In continuation to the previous post, I will try to address how impactful the Ransomware would be across various sectors and 3 ways to handle the below scenario-
1. How to develop IT-Border security force to combat
2. What business should do if they are impacted? How to develop security response mechanism if data is compromised and encrypted.
3. Innovation or Innovating Idea to fight back with Ransomware– Virtual Machine based container inside the machine.
Ä Summary- What happens during a Ransomware attack?
It’s an organized crime as said in my previous blog post, where attacker forms a small business unit to generate the revenue by a marketing campaign. As part of this campaign, the attacker injects malware (using emails attachment or any other social engineering technique) which hijacks your files and then demand that you pay in the form of Bitcoin in order that they are “released”.
? Bitcoin is a digital asset and a payment system and came into existent in 2009. Bitcoin uses peer-to-peer technology to operate with no central authority or banks; managing transactions and the issuing of bitcoins is carried out collectively by the then network. Bitcoin is open-source; its design is public, nobody owns or controls Bitcoin and everyone can take part and hence it’s used for many Criminal activities.?
One should keep in mind that it’s not necessary that your system is infected today or yesterday. It might be possible the malware code is residing in dormant for many years as well. So the process is not very straightforward as it looks like!!!.
MLet’s understand “What if” scenario across different vertical-
1. What if, attacker infects your core financial system and demand Ransom to release Transactional data file? Result in financial crisis and will affect the core financial transaction and havoc across citizens. Catastrophic impact i.e, No Business!, No food!, No life!!!
2. What if, attacker infects your healthcare related information? Result is major havoc
3. What is attacker infect your Police stations or criminal tracking system? This will result in no information available of the criminal?
Recently, reports are stacking up of police departments paying attackers ransoms -- payments in the $300 to $500, made in Bitcoins -- for the recovery of encrypted files and equipment.
The Tewksbury P.D. enlisted the help of the FBI, the Department of Homeland Security, the Massachusetts State Police, and private info security firms -- all to no avail. After nearly five days of unsuccessful attempts to decrypt the locked systems, they decided to pay the attackers roughly $500 in Bitcoin.
4. What if attacker infects your mobile platform? Result in citizens using mobile devices getting trapped in cyber-attack which could affect the daily usage of the device.
A family of mobile malware called "Godless" has affected over 850,000 Android devices worldwide with almost half of these devices in India alone. This malware puts 90% of Android devices at risk
5. What if attacker infects schools or Universities? The complete student details will be at stake and may be re-exam needs to be conducted. Or the student may need to lose a complete year or Universities/school needs to pass all the student. Both the approaches are morally not accepted.
Ä Should I pay the ransom?
1. The first option is to pay the ransom, however, It’s like a lottery system, there is NO guarantee that attacker (BOSS) will release your files. It is advisable to follow the steps to remove this Ransomware from your computer and hopefully, decrypt your files. According to our research, some users get their data back and some others don’t. Firstly, identify the impact on the system and then follow the Incident response management procedure as mentioned below.
2. Please don’t encourage this crime by simply paying the money.
Ä How to defend or to get the files back?
Do not lose sight that we are talking about cyber crime here and there are chances that you may not able to decrypt the file. Having said that please don’t lose hope; since there are many ways by which you can combat with Ransomware using
Defending from Ransomware is not an easy task; it requires collaborative effort and Management buying to define and develop strong security control across the organization. It may require
1. Proactive- To establish Border Security Force(IT- BSF UNLIKE BSF)
The below table outline the proactive approach to handling cyber-attack.
Area
|
Controls
|
Governance and Policies
|
§ Establishing Strong Governance Framework
§ Establishes the context for all the standards in the series, defining concepts and terminology, as well as lifecycle and compliance metrics.
|
Cybersecurity Monitoring & countermeasures
|
Behavioral Network Pattern Analysis- Deploy solutions which will not just perform the monitoring; however also perform Behavioral monitoring, so that APT can be identified and controlled. The solution like SIEM to be a fine tune and integrated with all systems. In case any abnormal activities are noticed in terms of spikes, an unknown process, popup etc. immediately system can be turned offline. I know some of you may not agree with me considering Custody of chain to get the evidence; however, this will simply break attack. This is because cryptovirus works on the principal that for encrypting any files it needs to communicate with hacker command and control system. If it’s not successful, the infection won’t able to get the public.
|
Cyber security countermeasures at Network Layer
|
§ Deploy Stateful inspection firewall with Intrusion detection/prevention capability
§ Network segmentation to segregate the network so that impact of Ransomware is minimized.
§ Deploy Email Gateway at the right place with correct Polices. Email Gateway Policy refinement to block .exe, .scr, .vbs, .js, .jar, .bat, .pif, or .cpl attachments, so that email attachment never able to reach users.
|
Cyber security countermeasures at User Layer
|
§ Conduct User Awareness to minimize social engineering-based attack.
§ Conduct User Awareness drill by sending a piece of code as part of mail, so that success of user awareness exercise is calculated. This drill should replicate a phishing attack as part of Campaign and will provide a clear indication of risk level. Phishing Simulator can be used to change risky employee behavior when it comes to being able to recognize and report malicious phishing emails.
§ In line with this, SIEM based solution provide more insight i.e. it can replay the incident to identify the origin of the attack i.e. which user got infected by clicking the link so that corrective actions can be taken for that business unit.
|
Cyber security countermeasures at System Layer
|
§ Keep your OS and software up to date
§ Keep Anti-virus solution updated with latest security policy and update
§ Use Software whitelisting tools like Windows AppLocker
§ Use Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) provides an additional protection layer
§ Keep macros disabled
§ Treat ActiveX with caution
§ Configure Windows to show file extensions
§ Enable Windows firewall on
§ Install a popup blocker
§ Disable Windows PowerShell
§ Don’t give admin rights to the end users
§ Disable file sharing
§ Remote services
§ Implement restricted use policy
§ Renaming vssadmin.exe which administers the Volume Shadow Copy Service (VSS) on a Windows machine. Typically Ransomware disables this process and deletes the shadow copy so that recovery of the file is not possible.
|
Cyber security countermeasures at Data Layer
|
Strong backup management strategy to maintain secure backups and battle Ransomware. In the case of infection, an organization can restore the backup to retrieve the file back.
|
Incident response management
|
§ Select vendor who has right skill and knowledge in incident response management.
§ Have complete day monitoring instead of business hrs since the majority of the incident are driven from different geography which contributes to the time difference.
§ Incident response drill to get assurance for procedure and responsibilities of parties involved.
§ Alignment with Agencies who can take necessary actions against Cybercrime.
|
2. Reactive- Fight back to retrieve the file back
As per the study, Security vendor provides protection against malware, however; 97 percent guarantee offered by security vendors is not enough: 3 percent will still mean a large number of endpoints being compromised. To address the above concerns following mitigation plan should be considered
- Identify suspicious activity- Quickly scan the system with tool along with manual review in order to identify a potential threat.
- Closed Review- Check log files/process task for any suspicious activity
- Known Variant- Once confirmed on the attack, Identify the known variant by understanding the behavior/characteristic. Identify the ransomware and download corresponding Anti-Ransomware tool if available. Example-Downloading and using Trend Micro™ Ransomware Screen Unlocker Tool. Download [Download Bitdefender Trojan.Ransom.Ice Generic Removal Tool]
- Unknown Variant- If it’s a new variant, then the tool may not able available and hence manual process needs to be performed to retrieve your data.
- Review security forums- Quite a few ransomware variants, including TeslaCrypt, DMA Locker, and AlphaLocker, were decrypted by researchers who released free decrypt solutions for everyone infected. Therefore, if confronted with a ransom Trojan, do not fail to look up the name on the Internet and surf security forums like BleepingComputer, where recovery breakthroughs appear once available.
- Delay the trigger- Shutdown your system and change the BIOS clock back-Crypto infections provide a deadline for the victim to submit the ransom, after which its ransom increases. It’s usually somewhere between 4 and seven days, with the starting point being the time of complete data encryption. Fortunately, there is an easy way to get around this restriction. Setting the system BIOS clock to an earlier date will trick the countdown timer and give you an additional time span to find and implement a fix.
- Response Plan and Management buying-When hit by a ransomware threat, it’s critical for an enterprise to adopt timely countermeasures and mitigations before the payment deadline expires and the ransom goes up. To this end, IT executives should do an inventory of critical data resources, know where these assets are located, and evaluate the damage from the possible unavailability of this data. Also, quickly need to understanding and scan the complete network for a potential threat. Don’t pay money for it glance!!!
- Restoration- Before you try to recover files, you should use Windows Defender Offline to fully clean your PC.
- Restore file from shadow copies- Before restoring your files from shadow copies, make sure the Ransomware process is not running. You have to remove this malware permanently using the anti-malware scanner.
- Restore file from backup copies- The key challenge is to understand when your machine was infected so that you can restore that backup copy; otherwise, it might be possible that infection is relapsed since backup copy itself was infected
- Try to restore previous versions of files using Windows folder tools
3. Innovation or Innovating Idea– Virtual Machine based container inside the machine.
In future, we can expect this approach to handle cyber-attacks. The core of this approach is running a virtual container within your machine. The virtual container will host all applications which require access to the internet like Browser, Outlook etc. Example- A new browser instance would be run inside its own virtual machine, so if the user accidentally clicked on a rogue link or went to a malicious URL, the infection would be contained within that virtual machine. "You don't really care whether that URL is malicious or not because it's only going to do damage that virtual machine and not the entire laptop. It's not going to have access to your documents or your credentials. There's nothing else on that machine. The virtual machine will get killed as soon as the application is closed or machine is restarted.
Conclusion- To run a sustainable business operation against online digital extortionists, individuals and organizations should be continuously assessing and enhancing their security posture.