Ransomware clearly has people on many fronts worried, so much so that the United States and Canada took an unprecedented step last week to issue a joint advisory on the threat posed by crypto-ransomware.
The U.S. Cyber Emergency Response Team together with the Canadian Cyber Incident Response Centre penned a comprehensive warning on the heels of high-profile infections at hospitals nationwide that have made headlines the past few weeks.
The advisory describes the threat, potential impact and offers solutions which companies and consumers can take advantage of.
“The authors of ransomware instill fear and panic into their victims, causing them to click on a link or pay a ransom, and users’ systems can become infected with additional malware,” the advisory reads.
Contrary to advice given by the FBI last fall, the respective CERTs say that paying the ransom may not be the best solution.
“Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information,” the advisory says. “In addition, decrypting files does not mean the malware infection itself has been removed.”
Ransomware has shut down major health care providers, including MedStar Health in the D.C. area and Los Angeles-based Hollywood Presbyterian Medical Center, affecting not only access to data stored on computers network-wide but also patient care; in the case of Hollywood Presbyterian Medical Center, sick and injured patients had to be shuttled to other facilities in the area.
The respective CERTs warn of financial loss and reputational harm, in addition to possibly permanently corrupted files. The advisory urges organizations to employ common-sense computer hygiene, starting with regular, available, secure backups of critical information. Application whitelisting and vigilant patching are also recommended; the CERTs also caution that organizations should educate users to avoid enabling macros. Many ransomware strains, including Locky, arrive in spam and phishing emails with Word documents posing as a business invoice. The victim is directed to enable macros in order to properly view the document, but instead the macro downloads the ransomware in the background.
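A gateway-side check for the macro-laden Word lures described above, added here as an example and not part of the advisory or the article: it flags Office Open XML attachments that carry a VBA project part or declare a macro-enabled content type, and notes when such content hides under a .docx extension (the part name and content-type strings are standard OOXML values; the sample documents are constructed in the block).

```python
import io
import zipfile
from typing import List

# Standard OOXML locations/identifiers for Word macros (not values from the advisory)
VBA_PART = "word/vbaProject.bin"
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
MACRO_EXTENSIONS = {".docm", ".dotm"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0"  # legacy binary .doc container header


def scan_attachment(filename: str, data: bytes) -> List[str]:
    """Return reasons to hold a Word attachment for review; an empty list means no macro indicators.

    Legacy OLE2 .doc files are not parsed here: they need a dedicated OLE parser, so they are
    flagged for manual inspection rather than silently passed.
    """
    findings = []
    lower = filename.lower()
    if not zipfile.is_zipfile(io.BytesIO(data)):
        if lower.endswith(".doc") or data.startswith(OLE2_MAGIC):
            findings.append("legacy OLE2 document: macro inspection requires an OLE parser")
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if VBA_PART in set(zf.namelist()):
            findings.append(f"embedded VBA project ({VBA_PART})")
        try:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            ctypes = ""
        if MACRO_CT in ctypes:
            findings.append("macro-enabled content type declared")
    # A macro payload under .docx/.dotx is a mismatch worth calling out on its own
    if findings and not any(lower.endswith(e) for e in MACRO_EXTENSIONS):
        findings.append("macro content under a non-macro extension (.docx/.dotx)")
    return findings


def build_docx(with_macro: bool) -> bytes:
    """Constructed minimal document for the demo; the VBA part is placeholder bytes, not real VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = MACRO_CT if with_macro else PLAIN_CT
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr(VBA_PART, b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in [("invoice.docx", build_docx(False)), ("invoice.docm", build_docx(True)),
                      ("invoice.docx", build_docx(True))]:
        print(name, scan_attachment(name, doc) or "no macro indicators")
```

The same check can be run on every attachment at the mail gateway; a non-empty result should route the message to quarantine rather than to the user who would be asked to "enable content".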
The speed by which ransomware is evolving is striking, perhaps more so than any other type of malware or exploit.
In the past two weeks, we’ve seen PowerWare co-opt Windows PowerShell via a malicious macro to pull down the ransomware and avoid writing files to the disk.
More recently, Petya ransomware was exposed in attacks targeting HR operations at German companies. The twist with Petya is that it spreads via a Dropbox link—which has since been disabled—spammed out to organizations. The malware replaces the boot drive’s Master Boot Record with a malicious loader. The malware forces Windows to reboot and displays a phony check disk (CHKDSK) operation to the victim while the malware executes in the background and encrypts the master file table.
Researcher Hasherezade said in a detailed analysis posted to the Malwarebytes blog that, despite claims in the ransom note, Petya does not encrypt the full disk; by encrypting the master file table, it renders the file system unreadable. The ransomware executes in stages, and Hasherezade said that if detection happens in the first stage, data can be recovered.