Ransomware History and How to Use Them
Here are some of the most interesting cases of cybercriminals threatening digital data, affecting organizations all over the world:
- Bitdefender suffered severe data loss due to ransomware
Cybercriminals associated with the hacking collective known as The Shadow Brokers, notorious for extensive campaigns targeting several countries including the U.K., Russia, and the U.S., launched a DDoS attack against the heavily protected Bitdefender security product in early September.
Losing access to Bitdefender’s antimalware product was a devastating blow for researchers behind all of the company’s highly visible projects, which drive millions of dollars above and beyond the usual average. The Shadow Brokers included images taken from the Bitdefender security product showing one of the ransom notes referencing an attack on the DNS provider Constant Contact. According to security firms ESET and TrendMicro, a total of 34 server computers were hit in the DDoS attack. The service provider’s DNS servers were reportedly hit with over 200 billion DNS lookups.
As part of the attack, cybercriminals also uploaded a new version of CRAW.L for distribution, containing exploits for popular antivirus software products.
While the attack affected approximately 14,000 Bitdefender domain servers, a large portion of the affected traffic returned to normal as soon as the affected domains were taken down again by DNS providers. The company’s 20,000 employees were never at risk, as network operations were already in place to isolate any potential infections once individual sites were brought back into service.
It’s not known how much money The Shadow Brokers made off their attack, but the story of its release is undoubtedly an influential one for those who campaign to encrypt client data and have strict policies in place to ensure server security. While it’s not unusual for malware to move on to other targets after its initial infection, threats like Bitdefender’s are significant as the company had made several large investments for server security.
- WannaEncrypt dropped several files on Stan’s desk
While the vast majority of cybercriminals attack primarily PC users, organizations that use WannaEncrypt as part of their strategy may be at higher risk than others due to the highly targeted nature of this campaign.
Launched on May 19, WannaEncrypt encrypts any websites visited with a service cookie before passing the information to the site’s owner allowing for URLs to be decrypted. The initiative culminated in the first-ever successful code release by the WannaEncrypt team, corresponding with the release of its “Welcome Wall” website on May 28.
Anecdotal evidence continues to trickle in of WannaEncrypt encrypting sites while other equally secure websites are left unencrypted.
Safely deploying software to protect data is for both a doctor and a nurse, as it is important to have a backup plan in place at all times. Oftentimes, companies receive reports of infections and then take immediate action because of the potential harm to those affected. When cybercriminals have infected sensitive information, the response of the business can be left in limbo, or it could become increasingly expensive to restore the data after the attack is over.
In this blog post, I recommend a few steps, tips, and recommendations for how businesses can minimize the impact of these types of attacks.
What is Ransomware?
Simply put, ransomware is a type of malware where criminals encrypt files on a computer until a specified deadline, at which point the files are usually put back online and what is left behind is a decoy. Ransomware aims to extort money from the victim, but of course, it doesn’t stop there. Ransomware also affects the machines neighboring the infected PC, and it can affect the entire network as well. Malware can also affect important infrastructure such as hospitals or government agencies.
Why are some victims hit harder than others?
It is very hard to know what type of malware is responsible for a certain infection, but luckily, it’s relatively easy to reverse the effect of the ransomware. For each type of ransomware, there are specific ways to recover from the attack, but there are also other factors to take into consideration in addition to what data was affected.
Types of Ransomware
The first thing to understand when this type of malware hits your organization is that there are different types of ransomware. There is the “On the Fly” Ransomware, where the main threat is that the malware will have the computer on autopilot until someone pays a ransom. Ransomware is also known as “On Crap” or “On the Brink of Death.” Yes, these types of attacks CAN work. However, they are a different breed of malware.
The “Abandoned” Ransomware has been one of the most prevalent types of malware since its widespread adoption, mainly due to Internet users’ willingness to pay a ransom for “lost” files. This type of ransomware is fought by anti-virus software directed at malware droppers, the optimized infection of which will stop the malware from spreading via normal HTML emails. If you look at the ransom note left behind after a successful attack by the Abandoned Ransomware crew, you can see that this type of malware tries to check for any file MD5 or hashed passwords and encrypt or delete them to a new one.
And while it’s still unclear exactly how ransomware works, it doesn’t appear to be much of a mystery in terms of its roots. While traditional ransomware prioritizes encrypting files, new strains such as the Carbanak ransomware target PCs by encrypting boot disks and locking them until a user complies with a series of demands.
To do this, the malware encrypts a PC’s volatile boot sector, wiping it clean and chaining it to prevent future boot jumps, the very process which keeps PCs bootable in the first place. This prevents affected PCs from ever loading essential software such as Office and Adobe applications, or even simply performing basic tasks such as starting a web browser.
Why would cybercriminals carry out such a procedure now?
According to security firm Bitdefender, Carbanak ransomware encrypts an average of 230,000 systems worldwide per month — around 15% of all computers hit by the malware. Therefore, crippling around 15% of all existing PCs around the globe appears a not insignificant target.
Whether Carbanak ransomware uses this technique to handle threats on its own is unknown, but past instances have suggested it does. For instance, we recently observed a computer network impacted by a similar strain of ransomware, but which was again encrypted and chained to prevent further boot jumps and restore files when payments were made.
Because both Bitdefender and Korn Ferry have observed remote PC losses after encrypting devices, we speculated that this may be a method used in these new instances, whereby the malware encrypts boot media and continuously chains to prevent the PC from ever loading.
What can be done if you are affected?
Fortunately, regardless of the individual impact of the ransomware on your PC, you can prevent it. Here in the realm of malware and viruses, there are a few obvious ways to defend yourself:
- Make sure your computer and its drivers remain up-to-date by visiting the Microsoft Download Center. If you haven’t already done so, download updates from here so that your PC can stay malware-free.
- Use antivirus software to catch such infections immediately. You can install security updates directly from the Microsoft Download Center or download the latest security patches from the Update Center. You can use McAfee Internet Security currently for free. Or, next month, Cyber Security could be a paid offering.
- Use a security product for data encryption. Bitdefender is pre-installed on many computers, as well as on some tablets and smartphones. Those targeted by ransomware might also benefit from a product known as UltraPrivacy.