Date: 14 December 2012
If you’ve read our previous blog on ransomware, you’ll know the modus operandi is to encrypt a victim’s files and demand a ransom for the encryption key. AusCERT have noted an increase in the instances of ransomware in Australia, and we’d like to discuss a couple of notable examples here with the aim of raising awareness and hopefully preventing an incident within your own organisation.
Small businesses and individuals are both at risk. Small businesses without dedicated IT staff are especially exposed: they frequently cannot devote the time and attention required to secure their systems, and so have enough weaknesses for cybercriminals to exploit. It is worth remembering that while this is a technical topic, cybercriminals happily take advantage of any lack of interest or aptitude for technology among ordinary people.
The actual ransomware itself, the software used by attackers to take control of computer systems, is readily available and traded on the black market. Security firm Symantec predicts an increase in ransomware attacks in 2013, and already we’ve seen cleverly crafted "police ransomware" which assumes the identity of the local law enforcement agency with a false message demanding a penalty for supposed illegal content found on a victim’s computer.
Case studies
Case 1: Small office with ten computers
An organisation's server (domain controller) was targeted, we believe, via a weak Terminal Services password. Using this method for remote access is fraught with risk; a VPN (virtual private network) should be used instead. It is also believed that some staff may have browsed to adult web sites using one or more of the office computers. Aside from the human resources considerations, these types of web sites are well known for deploying malicious software and could have contributed to the ransomware attack.
The attacker deployed ransomware on the domain controller and since this device was the heart of the computer network, all other computers in the organisation were effectively compromised as well. A ransom of $5,000 was demanded. The cure was to erase the computers and rebuild each one from scratch to ensure a secure environment.
Case 2: Medical centre
The attacker took control of the doctors’ database containing patient records. The attacker provided proof that recovery was possible by safely returning two sample files belonging to the medical centre. The ransom demand was $4,000.
In this case, the attacker had actually infiltrated the medical centre some weeks prior to the ransom demand. During this time the attacker had made numerous strategic changes within the system such as disabling the patient database in the tape backup scheduler. After several weeks of backup tape rotations, recent backups were not available even in the medical centre’s offsite storage location. Additionally the medical centre’s USB hard disk backup device was plugged in to the system, and had therefore already been seized by the attacker.
The cure was to erase and rebuild the server, and recover older data from backup tapes. In this case, the medical centre had good practices such as keeping two different types of backup, applying security patches and maintaining an up-to-date business continuity plan. However, repelling these targeted ransomware attacks requires stronger defenses.
What can I do to prevent a ransomware incident in my organisation?
Prevention is always better than a cure; hence businesses and individuals should take the time to keep their systems secure. The Defence Signals Directorate (DSD) has published an excellent document, "Top 4 Mitigation Strategies to Protect Your ICT System". AusCERT's blog discusses DSD's recommendations and how to effectively gain the approval of key decision makers within your organisation – essential reading for IT professionals within larger organisations. Additionally, AusCERT members can access our full publication on this topic.
For small businesses without existing information security programs, we suggest the following items. Your IT services professional will be able to assist with interpreting DSD’s recommendations from which these points are derived, and then apply them to your computer system.
1. Apply all security updates to both operating systems and applications.
2. Restrict administrative privileges. If you browse the Internet with an account that has administrative privileges, you're inviting disaster: it makes compromising your computer with malicious software very easy. Similarly, remote access should be non-administrative.
3. Have a very reliable backup regime that includes all your important data. Err on the side of having more, not less data in your backups, and periodically test restoration of the backups. Keep some of the backups disconnected and physically separate in a remote location.
4. Disable unnecessary remote access. Only allow secure remote connections via a VPN (virtual private network) or similar setup, and ensure the system locks out user accounts after a number of failed password attempts to prevent guessing attacks.
5. Use memorable but complex passwords for all accounts, especially any that have remote or administrative access.
6. Use up to date antivirus software.
7. Configure the host-based firewalls to block all access, only allowing external access to required services.
8. Enable application whitelisting.
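Item 4 above asks that failed password attempts be detected and acted on. The following added example (not AusCERT's code, and not from any product mentioned on this page) shows one way a defender can spot the password-guessing pattern behind Case 1: it counts failed remote logons per source address inside a sliding window and flags a source that then succeeds. The log lines are constructed, and the simplified "timestamp event-id account source logon-type" layout is an assumption; real Windows security logs would first need to be exported into such a form.

```python
"""Flag bursts of failed remote logons (password guessing) in constructed log lines.
Added example, not AusCERT's code. The line format below is an assumption:
    <ISO timestamp> <event id> <account> <source IP> <logon type>
Event 4625 = failed logon, 4624 = successful logon; logon type 10 = remote interactive."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source hammers the administrator account and then gets in;
# a second source is a user who simply mistyped once.
SAMPLE_LOG = """\
2012-12-10T02:00:01 4625 administrator 203.0.113.7 10
2012-12-10T02:00:03 4625 administrator 203.0.113.7 10
2012-12-10T02:00:05 4625 admin 203.0.113.7 10
2012-12-10T02:00:06 4625 administrator 203.0.113.7 10
2012-12-10T02:00:08 4625 administrator 203.0.113.7 10
2012-12-10T02:00:10 4625 administrator 203.0.113.7 10
2012-12-10T02:00:15 4624 administrator 203.0.113.7 10
2012-12-10T09:15:00 4625 jsmith 192.0.2.20 10
2012-12-10T09:15:40 4624 jsmith 192.0.2.20 10
"""


def parse(log_text):
    """Yield (timestamp, event_id, account, source, logon_type) per non-empty line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source, logon_type = line.split()
        yield datetime.fromisoformat(ts), int(event_id), account, source, int(logon_type)


def find_guessing_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source that reaches `threshold` failed remote logons
    within `window`; `success_after` is set if that source later logs on successfully."""
    recent = defaultdict(deque)  # source -> timestamps of failures still inside the window
    alerts = {}                  # source -> alert dict (one alert per source)
    for ts, event_id, account, source, logon_type in parse(log_text):
        if logon_type != 10:     # only remote interactive logons matter here
            continue
        failures = recent[source]
        if event_id == 4625:
            failures.append(ts)
            while failures and ts - failures[0] > window:
                failures.popleft()
            if len(failures) >= threshold and source not in alerts:
                alerts[source] = {"source": source, "failures": len(failures),
                                  "first": failures[0], "last": ts, "success_after": False}
        elif event_id == 4624 and source in alerts:
            # A success right after a burst is the case that needs immediate attention.
            alerts[source]["success_after"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_guessing_bursts(SAMPLE_LOG):
        print(alert)
```

A lockout policy would have cut this burst off before the successful logon; the script is the check that tells you whether such a policy is actually in effect, and which sources to look at in the logs.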
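Item 3 asks for a reliable, tested backup regime, and Case 2 shows how it fails quietly: the patient database was removed from the backup schedule and nobody noticed until the tapes had rotated. The added example below (not AusCERT's code) audits a set of backup job records for exactly that: a job whose scope has shrunk, a required dataset with no recent disconnected (offline) copy, and a dataset never backed up at all. The manifest layout, job names and dataset names are all constructed assumptions; a real deployment would generate these records from the backup software's own job logs.

```python
"""Audit backup coverage, recency and offline copies from job manifests.
Added example, not AusCERT's code; manifest format, job names and dataset names are constructed."""
from datetime import datetime, timedelta

# Datasets the business cannot lose (constructed names).
REQUIRED_DATASETS = {"patient_db", "file_server", "mail_store"}

# Constructed job records. The second tape run has silently lost patient_db,
# mirroring Case 2; the USB disk is always connected, so it is not an offline copy.
MANIFESTS = [
    {"job": "tape-weekly", "completed": "2012-11-05T23:10:00", "offline": True,
     "datasets": ["patient_db", "file_server", "mail_store"]},
    {"job": "tape-weekly", "completed": "2012-12-03T23:12:00", "offline": True,
     "datasets": ["file_server", "mail_store"]},
    {"job": "usb-nightly", "completed": "2012-12-13T01:00:00", "offline": False,
     "datasets": ["patient_db", "file_server", "mail_store"]},
]


def audit_backups(manifests, required, now, max_offline_age=timedelta(days=14)):
    """Return a list of finding strings; an empty list means the regime passes."""
    findings = []
    records = [(m["job"], datetime.fromisoformat(m["completed"]), m["offline"], set(m["datasets"]))
               for m in manifests]

    # 1. Scope shrinkage: a job's later run covers less than an earlier run of the same job.
    last_scope = {}
    for job, ts, _offline, datasets in sorted(records, key=lambda r: r[1]):
        if job in last_scope:
            dropped = last_scope[job] - datasets
            if dropped:
                findings.append(f"{job}: run at {ts.isoformat()} no longer includes {sorted(dropped)}")
        last_scope[job] = datasets

    # 2. Every required dataset needs an offline copy, and a recent one.
    for name in sorted(required):
        offline_copies = [ts for _job, ts, offline, datasets in records if offline and name in datasets]
        if not offline_copies:
            findings.append(f"{name}: no offline copy at all")
        elif now - max(offline_copies) > max_offline_age:
            age = (now - max(offline_copies)).days
            findings.append(f"{name}: newest offline copy is {age} days old")

    # 3. Datasets that appear in no backup of any kind.
    for name in sorted(required):
        if not any(name in datasets for _job, _ts, _offline, datasets in records):
            findings.append(f"{name}: never backed up")

    return findings


if __name__ == "__main__":
    for finding in audit_backups(MANIFESTS, REQUIRED_DATASETS, datetime(2012, 12, 14, 12, 0)):
        print(finding)
```

Run against the constructed records with 14 December 2012 as "now", the audit reports that the weekly tape job dropped patient_db on 3 December and that the newest offline copy of patient_db is 38 days old; the connected USB disk does not count, for the reason Case 2 makes plain. Running a check like this after every backup cycle, and pairing it with periodic test restores, is what turns "we have backups" into a regime you can rely on.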
If a business or individual is infected with ransomware, they should:
1. Not interact with the cybercriminals making the demands.
2. Immediately disconnect the infected computer or server from the Internet.
3. Notify your local or state police station of the incident.
4. Seek the services of IT professionals to:
(i) Use a parallel live operating system to recover, where possible, any essential data not included in the last backup.
(ii) Wipe the infected computer clean by formatting and do a fresh install of the operating system and any required applications.
(iii) Apply all security updates and configuration settings to ensure ongoing security.
(iv) Restore data.
Regards,
The AusCERT Coordination Centre Team.