blocked from accessing the internet and disconnected from the bad systems. You can now verify that those clean-looking systems are definitely clean and return them to normal once you are sure they are not infected. More about that in Step 5 below.

3. Identify Ransomware

Identify the “brand” of ransomware that has infected your systems. While this might seem strange, there are many types of ransomware from many different malware groups. Knowing which one has infected your systems could help you better identify the methods used in the attack, how to stop the spread, and how you might be able to get your data back without paying a ransom.

There have been instances of law enforcement agencies shutting down a ransomware author’s “business” and releasing the decryption keys. Also, the groups behind older ransomware that are no longer actively infecting new systems have sometimes released their decryption keys.

You can visit a website like this to help identify which malware has infected your systems so you can get help stopping, removing, and decrypting your locked files. To get a better understanding of the volume of internet threats that exist today, a visual threat map can be helpful. This threat map from Fortinet helps visualize the threats in a more “real-time” visual presentation.

4. Disable Scheduled Tasks

You should immediately disable any automated or system-scheduled maintenance tasks such as user or system clean-up routines, log deletion tasks, deletion of old backup files, etc. These automated tasks can remove files you might wish you still had later, files your forensic teams might need, or they might perform an action that prevents a successful remediation of the ransomware attack.
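Steps 4 and 8 together describe a freeze-and-thaw of scheduled clean-up tasks: disable them early, keep a record, and re-enable only the ones you have reviewed. The following PowerShell is an added example (not code from the original post) of that procedure. It assumes Windows 8 / Server 2012 or later (the ScheduledTasks module), an elevated session, and that the keyword list and the record path `C:\IR\frozen-tasks.xml` are placeholders you adjust for your environment.

```powershell
# Added example: freeze scheduled clean-up tasks during ransomware response, record what
# was changed, and re-enable them later only after review (steps 4 and 8 of the post).
# Assumptions: elevated PowerShell, ScheduledTasks module available, record path on clean storage.

$RecordPath = 'C:\IR\frozen-tasks.xml'   # assumed location
$Keywords   = 'clean', 'cleanup', 'purge', 'delete', 'prune', 'rotate', 'backup', 'retention'
New-Item -ItemType Directory -Path (Split-Path $RecordPath) -Force | Out-Null

function Get-CleanupTask {
    # Enabled tasks whose name, path or description suggests they delete or rotate data.
    foreach ($task in Get-ScheduledTask) {
        if ($task.State -eq 'Disabled') { continue }
        $text = "$($task.TaskName) $($task.TaskPath) $($task.Description)"
        foreach ($kw in $Keywords) {
            if ($text -match [regex]::Escape($kw)) { $task; break }
        }
    }
}

function Suspend-CleanupTask {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $frozen = @()
    foreach ($task in Get-CleanupTask) {
        if ($PSCmdlet.ShouldProcess("$($task.TaskPath)$($task.TaskName)", 'Disable')) {
            # Keep the XML definition so the task can be recreated if it is lost during clean-up.
            $frozen += [pscustomobject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                State    = $task.State.ToString()
                Xml      = Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath
            }
            Disable-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath | Out-Null
        }
    }
    $frozen | Export-Clixml -Path $RecordPath
    $frozen | Select-Object TaskPath, TaskName, State
}

function Resume-CleanupTask {
    # Step 8: re-enable only the tasks you have reviewed and approved by name.
    param([string[]]$Approved)
    foreach ($entry in Import-Clixml -Path $RecordPath) {
        if ($Approved -contains $entry.TaskName) {
            Enable-ScheduledTask -TaskName $entry.TaskName -TaskPath $entry.TaskPath | Out-Null
            "re-enabled $($entry.TaskPath)$($entry.TaskName)"
        } else {
            "still disabled (not approved): $($entry.TaskPath)$($entry.TaskName)"
        }
    }
}

# Usage:
#   Suspend-CleanupTask -WhatIf                  # preview which tasks would be frozen
#   Suspend-CleanupTask                          # freeze and write the record
#   Resume-CleanupTask -Approved 'SilentCleanup' # later, after review of each task
```

Run the preview first: the keyword match is deliberately broad, and it is better to freeze one task too many than to let a retention job delete the only copy of a file the forensic team wants.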

5. Remove Ransomware from Infected Systems

You can use available antivirus tools to identify and successfully remove the ransomware from your computer. If you are already using anti-virus and it didn’t stop the infection, this is probably a good time to investigate your current configuration issues or get a better solution. Once you have scanned and cleaned the system, it is ready to restore your files.

Once you find the right software to scan for and detect the malware, run the scanner on all your systems, not just the infected ones. You might think you know which systems are infected, but the scanner can help you determine which systems actually are. You want to do the clean-up and remediation just one time, so do it right the first time.

6. Don’t Pay the Ransom

Note: Only restore your files to systems that you know are clean.

I realize you may not have an option if your critical business files are encrypted, you don’t have good backups you can recover, and you can’t find a free decryption tool. If backups are unavailable or damaged and there is no free decryption tool available, you will be tempted to pay the ransom and recover your files. Just remember you may pay the ransom and still not get your files back. These people are criminals looking for easy money; they are not in the business of being your friend.

While paying the ransom may seem like an easy answer, only consider paying the ransom if all other options have been exhausted and the loss of data will likely result in your company going out of business. Paying the ransom might also get you into trouble with the law, so be very careful and consult an attorney.

7. Restore Your Backups

Note: Only restore your files to systems that you know are clean.

Hopefully you were able to jump right past Step 6 (Don’t Pay the Ransom) because you know not to pay a ransom to a criminal because it only encourages them and finances their next attack. You don’t need to pay the ransom because you either don’t need the files that were encrypted, you were able to find a free decryption tool, or you had good backups ready for you to use.

Restoring backups can take a long time, be difficult to perform, and you still might lose some data. If you have been verifying your backups, practicing the restore process at least once a year, and have a well-documented process, the effort will be less likely to fail.

If your user files are also backed up to the cloud using a tool like OneDrive, this might also be useful and a quick way to restore a user’s personal files including documents, music, and pictures.

8. Restore Network

Now that you know which systems are clean, the cleaned machines can be given access to the internet and other network resources. The infected machines can be cleaned one at a time, their files restored, and then returned to the proper network.

Don’t forget to restore internet access for the clean systems. Once you have verified that your backup files won’t be overwritten, the log files are intact, and the files required by the audit and forensics teams have been preserved, you can re-enable the scheduled tasks that you have reviewed and know are safe to enable.

9. Change Passwords

Now that you know someone has had access to your systems, you can’t be sure they did not steal your user and system passwords. Have all users reset their passwords. Reset the passwords for all service accounts, accounts used to run scheduled tasks, the KRBTGT account (used by Active Directory), and any enabled accounts used by your systems. Make sure all administrator-level users also change their passwords. Do a full inventory of accounts, looking at the last time the password was changed, and either change the password or disable the account.
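The account inventory this step asks for (every enabled account, when its password was last set, service accounts and administrators called out) is easy to produce from Active Directory. The PowerShell below is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module, a domain account allowed to read these attributes, and that the incident start date and report path are placeholders you replace.

```powershell
# Added example: inventory enabled AD accounts whose passwords predate the incident, separating
# service accounts (an SPN is set) and privileged accounts (adminCount=1) from normal users.
# Assumptions: ActiveDirectory module present; $IncidentStart and $ReportPath are placeholders.

Import-Module ActiveDirectory

$IncidentStart = Get-Date '2024-01-15'   # assumed: earliest date the attacker may have had access
$ReportPath    = 'C:\IR\password-inventory.csv'

function Get-StalePasswordAccount {
    param([datetime]$Since = $IncidentStart)
    $props = 'PasswordLastSet', 'LastLogonDate', 'ServicePrincipalName', 'AdminCount', 'PasswordNeverExpires'
    Get-ADUser -Filter 'Enabled -eq $true' -Properties $props |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                # A set SPN usually means a service account; the post says to reset those too.
                Kind                 = if ($_.ServicePrincipalName.Count -gt 0) { 'service' } else { 'user' }
                # adminCount=1 is stamped on members of protected groups (AdminSDHolder).
                Privileged           = ($_.AdminCount -eq 1)
                PasswordNeverExpires = $_.PasswordNeverExpires
                PasswordLastSet      = $_.PasswordLastSet
                LastLogonDate        = $_.LastLogonDate
                # A null PasswordLastSet means never set or "must change at next logon"; treat as stale.
                NeedsReset           = (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $Since)
            }
        }
}

$inventory = Get-StalePasswordAccount
$inventory | Export-Csv -Path $ReportPath -NoTypeInformation
$inventory | Where-Object NeedsReset | Sort-Object Privileged -Descending | Format-Table -AutoSize

# Force a change at next logon for normal user accounts that need a reset; service accounts need
# coordination with their owners because the new password must also be updated where the service runs.
$inventory | Where-Object { $_.NeedsReset -and $_.Kind -eq 'user' } |
    ForEach-Object { Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true }

# KRBTGT (the account behind Kerberos ticket signing): check when it was last reset.
Get-ADUser krbtgt -Properties PasswordLastSet | Select-Object SamAccountName, PasswordLastSet
```

One caveat on the KRBTGT reset the post calls for: Microsoft’s guidance is to reset it twice, with a pause longer than the maximum ticket lifetime between the two resets, because tickets signed with the previous password remain valid until both resets have replicated.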

10. Investigate Intrusion

Things are now back to normal. Users are back onto their computers, the files are all back where they should be, and users are back to work and not on the telephone with you. That doesn’t mean you are done.

You have to look at what happened so you can make sure it doesn’t happen again.

  • How was the ransomware able to get past your computer controls and be easily installed onto a user’s computer without being detected? Was it a user bypassing a control (authorized or unauthorized), or did the ransomware just not get stopped by any existing security control?
  • Are there changes required to your anti-virus software to make it a stronger defense against ransomware? Is it time to remove the existing solution and replace it with something more powerful or can you just change the configuration of the solution you already own to make it work better?
  • Do you need to make changes to the hardening of your Windows 10 devices to make it harder to bypass your security controls and encrypt the user’s files?
  • Do you need to alter or improve your corporate firewall controls? What about the security of your remote users and the way they connect to the Virtual Private Network (VPN)?
  • Do you need to make changes to your network to make it harder for software running on the user’s computer to get access to systems like Domain Controllers, Database Servers, File Servers, Web Servers, etc.?
  • Do you need to change the way you perform (or don’t perform) backups of user and system files? How about changes to the way you restore files? Do you have adequate documentation of the procedures used for backing up and restoring files?
  • Do user accounts have the correct level of authorization? Maybe now is a good time to remove elevated permissions from normal users, limit who has elevated permissions, and lock down the use of all admin-level accounts?

Summary

If you need help, now is the time to really get some help figuring out the changes that can help prevent a repeat of the security event. A ransomware incident can stop a company from normal business for days, weeks, or forever. It can chase away customers, compromise business-critical data, and cost you a lot of money to remediate.

Looking at the steps required now can help you practice and plan for a future incident. Careful planning, remediation of security gaps, and technical training can help prevent a successful ransomware attack, shorten the remediation timeline, and help promote confidence in your Information Technology team.

Helping Prevent Mimikatz Attacks

Mimikatz is a hacking tool that can be used to attack your endpoint in an attempt to “steal” any passwords that may exist on your Windows device. It can also play a role in internal penetration testing or red team exercises to test an attack on your network devices. Mimikatz is very effective and in a lot of cases it can lead to lateral movement and eventual escalation to domain control.

You should also consider that Mimikatz can only dump credentials and password hashes if it is executed as a privileged user like the built-in local administrator account. If you are logged into your Windows device as a local administrator, Mimikatz can be run and it probably will disclose your password.

One of the things Mimikatz requires to run successfully is the debug privilege. The “Debug Privilege” is a permission that determines which users can attach a debugger to any process or to the kernel. By default this privilege is given to Local Administrators, but it is highly unlikely that a Local Administrator will need this privilege unless you are a programmer or have a specific reason to need this permission.

To help prevent Mimikatz from running successfully, just remove this “Debug Privilege” permission from all users. Mimikatz requires this privilege as it interacts with processes such as LSASS. It is important to set this privilege only to the specific group of people that will need this permission and remove it from the Local Administrators. The SeDebugPrivilege can be disabled by defining the policy to contain no users or groups.
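The policy change described above (assign SeDebugPrivilege to no one, or only to a small named group) lives in the User Rights Assignment part of the local security policy, which `secedit` can export and apply. The PowerShell below is an added example, not code from the original post; it assumes an elevated session, that `C:\IR\secpol` is a scratch location you choose, and that `CONTOSO\DebugUsers` is a placeholder for whatever group, if any, you decide may keep the right.

```powershell
# Added example: show who currently holds SeDebugPrivilege on this machine, then rewrite the
# assignment so that nobody (or only one assumed group) holds it, using secedit.
# Assumptions: elevated PowerShell; scratch directory and group name are placeholders.

$Work = 'C:\IR\secpol'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

function Get-DebugPrivilegeHolder {
    # Export the current User Rights Assignment and read the SeDebugPrivilege line.
    $cfg = Join-Path $Work 'current.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
    if (-not $line) { return @() }          # no line at all means no one holds it
    # Values are '*SID' entries or account names; translate SIDs to names where possible.
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $v = $_.Trim()
        if ($v.StartsWith('*')) {
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $v }
        } else { $v }
    }
}

function Set-DebugPrivilegeHolder {
    # Write a template that assigns SeDebugPrivilege only to $Groups (empty = nobody) and apply it.
    param([string[]]$Groups = @())
    $value = ($Groups | ForEach-Object {
        $sid = (New-Object System.Security.Principal.NTAccount($_)).
                   Translate([System.Security.Principal.SecurityIdentifier]).Value
        "*$sid"
    }) -join ','
    $inf = Join-Path $Work 'debug-privilege.inf'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDebugPrivilege = $value
"@ | Set-Content -Path $inf -Encoding Unicode
    secedit.exe /configure /db (Join-Path $Work 'debug.sdb') /cfg $inf /areas USER_RIGHTS | Out-Null
}

'Before:'; Get-DebugPrivilegeHolder
Set-DebugPrivilegeHolder             # nobody; or: Set-DebugPrivilegeHolder -Groups 'CONTOSO\DebugUsers'
'After:';  Get-DebugPrivilegeHolder
# Verify from a fresh logon: "whoami /priv" should no longer list SeDebugPrivilege.
```

Two caveats a practitioner will want: on a domain-joined machine a Group Policy User Rights Assignment overrides this local setting, so make the change in the GPO that applies to the endpoints, and an already logged-on session keeps the privilege in its token until the user logs off. The right is also held by SYSTEM regardless of this policy, so treat the change as raising the bar rather than closing the door, and pair it with LSA protection (RunAsPPL) or Credential Guard where the hardware supports them.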

Continue reading “Helping Prevent Mimikatz Attacks”


Building a Successful Cybersecurity Strategy


When thinking of a strategy to address cybersecurity, your strategy must be one that is driven by a top-down management emphasis to build cybersecurity into everything a company does and builds. Cybersecurity cannot be an afterthought or something that is added later; it must be designed and implemented from the first day. If you have gaps today, they must be fixed and a management system must be put into place to prevent this type of issue in the future.

The first thing you must accomplish when building a mature strategy to fix your imperfect cybersecurity status is to perform a formal risk assessment. This will allow your team to compare your existing controls against an established security framework, like NIST, SANS, or CIS. A cybersecurity framework is a predefined set of controls that are identified and defined by leading cybersecurity organizations to help you enhance cybersecurity strategies within your enterprise. This will allow you to document what cybersecurity controls are already in place and how effective they are, and what controls are missing or ineffective. Once you have accomplished this step, it allows you to focus your change effort on the controls that will have the most impact to incrementally improve security with each change to the existing environment.

Now that you have a written list of needs, you have a better understanding of where your team currently stands, including which controls are currently effective and which are missing or poorly implemented. This will also help you determine whether you have the budget and personnel to make the required changes. You’ll now have a much better idea of where the biggest security gaps exist, which helps you assign a priority and schedule to each required change.

This might also be a good time to decide if outsourcing the effort, either in part or in full, might be a better solution for your business. Do you have the time and budget to train internal resources for the effort required to resolve the items identified for remediation? If you must hire new personnel, will you have time to onboard and complete orientation or training before you can start remediation of identified security issues, or should you outsource the remediation to an external resource with the experience and skill to quickly resolve your issues?

Continue reading “Building a Successful Cybersecurity Strategy”

What is Cybersecurity?

Cybersecurity is the process of protecting networks, systems, data, and programs from digital attacks. Cyberattacks are usually organized and planned attacks intended to gain unauthorized access to business or personal computer systems in order to change, steal, or destroy sensitive information. This activity can lead to unplanned business interruptions or subject the victims to extortion in order to regain access to their data or to prevent the release of sensitive data on the internet.

Understanding Cybersecurity

Cyberattacks are often launched by people employed by organized crime or malicious state actors and are constantly evolving their attacks from one technique to the next as older techniques become less effective and newly discovered vulnerabilities are weaponized.

You don’t have to be a cybersecurity expert to understand the risk and learn how to provide some basic protection for your systems and critical data. This article is intended to provide some basic guidance and to send you in the correct direction to become more effective in protecting your personal or business data.

Continue reading “What is Cybersecurity?”

10 Steps to Stopping Lateral Movement Attacks

It is estimated that over 75% of cyber attacks come from outside your network. While every attack is unique and tactics may vary, the basic stages of an outsider attack are similar. During the attack, an attacker uses four basic steps to gain a foothold in your environment.

  1. Attack the perimeter – Gain access through any perimeter protections to reach the internal resources of the network, like a user’s computer or a server-based resource on the internal network. This can be accomplished using a known vulnerability, or by convincing the user to run a program from an email link or attached file.
  2. Malware Drop – Once they have access to an internal resource, they drop malware onto the endpoint and begin communications with the compromised device, usually through a command and control system. Using the permissions of the current user, they gather intelligence about the network and attempt to elevate their permissions on that endpoint.
  3. Lateral Movement – They now start looking for resources on other systems on the same internal network. As new systems are discovered, they are also compromised and start communicating with the attacker’s command and control system. They gather more intelligence and try to elevate their permissions on all compromised systems.
  4. Trigger Payload – Once your network and systems are owned by the attacker, they start exfiltrating and/or encrypting the files on the compromised internal resources. Game over.

There are some common mitigation strategies your organization can implement to help prevent lateral movement (step 3 shown above) during an attack. You won’t always detect the initial compromise of an internal resource, but you can limit the damage that can be inflicted by implementing some basic security steps.

Here are 10 steps to reducing the impact of a lateral movement attack:

  1. Malware and Virus Detection – Install and properly configure an anti-malware and anti-virus solution on every endpoint. This offers, as a minimum, basic protection from known malware signatures, and probably offers advanced heuristic protection algorithms that detect behavior indicating malicious activity, even on zero-day attack attempts. The Microsoft Defender endpoint protection features in Windows 10 are a good example of this type of software that is highly rated and very effective.
  2. Standard User Accounts – Since users are usually the ones that allow the initial compromise through drive-by downloads or clicking on a phishing email, you must limit the power of the malware by limiting the power of the user. Require all users to log in with a standard user account and don’t make them a local administrator on any computer. Even administrators should log into their computer with a standard account as a normal practice. They should only log into systems with administrative rights when they need to actually perform administrative tasks.
  3. Enforce Least Privilege – Only allow users access to systems if they have a business need for that resource. Only allow the minimum privileges that let the user do exactly what they need to do, nothing more. This helps prevent malware from using the user’s permissions to gain unauthorized access to sensitive data.
  4. Multifactor Authentication – Implement multi-factor authentication for access to internal and external systems, all applications, and even social media. This basically requires the user to approve access through a mobile application or SMS message before their computer password is accepted. This means that even if a user’s password is stolen or guessed by an attacker, they can’t access the resource without the user’s cellphone.
  5. Conditional Access Controls – Restricting access based on static elements like location, operating system, or even time of day is a basic control that limits account login, even with approved credentials, to enforce compliance dynamically. Microsoft O365 and Azure offer a wide range of conditional access features based on location, operating systems, user risk, etc. to add security options for greater account protection.
  6. Strong Password Management – Require strong passwords that are different for every account. Never allow users to reuse passwords and encourage users to use password managers so they have strong password hygiene. Block common unsafe passwords (i.e. password1, qwerty123, etc.) and configure systems to log failed password attempts. Configure systems and devices to change or eliminate default passwords and require every system to have unique passwords across all privileged accounts. Never store passwords inside a script. Implement SSH key management tools.
  7. Patch Management – Configure systems and devices to automatically download and install vendor patches as soon as they become available. If the system needs to be tested before any patch is applied, do the testing as soon as possible and target installing all vendor patches within 30 days. Fewer vulnerabilities mean it is harder for an attacker to get into a system through a software security weakness.
  8. Network Segmentation – Group assets (users, application servers, etc.) into logical units that do not trust each other. Segmenting your network reduces the “line of sight” access attackers must have into your internal systems. For access that needs to cross trust zones, require a secured jump server with multi-factor authentication, adaptive access authorization, and session monitoring. If malware can’t reach systems, it severely limits an attacker’s ability to jump from one system to the next. Where possible, go beyond standard network segmentation to segment based on the context of the user, role, application and data being requested.
  9. Implement Threat Behavior Monitoring – Implement basic security event monitoring and log events that will help you later understand which systems were compromised. Using advanced threat detection (including user behavior monitoring) you can quickly detect compromised account activity as well as symptoms of insider privilege misuse.
  10. Application Whitelisting – If possible, implement policies to only allow known-good applications to execute while you block and log all other application launch attempts. Windows 10 allows you to implement this functionality using AppLocker. As a minimum you can pre-install the software required by a user and block them from installing any new software.
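Step 10 names AppLocker without showing how to get from "nothing" to an allow-list without breaking users. The usual path is to generate rules from the software already installed, run in audit mode, and review what would have been blocked before switching to enforcement. The PowerShell below is an added example, not code from the original post; it assumes a Windows 10 edition that supports AppLocker, an elevated session, and that the policy path and the scanned directories are placeholders you adjust.

```powershell
# Added example: build an AppLocker policy from the software already installed, deploy it in
# audit mode, and review the audit events before enforcing (step 10 of the post).
# Assumptions: Windows 10 edition with AppLocker, elevated session; paths are placeholders.

$PolicyXml = 'C:\IR\applocker-audit.xml'
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

function New-AuditAppLockerPolicy {
    # Publisher rules for signed binaries, hash rules for unsigned ones, from known-good directories.
    # Scanning all of C:\Windows recursively is slow; narrow the list to what your users actually run.
    $files = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)' |
        ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Script, WindowsInstaller }
    [xml]$xml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml
    # New-AppLockerPolicy leaves EnforcementMode as NotConfigured; set every collection to AuditOnly.
    foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
    $xml.Save($PolicyXml)
    $PolicyXml
}

function Enable-AuditAppLockerPolicy {
    # AppLocker evaluates nothing unless the Application Identity service is running.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service AppIDSvc
    Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge
}

function Get-AppLockerAuditHit {
    # 8003 = allowed but would have been blocked (audit mode); 8004 = blocked (enforce mode).
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
      ForEach-Object {
          [pscustomobject]@{
              Time = $_.TimeCreated
              Id   = $_.Id
              User = $_.UserId
              File = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData.FilePath
          }
      } | Sort-Object File -Unique
}

New-AuditAppLockerPolicy
Enable-AuditAppLockerPolicy
# Leave the policy in audit mode for a representative period, then review before enforcing:
Get-AppLockerAuditHit -Hours 168 | Format-Table -AutoSize
```

Prefer publisher rules over hash rules wherever the binary is signed: hash rules silently stop matching after every update and are the main reason allow-listing rollouts fail. Anything that shows up in the 8003 list is either a legitimate tool that needs a rule or exactly the kind of unapproved executable step 10 is meant to stop.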

While backups will not help prevent a successful lateral movement attack, if your files are compromised by an attack your only remediation may be to restore or replace the missing or encrypted files from a recent backup. Don’t forget to include offline backups in your security efforts as a safety net for when all preventative measures fail.

While none of these steps will prevent a successful attack on their own, a combination of tactics can truly limit the ability of a successful attack to do severe damage to your business. By limiting the scope of an attack you can reduce the cost of recovery, limit the scope and quantity of lost or damaged files, prevent a compromise of critical business intelligence, and build confidence in your ability to protect critical business assets.

Understanding Internet Threat Maps

You usually see threat attack maps as background images on wall mounted televisions behind a talking head giving an interview to explain the internet is a dangerous place. Some people don’t take these types of displays seriously, usually because people don’t understand their limitations or because people put too much stock in what the simple display is attempting to visualize.

While threat maps can be entertaining, as with all information generated for non-technical people, the data is often too complex to be complete on one display.  While a threat map is mostly eye candy with limited context and almost no usable intelligence, there are some very creative ways they can be used to great effect.

One interesting way to use an animated threat map is in your SOC (Security Operations Center) to provide some context to the global image of constant attacks and how the SOC is tasked with preventing a successful attack on your business. Many non-technical people don’t understand the volume and intensity of attacks, and this will help them understand the size of the cyber-security problem facing your business today.

Continue reading “Understanding Internet Threat Maps”

Ransomware Lessons

Ransomware is malicious software that attacks a computer or your entire network to force you to pay a fee (ransom) to regain access to your systems. If the fee is not paid within a set timeframe, the criminals who now have access to your systems will wipe the data. Since those systems are unavailable to your organization, most businesses are faced with a decision to pay the ransom and get back to business or refuse to pay the ransom and risk forever losing customer data.

Like any other virus or malware, ransomware is usually downloaded from the internet, most often by clicking a suspicious link in an email or on a website.


Ransomware: WannaCry Malware Review

The WannaCry ransomware was first noticed on May 12, 2017 and it spread very quickly through many large organizations, infecting systems worldwide. Unlike other ransomware, this sample used the SMBv1 “ETERNALBLUE” exploit to spread. “ETERNALBLUE” became public about a month prior, when it was published as part of the Shadow Brokers archive of NSA hacking tools.

Prior to the release of the hacking tool, Microsoft had patched the vulnerability as part of the March 2017 Patch Tuesday release, but only for supported versions of Windows. In response to the rapid spread of WannaCry, Microsoft eventually released patches for out-of-support versions of Windows as well under MS17-010, going back to include the still popular Windows XP and Windows Server 2003.

One way to detect the spread of the malware was the significant increase in activity on TCP port 445. The increase in traffic was caused by infected systems scanning for more victims. It is still not clear how the infection started. There are some reports of e-mails that included the malware as an attachment, but at this point no actual samples have been made public. It is also possible that the worm entered a corporate network via vulnerable hosts that had TCP port 445 exposed to the internet. The WannaCry malware itself doesn’t have an e-mail component.

At startup, the malware first checked whether it could reach a specific website at http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com; it can no longer be assumed that newer versions still demonstrate this behavior. This was a simple “kill-switch”: if the malware could reach the site, it stopped operating.
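The two network signals described above, the TCP port 445 fan-out from infected hosts and lookups of the kill-switch domain, can both be checked from ordinary flow and resolver logs. The code below is an added example, not from the original post; the flow records and DNS log lines are constructed, and the window size and threshold are assumptions to tune for your network.

```python
"""Two WannaCry-era detection checks over constructed records (added example,
not the post's code): TCP/445 fan-out and DNS lookups of the kill-switch domain."""
from collections import defaultdict

KILL_SWITCH = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"  # domain named in the post


def build_sample_flows():
    """Constructed flow tuples (ts, src, dst, dst_port); not real telemetry."""
    base = 1494583200
    flows = [(base + i, "10.0.0.5", "10.0.0.20", 445) for i in range(10)]  # normal file-server client
    flows += [(base + i // 10, "10.0.0.77", f"10.0.1.{i}", 445) for i in range(1, 60)]  # worm-like sweep
    flows.append((base + 5, "10.0.0.77", "203.0.113.9", 443))  # non-SMB traffic, must be ignored
    return flows


def find_smb_scanners(flows, window_s=60, threshold=20):
    """Return {src: peak number of distinct TCP/445 destinations in one window_s bucket}
    for sources at or above threshold. Tumbling buckets keep this O(n)."""
    dsts = defaultdict(set)
    for ts, src, dst, port in flows:
        if port == 445:
            dsts[(src, ts // window_s)].add(dst)
    peak = defaultdict(int)
    for (src, _), targets in dsts.items():
        peak[src] = max(peak[src], len(targets))
    return {src: n for src, n in peak.items() if n >= threshold}


# Constructed resolver log: "ts client qtype qname" (one client uses upper case and a trailing dot)
SAMPLE_DNS = """\
1494583210 10.0.0.77 A www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
1494583211 10.0.0.5 A www.example.com
1494583212 10.0.0.91 A WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
"""


def killswitch_lookups(dns_log):
    """Return the set of clients that resolved the kill-switch domain. A hit means a
    sample ran on that host (and halted itself), so the host still needs cleanup."""
    hits = set()
    for line in dns_log.splitlines():
        _ts, client, _qtype, qname = line.split()
        if qname.lower().rstrip(".") == KILL_SWITCH:  # normalise case and trailing dot
            hits.add(client)
    return hits


if __name__ == "__main__":
    print("SMB scanners:", find_smb_scanners(build_sample_flows()))
    print("kill-switch lookups:", sorted(killswitch_lookups(SAMPLE_DNS)))
```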

Eventually, the malware would create an encryption key and encrypt all the user files on the infected PC to prevent normal user access to those files. The idea is to force the user to pay a fee to recover the files they no longer could access.

Encrypted files use the extension .wncry. To decrypt the files, the user is asked to pay $300, which increased to $600 after a few days. The ransomware threatened to delete all user files after a one-week waiting period.

In addition to encrypting files, the malware also installed a “DOUBLEPULSAR” back door, which could be used to compromise the system further. The malware also installed Tor to facilitate communication with the ransomware author.

New variants have already been reported with slight changes to the kill switch domain and other settings. There is also a decryption key that can be used on many systems, but prevention is always better than searching for recovery options.

If your version of Windows was supported and you installed all available patches from Microsoft, your system would not have been infected. Microsoft also announced that the new “Windows 10 S” would help prevent ransomware infection as it will only run software purchased from the Microsoft Store.

What Security Threat Are You Overlooking?

A recent European IDC survey of more than 400 organizations discovered that many companies fail to address one of the main causes of data exposure: insider threats. The report shows that most security attacks are caused by users unintentionally using outdated credentials to access secure systems. The problem is that only 12 percent of the companies surveyed considered insider threats “highly concerning”, with common threats like viruses, phishing, ransomware, etc. listed as bigger threats requiring more attention.

This gap in security thinking can lead organizations to misunderstand users and miss opportunities to detect intentional user breaches.

Businesses need to shift their security focus away from the actions that must happen after a breach, like dealing with the aftermath of ransomware or removing a new virus, and focus on the true source of the problem, which is mostly user behavior. Education can go a long way toward reducing the activity that leads to dangerous behavior, as well as reducing the events that lead to unintentional misuse of user credentials. This should reduce the threats from multiple sources and allow your security team to focus on those users who need additional attention, as well as those users who have attempted the intentional misuse of user credentials.

It is really an effort to stop reacting to attacks caused by uneducated users doing silly things and be proactive on those threats that you can control.


Microsoft Tackles TeslaCrypt Ransomware

Ransomware is a new threat that is proving an effective attack vector for malware. Microsoft has released a rescue tool for thousands of Windows machines that were infected, starting in August, by the file-encrypting ransomware TeslaCrypt. Along with October’s updates, Microsoft upgraded its Malicious Software Removal Tool to tackle TeslaCrypt. Microsoft refers to the threat as Tescrypt, and its telemetry data picked up a large spike in detections for TeslaCrypt in late August, jumping from below 1,000 detections per day to over 3,500 detections on August 24.

The malware is typically delivered in the payload of several exploit kits, including Angler. Exploit kits are part of the estimated $60m per year automated hacking market, which companies like Cisco have tried to disrupt several times. You can download the Microsoft rescue tool here.

You can read more about what Microsoft is able to detect, and their efforts to protect Windows users, here.

Tescrypt started showing up early in 2015 and, like most of its file-encrypting predecessors, it does what most typical ransomware does:

  1. Searches for specific file types on the infected machine (see our encyclopedia description for a list of known file extensions it targets)
  2. Encrypts the files with AES-256 (a symmetric block cipher, not a hash, although the original write-up calls it “hash encryption”)
  3. Demands payment from the PC’s user in exchange for a key or code that will decrypt the files

It uses the same encryption method to communicate with its command and control server to generate a personalized TOR payment webpage for the infected machine. Earlier variants stored the private key as a file on the machine itself; Cisco/Talos created the Talos TeslaCrypt Decryption Tool, which enables affected users to decrypt their files with the locally stored private key.

Recent variants, however, store the key in the registry as binary data.

The main callout that separates this from other ransomware threats is the type or context of the files it targets for encryption: files related to PC games and financial or tax software, in addition to other files more commonly encrypted by ransomware. The following is a list of extensions we’ve seen this threat use in relation to specific programs:

  • .arch00
  • .d3dbsp
  • .dayzprofile
  • .ibank
  • .mcgame
  • .qdf
  • .rofl
  • .sav
  • .t12 / .t13
  • .tax
  • .vfs0
  • .vpp_pc
  • .w3x

Telemetry

We saw a large spike in the number of detections for Tescrypt in late August 2015 (see Figure 1). Prior to August, infections were steady but low; after the spike, detections spiked and fell but overall have remained higher than before that first peak in late August.


Figure 1: Tescrypt encounters since August 2015

Globally, the United States remains the most infected, taking over a full third of the distribution. The chart in Figure 2 shows the distribution share of Tescrypt in September 2015; countries with less than a 1.0% share are grouped together.

Free Tool For Removing Ransomware

The recent introduction of ransomware might be the most sinister type of malware introduced into the world of software. As you may have heard, this type of malicious software installs onto your computer and encrypts all your files until you pay to have your files returned. If you don’t pay, then you don’t get your files (documents, images, music, etc.) returned and they are lost forever.

There is now a new free tool to combat some of the most popular ransomware being used right now by hackers. The tool is from Kaspersky Lab, which is a well known name in the anti-virus world. They have a free utility that is at least partly effective against some variants of this malware, but it is better than nothing and points to another step towards neutralizing malicious software.

You can also read about other efforts here.
