Date: 07 March 2013
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=17155
Much has been written about the current information security phenomenon known as Ransomware, with AusCERT itself publishing two previous blog posts on the topic.
Yet it remains a serious and current risk, and unfortunately many small to medium businesses are yet to heed and respond to the warnings.
At this point in time Ransomware appears to fall into two very general categories: "non-encrypting" malware that can often be circumvented, and "file encryptors" that gather all valuable data on a system and make it unavailable by encrypting it, often including any connected backups. As the name implies, ransomware locks access to a resource and then demands a payment to have it returned. Those who have suffered ransomware should never pay the demand: paying increases the likelihood of further attacks, and the data or resource that is restored may contain backdoors, be incomplete or be untrustworthy in many other ways. You're dealing with crooks, after all. For those interested in more detail, Sophos have released an excellent paper analysing various types of Ransomware.
Prevention is better than cure
For some businesses or organisations that don't employ permanent IT staff, Information Security problems like Ransomware may seem all too difficult a challenge, so here are some key points that will help. Ask your IT staff to carry them out:
- Keep reliable backups of all your valuable data, and keep some copies disconnected from a computer and the Internet. Large capacity data storage is quite inexpensive and easy to get from places like Officeworks. Don't just keep your backups on one external hard drive that's always connected to the computer or Internet. This is too risky, as attackers are known to encrypt or delete backups connected to the computer or network. Buy at least four external hard drives or similar, and keep multiple copies of your backup data using a backup rotation scheme like "Grandfather-father-son" or "Tower of Hanoi". All but one of the external hard drives should be disconnected from your computer, and stored in a physically safe and secure location. Periodically test the restoration of your backups, to confirm that the data is good.
- Remote Desktop Protocol (RDP) should not face the Internet directly at all. It's just too risky. From about $150, modem/routers are available that come with Virtual Private Networking (VPN) services built in. Connecting remotely through a VPN is much more secure than having RDP available to the whole world, where it can be attacked by brute force or with keyloggers.
- Configure lock-out policies so that if too many failed attempts are made to log in with an account, it will be locked as a precaution. This will reduce the risk from brute-force attacks.
- Network equipment like modems and routers require some configuration to make them secure. Don't just use them straight out of the box. Be sure to change the default passwords to new ones that are at least 12 characters in length, not a dictionary word, and made up of letters, numbers and special characters. Default passwords of network equipment are widely known. Disable UPnP and any unnecessary services. Always keep a backup of the configuration of your network equipment in a secure place, like a CD or a flash drive, disconnected from the Internet, in case you need to restore any settings. Be sure to keep the firmware on your network equipment patched and up to date, so as to fix any security vulnerabilities that the manufacturer may identify. If your modem/router has an inbuilt firewall, take the time to configure it, leaving open only the minimum ports you need. Most ports should be blocked, including 3389, 4899, 5000, 5500, 5631 and 5632. If you're not sure what IPv6 is, then you should also block protocol 41 (IPv6 encapsulated in IPv4).
- Configure the built-in firewall available on your computer workstations as well.
- Make sure that the computer accounts used by people in your organisation to browse the Internet do not have administrative privileges. If these accounts do have administrative privileges, the damage that malware infections can cause will be much worse, including possible ransomware infection.
- Use memorable but complex passwords for all accounts, especially any that have remote or administrative access. As mentioned above, be sure that they are sufficiently long, and not a dictionary word, in any language.
- Use up to date antivirus software, with up to date definitions.
- If possible, enable application whitelisting. While it can be a challenge to configure, this technology, which is built into many operating systems, will significantly reduce the ability of malicious software to take hold.
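As an added example, not code from the AusCERT post, the following POSIX shell script implements the Tower of Hanoi rotation mentioned in the backup advice above across several disconnected drives, and performs the restore test the same advice recommends. It assumes each drive is represented by a directory DRIVE_ROOT/setN, that backups are tar archives, and that sha256sum is installed.

```shell
#!/bin/sh
# Added example, not from the AusCERT post. Assumptions: each external
# drive is represented by a directory DRIVE_ROOT/setN, backups are tar
# archives, and sha256sum is installed.

# Print the 0-based drive (set) that backup number $1 goes to when $2
# drives are in rotation (Tower of Hanoi): set 0 takes every second
# backup, set 1 every fourth, set 2 every eighth, and the last set takes
# what is left, so the rarely used drives retain the oldest history.
hanoi_set() {
  n=$1; last=$(( $2 - 1 )); i=0
  while [ $((n % 2)) -eq 0 ] && [ "$i" -lt "$last" ]; do
    n=$((n / 2)); i=$((i + 1))
  done
  echo "$i"
}

# Archive directory $1 into $2/backup.tar and write a SHA-256 manifest of
# every file beside it, so a later restore can be checked independently.
make_backup() {
  src=$1; dest=$2
  mkdir -p "$dest"
  ( cd "$src" && find . -type f -exec sha256sum {} + ) > "$dest/manifest.sha256"
  tar -C "$src" -cf "$dest/backup.tar" .
}

# Extract $1/backup.tar into a scratch directory and compare every file
# with the manifest; returns 0 only when the whole restore matches.
verify_restore() {
  dest=$(cd "$1" && pwd); scratch=$(mktemp -d)
  if tar -C "$scratch" -xf "$dest/backup.tar" &&
     ( cd "$scratch" && sha256sum -c --status "$dest/manifest.sha256" ); then
    rc=0
  else
    rc=1
  fi
  rm -rf "$scratch"
  return $rc
}

# Usage: backup.sh SOURCE_DIR DRIVE_ROOT BACKUP_NUMBER [DRIVES]
# With 4 drives, backup number 12 (binary 1100) lands on DRIVE_ROOT/set2.
if [ "$#" -ge 3 ]; then
  slot=$(hanoi_set "$3" "${4:-4}")
  make_backup "$1" "$2/set$slot" && verify_restore "$2/set$slot" &&
    echo "backup $3 written to set $slot and verified"
fi
```

Run it once per backup with an increasing BACKUP_NUMBER, connecting only the drive whose set number it prints; a failed verification means the archive on that drive must not be trusted.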
How might Ransomware develop?
Ultimately it's important to remember that Ransomware is essentially a way for people with malicious intent to make money. How it develops is closely tied to how it will continue to make them money with minimal chance of being caught. While people keep paying the crooks, the various types of ransomware will keep growing.
From time to time the bad guys do get caught, however, as happened recently when the EC3 (European Cybercrime Centre) rounded up a group of 11 people in Spain who were disseminating "police ransomware".
For ransomware to continue to be viable for criminals, they need to attack with relative ease the valuable infrastructure of many businesses or organisations, and restrict or deny access.
With that in mind some areas that businesses and organisations should take extra care with are:
- UPnP should not be enabled on your network gateway. This is not a service you want to advertise to the world. Security holes related to UPnP have the potential to wreak havoc on your network infrastructure in a way that can cripple it, or bust it wide open. The potential also exists for exploited vulnerabilities in UPnP to provide misleading information, install malicious applications like ransomware, and use your Internet connection to attack others. Rapid7 have published an extensive research-based report on UPnP named: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
- Most of the Internet today runs on IPv4, which is old and has exhausted its available addresses. The successor to IPv4 is IPv6, which is not currently in widespread use. It is, however, included in most modern operating systems. To smooth the transition from the old to the new, tunnelling of IPv6 over IPv4 can be made available. Windows 7, for example, provides a "6TO4 Tunnel adapter". One of the problems with this approach is that it allows a network back door past all your firewalls and network security infrastructure: weaknesses that your IPv4 controls block may still be exploitable over IPv6. The best way to mitigate this problem for the moment is to block IP protocol 41 (IPv6 encapsulated in IPv4).
- The compromise of cloud-based infrastructure is a phenomenon that is becoming more common. Most often it's due to misconfiguration or social engineering, but sometimes vulnerabilities in the cloud infrastructure itself will allow unintended access to parties with malicious intent. If a business or organisation is heavily dependent on that particular cloud infrastructure, the impact on them could be catastrophic.
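As an added example, not the post's own configuration, this script emits an nftables ruleset for a Linux-based gateway that applies the firewall advice from the "Prevention is better than cure" list and the UPnP and 6to4 points above: default-deny from the Internet side, the listed remote-access ports dropped explicitly, IP protocol 41 dropped in both directions, UPnP/SSDP discovery kept off the WAN, and remote access limited to a VPN. The WAN interface eth0, the LAN range 192.168.1.0/24 and the choice of an IPsec VPN (IKE on UDP 500/4500 plus ESP) are assumptions.

```shell
#!/bin/sh
# Added example, not from the AusCERT post. Assumptions: the gateway runs
# Linux with nftables, the Internet-facing interface is eth0, the LAN is
# 192.168.1.0/24, and remote access arrives only over an IPsec VPN
# (IKE on UDP 500/4500 plus ESP); UPnP discovery (SSDP) uses UDP 1900.
WAN=${WAN:-eth0}
LAN=${LAN:-192.168.1.0/24}

# Print the ruleset; $WAN and $LAN are expanded by the shell before nft reads it.
gateway_ruleset() {
  cat <<EOF
flush ruleset
table inet gateway {
  # Remote-access ports from the post that must never face the Internet
  set remote_access_ports {
    type inet_service
    elements = { 3389, 4899, 5000, 5500, 5631, 5632 }
  }
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    ip protocol 41 drop
    iifname "$WAN" tcp dport @remote_access_ports drop
    iifname "$WAN" udp dport 1900 drop
    iifname "$WAN" udp dport { 500, 4500 } accept
    iifname "$WAN" ip protocol esp accept
    iifname != "$WAN" ip saddr $LAN accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ip protocol 41 drop
    iifname != "$WAN" oifname "$WAN" ip saddr $LAN accept
  }
  chain output {
    type filter hook output priority 0; policy accept;
    ip protocol 41 drop
  }
}
EOF
}
# Usage: gateway.sh check   (syntax-check only, nft -c)   |   gateway.sh apply
case "${1:-}" in
  check) gateway_ruleset | nft -c -f - ;;
  apply) gateway_ruleset | nft -f - ;;
esac
```

Because the forward chain drops protocol 41 from the LAN, a workstation's 6TO4 adapter cannot open a tunnel through the gateway even if it is left enabled.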
Will ransomware target the larger Enterprise with skilled permanent IT staff? This is a genuine possibility, and should not be immediately dismissed as fiction. At the moment, however, smaller businesses and organisations without permanent IT staff continue to be a more attractive target: widespread, uniform security vulnerabilities give attackers economies of scale there, and the risk of being caught is lower.
It appears that the ongoing threat trend that larger organisations do need to prepare for includes targeted attacks from hacktivists, and from groups with malicious intent looking to collect account credentials and valuable data to sell.
Regards,
The AusCERT Coordination Centre Team.