Date: 26 September 2012
Yesterday AusCERT was notified of a server being held hostage by ransomware. All data and backup storage attached to
the server had been encrypted, accompanied by a message titled "Anti-Child Porn Spam Protection". The message advised
that illegal sites had been accessed and in order to retrieve the data the victim had to pay $3,000. Non-compliance would result in a report being
sent to law enforcement with a sample of images allegedly from the illegal site. While similar malware has been
circulating overseas, it is only recently that Australian organisations have been targeted.
An excellent explanation of the malware is available on the website of Emsisoft, an Austrian anti-malware vendor,
including some possible ways to recover the data. However the ransomware currently circulating in Australia may be a
new variant. For those wanting to try the suggestions in the article, make sure this is only attempted on a copy of
the data as it is not known what an incorrect code will do.
The previously mentioned organisation wanted to know how they could get their data back. However, without recent
backups, and with relatively little known about this specific variant, the unfortunate reality is that the data is not recoverable. Some may be tempted to pay the ransom; be warned, however, that
there are no guarantees the data will be returned and it is highly likely that your organisation will be targeted
again. Next time, it might not be as easy as restoring a server or paying a ransom.
In order to protect against such attacks, the following best practices are worth repeating:
Patch all applications and operating systems
Run, and test, regular daily backups, and either store a copy of recent backups off site or ensure that backup data is not directly accessible from the server (e.g. via a network share or a directly attached external hard disk)
Disable unnecessary services, e.g. leave RDP disabled if it is not needed
Enforce complex password policies and account lockout policies to defend against brute force attacks
Only allow secure remote connections (e.g. VPN or SSH tunnelling) from known individuals and services
Review the DSD Top 4 for Windows Environments
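The incident above turned on two of these points: the backups were reachable from the compromised server, and nobody found out they had been encrypted until the data was needed. As an added illustration (this is not AusCERT's or Emsisoft's code, and the file names, manifest format and 7.5 bits-per-byte entropy threshold are my own assumptions), the following Python script records a SHA-256 manifest of a backup set and later verifies the set against it, flagging files that are missing, changed, or changed into high-entropy content of the kind file-encrypting ransomware leaves behind. The demo() function builds a small constructed backup tree, damages it, and returns the verification result.

```python
"""Manifest-based backup verification with an entropy tripwire.

Added example: record hashes of a backup set when it is made, then verify
the set on a schedule so encrypted or missing backup files are noticed
before a restore is needed. Not affiliated with AusCERT or Emsisoft.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed threshold in bits per byte. Text, office documents and most
# uncompressed data sit well below this; ciphertext and random data sit near 8.
ENTROPY_THRESHOLD = 7.5


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, streamed in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup tree under root against a previously built manifest.

    Returns the files that are missing, the files whose hash changed, the
    subset of changed files whose content now looks encrypted (high entropy),
    and the count of files that verified cleanly.
    """
    result = {"missing": [], "modified": [], "suspicious": [], "ok": 0}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
            continue
        if sha256_file(p) != expected:
            result["modified"].append(rel)
            # Sampling the first 64 KiB is enough to distinguish ciphertext
            # from an ordinary edit to a document or config file.
            if shannon_entropy(p.read_bytes()[:65536]) >= ENTROPY_THRESHOLD:
                result["suspicious"].append(rel)
            continue
        result["ok"] += 1
    return result


def demo() -> dict:
    """Constructed scenario: build a manifest, damage the copy, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "data").mkdir()
        (root / "data" / "notes.txt").write_text("quarterly figures\n" * 200)
        (root / "data" / "config.ini").write_text("[server]\nport=443\n")
        (root / "data" / "index.csv").write_text("id,name\n1,alpha\n")
        (root / "readme.txt").write_text("backup set 2012-09-25\n")

        manifest = build_manifest(root)
        manifest_path = root / "manifest.json"  # assumed manifest location
        manifest_path.write_text(json.dumps(manifest, indent=2))

        # Stand-ins for what a later verification run might find: one file
        # replaced by random bytes (as an encrypted file would look), one
        # file deleted, one file legitimately edited.
        (root / "data" / "notes.txt").write_bytes(os.urandom(4096))
        (root / "readme.txt").unlink()
        (root / "data" / "config.ini").write_text("[server]\nport=8443\n")

        return verify_backup(root, json.loads(manifest_path.read_text()))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest should live with the off-site or otherwise isolated copy, not on the server being backed up, and the verification should run from a host that has read-only access to the backup store; a manifest that is writable from the server offers no more protection than the backup itself.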
Till next time,