Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files, unless a ransom is paid. After the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to get a decryption key. If the demands are not met, the system or encrypted data remains unavailable, or the data may be deleted.
FBI 2020 Ransomware Cyber Tips
Ransomware: One of the fastest growing threats
In a ransomware attack, victims may click on an email attachment that appears legitimate, like an invoice or an electronic fax, but which actually contains the malicious ransomware code. Or the e-mail might contain a legitimate-looking URL, but when a victim clicks on it, they are directed to a website that infects their computer with malicious software.
Once the infection is present, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network that the victim computer is attached to. Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually with bitcoins because of the anonymity this virtual currency provides.
Ransomware continues to strike state and local governments across the country. In July 2019, the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), the National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) released a joint call to action recommending immediate steps to safeguard against ransomware attacks.
Protect Yourself from Ransomware (source: https://www.fbi.gov/news/stories/ransomware-on-the-rise)
Steps to Reduce Your Risk of Being a Victim of Ransomware
- Make sure you have updated antivirus software on your computer.
- Enable automated patches for your operating system and web browser.
- Have strong passwords, and don’t use the same passwords for everything.
- Use a pop-up blocker.
- Only download software—especially free software—from sites you know and trust (malware can also come in downloadable games, file-sharing programs, and customized toolbars).
- Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if you think it looks safe. Instead, close out the e-mail and go to the organization’s website directly.
- Use the same precautions on your mobile phone as you would on your computer when using the Internet.
- To prevent the loss of essential files due to a ransomware infection, it’s recommended that individuals and businesses always conduct regular system back-ups and store the backed-up data offline.
What to Do if You Become a Victim of Ransomware
- Disconnect the Computer from the Network
Once you suspect a computer might have ransomware on it, the first thing you need to do is take it offline. Pull the Ethernet cable, shut off the Wi-Fi, and shut off the computer. Some ransomware can spread over the network connection, so the sooner you disconnect any potentially infected computers, the better your chances are of containing the breach.
- Disable Shared Drives
A growing number of ransomware varieties, such as CryptoFortress and Locky, will encrypt network and shared drives connected to the infected computer. If you think you may have a ransomware infection it’s a good idea to take all of your shared drives offline temporarily until you’ve cleaned out your network.
- Update and Run your Security Software
Check for and install any available updates for your security software and run a scan on all of the devices on your network. Ransomware changes rapidly, so make sure you have the most current version of your antivirus and anti-malware endpoint protection installed on computers throughout your network.
- Restore from Backup (if possible)
The best way to fix your computer without paying the ransom is to restore it from your backup.
Ransomware Threat Sample
Bad Rabbit Ransomware
The Bad Rabbit ransomware is distributed via drive-by download attacks, using a fake Adobe Flash Player installer to lure victims into installing the malware unwittingly. Dubbed "Bad Rabbit," it is reportedly a Petya-like targeted ransomware attack against corporate networks, demanding bitcoin payment as ransom from victims to unlock their systems.
Introduction - After the very public Petya-like attack, a new and remarkably similar ransomware was observed spreading in the wild throughout Russia, Ukraine, and several other countries. Bad Rabbit, as it is known, was initially spread via drive-by downloads, but it also contains the ability to propagate via SMB, encrypts files, and prevents an infected system from booting properly.
Impact - Bad Rabbit is a nasty ransomware in that it not only modifies files, but also the underlying filesystem and master boot record (MBR). It harvests credentials using Mimikatz and attempts brute-force logins to propagate over SMB. Once it is active within an organization it will typically spread successfully and rapidly, rendering affected systems completely inoperable in the process.
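The SMB brute-force propagation described above leaves a recognizable trace in Windows Security logs: a burst of network-logon failures (event 4625, logon type 3) from one source host against many accounts, often followed by a network-logon success (4624) once a harvested or guessed credential works. The detector below is an added example, not code from the original page or from any vendor; it runs over a constructed, simplified log format (timestamp, event id, logon type, source host, target user), so the field layout is an assumption, not the real event XML.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: simplified Windows Security log lines (not real events).
# Format: timestamp | event_id | logon_type | source_host | target_user
SAMPLE_LOG = """\
2019-07-30T10:00:01 | 4625 | 3 | WS-FINANCE-07 | administrator
2019-07-30T10:00:02 | 4625 | 3 | WS-FINANCE-07 | admin
2019-07-30T10:00:02 | 4625 | 3 | WS-FINANCE-07 | backup
2019-07-30T10:00:03 | 4625 | 3 | WS-FINANCE-07 | root
2019-07-30T10:00:03 | 4625 | 3 | WS-FINANCE-07 | guest
2019-07-30T10:00:04 | 4624 | 3 | WS-FINANCE-07 | backup
2019-07-30T10:05:00 | 4625 | 3 | WS-HR-02 | jsmith
2019-07-30T10:30:00 | 4625 | 3 | WS-HR-02 | jsmith
2019-07-30T10:30:10 | 4624 | 3 | WS-HR-02 | jsmith
"""

def parse_log(text):
    """Parse the constructed pipe-separated format into (time, event, type, host, user)."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, ltype, host, user = [p.strip() for p in line.split("|")]
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), host, user))
    return events

def detect_smb_bruteforce(events, window=timedelta(seconds=60), min_failures=4, min_users=3):
    """Flag a source host whose type-3 (network) logon failures inside `window`
    reach `min_failures` attempts spread over at least `min_users` distinct accounts.
    A type-3 success from the same host during or shortly after the burst records
    which account the spreader ended up using; a lone user mistyping a password
    (WS-HR-02 in the sample) stays below both thresholds and is not flagged."""
    by_host = defaultdict(list)
    for ev in sorted(events):
        by_host[ev[3]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        fails = [e for e in evs if e[1] == 4625 and e[2] == 3]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e[0] - first[0] <= window]
            users = {e[4] for e in burst}
            if len(burst) >= min_failures and len(users) >= min_users:
                success = next((e[4] for e in evs if e[1] == 4624 and e[2] == 3
                                and first[0] <= e[0] <= burst[-1][0] + window), None)
                alerts.append({"host": host, "failures": len(burst),
                               "accounts": sorted(users), "success_as": success})
                break  # one alert per host is enough to trigger isolation
    return alerts
```

Feeding real events through `parse_log` only requires mapping the exported fields (TimeCreated, EventID, LogonType, WorkstationName/IpAddress, TargetUserName) onto the same tuple order.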
Bad Rabbit Resources
- Protecting against modified Petya and BadRabbit ransomware variants (September 19, 2019)
- Detonating a bad rabbit: Windows Defender Antivirus and layered machine learning defenses (October 15, 2019)
- Going down the ransomware rabbit hole (July 30, 2019)