RANSOMWARE - Altaro


RANSOMWARE: A SURVIVAL GUIDE
Brought to you by Altaro Software, developers of Altaro VM Backup

TABLE OF CONTENTS
EXECUTIVE SUMMARY
INTRODUCTION
RANSOMWARE EXPLAINED
HISTORY AND MAJOR VERSIONS
  AIDS/PC Cyborg
  Cerber
WHY ANTIVIRUS SOFTWARE ALONE IS NOT SUFFICIENT
WHAT TO LOOK FOR
  Ransom demands
  Threats from "Legal Authorities"
  Inaccessible files
  User reports
  Log files
PROTECTION STRATEGIES, OR THE BEST DEFENSE IS A LAYERED DEFENSE
  Limiting user rights
  Antimalware software
  Blocking attachments
  Execution control
  Scanning downloads
  Implement, and use, PAWs
  Use Exchange Online Protection with Advanced Threat Protection
  Plan for the future
  User training
MITIGATION STRATEGIES, OR HOW DO I LIMIT THE DAMAGE?
  Least privilege
  Backups, backups, backups
  Insurance
REACTION STRATEGIES, OR WHAT DO I DO NOW?
  Single workstation falls victim, local data only, with backups
  Single workstation falls victim, local and network data, with backups
  Multiple workstations fall victim, data has backups
  Anything falls victim and you don't have a backup
CLOSING REMARKS
ADDITIONAL RESOURCES
ABOUT ALTARO

FREE VM BACKUP: More info & Download. Like this ebook? SHARE IT!

EXECUTIVE SUMMARY
One of the most devastating and prevalent forms of malware threatening consumers and enterprises today is ransomware. This pervasive and damaging type of malware encrypts data and holds it for ransom, extorting victims to pay up or lose out. In this e-book, you will learn about ransomware, how to defend yourself and your users against it, and how to respond should you fall victim to it. At the end of this guide you will also find additional resources and material to learn more.

INTRODUCTION
Ransomware: it's a name that conveys a lot about what can potentially be the most devastating form of malware you might ever encounter. Ransomware is malicious software that parses your local hard drive, any attached removable storage, and even mapped network drives for your data. When it finds data files, like images, media, documents, databases, presentations and more, it encrypts them so that you cannot access them. It then presents you with an ultimatum: pay up, or kiss your data goodbye. While it may be a pain to have to format your computer and reinstall your operating system and all your apps when ordinary malware hits, that effort is at least manageable. But when irreplaceable photos and videos, or documents you've spent days to weeks creating, or databases containing information you cannot possibly recreate are gone, what can you do? Ultimately, you can either choose to lose that data, or pay the attackers' ransom demand.

The problem is particularly challenging to deal with when the malware used to distribute the ransomware is so new that it constitutes a "zero-day attack." Zero-day malware is so new that traditional antivirus software, which uses signature files to identify known malware, does not detect it. When attackers combine this zero-day malware with targeted attacks on your business, known as spear phishing attacks, you can quickly find yourself in a very bad situation.

But take heart, as this is not a lost cause nor reason to cancel your Internet circuit and go back to paper and pen. There are several things end users and businesses can do to help avoid becoming a victim, as well as strategies you can employ to recover without having to pay up. Keep reading to learn more!

RANSOMWARE EXPLAINED
Ransomware is a type of malware that is becoming more and more common. Wikipedia's page on ransomware defines it as "a Cryptovirology attack carried out using covertly installed malware that encrypts the victim's files and then requests a ransom payment in return for the decryption key that is needed to recover the encrypted files." Microsoft's blog post on ransomware says: "Ransomware is a type of malware that holds computers or files for ransom by encrypting files or locking the desktop or browser on systems that are infected with it, then demanding a ransom in order to regain access." Both are accurate, but really don't convey the nastiness that is ransomware. Consider all the data on your computer, or that you have Change access to on the network. That could be your kid's first birthday party or their high-school graduation, or the video of your wedding, or your tax returns for the past five years, or the only surviving copy of your grandmother's best recipes. Or it could be the RFP from your largest customer, or the secret formula for your company's best product, or that workbook you base your business predictions on that has evolved over the past five years and which you cannot function effectively without.

Whatever that data is, imagine that I took it from you. I dangle it in front of you, and demand that you give me your lunch money or I will drop it into the toilet and flush it away forever. It's right there. You can see it. But you cannot do anything about it except pay up. That's what ransomware is. It's an Internet bully blackmailing you for your lunch money, but on a cyber scale.

Ransomware encrypts your data using algorithms that cannot be cracked or reversed in practical terms. We're not talking about password protecting a Word document. We're talking about applying things like AES-256 or other strong encryption to all of your critical data, using a key that is unique to you and that only the attackers hold. No one is going to brute force the key, or figure out a way to reverse it for you. You can't go online to find someone else who fell victim, paid up, then posted the passphrase so you wouldn't have to do the same thing, because your key is not their key. The only exception is when the authors got the cryptography wrong: the history section below describes early families whose key was shipped inside the malware, or whose home-grown algorithm was broken by researchers, but you cannot count on that with a modern family. Either you pay up, or you consider all of the encrypted data gone, baby, gone and lost forever.

Some ransomware just renders your files inaccessible, with a text file left in the directory for you to find in order to read the ransom note. Others can open a web browser and load the ransom note from a web server, or pop up a dialog box. The most recent, Cerber, went so far as to include an audio ransom note. However a victim becomes aware of the fact that they are now in a bad way, the ransom demands have some things in common. Tim Rains of Microsoft recently published a blog post entitled "Ransomware: Understanding the Risk" which summarizes the common elements of ransomware very well. Common elements in ransom notes include:
- making encrypted data unrecoverable after a certain period of time
- threats to post captured data publicly
- claims to be law enforcement, with threats of prosecution
- an increasing cost for the ransom the longer the user waits to pay up
- threats to render the machine unbootable
- threats to erase all data and render all enterprise computers inoperable
- demands for payment through various difficult or impossible to trace methods, with Bitcoin being the most common today

Users can pay up in the hope that they get the decryption key, or they can flatten their systems and start over again, hopefully restoring their data from backup. If they choose to pay, they may have to visit a website linked in the ransom note in order to process the payment. They may or may not receive the decryption key once they have paid; that is of course another risk. You pay up, and are still out your data.

Let's look more closely at some of the major ransomware variants that are in the wild.

HISTORY AND MAJOR VERSIONS
Ransomware is not exactly new, but it is definitely experiencing a surge in prevalence. The first known and documented ransomware was all the way back in 1989, with a piece of malware known as both AIDS and PC Cyborg. 2005 saw more ransomware, with several different types in the wild that were both more widespread and more sophisticated. Ransomware "hit the big time" in 2013 with CryptoLocker, a type of malware that made widespread news and is estimated to have netted attackers millions of dollars. Let's take a closer look at some of the most significant versions of ransomware.

AIDS/PC CYBORG
Known by both names, this ransomware was allegedly written and used by a single individual, Joseph Popp, in 1989. AIDS would both encrypt and hide files and demand a US$189 ransom to regain access to the data. Popp was arrested but found unfit to stand trial. Interestingly, AIDS used symmetric key encryption, and the key was stored in the code of the malware, so anyone who analyzed the program could recover it. Of course, for most of its victims, this made no difference.

GPCODE
First appearing around 2005, Gpcode has had numerous variants. Early versions used symmetric key encryption and/or simply deleted (rather than overwrote) the unencrypted versions of files, making it fairly easy for some users to recover their data without paying the US$100 to US$200 ransom demanded in the TXT files left in each directory. Others used a proprietary algorithm which was flawed and quickly broken by researchers. As Gpcode evolved, it started to use asymmetric encryption and proper encryption algorithms such as RSA and/or AES, and to overwrite the unencrypted files to prevent recovery without payment.

REVETON
In 2012, the ZeuS botnet gave rise to the Citadel Trojan, which was used to spread Reveton, a piece of ransomware with a new twist that started to hit mostly European victims. Purporting to be from a law enforcement agency, and frequently branded or customized to the region the victim was in, this ransomware claimed that illegal content had been found or illegal activity detected, and that fines had to be paid to the particular law enforcement agency to unlock the computer. Of course, these "fines" had to be paid through various online and anonymous means. The warnings frequently included the victim's IP address to convey legitimacy, and some even took images from the victim's webcam to appear as if the user was under surveillance. In a twist of fate that shows even some of the darkest clouds have silver linings, one victim was actually guilty of child pornography and turned himself in to his local law enforcement. Several arrests have been made in connection with Reveton, but it is still in the wild with new variants cropping up.

CRYPTOLOCKER
Ransomware became a part of practically every computer user's vocabulary with the appearance of CryptoLocker in 2013. Using asymmetric encryption, overwriting the unencrypted files, demanding ransom payable in the pseudonymous and hard-to-trace cryptocurrency Bitcoin, and spawning multiple variants including some ransomware as a service, it is estimated that victims have paid US$27 million in ransom since CryptoLocker first struck. The original CryptoLocker was eventually shut down when a cooperative operation between several law enforcement and industry players took down the GameOver ZeuS botnet that distributed it, but new variants continue to crop up.

CRYPTOWALL
Becoming prominent in 2014, one of CryptoWall's most common distribution methods was malvertising on the Zedo ad network. Countless sites were unwittingly contributing to the spread by hosting ads they didn't even realize were bad. CryptoWall has evolved a few times, and later versions spread through JavaScript in email attachments, delete the Volume Shadow Copies that Windows keeps (so that Previous Versions cannot be used to roll files back), and install malware to steal passwords and Bitcoin wallets.

CERBER
The most recent ransomware at the time of writing is known by several names, including Cerber. This malware typically spreads through email, and after encrypting your files it plays an audio file as well as displaying its ransom demands on screen. It provides very detailed instructions on how to obtain a Bitcoin wallet, purchase Bitcoins, and pay up to get your decryption keys. All in all, it is very thorough. It has also been observed to connect to remote systems through the Tor network, but whether that is for registering another victim or loading other malware has not been confirmed.

WHY ANTIVIRUS SOFTWARE ALONE IS NOT SUFFICIENT
Many users may think that as long as they have antivirus software, they should be protected. If only it were that easy. There are two main problems with antivirus software. The first is a people problem, straightforward to state but not easy to solve. Older ransomware can be caught by your antivirus software, but that usually depends upon signature files to catch malicious code before you run it, which in turn depends upon users, especially end users at home, running antivirus software, keeping it current, and setting it to scan all files on access. Getting users to buy antivirus software after the free trial is up is hard enough, but if they think antivirus software slows their system down, they are just as likely to disable or uninstall it, rendering it worse than worthless, since most users will still act as if they have antivirus software and take unnecessary risks.

The second problem is that if antivirus software depends upon signatures to detect malware, then it must have an up to date signature file. That means that the malware has to have been around long enough to be detected and added to the signature file. Often, ransomware and zero-day attacks are mentioned in the same breath, meaning that the particular ransomware is so new that there is no signature for it. When you download an infected file or receive an infected attachment for which there is no signature, your files are encrypted before you know what has happened.

Admins may think that antivirus software on their servers will protect them from ransomware if it gets into their environment through a user's system. If only it were so. Ransomware running on a client PC that is accessing data on file shares to encrypt it looks, to antivirus software running on the server, no different from legitimate access by users to that data: the malicious code never executes on the server, it only reads and writes files over the share. If the user has Change (Modify) permissions to the data, then the malware will be able to encrypt the data stored on the servers without triggering any response from antimalware software running on the server. Your sysadmins think they are protected, but they aren't.
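Because the server's antivirus sees only ordinary file writes arriving over the share, the server side has to look for what the encryption leaves behind rather than for the malware itself. The following script is added here as an example and is not part of the original Altaro guide or any product; it walks a share and reports four such traces: ransom notes replicated across folders, documents renamed with an extra extension, plain-text files whose contents now have ciphertext-level entropy, and bursts of file modifications. The tree it scans is constructed inside the script by build_sample_tree(), and the note-name hints, extension lists and thresholds are assumptions to be tuned from your own environment.

```python
"""Scan a file share for the traces ransomware leaves behind.
Added example for this guide, not Altaro's code and not from any ransomware
family; the tree is constructed by build_sample_tree() and every list and
threshold below is an assumption chosen for the demonstration."""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

NOTE_NAME_HINTS = ("decrypt", "recover", "readme", "how_to", "ransom")  # assumed
PLAINTEXT_EXTS = {".txt", ".csv", ".log", ".xml", ".json", ".ini"}  # low-entropy when healthy
DOCUMENT_EXTS = PLAINTEXT_EXTS | {".docx", ".xlsx", ".pptx", ".pdf", ".jpg"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for English text, near 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(name: str) -> bool:
    lower = name.lower()
    return lower.endswith((".txt", ".html", ".hta")) and any(h in lower for h in NOTE_NAME_HINTS)


def max_writes_in_window(mtimes, window_seconds):
    """Largest number of file modifications inside any span of window_seconds."""
    ts, best, j = sorted(mtimes), 0, 0
    for i, t in enumerate(ts):
        while ts[j] < t - window_seconds:
            j += 1
        best = max(best, i - j + 1)
    return best


def scan_tree(root, note_dir_ratio=0.5, entropy_threshold=7.5, burst_window=300, burst_min=20):
    """Walk root and return the indicators found plus an overall verdict."""
    root = Path(root)
    all_dirs, note_dirs, high_entropy, renamed, mtimes = set(), set(), [], [], []
    for path in root.rglob("*"):
        if path.is_dir():
            all_dirs.add(path)
            continue
        all_dirs.add(path.parent)
        mtimes.append(path.stat().st_mtime)
        rel = path.relative_to(root).as_posix()
        if looks_like_ransom_note(path.name):
            note_dirs.add(path.parent)
            continue
        sfx = [s.lower() for s in path.suffixes]
        # budget.xlsx.locked: a document extension followed by an unknown one.
        if len(sfx) >= 2 and sfx[-2] in DOCUMENT_EXTS and sfx[-1] not in DOCUMENT_EXTS:
            renamed.append(rel)
        # A .txt/.csv that now looks like random bytes was probably encrypted in
        # place. Compressed formats (docx, pdf, jpg) are skipped: they are
        # high-entropy even when healthy, so entropy alone says nothing there.
        if sfx and sfx[-1] in PLAINTEXT_EXTS:
            ent = shannon_entropy(path.read_bytes()[:65536])
            if ent >= entropy_threshold:
                high_entropy.append((rel, round(ent, 2)))
    ratio = len(note_dirs) / len(all_dirs) if all_dirs else 0.0
    indicators = {
        "ransom_notes_widespread": ratio >= note_dir_ratio,
        "encrypted_plaintext_files": bool(high_entropy),
        "renamed_documents": bool(renamed),
        "write_burst": max_writes_in_window(mtimes, burst_window) >= burst_min,
    }
    return {
        "note_dirs": sorted(d.relative_to(root).as_posix() for d in note_dirs),
        "high_entropy_files": sorted(high_entropy),
        "renamed_files": sorted(renamed),
        "indicators": indicators,
        "verdict": sum(indicators.values()) >= 2,  # two independent signs: act
    }


def pseudo_ciphertext(label: bytes, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output (constructed)."""
    return b"".join(hashlib.sha256(label + i.to_bytes(4, "big")).digest()
                    for i in range(size // 32))


def build_sample_tree(root) -> None:
    """Constructed share: two folders hit by ransomware, one left untouched."""
    root = Path(root)
    note = b"Your files have been encrypted. Pay 1 BTC to recover them.\n"
    for folder, doc in (("finance", "budget.xlsx"), ("hr", "payroll.csv")):
        d = root / folder
        d.mkdir()
        (d / "README_TO_DECRYPT.txt").write_bytes(note)
        (d / f"{doc}.locked").write_bytes(pseudo_ciphertext(doc.encode()))
        (d / "notes.txt").write_bytes(pseudo_ciphertext(folder.encode()))
    (root / "shared").mkdir()
    (root / "shared" / "minutes.txt").write_text("Meeting minutes: restore test passed.\n" * 40)


def demo():
    """Build the constructed tree in a temp directory, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)
```

demo() builds the constructed tree and returns the report; against a real share you would call scan_tree() on the mount point from the server itself, since a client with nothing more than Modify rights is all the ransomware needs. Two caveats a practitioner should keep in mind: the entropy check is only meaningful for formats that are normally low-entropy, which is why compressed document and image formats are skipped, and every one of these traces appears after files have already been rewritten, so the script belongs in a scheduled job that alerts and revokes the offending account's share access, not in place of backups.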

WHAT TO LOOK FOR
The biggest problem with looking for signs that ransomware is running rampant somewhere in your environment is that the symptoms are all there after the damage is done. Anything you could look for to determine if ransomware is present will only be there as a result of the malware having already encrypted your files. However, the qui
