Dubai: Businesses large and small are under threat from ransomware. Ransomware deliberately scrambles the critical data files on your computer, leaving the criminals behind the attack with the only copy of the decryption key.
The crooks then offer to sell you the key, typically for about $300-$1000, so you can unscramble your files and carry on working. This can cause massive disruption to your organisation: even if you decide to pay up, the process of recovering your files is both uncertain and time-consuming.
According to a research by SophosLabs, cybercriminals are targeting their ransomware attacks more and more effectively, varying the attacks by region to make it more likely that even well-informed users will fall for the scam.
Emails delivering ransomware, for example, are often written in the local language, with good spelling and grammar, and use local brands and logos to make them more believable.
“Most ransomware arrives in booby-trapped files attached to emails. These days, many organisations use their email filters to discard program files sent in by email, because they are very frequently dangerous, and there is almost no business case for allowing them,” said Harish Chib, vice-president for Middle East and Africa at SophosLabs.
Moreover, he said that ransomware attacks always avoid sending in programs (executable files) directly, instead claiming to be documents containing invoices, requests for quotations and other types of correspondence that are bread and butter for the average organisation.
After all, documents are supposed to be opened and looked at — how else to decide what attention they need?
These days, he said that ransomware commonly arrives in JavaScript files that pretend to be documents. This sounds like a strange disguise, because JavaScript files are usually associated with web browsing, not with emailed documents, and they have the extension. JS, which will seem unfamiliar to many users.
However, Windows OS shows filenames without their extensions by default, so that a file name Invoice. PDF. JS will actually show up as Invoice. PDF. Worse still, the Windows icon for JavaScript files is a scroll of paper with written script on it, reinforcing the impression that the user really is looking at an innocent document.
Unfortunately, when JavaScript is saved into a file and then opened outside the browser, it doesn’t run inside the protected “sandbox” of the browser. The browser’s sandbox prevents JavaScript programs from reading and writing files on the hard disk or across the network, but those restrictions don’t apply when Windows runs JavaScript files directly.
“A malicious JavaScript attachment, saved from an email and opened directly in Windows, may connect to a predetermined website and download a ransomware program that forms the second stage of the attack, or may be ransomware in its own right,” Chib said.
For example, a recent malware family known as RAA consists entirely of JavaScript. Despite its innocent name and an icon that makes it looks like a document, the RAA ransomware not only scrambles and locks your files before demanding money, but also downloads and installs a second item of malware known as Pony.
The Pony malware is a well-known password stealer, so the criminals not only get to extort money through the ransomware component, but also to sniff out passwords that they can use for later attacks, or sell on to other criminals in the cyber underground.
Attacks such as ransomware often pass through many security checkpoints, such as email filters, endpoint protection and more. Traditionally, however, these products have worked independently, reflecting the fact that, in many organisations, each part of the network is managed and secured separately.
Unfortunately, he said that it can lead to a situation that is rather like a hospital where the patients can’t talk to the doctors, the doctors can’t talk to the nurses, and the nurses can’t talk to the patients.
“When it comes to protecting networks against malware, detection and remediation can be improved greatly if there is coordinated communication and interaction between the various security layers,” he said.
Better safe than sorry
Best practices
• Backup files regularly and try to keep a recent backup copy offline. Encrypt the backup for added protection.
• Regularly update your security software.
• Don’t open unsolicited attachments just out of curiosity.
• Don’t turn off security features just because an email or document asks you to do so. (For example, many ransomware files arrive in documents that tell you to “enable macros”, without which the ransomware won’t work.) .Don’t give your staff more login privilege than they need. Users who are administrators will do much more damage to your network if malware attacks their computer.
• When you need administrator right, login to perform your administrative tasks and then logout. Try to avoid browsing and opening documents while logged in as an administrator.
• Disconnect from Wi-Fi or unplug from the network immediately if you run a file that you suspect may be ransomware. Once active, ransomware may scramble files accessible across the network, as well as on your own hard disk.
• Patch early and patch often. Ransomware that is not spread via email attachments often relies on security bugs in popular applications such as Office and Flash. The sooner you patch, the fewer the security holes available to cybercriminals.
• Don’t give up on user education. Even though a well-informed user may still make mistakes, an uninformed user will not know how to avoid them at all.
• Divide up functional areas within the company network with internal firewalls. This helps to restrict the damage that a cyberattack in one department can do to the rest of the organisation.
• Stay up-to-date with new security features in your business applications. For example, Office 2016 now includes a control called “Block macros from running in Office files from the internet”.
— N.K.
