Exclusive: Ransomware isn't hard to beat - here's how
Cybercriminals can earn $84,000 on a $6,000 investment in an exploit kit. That is great news for the criminals and bad news for businesses as ransomware explodes, but one industry expert says ransomware can be beaten right now, if you know how.
Kent Shuart, SonicWall’s global evangelist and director of product marketing for Asia, dubs ransomware ‘a phenomenon’.
“It’s approaching US$1 billion annually,” Shuart says.
“There’s a business for you, a billion dollar business – and it was nothing five years ago.”
Often using 2048-bit RSA encryption, which is computationally infeasible to break, ransomware denies access to a device or its data until the victim pays a ransom, usually in a cryptocurrency such as Bitcoin (BTC), to have the restriction removed.
While it has been around for ‘many years’, it has recently become much more profitable and popular, ‘because it works so well’, with new versions offering new ‘features’, including waiting to observe where the victim’s data is actually held and encrypting that as well.
Another recent crypto-ransomware variant, which Shuart dubs ‘really cool’, encrypts the operating system itself, forcing the victim to use a different computer to pay the ransom, and infecting that machine in the process.
“It’s self propagating,” says Shuart, who was in New Zealand recently at a launch event for SonicWall and new Kiwi distributor Dicker Data NZ.
That variant, .cry ransomware, also communicates differently, using UDP rather than TCP; Shuart says this evades detection because most antivirus software does not inspect UDP traffic.
It also uses the Google Maps API to geolocate the victim, giving the attackers an indication of the affluence of the community the victim lives in, and deletes the system’s Volume Shadow Copies so that files cannot be restored from them.
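Deleting Volume Shadow Copies is one of the few ransomware behaviours that is loud enough to catch at the moment it happens, because it runs through well-known administrative tools. The following is an added example, not part of the original article and not SonicWall code: a small detector in Python that scans process-creation events for the commands that remove or disable Windows recovery data. The log line format, host and user names and the rule list are constructed for the example, and escalating a hit whose parent process is an Office application to high severity is an assumption added here, not something the article describes.

```python
import re
from typing import Dict, List

# Constructed sample of process-creation events in a simplified "key=value|..."
# line format. This is not real telemetry; Sysmon Event ID 1 and Windows
# Security event 4688 expose the same fields (parent image, image, command line).
SAMPLE_EVENTS = [
    "ts=2016-09-01T10:02:11Z|host=ws17|user=jdoe|parent=C:\\Windows\\explorer.exe"
    "|image=C:\\Windows\\System32\\vssadmin.exe|cmd=vssadmin delete shadows /all /quiet",
    "ts=2016-09-01T10:02:12Z|host=ws17|user=jdoe|parent=C:\\Program Files\\Microsoft Office\\WINWORD.EXE"
    "|image=C:\\Windows\\System32\\cmd.exe|cmd=cmd.exe /c wmic shadowcopy delete",
    "ts=2016-09-01T10:02:13Z|host=ws17|user=jdoe|parent=C:\\Windows\\System32\\cmd.exe"
    "|image=C:\\Windows\\System32\\bcdedit.exe|cmd=bcdedit /set {default} recoveryenabled No",
    "ts=2016-09-01T11:15:40Z|host=srv02|user=backupadm|parent=C:\\Windows\\System32\\cmd.exe"
    "|image=C:\\Windows\\System32\\vssadmin.exe|cmd=vssadmin list shadows",
    "ts=2016-09-01T10:02:14Z|host=ws17|user=jdoe|parent=C:\\Windows\\System32\\cmd.exe"
    "|image=C:\\Windows\\System32\\wbadmin.exe|cmd=wbadmin delete catalog -quiet",
    "ts=2016-09-01T10:05:00Z|host=ws17|user=jdoe|parent=C:\\Windows\\explorer.exe"
    "|image=C:\\Windows\\System32\\notepad.exe|cmd=notepad.exe C:\\Users\\jdoe\\report.txt",
]

# Command-line patterns that remove or disable Windows recovery data. The regexes
# are case-insensitive and tolerate an optional ".exe" and variable whitespace.
RULES = [
    ("vssadmin_delete_shadows",  re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin_shrink_storage",  re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",   re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("wbadmin_delete_catalog",   re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
]

# Parents that should never legitimately spawn a shadow-copy deletion: a document
# reader or mail client doing so points at a phishing-delivered payload (assumed
# heuristic for this example).
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe")


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'k=v|k=v' line into a dict; a value may itself contain '='."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def detect_shadow_tampering(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per event whose command line matches a tampering rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmd", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                parent = ev.get("parent", "").lower().rsplit("\\", 1)[-1]
                hits.append({
                    "ts": ev.get("ts", ""),
                    "host": ev.get("host", ""),
                    "user": ev.get("user", ""),
                    "rule": name,
                    "cmd": cmd,
                    "severity": "high" if parent in OFFICE_PARENTS else "medium",
                })
                break  # one hit per event is enough
    return hits


if __name__ == "__main__":
    for hit in detect_shadow_tampering(SAMPLE_EVENTS):
        print(f"{hit['ts']} {hit['host']} {hit['user']} [{hit['severity']}] {hit['rule']}: {hit['cmd']}")
```

The benign `vssadmin list shadows` run by a backup administrator is deliberately left unflagged: alerting on every use of vssadmin trains analysts to ignore the rule. In production the same patterns belong in the endpoint agent or SIEM, where a hit can trigger network isolation of the host before the encryption loop finishes.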
“It also stays persistent not only after reboots, but after system cleaning as well, because it hides in places. And it hides in the strangest places – it’ll hide in the BIOS of your computer, or the firmware of your camera, or in your printer.
“There are all kinds of cool places you can store this thing.”
It also comes complete with a functioning support page for communicating with the criminals, and offers a free, drag-and-drop decryption of one file to prove the files can be decrypted.
“Ransomware is just like Microsoft Office,” Shuart says. “It’s not a guy in a hooded suit in the corner somewhere. It’s a business and they’re operating it that way. They have marketing, business plans, tech support, patchups, they have financing available!” he says.
“If we don’t know more about it, we are doomed to be penalised by it.”
But Shuart says it’s not hard to beat ransomware.
“Ransomware can be beaten right now. You just have to get smart. And there are ways you can do that,” he says.
Shuart cites education as key, saying it’s crucial to ‘build the human firewall’.
“The average person on the street has no idea what ransomware is,” he says. “And the first step in beating ransomware is understanding it.
“The thing to know about ransomware is that if you’re smart, if you’re educated, if you look for things that aren’t right, if you look for inconsistencies, you can find ransomware as well as malware very quickly and just protect yourself.”
He cites the example of a phishing email from a contact, where the contact signed off as ‘Mike’ rather than the usual ‘Michael’.
“Be aware, educate your people, understand when something looks awry, it is awry.”
He’s also a big advocate of constant patching, with exploitation of unpatched systems, browsers and applications a common delivery method, alongside phishing emails and malvertising.
“When you start talking about patches, they publicise what they do. So I know what the breach should be about, because Java talks about patching a specific piece of the system – well, that’s the piece I’m going to target,” Shuart says.
“Last thing each day I update my system. It’s a geeky thing to do, but it keeps me from getting caught.”
Ransomware can also pass undetected through firewalls that cannot decrypt and inspect SSL/TLS-encrypted web traffic.
“Increasingly, cybercriminals have learned how to hide malware in encrypted traffic.
“If I want to deliver you malware and you have no way of inspecting that – whether it’s malware, ransomware, whatever – this is an easy way in.
“Hidden ransomware is very simple to deliver.”
Shuart says the use of SSL/TLS encryption continues to surge, leading to under-the-radar attacks affecting at least 900 million users in 2015, according to some reports.
Shuart says other critical measures are compartmentalising the network so an infection cannot spread freely, taking a multilayered approach in which network, endpoints and mobile devices are all protected, turning on all firewall features, including intrusion prevention and inspection of encrypted traffic, even at the cost of reduced network throughput, and backing up files and, critically, keeping those backups offline where ransomware cannot reach them.
Unsurprisingly, Shuart also took the time to highlight SonicWall’s own offerings, including its cloud-based Capture service, available with SonicWall firewalls, which analyses suspicious files using a multi-engine approach, running three engines at once.
“Things happen very quickly. The idea behind this is to take performance and security by utilising three things – multi-engine, multi-layer, cloud-based protection.”
Shuart says the offering operates at line speed, with each analysed file then becoming a known file.
“We can beat ransomware, it’s not that hard to do. We just have to get more sophisticated.
“We do that by identifying families of ransomware.”
Cybercriminals can buy whole families of malware products, which morph from sample to sample to make signature-based detection more difficult.
“But if you can identify a family of products, rather than an individual product, it is an art and a science. It’s the secret sauce.”
And for those already compromised, Shuart offers some simple tips: disconnect the machine from the network, determine the scope of the infection and the variant involved, and evaluate the options: restoring from backup, decrypting with a decryptor service (which has limited success, Shuart says), or paying the ransom.
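To make the ‘determine the scope’ step concrete, here is an added example, not from the article and not SonicWall code, in Python that sweeps a share or volume after an incident and summarises what was touched: files carrying a known ransomware extension, files encrypted in place (recognised by their near-random byte entropy), ransom notes, the directories affected, and the earliest modification time as a starting point for the timeline. The sample directory tree, the note-name heuristic, the entropy threshold and the extension lists are constructed for the example; only the .cry extension comes from the article.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict

# Extensions appended by known crypto-ransomware. ".cry" is the variant discussed
# above; ".locky" is Locky's. Assumption: the responder maintains and extends this
# list from public reporting.
RANSOM_EXTENSIONS = {".cry", ".locky"}

# Formats that are legitimately near-random (compressed or already encrypted), so a
# high entropy reading alone must not flag them.
NATURALLY_DENSE = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4", ".pdf"}

ENTROPY_THRESHOLD = 7.5   # bits per byte; text and office documents sit far lower
SAMPLE_BYTES = 4096       # scoring only the head of each file keeps the sweep fast


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 is uniform random, English text is about 4.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    """Return 'ransom_note', 'encrypted_ext', 'high_entropy' or 'clean'."""
    name = path.name.lower()
    ext = path.suffix.lower()
    # Assumed heuristic: notes are small text/html files named to catch the eye.
    if ext in (".txt", ".html") and ("decrypt" in name or "recover" in name):
        return "ransom_note"
    if ext in RANSOM_EXTENSIONS:
        return "encrypted_ext"
    if ext not in NATURALLY_DENSE:
        with path.open("rb") as fh:
            if shannon_entropy(fh.read(SAMPLE_BYTES)) >= ENTROPY_THRESHOLD:
                return "high_entropy"
    return "clean"


def scope_infection(root: str) -> Dict[str, object]:
    """Walk a share or volume and summarise what the ransomware touched."""
    counts: Counter = Counter()
    affected_dirs = set()
    extensions_seen: Counter = Counter()
    earliest = None
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            verdict = classify_file(p)
            counts[verdict] += 1
            if verdict != "clean":
                affected_dirs.add(os.path.relpath(dirpath, root))
                mtime = p.stat().st_mtime
                earliest = mtime if earliest is None else min(earliest, mtime)
            if verdict == "encrypted_ext":
                extensions_seen[p.suffix.lower()] += 1
    return {
        "counts": dict(counts),
        "affected_dirs": sorted(affected_dirs),
        "variant_hint": extensions_seen.most_common(1)[0][0] if extensions_seen else None,
        "earliest_touch": earliest,
    }


def build_sample_tree(root: str) -> None:
    """Constructed sample: a small file share after a partial .cry infection."""
    base = Path(root)
    (base / "finance").mkdir(parents=True, exist_ok=True)
    (base / "hr").mkdir(exist_ok=True)
    (base / "finance" / "q3_report.docx.cry").write_bytes(os.urandom(SAMPLE_BYTES))
    (base / "finance" / "budget.xlsx.cry").write_bytes(os.urandom(SAMPLE_BYTES))
    (base / "finance" / "how_to_decrypt_files.txt").write_text("Your files are encrypted.\n")
    (base / "hr" / "policy.txt").write_text("leave policy\n" * 300)       # clean text
    (base / "hr" / "photo.png").write_bytes(os.urandom(SAMPLE_BYTES))     # dense but legitimate
    (base / "hr" / "notes.txt").write_bytes(os.urandom(SAMPLE_BYTES))     # encrypted in place, not renamed


def run_demo() -> Dict[str, object]:
    """Build the constructed sample in a temporary directory and return its summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scope_infection(tmp)


if __name__ == "__main__":
    print(run_demo())
```

Compressed and already-encrypted formats are skipped rather than entropy-scored, otherwise every archive and image on the share shows up as a false positive; the 7.5 bits-per-byte threshold is a working value, and anything flagged by entropy alone should still be eyeballed before it is counted as lost. The sweep must be run from a clean machine against a read-only mount, never from the infected host, which has already been disconnected in step one.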