„Where did my server go?“: How to defend against ransomware

You get calls from your customers coming to you every day with all kinds of problems. But there’s one call you definitely don’t want to get. It’s the one where they tell you they can’t access their workstation or server and have a screen saying their files have been encrypted, they need to pay money to an online account, and the encryption key will be destroyed in a matter of hours from now.

That’s right – your customer has been hit with ransomware.

Cyber-CrimeIf you’re unfamiliar with it, ransomware is malware with a different intent. Rather than taking the traditional focus of trying to steal information or capture keystrokes (to obtain credentials), ransomware focuses on being far more in your face by flat out telling you it’s there and you need to pay to get rid of it.

One of the worst (or best, if you can appreciate the innovation of it all) is Crypt0L0cker, which uses state-of-the-art public/private key encryption to encrypt files with very specific extensions (the ones you care about – docx, xlsx, etc…). It’s a very advanced form of ransomware.

As if that’s not bad enough, it’s not just the ransomware you need to be worried about.  Recent efforts have shown ransomware that acts like a sophisticated APT, automatically creating new payload variants with each attack, to avoid detection.

There are a few types of ransomware running amok today, each with a different level of nastiness.

  • Scareware – this is little more than a bogus application purporting to be a PC Repair or Antivirus program claiming they’ve detected issues. These usually can be easily removed.
  • Screen Lockers – these popup an official-looking window with some kind of police-related logo saying you’ve broken the law and need to pay up.
  • Encryptionware – this is the worst. These threaten to encrypt (or already have encrypted) every file on a customer’s workstation or server, leaving that machine lost in encryption hell forever – that is, unless you pay them $500.

Given that ransomware is a pain for your customers and will take some significant reactive effort to remove it, you’re going to want to avoid this kind of malware entirely.

So, what steps do you take to provide your customers with a layered defense?

  1. Antivirus/Anti-malware – You need a solution in place that actively watches for spyware, malware, and viruses that continually updates signatures.
  2. Patch Management – malware (and ransomware) needs a delivery mechanism, which can often be a known vulnerability. Patching will keep vulnerabilities in check.
  3. Web Protection – malware can also be delivered via websites. Spearphishing attacks via email are often used as the point of entry to an organization with links to malicious sites posing as known “safe” ones – often so well crafted, users can’t tell the difference. Putting a solution in place to watch for malicious sites will add another layer of protection, ensuring ransomware (and any other kind of malware) doesn’t get in via website interaction.
  4. Email Protection – Another spear phishing tactic is through the use of malware-laden attachments. Take the recent Talk Talk data breach, where customer data was stolen and the thieves-turned-scammers used the stolen data to extract even more sensitive information (such as bank account and credit card numbers) from affected customers via email. Having mail protection in place blocks suspect attachments that can be used to extract information as quickly as injecting ransomeware on an endpoint.

Ransomware is nasty stuff. And your customer’s may not appreciate the difficulty in trying to remove it, making you look like less of the expert you are. Putting a proactive set of solutions in place in a layered approach will give your customers the best chance of never being held hostage – making certain that you get paid, instead of those trying to take your customer’s money by force.