5 Tips For Preventing Ransomware On Your Network
One of the hot topics with our customers at the moment is the growing number of ransomware variants. The Cryptolocker Trojan first surfaced in September 2013, and several variants have appeared in recent months, including HowDecrypt. These are a very nasty piece of work. Typically the malware arrives via email and installs when a link in the message is clicked. Once active it seeks out user files and encrypts them. When the encryption process is complete it drops a text file and an image file containing instructions on how to pay to get the data decrypted.
The criminals behind these viruses typically demand $350-$600 (around 0.5 Bitcoin) for a decryption key. Other variants display a message on the PC claiming that the system was used to download pirated music and that you will be reported unless a ransom is paid. According to Dell SecureWorks, this malware raked in some $5 million in the last four months of 2013. That makes it a very successful approach, so expect many new variants in the months ahead. A survey by researchers at the University of Kent found that 41% of UK respondents who were Cryptolocker victims said they had paid the ransom.
Once infected, the client will also try to make outbound connections to command and control servers at IP addresses in Russia and Ukraine. The same servers can also be reached through the Tor network, which shields them from DNS sinkholing: if the malware finds its server by IP address or through Tor rather than through a hostname you can redirect, taking over the domain does not help. One of our customers found a number of clients on their network trying to connect to 126.96.36.199, which is registered in Russia. They immediately blocked access to it on the firewall and investigated every client that had tried to connect to it. Note that the block only stops the key exchange; a client that is still trying to reach the address is already infected and must be cleaned.
The big worry for most IT managers is that ransomware does not just encrypt local files: it also encrypts data on network shares, typically anything on a mapped drive that the infected user can write to. This has many managers frantically checking their backup procedures in case the virus gets onto their network. Bear in mind that a backup copy sitting on a share the user can write to is just another file to encrypt, so keep at least one copy offline or otherwise unreachable from workstations.
So, what should you be doing to protect your network?
- Back up your data and make sure you do test restores.
- Make sure your end users are educated about the risks of clicking links contained in any email.
- Keep antivirus signatures and operating system patches up to date on all network-connected devices.
- Find out what is actually happening on your network using traffic analysis and forensics tools.
- Make sure you understand what goes in and out of your network perimeter. Remember that all sorts of applications use TCP port 80, so the fact that a port is allowed tells you nothing about which applications are talking through it.
- Keep up to speed with what is happening in IT security. Subscribe to security-themed RSS feeds or follow a few influential security professionals on Twitter.
You should conduct a review of your network as soon as possible. Make sure your backup jobs are completing, and that a restore actually works, so that you have the option of restoring files if they do get encrypted. Check for activity associated with 188.8.131.52, which we have found to be associated with ransomware activity; LANGuardian users can do this by entering the IP address into the forensics search panel. Also check your file shares for tell-tale signs such as files named HowDecrypt.txt or HowDecrypt.gif; the LANGuardian file activity reports can be used to check for these.
Finally, be careful with some of the information that is doing the rounds. Some people claim you can monitor for this activity using logs or flow data alone, and much of that is marketing spin. Flow records can show a client talking to a known command and control address, but they cannot show which files on a share are being rewritten, and Windows file-access auditing is off by default, so the logs usually are not there when you go looking. When it comes to a threat like ransomware it all comes back to end user awareness, good backup procedures, and a good understanding of what users are doing on your network.
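The two checks described above (clients contacting a known command and control address, and ransom notes appearing on file shares) can be scripted for anyone without a traffic analysis appliance. The following is an added example, not code from the original post or from LANGuardian: the firewall log format it parses is assumed for the example, and the log lines and the share layout are constructed sample data. The C2 addresses and note filenames are the ones named on this page.

```python
"""Added example: scripted checks for the ransomware review described above."""
import ipaddress
import os
import re
import tempfile
from collections import defaultdict

# Ransom-note filenames named on the page. Compared case-insensitively,
# since Windows filesystems are case-insensitive.
RANSOM_NOTE_NAMES = {"howdecrypt.txt", "howdecrypt.gif"}

# Addresses the page associates with ransomware command and control traffic.
C2_ADDRESSES = {ipaddress.ip_address("126.96.36.199"),
                ipaddress.ip_address("188.8.131.52")}


def find_ransom_notes(share_root):
    """Walk a share (or mapped drive) and return {relative folder: [note names]}.

    Grouping by folder shows how far the encryption spread, because the
    malware drops a note in every folder it has been through."""
    hits = defaultdict(list)
    for dirpath, _subdirs, files in os.walk(share_root):
        for name in files:
            if name.lower() in RANSOM_NOTE_NAMES:
                rel = os.path.relpath(dirpath, share_root).replace(os.sep, "/")
                hits[rel].append(name)
    return dict(hits)


# Assumed firewall log format for this example (not any real product's):
#   <date> <time> <ACCEPT|DROP> src=<ip> dst=<ip> dport=<port>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def clients_contacting_c2(log_lines, c2_addresses=C2_ADDRESSES):
    """Return {client_ip: [(timestamp, dst, dport, action), ...]} for every
    connection attempt to a known C2 address.

    DROP lines are kept on purpose: once the firewall rule is in place, a
    blocked attempt still identifies an infected client. Lines that do not
    parse are skipped rather than raising, so one odd line cannot stop a
    review of a large log."""
    suspects = defaultdict(list)
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        if dst in c2_addresses:
            suspects[m["src"]].append(
                (m["ts"], m["dst"], int(m["dport"]), m["action"]))
    return dict(suspects)


# Constructed sample log lines. The C2 traffic runs over ports 80 and 443:
# the port number alone says nothing about which application made the connection.
SAMPLE_LOG = [
    "2014-02-10 09:12:01 ACCEPT src=10.1.2.34 dst=126.96.36.199 dport=80",
    "2014-02-10 09:12:05 ACCEPT src=10.1.2.34 dst=93.184.216.34 dport=443",
    "2014-02-10 09:13:44 ACCEPT src=10.1.2.57 dst=188.8.131.52 dport=443",
    "2014-02-10 09:15:00 DROP src=10.1.2.34 dst=126.96.36.199 dport=80",
    "garbage line that should be ignored",
]


def build_sample_share():
    """Create a throwaway directory tree standing in for a file share: two
    folders the ransomware has been through and one it has not. Returns the root."""
    root = tempfile.mkdtemp(prefix="share_")
    layout = {
        "Finance": ["budget.xlsx", "HowDecrypt.txt", "HowDecrypt.gif"],
        "Finance/2013": ["q4.docx", "HOWDECRYPT.TXT"],
        "Public": ["readme.txt"],
    }
    for folder, files in layout.items():
        path = os.path.join(root, *folder.split("/"))
        os.makedirs(path, exist_ok=True)
        for name in files:
            with open(os.path.join(path, name), "w") as fh:
                fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    for client, attempts in sorted(clients_contacting_c2(SAMPLE_LOG).items()):
        print(f"{client}: {len(attempts)} C2 connection attempt(s), investigate this client")
    root = build_sample_share()
    for folder, notes in sorted(find_ransom_notes(root).items()):
        print(f"{folder}: {', '.join(notes)}")
```

Point `find_ransom_notes` at the root of each mapped share and feed `clients_contacting_c2` the exported firewall log; a client that appears in the second list, or a folder that appears in the first, is where the clean-up and the restore start. Matching on the note filenames rather than on encrypted content keeps the scan cheap enough to run across a large share on a schedule.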
Follow me on Twitter @darraghdelaney