Ransomware continues to be one of the biggest menaces on the internet. A single click on the wrong link can be enough to set off a sequence of events that ends with all your data encrypted by criminals, who will only unlock it in return for a hefty ransom, usually paid in bitcoin or another hard-to-trace cryptocurrency.

Smartwatch maker Garmin appears to be the latest victim, with a suspected ransomware attack taking its website, mobile app, and customer service call centers offline.

On Twitter, the company confirmed it was “experiencing an outage that affects Garmin Connect, and as a result, the Garmin Connect website and mobile app are down at this time”.

Related coverage: "Smartwatch maker Garmin was taken offline after suspected cyber-attack"; "Garmin begins recovery from a ransomware attack".

What is Ransomware?

Ransomware is a form of malware that encrypts files on an infected device and holds them hostage until the user pays a ransom to the malware operators.

After the initial infection, ransomware will often attempt to spread to connected systems, including mapped or shared network drives and any other computers it can reach.

If the threat actor's ransom demands are not met (i.e., if the victim does not pay the ransom), the encrypted files usually remain encrypted and unavailable to the victim. Even after a ransom has been paid, threat actors sometimes demand additional payments, delete a victim's data, refuse to decrypt the data, or decline to provide a working decryption key. Paying is therefore no guarantee of recovery. Millions of dollars have been extorted through ransomware attacks.

How does ransomware work?

Ransomware usually enters devices as a Trojan, masquerading as a normal file that is downloaded intentionally or unintentionally by the user. Upon execution, the ransomware begins encrypting the files on the infected device.

Ransomware generally adds an extension to the encrypted files, such as .aaa, .micro, .encrypted, .ttt, .xyz, .zzz, .locky, .crypt, .cryptolocker, .vault, or .petya, to mark them as encrypted; the extension used is typically specific to the ransomware family, which makes it a useful first indicator when triaging an infection.

Once the ransomware has completed file encryption, it creates and displays a file or files containing instructions on how the victim can pay the ransom. If the victim pays the ransom, the threat actor may provide a cryptographic key that the victim can use to unlock the files, making them accessible.

Ransoms are typically paid in Bitcoin or other digital currencies that are difficult to trace.

How is ransomware delivered?

Ransomware is commonly delivered through phishing emails or via "drive-by downloads." Phishing emails often appear to have been sent from a legitimate organization or someone known to the victim and entice the user to click on a malicious link or open a malicious attachment. A "drive-by download" is a program that is downloaded from the internet without the user's consent and often without their knowledge, typically by exploiting a vulnerability in an unpatched browser or browser plug-in. The malicious code may run immediately after download, with no further user interaction. Once it has run, the computer is infected with ransomware.

COMMON RANSOMWARE – A list of some of the ransomware families that have hit organizations over the past 5 to 7 years.

CryptoLocker – Discovered on September 15, 2013, CryptoLocker is widely regarded as the first modern ransomware strain. It was distributed through email attachments and botnets and encrypted files on Windows computers and any mounted drives.

CryptoWall – CryptoWall was discovered on June 19, 2014, and is not related to CryptoLocker. It was initially distributed through exploit kits and emails and was later also spread through malicious ads and compromised websites. CryptoWall encrypts files and deletes Volume Shadow Copy Service (VSS) snapshots, the local "shadow copies" Windows keeps for recovery, so that the victim cannot simply restore previous versions. After infection, the computer displays a web page or text document with payment directions.

Samas / SamSam / Samsa – First discovered on December 9, 2015, Samas is among the more destructive ransomware families. Its code is not particularly advanced, but its distribution is far more targeted than most: attackers breach the network first and deploy the ransomware manually once enough systems are under their control, so that encryption starts everywhere at once. Like CryptoWall, Samas deletes shadow copies after encrypting the original files and demands payment in Bitcoin.

Locky – Discovered on February 16, 2016, Locky is distributed, like most ransomware, through malicious email attachments (commonly documents that ask the user to enable macros). It encrypts files on the local computer and on mounted drives, deletes shadow copies of the original files, and demands a ransom in return for the decryption key. It also replaces the desktop wallpaper with an image of the ransom note, so the message is impossible to overlook.

WannaCry – A worldwide ransomware outbreak in May 2017 that hit over 125,000 organizations in more than 150 countries. Unlike the email-borne families above, WannaCry spread from machine to machine on its own, using EternalBlue, an exploit for a vulnerability in Microsoft's SMBv1 implementation that Microsoft had patched two months earlier in MS17-010. Any Windows system reachable on TCP port 445 that had not applied the patch could be infected with no user interaction at all.

Bad Rabbit – A strain of ransomware that infected organizations in Russia and Eastern Europe. Bad Rabbit spreads through a fake Adobe Flash update offered on compromised websites. When the ransomware infects a machine, users are directed to a payment page demanding 0.05 bitcoin.

Jigsaw – Jigsaw encrypts and progressively deletes files until a ransom is paid. The ransomware deletes a single file after the first hour, then deletes more and more per hour until the 72-hour mark, when all remaining files are deleted.

Petya – Unlike most ransomware, which encrypts individual files, Petya attacks the disk itself. It overwrites the master boot record with its own loader, which then encrypts the master file table of the NTFS volume, leaving the operating system unable to boot and every file on the disk unreachable until the ransom is paid.
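Two behaviours recur across the families above: the victim's files are rewritten with a tell-tale extension, and local recovery points are destroyed with tools such as vssadmin, wmic, wbadmin and bcdedit. The following script, added here as an illustration and not code from the original article or from any of the families it describes, turns both into detection rules run over endpoint telemetry. It assumes events are dicts resembling simplified Sysmon records (event_id 1 for process creation with "image" and "command_line", event_id 11 for file creation with "image" and "target"); the sample events, host names, paths and the MASS_WRITE_THRESHOLD value are constructed for the example.

```python
"""Detect two host-level ransomware indicators in endpoint telemetry.

Added example, not code from the original article. It assumes events are
dicts resembling simplified Sysmon records: event_id 1 (process creation)
with "image" and "command_line", and event_id 11 (file create) with "image"
and "target". The sample events below are constructed for illustration.
"""
import ntpath
import re
from collections import defaultdict

# Commands used by families such as CryptoWall, SamSam and Locky to destroy
# Volume Shadow Copies and other local recovery points before encrypting.
RECOVERY_INHIBIT_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
    re.compile(r"win32_shadowcopy.*\.delete\(", re.I),
]

# Extensions the article lists as markers of encrypted files.
RANSOM_EXTENSIONS = {".aaa", ".micro", ".encrypted", ".ttt", ".xyz", ".zzz",
                     ".locky", ".crypt", ".cryptolocker", ".vault", ".petya"}

# Files with a ransom extension one process may create before we alert
# (assumed threshold; tune to the environment).
MASS_WRITE_THRESHOLD = 5


def detect_ransomware_indicators(events, threshold=MASS_WRITE_THRESHOLD):
    """Return (rule, host, image, detail) tuples for suspicious activity."""
    alerts = []
    ransom_writes = defaultdict(list)          # (host, image) -> [paths]
    for ev in events:
        if ev["event_id"] == 1:
            cmd = ev.get("command_line", "")
            if any(p.search(cmd) for p in RECOVERY_INHIBIT_PATTERNS):
                alerts.append(("recovery_inhibit", ev["host"], ev["image"], cmd))
        elif ev["event_id"] == 11:
            path = ev.get("target", "")
            # ntpath handles the backslash-separated Windows paths on any OS
            if ntpath.splitext(path)[1].lower() in RANSOM_EXTENSIONS:
                ransom_writes[(ev["host"], ev["image"])].append(path)
    for (host, image), paths in ransom_writes.items():
        if len(paths) >= threshold:
            alerts.append(("mass_ransom_extension", host, image,
                           f"{len(paths)} files, first: {paths[0]}"))
    return alerts


# Constructed sample telemetry: WS-042 shows an infection in progress,
# WS-017 shows ordinary activity.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "WS-042", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"event_id": 1, "host": "WS-042", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c bcdedit /set {default} recoveryenabled No"},
    {"event_id": 1, "host": "WS-017", "image": r"C:\Program Files\Backup\agent.exe",
     "command_line": "agent.exe --schedule nightly"},
    {"event_id": 11, "host": "WS-017", "image": r"C:\Program Files\Office\winword.exe",
     "target": r"C:\Users\alice\Documents\memo.docx"},
] + [
    {"event_id": 11, "host": "WS-042",
     "image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "target": rf"C:\Users\bob\Documents\report{i}.docx.locky"}
    for i in range(6)
]

if __name__ == "__main__":
    for alert in detect_ransomware_indicators(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the script raises two recovery_inhibit alerts and one mass_ransom_extension alert, all for WS-042, and nothing for the backup agent or the Word document on WS-017. The command-line rules fire on a single event and are worth paging on; the extension rule needs a threshold because a single renamed file is noise, and an unsigned binary in a user's Temp directory writing many .locky files is not.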

How to Protect against Ransomware

Secure your Endpoints – Protect endpoints with a proper endpoint security solution. Many antivirus packages now offer ransomware-specific features or add-ons that look for the behaviour common to all ransomware: rapid, bulk encryption of the user's files.

  • Restrict administrative privileges on endpoints so that malware running as a normal user cannot escalate and cannot tamper with backups or security tooling; use a privileged access management solution to enforce this.
  • Disable Autorun for all mounted devices: this stops malware on removable media from executing automatically and is an important step in containing an infection should one occur.
  • Disable or restrict USB storage access on endpoints, as removable media is one of the common carriers of malware and ransomware.

Keep your systems patched & updated – Ensure your applications and operating systems (OSs) have the latest patches applied. Unpatched applications and OSs are a common entry point for ransomware (WannaCry spread only to machines that had not applied MS17-010). Enable automatic updates wherever possible to streamline this process, and prioritize internet-facing systems and anything exposing SMB or remote-access services.

Identify Critical Data Assets – Identify the critical data assets in your organization, isolate them, and restrict access to them. Ensure you have a robust backup and restore strategy in place in case of a ransomware attack. Secure, up-to-date backups of all business-critical information are a vital defense, but only if the ransomware cannot reach them: keep at least one copy offline or otherwise isolated from the network, because ransomware will encrypt any backup share it can write to. Perform frequent backups and verify them regularly by actually restoring from them; a backup you have never restored is an assumption, not a backup.
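"Verify your backups regularly" is easy to say and easy to skip. The script below, added here as an example and not part of the original article, shows the minimum that verification should mean: record a SHA-256 manifest of the known-good source, then compare each backup generation against it so that a file that was encrypted, renamed or removed before the backup job ran is reported instead of silently overwriting your last clean copy. It assumes the source and backup trees share the same relative paths; the directory names, file contents and the simulated .locky tampering in demo() are constructed for the example.

```python
"""Build a hash manifest of a directory and verify a backup copy against it.

Added example, not part of the original article. Assumes the source tree and
the backup tree use the same relative paths; the manifest is a dict of
{relative_posix_path: sha256_hex}. All sample data is constructed in a
temporary directory.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(manifest, backup_root):
    """Compare a backup tree to a manifest taken from the known-good source.

    Returns a report with 'ok', 'modified', 'missing' and 'unexpected' lists.
    A file whose hash differs, or that vanished and reappeared with a new
    extension, is the signal that this backup generation must not be trusted
    for restore and that an earlier, isolated copy is needed.
    """
    current = build_manifest(backup_root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def demo():
    """Constructed scenario: a clean backup passes, then a simulated
    infection of the backup share (one file encrypted and renamed to .locky,
    one overwritten in place) is caught. Returns (clean_report, tampered_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.makedirs(os.path.join(src, "finance"))
        with open(os.path.join(src, "finance", "q3.xlsx"), "wb") as f:
            f.write(b"quarterly numbers")
        with open(os.path.join(src, "readme.txt"), "wb") as f:
            f.write(b"hello")
        manifest = build_manifest(src)

        backup = os.path.join(tmp, "backup")
        shutil.copytree(src, backup)
        clean = verify_backup(manifest, backup)

        # Simulate ransomware reaching the backup share.
        os.remove(os.path.join(backup, "finance", "q3.xlsx"))
        with open(os.path.join(backup, "finance", "q3.xlsx.locky"), "wb") as f:
            f.write(b"\x8f\x13\xa0\x77 not the original bytes")
        with open(os.path.join(backup, "readme.txt"), "wb") as f:
            f.write(b"garbage")
        tampered = verify_backup(manifest, backup)
        return clean, tampered


if __name__ == "__main__":
    clean_report, tampered_report = demo()
    print("clean:", clean_report)
    print("tampered:", tampered_report)
```

The manifest itself must live somewhere the ransomware cannot alter it (write-once storage or an offline copy), otherwise an attacker who can encrypt the backup can also rewrite the hashes to match. In a real backup pipeline the same comparison runs as a post-job step and fails the job, keeping the previous good generation, rather than printing a report.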

Manage Privileged Access – Ensure you have a proper solution and process in place to manage privileged access within your organization.

  • Ensure default passwords are changed and that privileged credentials are rotated regularly.
  • Ensure there is accountability and a named owner for every privileged account.
  • Segment your network and restrict access to critical assets so that an attacker who lands on one workstation cannot freely roam across the network.

Train your staff – Training staff to recognize suspicious emails helps protect against ransomware and other email-borne risks such as phishing. The basic rules: don't open emails from senders you don't recognize, and don't click on links in an email unless you are sure it is legitimate. Avoid attachments whenever possible, and be especially wary of attachments that ask you to enable macros, as this is a classic route to a malware infection.

Having a Tested Recovery Plan is Critical – A recovery plan covering all types of technical disaster should be a standard part of business planning, and it should now include a ransomware response as well. It should not only provide for technical recovery but also contain scenarios for communication with customers, suppliers, and regulators (where applicable). Having a document is not enough: you also need to test the assumptions you have made, because some of them will be wrong.

Visibility of What is happening within your network – If you can't see what's happening on the network, there's no way you can stop an attack. There is an array of security products that give you visibility and control over what is happening within your network; implement such tools (for example an IPS / IDS and a SIEM). These products give you an up-to-date view of your network and should help you spot the sort of traffic anomalies that suggest you've been breached, whether the intruders intend to infect your systems with ransomware or have something else in mind.
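One concrete traffic anomaly worth alerting on is a single host suddenly opening SMB (TCP/445) connections to many different internal machines, which is what a self-spreading worm such as WannaCry looks like from the network. The following script, added here as an example and not code from the original article or any product it mentions, implements that rule over flow records of the kind a firewall, NetFlow collector or SIEM exports. It assumes each record is a tuple (timestamp_seconds, src_ip, dst_ip, dst_port); the addresses, the 60-second window and the threshold of 10 distinct destinations are constructed for the example and should be tuned to the network.

```python
"""Flag hosts fanning out over SMB (TCP/445), the pattern a WannaCry-style
worm produces while hunting for further victims.

Added example, not from the original article. Flow records are assumed to be
tuples (timestamp_seconds, src_ip, dst_ip, dst_port); the sample flows below
are constructed. Window and threshold are assumptions to tune per network.
"""
from collections import defaultdict, deque

SMB_PORT = 445
WINDOW_SECONDS = 60      # assumed sliding window
FANOUT_THRESHOLD = 10    # assumed: distinct SMB destinations within the window


def smb_fanout_alerts(flows, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src_ip: (window_start_ts, distinct_destinations)} for every
    source that reaches `threshold` distinct SMB destinations within any
    `window` seconds. Only the first crossing per source is reported."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == SMB_PORT:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, recs in by_src.items():
        recs.sort()                       # sliding window needs time order
        window_recs = deque()             # (ts, dst) currently inside the window
        counts = defaultdict(int)         # dst -> hits inside the window
        for ts, dst in recs:
            window_recs.append((ts, dst))
            counts[dst] += 1
            # Drop records older than the window and forget destinations
            # that no longer appear inside it.
            while window_recs and window_recs[0][0] < ts - window:
                _old_ts, old_dst = window_recs.popleft()
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
            if len(counts) >= threshold and src not in alerts:
                alerts[src] = (window_recs[0][0], len(counts))
    return alerts


# Constructed sample flows (timestamp, src, dst, dport).
SAMPLE_FLOWS = []
# Normal: fifteen workstations each opening a share on the file server.
for i in range(15):
    SAMPLE_FLOWS.append((900 + i, f"10.0.2.{i + 10}", "10.0.0.5", SMB_PORT))
# Worm-like: one host probing thirty neighbours two seconds apart.
for i in range(30):
    SAMPLE_FLOWS.append((1000 + 2 * i, "10.0.1.23", f"10.0.1.{i + 1}", SMB_PORT))
# A management host touching a few servers on 445 plus one HTTPS session.
for i in range(3):
    SAMPLE_FLOWS.append((1100 + 30 * i, "10.0.0.9", f"10.0.0.{i + 20}", SMB_PORT))
SAMPLE_FLOWS.append((1200, "10.0.0.9", "10.0.0.5", 443))

if __name__ == "__main__":
    for src, (start, n) in smb_fanout_alerts(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct SMB destinations in window starting at t={start}")
```

On the sample, only 10.0.1.23 is reported (ten distinct destinations inside the window that opened at t=1000); fifteen clients all talking to one file server is many sources to one destination and never trips the rule, and the management host stops at three. The same rule with port 3389 catches RDP sweeps, and raising the threshold silences vulnerability scanners you know about while still catching a worm that touches an entire /24.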

Be Aware – Inform yourself – Be vigilant and keep yourself informed about recent cybersecurity threats and up to date on ransomware techniques.  You may want to subscribe to the latest security bulletins from various security websites, which will alert you when a new Alert, Analysis Report, Bulletin, Current Activity, or Tip has been published.

This is not a complete list, but these controls will help build your defenses against a ransomware attack. Depending on the size of your organization, you can decide to implement some or all of them.

We at Erasmith can help you implement these controls in your organization. We are certified partners for CyberArk, Microfocus, DataResolve, BMC, and have experience and expertise in implementing and managing these controls.

Author: Mr. Vijay Dogra

Reach out to us at info@erasmith.com for any further assistance.