• Stelios Katakalos

Ransomware for Hire: 3 Steps to Keeping Your Data Safe

For most people, the idea of losing all their data would send shivers down their spines. The scenario is even more alarming for companies who could risk having to reinvent man-years worth of intellectual property should their data be lost. Yet, for thousands of companies daily this nightmare becomes reality. The driving force behind this scenario is malicious software accurately named “ransomware” that encrypts files once introduced to a system.

Security, they say, is only as good as the weakest link. And, in many cases, the weakest link is well-intentioned employees focused more on getting work done than doing so securely. With this in mind, let’s take a deeper look at the newest ransomware threat, Ransom32, and three actionable ways to keep data from being held hostage.

In researching and reverse-engineering Ransom32, being sold online as ransomware-as-a-service, it quickly became apparent that it is different than other ransomware. Notably, Ransom32 was coded with JavaScript and uses the NW.js framework which allows for much more control and interaction with the underlying operating system. This benefits the developer as they can turn their web applications into normal desktop applications relatively easily—applications that are able to run the same JavaScript on different platforms and without the security-boundary restrictions of the web-browser.

As a result, an NW.js application only needs to be written once and is instantly usable on Windows, Linux and MacOS X. This means that Ransom32 could also easily be packaged for Linux and Mac OS X.  Ransom32 will encrypt users’ files, photos, documents and other data so that when their machine starts, they will see a ransom note demanding payment in Bitcoins in exchange for unlocking their data. To avoid this scenario:

  • Back Up Regularly While it’s a little like flossing for some people – you know you should do it, but don’t as often as you should — regular backups stored on a disconnected device really are the best first line of defense from ransomware. Ransomware will often explicitly target backups which is why it is important to store them where they can’t be readily reached. An external disk drive detached from corporate systems, or a cloud based file storage or backup system are all good approaches. Regardless of the method, regular (preferably daily) backups are an ideal insurance policy against ransomware attacks. Ransom32 is currently undecryptable without paying the ransom so don’t forget to test the data restoration process to ensure this insurance plan is actionable.

  • Don’t only Rely on Signatures to Protect Systems As a legitimate framework, using NW.js makes it more difficult for Ransom32 to be added to signature-based malware detection solutions and each sample may be differently configured by its ‘customer’. In fact, nearly two weeks after Ransom32 was introduced, signature coverage for it remains incredibly poor.Indeed, ransomware like Ransom32 in which signatures can be difficult to detect, are one of the reasons that ransomware is likely to be one of the biggest security threats this year. To address this issue, look for anti-malware protection solutions that don’t rely on signatures to detect and quarantine ransomware, but use smarter approaches like behavior blocking that watches out for certain behavior patterns in active threats rather than comparing known file fingerprints.

  • Real-Time Protection The greatest threat in many companies is the unwitting employee. Currently distributed by spam email campaigns impersonating delivery notifications, unpaid invoices and the like, Ransom32 quite literally banks on it. As with many other security threats, once an employee downloads and launches the package, the malware is able to execute its threat.Although employees should be educated about such threats, spam has become more sophisticated and the need for real-time protection is real. In addition, Ransom32 could easily be distributed through other channels, such as malvertising, exploit kits, or spear phishing. As a result, it is important to look for technology solutions that provide real-time scanning, blocking and quarantining of threats as they occur. And, it never hurts to remind employees of the very real threat presented by ransomware, regardless of its distribution point.Ransom32 is not just the latest ransomware, it is unique in that it packs the runtime and NW.js into one single executable which means it doesn’t need to rely on users having an existing framework installed illustrating yet one more way that ransomware is maturing and becoming a larger threat. In fact, Rick Holland, Vice President and Principal Analyst at Forrester Research, recently noted he doesn’t, “go more than a week without speaking to a client who has experienced a ransomware incident.”

Chinese have a saying, the best time to plant a tree was 20 years ago. The second best time is now. With Ransom32’s authors offering anyone the chance to sign up, create their own custom version of the ransomware, download and distribute it, be sure to take time now to ensure these basic security principles are in place to proactively protect your data and decrease your risk of being held hostage.

source: Emsisoft

13 views0 comments