Many business executives are concerned about protecting their sensitive data and intellectual property. They ask IT to address threats to these assets by implementing firewalls and anti-virus solutions to protect the organization's electronically stored information. What many executives don't know is that their major risks come from internal threats.
Employees already have a sign-on ID and password for the network. With just that basic information, your staff already has access to resources such as customer data and e-mail. However, the greatest risk may be physical access to IT systems.
Ransomware is a new type of malicious software (malware) that restricts access to your programs and data. Frequently, the malware demands payment in order for the restrictions to be removed. Some forms of ransomware encrypt files on hard drives, while other variations of the software lock the computer and display messages enticing the computer user to pay a fee.
Ransomware is typically installed when the computer user opens an infected e-mail attachment or downloads and executes a file from the Internet. Once activated, newer versions of the malware encrypt files on the computer's hard drive using a strong 2,048-bit key that is almost impossible to break. Once the files are encrypted, the computer user no longer has normal access to them. In many cases, computer users receive little or no warning while the malware runs in the background encrypting files. Only the malware author has the private key needed to decrypt the files and restore the computer user's access to the documents.
Some ransomware does not use encryption. Instead, the malicious software restricts interaction with the system, typically by modifying the startup sequence (e.g. overwriting the master boot record, setting the Windows Shell to itself, etc.).
Ransomware may display warnings or other messages that appear to come from law enforcement agencies, claiming that the software is unlicensed, has been used for illegal activities, or contains pirated content. The ransomware attempts to convince the user to pay a fee to receive a program that will decrypt the encrypted files, or an unlock code that will undo the changes made to the computer system. Payments are often made using hacker-friendly payment systems including MoneyPak, Ukash, cashU, and Bitcoin.
CryptoLocker is one of the newer forms of ransomware. It connects to a server that generates a public and private key pair (the public key is used to encrypt the files and the private key to decrypt them). The private key is stored on the server, while the malware uses the public key to encrypt files stored on the user's computer. CryptoLocker displays a message to the user demanding payment to recover the private key needed to decrypt the files. The malware threatens to delete the private key unless payment is received within three days. CryptoLocker may also attempt to locate backups on a network drive connected to an infected PC. Once found, these files are also encrypted.
How do you protect yourself?
- Ensure systems are patched per a formal Patch Management Policy
- Ensure you have updated anti-malware software
- Implement robust backups with archiving of system and data files
- Maintain effective e-mail spam filters
- Provide role-based security education and awareness training
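Backups are only a defence if you can tell that the copies are still intact, and CryptoLocker, as described above, encrypts any backups it finds on a connected network drive. The script below is an added example (not part of the original post or any product) of a simple integrity check: it records a SHA-256 manifest of a backup tree when it is known good, later compares the tree against that manifest, and flags changed files whose byte distribution looks like ciphertext. The 7.5 bits/byte entropy threshold and the sample files are assumptions constructed for the demo.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Plain text and office documents score roughly 4-6 bits/byte; ciphertext is close to 8.
# 7.5 is an assumed threshold, not a value from the original post.
ENTROPY_THRESHOLD = 7.5

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the observed byte distribution (0.0 for an empty file)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root, taken while the backup is known good."""
    return {str(p.relative_to(root)): sha256_of(p) for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(root: Path, manifest: dict) -> dict:
    """Report files that vanished, files that changed, and changed files that now look encrypted."""
    result = {"missing": [], "changed": [], "suspicious": []}
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_of(p) != digest:
            result["changed"].append(rel)
            if shannon_entropy(p.read_bytes()) > ENTROPY_THRESHOLD:
                result["suspicious"].append(rel)
    return result

def demo() -> dict:
    """Constructed scenario: a good backup, then one file rewritten with uniform bytes and one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.txt").write_text("Quarterly figures, customer list and notes.\n" * 50)
        (root / "notes.txt").write_text("Meeting minutes for the board.\n" * 20)
        (root / "readme.txt").write_text("Backup set created by the nightly job.\n")
        manifest = build_manifest(root)
        # Simulated aftermath (constructed, no real encryption): every byte value equally often.
        (root / "report.txt").write_bytes(bytes(range(256)) * 16)
        (root / "notes.txt").unlink()
        (root / "readme.txt").write_text("Backup set created by the nightly job. Rotated.\n")
        return verify_backup(root, manifest)

if __name__ == "__main__":
    print(demo())
```

A legitimate edit (readme.txt) shows up as changed but not suspicious, which is the distinction that lets the check run nightly without constant false alarms.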
If a system is infected, it may be possible to go back to an earlier point in time using the System Restore feature of the operating system.
Network security audits help protect against ransomware and related threats by evaluating your anti-malware protection, patch management, and the effectiveness of your security education and awareness training.