How to Safeguard Against Ransomware Attacks

The latest ransomware outbreak dubbed “Petya” or “GoldenEye,” which experts feel originated, albeit unknowingly, from a supply chain vendor in the Ukraine or Russia, poses an unusual threat.

The new version possesses worm-like capabilities which allow it to move laterally across infected networks. It freezes a user’s computer, encrypts the data, and demands an untraceable ransom be paid in the digital Bitcoin currency.

The malware reportedly hit the Chernobyl nuclear power plant in the Ukraine as well as Russia’s largest oil producer before infiltrating a Danish shipping company, a British advertising agency, and U.S. pharmaceutical company Merck and Co., among others.

The US Department of Homeland Security has advised victims not to pay the ransom, saying there is no guarantee that access to files would be restored.

What is particularly disturbing about the most recent ransomware attacks is that they are distributed in the guise of a a trusted “third-party update.”  The initial infection appeared to have involved a software supply-chain threat involving the Ukrainian company M.E.Doc, which develops the tax accounting software, MEDoc. Although this vector was speculated at length by news media and security researchers—including Ukraine’s own Cyber Police—there was only circumstantial evidence for this vector.  Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process.

In a discussion on Windows Security, the new Microsoft Malware Protection Center blog, community member Chris Smith argues that 3rd parties should not be building update mechanisms at all. “This entire attack vector exists because the platform doesn’t have a consistent distribution architecture other than for base updates. Every vendor builds an updater which increases the attack surface. Linux vendors, Apple OSX and most mobile vendors have nailed this to some degree,” said Smith.

There are two types of ransomware – lockscreen ransomware and encryption ransomware.

 

Lockscreen ransomware shows a full-screen message that prevents you from accessing your PC or files. It says you have to pay money (a “ransom”) to get access to your PC again.

Encryption ransomware changes your files so you can’t open them. It does this by encrypting the files – see the Details for enterprises section if you’re interested in the technologies and techniques we’ve seen.

Older versions of ransom usually claim you have done something illegal with your PC, and that you are being fined by a police force or government agency.

Ransomware can get on your PC from nearly any source that any other malware (including viruses) can come from. This includes:

• Visiting unsafe, suspicious, or fake websites.
• Opening emails and email attachments from people you don’t know, or that you weren’t expecting.
• Clicking on malicious or bad links in emails, Facebook, Twitter, and other social media posts, instant messenger chats, like Skype.

It can be very difficult to restore your PC after a ransomware attack – especially if it’s infected by encryption ransomware.

That’s why the best solution to ransomware is to be safe on the Internet and with emails and online chat:

• Don’t click on a link on a webpage, in an email, or in a chat message unless you absolutely trust the page or sender.
• If you’re ever unsure – don’t click it!
• Often fake emails and webpages have bad spelling, or just look unusual. Look out for strange spellings of company names (like “PayePal” instead of “PayPal”) or unusual spaces, symbols, or punctuation (like “iTunesCustomer Service” instead of “iTunes Customer Service”).