This blog monitors and reports on broadband policy and marketplace developments in the UK, Europe and worldwide that are likely to be of interest to the Janet community. Posts here may also reference my Broadband Policy Watch blog and you can also find me on Twitter.

Cyber security update June 2016: Ransomware

Thursday, June 16, 2016 - 16:59

Recent months have seen a significant number of reports of ransomware attacks and incidents in the IT press, several relating to attacks on US healthcare centres (see these examples from BBC News, Ars Technica and SecurityInfoWatch). This month Ars Technica reported that Canada's University of Calgary paid almost $16,000 (approximately £10,800) to recover data encrypted by a ransomware attack.

InfoBlox reported a 35-fold increase in newly observed ransomware domains in the first quarter of 2016 compared with the fourth quarter of 2015, describing “industrial-scale, big-money attacks on all sizes and manner of organizations, including major enterprises.” PhishMe reported an unprecedented rise in encryption ransomware attacks so far in 2016; also see analysis from BBC News. Verizon’s 2016 Data Breach Investigations Report also recorded a significant increase in ransomware. Computer Weekly reported research by Eset finding that ransomware attacks now account for around a quarter of cyber threats targeting internet users in the UK, while ZDNet reported on Kaspersky’s analysis that ransomware has replaced advanced persistent threat (APT) network attacks as the most problematic cyber threat.

US-CERT, the US Computer Emergency Readiness Team, has published a useful alert on ransomware. It offers guidance on the main characteristics of ransomware, its prevalence, the variants that may be proliferating, and how users can prevent and mitigate ransomware. Also see a similar alert from the Federal Bureau of Investigation (FBI).

Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloads. Computing reported that Action Fraud and the National Fraud Intelligence Bureau received an average of 8,000 reports of phishing scams per month in 2015; more on phishing here and here. New propagation methods have also been observed, including the exploitation of vulnerable web servers as network entry points (also see this example, again from Computing). Ransomware variants include Xorist, CryptorBit, CryptoLocker (for which US-CERT published its own alert in 2013), Locky and Samas. Systems infected with ransomware are also often infected with other malware, for example Trojans.

US-CERT’s alert notes that some compromised users may simply pay the ransom, but discourages this, pointing out that paying “does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.” Suggested preventive measures include ensuring appropriate data backup and recovery procedures are in place, application whitelisting, keeping software patching up to date, and restricting users’ permissions to prevent malware from running or spreading. User education and encouraging good cyber hygiene practices are important too.

Press coverage continues to bear out the increasing prevalence and complexity of ransomware: the Financial Times reported how ransomware is becoming more difficult to circumvent, with the capability to disrupt entire corporate networks; also see this example from Ars Technica. Network World reported that users of Apple computers have suffered their first ransomware attack via the KeRanger ransomware. On a more positive note, both Ars Technica and BBC News reported that a solution had been found for Petya ransomware victims, though Network World reported that a later Petya variant now carries an additional threat in the form of another ransomware program, dubbed Mischa. Network World also reported on a solution for victims of Jigsaw ransomware and on the development of a method of decrypting files affected by the latest version of CryptXXX.