RANSOMWARE is a most happening thing in technology this article is focusing on latest variants and attacking vectors and on serious note biggest threat.
Ransomware is the fastest growing and most lucrative form of malware, cyber criminals can leverage today, leading to an escalating upswing in new Ransomware development each month.
Be careful there is no silver bullet which can effectively protect infecting with scareware (Ransomware). They are highly sophisticated and not only encrypts files on a victims’ computer but also attacks any files on connected storage devices, network shares, system restore points and volume shadow copies. And now in some variants, they are infecting the cloud services like Google Drive, AWS, Dropbox etc. It also steals cryptocurrency wallet funds stored on your system. There are several new types of Ransomware: ZEPTO, BART, CERBER, CRYPTXXX following :
WHY AREN’T BACKUPS WORKING?
To save money, some organizations don’t include all their important files in their backups or don’t run their backups often enough. Others don’t test their backups and find out that the systems don’t work only when it’s too late. Finally, some companies put their backups on network drives that Ransomware can easily find and jump to and encrypt.
Educational as well Hospital sector are mostly targeted, the quickest way to restore the systems was to pay the Ransomware. No decryption is possible as normal infrastructure until having the Private key. Your only option for recovering the files is to have a back-up available or pay the ransom.
FIRST RESPOND PROCEDURE FROM SOLUTION PROVIDER
- Initiating by notifying insurer regarding this incident, obtain a technical legal response from the party(client) itself.
- Asking about Backup (BCP) or other policies, network sharing architecture and most important which variants are affected.
- Hopefully figure out what happened, how it happened, when it happened, how to keep it from happening again and even possibly track down the perpetrators.
- Client mainly focuses on their data and they least bother about how they get infected. Our response depends on the client’s scope of work; initiate with the identification of infected systems.
- Perform Multiple checklists.
- Forensic imaging, analysis about IoC, browser history, Mails, events from DLP, SIEM firewall logs whatever endpoint security placed.
- Looking for the variant (Ransomware) is old or if their decryption tools are avail in the market then have to go with that.
- If required then run certain plug n play tools (Hitman pro, Spyhunter, Emsisoft, Kaspersky etc.), Treat Anti-Malware to cleaning up the ransomware infected file.
Ransomware Tips: Some Effective Tips
Ransomware what Next: Needs to implement
Locky Ransomware Hits Indian cyberspace.
Would recommend preventive measures the following:
- Recheck that the perimeter anti-spam / anti-malware system has the signatures for detecting and blocking this ransomware. Same for end points & servers too.
- Block .VBS file attachments in incoming emails. This should be checked even if the attachment is within the zip file
- Block the locky Ransomware downloader website mentioned in the article
- Search for such emails, if they have entered the network by searching for key words mentioned in the article for subject lines, attachment name etc.
- If found, have such emails deleted from the user mail boxes centrally
- Create specialized rules on SIEM / security analytics to detect this
- Create user awareness to not click on links / open attachments from unknown sources
- Update OS security patches
- Keep backup of important data/computers
- Keep handy, websites which can help in decrypting data, if encrypted
But still, brace yourself from advanced Zero Days APT attacks
FOR MORE DETAILS: