Like everything else in the world, the digital world has its share of disadvantages, and the arrival of a class of malicious software called ransomware proved the point. According to survey reports from May 2017, WannaCry (a type of ransomware) affected more than 2 lakh (200,000) computers across 150 countries, including India. We have all come across malware such as bugs and viruses, but ransomware is very different: ordinary malware gains access to the computer and corrupts files, whereas ransomware locks the computer system, which can only be unlocked once a certain amount of ransom is paid.
This ransomware attack started on May 12th, 2017, beginning in England at the National Health and Survey Department. Other companies that fell victim to the ransomware included FedEx and Telefonica (Spain's telecom company). In India, the Computer Emergency Response Team reported that the malware affected the Andhra Pradesh Police Department too.
Types of Ransomware
• Locker ransomware (computer locker): Denies access to the computer or device
• Crypto ransomware (data locker): Prevents access to files or data. Crypto ransomware doesn’t necessarily have to use encryption to stop users from accessing their data, but the vast majority of it does.
Both types of ransomware are aimed directly at our digital lifestyle. They are designed to deny us access to something we want or need and offer to return what is rightfully ours on payment of a ransom. Despite having similar objectives, the approaches taken by each type of ransomware are quite different.
A few well-known ransomware families are:
Reveton, CryptoLocker, CryptoLocker.F, TorrentLocker, CryptoWall, Fusob, Petya, WannaCry and Bad Rabbit.
How could Ransomware spread?
Attackers are targeting outdated Microsoft operating systems, and the malware also arrives as an attachment in email. When the user opens the attachment, the computer gets locked and the attackers demand a ransom to unlock it. The ransom is between $300 and $500. If the ransom is NOT paid within three days, it is apparently doubled (as claimed by media reports).
According to information provided in The Hindu (edition of May 13, 2017, 15:05 IST):
“According to the US Computer Emergency Readiness Team (USCRT), under the Department of Homeland Security, ransomware spreads easily when it encounters unpatched or outdated software. Experts say that WannaCry is spread by an internet worm — software that spreads copies of itself by hacking into other computers on a network, rather than the usual case of prompting unsuspecting users to open attachments. It is believed that the cyber attack was carried out with the help of tools stolen from the National Security Agency (NSA) of the United States.”
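The worm-style spread described above, where the malware copies itself from host to host over the SMB service rather than waiting for a user to open an attachment, leaves a recognisable network footprint: one machine suddenly contacting many SMB peers. The following Python script is an added example, not code from the original article or from any product; it scans constructed connection-log lines for hosts that fan out to many distinct TCP/445 peers in a short window. The log format, thresholds and addresses are assumptions made for the example.

```python
"""Flag hosts that fan out to many distinct SMB (TCP/445) peers in a short
window: the traffic pattern a self-propagating worm such as WannaCry's SMB
spreader leaves on a LAN. Log format and thresholds are constructed here."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO8601> <src_ip> -> <dst_ip>:<dst_port> SYN"
LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) SYN$")

def parse_line(line):
    """Return (timestamp, src, dst, port) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), int(m.group(4))

def find_smb_fanout(lines, min_peers=5, window_seconds=60, port=445):
    """Map each source that contacts >= min_peers distinct hosts on `port`
    within any window_seconds span to its peak peer count. A file-server
    client talks to a handful of shares; a worm sweeps whole subnets."""
    events = defaultdict(list)  # src -> [(ts, dst)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == port:
            events[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        window, peak = [], 0
        for ts, dst in evs:
            window.append((ts, dst))
            cutoff = ts - timedelta(seconds=window_seconds)
            window = [e for e in window if e[0] >= cutoff]  # drop stale events
            peak = max(peak, len({d for _, d in window}))
        if peak >= min_peers:
            flagged[src] = peak
    return flagged

# Constructed sample: 10.0.0.50 is a normal client, 10.0.0.23 sweeps the /24.
SAMPLE_LOG = [
    "2017-05-12T07:44:01Z 10.0.0.50 -> 10.0.0.10:445 SYN",
    "2017-05-12T07:44:05Z 10.0.0.50 -> 10.0.0.10:445 SYN",
    "2017-05-12T07:44:09Z 10.0.0.50 -> 10.0.0.11:445 SYN",
] + [f"2017-05-12T07:45:{i:02d}Z 10.0.0.23 -> 10.0.0.{100 + i}:445 SYN" for i in range(8)]

if __name__ == "__main__":
    print(find_smb_fanout(SAMPLE_LOG))  # {'10.0.0.23': 8}
```

The same logic applies to firewall or NetFlow exports once `parse_line` is adapted to their format; tune `min_peers` to the largest number of shares a legitimate client touches in a minute.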
Who Could be behind the Attack?
After investigations in different nations, reports say that the attack could be nation-driven, with Russia as the suspect; however, others say it was created by an individual group with ties to the National Security Agency (NSA), since such a group could easily breach even the most strongly secured systems.
The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered on the morning of May 12, 2017, by an independent security researcher and spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of 0.1781 bitcoin, roughly equal to US$300.
Ransomware is a type of malware that alters the normal operation of your machine. It encrypts your data and prevents you from using your computer, partially or wholly. Ransomware programs also display warning messages demanding money to return your device to normal working condition.
Recommended Steps for Prevention
- Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
- Enable strong spam filters to prevent phishing emails from reaching end users, and authenticate inbound email using technologies such as Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
- Scan all incoming and outgoing emails to detect threats and filter executable files from reaching the end users.
- Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
- Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
- Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
- Disable macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office suite applications.
- Develop, institute, and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
- Run regular penetration tests against the network, no less than once a year. Ideally, run these as often as possible and practical.
- Test your backups to ensure they work correctly upon use.
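The email-authentication step above (SPF, DMARC, DKIM) only helps if the published DNS records actually enforce a policy; a permissive SPF record or a monitor-only DMARC record still lets spoofed mail through. The Python checker below is an added example, not part of the original article; it grades constructed SPF and DMARC TXT records, showing each weak setting beside its hardened counterpart. The domains and records are constructed for the example, not live DNS data.

```python
"""Audit the SPF and DMARC TXT records that the email-authentication
step calls for. Weak settings (SPF '+all' or '?all', DMARC 'p=none')
let spoofed mail through; the hardened records reject it. All domains
and records below are constructed examples, not live DNS data."""

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_spf(record):
    """Return findings for an SPF record; an empty list means acceptable."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    # The last 'all' mechanism decides what happens to unlisted senders.
    alls = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not alls:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    last = alls[-1].lower()
    if last in ("all", "+all", "?all"):  # bare 'all' means '+all'
        return [f"'{alls[-1]}' never fails a spoofed sender"]
    if last == "~all":
        return ["'~all' only softfails spoofed mail"]
    return []  # '-all': unlisted senders hard-fail

def audit_dmarc(record):
    """Return findings for a DMARC record; an empty list means acceptable."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if tags.get("p", "").lower() in ("", "none"):
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to review")
    return findings

# Constructed records: the weak setting beside its hardened counterpart.
WEAK_SPF = "v=spf1 include:_spf.example.com +all"
GOOD_SPF = "v=spf1 include:_spf.example.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

if __name__ == "__main__":
    print(audit_spf(WEAK_SPF), audit_spf(GOOD_SPF))
    print(audit_dmarc(WEAK_DMARC), audit_dmarc(GOOD_DMARC))
```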
Recommended Steps for Remediation
• Contact law enforcement. We strongly encourage you to contact a local FBI field office upon discovery to report an intrusion and request assistance. Maintain and provide relevant logs.
• Implement your security incident response and business continuity plan. Ideally, organizations should ensure they have appropriate backups so their response is simply to restore the data from a known clean backup.
Pay or Not to Pay?
39% of enterprises were hit by ransomware last year … Of those, 40% paid the attackers in order to retrieve their data.
Many AV companies say there is little chance of recovery without the keys. The FBI says corporates have a risky decision to make. Europol says simply 'don't pay'. Is Europol being realistic? Peter Coroneos, the former chief executive of the Internet Industry Association and an expert on cyber policy, said that whether or not to agree to ransomware demands presented practical and ethical dilemmas.
“As a matter of principle, the answer should always be no … based on the simple dynamics of perpetuating bad conduct.
“However, as a matter of practicality and necessity, the situation is somewhat more complex.”
According to a Forbes report from 2017:
“While that is all well and good, the initiative to prevent further attacks in a similar vein should arise from law enforcement agencies side by side individual users, as asking a victim not to pay ransom when their valuable data is held hostage is in no way a permanent solution.”
We suggest that prevention is better than CURE, and for that you should be aware of how such breaches happen. Keep a backup and avoid opening suspicious email attachments or links. If, even after practising all these measures, you face this tragedy, we suggest you do NOT PAY the RANSOM unless the data is extremely important to retrieve (and even then, recovery cannot be assured), since paying rewards a criminal approach to acquiring money.