14 Jun 2016

How to spot the latest in ransomware

Ransomware is a worry for all businesses, primarily because there’s very little that can be done to stop it.

An innocuous-looking email arrives containing a link to download something (in the most recent case a copy of the AGL monthly bill). The malware-laden file can’t be detected by anti-virus checkers scanning the email, because it’s not attached to the email itself; it is only fetched when the user follows the link. There’s nothing in the header; no viruses, no code … literally nothing for security software to detect.
The danger lies in the downloaded attachment, and the risk that a user will open the PDF or the GIF (two of the most common attack vectors) that contains the malware.

This means that, for good or ill, the only proactive step you can take to protect your organisation against ransomware is to educate your users and instil a security-conscious culture around email.

Four ransomware clues

It’s not as hopeless a task as it might sound. There’s always something in the email that gives it away, because even though the email is legitimate insofar as it’s not itself infected with malware, it has still come from an illegitimate source. Things to look out for include:

  1. Incorrectly spelled company names
  2. Emails sent from Gmail, Yahoo or, more generally, not the email domain of the company claiming to send the email
  3. Similarly suspicious-looking return email addresses
  4. Bills or official communications being sent to your work email address (when they should be going to a home email account).
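
The four clues above can be turned into a simple triage script that a mail-security or help-desk team could run over a reported message before anyone opens the attachment. The following is an added example, not code from the original article: it parses the headers with Python’s standard `email` library and flags a misspelled brand name, a sender on a consumer webmail domain, a sender domain that does not belong to the brand being claimed, a Reply-To pointing elsewhere, and a bill or delivery notice addressed to a work mailbox. The brand table, webmail list, keyword list and the three sample messages are all constructed for the example; real deployments would use the organisation’s own lists.

```python
"""Heuristic triage of an inbound email against the four ransomware clues:
a misspelled company name, a sender on a webmail or non-corporate domain,
a suspicious Reply-To, and a bill or delivery notice sent to a work mailbox.
Added example; brand table, webmail list, keywords and samples are constructed."""
import difflib
import email
import re
from email.utils import parseaddr

# Constructed table: brands the organisation expects mail from and the domain they really send from.
KNOWN_BRANDS = {
    "agl": "agl.com.au",
    "auspost": "auspost.com.au",
}
# Constructed: consumer webmail domains that no utility, courier or police department bills from.
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
# Constructed: subject words typical of personal bills, fines and deliveries.
BILL_WORDS = {"bill", "invoice", "infringement", "parcel", "delivery"}


def _domain(header_value: str) -> str:
    """Bare lower-case domain of an address header ('' if the header has no address)."""
    _, address = parseaddr(header_value or "")
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def triage(raw_message: str, work_domain: str) -> list[str]:
    """Return the clue codes that fire for raw_message; an empty list means none fired."""
    msg = email.message_from_string(raw_message)
    clues: list[str] = []

    def add(code: str) -> None:
        if code not in clues:
            clues.append(code)

    display_name, _ = parseaddr(msg.get("From", "") or "")
    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg.get("Reply-To", ""))
    to_domain = _domain(msg.get("To", ""))
    # Words from the display name and subject, where the lure names the brand.
    tokens = re.findall(r"[a-z]+", f"{display_name} {msg.get('Subject', '')}".lower())

    claimed_brands = set()
    for brand in KNOWN_BRANDS:
        for tok in tokens:
            if tok == brand:
                claimed_brands.add(brand)
            elif len(tok) >= 3 and difflib.SequenceMatcher(None, tok, brand).ratio() >= 0.75:
                # Clue 1: close to a known brand name but not spelled correctly.
                add("misspelled-brand")
                claimed_brands.add(brand)

    # Clue 2: sender is on webmail, or not on the domain of the brand it claims to be.
    if from_domain in WEBMAIL_DOMAINS:
        add("webmail-sender")
    for brand in claimed_brands:
        real_domain = KNOWN_BRANDS[brand]
        if from_domain != real_domain and not from_domain.endswith("." + real_domain):
            add("sender-domain-mismatch")

    # Clue 3: replies are steered to a different domain than the mail claims to come from.
    if reply_domain and reply_domain != from_domain:
        add("reply-to-mismatch")

    # Clue 4: a personal bill or delivery notice arriving at a work mailbox.
    if to_domain == work_domain.lower() and BILL_WORDS & set(tokens):
        add("bill-to-work-address")

    return clues


# Constructed sample 1: the AGL-bill lure, sent from webmail with a foreign Reply-To.
PHISHING_BILL = """\
From: AGL Energy <agl.billing.team@gmail.com>
Reply-To: accounts@agl-bill-portal.example
To: j.smith@example-corp.com
Subject: Your AGL bill is ready to download

Your monthly bill is attached. Open it to view the amount due.
"""

# Constructed sample 2: misspelled brand on a look-alike domain, sent to a personal mailbox.
PHISHING_MISSPELT = """\
From: Agll Energy <noreply@agll-energy.example>
To: jane@home-mail.example
Subject: Invoice overdue

Your invoice is overdue. See the attached statement.
"""

# Constructed sample 3: what a genuine notice looks like, arriving at the home address it belongs on.
LEGITIMATE = """\
From: AGL <noreply@agl.com.au>
To: jane@home-mail.example
Subject: Your AGL bill is ready

Log in to your account to view your bill.
"""

if __name__ == "__main__":
    for label, sample in (("bill lure", PHISHING_BILL), ("misspelt", PHISHING_MISSPELT), ("genuine", LEGITIMATE)):
        print(f"{label}: {triage(sample, 'example-corp.com') or 'no clues'}")
```

The script is deliberately conservative: a close-but-wrong brand spelling only counts when the token is at least three letters and scores 0.75 or more against the brand, so ordinary words in a subject line do not trip it, and a genuine notice from the real domain to a home address produces no clues at all. Any clue that does fire is a reason to route the message to the IT team rather than open what it links to.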

Some recent examples show how sophisticated these attacks are becoming.

Emails allegedly from police departments, containing fake traffic infringements have done the rounds – but would you include your work email address on your car registration papers?

There was also a series of now fairly well-known emails allegedly from Australia Post, notifying users of a package to be delivered (with attached documentation), and one from AGL containing power bills. But again, would you use a work email address for a personal delivery or home electricity account?

More broadly, users can often check the information these emails claim to be providing, for example, by looking for account, license or address details (and checking whether they’re correct), visiting an online government portal to pay a traffic infringement, a delivery company’s website to track a package, or a utility provider’s site to pay a bill.

It’s vital to bring users along with you on this security journey, because the only technological measures the IT team can implement are reactive, to stop an infection spreading further. This includes making sure users feel comfortable to contact the IT team if they’ve opened up a ransomware-laden attachment (or even if they only suspect they have).

Containment and backup

The first step is to immediately isolate any affected machines from the network, because ransomware will infect every network drive it can find. For a desktop machine this will be as simple as pulling the Ethernet cable, but for laptops and mobile devices you’ll also need to shut down their Wi-Fi, so they can’t be found by other machines on the network.

Once you’ve sandboxed the infection, you can restore any lost data from a backup – which means, of course, that you need to have a rigorous backup regime in place.

Should you pay?

We’ve seen some cases of ransomware victims simply paying the ransom, but that may not get you out of the woods. Sometimes the data is restored (or, more correctly, unlocked) immediately. Sometimes it’s restored slowly (we recently saw data being restored at a rate of about 1GB per hour). And sometimes it’s not restored at all.

Once again, the best defence is to create a security-conscious user culture around email, and to encourage users to contact the IT team immediately if they think there’s a problem. The alternative is to be on the hook for sometimes reasonable, sometimes absurd ransom demands – which may or may not be honoured.

It’s best to avoid the situation entirely – after all, there’s no honour among thieves.