Don’t React to Ransomware, Prevent It!

Picture the scene, you’ve just got back from your holiday and downloaded all of your photos to your laptop and deleted them from your camera. You go to run the slideshow in front of the family audience and BOOM, up pops that message “Your files have been encrypted, pay the ransom using bitcoin to blah blah blah etc”.

From the ecstasy of reliving your dream holiday with your family to the agony of knowing that, unless you pay hundreds of pounds, the only images that remain are the ones forever etched into memory in your own head.

You haven’t got any back ups, so unless you pay the files will be permanently destroyed. Even if you do pay the chances are you won’t get access back to your files so you’ll be out of pocket as well.

As recent events have proven, for organisations around the world the stakes are even higher. Petya ransomware attack represents the second major ransomware crime to go global in two months. The previous one being WannaCry which affected 230,000 computers in over 150 countries.

How Does Petya Ransomware Work?

The Petya ransomware exploits the EternalBlue vulnerability in Microsoft Windows (Microsoft recently released a patch but not everyone will have installed it) or through two administrative tools. The Malware tries the first option and if that fails it tries the next, making it much more effective than the recent WannaCry attack.

How do I Prevent Ransomware?

The first step is to recognise what different types of ransomware there are and what you have been hit with. Ransomware ranges from annoying popups to a more severe complete lockout and encryption.

Scareware

Most people have seen this kind of attack, its not as scary as the name makes it sound. You are likely to have seen a windows pop up telling you that billions of infections have been detected on your hard drive and only by paying for the software in the link will it be cleaned. If you do nothing you are likely to receive more pop ups but your files are ultimately safe! Running a quick scan with a reputable security software application will more than likely resolve this.

My tip: A legitimate cyber security firm would not solicit customers in this way. If you don’t already have this company’s software installed then they will not be monitoring you for infection. If you do have this company’s software already installed then, you’ve already paid for the software to do this job.

Screen lockers

On a scale of 1 to 10 these guys are around 5 or 6. When these types of attacks occur you will be locked out of your PC entirely. When you restart your machine a full size window will claim that it is from the FBI or some other international body and having detected illegal activity on your computer you must now pay a fine. The only real way to take control over your PC here is through a full system restore or running a scan from an external device.

My tip: No international law enforcement agency would freeze you out of your computer and demand a fine. If illegal activity was detected by the police you would more than likely get a knock on your door and be carted off in handcuffs to the local nick.

Encryption ransomware

Like Petya and WannaCry, this really is the nasty stuff. Actually early indications are that Petya appears quite amateurish in the sense that only one link has been created to pay the bitcoin ransom. With more advanced ransomware attacks there would be multiple links to pay the ransom that get automatically generated as the infection spreads. By masquerading as ransomware in this way, we can see that Petya was designed to be more disruptive (though equally devastating) than a fully destructive attack by seasoned Cyber Criminals.

The reason this kind of attack is so nasty is because once the criminals get a hold of your files and encrypt them there ain’t no security software on the planet that is going to fix it. They are gone, finished, dead, unless you risk paying the ransom of course?

My tip: It’s difficult to say what you should do here as firstly you are dealing with Criminals. There is differing evidence to support paying over not paying. Paying doesn’t necessarily guarantee you access to your files, you are after all dealing with Criminals. It also might leave you open to future attacks. Not paying leaves you in the lap of the Gods and unless you have recent uninfected back ups then you are finished. Law enforcement agencies now recommend that if the files are absolutely critical you may wish to try and negotiate the release for less money.

With this kind of attack, you really need to be ahead of the game, you need a reputable security application installed that can detect and prevent this infection from running. Once you get infected its game over!

Ransomware prevention

The first step to prevent ransomware is a full Risk Analysis and Security Audit, understand exactly what tools you have got in place today, where the gaps are and how exposed you are to the risk of an attack. HANDD provides a world leading consultancy service that can walk your organisation through this entire process.

Once you know exactly what it is you want, you are now ready to invest in a market leading, trusted cyber security solution with real-time protection to prevent possible ransomware attacks. Customers who were using Malwarebytes 3 Premium, for example, were protected from the WanaCrypt0r attack.

Next you want to look at implementing a proper back up plan for your data on a regular basis. Whether USB or external hard disks, just make sure they are disconnected from your network after the backup completes. If you opt for cloud backup then I recommend a server with high-level encryption and multi-factor authentication.

Make sure your software is up to date! Petya took advantage of a Microsoft vulnerability that was patched and released back in March 2017. Many didn’t install the update and that is why they fell victim to the attack. It’s not easy, but HANDD can help provide some of that much needed expertise and resource to alleviate some of the stress.

Finally education and awareness. Social Engineering has become one of the most common ways that ransomware infects computers. Educate your workforce on how to detect all kinds of phishing campaigns, dodgy websites etc.

Above all, exercise some common sense and be careful.

I was in a meeting a couple of month’s back with Dan Plastina (@rmsguy) who heads up the Information and Threat Protection team at Microsoft. On the back of his laptop he had a sticker which read “PROTECT YOUR EPIC SH*T!”

Thanks for reading….as you were…

Written by Danny Maher

Danny Maher is Chief Technology Officer at HANDD Business Solutions, an independent specialist in global data security