Every week, a new ransomware appears that can paralyse a company's activity in less than a day. Similar to viruses in the way they work, ransomware's aim of extorting money makes it more harmful. To protect yourself, there are a few rules to follow.
The mechanics are classic. A lawyer's office, one morning, an attachment, the person opens it. Nothing happens. At the end of the morning, a user complains to support that he can't access his files. Support identified the source of the malfunction, a cryptolocker called Locky. The company found itself frozen due to an IT failure. The IT department tried to unblock the paralysed servers by encrypting each file and restarting the business. All that remains is to call CERT to try and find out the source of the infection.
Bitcoin as a facilitator
This story, told by Luc Roudé of Intrinsec, is a real one, and is echoed almost every week by companies and individuals. The cause is the now infamous ransomware, a kind of pseudo virus designed to encrypt information held by companies or individuals. The encryption is removed in return for a "ransom" paid in Bitcoins to a temporary address. "Attacks are multiplying and are made easier with the advent of Bitcoin," explains Luc Roudé. The ease of use and lack of traceability of this virtual currency have accelerated the development of this new type of attack. While most of the time the sums demanded are "small" and the payment procedure is well established, other times the attacks are more dangerous, such as the one suffered by a Los Angeles hospital last February, which was forced to pay $17,000 to unblock its computer system.
Rapid evolution of ransomware
From a technical point of view, all ransomware looks the same, but none of it is the same. They evolve very quickly, and there are many variations on how they slip through the cracks of antivirus software. With 30 new families in 2015 and already 15 since the start of 2016, the number of attacks and programmes is multiplying, as are the points of contagion. The most common is an attachment, often a CV or invoice from a supposedly trustworthy sender, sent to a functional email such as contact@entreprise.fr or rh@entreprise.fr. Once opened, modifying the document activates a "macro" that executes the encryption program. In addition to attachments, these cryptolockers can also be transmitted via an institutional website or a website considered to be trustworthy. "Another important vector is what is known as "drive by download". A user goes to a news site that has been attacked - either directly or via its advertising network. In this case, it's the site itself that spreads the virus", explains Luc Roudé. Recently, the Pathé.fr website fell victim to this type of virus.
Identify patient zero
Once activated, it takes between one and three days on average to eradicate the plague. The aim is to find patient zero. See where the ransomware has gone to execute itself from a logical point of view. Most of the time, it's an email that is the source of the contagion. Then you need to find out who is behind it, who is affected, whether or not the attachment has been opened and by whom. In a standard case, it takes a few hours to identify the source. The work consists of analysing the malicious programme, tracking down the contaminated IP addresses and, above all, communicating with the systems supervision team to check that no e-mail has been transferred, in order to prevent widespread superinfection of the organisation and third parties.
Prevention: offline back-ups and organisational awareness-raising
Preventing this type of attack starts, of course, with a backup infrastructure and associated processes. Backups must be offline and tested regularly. An obvious but always necessary reminder. Cases where the activation of the backup requires part of the IS to be blocked are not uncommon. As far as the response is concerned, the scenario is similar to a service continuity plan, with the IS being restarted via the backups.
To counter viruses, apart from prohibiting the activation of macros, there is no need to revolutionise the security plan. Ransomware does not seek to exploit vulnerabilities or replicate itself, and encrypting files on volumes is effective in itself. However, the encryption itself can pose a real problem, as Luc Roudé explains: "Of all the families of ransomware, some are poorly designed. This makes it possible to recover files without paying the ransom. But these are marginal cases, because most of the time it's impossible to counter them. They use AES to encrypt files and an RSA key to protect the encryption. On average, less than 10 % of ransomware volumes are decryptable."
A predominantly organisational aspect
The faster the response, the more damage we can limit," explains Jean-Raphaël Frydman, security consultant at Intrinsec. Feedback is an important point. The user is the company's best probe. On the other hand, employees need to be taught the right reflexes and awareness campaigns need to be conducted. When we carry out phishing exercises, which involve sending fake e-mails from the IT or human resources departments to users, for example, we see a real change in user behaviour, as they gradually become able to detect increasingly targeted malicious messages.
This awareness also provides a lever to facilitate change management. Indeed, blocking attachments can have an organisational impact and be badly perceived if the introduction of this type of restrictive measure does not respond to a risk that is understood by everyone. Finally, incident management involves notifying support and possibly calling in an external service provider with end-to-end expertise in managing this type of attack. "A company that is the victim of malicious software can find itself in a crisis situation. Operating losses can run into the hundreds of thousands of euros, putting the company at risk. As well as crisis management, it's not unreasonable to lodge a complaint to report the problem, even if the chances of success are virtually nil today."
Source and information
The case of the Los Angeles hospital
Awareness and best practice sheet offered by the Intrinsec Incident Response Centre
The growth of ransomware measured by Symantec